Dean reports that, at least on MS Windows, File#renameTo has funny non-atomicity properties. Its doc comment is unhelpfully vague, and does not document just how corrupt it may leave things if it crashes in the middle.
Vat persistence uses rename to commit new vat state. We must decide on the set of possible failure modes we will consider. This issue was noticed during the waterken security review, and we should probably adopt the same set of failure modes decided on there. That list is not yet written up and posted.
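To make the failure window concrete, here is an added example (not the vat persistence code, and not Dean's; class and method names are hypothetical) contrasting the fragile renameTo commit with a form that flushes first, uses NIO's ATOMIC_MOVE, and treats a leftover temp file as never-committed on recovery:

```java
import java.io.File;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;

/** Hypothetical commit routines for a vat's serialized state (example code). */
public final class VatCommit {

    /** Fragile form: renameTo's boolean is ignored and the data is never forced to disk. */
    static void commitNaive(File dir, byte[] state) throws IOException {
        File tmp = new File(dir, "vat.state.tmp");
        File live = new File(dir, "vat.state");
        Files.write(tmp.toPath(), state);   // may still sit in the page cache at crash time
        tmp.renameTo(live);                 // may fail (e.g. target exists on Windows); unchecked
    }

    /**
     * Crash-safe form. The rename is the single commit point: before it, only
     * vat.state.tmp can be torn; after it, vat.state is the complete new image.
     */
    static void commitDurable(File dir, byte[] state) throws IOException {
        Path tmp = dir.toPath().resolve("vat.state.tmp");
        Path live = dir.toPath().resolve("vat.state");
        try (FileChannel ch = FileChannel.open(tmp, StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING)) {
            ByteBuffer buf = ByteBuffer.wrap(state);
            while (buf.hasRemaining()) {
                ch.write(buf);
            }
            ch.force(true);                 // data and metadata reach stable storage first
        }
        try {
            // Whether an existing target is replaced under ATOMIC_MOVE is implementation
            // specific per the Javadoc, so the caller must confirm this on each platform.
            Files.move(tmp, live, StandardCopyOption.ATOMIC_MOVE);
        } catch (AtomicMoveNotSupportedException e) {
            // No atomicity promise here: refuse rather than risk a torn commit.
            throw new IOException("atomic rename unsupported; vat state not committed", e);
        }
    }

    /** On startup a leftover .tmp is never a valid image, so it is discarded, not repaired. */
    static boolean recover(File dir) throws IOException {
        return Files.deleteIfExists(dir.toPath().resolve("vat.state.tmp"));
    }
}
```

Durability of the directory entry itself (syncing the parent directory) is out of scope here and is platform-dependent in Java.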