On Thu, Feb 15, 2018 at 05:06:17PM +0100, Christophe de Dinechin wrote: > From: Christophe de Dinechin <dinechin@xxxxxxxxxx> > > Changes since v3: > - Integrate comments about performance impact and solution > - Integrate comments about impact of a failed assertion > - Add prohibition against side effects > > Signed-off-by: Christophe de Dinechin <dinechin@xxxxxxxxxx> > --- > docs/spice_style.txt | 36 +++++++++++++++++++++++++++++++++--- > 1 file changed, 33 insertions(+), 3 deletions(-) > > diff --git a/docs/spice_style.txt b/docs/spice_style.txt > index 5dc41cb1..3bc70570 100644 > --- a/docs/spice_style.txt > +++ b/docs/spice_style.txt > @@ -113,10 +113,40 @@ FIXME and TODO > > Comments that are prefixed with `FIXME` describe a bug that need to be fixed. Generally, it is not allowed to commit new code having `FIXME` comment. Committing `FIXME` is allowed only for existing bugs. Comments that are prefixed with `TODO` describe further features, optimization or code improvements, and they are allowed to be committed along with the relevant code. > > -ASSERT > ------- > +Assertions > +---------- > + > +Assertions help testing function arguments and function results validity. As a result, they make it easier to detect bugs. Also, by expressing the intent of the developer, they make the code easier to read. > + > +Assertions checks have a significant performance impact should be placed under the `ENABLE_EXTRA_CHECKS` conditional. "which have" ? > + > +[source,c] > +---- > +void function(void) > +{ > + while (condition()) { // Hot loop > + spice_assert(ENABLE_EXTRA_CHECKS && expensive_check()); > + } > + ... > +} > +---- > + > +Several form of assertion exist. SPICE does not use the language `assert` much, but instead relies on the following variants: > + > +- `spice_assert`, defined in `common/log.h`, is never disabled at run-time and prints an error if the assertion fails. > + > +- `g_assert` and other variants defined in glib such as `g_assert_null`, can be disabled by setting `G_DISABLE_ASSERT` (which is never done in practice for SPICE code), and emits a message through the g_assertion_message function and its variants. I would expect program abortion to be mentioned here in addition to the printing of the message. > +The guidelines for selecting one or the other are not very clear from > the existing code. The `spice_assert` variant may be preferred for > SPICE-only code, as it makes it clearer that this assertion is coming > from SPICE. The `g_assert` and variants may be preferred for > assertions related to the use of glib. I'd remove this and just say to use g_* > + > +Be mindful of the impact of a failing assertion. For example, assertions in the server should not abort it, as this would kill the QEMU process and the virtual machine. > + > +Assertions should not: > + > +- Be used as a replacement for proper error management or to check unsafe data such as user input > +- Have side effects, since an assertion check may be disabled *if* we really plan to disable assertions in some cases, I think we'd need to be more explicit about when it's going to happen. If we don't consider it a valid usecase to disable assertions, then we can drop this.
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel