Subject: Re: Need some advice regarding portable user IDs
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 08/24/1999 09:42:27
> Solving this is not trivial, I don't think changing the panic() to
> return(appropriate_error_code) is the right thing to do, in some cases
> you want to panic if a filesystem gets corrupted. 

Indeed, from an overall system robustness perspective, a panic,
reboot, and salvage is, in general, preferable to a forced-unmount of
/ or /usr leading to the system becoming useless.  This isn't
necessarily going to be the case for other filesystems, but still, it
would require manual intervention to recover from.

This problem has been dealt with in various ways in other systems in
the past.  

My understanding is that under some circumstances, Multics would
automatically invoke an on-line incremental salvager when corruption
was detected; however, this can also be dangerous -- several Multics
security holes (which were all eventually closed) involved tricking
the directory salvager in various ways...  one of these involved a
quoting error in the script which invoked the salvager so that you
could embed a ";" followed by a command in the name of the directory
to be salvaged...

						- Bill
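The quoting error Bill describes, shown in POSIX sh as an added example that is not part of the original message and is not code from Multics or NetBSD. The `salvager` function is a hypothetical stand-in that only reports the directory name it received; the real salvager's interface, the wrapper functions and the directory name are all constructed for the demonstration. The defective wrapper re-parses the name through `eval`, the corrected one hands it over as a single quoted argument, and a third variant rejects names outside a conservative character set before anything is invoked.

```shell
#!/bin/sh
# Added example (not from the mail, NetBSD or Multics): a POSIX sh sketch of
# the quoting defect described above, beside the corrected form.
# "salvager" is a hypothetical stand-in that only reports the one directory
# name it received; the real salvager's interface is an assumption here.

# Hypothetical salvager: reports the single directory argument it was given.
salvager() {
    printf 'salvaged <%s>\n' "$1"
}

# Defective wrapper: the name is spliced into a string that the shell
# re-parses, so a ';' inside the name terminates the salvager command and
# whatever follows it runs as a second command.
salvage_unsafe() {
    eval "salvager $1"
}

# Corrected wrapper: the name travels as one quoted argument and is never
# re-parsed, so metacharacters in it are just characters.
salvage_safe() {
    salvager "$1"
}

# Defence in depth: refuse names outside a conservative character set before
# anything is invoked (returns 2 on rejection, 0 after a normal run).
salvage_checked() {
    case "$1" in
        *[!A-Za-z0-9._/-]*) printf 'rejected <%s>\n' "$1" >&2; return 2 ;;
    esac
    salvager "$1"
}

# Constructed directory name: a ';' followed by a harmless second command.
HOSTILE_NAME='scratch; echo injected'

# Helpers so the two behaviours can be compared by their output.
unsafe_last_line() { salvage_unsafe "$HOSTILE_NAME" | tail -n 1; }
safe_output()      { salvage_safe "$HOSTILE_NAME"; }

# Stand-alone run: the defective wrapper prints "injected" as a second line,
# the corrected one reports the whole name as one directory.
salvage_unsafe "$HOSTILE_NAME"
salvage_safe "$HOSTILE_NAME"
```

The difference is visible in the last line each wrapper prints: `salvage_unsafe` emits `injected` as output of a second command, whereas `salvage_safe` emits `salvaged <scratch; echo injected>`, the whole name treated as data. The allowlist in `salvage_checked` is the kind of check a wrapper that must run with salvager privileges should make in addition to correct quoting, not instead of it.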