view Documentation/CodingStyle @ 897:329ea0ccb344

balloon: try harder to balloon up under memory pressure.

Currently if the balloon driver is unable to increase the guest's
reservation it assumes the failure was due to reaching its full
allocation, gives up on the ballooning operation and records the limit
it reached as the "hard limit". The driver will not try again until
the target is set again (even to the same value).

However it is possible that ballooning has in fact failed due to
memory pressure in the host and therefore it is desirable to keep
attempting to reach the target in case memory becomes available. The
most likely scenario is that some guests are ballooning down while
others are ballooning up and therefore there is temporary memory
pressure while things stabilise. You would not expect a well behaved
toolstack to ask a domain to balloon to more than its allocation nor
would you expect it to deliberately over-commit memory by setting
balloon targets which exceed the total host memory.

This patch drops the concept of a hard limit and causes the balloon
driver to retry increasing the reservation on a timer in the same
manner as when decreasing the reservation.

Also if we partially succeed in increasing the reservation
(i.e. receive less pages than we asked for) then we may as well keep
those pages rather than returning them to Xen.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Jun 05 14:01:20 2009 +0100 (2009-06-05)
parents 831230e53067
line source
2 Linux kernel coding style
4 This is a short document describing the preferred coding style for the
5 linux kernel. Coding style is very personal, and I won't _force_ my
6 views on anybody, but this is what goes for anything that I have to be
7 able to maintain, and I'd prefer it for most other things too. Please
8 at least consider the points made here.
10 First off, I'd suggest printing out a copy of the GNU coding standards,
11 and NOT read it. Burn them, it's a great symbolic gesture.
13 Anyway, here goes:
16 Chapter 1: Indentation
18 Tabs are 8 characters, and thus indentations are also 8 characters.
19 There are heretic movements that try to make indentations 4 (or even 2!)
20 characters deep, and that is akin to trying to define the value of PI to
21 be 3.
23 Rationale: The whole idea behind indentation is to clearly define where
24 a block of control starts and ends. Especially when you've been looking
25 at your screen for 20 straight hours, you'll find it a lot easier to see
26 how the indentation works if you have large indentations.
28 Now, some people will claim that having 8-character indentations makes
29 the code move too far to the right, and makes it hard to read on a
30 80-character terminal screen. The answer to that is that if you need
31 more than 3 levels of indentation, you're screwed anyway, and should fix
32 your program.
34 In short, 8-char indents make things easier to read, and have the added
35 benefit of warning you when you're nesting your functions too deep.
36 Heed that warning.
38 Don't put multiple statements on a single line unless you have
39 something to hide:
41 if (condition) do_this;
42 do_something_everytime;
44 Outside of comments, documentation and except in Kconfig, spaces are never
45 used for indentation, and the above example is deliberately broken.
47 Get a decent editor and don't leave whitespace at the end of lines.
50 Chapter 2: Breaking long lines and strings
52 Coding style is all about readability and maintainability using commonly
53 available tools.
55 The limit on the length of lines is 80 columns and this is a hard limit.
57 Statements longer than 80 columns will be broken into sensible chunks.
58 Descendants are always substantially shorter than the parent and are placed
59 substantially to the right. The same applies to function headers with a long
60 argument list. Long strings are as well broken into shorter strings.
62 void fun(int a, int b, int c)
63 {
64 if (condition)
65 printk(KERN_WARNING "Warning this is a long printk with "
66 "3 parameters a: %u b: %u "
67 "c: %u \n", a, b, c);
68 else
69 next_statement;
70 }
72 Chapter 3: Placing Braces
74 The other issue that always comes up in C styling is the placement of
75 braces. Unlike the indent size, there are few technical reasons to
76 choose one placement strategy over the other, but the preferred way, as
77 shown to us by the prophets Kernighan and Ritchie, is to put the opening
78 brace last on the line, and put the closing brace first, thusly:
80 if (x is true) {
81 we do y
82 }
84 However, there is one special case, namely functions: they have the
85 opening brace at the beginning of the next line, thus:
87 int function(int x)
88 {
89 body of function
90 }
92 Heretic people all over the world have claimed that this inconsistency
93 is ... well ... inconsistent, but all right-thinking people know that
94 (a) K&R are _right_ and (b) K&R are right. Besides, functions are
95 special anyway (you can't nest them in C).
97 Note that the closing brace is empty on a line of its own, _except_ in
98 the cases where it is followed by a continuation of the same statement,
99 ie a "while" in a do-statement or an "else" in an if-statement, like
100 this:
102 do {
103 body of do-loop
104 } while (condition);
106 and
108 if (x == y) {
109 ..
110 } else if (x > y) {
111 ...
112 } else {
113 ....
114 }
116 Rationale: K&R.
118 Also, note that this brace-placement also minimizes the number of empty
119 (or almost empty) lines, without any loss of readability. Thus, as the
120 supply of new-lines on your screen is not a renewable resource (think
121 25-line terminal screens here), you have more empty lines to put
122 comments on.
125 Chapter 4: Naming
127 C is a Spartan language, and so should your naming be. Unlike Modula-2
128 and Pascal programmers, C programmers do not use cute names like
129 ThisVariableIsATemporaryCounter. A C programmer would call that
130 variable "tmp", which is much easier to write, and not the least more
131 difficult to understand.
133 HOWEVER, while mixed-case names are frowned upon, descriptive names for
134 global variables are a must. To call a global function "foo" is a
135 shooting offense.
137 GLOBAL variables (to be used only if you _really_ need them) need to
138 have descriptive names, as do global functions. If you have a function
139 that counts the number of active users, you should call that
140 "count_active_users()" or similar, you should _not_ call it "cntusr()".
142 Encoding the type of a function into the name (so-called Hungarian
143 notation) is brain damaged - the compiler knows the types anyway and can
144 check those, and it only confuses the programmer. No wonder MicroSoft
145 makes buggy programs.
147 LOCAL variable names should be short, and to the point. If you have
148 some random integer loop counter, it should probably be called "i".
149 Calling it "loop_counter" is non-productive, if there is no chance of it
150 being mis-understood. Similarly, "tmp" can be just about any type of
151 variable that is used to hold a temporary value.
153 If you are afraid to mix up your local variable names, you have another
154 problem, which is called the function-growth-hormone-imbalance syndrome.
155 See next chapter.
158 Chapter 5: Typedefs
160 Please don't use things like "vps_t".
162 It's a _mistake_ to use typedef for structures and pointers. When you see a
164 vps_t a;
166 in the source, what does it mean?
168 In contrast, if it says
170 struct virtual_container *a;
172 you can actually tell what "a" is.
174 Lots of people think that typedefs "help readability". Not so. They are
175 useful only for:
177 (a) totally opaque objects (where the typedef is actively used to _hide_
178 what the object is).
180 Example: "pte_t" etc. opaque objects that you can only access using
181 the proper accessor functions.
183 NOTE! Opaqueness and "accessor functions" are not good in themselves.
184 The reason we have them for things like pte_t etc. is that there
185 really is absolutely _zero_ portably accessible information there.
187 (b) Clear integer types, where the abstraction _helps_ avoid confusion
188 whether it is "int" or "long".
190 u8/u16/u32 are perfectly fine typedefs, although they fit into
191 category (d) better than here.
193 NOTE! Again - there needs to be a _reason_ for this. If something is
194 "unsigned long", then there's no reason to do
196 typedef unsigned long myflags_t;
198 but if there is a clear reason for why it under certain circumstances
199 might be an "unsigned int" and under other configurations might be
200 "unsigned long", then by all means go ahead and use a typedef.
202 (c) when you use sparse to literally create a _new_ type for
203 type-checking.
205 (d) New types which are identical to standard C99 types, in certain
206 exceptional circumstances.
208 Although it would only take a short amount of time for the eyes and
209 brain to become accustomed to the standard types like 'uint32_t',
210 some people object to their use anyway.
212 Therefore, the Linux-specific 'u8/u16/u32/u64' types and their
213 signed equivalents which are identical to standard types are
214 permitted -- although they are not mandatory in new code of your
215 own.
217 When editing existing code which already uses one or the other set
218 of types, you should conform to the existing choices in that code.
220 (e) Types safe for use in userspace.
222 In certain structures which are visible to userspace, we cannot
223 require C99 types and cannot use the 'u32' form above. Thus, we
224 use __u32 and similar types in all structures which are shared
225 with userspace.
227 Maybe there are other cases too, but the rule should basically be to NEVER
228 EVER use a typedef unless you can clearly match one of those rules.
230 In general, a pointer, or a struct that has elements that can reasonably
231 be directly accessed should _never_ be a typedef.
234 Chapter 6: Functions
236 Functions should be short and sweet, and do just one thing. They should
237 fit on one or two screenfuls of text (the ISO/ANSI screen size is 80x24,
238 as we all know), and do one thing and do that well.
240 The maximum length of a function is inversely proportional to the
241 complexity and indentation level of that function. So, if you have a
242 conceptually simple function that is just one long (but simple)
243 case-statement, where you have to do lots of small things for a lot of
244 different cases, it's OK to have a longer function.
246 However, if you have a complex function, and you suspect that a
247 less-than-gifted first-year high-school student might not even
248 understand what the function is all about, you should adhere to the
249 maximum limits all the more closely. Use helper functions with
250 descriptive names (you can ask the compiler to in-line them if you think
251 it's performance-critical, and it will probably do a better job of it
252 than you would have done).
254 Another measure of the function is the number of local variables. They
255 shouldn't exceed 5-10, or you're doing something wrong. Re-think the
256 function, and split it into smaller pieces. A human brain can
257 generally easily keep track of about 7 different things, anything more
258 and it gets confused. You know you're brilliant, but maybe you'd like
259 to understand what you did 2 weeks from now.
262 Chapter 7: Centralized exiting of functions
264 Albeit deprecated by some people, the equivalent of the goto statement is
265 used frequently by compilers in form of the unconditional jump instruction.
267 The goto statement comes in handy when a function exits from multiple
268 locations and some common work such as cleanup has to be done.
270 The rationale is:
272 - unconditional statements are easier to understand and follow
273 - nesting is reduced
274 - errors by not updating individual exit points when making
275 modifications are prevented
276 - saves the compiler work to optimize redundant code away ;)
278 int fun(int a)
279 {
280 int result = 0;
281 char *buffer = kmalloc(SIZE);
283 if (buffer == NULL)
284 return -ENOMEM;
286 if (condition1) {
287 while (loop1) {
288 ...
289 }
290 result = 1;
291 goto out;
292 }
293 ...
294 out:
295 kfree(buffer);
296 return result;
297 }
299 Chapter 8: Commenting
301 Comments are good, but there is also a danger of over-commenting. NEVER
302 try to explain HOW your code works in a comment: it's much better to
303 write the code so that the _working_ is obvious, and it's a waste of
304 time to explain badly written code.
306 Generally, you want your comments to tell WHAT your code does, not HOW.
307 Also, try to avoid putting comments inside a function body: if the
308 function is so complex that you need to separately comment parts of it,
309 you should probably go back to chapter 5 for a while. You can make
310 small comments to note or warn about something particularly clever (or
311 ugly), but try to avoid excess. Instead, put the comments at the head
312 of the function, telling people what it does, and possibly WHY it does
313 it.
315 When commenting the kernel API functions, please use the kerneldoc format.
316 See the files Documentation/kernel-doc-nano-HOWTO.txt and scripts/kernel-doc
317 for details.
319 Chapter 9: You've made a mess of it
321 That's OK, we all do. You've probably been told by your long-time Unix
322 user helper that "GNU emacs" automatically formats the C sources for
323 you, and you've noticed that yes, it does do that, but the defaults it
324 uses are less than desirable (in fact, they are worse than random
325 typing - an infinite number of monkeys typing into GNU emacs would never
326 make a good program).
328 So, you can either get rid of GNU emacs, or change it to use saner
329 values. To do the latter, you can stick the following in your .emacs file:
331 (defun linux-c-mode ()
332 "C mode with adjusted defaults for use with the Linux kernel."
