From: Jason Gunthorpe <jgg@nvidia.com>
To: Robin Murphy <robin.murphy@arm.com>
Cc: joro@8bytes.org, will@kernel.org, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org, hch@lst.de,
baolu.lu@linux.intel.com
Subject: Re: [PATCH v2 4/8] iommu: Factor out some helpers
Date: Tue, 31 Jan 2023 15:54:52 -0400 [thread overview]
Message-ID: <Y9lyDDu/tLSX81Y9@nvidia.com> (raw)
In-Reply-To: <5498680f-df9e-287c-03f1-020848ba9b37@arm.com>
On Mon, Jan 30, 2023 at 11:33:54PM +0000, Robin Murphy wrote:
> Please understand that I'm not going to this length just to be
> objectionable; this is me genuinely being unable to rationalise your
> argument and spending my entire evening on a deep dive into my own thought
> process to lay it out and check for any obvious errors.
Sorry, I don't want to use up your time like this. It is a minor style
remark, if you don't like it then you should go ahead with your
original.
It is hard to debate style, everyone has their own viewpoint of what
is better style or not.
But to elaborate my feeling, I find this:
const struct iommu_ops *ops = dev_iommu_ops(dev);
if (!ops)
return -ENODEV
To be nicer code and more kernely then this:
const struct iommu_ops *ops;
if (!dev_iomm_ops_valid(dev))
return -ENODEV
ops = dev_iommu_ops(dev);
In part because the former is a harder to type wrong and when used
consistently it is alot more obvious that the NULL test is
missing. static checkers like smatch/coverity will even warn on the
obvious possible NULL deref if someone misses the NULL test.
In general in kernel we have the API flow of call a function and check
the result for error, asking permission to call an API is less
typical.
This case is complicated because of the effort to try and document
cases that can't fail. I'm not sure if this is worthwhile, but..
Documentation of special cases is better by labeling them as a special
case, eg with a special function name. Think
rcu_dereference_protected(). Making them special by observing a
missing related function call is trickier to learn and remember.
Also if you rely on ops testing you are sort of forced into a second
function because the static tools will complain about all the places
that don't test for null if only one API is provided.
Basically, if you have dev_iommu_ops/dev_iommu_ops_safe then the
choice to use safe is obviously documented in the code and if you
mis-use dev_iommu_ops then a static tool will complain. Reviewers who
see 'safe' in a diff are reminded to look at it for safety rules.
If you have dev_iommu_ops/dev_iommu_ops_valid then static tools will
never complain and the choice to use 'safe' is implicitly documented
by not calling dev_iommu_ops_valid. Reviewers have to remember to
check every call to dev_iommu_ops() to see if it should have the valid
check.
Regards,
Jason
next prev parent reply other threads:[~2023-01-31 19:54 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-26 18:26 [PATCH v2 0/8] iommu: The early demise of bus ops Robin Murphy
2023-01-26 18:26 ` [PATCH v2 1/8] iommu: Decouple iommu_present() from " Robin Murphy
2023-01-28 7:55 ` Baolu Lu
2023-01-30 17:31 ` Jason Gunthorpe
2023-01-30 18:21 ` Robin Murphy
2023-01-26 18:26 ` [PATCH v2 2/8] iommu: Validate that devices match domains Robin Murphy
2023-01-28 8:04 ` Baolu Lu
2023-01-30 15:59 ` Jason Gunthorpe
2023-01-26 18:26 ` [PATCH v2 3/8] iommu: Add lockdep annotations for group list iterators Robin Murphy
2023-01-28 8:08 ` Baolu Lu
2023-01-28 12:20 ` Baolu Lu
2023-01-30 14:59 ` Robin Murphy
2023-01-26 18:26 ` [PATCH v2 4/8] iommu: Factor out some helpers Robin Murphy
2023-01-28 8:12 ` Baolu Lu
2023-01-30 16:38 ` Jason Gunthorpe
2023-01-30 18:05 ` Robin Murphy
2023-01-30 18:20 ` Jason Gunthorpe
2023-01-30 23:33 ` Robin Murphy
2023-01-31 19:54 ` Jason Gunthorpe [this message]
2023-01-26 18:26 ` [PATCH v2 5/8] iommu: Switch __iommu_domain_alloc() to device ops Robin Murphy
2023-01-26 23:22 ` Jacob Pan
2023-01-27 11:42 ` Robin Murphy
2023-01-27 16:32 ` Jacob Pan
2023-01-28 8:21 ` Baolu Lu
2023-01-30 17:51 ` Jason Gunthorpe
2023-01-26 18:26 ` [PATCH v2 6/8] iommu/arm-smmu: Don't register fwnode for legacy binding Robin Murphy
2023-01-30 17:14 ` Jason Gunthorpe
2023-01-26 18:26 ` [PATCH v2 7/8] iommu: Retire bus ops Robin Murphy
2023-01-28 12:10 ` Baolu Lu
2023-01-28 12:55 ` kernel test robot
2023-01-30 14:20 ` Jason Gunthorpe
2023-01-30 17:09 ` Jason Gunthorpe
2023-01-26 18:26 ` [PATCH v2 8/8] iommu: Clean up open-coded ownership checks Robin Murphy
2023-01-30 17:10 ` Jason Gunthorpe
2023-01-30 6:45 ` [PATCH v2 0/8] iommu: The early demise of bus ops Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9lyDDu/tLSX81Y9@nvidia.com \
--to=jgg@nvidia.com \
--cc=baolu.lu@linux.intel.com \
--cc=hch@lst.de \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox