Re: [MirageOS-devel] RFC: disconnect / DEVICE lifetime
On 10/10/2016 16:00, Thomas Leonard wrote:
>> This leads to the lifetime of a DEVICE instance: they can be demanded
>> by a unikernel (during configuration/build time), and must be present
>> (and in working operation) during runtime. (In some future OCaml it'd
>> be nice to have linear types and be able to express that disconnect
>> consumes the given t. But we're not there yet.)
>> There's at no time any need to dynamically allocate a DEVICE and use it
>> temporarily within the lifetime of a unikernel (please tell me if I'm
>> wrong and you've scenarios in mind where you want to spawn DEVICEs
>> dynamically [*]).
>
> mirage-firewall starts new network devices as new client VMs turn up.

Good point. Let me rephrase: each DEVICE used in config.ml will be `connect`ed during initialisation (fail hard!), and will be disconnected during teardown (NYI) -- no user manually calls disconnect on any DEVICE where they did not call connect.

> Add a `~switch` argument to the `connect` functions and have devices
> disconnect when the switch is turned off. main.ml can pass a single
> switch to everything it starts, and turn it off at the end. Remove the
> `disconnect` function from DEVICE.

That sounds like a plausible alternative; does anyone else have experience with Lwt_switch (I didn't know of it until now)?

> In general, you only need to check at the lowest level (e.g. writing
> to a ring buffer or notifying an event channel), where failing to do
> this would lead to memory corruption or similar. Higher levels (e.g.
> FAT) shouldn't need to check, as an exception will be raised
> automatically when they try to access their underlying device.

Higher levels may introduce caches they might want to flush on shutdown.

> In any case, this is a programming error and so should be reported as
> an exception.
>
> mirage-net-xen had to check manually because currently you can't
> disconnect a shared ring, I think. If shared-memory-ring provided a
> reliable way to disconnect, mirage-net-xen wouldn't have to do its own
> checks.
>
>> TL;DR: emit disconnect chain in functoria/mirage, remove checks from
>> mirage-block-unix [tentative 1], remove more code ;)
>
> You can't remove the check from mirage-block-unix because OCaml's file
> descriptors are unsafe (e.g. closing the same FD twice may close a
> different FD).

IC. Not clear what is the best way to move forward here:

a) claim use-after-disconnect to be undefined behaviour (no checks, but may lead to hard-to-find errors),
b) implement checks `if state == Disconnected then `Error `Disconnected else ...` in all DEVICES (to have a uniform story), or
c) have an exception disconnected and raise it in some (or all?) DEVICES when an operation is attempted on a disconnected device.

IMHO it would be nice to have a uniform story for DEVICES (and to be able to clean up resources) -- I currently prefer (b): implement the disconnected state checks in all devices, and return an error `Disconnected if an operation is tried on a disconnected device.

hannes
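Option (b) from the message above, combined with the `~switch` idea, as an added OCaml sketch that is not part of this thread or of any MirageOS library: `Fake_block` and its operations are hypothetical, its backing store is a constructed stand-in for a real device, and it assumes the `lwt` and `lwt.unix` packages.

```ocaml
(* The device tracks its own state and every operation answers
   `Error `Disconnected once it has been torn down; teardown is hooked
   to an optional Lwt_switch so main.ml can turn off all devices at once.
   Fake_block is a constructed stand-in, not a MirageOS library. *)
open Lwt.Infix

module Fake_block = struct
  type t = {
    mutable state : [ `Connected | `Disconnected ];
    store : Bytes.t;  (* constructed backing store *)
  }

  (* The single place where the state check lives. *)
  let guard t f =
    match t.state with
    | `Disconnected -> Lwt.return (Error `Disconnected)
    | `Connected -> f ()

  (* Idempotent: a second disconnect is harmless, unlike closing an FD twice. *)
  let disconnect t =
    t.state <- `Disconnected;
    Lwt.return_unit

  let connect ?switch size =
    let t = { state = `Connected; store = Bytes.make size '\000' } in
    Lwt_switch.add_hook switch (fun () -> disconnect t);
    Lwt.return t

  let read t ~off buf =
    guard t (fun () ->
        Bytes.blit t.store off buf 0 (Bytes.length buf);
        Lwt.return (Ok ()))

  let write t ~off buf =
    guard t (fun () ->
        Bytes.blit buf 0 t.store off (Bytes.length buf);
        Lwt.return (Ok ()))
end

let () =
  Lwt_main.run begin
    let switch = Lwt_switch.create () in
    Fake_block.connect ~switch 16 >>= fun dev ->
    Fake_block.write dev ~off:0 (Bytes.of_string "hi") >>= fun r1 ->
    assert (r1 = Ok ());
    (* main.ml-style teardown: the switch runs every disconnect hook. *)
    Lwt_switch.turn_off switch >>= fun () ->
    Fake_block.read dev ~off:0 (Bytes.create 2) >|= fun r2 ->
    assert (r2 = Error `Disconnected)
  end
```

After `turn_off`, no caller can reach the backing store, which is the uniform `Disconnected story the thread argues for without relying on undefined behaviour.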