Home » Mailing list archives » freebsd-current » 2008 » January » 4

Re: sbrk(2) broken

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Robert Watson <rwatson@...>
To: Dag-Erling Smørgrav <des@...>
Cc: <freebsd-current@...>, Jason Evans <jasone@...>, Poul-Henning Kamp <phk@...>
Subject: Re: sbrk(2) broken
Date: Thursday, January 3, 2008 - 8:26 pm

On Thu, 3 Jan 2008, Dag-Erling Sm=F8rgrav wrote:

rom=20
=20
=20
e=20
=20

The issue here was that there were a number of reports that out-of-control=
=20
applications were toasting systems that weren't getting toasted under 6.x. =
 I=20
experienced this on my web server, but the ports build cluster has been=20
running into it for months.  The symptom is that a single application exhau=
sts=20
swap, causing all sorts of things to break (tm), killing of other large=20
processes, etc.  To be clear, in the new world order, instead of getting NU=
LL=20
back from malloc(3), SIGKILL is delivered to large processes.

When I e-mailed Jason Evans and Alan Cox about it, I suggested that we=20
actually teach malloc(3) to enforce an allocation limit itself by querying =
a=20
limit once at process startup, and then using its own accounting to decide=
=20
when to start failing requests.  As an alternative model that would require=
=20
some more infrastructural changes, I suggested a new mmap() flag that hinte=
d=20
to the kernel that the page should count against a swap/anonymous memory=20
limit, but that we should avoid more serious changes at the last minute bef=
ore=20
a release.  Alan suggested the the model Jason ended up implementing as a=
=20
lower risk way to restore the 6.x resource limits non-disruptively.  As it=
=20
turned out, this proved much more complicated than expected.

The right answer is presumably to introduce a new LIMIT_SWAP, which limits =
the=20
allocation of anonymous memory by processes, and size it to something like =
90%=20
of swap space by default.  Since that won't be happening before 7.0, I beli=
eve=20
the consensus is to simply not MFC the changes for 7 and proceed with the=
=20
release.  However, having a resource limit on swap use in order to prevent =
the=20
above scenario is actually quite important: SIGKILL of arbitrary processes =
is=20
not a good way to deal with one run-away process, and the virtual memory si=
ze=20
limit, while also useful, prevents you from limiting the allocation of swap=
=20
without also limiting memory mapping.  So wouldn't help, for example, to li=
mit=20
swap used by a web cache that memory mapped cache files.

