From: Willy Tarreau <w@1wt.eu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Andrew Morton <akpm@linux-foundation.org>,
Antonio SJ Musumeci <trapexit@spawn.link>,
Miklos Szeredi <miklos@szeredi.hu>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
stable <stable@vger.kernel.org>
Subject: Re: BUG_ON() in workingset_node_shadows_dec() triggers
Date: Wed, 5 Oct 2016 07:44:07 +0200 [thread overview]
Message-ID: <20161005054407.GC7297@1wt.eu> (raw)
In-Reply-To: <CA+55aFycvN=3DvsnRNpZbQ8z3893EK-nJA+V=Fx8o8yaviW7VA@mail.gmail.com>
On Tue, Oct 04, 2016 at 08:29:00PM -0700, Linus Torvalds wrote:
> So what I think we should think about is:
>
> - extending the checkpatch warning to VM_BUG_ON too, to discourage new users.
>
> - look at making BUG_ON() simply be less lethal. Remove the
> unrechable(), reorganize how the string is stored, and make it act
> more like WARN_ON_ONCE() instead (it's the "rewind_stack_do_exit()"
> that ends up causing us to try to kill things, we *could* just try to
> stop doing that).
>
> - Instead of adding a BUG_ON_AND_HALT(), we could perhaps add a new
> FATAL_ERROR() thing that acts like the current BUG_ON, and *not* call
> it something similar (we don't want people doing mindless
> conversions!). And that's the one that would do the whole
> rewind_stack_do_exit() to kill the process.
I think instead we should completely remove any simple way to halt the
system and document how to do it. I've already seen some userland code
stuffed with thousands of assert() everywhere and their developers are
proud of this because their code looks clean and they show that they
care for all errors. But the cost of their stupidity doesn't seem to
affect them. Maybe they'll start to think about it the day they're
brought into a self-driven car and will realize that it'd better recover
from a failing flasher and not just crash in the middle of the highway.
Thus since their motives are just to easily write nice-looking code, I'd
simply force them to explicitly write their condition and the associated
printk() and panic() calls. It will become much more of a hassle and will
make their code less elegant, they should be much less tempted.
So I think that we'd rather run a huge sed all over the code to replace
BUG/BUG_ON with their WARN/WARN_ON equivalent. We'll very likely notice
a lot of new gcc warnings from code that was supposed not to every be
reachable, which will tell us a lot about some limited error checking
in these respective code parts.
Willy
next prev parent reply other threads:[~2016-10-05 5:44 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-04 4:00 BUG_ON() in workingset_node_shadows_dec() triggers Linus Torvalds
2016-10-04 4:07 ` Andrew Morton
2016-10-04 4:12 ` Linus Torvalds
2016-10-04 7:03 ` Raymond Jennings
2016-10-04 16:03 ` Linus Torvalds
2016-10-04 8:02 ` Greg KH
2016-10-04 9:32 ` Johannes Weiner
2016-10-05 1:21 ` Linus Torvalds
2016-10-05 9:25 ` Johannes Weiner
2016-10-05 9:31 ` Johannes Weiner
2016-10-05 10:40 ` Jan Kara
2016-10-05 16:10 ` Linus Torvalds
2016-10-05 17:00 ` [PATCH] checkpatch: extend BUG warning Joe Perches
2016-10-05 17:07 ` Linus Torvalds
2016-10-05 2:43 ` BUG_ON() in workingset_node_shadows_dec() triggers Paul Gortmaker
2016-10-05 3:29 ` Linus Torvalds
2016-10-05 5:44 ` Willy Tarreau [this message]
2016-10-05 15:52 ` Linus Torvalds
2016-10-05 19:06 ` Willy Tarreau
2016-10-05 19:18 ` Linus Torvalds
2016-10-05 21:09 ` Willy Tarreau
2016-10-05 21:14 ` Kees Cook
2016-10-05 21:46 ` Linus Torvalds
2016-10-05 22:17 ` Kees Cook
2016-10-05 22:29 ` Linus Torvalds
2016-10-06 22:07 ` Kees Cook
2016-10-06 22:29 ` Linus Torvalds
2016-10-06 23:05 ` Kees Cook
2016-10-06 23:59 ` Linus Torvalds
2016-10-07 5:48 ` Willy Tarreau
2016-10-07 17:16 ` Kees Cook
2016-10-07 17:21 ` Linus Torvalds
2016-10-07 17:33 ` Kees Cook
2016-10-07 18:26 ` Willy Tarreau
2016-10-06 1:59 ` Dave Chinner
2016-10-06 2:12 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161005054407.GC7297@1wt.eu \
--to=w@1wt.eu \
--cc=akpm@linux-foundation.org \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=paul.gortmaker@windriver.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=trapexit@spawn.link \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).