From: David Hildenbrand <david@redhat.com>
To: John Hubbard <jhubbard@nvidia.com>, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, linux-doc@vger.kernel.org,
kexec@lists.infradead.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
David Laight <David.Laight@ACULAB.COM>,
Jonathan Corbet <corbet@lwn.net>,
Andy Whitcroft <apw@canonical.com>, Joe Perches <joe@perches.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>
Subject: Re: [PATCH RFC 1/2] coding-style.rst: document BUG() and WARN() rules ("do not crash the kernel")
Date: Thu, 25 Aug 2022 14:12:51 +0200 [thread overview]
Message-ID: <ea380cf0-acda-aaba-fb63-2834da91b66b@redhat.com> (raw)
In-Reply-To: <0db131cf-013e-6f0e-c90b-5c1e840d869c@nvidia.com>
On 24.08.22 23:59, John Hubbard wrote:
> On 8/24/22 09:30, David Hildenbrand wrote:
>> diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst
>> index 03eb53fd029a..a6d81ff578fe 100644
>> --- a/Documentation/process/coding-style.rst
>> +++ b/Documentation/process/coding-style.rst
>> @@ -1186,6 +1186,33 @@ expression used. For instance:
>> #endif /* CONFIG_SOMETHING */
>>
>
> I like the idea of adding this documentation, and this is the right
> place. Naturally, if one likes something, one must immediately change
> it. :) Therefore, here is an alternative writeup that I think captures
> what you and the email threads were saying.
>
> How's this sound?
Much better, thanks! :)
>
> diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst
> index 03eb53fd029a..32df0d503388 100644
> --- a/Documentation/process/coding-style.rst
> +++ b/Documentation/process/coding-style.rst
> @@ -1185,6 +1185,53 @@ expression used. For instance:
> ...
> #endif /* CONFIG_SOMETHING */
>
> +22) Do not crash the kernel
> +---------------------------
> +
> +Use WARN() rather than BUG()
> +****************************
> +
> +Do not add new code that uses any of the BUG() variants, such as BUG(),
> +BUG_ON(), or VM_BUG_ON(). Instead, use a WARN*() variant, preferably
> +WARN_ON_ONCE(), and possibly with recovery code. Recovery code is not required
> +if there is no reasonable way to at least partially recover.
I'll tend to keep in this section:
"Unavoidable data corruption / security issues might be a very rare
exception to this rule and need good justification."
Because there are rare exceptions, and I'd much rather document the
clear exception to this rule.
> +
> +Use WARN_ON_ONCE() rather than WARN() or WARN_ON()
> +**************************************************
> +
> +WARN_ON_ONCE() is generally preferred over WARN() or WARN_ON(), because it is
> +common for a given warning condition, if it occurs at all, to occur multiple
> +times. (For example, once per file, or once per struct page.) This can fill up
I'll drop the "For example" part. I feel like this doesn't really need
an example -- most probably we've all been there already when the kernel
log was flooded :)
> +and wrap the kernel log, and can even slow the system enough that the excessive
> +logging turns into its own, additional problem.
> +
> +Do not WARN lightly
> +*******************
> +
> +WARN*() is intended for unexpected, this-should-never-happen situations. WARN*()
> +macros are not to be used for anything that is expected to happen during normal
> +operation. These are not pre- or post-condition asserts, for example. Again:
> +WARN*() must not be used for a condition that is expected to trigger easily, for
> +example, by user space actions. pr_warn_once() is a possible alternative, if you
> +need to notify the user of a problem.
> +
> +Do not worry about panic_on_warn users
> +**************************************
> +
> +A few more words about panic_on_warn: Remember that ``panic_on_warn`` is an
> +available kernel option, and that many users set this option. This is why there
> +is a "Do not WARN lightly" writeup, above. However, the existence of
> +panic_on_warn users is not a valid reason to avoid the judicious use WARN*().