Robert N M Watson
Computer Laboratory
University of Cambridge
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
sbrk(2) broken, Jason Evans, (Thu Jan 3, 2:38 am)
Re: sbrk(2) broken, Andrey Chernov, (Fri Jan 4, 8:21 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Fri Jan 4, 8:57 am)
Re: sbrk(2) broken, Andrey Chernov, (Fri Jan 4, 9:12 am)
Re: sbrk(2) broken, David Taylor, (Fri Jan 4, 9:25 am)
Re: sbrk(2) broken, Andrey Chernov, (Fri Jan 4, 10:22 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Fri Jan 4, 9:28 am)
Re: sbrk(2) broken, Kostik Belousov, (Thu Jan 3, 4:39 pm)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Thu Jan 3, 3:21 pm)
Re: sbrk(2) broken, Robert Watson, (Thu Jan 3, 8:26 pm)
Re: sbrk(2) broken, Igor Mozolevsky, (Fri Jan 4, 6:41 am)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 7:19 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 6:55 am)
Re: sbrk(2) broken, Igor Mozolevsky, (Fri Jan 4, 7:18 am)
Re: sbrk(2) broken, Giorgos Keramidas, (Fri Jan 4, 11:26 pm)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 8:45 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Fri Jan 4, 8:53 am)
Re: sbrk(2) broken, Igor Mozolevsky, (Fri Jan 4, 9:03 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 9:12 am)
Re: sbrk(2) broken, Kostik Belousov, (Fri Jan 4, 9:48 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Mon Jan 7, 5:08 am)
Re: sbrk(2) broken, Peter Jeremy, (Mon Jan 7, 5:58 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Mon Jan 7, 6:05 am)
Re: sbrk(2) broken, Igor Mozolevsky, (Mon Jan 7, 9:15 am)
Re: sbrk(2) broken , Poul-Henning Kamp, (Mon Jan 7, 9:18 am)
Re: sbrk(2) broken, Andrew Reilly, (Mon Jan 7, 7:19 pm)
Re: sbrk(2) broken, Igor Mozolevsky, (Mon Jan 7, 8:06 pm)
Re: sbrk(2) broken , Poul-Henning Kamp, (Mon Jan 7, 8:17 pm)
Re: sbrk(2) broken, Peter Schuller, (Mon Jan 7, 9:37 pm)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Tue Jan 8, 2:36 pm)
Re: sbrk(2) broken, Peter Schuller, (Wed Jan 9, 2:22 pm)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Thu Jan 10, 6:04 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Thu Jan 10, 10:31 am)
Re: sbrk(2) broken, Igor Mozolevsky, (Mon Jan 7, 8:57 pm)
Re: sbrk(2) broken , Poul-Henning Kamp, (Tue Jan 8, 4:31 am)
Re: sbrk(2) broken, Alexander Kabaev, (Mon Jan 7, 10:34 pm)
Re: sbrk(2) broken, Andrew Reilly, (Mon Jan 7, 8:28 pm)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 9:24 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Sat Jan 5, 9:50 am)
Re: sbrk(2) broken, Kris Kennaway, (Fri Jan 4, 7:31 am)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 7:22 am)
Re: sbrk(2) broken, Igor Mozolevsky, (Fri Jan 4, 7:30 am)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 7:38 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 8:48 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 5:32 am)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 7:06 am)
Re: sbrk(2) broken, Skip Ford, (Fri Jan 4, 9:54 am)
Re: sbrk(2) broken, Kostik Belousov, (Fri Jan 4, 9:59 am)
Re: sbrk(2) broken, Skip Ford, (Fri Jan 4, 10:11 am)
Re: sbrk(2) broken, Kostik Belousov, (Fri Jan 4, 10:18 am)
Re: sbrk(2) broken, Skip Ford, (Fri Jan 4, 10:58 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Sat Jan 5, 10:01 am)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 8:34 am)
Re: sbrk(2) broken, Robert Watson, (Fri Jan 4, 9:26 am)
Re: sbrk(2) broken , Ian FREISLICH, (Fri Jan 4, 2:27 am)
Re: sbrk(2) broken, Peter Jeremy, (Fri Jan 4, 5:51 am)
Re: sbrk(2) broken, Kostik Belousov, (Fri Jan 4, 8:47 am)
Re: sbrk(2) broken, Scott Long, (Thu Jan 3, 6:23 pm)
Re: sbrk(2) broken, John Baldwin, (Thu Jan 3, 6:46 pm)
Re: sbrk(2) broken, Scott Long, (Thu Jan 3, 7:08 pm)
Re: sbrk(2) broken, Robert Watson, (Thu Jan 3, 8:31 pm)
Re: sbrk(2) broken, Peter Schuller, (Thu Jan 3, 5:00 pm)
Re: sbrk(2) broken, Jason Fesler, (Thu Jan 3, 5:08 pm)
Re: sbrk(2) broken, Dag-Erling Smørgrav, (Fri Jan 4, 5:07 am)
Re: sbrk(2) broken, Tim Kientzle, (Fri Jan 4, 1:55 pm)
ELF dynamic loader name [was: sbrk(2) broken], Maxim Sobolev, (Fri Jan 4, 5:25 pm)
Re: ELF dynamic loader name [was: sbrk(2) broken], Peter Wemm, (Fri Jan 4, 5:42 pm)
Re: ELF dynamic loader name [was: sbrk(2) broken], Tim Kientzle, (Fri Jan 4, 11:51 pm)
Re: ELF dynamic loader name, Dag-Erling Smørgrav, (Sat Jan 5, 10:16 am)
Re: ELF dynamic loader name, Tim Kientzle, (Sun Jan 13, 3:33 pm)
Re: ELF dynamic loader name, John Baldwin, (Mon Jan 14, 9:51 am)
Re: ELF dynamic loader name, Dag-Erling Smørgrav, (Sun Jan 13, 3:48 pm)
Re: ELF dynamic loader name, John Baldwin, (Mon Jan 14, 9:46 am)
Re: ELF dynamic loader name, Alexander Leidinger, (Mon Jan 14, 7:03 am)
Re: ELF dynamic loader name [was: sbrk(2) broken] , Danny Braniss, (Sat Jan 5, 3:32 am)
Re: ELF dynamic loader name [was: sbrk(2) broken], Peter Wemm, (Sat Jan 5, 6:24 pm)
Re: ELF dynamic loader name [was: sbrk(2) broken] , Danny Braniss, (Sun Jan 6, 3:56 am)
Re: ELF dynamic loader name [was: sbrk(2) broken], Andrew Reilly, (Sun Jan 6, 4:42 pm)
Re: ELF dynamic loader name, Dag-Erling Smørgrav, (Mon Jan 7, 5:42 am)
Re: ELF dynamic loader name, Andrew Reilly, (Mon Jan 7, 7:30 pm)
Re: ELF dynamic loader name, Dag-Erling Smørgrav, (Tue Jan 8, 5:27 am)
Re: ELF dynamic loader name [was: sbrk(2) broken], Maxim Sobolev, (Fri Jan 4, 7:42 pm)
Re: ELF dynamic loader name [was: sbrk(2) broken], Maxim Sobolev, (Fri Jan 4, 7:38 pm)
Re: ELF dynamic loader name, Dag-Erling Smørgrav, (Sat Jan 5, 10:03 am)
Re: ELF dynamic loader name, Ollivier Robert, (Sat Jan 5, 4:56 pm)