OSDev.org

embryo2 wrote:If the words "a lot of subtle tricks" mean just try-catch-finally blocks, then I strongly disagree. It introduces additional level of indentation and a few extra lines of code, but I just can't call it using words "subtle" or "tricks" (or even "a lot" of such mess).

And Java, like Rust, (or is it more correct to say "Rust like Java"?) also supports so called runtime exceptions, that aren't require a developer to write exception handlers.

embryo2 wrote:How something like C style union can force a developer to write an exception handler?

fn open(path: Path) -> Result<File>;

match open("foo.txt") {
    Ok(file) => { /* file is usable in here */ },
    Err(e) => { /* file could not be opened, error information is in e */ },
}

fn possibly_fail() -> Result<i32> {
    let file = try!(open("foo.txt")); // just pass errors back to the caller
    let x = try!(something_that_could_fail(file));
    let z = match try_something(x) {
        Ok(y) => use(y),
        Err(e) => { /* explicitly handle this error instead of passing it back to the caller */ },
    };
    Ok(y)
}

embryo2 wrote:

Rusky wrote:Another example that Brendan has brought up before is passing in error handling continuations to functions, so that callers are forced, at compile time, to provide handlers for each error condition.

Java way of hiding those additional parameters is more concise.

embryo2 wrote:

Brendan wrote:I mean, the OS starts another instance of the service "somewhere" (on any computer that is still part of the group of computers/cluster). This could be either local or remote. Note: it doesn't matter much where, except for performance. For performance, "where" is a compromise between CPU load and communication overhead; and I'll be adding a little information into the executable's header (e.g. "average amount of processing per request") so that the OS can make a more effective decision. For example; if something uses a massive amount of CPU time but has very little communication then you'd want it on whichever computer has the least work to do (regardless of communication costs), and if something doesn't use much CPU time but communicates a lot then you're going to want it "close" to whatever uses it instead (regardless of existing load on the computer).

If there's no binary for the service on the computer that's chosen; then the OS uses a distributed file system so the computer will just have to fetch the file. More specifically, the computer will try to fetch an "already optimised for this computer" native version of the executable, and if that doesn't exist it will try to fetch the "portable byte-code" version of the executable file and compile it for the specific computer. In either case it will try to cache the executable locally after it's been fetched (to avoid fetching/compiling if its needed again later).

Ok, I see your point. But this algorithm is the exactly the helper I was talking about in previous message. So, instead of "elegant and clean" messaging solution you will have a set of implementations of different helper algorithms, that handles all special cases by defining one algorithm per each case. In the example above we see the cases for service deployment and start-up mixed with load optimization job and the need for software repository. And for each case you have to invent and implement a helper algorithm.

embryo2 wrote:

Brendan wrote:If the user never plugs the cable back in then the application won't recover successfully (because the OS lacks the ability to start a new instance of the service that the application requires).

Yes, the ability to start a backup service is a nice thing. But it has nothing to do with messaging, because the messaging is just one of possible transport protocols below the service level.

Brendan wrote:If the user does plug the cable in then it might recover successfully; but someone is going to have to write code to handle that (e.g. catch to exception and retry) and test to make sure it works properly (the code to handle it doesn't just magically appear out of thin air). Of course in my case the code to handle it doesn't magically appear out of thin air either; but it is built into the kernel and normal/application programmers don't need to do anything.

In my case it is the VM where the handling code is located. If a developer doesn't implement an exception handler, then the VM catches the exception outside of the root thread's method (function) and ensures that there always will be required bookkeeping.

embryo2 wrote:

Brendan wrote:What you can do is minimise the amount of code that processes depend on, that could have bugs.

The minimization only is not a silver bullet. More complex solutions with a lot of code can be more safe than solutions with lesser complexity and code volume. For example a database plus it's client represent a lot of code in total, but such solution is much safer than a freshly invented file based storage, for example.

embryo2 wrote:

Brendan wrote:it still works (even with only 1 computer); it's just less effective. For example (for the "1 computer" case) it would still guard against transient faults, and still guard against RAM faults (because each instance of the service is using different physical pages of RAM); and if the computer has 2 or more CPUs it can guard against one CPU failing (even if that CPU fails while an instance of the service is using it and that instance of the service has to be terminated).