> +That is because, whoever enables panic_on_warn has explicitly asked the kernel
> +to crash if a WARN*() fires, and such users must be prepared to deal with the
> +consequences of a system that is somewhat more likely to crash.
Side note: especially with kdump() I feel like we might see much more
widespread use of panic_on_warn to be able to actually extract debug
information in a controlled manner -- for example on enterprise distros.
... which would then make these systems more likely to crash, because
there is no way to distinguish a rather harmless warning from a severe
warning :/ . But let's see if some kdump() folks will share their
opinion as reply to the cover letter.
--
Thanks,
David / dhildenb
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: David Hildenbrand <david@redhat.com>
To: John Hubbard <jhubbard@nvidia.com>, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, linux-doc@vger.kernel.org,
kexec@lists.infradead.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
David Laight <David.Laight@ACULAB.COM>,
Jonathan Corbet <corbet@lwn.net>,
Andy Whitcroft <apw@canonical.com>, Joe Perches <joe@perches.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>
Subject: Re: [PATCH RFC 1/2] coding-style.rst: document BUG() and WARN() rules ("do not crash the kernel")
Date: Thu, 25 Aug 2022 14:12:51 +0200 [thread overview]
Message-ID: <ea380cf0-acda-aaba-fb63-2834da91b66b@redhat.com> (raw)
In-Reply-To: <0db131cf-013e-6f0e-c90b-5c1e840d869c@nvidia.com>
On 24.08.22 23:59, John Hubbard wrote:
> On 8/24/22 09:30, David Hildenbrand wrote:
>> diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst
>> index 03eb53fd029a..a6d81ff578fe 100644
>> --- a/Documentation/process/coding-style.rst
>> +++ b/Documentation/process/coding-style.rst
>> @@ -1186,6 +1186,33 @@ expression used. For instance:
>> #endif /* CONFIG_SOMETHING */
>>
>
> I like the idea of adding this documentation, and this is the right
> place. Naturally, if one likes something, one must immediately change
> it. :) Therefore, here is an alternative writeup that I think captures
> what you and the email threads were saying.
>
> How's this sound?
Much better, thanks! :)
>
> diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst
> index 03eb53fd029a..32df0d503388 100644
> --- a/Documentation/process/coding-style.rst
> +++ b/Documentation/process/coding-style.rst
> @@ -1185,6 +1185,53 @@ expression used. For instance:
> ...
> #endif /* CONFIG_SOMETHING */
>
> +22) Do not crash the kernel
> +---------------------------
> +
> +Use WARN() rather than BUG()
> +****************************
> +
> +Do not add new code that uses any of the BUG() variants, such as BUG(),
> +BUG_ON(), or VM_BUG_ON(). Instead, use a WARN*() variant, preferably
> +WARN_ON_ONCE(), and possibly with recovery code. Recovery code is not required
> +if there is no reasonable way to at least partially recover.
I'll tend to keep in this section:
"Unavoidable data corruption / security issues might be a very rare
exception to this rule and need good justification."
Because there are rare exceptions, and I'd much rather document the
clear exception to this rule.
> +
> +Use WARN_ON_ONCE() rather than WARN() or WARN_ON()
> +**************************************************
> +
> +WARN_ON_ONCE() is generally preferred over WARN() or WARN_ON(), because it is
> +common for a given warning condition, if it occurs at all, to occur multiple
> +times. (For example, once per file, or once per struct page.) This can fill up
I'll drop the "For example" part. I feel like this doesn't really need
an example -- most probably we've all been there already when the kernel
log was flooded :)
> +and wrap the kernel log, and can even slow the system enough that the excessive
> +logging turns into its own, additional problem.
> +
> +Do not WARN lightly
> +*******************
> +
> +WARN*() is intended for unexpected, this-should-never-happen situations. WARN*()
> +macros are not to be used for anything that is expected to happen during normal
> +operation. These are not pre- or post-condition asserts, for example. Again:
> +WARN*() must not be used for a condition that is expected to trigger easily, for
> +example, by user space actions. pr_warn_once() is a possible alternative, if you
> +need to notify the user of a problem.
