So an approach that might work is for a failed fsync() to keep the pages dirty --- but only while the file descriptor is open. This could either be the default behavior, or something that has to be specifically requested via fcntl(2). That way, as soon as the process exits (at which point it will be too late for it to do anything to save the contents of the file) we also release the memory. And if the process gets OOM-killed, again, the right thing happens. But if the process wants to take emergency measures to write the file somewhere else, it knows that the pages won't get lost until the file gets closed.
I think this sounds like a very reasonable default. Before reading this thread, it would have been my first guess as to how this worked. It gives the program the opportunity to retry the fsyncs before aborting. It would also allow a database, for instance, to keep servicing reads until the issue resolves itself or an administrator intervenes. A program cannot allow reads from the file if pages that have been written to can be evicted, their changes lost, and the pages then brought back with the old on-disk data.
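A minimal sketch of the retry-then-rescue pattern that would become possible under the proposed keep-dirty-until-close semantics. The function names, the rescue path, and the retry count are all illustrative choices, not an existing API; the rescue copy only works because the proposal guarantees the un-synced pages stay readable until the descriptor is closed:

    /* Sketch only: assumes the proposed behavior where a failed fsync()
     * keeps pages dirty until the file descriptor is closed. */
    #include <errno.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #define RESCUE_PATH "/altdisk/rescue.dat"  /* hypothetical fallback on another device */

    static int rescue_copy(int srcfd)
    {
        /* Copy the file's contents somewhere else while the original
         * descriptor is still open, so the (proposed) kernel behavior
         * keeps the un-synced pages available to read back. */
        int dst = open(RESCUE_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (dst < 0)
            return -1;

        char buf[65536];
        ssize_t n;
        if (lseek(srcfd, 0, SEEK_SET) < 0) {
            close(dst);
            return -1;
        }
        while ((n = read(srcfd, buf, sizeof(buf))) > 0) {
            /* A real implementation would handle short writes. */
            if (write(dst, buf, n) != n) {
                close(dst);
                return -1;
            }
        }
        if (fsync(dst) < 0 || close(dst) < 0)
            return -1;
        return n < 0 ? -1 : 0;
    }

    int retry_fsync_or_rescue(int fd)
    {
        /* Retry the fsync a few times before taking emergency measures.
         * Only close the descriptor once the data is safe somewhere,
         * since (under the proposal) closing it is what finally lets
         * the kernel drop the dirty pages. */
        for (int attempt = 0; attempt < 3; attempt++) {
            if (fsync(fd) == 0)
                return 0;
            fprintf(stderr, "fsync failed: %s, retrying\n", strerror(errno));
            sleep(1);
        }
        return rescue_copy(fd);
    }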
-- Chris Vest