This is probably worth a COREDUMP_HANDLER(9) if the idea isn't rejected

Do you need a way to drain the activities of the coredumpers?

Use the opportunity to add EXTERRORs? This EFAULT is not quite EFAULT.

How would an exterror be consumed at this point?

Do you need to acquire some reference on chosen to ensure it doesn't get freed while a process is dumping?

This kind of goes with kib's comment above about draining, and something I forgot to think about when trying to un-PoC this.

I guess struct coredumper should probably grow a cd_flags / CDF_QUIESCE / coredumper_quiesce() so that we stop handing it requests prior to deregistration (presumably in a MOD_UNLOAD handler), and perhaps a refcount(9) to track and wait on in-flight coredumps

In lieu of an explicit quiesce state, I think you can just unlink the dumper from the list and use a refcount to wait for dumping threads to drain. There is a small undocumented interface in blockcount.h that maybe makes this a bit neater.

Good point, I've sprinkled some blockcount on it locally and that feels better, though it does have me thinking more about how I have this currently setup. coredumper_unregister() is currently done via SYSUNINIT, so I'd need one of:

• Another SYSUNINIT to further free resources,
• A callback for the dumper to free up, or
• Drop the SYSINIT/SYSUNINIT entirely and make the module handle registration in MOD_LOAD/MOD_UNLOAD

I don't really like option #1. I'm not sure I see a clear winner between the other two, though clearly just pushing that off to the module would be simpler.

In general, what is the cd_probe method supposed to do?

It offers some mechanism to filter out the kind of coredumps the dumper will handle, so that one can decline to deal with one and we don't lose the dump entirely as it falls back to some other dumper (or the standard vnode dumper). I'm not strongly tied to the motion, at one point I thought I'd want my custom dumper to decline coredumps if nothing had opened its /dev/ucore or if we enqueued too many dumps without a reader to drain them.

My initial thinking of thread/proc-based filtering (not state of the module as above) was that one could write interesting policies around any of p_sig/p_comm/jail/uid

If I'm reading this correctly, it's not "dumped" until after the write is done.

Not asking you to change anything, but: this is less true after commit f31695cc64e2328028b7432a2a6bdcd088909b2a. A further optimization would be to avoid visiting each page in a segment if the VM object for the mapping has no backing object. Then we can skip over non-resident ranges of VA in logn time rather than calling vm_fault() on each page in core_output().

This would be useful for programs which map very large VA ranges. I think chromium does this, and snmalloc also maps 512GB by default. Dumping core from such a program is slow, even with the commit above.

Maybe drop "kernel"? It's a bit confusing otherwise.

This sentence doesn't really make sense to me.

Right, good point.

Hmm, yeah, that makes sense; I'll revert this back to just regrouping the core naming stuff together.

Noted, I might do a follow-up editorial pass on core(5) later- I think I'd also like to rewrite the bits describing compression somehow to better draw the values of kern.compress_user_cores back to the kernel options needed to enable them, but I don't really have a vision for how to better describe that at the moment.

Basically, yes- what I was wanting to capture here is that the coredumper should be aware of the fact that it's about to unregister and depending on the implementation, may want to be sure that any in-progress dumps happening concurrently will finish up to avoid blocking module unload for too long (or perhaps have its own method to quiesce dumps and abdicate from handling more via its cd_probe).

Whoops; missed a word and adding "level greater than 0" to the end.