A> In article <D51Auz....@nntpa.cb.att.com>, Vivek Kalra

A> Well, when there aren't even 6 bytes free, it's not unlikely for the
A> process might also dump code because it couldn't build a stack frame to
A> call strcpy.  So there we are again: You can't eliminate asynchronous
A> out-of-memory situations.

Add a system call?  Maybe call it allocstack(); it must run before
anything important.

A> Or if your process is the one that uses all that memory, root might find
A> out and rlimit your process down so the other users can get anything done:
A> BANG says your process, asynchronously.

What if root can't even log in?  There should be a user priority.
When there is a shortage, instead of killing the process that needs
a page, kill processes in a specific order:

1. Normal processes die before root processes
2. Users using more than x pages of memory get processes killed
3. Remote logins are logged out; processes are killed
4. Restartable servers are first root processes to get killed
5. A small list of vital programs are kept, else panic
--

Albert Cahalan
alb...@ccs.neu.edu

Hmm, I can't really tell if it's POSIX or not (I don't have an
ANSI C manual, but then, malloc is a UNIX library call originally,
and thus isn't under the authority of ANSI C).  The POSIX manual
I have just says malloc returns NULL if the memory is not available,
but it doesn't say if this is physical+swap memory or just virtual
memory.

Plus, malloc works by calling brk usually, and this just increases the
size of the data segment (by just modifying the number that says what
the end is).  Now brk can't go and verify that this new memory
actually exists, because there will be real applications that depend
upon a very large virtual address space, but won't necessarily use
that much swap (ie, a lisp process that grabs all of virtual memory
then manages it itself).

So to change this, malloc needs to be changed to verify the memory
after brk is called.  It's a malloc problem, and not an OS problem.
Thus, complain to GNU, not Linux.
--
Darin Johnson
djohn...@ucsd.edu
    "You used to be big."
    "I am big.  It's the pictures that got small."

In article <D5549D....@nntpa.cb.att.com>,

Subject to the parts you've omitted, that paragraph allows linux'
current behaviour: "space" isn't defined.  If space isn't defined or
is explicitly defined as address space, linux gets it right.  If
space is explicitly defined as current ram+swap that hasn't been
promised to this or any other process, linux gets it wrong.
(Current, because it's possible to swapon another partition or file
when swap gets tight.)

--Arnt

In article <3j57hb$...@foo.autpels.nl>,

Not so difficult, but it would have the disadvantage that it a fork
bomb or similar eat-all-ram bug would also kill the file system with
the new swap file.  This was trashed out in a long flamewar two and
a half years ago.

The practical lesson is simple: Allocate enough swap that the
machine will crawl before it exhausts swap.

--Arnt

In article <3itc77$...@ninurta.fer.uni-lj.si>,

Too late...

Anyway, it's not a simple matter of just checking how much free memory
there is: people seem to be completely unaware of how hard a problem
this actually is.

Please, read any book about resource dead-locks etc, and you'll find
that these dead-locks *can* be resolved, but at the cost of

 - efficiency (to be sure you can handle any dead-lock, you'll have to
   do a *lot* of work).
 - usability (to make sure you never get any dead-lock, you have to say
   no to somebody, and you'll have to say "no" a *lot* earlier than most
   people seem to think).

In the case of the memory handling, actually counting pages isn't that
much of an overhead (we just have one reasource, and one page is as good
as any and they don't much depend on each other, so the setup is
reasonably simple), but the usability factor is major.

As it stands, you can add these lines to your /etc/profile:

        ulimit -d 8192
        ulimit -s 2048

and it will limit your processes to 8MB of data space, and 2MB of stack.

And no, it doesn't guarantee anything at all, but hey, your malloc()
will return NULL.

Personally, I consider the linux mm handling a feature, not a bug (hmm..
I wrote it, so that's not too surprising).  People can whine all they
want, but please at least send out patches to fix it at the same time.
You'll find that some people definitely do *not* want to use your
patches.

Handling malloc() together with fork() makes for problems, adding the
problem of the stack space makes it worse, and adding the complexity of
private file mappings doesn't help.  Before complaining, *please* think
about at least the following example scenarios (and you're allowed to
think up more of your own):

1) a database process maps in a database privately into memory.  The
   database is 32MB in size, but you only have 16MB free memory/swap.
   Do you accept the mmap()?