So, it works just partially, for some hardware or some special kinds of problems.

embryo2 wrote:

Brendan wrote:The problem with (e.g.) RPC is that it's synchronous (designed to mimic the behaviour of function calls), which means that you can't just send 10 requests to 10 different computers and do other work while you're waiting for the replies to get all 11 computers doing useful work in parallel. To achieve that with RPC you'd have to spawn 10 new threads and do one "request+reply" RPC on each thread, which ends up causing more overhead (thread creation, thread switching, etc) and is a very ugly (e.g. needing locks and stuff to manage state) and is much more error prone.

In fact your solution also requires locks and stuff to manage state. Every time your message is posted the lock is required to ensure the queue structure (the state) is not corrupted by multiple threads. So, here we see the standard solution is on par with yours. Also the thread creation do not required because of the widely used thread pooling approach. And thread switching also should be implemented in your solution (just because it has threads).

embryo2 wrote:

Brendan wrote:Note that most distributed systems suck - e.g. they require manual configuration and assigned roles, and don't dynamically shift things around to cope with hardware failures or to balance load.

Cloud computing offers dynamic reconfiguration variants. And automatic load balancers are used everywhere. So, your variant isn't the best in this area.

embryo2 wrote:

Brendan wrote:if the OS detects that a user's mouse is due for cleaning it gets added as a low priority job in the "maintenance tool", and when admin/maintenance staff do that job they tell the OS it's been completed.

If an OS is able to automatically detect the need for mouse cleaning, then it should detect the change after the mouse was cleaned. And by the way, such detection isn't a trivial thing.

Rusky wrote:Exception safety means more than just using finally blocks. It means being aware of every point at which your code could be interrupted by an exception, and making sure that such an event would not leave anything in a corrupted state.

Rusky wrote:Java runtime exceptions do not help you here. They are the problem: because they can be caught at any point in the call stack, they can easily expose state corrupted by non-exception-safe code. Rust panics, on the other hand, cannot be caught anywhere- they abort the entire thread. Combined with Rust's rules for how memory can and cannot be shared between threads, this means Rust programs do not need to worry about exception safety- corrupted state is impossible to observe.

Rusky wrote:Rust's "unions" are actually extended enums, and the language does not allow access to their contents without checking which variant they are using.

Rusky wrote:That's the entire problem with exceptions- they hide errors so things fail at runtime instead of forcing the programmer to decide what should be done with them. There are better ways to make things concise than to bury your head in the sand and hope someone farther up the call stack knows what to do.

Brendan wrote:Most of the stuff I mentioned above is just code to start a process, which is more complex in my case because of additional features that typical OS's lack (trying distribute load across multiple computers intelligently, executables as portable byte-code rather than native binaries). However; those additional features have nothing to do with fault tolerance or redundancy or messaging anything else that we've been talking about, and it's unfair to claim my approach to fault tolerance/redundancy/messaging is not clean or elegant because of things that have nothing to do with fault tolerance/redundancy/messaging.

Brendan wrote:As far as programmers writing applications/processes are concerned, the fault tolerance/redundancy is clean and elegant because they don't have to worry about any of it (unlike alternative approaches, where programmers writing applications/processes need to worry about it, and then screw it up half the time).

Brendan wrote:Imagine you're writing a spreadsheet application. You've got a function to calculate the value in a cell, which sends the formula in that cell and the values that the formula depends on to an arbitrary precision maths library and gets the result. The arbitrary precision maths library fails due to a network time-out (because the user unplugged the network cable); and you haven't written any code to handle that failure at all. In this case you're trying to pretend that the VM will automatically recover and the application will behave as if the arbitrary precision maths library didn't fail.

Brendan wrote:Wrong. You're using an extremely misleading/biased comparison (mature code vs. freshly invented) to make false assumptions.

Brendan wrote:Where can I download the "cloud computing" OS that lets all applications use all of the computers on my LAN, with almost no configuration at all?

