DragonFly BSD
DragonFly commits List (threaded) for 2005-08

Re: cvs commit: src/sys/dev/netif/ndis if_ndis.c

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Aug 2005 12:06:08 -0700 (PDT)

:On 11.08.2005, at 19:34, Matthew Dillon wrote:
:>     From my read, nearly all the M_NOWAIT's here should be changed
:>     to M_INTWAIT's.  Basically any path which is not subject to
:>     network load, which is all of the paths still using M_NOWAIT
:>     in this case.
:What's preferable: gracefully accept low-memory situations, or block on 
:these?  I prefer the former.

    For malloc to fail in a low-memory situation implies that malloc is
    being called in a manner which scales to the load.  i.e. that we have
    to allow it to fail or the system would not be able to recover.

    malloc's which do NOT scale to load, in particular any malloc related
    to structures that already exist in the system, or during initialization,
    or other things that do not scale to load, should be expected to succeed
    and M_NOWAIT should not be used with them.

    A very common place for bugs to be introduced is in error handling,
    simply because error paths are very rarely exercised on a running system.
    For this reason, trying to deal with low-memory situations gracefully
    for allocations which are not significant contributors to the low-memory
    situation or otherwise not significantly related to the load on the 
    system is a bad idea.  Such allocations should always be required to

    I'll give you a couple of examples:  

    * Incoming packets.  Clearly such allocations must be allowed to fail
      (and they do).

    * Dynamic filter rules.  Clearly should be programmatically limited
      and not depend on M_NOWAIT failing.

    * Look-aside structures related to elements of the system that have
      already been successfully allocated.  For example, let's say we
      have an I/O buffer and we need to tag it with a small allocated
      structure.  Such allocations should be required to succeed.

    * Temporary structures, used during the course of a single procedure,
      clearly must be required to succeed.

    * Allocations with limited scope during initialization, such as the
      ring buffers for a network driver, clearly must be required to succeed.

    And so on and so forth.

					Matthew Dillon 
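
The point about rarely exercised error paths, as an added example that is not part of the original message or of the DragonFly source: a userland C model of a driver init that uses fallible (M_NOWAIT-style) allocations, with fault injection failing each allocation in turn to expose a leak that appears only when the third one fails. The allocator wrappers, `ring_softc` and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userland model: allocation number fail_at returns NULL (M_NOWAIT-style). */
static int fail_at = -1, calls, live;
static void *nowait_alloc(size_t n) {
    void *p = (calls++ == fail_at) ? NULL : malloc(n);
    if (p != NULL) live++;
    return p;
}
static void tracked_free(void *p) { if (p != NULL) { free(p); live--; } }

struct ring_softc { void *rx_ring, *tx_ring, *stats; };  /* hypothetical driver state */
static void ring_free(struct ring_softc *sc) {
    tracked_free(sc->rx_ring); tracked_free(sc->tx_ring); tracked_free(sc->stats);
}

/* Hand-written unwinding: the last error branch forgets rx_ring. */
static int ring_init_buggy(struct ring_softc *sc) {
    if ((sc->rx_ring = nowait_alloc(4096)) == NULL) return -1;
    if ((sc->tx_ring = nowait_alloc(4096)) == NULL) { tracked_free(sc->rx_ring); return -1; }
    if ((sc->stats = nowait_alloc(64)) == NULL) { tracked_free(sc->tx_ring); return -1; }
    return 0;
}

/* Same allocations, with one unwind path shared by every failure. */
static int ring_init_fixed(struct ring_softc *sc) {
    sc->rx_ring = nowait_alloc(4096);
    sc->tx_ring = sc->rx_ring ? nowait_alloc(4096) : NULL;
    sc->stats = sc->tx_ring ? nowait_alloc(64) : NULL;
    if (sc->stats == NULL) ring_free(sc);
    return sc->stats != NULL ? 0 : -1;
}

/* Fail each allocation in turn; count the failure points that leave memory live. */
static int leaky_points(int (*init)(struct ring_softc *), int nallocs) {
    int leaks = 0;
    for (int i = 0; i < nallocs; i++) {
        struct ring_softc sc = {0};
        fail_at = i; calls = 0; live = 0;
        if (init(&sc) == 0) ring_free(&sc);
        if (live != 0) leaks++;
    }
    return leaks;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", leaky_points(ring_init_buggy, 3), leaky_points(ring_init_fixed, 3));
    return 0;
}
```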
