Re: [dpdk-dev] Questions about API with no parameter check

[Tyler Retzlaff <roretzla@linux.microsoft.com>]

On Tue, May 04, 2021 at 09:36:24AM +0000, Ananyev, Konstantin wrote:
> 
> 
> > 
> > 2021-04-29 09:16 (UTC-0700), Tyler Retzlaff:
> > > On Wed, Apr 07, 2021 at 05:10:00PM +0100, Ferruh Yigit wrote:
> > > > On 4/7/2021 4:25 PM, Hemant Agrawal wrote:
> > > > >>+1
> > > > >>But are we going to check all parameters?
> > > > >
> > > > >+1
> > > > >
> > > > >It may be better to limit the number of checks.
> > > > >
> > > >
> > > > +1 to verify input for APIs.
> > > >
> > > > Why not do all, what is the downside of checking all input for control path APIs?
> > >
> > > why not assert them then, what is the purpose of returning an error to a
> > > caller for a api contract violation like a `parameter shall not be NULL`
> > >
> > > * assert.h/cassert can be compiled away for those pundits who don't want
> > >   to see extra branches in their code
> > >
> > > * when not compiled away it gives you an immediate stack trace or dump to operate
> > >   on immediately identifying the problem instead of having to troll
> > >   through hoaky inconsistently formatted logging.
> > >
> > > * it catches callers who don't bother to check for error from return of
> > >   the function (debug builds) instead of some arbitrary failure at some
> > >   unrelated part of the code where the corrupted program state is relied
> > >   upon.
> > >
> > > we aren't running in kernel, we can crash.
> > 
> > As library developers we can't assume stability requirements at call site.
> > There may be temporary files to clean up, for example,
> > or other threads in the middle of their work.
> > 
> > As an application developer I'd hate to get a crash inside a library and
> > having to debug it. Usually installed are release versions with assertions
> > compiled away.
> 
> I agree with Dmitry summary above.
> Asserting inside the library calls is bad programming practice,
> please keep it away from the project. 

i'm not advocating for asserts i'm advocating for users to have a
choice instead of being opted in to this change unconditionally.

asserts are an option that may be policy controlled as previously mentioned
either in this thread or another. so if you don't like them you can disable
them as a function of the policy. for a basic assert that means building
release instead of debug but a more sophisticated policy mechanism could be
employed if desired.

what you can't turn off is introduction of superfluous errors being
returned due to programming mistakes in the application which should be
handled yet have no sensible way to be handled. it just clutters the
calling code with unnecessary error handling, makes the errors returned
ambiguious and often indistinguishable from real errors.

by this logic we should modify rte_free to be

int rte_free(void * p) { if (p == NULL) return EINVAL; mem_free(p, true); }

which is about as useful as one can imagine.

this proposal has been pushed through too quickly without proper debate,
and the patch that introduces the superfluous errors breaks abi. tech
board should get involved before it goes further.

i'm not asking for asserts, i'm asking not to be opted in to an equally
harmful error handling pattern that makes application logic more error
prone and more complex negatively impacting quality.

thanks