Site Navigation

Date:      Mon, 9 Feb 1998 07:51:27 +0100
From:      Eivind Eklund <eivind@FreeBSD.ORG>
To:        Michael Hancock <michaelh@cet.co.jp>
Cc:        FreeBSD Hackers <Hackers@FreeBSD.ORG>
Subject:   Re: DIAGNOSTICS and DEBUG LOGGING (was Re: cvs commit: src/sys/conf options)
Message-ID:  <19980209075127.63680@follo.net>
In-Reply-To: <Pine.SV4.3.95.980209150818.661A-100000@parkplace.cet.co.jp>; from Michael Hancock on Mon, Feb 09, 1998 at 03:23:45PM %2B0900
References:  <199802061241.EAA24833@freefall.freebsd.org> <Pine.SV4.3.95.980209150818.661A-100000@parkplace.cet.co.jp>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

On Mon, Feb 09, 1998 at 03:23:45PM +0900, Michael Hancock wrote:
> Eivind,
> 
> I'd like to see "sanity checks" (assertions) and diagnostic logging
> separated.  DIAGNOSTICS turns on both, but I'd like to be able to run an
> assertion checking kernel without all the logging. 

Absolutely agreed.  I was thinking of

_INVARIANTS	- Enable invariant/postcondition checking (expensive)
_ASSERTS	- Enable precondition and other cheap assertions
INVARIANT_CODE	- Compile in invariant functions.
DIAGNOSTIC	- Messages to help tracing errors; non-overwhelming amount.

The difference between _INVARIANTS and INVARIANT_CODE is that INVARIANT_CODE
just includes the actual code necessary to be able to check an invariant,
while _INVARIANTS actually throw in the code that do calls to check the
invariant.

The reason for the underscores is that header files are likely to depend on
those options.  The separation of the INVARIANT_CODE and _INVARIANTS is to
be able to support enabling invariant-checks in only some files.  Separation
of _INVARIANTS and _ASSERTS is that there is often a factor of >1000
difference between the cost of checking pre-conditions and the cost of
checking post-conditions/data-structure invariants.

Example of how the above would affect source-code:
	The following would be the diffs to kern/tty_subr.c to implement a
	clist invariant.  (It is some of the code I've got lying around of
	the type nobody-seems-to-be-interested-so-I-won't-commit-it-until-
	it-seems-I-can-find-a-nice-way-to-fit-it-in).

Index: tty_subr.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/tty_subr.c,v
retrieving revision 1.28
diff -u -r1.28 tty_subr.c
--- tty_subr.c	1997/10/12 20:24:09	1.28
+++ tty_subr.c	1998/02/09 06:37:34
@@ -112,6 +112,10 @@
 cblock_free(cblockp)
 	struct cblock *cblockp;
 {
+#ifdef _ASSERTS
+		if ((unsigned long)cblockp & (CBLOCK-1))
+		  panic("Unaligned cblock in cblock_free");
+#endif
 	if (isset(cblockp->c_quote, CBQSIZE * NBBY - 1))
 		bzero(cblockp->c_quote, sizeof cblockp->c_quote);
 	cblockp->c_next = cfreelist;
@@ -136,6 +140,10 @@
 "clist_alloc_cblocks: M_NOWAIT malloc failed, trying M_WAITOK\n");
 			cbp = malloc(sizeof *cbp, M_TTYS, M_WAITOK);
 		}
+#ifdef _ASSERTS
+		if ((unsigned long)cbp & (CBLOCK-1))
+		  panic("Unaligned cblock alloced in cblock_alloc_cblocks");
+#endif
 		/*
 		 * Freed cblocks have zero quotes and garbage elsewhere.
 		 * Set the may-have-quote bit to force zeroing the quotes.
@@ -260,6 +268,117 @@
 	return (chr);
 }
 
