Subject: IPL-lowering functions should return 'void', and now they do.
To: None <tech-kern@netbsd.org>
From: Chris G. Demetriou <cgd@netbsd.org>
List: tech-kern
Date: 06/07/2000 23:43:11
Looking through some code, I've noticed that spllowersoftclock() and
spl0() -- IPL-lowering functions -- return 'int'.  splx(), on the
other hand (the other IPL-lowering function), returns void.  In one
place, the return value of spl0() is actually used as the argument to
splx().

This is bogus.

At minimum, there's the issue of data structure protection.  When code
is invoked at a given IPL, the calling code does so to make sure that
data structures are protected.  That protection is supplied by the
fact that interrupts below that IPL are disabled.

If the called code enables those interrupts (by lowering the IPL),
then later blocks them and returns, the data structure protection may
have been violated by an interrupt.

In certain conditions, it's desirable for carefully crafted code to
lower IPL.  This is only safe when the correct IPL is known (e.g. in a
syscall function, which is known to be called with interrupts enabled)
or in certain situations where it's otherwise known to be safe
(e.g. the case of hardclock()).  In these cases, there's no need to
restore the IPL that was dropped.

Code which lowers IPL and restores to a higher IPL can function
correctly (if there really are no data structures being protected, or
if for some reason no interrupts occur), but at best it's bad coding
style and at worst it's cause for potentially serious data structure
corruption problems.


I've updated the spl(9) manual page to indicate that the IPL-lowering
functions return 'void.'  I've not changed any ports at this time.
Rather, I expect them to be updated over time.


cgd
-- 
Chris Demetriou - cgd@netbsd.org - http://www.netbsd.org/People/Pages/cgd.html
Disclaimer: Not speaking for NetBSD, just expressing my own opinion.
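The hazard the post describes, as an added example that is not part of the original message and not NetBSD kernel code: a toy model of interrupt priority levels in which a caller raises to an assumed IPL_CLOCK to protect a two-field structure, and a callee either leaves the level alone or follows the splx(spl0()) pattern. The level numbers, the struct, the pending-interrupt model and all function bodies are illustrative assumptions; only the names splclock/splx/spl0 mirror the real interface.

```c
/* Added example, not NetBSD code: a toy model of interrupt priority levels
 * (IPL) showing why a callee that lowers IPL and then "restores" it breaks
 * the caller's data-structure protection. IPL_CLOCK and struct counter are
 * assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define IPL_NONE  0
#define IPL_CLOCK 5

static int cur_ipl = IPL_NONE;

/* Protected by IPL_CLOCK; invariant: a == b whenever clock_intr can run. */
static struct counter { unsigned a, b; } cnt;

static bool clock_pending;   /* interrupt waiting for IPL to drop below IPL_CLOCK */
static bool intr_saw_torn;   /* set if the handler ever observed a != b */

static void clock_intr(void)
{
	if (cnt.a != cnt.b)
		intr_saw_torn = true;
	cnt.a++;
	cnt.b++;
}

/* Run a pending interrupt once the current IPL no longer blocks it. */
static void deliver_pending(void)
{
	if (clock_pending && cur_ipl < IPL_CLOCK) {
		clock_pending = false;
		clock_intr();
	}
}

/* Raise to IPL_CLOCK; return the previous level for a later splx(). */
static int splclock(void)
{
	int s = cur_ipl;
	if (cur_ipl < IPL_CLOCK)
		cur_ipl = IPL_CLOCK;
	return s;
}

/* Restore a level saved by a raise; dropping may unblock pending interrupts. */
static void splx(int s) { cur_ipl = s; deliver_pending(); }

/* Lower to IPL_NONE. Returns void: there is no level worth handing to splx(). */
static void spl0(void) { cur_ipl = IPL_NONE; deliver_pending(); }

/* The old signature the post objects to: lowers, yet returns the old level. */
static int spl0_returning_int(void) { int s = cur_ipl; spl0(); return s; }

static void reset(void)
{
	cur_ipl = IPL_NONE;
	cnt.a = cnt.b = 0;
	clock_pending = intr_saw_torn = false;
}

/* Correct idiom: raise, update, restore. The interrupt that arrives mid-update
 * stays pending until splx() and then sees a consistent structure. */
static bool update_correct(void)
{
	reset();
	int s = splclock();
	cnt.a += 10;
	clock_pending = true;   /* interrupt arrives while blocked */
	cnt.b += 10;
	splx(s);                /* delivered here, with a == b */
	return !intr_saw_torn;
}

/* The splx(spl0()) pattern: the callee lowers IPL inside the caller's critical
 * section, the pending interrupt runs and observes the half-updated struct. */
static void callee_that_lowers(void)
{
	int t = spl0_returning_int();   /* caller's protection is gone here */
	/* ... whatever the callee wanted to do at low IPL ... */
	splx(t);                        /* raising back does not undo the damage */
}

static bool update_bogus(void)
{
	reset();
	int s = splclock();
	cnt.a += 10;
	clock_pending = true;
	callee_that_lowers();
	cnt.b += 10;
	splx(s);
	return !intr_saw_torn;
}

int main(void)
{
	printf("raise/restore only: %s\n", update_correct() ? "consistent" : "TORN");
	printf("callee calls spl0:  %s\n", update_bogus() ? "consistent" : "TORN");
	return 0;
}
```

The point the model makes concrete is that restoring the level afterwards is irrelevant: the damage happens at the moment IPL drops while the caller's structure is half-updated, which is why a lowering function has no useful value to return and why the only safe places to lower are those where the current level is known (a syscall entry, hardclock()) and nothing needs restoring.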