Next: The problem
Up: THE SYSTEM
Previous: Dynamic name-tags
We made three decisions early in the design of the system which, taken
together, had unforeseen consequences. These were:
- i) The current version of some portions of a disk file may be in
ECS, with no copy on the disk (e.g., attached blocks).
- ii) After a crash, we must be able to restart the system using only
data on the disk. (It was felt that the structures in ECS were
probably too fragile and complicated to reconstruct after a crash.
Also, one of the more frequent causes of a crash was failure of
ECS.)
- iii) Vital information, necessary to the integrity of the system,
would be stored in disk files. This included directories, with
access control information, and the system accounts. (Once disk
files had been invented, we saw no reason to invent other disk
storage facilities.)
The resulting problem was that the contents of a file after recovery
from a crash may not be the same as before the crash. Moreover, it is
conceivable that they may not represent the contents at any
previous time (i.e., one portion may represent the contents of a
different previous time from another portion).
Initially we felt that this would just be "tough luck" for some
unfortunate user, and it was his responsibility to maintain backup
facilities. Unfortunately, we forgot decision iii) above.
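To make the failure mode concrete, the following is an added simulation (not part of the original text and not CAL TSS code) of a two-block directory file whose newest blocks live only in ECS, written back one block at a time, and then recovered from disk alone after a crash; the block numbers, version stamps and flush order are constructed assumptions.

```python
# Added simulation of the recovery problem described above. A "file" is a set of
# numbered blocks; the newest copy of a block may live only in ECS (decision i),
# and a crash discards ECS, so restart sees the disk alone (decision ii).
# Block numbers, version stamps and the flush order are constructed for illustration.

class FileSim:
    def __init__(self, nblocks):
        # disk holds (version, data) per block; version 0 is the initial contents
        self.disk = {b: (0, "initial") for b in range(nblocks)}
        self.ecs = {}  # blocks whose current version exists only in ECS

    def write(self, block, version, data):
        """Modify a block; the new contents stay in ECS until flushed."""
        self.ecs[block] = (version, data)

    def flush(self, block):
        """Write one block back to disk (blocks are written back individually)."""
        if block in self.ecs:
            self.disk[block] = self.ecs.pop(block)

    def crash_and_recover(self):
        """Lose everything in ECS and rebuild the file from disk only."""
        self.ecs.clear()
        return dict(self.disk)

def versions_present(state):
    """Distinct version stamps found across the recovered blocks."""
    return sorted({version for version, _ in state.values()})

def is_consistent(state):
    """True only if every block comes from the same version of the file."""
    return len(versions_present(state)) == 1

def torn_directory_scenario():
    """Directory entry (block 0) and its access-control word (block 1), updated twice."""
    fs = FileSim(2)
    fs.write(0, 1, "entry: user A")
    fs.write(1, 1, "access: A may read")
    fs.flush(0)
    fs.flush(1)                    # version 1 is now entirely on disk
    fs.write(0, 2, "entry: user B")
    fs.write(1, 2, "access: B may read")
    fs.flush(1)                    # only the access word reaches disk before the crash
    return fs.crash_and_recover()  # block 0 is version 1, block 1 is version 2
```

The recovered file mixes version 1 and version 2, a state that never existed at any single moment before the crash, which is exactly the condition the text describes.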
We eventually found a way around the problem, described below, but it
greatly increased the system overheads involved in the maintenance of
the system accounts.
Paul McJones
1998-06-22