-
Notifications
You must be signed in to change notification settings - Fork 686
-
Notifications
You must be signed in to change notification settings - Fork 686
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking: HIL methods that can fail should have ErrorCodes #1052
Comments
Generally speaking, almost every call in a HIL can have a failure condition. E.g., suppose that the operation is performed by a separate chip over a bus. E.g., an external encryption accelerator, a GPIO MUX, etc. This will involve an interaction over the bus to turn on/configure the other chip; what if the external chip does not respond correctly, e.g., there is a power problem. The interfaces to specific implementations might not have failure conditions, but the HIL needs to represent the union of all possible implementations. Also, callbacks usually need to have ReturnCodes. If the call could fail, then it's possible the failure isn't detected until later, at which point it has to be signaled through the callback. E.g., suppose a call to symmetric encryption might fail because the data is the wrong length. The symmetric encryption engine is virtualized, so the fact that it's the wrong length isn't detected until after the initial call is made (and the call is forwarded to the underlying engine). If the virtualizer can detect it's the wrong length, this means the virtualizer has to repeat encryption-specific logic that's in the encryption implementation. |
Maybe there are other examples of this that don't involve a chip over a bus, but in general, whether a particular HIL supports operations for a bus is explicit (e.g. So, for example, I think it's certainly fine for Even for some cases that are over a bus, like an external encryption accelerator, I'm not entirely sure how a client of the HIL would deal with an error like the peripheral chip not responding correctly in a reasonable way. I'm not saying suggesting one way or another whether encryption HIL's methods or callbacks should have a In general, having error cases greatly complicates writing client code, so it should be avoided if it's not necessary or useful. |
I've been thinking about this a little, and I wonder if it's suboptimal for HIL methods to return generic I don't have this idea totally fleshed out, but perhaps we could add some form of macro that would look something like: return_codes![RNG::get,
/// If SUCCESS is returned then the implementation MUST issue a randomness_available callback sometime in the future.
SUCCESS,
/// Indicates that the RNG is not currently powered/available. No callback will be generated.
EOFF,
/// Indicates a more general failure condition.
FAIL,
]
pub trait RNG<'a> {
fn get(&self) -> RNG::get::ReturnCode;
...
} Where the macro enforces that the return codes supplied are all kernel Too complex to be useful / worth the effort, or worthwhile to help ease error handling / ensure correctness? |
Handling ReturnCodes is hard, but if there is no mechanism to report errors that writing reliable long-running applications is hard too, so in general I think we do need a way to signal errors, but, I agree that we don't in the cases where something can't realistically fail.
I'm not sure. I wonder how this could be implemented, because I imagine that in a lot of cases the handler of the HIL error is simply going to pass it to userspace. |
I think the pass-through case is actually the easiest, since the syscall interface already takes the generic I think where this would really see use is where callers of the HIL do want to handle errors, so they |
On Jul 4, 2018, at 3:25 PM, Pat Pannuto ***@***.***> wrote:
There are currently 13 different types of failures in enum ReturnCode, but most HIL interfaces specify (in documentation only) that the HIL can only return 1-3 of these.
This is not uncommon; ReturnCode is like errno in UNIX. Any given HIL may only return a subset, but those subsets are somewhat distinct. ENOACK, for example, is a very specific one for radios with synchronous acknowledgments, while ENODEVICE is for system calls.
In Tock’s case, I think there’s an additional problem, that in many HILs we have yet to think through all of the error cases and assign them to ReturnCodes. For example, sdcard.rs uses ERESERVE to indicate the card wasn’t initialized and ENOMEM to indicate there’s no buffer available. The console driver, in contrast, uses ERESERVE to indicate that there’s no buffer available.
On one hand, I think your suggestion of more strongly typing the error codes would be useful: it explicitly specifies in code (rather than documentation) which error codes. If I felt that the HILs were fully nailed down, that might make sense: you can match on the ReturnCode and know you hit them all. The one challenge here is what you do when you decide there needs to be a new error code (the HIL changes). If the return codes are all explicit, then all code calling the HIL will break. If the return codes are not explicit, then your code will have a default match. This is nice, because code that knows about the new error code can match on it, while code that doesn’t will just treat it like a generic failure. You always need to have a FAIL case.
Phil
|
Several of the older HILs just drop errors on the floor, and callers will assume they succeeded when they actually failed.
I seeded this tracking issue with a quick skim of the existing HILs. Some of these that are questions may not actually need changes, some may be missing. Please edit this comment as appropriate.
enable_interrupt
should fail. Maybe alsomake_[out/in]put
.get
can fail?read_write_bytes
fail, butread_write_byte
,write_byte
, andread_byte
can't?start_message
should returnEBUSY
rather than dropping the new requesttics
value forset_alarm
should returnEINVAL
orESIZE
? Shouldrepeat
be able to fail if theinterval
is too small?ReturnCode
s to UART HIL, changeabort
policy #1049attach
can failstart
be able to reject impossibleperiod
s?The text was updated successfully, but these errors were encountered: