Revisit decision to ignore I/O errors in logging #123
Comments
|
So, the conclusion of rust-lang/log#382 was that faillible logging should probably be a responsibility of individual Here is a selection of some interesting points that were raised:
Therefore, I think the best course of action is to provide a I don't think there is a clear use case for being able to switch dynamically between fatal and ignored log errors, so the way I would spontaneously interface this is via a configuration flag at Any further opinion, @GabrielMajeri and @imtsuki? |
|
I think this is a good idea. How about a It sound reasonable for downstream users to configure this depending on whether they care a lot about what gets printed to the screen or if they have other outputs. |
|
Indeed, a compile-time switch via a feature flag would also work. I guess the decision between the two designs could be guided by whether there is a use case for choosing whether to ignore log errors or not at runtime. Would it be sensible, for example, to check the UEFI firmware version information and use that to enable the workaround only on affected versions of VirtualBox? |
|
I'm not sure if we can detect broken firmware, or even if we should do it. By leaving it as a compile-time feature, it's up to the crate users to decide if they want to handle output errors or not. Alternatively, we could have an optional global, static callback for handling errors, given when initializing the logger. If it's |
|
@GabrielMajeri I would also leave as much of firmware bug workarounds as possible to users of uefi-rs, rather than uefi-rs itself, unless we end up in a situation where there is no other sensible choice. I don't think this is incompatible with the idea of a run-time configuration switch however. The idea would be that the At the current stage, I don't think going for a callback-based solution would be justified, given the lack of clear use case for doing something other than ignoring the error or panicking, and how unergonomic it is to set up a nontrivial callback before the global memory allocator has been initialized. |
|
So, since there was no reaction from @imtsuki regarding the feasibility of detecting the broken VBox firmware, I'll implement the feature flag based approach at some point in the coming days. |
This was originally added because of occasional panics when logging quickly on VirtualBox. (Unclear whether this bug is still present, and also as far as I know we haven't observed this behavior on any other UEFI implementations.) The decision was made to panic by default on logger errors, but offer an escape mechanism. However, making this a compile-time choice is not ideal, since most UEFI programs are intended to run on arbitrary UEFI implementations. We could make it a runtime option instead, but since loggers are usually just informational (i.e. not critical functionality for the application), silently ignoring errors seems like a better choice for most uses. In the rare case where an application does consider logging critical, they can turn off the `logger` helper and implement their own logger. For prior discussion, see: * rust-osdev#121 * rust-osdev#123
In the face of a VirtualBox UEFI implementation bug, #122 had to pick the lesser of two poisons. But silently dropping logs is in general a very dangerous thing to do in low-level settings like OS bootloaders, where logs are often the only available information for failure diagnosis.
Therefore, we may want to revisit this design later on, as
uefi-rsmatures and starts being used for production-grade applications in addition to being a plaform for general Rust UEFI experimentation.As a first step, I've opened rust-lang/log#382 to discuss whether the
logcrate itself should provide support for faillible logging.The text was updated successfully, but these errors were encountered: