Update node creation/destruction API documentation. #249
Conversation
rmw/include/rmw/rmw.h
Outdated
| * The security options should always be non-null and encapsulate the | ||
| * essential security configurations for the node and its entities. | ||
| * \pre The given name must be a valid non-null node name. | ||
| * \pre The given namespace_ must be a valid non-null node namespace. |
There was a problem hiding this comment.
API here departs from the rest. Usually, a null argument means RMW_RET_INVALID_ARGUMENT or similar. rmw_create_node would do the same, and then require the caller to ensure name and namespace_ to be valid, precluding null arguments entirely.
I chose to keep the precondition. But we could check instead.
There was a problem hiding this comment.
The problem of requiring preconditions that aren't checked at runtime and that the compiler doesn't check is that in the case they aren't satisfied it will probably generate a segfault (in no-release mode, that can be avoided using asserts).
If it's cheap to check, I don't see why not doing that.
There was a problem hiding this comment.
Asserts would indeed be required. That still means no checks in production.
If it's cheap to check, I don't see why not doing that.
I can't tell what the cost of validation is.
In this particular case, I don't mind either way as long as it's properly documented.
There was a problem hiding this comment.
I can't tell what the cost of validation is.
Yeah, but it does sound like something we can do easily.
In this particular case, I don't mind either way as long as it's properly documented.
I think it was properly documented:
* - context, name, namespace_, or security_options is `NULL`
There was a problem hiding this comment.
Correct, the odd thing being that nullity would be checked but validity would be assumed. Here I went for complete assumption. We can go for complete checking. It's the middle ground that I find odd.
There was a problem hiding this comment.
See 6c83764 for the alternative.
There was a problem hiding this comment.
Correct, the odd thing being that nullity would be checked but validity would be assumed. Here I went for complete assumption. We can go for complete checking. It's the middle ground that I find odd.
I didn't get that part before.
I imagine that for a valid name and namespace you're referring to:
- https://github.com/ros2/rmw/blob/master/rmw/include/rmw/validate_node_name.h
- https://github.com/ros2/rmw/blob/master/rmw/include/rmw/validate_namespace.h
I think we're using that on rcl but never on the rmw implementations (not sure why the definitions are in rmw, maybe we wanted to use the functions from the rmw implementations (?)).
Repeating the validity check would be probably unnecessary, as rcl already takes care of that.
It's the middle ground that I find odd.
Yeah, it's a bit odd to check "not NULL but maybe invalid".
I'm comfortable with the middle ground though.
There was a problem hiding this comment.
So, I'm pushing for a choice because IMO the middle ground makes no sense. If the caller must ensure that names are valid, null names already fails validation. If you get a null name, that means the caller broke the precondition and you're in UB land. Checking for null doesn't make things any better.
If no one strongly disagrees, I'll keep the checks as it's less awkward.
rmw/include/rmw/rmw.h
Outdated
| * The security options should always be non-null and encapsulate the | ||
| * essential security configurations for the node and its entities. | ||
| * \pre The given name must be a valid non-null node name. | ||
| * \pre The given namespace_ must be a valid non-null node namespace. |
There was a problem hiding this comment.
The problem of requiring preconditions that aren't checked at runtime and that the compiler doesn't check is that in the case they aren't satisfied it will probably generate a segfault (in no-release mode, that can be avoided using asserts).
If it's cheap to check, I don't see why not doing that.
rmw/include/rmw/rmw.h
Outdated
| * - context is not valid i.e. it has been initialized | ||
| * by `rmw_init()` but not yet invalidated by | ||
| * `rmw_shutdown()` |
There was a problem hiding this comment.
I'm not sure I understand this sentence. Shouldn't it be more like:
* - context is not valid i.e. it has not yet been initialized
* by `rmw_init()` or has been invalidated by
* `rmw_shutdown()`
If not, can you clarify further?
There was a problem hiding this comment.
Yes! That's what I meant, though not initialized is a slippery slope. We can only safely guard against mismatching implementation identifiers or zero-initialized contexts. See 42bb43b.
| @@ -166,10 +156,9 @@ rmw_get_serialization_format(void); | |||
| * \param[in] name the node name | |||
| * \param[in] namespace_ the node namespace | |||
There was a problem hiding this comment.
I know you didn't change this, but I find it odd that namespace_ has a trailing underscore. What do you think about changing that (and updating the documentation to match)?
There was a problem hiding this comment.
Spoke too soon, 2442051.
Even though it's an argument name and it is within an external C linkage block, the compiler barfs at namespace.
There was a problem hiding this comment.
In rcl we are using node_namespace to avoid that problem, which looks a bit nicer that the trailing underscore.
That change sounds a bit unrelated to the PR though.
There was a problem hiding this comment.
It's slightly redundant though.
rmw/include/rmw/rmw.h
Outdated
| * \pre All publishers, subscribers, services, and clients created from this node must | ||
| * have been destroyed upon call. Some rmw implementations may choose to verify this, | ||
| * returning `RMW_RET_ERROR` and setting a human readable error message if any entity | ||
| * created from this node has not yet been destroyed. |
There was a problem hiding this comment.
| * \pre All publishers, subscribers, services, and clients created from this node must | |
| * have been destroyed upon call. Some rmw implementations may choose to verify this, | |
| * returning `RMW_RET_ERROR` and setting a human readable error message if any entity | |
| * created from this node has not yet been destroyed. | |
| * \pre All publishers, subscribers, services, and clients created from this node must | |
| * have been destroyed prior to this call. Some rmw implementations may verify this, | |
| * returning `RMW_RET_ERROR` and setting a human readable error message if any entity | |
| * created from this node has not yet been destroyed. However, this is not guaranteed and so | |
| * callers should ensure that this is the case before calling this function. |
| @@ -166,10 +156,9 @@ rmw_get_serialization_format(void); | |||
| * \param[in] name the node name | |||
| * \param[in] namespace_ the node namespace | |||
There was a problem hiding this comment.
In rcl we are using node_namespace to avoid that problem, which looks a bit nicer that the trailing underscore.
That change sounds a bit unrelated to the PR though.
|
One thing I changed in RMW implementations but didn't reflect here yet. Should we specify how memory is to be allocated?
|
I agree that this is kind of messy. But it seems orthogonal to this PR; should we go ahead and merge this one, and open an issue for further discussion of this topic? |
Yeah, I guess. I do think that the way memory is allocated should be consistent and documented though. |
|
I would agree with merge then fix in a follow up, just because there's so much inconsistency already. I think the "right way" to do this is to always use the passed rcutils allocator, or pass one if there's not one being passed atm. We should deprecate the |
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
hidmic
force-pushed
the
hidmic/update-node-docs
branch
from
6498e2f
to
d9930ed
Compare
|
Rebased to reflect #248 API changes. |
|
Running CI up to
|
rmw/include/rmw/rmw.h
Outdated
| * created from this node has not yet been destroyed. | ||
| * This function will return early if a logical error, such as `RMW_RET_INVALID_ARGUMENT` | ||
| * or `RMW_RET_INCORRECT_RMW_IMPLEMENTATION`, ensues, leaving the given node handle unchanged. | ||
| * Otherwise, it will proceed despite errors, freeing as much resources as it can, including |
There was a problem hiding this comment.
| * Otherwise, it will proceed despite errors, freeing as much resources as it can, including | |
| * Otherwise, it will proceed despite errors, freeing as many resources as it can, including |
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
|
Alright, all green. Merging. |
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Signed-off-by: Michel Hidalgo <michel@ekumenlabs.com>
Precisely what the title says.