333 (interactive)
334 (c-mode)
335 (c-set-style "K&R")
336 (setq tab-width 8)
337 (setq indent-tabs-mode t)
338 (setq c-basic-offset 8))
340 This will define the M-x linux-c-mode command. When hacking on a
341 module, if you put the string -*- linux-c -*- somewhere on the first
342 two lines, this mode will be automatically invoked. Also, you may want
343 to add
345 (setq auto-mode-alist (cons '("/usr/src/linux.*/.*\\.[ch]$" . linux-c-mode)
346 auto-mode-alist))
348 to your .emacs file if you want to have linux-c-mode switched on
349 automagically when you edit source files under /usr/src/linux.
351 But even if you fail in getting emacs to do sane formatting, not
352 everything is lost: use "indent".
354 Now, again, GNU indent has the same brain-dead settings that GNU emacs
355 has, which is why you need to give it a few command line options.
356 However, that's not too bad, because even the makers of GNU indent
357 recognize the authority of K&R (the GNU people aren't evil, they are
358 just severely misguided in this matter), so you just give indent the
359 options "-kr -i8" (stands for "K&R, 8 character indents"), or use
360 "scripts/Lindent", which indents in the latest style.
362 "indent" has a lot of options, and especially when it comes to comment
363 re-formatting you may want to take a look at the man page. But
364 remember: "indent" is not a fix for bad programming.
367 Chapter 10: Configuration-files
369 For configuration options (arch/xxx/Kconfig, and all the Kconfig files),
370 somewhat different indentation is used.
372 Help text is indented with 2 spaces.
375 tristate CONFIG_BOOM
376 default n
377 help
378 Apply nitroglycerine inside the keyboard (DANGEROUS)
380 depends on CONFIG_BOOM
381 default y
382 help
383 Output nice messages when you explode
384 endif
386 Generally, CONFIG_EXPERIMENTAL should surround all options not considered
387 stable. All options that are known to trash data (experimental write-
388 support for file-systems, for instance) should be denoted (DANGEROUS), other
389 experimental options should be denoted (EXPERIMENTAL).
392 Chapter 11: Data structures
394 Data structures that have visibility outside the single-threaded
395 environment they are created and destroyed in should always have
396 reference counts. In the kernel, garbage collection doesn't exist (and
397 outside the kernel garbage collection is slow and inefficient), which
398 means that you absolutely _have_ to reference count all your uses.
400 Reference counting means that you can avoid locking, and allows multiple
401 users to have access to the data structure in parallel - and not having
402 to worry about the structure suddenly going away from under them just
403 because they slept or did something else for a while.
405 Note that locking is _not_ a replacement for reference counting.
406 Locking is used to keep data structures coherent, while reference
407 counting is a memory management technique. Usually both are needed, and
408 they are not to be confused with each other.
410 Many data structures can indeed have two levels of reference counting,
411 when there are users of different "classes". The subclass count counts
412 the number of subclass users, and decrements the global count just once
413 when the subclass count goes to zero.
415 Examples of this kind of "multi-level-reference-counting" can be found in
416 memory management ("struct mm_struct": mm_users and mm_count), and in
417 filesystem code ("struct super_block": s_count and s_active).
419 Remember: if another thread can find your data structure, and you don't
420 have a reference count on it, you almost certainly have a bug.
423 Chapter 12: Macros, Enums and RTL
425 Names of macros defining constants and labels in enums are capitalized.
427 #define CONSTANT 0x12345
429 Enums are preferred when defining several related constants.
431 CAPITALIZED macro names are appreciated but macros resembling functions
432 may be named in lower case.
434 Generally, inline functions are preferable to macros resembling functions.
436 Macros with multiple statements should be enclosed in a do - while block:
438 #define macrofun(a, b, c) \
439 do { \
440 if (a == 5) \
441 do_this(b, c); \
442 } while (0)
444 Things to avoid when using macros:
446 1) macros that affect control flow:
448 #define FOO(x) \
449 do { \
450 if (blah(x) < 0) \
451 return -EBUGGERED; \
452 } while(0)
454 is a _very_ bad idea. It looks like a function call but exits the "calling"
455 function; don't break the internal parsers of those who will read the code.
