SEF: identity transfer only after controlled crash

Transparent (endpoint-preserving) restarts with identity transfer
are meant to exercise the crash recovery system only.  After *real*
crashes, such restarts are useless at best and dangerous at worst,
because no state integrity can be guaranteed afterwards.  Thus,
except after a controlled crash, it is best not to perform such
restarts at all.  This patch changes SEF such that identity transfer
is successful only if the old process was the subject of a crash
induced through "service fi".  As a result, testrelpol.sh should
continue to be able to use identity transfers for testing purposes,
but any real crash will be handled more appropriately.

This fixes #126.

Change-Id: Idc17ac7b3dfee05098529cb889ac835a0cd03ef0

diff --git a/minix/lib/libsys/sef.c b/minix/lib/libsys/sef.c
index 0c593893972675c095c1d440305dd631eb2b3223..b19dd539a227bf2722626104358d90c13c332e8a 100644 (file)
--- a/minix/lib/libsys/sef.c
+++ b/minix/lib/libsys/sef.c
@@ -17,6 +17,7 @@ endpoint_t sef_self_proc_nr;
 int sef_self_priv_flags;
 int sef_self_init_flags;
 int sef_self_receiving;
+int sef_controlled_crash;
 
 /* Extern variables. */
 EXTERN int sef_lu_state;
@@ -84,6 +85,7 @@ void sef_startup()
   sef_self_priv_flags = priv_flags;
   sef_self_init_flags = init_flags;
   sef_lu_state = SEF_LU_STATE_NULL;
+  sef_controlled_crash = FALSE;
   old_endpoint = NONE;
   if(init_flags & SEF_LU_NOMMAP) {
       sys_upd_flags |= SF_VM_NOMMAP;
@@ -139,6 +141,7 @@ void sef_startup()
   sef_self_priv_flags = priv_flags;
   sef_self_init_flags = init_flags;
   sef_lu_state = SEF_LU_STATE_NULL;
+  sef_controlled_crash = FALSE;
 }
 
 /*===========================================================================*

diff --git a/minix/lib/libsys/sef_fi.c b/minix/lib/libsys/sef_fi.c
index 3838fd8f83feb6c21a67ad0c7cc9ebe877ae7632..3f8c0ea93d1c6f0d96b59e675efc02583410d639 100644 (file)
--- a/minix/lib/libsys/sef_fi.c
+++ b/minix/lib/libsys/sef_fi.c
@@ -7,14 +7,18 @@ EXTERN __attribute__((weak)) int edfi_ctl_process_request(void *ctl_request);
 
 EXTERN int do_sef_fi_request(message *m_ptr);
 
+EXTERN int sef_controlled_crash;
+
 /*===========================================================================*
  *                            do_sef_fi_request                             *
  *===========================================================================*/
 int do_sef_fi_request(message *m_ptr)
 {
     /* See if we are simply asked to crash. */
-    if (m_ptr->m_lsys_fi_ctl.subtype == RS_FI_CRASH)
+    if (m_ptr->m_lsys_fi_ctl.subtype == RS_FI_CRASH) {
+        sef_controlled_crash = TRUE;
         panic("Crash!");
+    }
 
 #if SEF_FI_ALLOW_EDFI
     /* Forward the request to the EDFI fault injector, if linked in. */

diff --git a/minix/lib/libsys/sef_init.c b/minix/lib/libsys/sef_init.c
index e3c50ceee984c07d2b6feabf6ea0eb6e9da4ce4a..2262a1651a473b4944ddad077aad127dffc27520 100644 (file)
--- a/minix/lib/libsys/sef_init.c
+++ b/minix/lib/libsys/sef_init.c
@@ -31,6 +31,7 @@ EXTERN char* sef_debug_header(void);
 EXTERN endpoint_t sef_self_endpoint;
 EXTERN endpoint_t sef_self_priv_flags;
 EXTERN endpoint_t sef_self_init_flags;
+EXTERN int sef_controlled_crash;
 
 #ifndef ST_STACK_REFS_BUFF_SIZE
 #define ST_STACK_REFS_BUFF_SIZE           1024
@@ -398,6 +399,12 @@ int sef_cb_init_identity_state_transfer(int type, sef_init_info_t *info)
   /* Restore stack refs. */
   sef_llvm_stack_refs_restore(stack_buff);
 
+  if (sef_controlled_crash == FALSE) {
+      printf("SEF(%d): crash was not controlled, "
+       "aborting transparent restart\n", sef_self_endpoint);
+      return EGENERIC; /* actual error code does not matter */
+  }
+
   return OK;
 }