Re: Alan Cox quote? (was: Re: accounting for threads)

Rob Landley (landley@webofficenow.com)
Wed, 20 Jun 2001 07:56:10 -0400


On Wednesday 20 June 2001 10:35, Mike Porter wrote:
> > But that foregoes the point that the code is far more complex and harder
> > to make 'obviously correct', a concept that *does* translate well to
> > userspace.
>
> One point is that 'obviously correct' is much harder to 'prove' for
> threads (or processes with shared memory) than you might think.
> With a state machine, you can 'prove' that object accesses won't
> conflict much more easily. With a threaded or process based model,
> you have to spend considerable time thinking about multiple readers
> and writers and locking.
>
> One metric I use to evaluate program complexity is how big of a
> headache I get when trying to prove something "correct".
> Multi-process or multi-threaded code hurts more than a well written
> state machine.

The same applies to security, though. There are programmers out there to whom
we're unwilling to give the tools to create race conditions, but we expect them
to write stuff that won't allow a box on the internet to be own3d in under 24
hours...

Obvious isn't always correct...

Rob
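An added illustration of the locking-versus-state-machine point made above (example code written for this archive page, not from the thread, Rob Landley or Mike Porter): the same job, "account for ITERS increments from each of NSRC sources", written three ways. The unsynchronised version loses updates under contention, the mutex version is correct but only because every access was remembered, and the single-threaded state machine has exactly one writer by construction, so there is nothing to lock or prove about readers and writers. It assumes a POSIX pthreads environment; the event stream fed to the state machine is constructed inline.

```c
/* Added example for this page, not from the original thread.
 * Assumes POSIX pthreads (link with -pthread on older toolchains). */
#include <pthread.h>
#include <stdio.h>

#define NSRC  4          /* number of producers / threads */
#define ITERS 200000     /* increments each producer contributes */

/* Shared accounting counter. volatile only stops the compiler hoisting the
 * increment into a register so the race is visible; it is NOT synchronisation. */
static volatile long total;
static pthread_mutex_t total_lock = PTHREAD_MUTEX_INITIALIZER;

/* Variant 1: unsynchronised. total++ is a load/add/store sequence, so two
 * threads can read the same old value and one of the updates is lost. */
static void *racy_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERS; i++)
        total++;
    return NULL;
}

/* Variant 2: every access to the shared counter is made under the mutex.
 * Correct, but only as long as nobody ever forgets the lock. */
static void *locked_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERS; i++) {
        pthread_mutex_lock(&total_lock);
        total++;
        pthread_mutex_unlock(&total_lock);
    }
    return NULL;
}

/* Run NSRC copies of fn concurrently and return the final counter. */
static long run_threads(void *(*fn)(void *))
{
    pthread_t tid[NSRC];
    total = 0;
    for (int i = 0; i < NSRC; i++)
        pthread_create(&tid[i], NULL, fn, NULL);
    for (int i = 0; i < NSRC; i++)
        pthread_join(tid[i], NULL);
    return total;
}

long racy_count(void)   { return run_threads(racy_worker); }
long locked_count(void) { return run_threads(locked_worker); }

/* Variant 3: single-threaded state machine. Producers only post events; one
 * loop owns the state, so there is exactly one writer and no locking. The
 * per-source "stopped" flag shows ordering rules that are trivial here but
 * would be another lock-ordering headache in the threaded versions. */
enum ev_type { EV_INCREMENT, EV_STOP };
struct event { enum ev_type type; int src; };
struct acct_state { long total; int stopped[NSRC]; };

static void handle_event(struct acct_state *s, const struct event *ev)
{
    switch (ev->type) {
    case EV_INCREMENT:
        if (!s->stopped[ev->src])
            s->total++;
        break;
    case EV_STOP:
        s->stopped[ev->src] = 1;
        break;
    }
}

long state_machine_count(void)
{
    struct acct_state s = {0};
    struct event ev;
    /* Constructed event stream: sources interleaved round-robin, as a real
     * queue would deliver them, then a STOP from each source. */
    for (int i = 0; i < ITERS; i++)
        for (int src = 0; src < NSRC; src++) {
            ev.type = EV_INCREMENT; ev.src = src;
            handle_event(&s, &ev);
        }
    for (int src = 0; src < NSRC; src++) {
        ev.type = EV_STOP; ev.src = src;
        handle_event(&s, &ev);
    }
    /* A straggler after STOP is simply dropped by the state machine. */
    ev.type = EV_INCREMENT; ev.src = 0;
    handle_event(&s, &ev);
    return s.total;
}

int main(void)
{
    long expected = (long)NSRC * ITERS;
    printf("expected      %ld\n", expected);
    printf("racy          %ld\n", racy_count());
    printf("locked        %ld\n", locked_count());
    printf("state machine %ld\n", state_machine_count());
    return 0;
}
```

On a multi-core box the racy figure usually comes out below the expected 800000, and by a different amount on every run; the locked and state-machine figures are always exact. The difference in how you convince yourself of that is the whole point: for the state machine you read one function, for the mutex version you audit every site that touches `total`.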