Everhart, Glenn (FUSA)
From:	Andy Goldstein [Goldstein@star.zko.dec.youknowwhere]
Sent:	Wednesday, May 12, 1999 10:46 AM
To:	Info-VAX@Mvb.Saic.Com
Subject:	Re: VMS non-robustness (nothing too serious)
GWDVMS::MOELLER wrote:
> 
> I'm using VMS (in particular, a certain Vs3100 normally running V5.5-2)
> for 4 years at home now. Thinking about the anniversary, I remembered
> having experienced _one_ `relevant' system crash during that time:
> 
>  An unreadable (for whatever reason) CDROM caused some XQP bugcheck.
> 
> This reminded me of the same sort of crash once seen during an attempt
> to read a similarly bad 8" floppy (on a VAX 11/780, in the V3 era).
> 
> Will the VMS file system ever recognize that crashing on un-writable
> disks may be fine (in order to protect data integrity), but on _reading_
> them, it could as well return an appropriate I/O error status?

The VMS file system was designed with the principle that *no* problems
with the disk or file structure should cause it to crash. This principle
extended to the extreme case of being robust against maliciously
constructed file structures. (Try *that* on the world's favorite up and
coming enterprise operating system!) The only legitimate reason for
taking a bugcheck in the file system is that it has detected an internal
error - some inconsistency that is the consequence of a bug or in-memory
data corruption.

The only point where we stopped short on this principle is where the
disk gives back inconsistent data - i.e., returns different results from
the reading the same block at different times. We concluded that this
situaion was both very unlikely and too hard to defend against. By
modifying certain blocks with logical I/O at the right time you can
crash the file system (but I'm not going to tell you which ones).

If the file system crashes on write errors to protect the file
structure, this logic was put in when I wasn't looking and I don't agree
with it. There is logic that write-locks the disk for a certain class of
write errors that leave the file structure in an endangered state.

All crashes in the file system represent a bug (somewhere) and should be
reported to VMS engineering. (Well, OK, if you get a crash on V5.5-2 we
probably won't be as interested as if it were on V7.2.) If you don't
have a service agreement, please contact us informally and we'll get
hold of the dump somehow. By analyzing the crash, hopefully we'll find
and fix a bug before it crashes someone else's system.