|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [RFC PATCH 0/4] Add missing default labels to switch statements
On 2/25/19 3:22 PM, Julien Grall wrote: Hi, On 25/02/2019 13:06, Oleksandr Andrushchenko wrote:This is not how your e-mail came out. It came out as it is fine to add "default" with BUG() and then fix it later.On 2/25/19 2:50 PM, Julien Grall wrote:Hi, On 25/02/2019 12:38, Oleksandr Andrushchenko wrote:On 2/25/19 2:15 PM, Julien Grall wrote:Hi, On 25/02/2019 11:49, Oleksandr Andrushchenko wrote:On 2/25/19 1:23 PM, Julien Grall wrote:Hi, On 25/02/2019 09:50, Oleksandr Andrushchenko wrote:On 2/22/19 11:33 PM, Andrew Cooper wrote:On 22/02/2019 21:00, Stefano Stabellini wrote:On Fri, 22 Feb 2019, Julien Grall wrote:BTW, I checked the series with -Wswitch-default: -Wswitch-defaultWarn whenever a switch statement does not have a default case.Will you be ok to turn this particular switch on by default? Or you suggest that anyone interested to do so on their own will? If we want to turn many more warnings a bit later?If we decide to fully implement the rule in Xen, then it would be nice to get the compiler helping us spotting new switch without default case.That's not how it works in upstream. If you know some constructs are wrong, it is best to try to address partially the problem directly then having so youAgain, I see this as a dedicated change. So, in the current series I thinkIt is not because BUG() is been used today in some places that we need toIt is and not only in the switch. The reason I put BUG is that I triedFurthermore, using BUG() is a pretty bad idea in switch.to follow the existing "error handling" at those places.continue to spread it.Use of BUG() itself is another topic which will also need to beaddressedSo we should not add more of them...it isacceptable to use the existing way of error handling if any at all.reduce the amounts of change afterwards.So, then we need to get rid of BUG() from the existing code first, not trying to solve two issues at a time: rule 16.4 and BUG(). I still do think these two changes are not strictly relevant, but 16.4 just suffers from consequences of BUG() being used.Why would you add more BUG()? As I said above if this is an issue, then you don't add more. We can deal with other later on.So let me be clearer, I will not accept any new defensive code using BUG(). If you need rework in order to avoid BUG() in your series, then please do it. Note, this is not a request to remove the existing BUG().I am not defending BUG() in any way which is obviously a no-go.I am just trying to say that BUG() usage in the existing code needs to befixed first. Once done, we can then move to "default" w/o BUG()I am sorry but it does not make any sense. Why do you first need to fix the BUG() in the code before moving to "default" without BUG()?This order seems to be more consistent. Otherwise, we fix consequence and then get back to the actual causeSo you will add more badness to just be consistent. Doesn't it sound not right for you? The more that you justify this patch series as "defensive code"...Why? If we *first* deal with BUG() and *then* introduce "defaults" patch which will use the already fixed code? Yes, you are correct. But I have an impression that couple of letters agoI agreed that this *is* an issue and it *does need* a proper fix. And stated that we might want to fix that separately. So, after that point I thought the sequence will be: 1. Fix BUG() 2. Use fixed code as a basis for "defaults" Hope we are on the same page now. While I agree that one has to provide as much supporting information as possibleHowever, I don't see any strict dependencies on the both. The more than removing all BUG() is probably going to be more controversial than this series. So maybe it is good to focus on one things and do it right. Anyway, that's your call.My bad, but the patch itself was expected to raise questions, so I was not sureThis is a v1 of the patch. And one of the reasons to send it as is was to gatherThis is why defensive programming was invented, no? We at least try harderdomain_crash() is almost always better than BUG(). It is very obviousSo please try to not introduce more BUG() in the code base.Hi Oleksandr, Julien,Julien's right that we should not introduce any more BUG()s. In fact, each of them makes the code less safe, not more safe! The purpose of MISRAC 16.4 is "defensive programming": write the code in a way that ismore (not less!) resilient to failure.So, I think it is a good idea to introduce a default label because it can help us spot unexpected issues. Instead of calling BUG() in the default handler, which is detrimental, we should return an error whenpossible, or just print a warning.if it gets hit, and wont crash Xen.Thank you for suggestionsAs 16.4 clearly state, even a simple comment would be enough to address the rule. We just need to explain why a default label is not needed.Such as: default: /* unreachable because blah and blah */This is true...What a simple comment doesn't do is avoid breaking -Wswitch.... as well as this comment as well.This requirement is actively hostile towards compilers trying to help you spot when you made a mistake and forgot to update one of the $Nplaces you needed to.This is a trade-off: if your compiler is buggy or not supporting the switches then the code itself defends from such cases, hence the "default".As said before, how do you put the limit on what you need to protect against? If your compiler is buggy, then probably a default in switch is not going to help much.to defend ourselves from possible troubles.You will never be able to fully workaround a buggy compiler. Imagine the default case is also miscompiled? My point here is we have toAnyway, the chance of buggy compiler is slimmer than a programming error. Hence the defensive programming.Again, I am not an expert in this field. Neither I can defend MISRA and corresponding requirements. But, I do believe that those rules do have some ground underneath...What I question is the way your patch implemented the rule. The goal of MISRA is to make the code more defensive, a few of your changes does not achieve that.community's view on how to solve such cases.If you are aware of potential issue, then it is custom to specify them in the cover letter.what needs to be highlightedThis would allow us to directly focus on the meat of the seriesThe meat is being discussed (IMO) and it is not only empty defaultsrather than on sending an extra 40 e-mails to have more understanding.And just imagine if one spends weeks of work trying to fix some other non-trivial requirements and then receives >40 e-mails all requesting non-trivial changes. We already have such an example with Stefano's series which is now v9... So, IMO it is better to discuss some common approaches before sending something really complex which has all chances to have v15... And you might have noticed that the series starts with "RFC" wordMy point is not about sending such code on the mailing list. My point is you need to provide as much as possible details in your cover letter so we can be more efficient when reviewing. For instance, many of us does not have access to MISRA spec because it is not free... while presenting some work to the community it is that I cannot discloseMISRA rules here. As you said, MISRA spec is not free. And of course I cannot expect anyone to by it for the reason that someone wants some patch to be"securely" or blindly reviewed. (BTW, this is the topic that has already been raised in our team internally and being discussed) Cheers, _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |