`Time paradox detected! Workflow asked for '${stepName}', but trace recorded '${recordedEvent.command}'`
The 3-delay-slot scheme works when there is useful work to fill those three cycles. But some instructions genuinely need the protection result before they can proceed. LAR (Load Access Rights) and VERR (Verify Read), for example, exist solely to query protection status -- there is no useful setup to overlap with.
That’s a similar amount of CPU usage as when we started - but I’m running with 250 users, not 10. 25 times faster isn’t bad. With this setup, I’m able to support about 2,500 concurrent users before I start to see any stuttering.
What this means in practice is that if someone discovers a bug in the Linux kernel’s I/O implementation, containers using Docker are directly exposed. A gVisor sandbox is not, because those syscalls are handled by the Sentry, and the Sentry does not expose them to the host kernel.