On 11/5/17, Warner Losh <i...@bsdimp.com> wrote:
> On Sun, Nov 5, 2017 at 11:32 AM, Conrad Meyer <c...@freebsd.org> wrote:
>
>> E.g.,
>>
>> --- a/sys/ufs/ffs/ffs_alloc.c
>> +++ b/sys/ufs/ffs/ffs_alloc.c
>> @@ -304,8 +304,7 @@ retry:
>> }
>>
>> if (bp->b_blkno == bp->b_lblkno) {
>> - if (lbprev >= UFS_NDADDR)
>> - panic("ffs_realloccg: lbprev out of range");
>> + ASSERT(lbprev < UFS_NDADDR, "ffs_realloccg: lbprev out
>> of range");
>> bp->b_blkno = fsbtodb(fs, bprev);
>> }
>>
>
> Just a side point: All these should be programming errors.
Yes, they are programming errors, but the INVATIANTS and all of the
debugging kernel
facilities are disabled on -STABLE branches, and no one (except us)
running on system
with enabled debug stuffs.
So it would be nice to enable the debug facilities on -STABLE branches
and disable them
on -RELENG branch time. There was always several errors / patch, which
could be catch.
Now I don't want to search for them, but I uptreamed them one or two years ago.
> The bogus data
> that comes or could come from the FS itself should remain always-on panics.
> Well, actually, they should transition from always-on panics to some sort
> of degraded mount that would be more resilient in the face of such
> corruption. But failing that, they should remain always-on panics :)
>
> Warner
>
>
>
>> On Sun, Nov 5, 2017 at 9:30 AM, Konstantin Belousov <kostik...@gmail.com>
>> wrote:
>> > On Sun, Nov 05, 2017 at 09:16:28AM -0800, Conrad Meyer wrote:
>> >> On Sun, Nov 5, 2017 at 5:06 AM, Konstantin Belousov <
>> kostik...@gmail.com> wrote:
>> >> > On Sat, Nov 04, 2017 at 12:04:56PM -0700, Conrad Meyer wrote:
>> >> >> This is a functional change, because MPASS (via KASSERT) is only
>> >> >> enabled on DEBUG kernels. Ideally we would have a kind of ASSERT
>> that
>> >> >> worked on NODEBUG kernels.
>> >> > Why would we need such thing ?
>> >> >
>> >> > Our conventions are clear: consistency checks are normally done with
>> >> > KASSERT() and enabled for DEBUG (INVARIANTS or harder)
>> >> > configurations.
>> >> > We only leave explicit panics in the production kernels when there
>> >> > continuation of operations is worse then abort, e.g. when UFS
>> >> > detects
>> >> > the metadata corruption.
>> >>
>> >> An always-on assert construct would be precisely for the latter
>> >> scenario. Instead, we litter the tree with "if (!invariant) {
>> >> panic(); }."
>> > We do
>> >
>> > #ifdef INVARIANTS
>> > if (!condition) panic();
>> > #endif
>> >
>> > I do not understand what do you mean by 'instead'.
>>
>>
> _______________________________________________
> svn-src-head@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
>
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
