kernel: Add trait for process restart policies #1565
Conversation
There was a problem hiding this comment.
I have some minor inline naming nits.
Overall, I wonder if this is better to do on a per-process/app basis, rather than an entire kernel. Wouldn't it make more sense to have different policies for different apps than to have a fixed policy for an entire board?
kernel/src/process.rs
Outdated
|
|
||
| /// Implementation of `ProcessRestartPolicy` that unconditionally restarts the | ||
| /// app. | ||
| pub struct PrpAlways {} |
There was a problem hiding this comment.
How about just naming it "AlwaysRestart"?
kernel/src/process.rs
Outdated
| /// Implementation of `ProcessRestartPolicy` that uses a threshold to decide | ||
| /// whether to restart an app. If the app has been restarted more times than the | ||
| /// threshold then the app will no longer be restarted. | ||
| pub struct PrpThreshold { |
kernel/src/process.rs
Outdated
| /// Decide whether to restart the `process` or not. | ||
| /// | ||
| /// Returns `true` if the process should be restarted, `false` otherwise. | ||
| fn evaluate(&self, process: &dyn ProcessType) -> bool; |
There was a problem hiding this comment.
This type signature/name is kind of clunky. If it should return a bool (indicating whether the process should be restarted, maybe it the method should be called should_restart or something.
Alternatively, maybe call it fault_behavior have it return a specialized enum:
enum FaultBehavior {
Restart,
Terminate
}| /// | ||
| /// The provided restart policy is used to determine whether to reset the | ||
| /// app, and can be specified on a per-app basis. | ||
| Restart(&'static dyn ProcessRestartPolicy), |
There was a problem hiding this comment.
Just noting that this is going to add two words of memory to the kernel, regardless of whether this variant is used.
There was a problem hiding this comment.
It will add two words to the process, which we charge to the process's memory region.
|
This is in fact already per-process because yes, that likely makes more sense. The limiting factor is the shared |
|
@bradjc, OK missed that, my bad. So now it's an additional word in memory for each process (not a huge deal), and my only comments are about the name/type-signature |
bradjc
force-pushed
the
process-restart-policy
branch
2 times, most recently
from
25b1279
to
0a887c5
Compare
|
Added a new commit which updates the naming. |
|
Other thoughts? |
This adds a trait so that boards can specify the policy the kernel should use when deciding whether to restart an app or not.
Since restart_count is used in decision making, and not just debugging, it doesn't make sense to leaave it as a debug variable. This promotes it to an actual field in the process struct. Also, remove re-setting the process state if syscall init fails.
bradjc
dismissed stale reviews from hudson-ayers, ppannuto, and alevy
via
ac58cda
bradjc
force-pushed
the
process-restart-policy
branch
from
0a887c5
to
ac58cda
Compare
|
I moved the restart count out of debugging since it is now used for more than just debugging. Also rebased. |
Build succeeded |
1609: ADC Capsule: More work on supporting restarts. r=alevy a=bradjc ### Pull Request Overview This pull request continues to update the ADC capsule to allow applications to restart while using the ADC driver and for the system to continue working afterwards. Highlights of changes: - Handle `InactiveApp` error when checking if a grant region is valid. - Check on `sample_ready()` and `samples_ready()` if the app is still valid, and properly handle it if not. - Check on every command syscall if the app that has exclusive control of the adc driver still exists. - Call stop sampling if a callback from the adc peripheral driver occurs and the app is no longer valid. Note, if/when the ADC capsule is virtualized then this will no longer be an issue. ### Testing Strategy I ran the adc and adc_continuous apps numerous times and used the process console to cause them to fault in various stages of their operation. I can now no longer get the ADC capsule into a state where apps only error. ### TODO or Help Wanted I tested this with a combination of my other PRs #1565 #1566 #1588. Until those are merged this PR/commit alone will not work. ### Documentation Updated - [x] Updated the relevant files in `/docs`, or no updates are required. ### Formatting - [x] Ran `make formatall`. Co-authored-by: Brad Campbell <[email protected]>
If a process's fault response is set to "Restart", then currently that process is unconditionally restarted if it crashes. This PR adds a trait so that boards can specify the policy the kernel should use when deciding whether to restart an app or not. There is an Always option to match what we have now, and I also implemented a very simple threshold approach where an app will only be restarted a certain number of times.
This is part of #1082.
Testing Strategy
I tested this earlier, but need to test with the recent PR merges.
TODO or Help Wanted
Thoughts?
Documentation Updated
/docs, or no updates are required.Formatting
make formatall.