 - The database program probably doesn't re-write the database in memory:
   it may change a few records in-core, but the number of pages it needs
   might be less than 10 (the pages it doesn't modify don't count as
   usage, as we can always throw them out when we want the memory back).

 - on the other hand, how does the kernel *know*? It might be a program
   that just mmap()'s something and then starts writing to all the
   pages.

2) GNU emacs (ugh) wants to start up a shell script.  In the meantime,
   GNU emacs has (as it's wont to do) grown to 17 MB, and you obviously
   don't have much memory left. Do you accept the fork?

 - emacs will happily do an exec afterwards, and will actually use only
   10 pages before that in the child process (stack, mainly).  Sure, let
   it fork().

 - How is the kernel supposed to know that it will fork? No way can it
   fork, as we don't have the potential 17MB of memory that now gets
   doubled.

 - vfork() isn't an option.  Trust me on this one.  vfork is *ugly*.
   Besides, we might actually want to run the same process concurrently.

3) you have a nice quiescent little program that uses about 100kB of
   memory, and has been a good little boy for the last 5 minutes.  Now
   it obviously wants to do something, so it forks 10 times.  Do we
   accept it?

 - hell yes, we have 10MB free, and 10 forks of this program only uses
   about a megabyte of that.  Go ahead.

 - hell, no: what if this nice little program just tried to make us feel
   secure, and after the forks turns into the Program From Hell (tm)? It
   might get into a recursive loop, and start eating up stack space.
   Wheee..  Our 10MB of memory are gone in 5 seconds flat, and the OS is
   left stranded wondering what the hell hit it.

4) You have a nice little 4MB machine, no swap, and you don't run X.
   Most programs use shared libraries, and everybody is happy.  You
   don't use GNU emacs, you use "ed", and you have your own trusted
   small-C compiler that works well.  Does the system accept this?

 - why, of course it does. It's a tight setup, but there's no panic.

 - NO, DEFINITELY NOT.  Each shared library in place actually takes up
   600kB+ of virtual memory, and the system doesn't *know* that nothing
   starts using these pages in all the processes alive.  Now, with just
   10 processes (a small make, and all the deamons), the kernel is
   actually juggling more than 6MB of virtual memory in the shared
   libraries alone, although only a fraction of that is actually in use
   at that time.

It's easy to make malloc() return NULL under DOS: you just see if you
have any of the 640kB free, and if you have, it's ok.

It's easy to make malloc() return NULL under Windows: there is no fork()
system call, and nobody expects the machine to stay up anyway, so who
cares? When you say "I wrote a program that crashed Windows", people
just stare at you blankly and say "Hey, I got those with the system,
*for free*".

It's also easy to make malloc() return NULL under some trusted large
UNIX server: people running those are /expected/ to have an absolute
minimum of 256MB of RAM, and double that of swap, so we really can make
sure that any emacs that wants to fork() must have the memory available
(if you're so short of memory that 17MB is even close to tight, it's ok
to say that emacs can't fork).

It's *not* easy to say no to malloc() when you have 8-32MB of memory,
and about as much swap-space, and fork/mmap/etc works.  You can do it,
sure, but you'd prefer a system that doesn't.

                Linus

   ... Subject to the parts you've omitted, that paragraph allows linux'
   current behaviour: "space" isn't defined.  If space isn't defined or
   is explicitly defined as address space, linux gets it right.

IMHO Linux gets it wrong, but rather than listen to unsubtantiated
opinions how about clearly describing the current situation wrt to
Linux malloc and sending it to comp.std.c so the various language
lawyers there can fight over it?  If the result isn't clear then it is
possible that one of said lawyers will submit an official request for
clarification to settle the problem.

In article <BEVAN.95Mar10103...@panther.cs.man.ac.uk>, be...@cs.man.ac.uk (Stephen J Bevan) writes:

|> In article <3jm0ua$...@due.unit.no> agul...@nvg.unit.no (Arnt Gulbrandsen) writes:
|>    ... Subject to the parts you've omitted, that paragraph allows linux'
|>    current behaviour: "space" isn't defined.  If space isn't defined or
|>    is explicitly defined as address space, linux gets it right.

|> IMHO Linux gets it wrong, but rather than listen to unsubtantiated
|> opinions how about clearly describing the current situation wrt to
|> Linux malloc and sending it to comp.std.c so the various language
|> lawyers there can fight over it?  If the result isn't clear then it is
|> possible that one of said lawyers will submit an official request for
|> clarification to settle the problem.

