Comments on: failure is not an option http://shaver.off.net/diary/2008/04/16/failure-is-not-an-option/ noise from signal Thu, 10 Nov 2011 07:05:56 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: VanillaMozilla http://shaver.off.net/diary/2008/04/16/failure-is-not-an-option/comment-page-1/#comment-139186 VanillaMozilla Fri, 18 Apr 2008 13:50:14 +0000 http://shaver.off.net/diary/?p=3891#comment-139186 <p>Exploiting a null pointer? I really don't understand how this can still happen in the 21st century. It's really time for computer languages to be strongly typed, to make sure null pointers really are null, and never to dereference null pointers. This should NEVER be left up to the programmer.</p> Exploiting a null pointer? I really don’t understand how this can still happen in the 21st century. It’s really time for computer languages to be strongly typed, to make sure null pointers really are null, and never to dereference null pointers. This should NEVER be left up to the programmer.

]]> By: Jonathan Watt http://shaver.off.net/diary/2008/04/16/failure-is-not-an-option/comment-page-1/#comment-139179 Jonathan Watt Thu, 17 Apr 2008 09:37:58 +0000 http://shaver.off.net/diary/?p=3891#comment-139179 <p>OOM may basically be a hard failure today for small allocations, but those are less likely to fail. For the more high risk, larger allocations, I think we probably do a good job of checking and are much less likely to hard fail. I'm glad to hear we'll at least still be able to still handle these points gracefully. ;-)</p> OOM may basically be a hard failure today for small allocations, but those are less likely to fail. For the more high risk, larger allocations, I think we probably do a good job of checking and are much less likely to hard fail. I’m glad to hear we’ll at least still be able to still handle these points gracefully. ;-)

]]> By: shaver http://shaver.off.net/diary/2008/04/16/failure-is-not-an-option/comment-page-1/#comment-139178 shaver Thu, 17 Apr 2008 08:55:16 +0000 http://shaver.off.net/diary/?p=3891#comment-139178 <p>We will be able to try to handle OOM gracefully, where it makes sense to do so and we can be very sure that we're going to do the right thing, which is why the jemalloc_canfail API has been requested in bug 427109. OOM is basically a hard failure today, in that you're virtually certain to crash after really hitting OOM, because not everything checks returns well enough. Whack-a-mole on those bugs is the wrong approach.</p> <p>For mobile, I think our strategy will more likely be "detect low mem/quota limit, purge caches, try again", which can be done within an allocator wrapper. Resource limiting is likely to be more effective for us, and safer, than trying to make all of our allocation paths handle "unwind safely, hope enough gets freed, and resume" -- especially if we want to be doing error reporting.</p> We will be able to try to handle OOM gracefully, where it makes sense to do so and we can be very sure that we’re going to do the right thing, which is why the jemalloc_canfail API has been requested in bug 427109. OOM is basically a hard failure today, in that you’re virtually certain to crash after really hitting OOM, because not everything checks returns well enough. Whack-a-mole on those bugs is the wrong approach.

For mobile, I think our strategy will more likely be “detect low mem/quota limit, purge caches, try again”, which can be done within an allocator wrapper. Resource limiting is likely to be more effective for us, and safer, than trying to make all of our allocation paths handle “unwind safely, hope enough gets freed, and resume” — especially if we want to be doing error reporting.

]]> By: Jonathan Watt http://shaver.off.net/diary/2008/04/16/failure-is-not-an-option/comment-page-1/#comment-139177 Jonathan Watt Thu, 17 Apr 2008 08:40:49 +0000 http://shaver.off.net/diary/?p=3891#comment-139177 <p>So have we given up on the idea of failing gracefully and trying to carry on when we hit an OOM condition? Of course, you can never hope to get to a state where you will recover from all OOM conditions, but there are cases where I think we really want to try. SVG filters jump out as a good example. With our new mobile effort I'd think handling OOM gracefully would be especially important.</p> <p>I'd also think that making OOM a hard failure will allow any malicious Web page to crash the browser trivially.</p> <p>You mention up sides of switching to making OOM a hard failure, but I think there are down sides too.</p> So have we given up on the idea of failing gracefully and trying to carry on when we hit an OOM condition? Of course, you can never hope to get to a state where you will recover from all OOM conditions, but there are cases where I think we really want to try. SVG filters jump out as a good example. With our new mobile effort I’d think handling OOM gracefully would be especially important.

I’d also think that making OOM a hard failure will allow any malicious Web page to crash the browser trivially.

You mention up sides of switching to making OOM a hard failure, but I think there are down sides too.

]]>