[Openmcl-devel] process-run-function and mach ports usage

Robert P. Goldman rpgoldman at sift.info
Thu Feb 24 05:28:29 PST 2011


Not only that, but if you are slow to market, your company dies.

I was peripherally involved with some people trying to do high reliability os development for avionics, and as far as I can tell no one wants to pay what this kind of software engineering really costs. Not even in industries that are safety critical.

On Feb 23, 2011, at 23:56, Ron Garret <ron at flownet.com> wrote:

> The problem is that the market for operating systems is very different than the market for bridges.  Notwithstanding the odd comp.risks horror story, in general when an OS leaks resources people may be inconvenienced, but they don't die.
> 
> On Feb 23, 2011, at 9:02 PM, Shannon Spires wrote:
> 
>> Wow. This little exchange was a mind-blower. My jaw is hanging open. My naive, childish illusions of software competence have been dashed.
>> 
>> If bridges were built with this level of professionalism, people would die and engineers would be jailed.
>> 
>> I've heard that "the difference between a Porsche and a Ferrari is that the Porsche was designed by people who went to college." All this time, I had sort of assumed
>> Porsche:Ferrari :: Apple:Microsoft.
>> 
>> Guess not. 
>> 
>> It's time somebody wrote an operating system with the same degree of engineering rigor that Germans use to design cars. Are we yet tired enough of this kind of crap to do something about it?
>> 
>> 
>> [Gary wrote:]
>> 
>>> Apple's documentation for mach_thread_self() (see
>>> 
>>> <http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/osfmk/man/mach_thread_self.html?txt>)
>>> 
>>> doesn't seem to explicitly state that that function increments the
>>> port's send reference count (though it certainly seems to.)  The GNU
>>> Hurd documentation does state this, but warns the user that
>>> mach_thread_self() allows the reference count to silently wrap around
>>> (wrap around 2^32 ?  what ?) without error and that the reference count
>>> shouldn't be decremented if this overrun might have happened.
>>> 
>>> This stuff escaped from a lab somewhere; the fact that it's been
>>> lurching around the countryside frightening villagers as long as it
>>> has is pretty sad.
>>> 
>>> I don't care what a thread's Mach port's send right's reference count
>>> is.  I do care that thread creation doesn't leak kernel resources, and
>>> because if this nonsense it does.
>>> 
>> 
>> [then mikel evins wrote:]
>> 
>>> However, during the investigation, we ended up talking over the issues with Avie Tevanian, who was the boss of that stuff at NeXT at that time, and who was before that involved in the design and construction of Mach at CMU. What struck me about the conversations was that Avie said Mach was designed to leak certain resources because allowing them to leak avoided some costly houskeeping, and in "normal use" the leaks would not be a problem. Mach's designers simply assumed that systems would be rebooted often enough to prevent any issues arising.
>>> 
>>> I remember that he seemed slightly put out that NeXT customers would use system calls in a way that violated that assumption.
>> 
>> 
>> _______________________________________________
>> Openmcl-devel mailing list
>> Openmcl-devel at clozure.com
>> http://clozure.com/mailman/listinfo/openmcl-devel
> 
> _______________________________________________
> Openmcl-devel mailing list
> Openmcl-devel at clozure.com
> http://clozure.com/mailman/listinfo/openmcl-devel



More information about the Openmcl-devel mailing list