Brendan wrote:The OS can't detect when the mouse is actually dirty (the hardware lacks that capability).

Brendan wrote:The idea is that a maintenance person spends their day doing whatever the OS's maintenance tool tells them to do; and the OS automates everything it can to avoid the need to employ someone to manage the maintenance people.

embryo2 wrote:

Brendan wrote:As far as programmers writing applications/processes are concerned, the fault tolerance/redundancy is clean and elegant because they don't have to worry about any of it (unlike alternative approaches, where programmers writing applications/processes need to worry about it, and then screw it up half the time).

Yes, the shift of the corresponding code on the side of the kernel or some other framework can help. But the complexity of possible situations prevents you from implementing a solution for all faults, so, a developer still needs the code that handles such cases. And even if your efforts relieve some burden from a developer but I'm still afraid of the situations when developer will be required to understand the internals of your solution just to be able to write an efficient handler of a fault. For example, for an application to behave correctly instead of failing every time when a file isn't found, a developer should understand how your solution will handle such situation (would it connect to the internet and ask the Google about the file?) and how to stop it from doing wrong things.

Your fault tolerance should be defined very strictly, so, that a developer has no chance to be confused by the way your system will behave.

embryo2 wrote:

Brendan wrote:Wrong. You're using an extremely misleading/biased comparison (mature code vs. freshly invented) to make false assumptions.

Ok, if you insist then here is another version - imagine one page of a code with 20 nested ifs and 100 pages of a code with prints only. Both variants can have the same number of bugs despite of the code size.

embryo2 wrote:

Brendan wrote:Where can I download the "cloud computing" OS that lets all applications use all of the computers on my LAN, with almost no configuration at all?

You have no need for downloading anything or even for the computers and your LAN, just because the cloud computing already has it available online (yes, you need one PC and some kind of internet connection, but that's all you need).

embryo2 wrote:

Brendan wrote:The OS can't detect when the mouse is actually dirty (the hardware lacks that capability).

It can use something like pattern matching for detection of "non-standard" mouse behaviour. But it's not a trivial task.

embryo2 wrote:

Brendan wrote:The idea is that a maintenance person spends their day doing whatever the OS's maintenance tool tells them to do; and the OS automates everything it can to avoid the need to employ someone to manage the maintenance people.

Unfortunately, automation of such narrow areas like mouse cleaning without understanding of the biggest context of organization's maintenance requirements often leads to fragmentary and inefficient systems. But may be if an organization has clear understanding of the maintenance and sees your mouse cleaning fits the global picture, then it can be helpful.

embryo2 wrote:Well, do your words mean that a developer should be careless while writing a complex application? Or do you know a way of writing code without paying attention to all possible execution paths?
...
Here you claim that Rust magically manages to roll back or commit whatever possible state of a program. And it does it without programmer's efforts.
...
Exceptions are a part of method declaration in Java, so, it is impossible to hide them. But it is possible not to catch successors of the RuntimeException.

ResultType result;
try {
    result = compute_result();
} catch (SomeException) {
    result = default_value;
}
use(result);

use(compute_result().unwrap_or(default_value));

• Technical leadership. You would lead the project.
• Long contract. Minimum of 10 years and you would be able to fail the project without any consequences.
• Significant financial support. Practically you would be financially independent for the rest of you life even if the project failed.
• Resources. You would have huge resources at hand if you wanted something implemented. You would be able to set the acceptable quality level. You would not need to worry about human resource management or anything.
• Contacts. OEM vendors would ship some computer models with the new OS pre-installed. Some hardware manufacturers would need to write native drivers (based on some kind of OEM agreement).

Antti wrote:What would you think if a big company (e.g. Microsoft) thought that your ideas are so potential that they wanted to invest in them? They would give you:

• Technical leadership. You would lead the project.
• Long contract. Minimum of 10 years and you would be able to fail the project without any consequences.
• Significant financial support. Practically you would be financially independent for the rest of you life even if the project failed.
• Resources. You would have huge resources at hand if you wanted something implemented. You would be able to set the acceptable quality level. You would not need to worry about human resource management or anything.
• Contacts. OEM vendors would ship some computer models with the new OS pre-installed. Some hardware manufacturers would need to write native drivers (based on some kind of OEM agreement).

