svn commit: r325386 - head/sys/kern

Oliver Pinter oliver.pinter at hardenedbsd.org
Sun Nov 5 18:54:10 UTC 2017 

On 11/5/17, Warner Losh <imp at bsdimp.com> wrote:
> On Sun, Nov 5, 2017 at 11:32 AM, Conrad Meyer <cem at freebsd.org> wrote:
>
>> E.g.,
>>
>> --- a/sys/ufs/ffs/ffs_alloc.c
>> +++ b/sys/ufs/ffs/ffs_alloc.c
>> @@ -304,8 +304,7 @@ retry:
>>         }
>>
>>         if (bp->b_blkno == bp->b_lblkno) {
>> -               if (lbprev >= UFS_NDADDR)
>> -                       panic("ffs_realloccg: lbprev out of range");
>> +               ASSERT(lbprev < UFS_NDADDR, "ffs_realloccg: lbprev out
>> of range");
>>                 bp->b_blkno = fsbtodb(fs, bprev);
>>         }
>>
>
> Just a side point: All these should be programming errors.

Yes, they are programming errors, but the INVATIANTS and all of the
debugging kernel
facilities are disabled on -STABLE branches, and no one (except us)
running on system
with enabled debug stuffs.

So it would be nice to enable the debug facilities on -STABLE branches
and disable them
on -RELENG branch time. There was always several errors / patch, which
could be catch.

Now I don't want to search for them, but I uptreamed them one or two years ago.

> The bogus data
> that comes or could come from the FS itself should remain always-on panics.
> Well, actually, they should transition from always-on panics to some sort
> of degraded mount that would be more resilient in the face of such
> corruption. But failing that, they should remain always-on panics :)
>
> Warner
>
>
>
>> On Sun, Nov 5, 2017 at 9:30 AM, Konstantin Belousov <kostikbel at gmail.com>
>> wrote:
>> > On Sun, Nov 05, 2017 at 09:16:28AM -0800, Conrad Meyer wrote:
>> >> On Sun, Nov 5, 2017 at 5:06 AM, Konstantin Belousov <
>> kostikbel at gmail.com> wrote:
>> >> > On Sat, Nov 04, 2017 at 12:04:56PM -0700, Conrad Meyer wrote:
>> >> >> This is a functional change, because MPASS (via KASSERT) is only
>> >> >> enabled on DEBUG kernels.  Ideally we would have a kind of ASSERT
>> that
>> >> >> worked on NODEBUG kernels.
>> >> > Why would we need such thing ?
>> >> >
>> >> > Our conventions are clear: consistency checks are normally done with
>> >> > KASSERT() and enabled for DEBUG (INVARIANTS or harder)
>> >> > configurations.
>> >> > We only leave explicit panics in the production kernels when there
>> >> > continuation of operations is worse then abort, e.g. when UFS
>> >> > detects
>> >> > the metadata corruption.
>> >>
>> >> An always-on assert construct would be precisely for the latter
>> >> scenario.  Instead, we litter the tree with "if (!invariant) {
>> >> panic(); }."
>> > We do
>> >
>> > #ifdef INVARIANTS
>> > if (!condition) panic();
>> > #endif
>> >
>> > I do not understand what do you mean by 'instead'.
>>
>>
> _______________________________________________
> svn-src-head at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"
>

More information about the svn-src-all mailing list