+#if defined(INVARIANT_CODE) || defined(_INVARIANTS)
+/* Verify the clist invariant.  Will panic if passed an invalid clist.
+   Intended for debugging of tty-drivers. */
+void
+clist_invariant(
+     struct clist *clistp,	/* clist to verify */
+     char *descr		/* Section of program causing panic */
+) {
+  struct cblock *cblockp;	/* Presently examined cblock */
+  struct cblock *cblockp2;	/* Loop limit cblock */
+  int	real_cc;		/* Real character count */
+  int   max_loop;		/* Number of cblocks to check (max) */
+
+  if (descr == NULL)
+    descr = "undescribed";
+
+  if (clistp == NULL)
+    panic("clist invariant: NULL clist in %s", descr);
+
+  /* Check for negative counts */
+  if (clistp->c_cc < 0)
+    panic("clist invariant: negative character count(%d) in %s",
+	  clistp->c_cc, descr);
+  if (clistp->c_cbcount < 0)
+    panic("clist invariant: negative block count (%d) in %s",
+	  clistp->c_cbcount, descr);
+  if (clistp->c_cbmax < 0)
+    panic("clist invariant: negative max block count (%d) in %s",
+	  clistp->c_cbmax, descr);
+  if (clistp->c_cbreserved < 0)
+    panic("clist invariant: negative reserved block count (%d) in %s",
+	  clistp->c_cbreserved, descr);
+
+  /* Check for generally invalid counts */
+
+  if (clistp->c_cc && roundup(clistp->c_cc, CBSIZE) / CBSIZE > clistp->c_cbcount)
+    panic("clist invariant: too few cblocks for c_cc (%d vs %d) in %s",
+	  clistp->c_cbcount, clistp->c_cc, descr);
+  if (roundup(clistp->c_cc, CBSIZE) / CBSIZE + 2 < clistp->c_cbcount)
+    panic("clist invariant: too many cblocks for c_cc (%d vs %d) in %s",
+	  clistp->c_cbcount, clistp->c_cc, descr);
+  if (clistp->c_cbcount > clistp->c_cbmax)
+    panic("clist invariant: more cblocks than cb_max (%d vs %d) in %s",
+	  clistp->c_cbcount, clistp->c_cbmax, descr);
+
+  if (clistp->c_cc == 0) {
+    if (clistp->c_cf && clistp->c_cl &&
+	clistp->c_cf != clistp->c_cl)
+      panic("clist invariant: cf (%p) and cl (%p) differ for empty clist in %s",
+	    clistp->c_cf, clistp->c_cl, descr);
+    return;
+  }
+  if (clistp->c_cf == NULL)
+    panic("clist invariant: cf is NULL with c_cc=%d (cl=%p) in %s",
+	  clistp->c_cc, clistp->c_cl, descr);
+  if (clistp->c_cl == NULL)
+    panic("clist invariant: cl is NULL with c_cc=%d (cf=%p) in %s",
+	  clistp->c_cc, clistp->c_cf, descr);
+
+  /* Traverse clist to find actual character count and verify that the
+     last pointer exists */
+  cblockp = (struct cblock *)((unsigned long)clistp->c_cf & ~CROUND);
+  real_cc = (char*)cblockp->c_info - clistp->c_cf;
+  if (real_cc > 0)
+    panic("clist invariant: cf (%p) points outside c_info block in %s",
+	  clistp->c_cf, descr);
+
+  /* Limit looping */
+  max_loop = clistp->c_cbcount*2 + 2;
+  cblockp2 = cblockp;
+
+  while (cblockp) {
+    if ((void*)clistp->c_cl > (void*)cblockp &&
+	(char*)clistp->c_cl <= (char*)cblockp + CBLOCK) {
+
+      /* We've found the last block in the list - handle character
+         count and other checks */
+      if (clistp->c_cl < (char*)cblockp->c_info)
+	panic("clist invariant: cl (%p) points outside c_info block in %s",
+	      clistp->c_cl);
+      real_cc += clistp->c_cl - (char*)cblockp->c_info;
+      if (real_cc != clistp->c_cc)
+	panic("clist invariant: real cc (%d) does not match c_cc (%d) in %s",
+	      real_cc, clistp->c_cc, descr);
+      if (cblockp->c_next)
+	panic("clist invariant: non-NULL c_next (%p) on last cblock in %s",
+	      cblockp->c_next, descr);
+      /* Invariant OK */
+      return;
+    }
+
+    /* Increase character count */
+    real_cc += CBSIZE;
+    if (max_loop-- <= 0) {
+      panic("clist invariant: too long ");
+    }
+    cblockp = cblockp->c_next;
+    if (cblockp == cblockp2)
+      panic("clist invariant: loop in clist (%p) in %s",
+	    clistp, descr);
+    if ((max_loop & 1) == 0) {
+      cblockp2 = cblockp2->c_next;
+    }
+    if (cblockp == cblockp2)
+      panic("clist invariant: loop in clist (%p) in %s",
+	    clistp, descr);
+  }
+  panic("clist invariant: terminated before finding c_cl");
+}
+#endif
+
 /*
  * Copy 'amount' of chars, beginning at head of clist 'clistp' to
  * destination linear buffer 'dest'. Return number of characters
@@ -277,8 +396,15 @@
 	int numc;
 	int s;
 
+#ifdef _ASSERTS
+	if (dest == NULL)
+	  panic("destination is NULL in q_to_b");
+#endif
 	s = spltty();
 
+#ifdef _INVARIANTS
+	clist_invariant(clistp, "q_to_b");
+#endif
 	while (clistp && amount && (clistp->c_cc > 0)) {
 		cblockp = (struct cblock *)((long)clistp->c_cf & ~CROUND);
 		cblockn = cblockp + 1; /* pointer arithmetic! */
@@ -435,6 +561,10 @@
 	int startbit, endbit, num_between, numc;
 	int s;
 
+#ifdef _ASSERTS
+	if (src == NULL)
+	  panic("clist b_to_q on NULL block");
+#endif
 	/*
 	 * Avoid allocating an initial cblock and then not using it.
 	 * c_cc == 0 must imply c_cbount == 0.
@@ -444,6 +574,9 @@
 
 	s = spltty();
 
+#ifdef _INVARIANTS
+	clist_invariant(clistp, "b_to_q");
+#endif
 	/*
 	 * If there are no cblocks assigned to this clist yet,
 	 * then get one.


> Do you think that DIAGNOSTICS can be separated into these 2 categories
> without upsetting too many people?

I haven't got a clue.  I've been planning to try it, though.  Do the above
scheme look good to you?

> What does DEBUG do?  Can all sanity checks be moved to DEBUG?

DEBUG does an insane pletoria of different things, all depending on what the
driver-author (or whatever) wanted it to do.  It usually turn on insane
amounts of debugging information.

> This would give us more clearly defined debugging flags:
> 
> DIAGNOSTICS - Debug logging
> DEBUG - Sanity checks
> DDS - GDB callable debug functions.

I like the distinctions, but not the names :-)

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe hackers" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980209075127.63680>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact