Cleanup: Specify unsignedness on things that should not be signed

[ryao]

Motivation and Context

In #13871, zfs_vdev_aggregation_limit_non_rotating and zfs_vdev_aggregation_limit being signed was pointed out as a possible reason not to eliminate an unnecessary MAX(unsigned, 0) since the unsigned value was assigned from them.

There is no reason for these module parameters to be signed and upon inspection, it was found that there are a number of other module parameters that are signed, but should not be, so we make them unsigned. Making them unsigned made it clear that some other variables in the code should also be unsigned, so we also make those unsigned. This prevents users from setting negative values that could potentially cause bad behaviors. It also makes the code slightly easier to understand.

Description

Mostly module parameters that deal with timeouts, limits, bitshifts and percentages are made unsigned by this. Any that are boolean are left signed, since whether booleans should be considered signed or unsigned does not matter.

Making zfs_arc_lotsfree_percent unsigned caused a zfs_arc_lotsfree_percent >= 0 check to become redundant, so it was removed. Removing the check was also necessary to prevent a compiler error from -Werror=type-limits.

Several end of line comments had to be moved to their own lines because replacing int with uint32_t caused us to exceed the 80 character limit enforced by cstyle.pl.

The following were kept signed because they are passed to taskq_create(), which expects signed values and modifying the OpenSolaris/Illumos DDI is out of scope of this patch:

* metaslab_load_pct
* zfs_sync_taskq_batch_pct
* zfs_zil_clean_taskq_nthr_pct
* zfs_zil_clean_taskq_minalloc
* zfs_zil_clean_taskq_maxalloc
* zfs_arc_prune_task_threads

Also, negative values in those parameters was found to be harmless.

The following were left signed because either negative values make sense, or more analysis was needed to determine whether negative values should be disallowed:

* zfs_metaslab_switch_threshold
* zfs_pd_bytes_max
* zfs_livelist_min_percent_shared

zfs_multihost_history was made static to be consistent with other parameters.

A number of module parameters were marked as signed, but in reality referenced unsigned variables. upgrade_errlog_limit is one of the numerous examples. In the case of zfs_vdev_async_read_max_active, it was already uint32_t, but zdb had an extern int declaration for it.

Interestingly, the documentation in zfs.4 was right for upgrade_errlog_limit despite the module parameter being wrongly marked, while the documentation for zfs_vdev_async_read_max_active (and friends) was wrong. It was also wrong for zstd_abort_size, which was unsigned, but was documented as signed.

Also, the documentation in zfs.4 incorrectly described the following parameters as ulong when they were int:

* zfs_arc_meta_adjust_restarts
* zfs_override_estimate_recordsize

They are now uint32_t as of this patch and thus the man page has been updated to describe them as uint.

dbuf_state_index was left alone since it does nothing and perhaps should be removed in another patch.

If any module parameters were missed, they were not found by grep -r 'ZFS_MODULE_PARAM' | grep ', INT'. I did find a few that grep missed, but only because they were in files that had hits.

This patch intentionally did not attempt to address whether some of these module parameters should be elevated to 64-bit parameters, because the length of a long on 32-bit is 32-bit.

How Has This Been Tested?

Build testing has been done on Gentoo Linux.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[ryao]

I just noticed that metaslab_load_pct is undocumented. That might be because it is only available for modification on FreeBSD. I guess further cleanup could expose it on Linux and document it.

[ryao]

Additionally, even though this is just cleanup and a documentation change, I also labelled it as a bug fix since allowing negative values to be injected into the kernel module via module parameters could cause bad behavior in some circumstances.

[behlendorf]

As nice as it would be to use a fixed size type here, the Linux kernel module interfaces expect either an int, unsigned int, long or unsigned long type. Internally, we can cast these values as we need too, but since we're registering them with the kernel it seemed prudent to stick to the expected types to avoid any unexpected behavior across architectures.

[ryao]

unsigned int is the same as uint32_t across all architectures. cstyle.pl does not permit using uint and most of the code already uses uint32_t, so I used uint32_t to be consistent.

That said, the same nice consistency is not true for long, which is why I did not make any module parameters use uint64_t.

[behlendorf]

unsigned int is the same as uint32_t across all architectures.

Well, it's true for architectures which use the ILP32, LP64, or LLP64 data model, and realistically we only really support LP64 with OpenZFS (ILP32 builds but has some known issues). It's not true for LP32, but that's ancient and not a concern. So, I think your point is fair and this should be fine.

[ryao]

After talking with @amotin about #13874, I have decided to modify this to use uint_t on module parameters instead of uint32_t. It will take some time before I have reworked this, so I am marking this as a draft.

Also, I need to make changes to this to take into account the finding in #13882, which I found today during self review.

[ryao]

@amotin All module parameters are now uint_t as we previously discussed. I kept some of the int -> uint32_t in places where we already use uint64_t where the signed int was inappropriate, but those are not module parameters and they are few.

[amotin]

I am not getting sense of some uint32_t.

[amotin]

It seems arc_evict_state() may have a race when this argument may become negative,

[ryao]

That would imply that there is currently an issue on Linux since this is assigned to an unsigned variable in the Linux version at ap->p_adjust = adjust;. I will study this more after I look at your other remarks.

[ryao]

Are you referring to aggsum_compare() saying that the value is bigger than arc_dnode_size_limit, but then the value changing under us when we call aggsum_upper_bound() to something smaller than arc_dnode_size_limit?

aggsum_upper_bound() returns a uint64_t and arc_dnode_size_limit is a uint64_t, so if this happens, we should have integer underflow in the existing code. This patch does not make things any worse.

[ryao]

Also, while I imagine we should address this like we did in ccec88f, I am not seeing a way of addressing this that I particularly like. Suggestions would be appreciated. :)

[ryao]

@amotin I have redone this. Now everything that this patch touches uses uint_t, except for ->spa_sync_pass/spa_sync_pass(). That one does not need to be made a larger width in future memory models and even could stand to be shrunk.

[amotin]

Thanks you. I haven't looked down to every specific variable for possible artifacts, but it looks good to me. I am just thinking whether size_t would be more appropriate for zdm_size and everywhere around zfs_debug.c.

[ryao]

@amotin I had intentionally avoided making changes to the bit widths to avoid scope creep.

@behlendorf All outstanding blockers to merging this are now resolved.