Marcus Brinkmann wrote:

> Capabilities to resources outside of the persistent core (device
> drivers, external filesystems, network) have to be invalidated on
> recover.
>
> This will make the applications that rely on them get a fault, which
> they can handle by reconnecting (and then verifying their consistency
> requirements!) or by terminating.
Yes, this may work as soon as the application tries to perform an action on the given capability, but what if it was just waiting for data to be available? Will the system send such applications a fault at system restart?

Then, in this case, how does the application know which capabilities have to be reconnected? (Is it possible for it to know which of its capabilities refer to something outside the persistent core?)

And what if the system crashes again, but has taken its last snapshot during application reconnection? (Well, such a reconnection may take a long time...) Will an application that is in its recovery fault handler receive the fault another time?

And what if one finds a way to deterministically crash the system, and starts a task which will crash it just after a snapshot? Or, worse, after twenty days, just after a snapshot, and every time it receives the system recovery fault, and every time the date is set over task start time + 20 days?

Thanks,
Emmanuel