In short; in the worst case your project would just fail the big exceptions. However, it would still be a well-recognized and real OS. There would be a small market niche in any case. Perhaps this sounds good but there would be a teeny-tiny detail: you would not own it.

Brendan wrote:Implementations of that design are just a means to an end; and it doesn't really matter who owns the initial implementation (or any subsequent implementations).

• A large portion of the CIE XYZ colour space is imaginary, in contrast with RGB where every possible colour value creates a unique colour (HSV also suffers this problem - a V of 0 is output as black, regardless of H and S.)
• The blending algorithms are somewhat more difficult in this colour space. Imagine you're writing a 3D game and two light sources are shining on the same wall, you can easily do final colour = (wall colour * light a) + (wall colour * light b) in RGB. Transparency is final colour = (source a * 1/alpha) + (source b * alpha).
• Performance. If you're watching a video or playing a real time 3D game, can you convert 1920*1080*60 pixels per second? I'd imagine for an 8-bit video game, you could simplify the problem by generating a lookup table for all 256 colours - but what if the screen is shared across multiple monitors? (A video wall or a duel-monitor workstation.)

MessiahAndrw wrote:My wife is a graphic designer and she deals with the Pantone Matching System for printed media. She has one of these monitor calibrator things (http://www.xrite.com/i1display-pro) that measure the wavelengths outputted by the monitor to create a monitor profile, so what she sees on the printed output matches what her monitor shows. The main problem is that monitors are backlit, whereas printed media isn't and the colour on printed media depends on ambient light. In the end, you end up with 3 colour profiles - for the input media (the camera), the workstation monitor, and the printer. Since you're just dealing with screens it's a simpler problem, and X-Rite (the company that now owns Pantone) might have some kind of gadget for measuring your monitor output.

MessiahAndrw wrote:My concerns;

• A large portion of the CIE XYZ colour space is imaginary, in contrast with RGB where every possible colour value creates a unique colour (HSV also suffers this problem - a V of 0 is output as black, regardless of H and S.)

• it is able to represent all colours that humans can see and there is some wasted space for imaginary colours.
• it's unacceptable as a device independent colour space (incapable of representing all colours that humans can see).

MessiahAndrw wrote:

• The blending algorithms are somewhat more difficult in this colour space. Imagine you're writing a 3D game and two light sources are shining on the same wall, you can easily do final colour = (wall colour * light a) + (wall colour * light b) in RGB. Transparency is final colour = (source a * 1/alpha) + (source b * alpha).

MessiahAndrw wrote:

• Performance. If you're watching a video or playing a real time 3D game, can you convert 1920*1080*60 pixels per second? I'd imagine for an 8-bit video game, you could simplify the problem by generating a lookup table for all 256 colours - but what if the screen is shared across multiple monitors? (A video wall or a duel-monitor workstation.)

MessiahAndrw wrote:There have also been RGB colour space standards (like sRGB, Adobe RGB), and many monitors and HDTVs are sRGB compliant, and I've thought the theory was that a colour on any two sRGB screens should be identical. My monitor has an sRGB mode, but it also lets me change the brightness/contrast/colour temperature (which obviously alters the output colour) while claiming to be in sRGB mode, so that throws out that theory.

MessiahAndrw wrote:

• The blending algorithms are somewhat more difficult in this colour space. Imagine you're writing a 3D game and two light sources are shining on the same wall, you can easily do final colour = (wall colour * light a) + (wall colour * light b) in RGB. Transparency is final colour = (source a * 1/alpha) + (source b * alpha).

Brendan wrote:You're using a very loose definition of "faults". To me, a failure is when software doesn't do something it should or does do something it shouldn't (e.g. crash).

Brendan wrote:

embryo2 wrote:Ok, if you insist then here is another version - imagine one page of a code with 20 nested ifs and 100 pages of a code with prints only. Both variants can have the same number of bugs despite of the code size.

