From owner-svn-src-head@FreeBSD.ORG  Tue Dec 18 20:45:02 2012
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 4265A2C8;
 Tue, 18 Dec 2012 20:45:02 +0000 (UTC) (envelope-from jhb@freebsd.org)
Received: from bigwig.baldwin.cx (bigknife-pt.tunnel.tserv9.chi1.ipv6.he.net
 [IPv6:2001:470:1f10:75::2])
 by mx1.freebsd.org (Postfix) with ESMTP id 0FE188FC0A;
 Tue, 18 Dec 2012 20:45:02 +0000 (UTC)
Received: from pakbsde14.localnet (unknown [38.105.238.108])
 by bigwig.baldwin.cx (Postfix) with ESMTPSA id 7EE0AB97D;
 Tue, 18 Dec 2012 15:45:01 -0500 (EST)
From: John Baldwin <jhb@freebsd.org>
To: Adrian Chadd <adrian@freebsd.org>
Subject: Re: svn commit: r244112 - head/sys/kern
Date: Tue, 18 Dec 2012 15:23:05 -0500
User-Agent: KMail/1.13.5 (FreeBSD/8.2-CBSD-20110714-p22; KDE/4.5.5; amd64; ; )
References: <201212121658.49048.jhb@freebsd.org> <20121216233213.GA1451@itx>
 <CAJ-Vmo=XPXAAV90ZNqbky8kBfxGdQ6iB6GX4YQ_oQayeKiNWFQ@mail.gmail.com>
In-Reply-To: <CAJ-Vmo=XPXAAV90ZNqbky8kBfxGdQ6iB6GX4YQ_oQayeKiNWFQ@mail.gmail.com>
MIME-Version: 1.0
Message-Id: <201212181523.05713.jhb@freebsd.org>
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7
 (bigwig.baldwin.cx); Tue, 18 Dec 2012 15:45:01 -0500 (EST)
Cc: Ian Lepore <freebsd@damnhippie.dyndns.org>, src-committers@freebsd.org,
 Peter Wemm <peter@wemm.org>, svn-src-all@freebsd.org,
 Andriy Gapon <avg@freebsd.org>, svn-src-head@freebsd.org,
 Peter Jeremy <peter@rulingia.com>
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2012 20:45:02 -0000

On Sunday, December 16, 2012 10:05:48 pm Adrian Chadd wrote:
> On 16 December 2012 15:32, Navdeep Parhar <nparhar@gmail.com> wrote:
> 
> 
> >> The status quo _does not change_ by default.
> >
> > So now we have a knob that could be used to change the behaviour of all
> > the KASSERTs in the system; one that hints that it may be possible to
> > continue even if an assertion in the FreeBSD kernel doesn't hold good
> > (this is the part that bothers me).  I know all the KASSERTs I've looked
> > at or written are genuine assertions -- the code simply wouldn't be able
> > to cope if they were violated.  You'd get NULL dereferences, or worse,
> > access protected structures without corresponding locks held, etc.
> 
> In that case, those failures should be handled gracefully, or they
> should immediately panic the kernel.
> 
> Claiming that a KASSERT() is optional at this point is basically us as
> a project saying "We know that if the kernel gets to this point and it
> fails this check, everything is busted after this." Ie, "Hey, if you
> disable KASSERT(), your data is potentially toast."
> 
> Yet we ship with KASSERT() disabled. Silent data corruption, race
> conditions, etc. Not everything leads to a NULL pointer dereference.
> 
> Again, we ship with KASSERT disabled in GENERIC on shipping production
> releases. The concerns you have with KASSERT printing out when
> Alfred's modification is enabled -does not change the fact that the
> kernel does _EXACTLY THIS_ kind of "oh well, I'll keep going"
> behaviour in a GENERIC, production, release kernel-.

It seems to me that if you are willing to pay the cost of extra sanity checks, 
you should gain the extra protection against data corruption.  We have made 
the design decision to trade the extra data protection for increased 
performance in GENERIC since we feel the cases of data corruption should be 
rare.  In HEAD we have altered the tradeoff since code in HEAD has had less 
testing and is thus assumed to be more risky.  In your case you seem to be 
trading performance for reduced data protection.  Can you at least appreciate 
that argument?

Also, to Alfred's point that "we have spare CPU lying around".  Performance
is not only measured in throughput, it can also be measured in latency.

One other note: have you noticed that there is not a similar "whine but don't 
core" option for the userland assert()?  OTOH, there are such things in glib 
and the core KDE libraries.  Try firing up a gnome or KDE application in a 
terminal window.  You will be greeted by an endless stream of various debug 
messages.  The noise is so great that I haven't bothered to report any of them 
as bugs.  OTOH, I do open bugs if a KDE app cores.  It would not surprise me 
to find that enabling KASSERTS but having them only log doesn't actually help 
with anything as the extra logging could prove so noisy that no one bothers 
reporting them (and/or you end up with spurious noise due to secondary 
failures similar to the noise one can get with compiler warnings).

-- 
John Baldwin