On Mon, 27 Sep 2021 20:12:39 -0300 Jason Gunthorpe <jgg@xxxxxxxx> wrote: > On Mon, Sep 27, 2021 at 04:46:48PM -0600, Alex Williamson wrote: > > > + enum { MAX_STATE = VFIO_DEVICE_STATE_RESUMING }; > > > + static const u8 vfio_from_state_table[MAX_STATE + 1][MAX_STATE + 1] = { > > > + [VFIO_DEVICE_STATE_STOP] = { > > > + [VFIO_DEVICE_STATE_RUNNING] = 1, > > > + [VFIO_DEVICE_STATE_RESUMING] = 1, > > > + }, > > > > Our state transition diagram is pretty weak on reachable transitions > > out of the _STOP state, why do we select only these two as valid? > > I have no particular opinion on specific states here, however adding > more states means more stuff for drivers to implement and more risk > driver writers will mess up this uAPI. It looks like state transitions were largely discussed in v9 and v10 of the migration proposals: https://lore.kernel.org/all/1573578220-7530-2-git-send-email-kwankhede@xxxxxxxxxx/ https://lore.kernel.org/all/1576527700-21805-2-git-send-email-kwankhede@xxxxxxxxxx/ I'm not seeing that we really excluded many transitions there. > So only on those grounds I'd suggest to keep this to the minimum > needed instead of the maximum logically possible.. > > Also, probably the FSM comment from the uapi header file should be > moved into a function comment above this function? It's not clear this function shouldn't be anything more than: if (new_state > MAX_STATE || old_state > MAX_STATE) return false; /* exited via device reset, */ /* entered via transition fault */ return true; That's still only 5 fully interconnected states to work between, and potentially a 6th if we decide _RESUMING|_RUNNING is valid for a device supporting post-copy. In defining the device state, we tried to steer away from defining it in terms of the QEMU migration API, but rather as a set of controls that could be used to support that API to leave us some degree of independence that QEMU implementation might evolve. To that extent, it actually seems easier for a device implementation to focus on bit definition rather than the state machine node. I'd also vote that any clarification of state validity and transitions belongs in the uAPI header and a transition test function should reference that header as the source of truth, rather than the other way around. Thanks, Alex