How allocation failure is handled is a purely library level thing in Rust, so worst case it can be signaled the same way as in C, but since it's Rust it will look like Option<*mut usize [u8]> (or some "Byte" type instead of u8, perhaps for non-8 bit byte arch support if that is a thing). Constructors might then perhaps return Result<T, AllocFailure> or some such. It's unfortunate that std is lacking here, just like it lacks custom allocator support for collections, but that doesn't affect how this can be handled in the kernel.
I'm not sure what role overcommit plays in all this, I guess that isn't even really a thing in kernel space? But yes, if you want allocation to ever actually fail you have to do it like Windows and require as least as much RAM+swap as has been allocated, even if it's untouched by the process, which opens up its own can of worms, like programs OOMing even if half your RAM is free. This makes Windows totally unusable without tons of swap. I had CyberPunk 2077 crash on me every other hour until I realized that I needed more swap even though RAM was still far from exhausted, plus the swap file wasn't even being filled, which made the error in the Windows event viewer pretty puzzling, indeed. Until I remembered that Windows doesn't do overcommit... If you absolutely *need* utmost reliability you don't allocation at runtime at all, like safety critical and most embedded systems. I don't really see the point of some awkward middle-ground like on Windows, but I guess some do.
I'm not sure what role overcommit plays in all this, I guess that isn't even really a thing in kernel space? But yes, if you want allocation to ever actually fail you have to do it like Windows and require as least as much RAM+swap as has been allocated, even if it's untouched by the process, which opens up its own can of worms, like programs OOMing even if half your RAM is free. This makes Windows totally unusable without tons of swap. I had CyberPunk 2077 crash on me every other hour until I realized that I needed more swap even though RAM was still far from exhausted, plus the swap file wasn't even being filled, which made the error in the Windows event viewer pretty puzzling, indeed. Until I remembered that Windows doesn't do overcommit... If you absolutely *need* utmost reliability you don't allocation at runtime at all, like safety critical and most embedded systems. I don't really see the point of some awkward middle-ground like on Windows, but I guess some do.
Comment