[Intel-gfx] [PATCH v2] drm/i915: Use BUILD_BUG_ON to detected missing engine definitions

Tvrtko Ursulin tvrtko.ursulin at linux.intel.com
Thu Mar 2 07:44:57 UTC 2017 

On 01/03/2017 20:07, Michal Wajdeczko wrote:
> On Wed, Mar 01, 2017 at 07:29:15PM +0000, Tvrtko Ursulin wrote:
>>
>> On 01/03/2017 17:39, Michal Wajdeczko wrote:
>>> Engine related definitions are located in different files
>>> and it is easy to break their cross dependency.
>>>
>>> Additionally use GEM_WARN_ON to catch invalid engine index.
>>>
>>> v2: compare against array size
>>>
>>> Signed-off-by: Michal Wajdeczko <michal.wajdeczko at intel.com>
>>> Cc: Jani Nikula <jani.nikula at intel.com>
>>> Cc: Joonas Lahtinen <joonas.lahtinen at linux.intel.com>
>>> Cc: Chris Wilson <chris at chris-wilson.co.uk>
>>> Cc: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
>>> ---
>>>  drivers/gpu/drm/i915/intel_engine_cs.c | 7 ++++++-
>>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/i915/intel_engine_cs.c b/drivers/gpu/drm/i915/intel_engine_cs.c
>>> index a238304..c1f58b5 100644
>>> --- a/drivers/gpu/drm/i915/intel_engine_cs.c
>>> +++ b/drivers/gpu/drm/i915/intel_engine_cs.c
>>> @@ -84,11 +84,16 @@ static const struct engine_info {
>>>
>>>  static int
>>>  intel_engine_setup(struct drm_i915_private *dev_priv,
>>> -		   enum intel_engine_id id)
>>> +		   unsigned int id)
>>>  {
>>>  	const struct engine_info *info = &intel_engines[id];
>>>  	struct intel_engine_cs *engine;
>>>
>>> +	BUILD_BUG_ON(ARRAY_SIZE(intel_engines) !=
>>> +		     ARRAY_SIZE(dev_priv->engine));
>>> +	if (GEM_WARN_ON(id >= ARRAY_SIZE(intel_engines)))
>>> +		return -EINVAL;
>>> +
>>>  	GEM_BUG_ON(dev_priv->engine[id]);
>>>  	engine = kzalloc(sizeof(*engine), GFP_KERNEL);
>>>  	if (!engine)
>>>
>>
>> I would add asserts for id >= ARRAY_SIZE(intel_engines) and id >=
>> ARRAY_SIZE(dev_priv->engine). That provides guarantees for no out of bounds
>> access within this function and should be enough for this function.
>
> True, but then we will loose early (ie. at build time) detection that our
> engine array definitions are not in sync (which was primary reason for this
> patch).
>
>>
>> The rest sounds just like trouble for now.
>
> I would not call extra check as a trouble.
> But if you prefer freedom over robustness, then I will step back.

Lets call it flexibility and pragmatism. :)

>> Also I am not sure about negative enum, do we elsewhere check for that class
>> of errors? Is it worth it? Maybe then just cast to unsigned in the above
>> mentioned asserts?
>
> Note that the caller function is not using enum at all, this id/index is defined
> there as plain "unsigned". Then it is promoted in this function only, where we
> start to use it as index again (except id assignment).

Maybe we should make the loop in intel_engines_init_early use the id 
instead of i then...

> IMHO enums are not the best choice for indexing arrays, and if you really want
> to do so, you should add some guards to prevent unexpected use.

... although it is still a local function with a single call site so 
doesn't get me too excited. But since I'm usually all for data type tidy 
so feel free to do it.

> Using cast in these two asserts will do the trick.
>
> Let's try this as compromise ;)

Yes I think this compromise is robust enough! ;)

Regards,

Tvrtko

More information about the Intel-gfx mailing list