By: Etienne Lorrain, March 18, 2021 2:31 am
Room: Moderated Discussions
anon2 on March 17, 2021 3:46 am wrote:
> Why not make a robust secure microlibc that can crash and restart without bringing the system down? Users
> of the service simply have to be prepared to handle errors from various calls indicating that the service
> had to be restarted then they simply have to re-register all their current memory allocations with the malloc
> service and they'll be back up and running completely transparently, totally 100% secure and robust.
> /s

Because there are too many ways to crash; restart cannot handle them.
Let's talk about "puts("Hello world");"
The "print a string" microservice failed; how to restart?
- Did the previous failed service already output some chars? Half the string maybe?
- Did the previous failed service use a hardware buffer optimisation like the transmit queue of the UART? Have some chars already been transmitted because the "ClearToSend" physical line has been true for two and a half chars?
- Did the previous failed service encounter an ECC error inside the string, or did it crash and modify the string to print inside the memory, so that the request has to be re-generated?
- Did the previous failed service already allocate some intermediate buffer? Did it enable the interrupt line, or decide to use polling?
- Did the previous failed service try to print to a non-existent serial line and just not bother, ignoring the failure?
- Did someone unplug the physical serial line in the middle of the string being printed?
- Did the string contain invalid UTF-8 chars?
- Is the current UART set up to only transmit 7-bit chars, and one char has the eighth bit set?
- Was there an ECC error in the code of the driver?
- A combination of the above?
In a monolithic kernel, the driver knows the failure and tries to handle it by itself; if it cannot, then there is no real point in trying anything else.
You could set an extremely simple interface to the microkernel, like only outputting a single char at a time, and physically protecting that char by putting that argument in a read-only page, but that will slow things down considerably.
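To make the partial-output problem concrete, here is a small simulation (an added example, not code from the poster or the thread; `Uart`, `print_string` and `print_char` are constructed stand-ins for a device and the microservice). A client that retries a whole-string request after the service crashed duplicates whatever had already gone out, because nothing tells it how far the dead service got; the one-char-at-a-time interface mentioned above resumes exactly, but pays one request per character.

```python
class ServiceCrashed(Exception):
    """Raised by the simulated 'print' microservice when it dies mid-request."""


class Uart:
    """Constructed stand-in for the output device: records every char and every request."""
    def __init__(self):
        self.sent = []
        self.requests = 0


def print_string(uart, s, crash_after=None):
    """Whole-string interface. Emits chars one by one; if crash_after is set,
    the service dies after that many chars have already reached the device."""
    uart.requests += 1
    for i, ch in enumerate(s):
        if i == crash_after:
            raise ServiceCrashed  # partial output is already on the wire
        uart.sent.append(ch)


def print_char(uart, ch, crash=False):
    """Single-char interface: the request either fully succeeds or leaves no output."""
    uart.requests += 1
    if crash:
        raise ServiceCrashed
    uart.sent.append(ch)


def client_whole_string(s, crash_after):
    """Client retries the whole request after a restart; it cannot know how much
    of the string the dead service had already output, so the retry duplicates it."""
    uart = Uart()
    try:
        print_string(uart, s, crash_after)
    except ServiceCrashed:
        print_string(uart, s)  # restarted service, same request again
    return "".join(uart.sent), uart.requests


def client_per_char(s, crash_at):
    """Client sends one char per request, so a retry resumes at exactly the failed char."""
    uart = Uart()
    for i, ch in enumerate(s):
        try:
            print_char(uart, ch, crash=(i == crash_at))
        except ServiceCrashed:
            print_char(uart, ch)  # retry only the char that did not make it
    return "".join(uart.sent), uart.requests
```

`client_whole_string("Hello", 3)` yields the garbled `"HelHello"` in two requests, while `client_per_char("Hello", 3)` yields `"Hello"` but needs six requests for five characters.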
