On Thu, 2025-08-28 at 15:33 -0700, Sean Christopherson wrote:
> On Thu, Aug 28, 2025, Rick P Edgecombe wrote:
> > On Thu, 2025-08-28 at 14:48 +0800, Yan Zhao wrote:
> > > Hmm, I still think it's safer to keep the nr_premapped to detect any unexpected
> > > code change.
> >
> > When I was checking patch 6 I saw how many more KVM_BUG_ON()s we ended up with in
> > TDX code compared to the rest of KVM. (even after we dropped a bunch during
> > development) We have to differentiate from good safety, and "safety" that is
> > really just propping up brittle code. Each KVM_BUG_ON() is a hint that there
> > might be design issues.
>
> Nah, I think we're good. The majority of the asserts are on SEAMCALLs, and those
> are no different than the WARN_ONCE() in vmx_insn_failed(), just spread out to
> individual call sites.
>
> Once those are out of the numbers are entirely reasonable (WARNs and KVM_BUG_ON
> are both assertions against bugs, one is just guaranteed to be fatal to the VM).
>
> $ git grep -e KVM_BUG_ON -e WARN_ vmx/tdx.c | wc -l
> 25
> $ git grep -e KVM_BUG_ON -e WARN_ | wc -l
> 459

Hmm, ok.