[dm-devel] dm-integrity: fix inefficient allocation of stack space

Mikulas Patocka mpatocka at redhat.com
Thu Jul 20 11:25:33 UTC 2017 


On Thu, 20 Jul 2017, Mikulas Patocka wrote:

> 
> 
> On Wed, 19 Jul 2017, John Stoffel wrote:
> 
> > I'd like to argue that you should never use BUG_ON at all, esp since
> > if you have integrity running on just one critical device, but have
> > other devices that work just fine, bringing down the entire system
> > because you don't think things are ok is terrible.
> > 
> > We should rip out ALL the BUG_ONs in the dm-integrity and just do
> > proper error handling instead.  For testing, sure, use them on your
> > code.  But please, not for general use!
> > 
> > John
> 
> Linus sometimes argued against BUG_ON and people are repeating it after 
> him like sheep.
> 
> If a programmer made a bug in his code, he should fix that bug, not write 
> additional recovery code for the bug.
> 
> Mikulas

For example, there a function access_journal_check that checks if journal 
section and offset are valid and calls BUG if they're not.

Now, suppose that we change BUG() to WARN() - now we need to return error 
code from the function. So we change the return value from void to int.

But this function is called by three other functions - page_list_location, 
access_journal_entry, access_journal_data - and now we need to test the 
error code in all of them.

page_list_location returns void, so it needs to be changed to return an 
error code too. access_journal_entry and access_journal_data return a 
pointer, so we change them to return NULL on error - but that NULL needs 
to be checked in the callers.

There are 11 callers of access_journal_entry and 5 calleds of 
access_journal_data and 5 callers of page_list_location.

And now you can see that changing a single BUG to WARN adds excessive 
amount of junk code that checks for "impossible" conditions. These extra 
tests do not make the code any more readable or understandable - they make 
it less readable because the programmer no longer knows what checks are 
really needed and what are not.


In the early days when I was programming, I was adding checks for NULL 
pointers "just in case - so that it doesn't crash". But these checks 
didn't make the code any more understandable - they made the code less 
understandable - because if a function return value is checked for NULL, 
the programmer believes that the function could return NULL. And the 
programmer no longer knows what is the contract of the function - could 
the function really return NULL or not?

Mikulas

More information about the dm-devel mailing list