I think comp.std.c is the wrong group, since ANSI C does not know
anything about ram and swap, it only talks about a virtual machine
that may have a totally different view of storage or space.  It's
rather a POSIX question.
--
Andreas Schwab                                      "And now for something
sch...@issan.informatik.uni-dortmund.de              completely different"

In article <ALBERT.95Mar10020...@snowdon.ccs.neu.edu>, alb...@snowdon.ccs.neu.edu (Albert Cahalan) writes:

|>>>>>> "LT" == Linus Torvalds <torva...@cc.Helsinki.FI> writes:
|LT> 2) GNU emacs (ugh) wants to start up a shell script.  In the meantime, GNU
|LT> emacs has (as it's wont to do) grown to 17 MB, and you obviously don't
|LT> have much memory left. Do you accept the fork?

|LT> - emacs will happily do an exec afterwards, and will actually use only 10
|LT> pages before that in the child process (stack, mainly).  Sure, let it
|LT> fork().

|LT> - How is the kernel supposed to know that it will fork? No way can it
|LT> fork, as we don't have the potential 17MB of memory that now gets doubled.

|> Why must fork() and exec() be used?  It would be better to have a spawn()
|> that would produce the same result by a different method.

With spawn you cannot change the environment of the child without
affecting the parent, unless you save and restore it around the call.
For example, redirections: you have to save the original meaning of
stdin and stdout before redirecting it for the child.  It can be done,
but you have to rewrite every program that forks a filter, at least.
--
Andreas Schwab                                      "And now for something
sch...@issan.informatik.uni-dortmund.de              completely different"

 >My concept of malloc() is that once a process calls it, if the OS (in the
 >sense of the OS + library) returns a non-NULL pointer, the OS would have
 >committed a block of memory to the process, no matter it is dirtied or
 >not.

It's surely a bad point about Linux.  And the problem is not limited
to malloc() nor stack.

Even if you cleared out all of pages returned by malloc(), still your
program can fail (i.e. after fork()).  Or even if you don't use malloc()
at all, your program may fail at any write operation to memory, if it
is the first write to that page.  Resource limit doesn't help at all,
because the memory shortage may be caused by other processes.

The problem is tightly coupled with many optimizations in the Linux kernel
(such as lazy allocation of pages and sharing user pages with buffers).

Linux uses memory very efficiently, but on the other hand there is no
guarantee of safe execution of programs because it's too optimistic in
allocating memory.  Important system processes can die unexpectedly on
write to not-yet-written page.  (In reality, Linux doesn't kill
processes so easily.  It tries very hard finding free page and the
system almost locks up).

We could get more robust system if Linux stops sharing pages and
assigns backing store block for every page (a la classic BSD systems).
But such an allocation scheme is too pesimistic and unacceptably
inefficient.

Personally I prefer efficiency over robustness when I use Linux at
home.  But I wish someday Linux can get both of them.

`Reserving' pages at fork/malloc, as Bodo Moeller mentioned in
<3jk6fa$...@rzsun02.rrz.uni-hamburg.de>, sounds like a nice idea.
This way we give up using copy-on-write as space optimization, but
still we can get a speed gain from c-o-w.  It is nicer if we can
choose between optimistic/pesimistic memory allocation scheme in a
process basis, as well as system default behavior.

Possiblly adding RLIMIT_RESERVE_PERCENTAGE or UL_RESERVE_PERCENTAGE
could be the ultimate solution?  Setting this parameter to zero, Linux
allocates a page only when it is needed (i.e. first write).  Setting
this to 100, Linux reserves (but not assigns) all pages when required
(e.g. by sbrk() or fork()) so that processs can run safely.  Setting
this param to, say, 30 makes Linux assume 30% of process memory is
actually written.
                                --mad

LT> 2) GNU emacs (ugh) wants to start up a shell script.  In the meantime, GNU
LT> emacs has (as it's wont to do) grown to 17 MB, and you obviously don't
LT> have much memory left. Do you accept the fork?

LT>  - emacs will happily do an exec afterwards, and will actually use only 10
LT> pages before that in the child process (stack, mainly).  Sure, let it
LT> fork().

LT>  - How is the kernel supposed to know that it will fork? No way can it
LT> fork, as we don't have the potential 17MB of memory that now gets doubled.

Why must fork() and exec() be used?  It would be better to have a spawn()
that would produce the same result by a different method.
--

Albert Cahalan
alb...@ccs.neu.edu