Quoth Richard Hipp <d...@sqlite.org>, on 2013-04-04 10:51:22 -0400:
> Is this really a problem?  Your executable and all of your shared libraries
> are also mmapped into your address space.  If accessing mmapped memory were
> causing bus errors, then we'd be seeing bus errors all over the place.

As I interpret it, this is because it's commonly assumed that if part
of your executable code goes away, you cannot reliably continue (there
is no way to know what to do now), so crashing the whole process is
acceptable.  A system integrator or administrator must choose the
devices that will contain native code accordingly, since they can
bound the reliability of almost the entire system.  A similar argument
applies for choosing swap devices that may back any anonymous memory;
if a swap device fails, it is expected that a lot of things may crash.

So it is perfectly okay to use unprotected mmap accesses if an I/O
error on the file will already make the entire process uncontinuable.
The question is whether this applies to arbitrary SQLite databases
that an application may open, and I suspect that (a) it probably
doesn't, and (b) this reliability transitivity behavior would be a
significant departure from earlier SQLite versions.

As a hypothetical, more concrete example, consider a cluster of DNS
servers backed by mostly-read-only SQLite databases.  The system
integrator chooses highly reliable local ROM devices to store OS and
application code, but due to size and update flexibility requirements,
the database files are spread out and accessed via network filesystem.
With unprotected mmap, if any storage backend goes down or suffers a
media error, the entire DNS server process may crash upon trying to
read it, as opposed to receiving an error code and returning temporary
SERVFAIL responses for the affected data sets until the error can be
repaired.  (Arguably someone running such a service should plan for
this in other ways too, but I think SQLite should not exacerbate the
effects of such failures any more than necessary.)

This can be avoided by explicitly turning mmap off, but due to this I
would think that off should be the default, much like how WAL is not
the default journal mode (despite its considerable benefits in many
use cases) because it creates additional requirements that must be
taken into account.

Of course I may be missing something important here.

   ---> Drake Wilson
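The unprotected-versus-guarded mmap access this message contrasts, as an added C example that is not from the thread or from SQLite's code: it maps a constructed temp file, truncates it so the mapped page loses its backing (a stand-in for the storage failure a test machine cannot produce on demand), and shows a SIGBUS-guarded read returning an error code where the raw access would have killed the process. The function names and the temp path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* sigsetjmp, sigaction, mkstemp, ftruncate */
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for a SIGBUS raised inside a guarded mapped access. */
static sigjmp_buf guard_env;
static volatile sig_atomic_t guard_active = 0;

static void on_sigbus(int sig) {
    if (guard_active) siglongjmp(guard_env, 1);   /* turn the fault into a return code */
    signal(sig, SIG_DFL); raise(sig);             /* not ours: die like an unprotected access */
}
/* Copy one byte out of a mapping. 0 on success, -1 if the access raised SIGBUS
 * (page beyond EOF, or the backing store returned an I/O error). */
int guarded_read_byte(const volatile unsigned char *p, unsigned char *out) {
    struct sigaction sa, old; memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigbus;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);
    int rc = -1;
    if (sigsetjmp(guard_env, 1) == 0) {           /* savemask=1: mask restored after the jump */
        guard_active = 1;
        *out = *p;                                /* the fault, if any, happens here */
        rc = 0;
    }
    guard_active = 0;
    sigaction(SIGBUS, &old, NULL);                /* unprotected again outside the guard */
    return rc;
}

/* Stand-in for "the storage behind the database went away": map a file, then truncate it so the
 * mapped page loses its backing. 0 = first read ok, second reported as error; -2 = setup failed. */
int demo_lost_backing(void) {
    char path[] = "/tmp/mmap-sigbus-XXXXXX";     /* constructed temp file, unlinked at once */
    int fd = mkstemp(path);
    if (fd < 0) return -2;
    unlink(path);
    if (write(fd, "hello", 5) != 5) { close(fd); return -2; }
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *map = mmap(NULL, pg, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -2; }
    unsigned char b = 0;
    int before = guarded_read_byte(map, &b);      /* 0, and b == 'h' */
    ftruncate(fd, 0);                             /* backing disappears under the mapping */
    int after = guarded_read_byte(map, &b);       /* -1: SIGBUS caught, process survives */
    munmap(map, pg); close(fd);
    return (before == 0 && b == 'h' && after == -1) ? 0 : -1;
}
```

Without the guard the second access terminates the process with SIGBUS; turning mmap off, as the message suggests, avoids the problem differently, since ordinary read() calls return an error code the caller can handle.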
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users