So you're saying that for a fair comparison (same quality control, same code maturity, same code size); complex code (e.g. the code in high performance VM that does JIT compiling and optimisation) is more likely to have bugs and security vulnerabilities than simpler code (e.g. the code you find in typical desktop applications)?

Brendan wrote:

embryo2 wrote:You have no need for downloading anything or even for the computers and your LAN, just because the cloud computing already has it available online (yes, you need one PC and some kind of internet connection, but that's all you need).

How do I plug 100 keyboards and 100 monitors into this "cloud"? When the cloud tells me networking is a bottleneck, and I just install some extra network cards in my cloud?

Brendan wrote:Mostly all I'm saying here is that "cloud" is intended for an extremely different use case. I want all the my computers on my LAN to work together (with or without any Internet connection), and I don't want to pay some third party for processing time. I want the typical ("one computer per user plus a server") office to shift to my OS to reduce hardware costs ("one computer per pair of users with no server"). I want this to work for mobile devices (laptops, tablets, smartphones) where (e.g.) if you're using a weak/low power tablet while you're walking around and happen to wander into wifi range the OS automatically shifts processing to the faster systems and the software you were already running starts running much faster (and if you walk out of wifi range the applications just start running slower without any "network connection lost" failures).

Brendan wrote:I also want to do things like let users send running applications to each other (e.g. you open a word processor document, write half of a letter, then send the application "as is" to another user so they can finish writing the letter);

Brendan wrote:and to have multi-user applications (where 10 programmers working on the project can all use the same IDE at the same time).

Brendan wrote:For power management, I want the OS to automatically shutdown computers when they aren't needed and (using "wake on LAN") automatically start them again when they are needed.

Brendan wrote:I also want all of this to be as close as possible to "zero configuration". For example, if you buy 20 new computers with no OS on them at all; you should be able to plug them into your network and do nothing else; where those 20 new computers boot from network, automatically become part of the cluster, and automatically start doing work.

Brendan wrote:

embryo2 wrote:It can use something like pattern matching for detection of "non-standard" mouse behaviour. But it's not a trivial task.

For existing mouse hardware, I very much doubt that this is possible without an unacceptable number of false positives and/or false negatives (and if its too unreliable it's just going to annoy people instead of being useful).

Brendan wrote:There would also be a way for normal users to add a "trouble ticket" to the system; for whatever the OS can't automatically detect (even if it's "my office chair broke!").

I really don't think it'd be hard to design a maintenance tool that suits almost everyone; and if people don't like my tool then they're able to suggest improvements, or replace any or all of the "pieces that communicate" with their own alternative piece/s;

Brendan wrote: Basically, as far as I can tell, hardware is not to blame for the unacceptable failure in the IT industry and it's almost entirely software's fault.

Brendan wrote: in theory a colour should be the same on both displays but in practice it's unwise to trust marketing departments and there's no guarantee that the colours actually will be the same.

Rusky wrote:People make mistakes, whether they're careless or not. Giving the language the ability to point out their mistakes before they release their program helps alleviate that problem.

Rusky wrote:My point is that Rust has two error handling modes. Only unrecoverable exceptions (called panics) are allowed to unwind the program in the middle, and they will always run all destructors, so the you can't catch the exception partway through the rollback. This means programmers don't have to care about exception safety, because the language takes care of it in a general way.

Rusky wrote:Java, on the other hand, allows you to invisibly pass exceptions on up the call stack. If the programmer doesn't check the documentation or method signature, all runtime exceptions become invisible

Rusky wrote:and adding "throws Exception" makes all the rest invisible.

Rusky wrote:while Rust's "try!" macro only effects a single potential error.

Rusky wrote:Further, Rust's "Result" type is much more composable than Java exceptions, because it's part of the normal data flow, rather than in a side channel requiring separate syntactic structures.

Rusky wrote:For example, instead of this multiline monstrosity:

Code: Select all

ResultType result;
try {
    result = compute_result();
} catch (SomeException) {
    result = default_value;
}
use(result);

You could just do this:

Code: Select all

use(compute_result().unwrap_or(default_value));