On 12/9/19 1:50 PM, Jan Beulich wrote: > On 09.12.2019 12:29, George Dunlap wrote: >> --- a/CODING_STYLE >> +++ b/CODING_STYLE >> @@ -133,3 +133,97 @@ the end of files. It should be: >> * indent-tabs-mode: nil >> * End: >> */ >> + >> +Handling unexpected conditions >> +------------------------------ >> + >> +GUIDELINES: >> + >> +Passing errors up the stack should be used when the caller is already >> +expecting to handle errors, and the state when the error was >> +discovered isn’t broken, or isn't too hard to fix. >> + >> +domain_crash() should be used when passing errors up the stack is too >> +difficult, and/or when fixing up state of a guest is impractical, but >> +where fixing up the state of Xen will allow Xen to continue running. >> +This is particularly appropriate when the guest is exhibiting behavior >> +well-behaved guest should. > > DYM "shouldn't"?
Indeed. >> +- domain_crash() is similar to BUG_ON(), but with a more limited >> +effect: it stops that domain immediately. In situations where >> +continuing might cause guest or hypervisor corruption, but destroying >> +the guest allows the hypervisor to continue, this can change a more >> +serious bug into a guest denial-of-service. But in situations where >> +returning an error might be safe, then domain_crash() can change a >> +benign failure into a guest denial-of-service. > > Perhaps further put emphasis on the call tree still getting unwound > normally, which may imply further actions on the (now dying) domain > taken. Unfortunately it's not unusual for people to forget this; I > think the IOMMU code in particular was (hopefully isn't so much > anymore) a "good" example of this. Can you expand on this? Do you mean to advise that care should be taken when returning up the callstack that the domain which was running before may now be dying, and to behave appropriately? -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
