SEF: identity transfer only after controlled crash

Transparent (endpoint-preserving) restarts with identity transfer
are meant to exercise the crash recovery system only.  After *real*
crashes, such restarts are useless at best and dangerous at worst,
because no state integrity can be guaranteed afterwards.  Thus,
except after a controlled crash, it is best not to perform such
restarts at all.  This patch changes SEF such that identity transfer
is successful only if the old process was the subject of a crash
induced through "service fi".  As a result, testrelpol.sh should
continue to be able to use identity transfers for testing purposes,
but any real crash will be handled more appropriately.

This fixes #126.

Change-Id: Idc17ac7b3dfee05098529cb889ac835a0cd03ef0

minix/lib/libsys/sef.c

@@ -17,6 +17,7 @@ endpoint_t sef_self_proc_nr;
 int sef_self_priv_flags;
 int sef_self_init_flags;
 int sef_self_receiving;
+int sef_controlled_crash;
 
 /* Extern variables. */
 EXTERN int sef_lu_state;
@@ -84,6 +85,7 @@ void sef_startup()
   sef_self_priv_flags = priv_flags;
   sef_self_init_flags = init_flags;
   sef_lu_state = SEF_LU_STATE_NULL;
+  sef_controlled_crash = FALSE;
   old_endpoint = NONE;
   if(init_flags & SEF_LU_NOMMAP) {
       sys_upd_flags |= SF_VM_NOMMAP;
@@ -139,6 +141,7 @@ void sef_startup()
   sef_self_priv_flags = priv_flags;
   sef_self_init_flags = init_flags;
   sef_lu_state = SEF_LU_STATE_NULL;
+  sef_controlled_crash = FALSE;
 }
 
 /*===========================================================================*

minix/lib/libsys/sef_fi.c

@@ -7,14 +7,18 @@ EXTERN __attribute__((weak)) int edfi_ctl_process_request(void *ctl_request);
 
 EXTERN int do_sef_fi_request(message *m_ptr);
 
+EXTERN int sef_controlled_crash;
+
 /*===========================================================================*
  *                            do_sef_fi_request             		     *
  *===========================================================================*/
 int do_sef_fi_request(message *m_ptr)
 {
     /* See if we are simply asked to crash. */
-    if (m_ptr->m_lsys_fi_ctl.subtype == RS_FI_CRASH)
+    if (m_ptr->m_lsys_fi_ctl.subtype == RS_FI_CRASH) {
+        sef_controlled_crash = TRUE;
         panic("Crash!");
+    }
 
 #if SEF_FI_ALLOW_EDFI
     /* Forward the request to the EDFI fault injector, if linked in. */

minix/lib/libsys/sef_init.c

@@ -31,6 +31,7 @@ EXTERN char* sef_debug_header(void);
 EXTERN endpoint_t sef_self_endpoint;
 EXTERN endpoint_t sef_self_priv_flags;
 EXTERN endpoint_t sef_self_init_flags;
+EXTERN int sef_controlled_crash;
 
 #ifndef ST_STACK_REFS_BUFF_SIZE
 #define ST_STACK_REFS_BUFF_SIZE           1024
@@ -398,6 +399,12 @@ int sef_cb_init_identity_state_transfer(int type, sef_init_info_t *info)
   /* Restore stack refs. */
   sef_llvm_stack_refs_restore(stack_buff);
 
+  if (sef_controlled_crash == FALSE) {
+      printf("SEF(%d): crash was not controlled, "
+	"aborting transparent restart\n", sef_self_endpoint);
+      return EGENERIC; /* actual error code does not matter */
+  }
+
   return OK;
 }