> +
> +Do not worry about panic_on_warn users
> +**************************************
> +
> +A few more words about panic_on_warn: Remember that ``panic_on_warn`` is an
> +available kernel option, and that many users set this option. This is why there
> +is a "Do not WARN lightly" writeup, above. However, the existence of
> +panic_on_warn users is not a valid reason to avoid the judicious use WARN*().
> +That is because, whoever enables panic_on_warn has explicitly asked the kernel
> +to crash if a WARN*() fires, and such users must be prepared to deal with the
> +consequences of a system that is somewhat more likely to crash.
Side note: especially with kdump() I feel like we might see much more
widespread use of panic_on_warn to be able to actually extract debug
information in a controlled manner -- for example on enterprise distros.
... which would then make these systems more likely to crash, because
there is no way to distinguish a rather harmless warning from a severe
warning :/ . But let's see if some kdump() folks will share their
opinion as reply to the cover letter.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2022-08-25 12:13 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-24 16:30 [PATCH RFC 0/2] coding-style.rst: document BUG() and WARN() rules David Hildenbrand
2022-08-24 16:30 ` David Hildenbrand
2022-08-24 16:30 ` [PATCH RFC 1/2] coding-style.rst: document BUG() and WARN() rules ("do not crash the kernel") David Hildenbrand
2022-08-24 16:30 ` David Hildenbrand
2022-08-24 21:59 ` John Hubbard
2022-08-24 21:59 ` John Hubbard
2022-08-25 12:12 ` David Hildenbrand [this message]
2022-08-25 12:12 ` David Hildenbrand
2022-08-26 1:43 ` Dave Young
2022-08-26 1:43 ` Dave Young
2022-08-26 17:02 ` David Hildenbrand
2022-08-26 17:02 ` David Hildenbrand
2022-08-29 1:55 ` Dave Young
2022-08-29 1:55 ` Dave Young
2022-08-29 3:07 ` Linus Torvalds
2022-08-29 3:07 ` Linus Torvalds
2022-08-29 4:49 ` John Hubbard
2022-08-29 4:49 ` John Hubbard
2022-08-29 17:19 ` Linus Torvalds
2022-08-29 17:19 ` Linus Torvalds
2022-08-29 8:44 ` David Hildenbrand
2022-08-29 8:44 ` David Hildenbrand
2022-08-29 9:25 ` Jani Nikula
2022-08-29 9:25 ` Jani Nikula
2022-08-24 16:31 ` [PATCH RFC 2/2] checkpatch: warn on usage of VM_BUG_ON() and friends David Hildenbrand
2022-08-24 16:31 ` David Hildenbrand
2022-08-24 16:52 ` Joe Perches
2022-08-24 16:52 ` Joe Perches
2022-08-24 19:00 ` David Hildenbrand
2022-08-24 19:00 ` David Hildenbrand
2022-08-25 9:58 ` David Hildenbrand
2022-08-25 9:58 ` David Hildenbrand
2022-08-25 11:43 ` Jani Nikula
2022-08-25 11:43 ` Jani Nikula
2022-08-25 11:51 ` David Hildenbrand
2022-08-25 11:51 ` David Hildenbrand
2022-08-25 2:30 ` [PATCH RFC 0/2] coding-style.rst: document BUG() and WARN() rules John Hubbard
2022-08-25 2:30 ` John Hubbard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ea380cf0-acda-aaba-fb63-2834da91b66b@redhat.com \
--to=david@redhat.com \
--cc=David.Laight@ACULAB.COM \
--cc=akpm@linux-foundation.org \
--cc=apw@canonical.com \
--cc=bhe@redhat.com \
--cc=corbet@lwn.net \
--cc=dwaipayanray1@gmail.com \
--cc=dyoung@redhat.com \
--cc=jhubbard@nvidia.com \
--cc=joe@perches.com \
--cc=kexec@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lukas.bulwahn@gmail.com \
--cc=mingo@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.