457 2) macros that depend on having a local variable with a magic name:
459 #define FOO(val) bar(index, val)
461 might look like a good thing, but it's confusing as hell when one reads the
462 code and it's prone to breakage from seemingly innocent changes.
464 3) macros with arguments that are used as l-values: FOO(x) = y; will
465 bite you if somebody e.g. turns FOO into an inline function.
467 4) forgetting about precedence: macros defining constants using expressions
468 must enclose the expression in parentheses. Beware of similar issues with
469 macros using parameters.
471 #define CONSTANT 0x4000
472 #define CONSTEXP (CONSTANT | 3)
474 The cpp manual deals with macros exhaustively. The gcc internals manual also
475 covers RTL which is used frequently with assembly language in the kernel.
478 Chapter 13: Printing kernel messages
480 Kernel developers like to be seen as literate. Do mind the spelling
481 of kernel messages to make a good impression. Do not use crippled
482 words like "dont" and use "do not" or "don't" instead.
484 Kernel messages do not have to be terminated with a period.
486 Printing numbers in parentheses (%d) adds no value and should be avoided.
489 Chapter 14: Allocating memory
491 The kernel provides the following general purpose memory allocators:
492 kmalloc(), kzalloc(), kcalloc(), and vmalloc(). Please refer to the API
493 documentation for further information about them.
495 The preferred form for passing a size of a struct is the following:
497 p = kmalloc(sizeof(*p), ...);
499 The alternative form where struct name is spelled out hurts readability and
500 introduces an opportunity for a bug when the pointer variable type is changed
501 but the corresponding sizeof that is passed to a memory allocator is not.
503 Casting the return value which is a void pointer is redundant. The conversion
504 from void pointer to any other pointer type is guaranteed by the C programming
505 language.
508 Chapter 15: The inline disease
510 There appears to be a common misperception that gcc has a magic "make me
511 faster" speedup option called "inline". While the use of inlines can be
512 appropriate (for example as a means of replacing macros, see Chapter 11), it
513 very often is not. Abundant use of the inline keyword leads to a much bigger
514 kernel, which in turn slows the system as a whole down, due to a bigger
515 icache footprint for the CPU and simply because there is less memory
516 available for the pagecache. Just think about it; a pagecache miss causes a
517 disk seek, which easily takes 5 miliseconds. There are a LOT of cpu cycles
518 that can go into these 5 miliseconds.
520 A reasonable rule of thumb is to not put inline at functions that have more
521 than 3 lines of code in them. An exception to this rule are the cases where
522 a parameter is known to be a compiletime constant, and as a result of this
523 constantness you *know* the compiler will be able to optimize most of your
524 function away at compile time. For a good example of this later case, see
525 the kmalloc() inline function.
527 Often people argue that adding inline to functions that are static and used
528 only once is always a win since there is no space tradeoff. While this is
529 technically correct, gcc is capable of inlining these automatically without
530 help, and the maintenance issue of removing the inline when a second user
531 appears outweighs the potential value of the hint that tells gcc to do
532 something it would have done anyway.
536 Appendix I: References
538 The C Programming Language, Second Edition
539 by Brian W. Kernighan and Dennis M. Ritchie.
540 Prentice Hall, Inc., 1988.
541 ISBN 0-13-110362-8 (paperback), 0-13-110370-9 (hardback).
542 URL: http://cm.bell-labs.com/cm/cs/cbook/
544 The Practice of Programming
545 by Brian W. Kernighan and Rob Pike.
546 Addison-Wesley, Inc., 1999.
547 ISBN 0-201-61586-X.
548 URL: http://cm.bell-labs.com/cm/cs/tpop/
550 GNU manuals - where in compliance with K&R and this text - for cpp, gcc,
551 gcc internals and indent, all available from http://www.gnu.org/manual/
553 WG14 is the international standardization working group for the programming
554 language C, URL: http://www.open-std.org/JTC1/SC22/WG14/
556 Kernel CodingStyle, by greg@kroah.com at OLS 2002:
557 http://www.kroah.com/linux/talks/ols_2002_kernel_codingstyle_talk/html/
559 --
560 Last updated on 30 April 2006.