Because it wasn't a line I changed and it ended up completely invisible to me as a result :). I just verified it was the only one, and have fixed it.

Yes, done.

error != 0

!= 0

style(9): no initialization in declaration.

It is undesirable to call malloc() under a vnode lock, because pagedaemon might need the vnode lock to clean pages.

Style: void * (space before start).

This is a wrong test, VOP_ISLOCKED() might return LK_EXCLOTHER or LK_SHARED. But it does not matter much because vnode is asserted exclusively locked at line 863. So this block must be removed.

`if (error != 0)

break;

`
then unindent the rest of the loop body.

I do not see why do you need new line there.

Why whiteout is not qualified for non-emptiness ? I do not argue, but want to understand the cause of the decision.

If you initialize error to zero before starting the loop, wouldn't bare 'break' work there ? You can remove 'done' label and gotos then.

I would list all three conditions in one if separated by '||', this saves ten lines.

This line should not be committed.

The check is not needed.

No need for the blank line.

I'll change them, but I'll also point out there are places in the code that do NOT do that. See sys_mount for an example of both.

style(9) says, "Be careful to not obfuscate the code" and "Use this feature only thoughtfully." Again, there are already instances in the file of that -- sysctl_ftry-reclaim_vnode, sched_sync, speedup_syncer. I don't see how it obfuscates the code; it makes it clear those are initial values.

I based the code on other uses of readdir in the kernel (blech). I'm open to suggestions there!

But that's a different function, and I can anticipate other callers. I've changed it, but I feel concern.

Indentation and 80 columns. No longer indented an extra layer, so I joined a couple of the lines together, and it looks better.

A white-out entry isn't *there*, at that level anyway, so it looks like an empty directory. I wasn't entirely sure about that, but that was the logic.

No, it's breaking out of two levels. Hm. Now, I *could* change it to do a "if error != 0 break" after the for loop, and I think that does what I want. (Or, as I just changed it, change the while loop to have eof ==0 and error == 0.)

I _think_ I had the "error = 0;" statement because of how I was thinking about flow while writing the code, but I don't think I need it -- if the VOP_READDIR gets an error, then it can propagate up, and I think that's the correct behaviour. Please feel free to check my logic.

Same format is in UFS dirempty function. (Although it doesn't do whiteout checks there, because it's checking due to rmdir.)

Holdover from xnu days where malloc with M_WAITOK could still return NULL.

There are other blank lines right around it. I did not see any particular grouping, so I put my addition in its own grouping.

return (EBUSY); Assigning to error is not useful.

This var is not very useful.

Put eof declaration together with error. -1 line.

endp = dirent + 1; ?

Style only allows C comments /* */. That said, the comment above is rather non-informative.

Then add ASSERT_VOP_LOCKED(). It is redundant because pre-condition for VOP_READDIR() asserts that anyway.

Why not td ? But I strongly suggest to remove the td arg at all, it is pointless.

Extra blank line.

Extra ().

Holdover -- I realized I could add the td argument to it, and forgot to get rid of all the vestiges from before that.

... duh. That is so much clearer.

Except, it's not needed at all, since I set endp in the for loop below before checking it.

Again, holdover from before I added the td argument.

But you still haven't said why. It's used -- by the uio, which admittedly may not use it, and by VOP_READDIR(), which may (at least for the thread credential).

Because there is high desire to drop trivial td arguments.

The reason why td was used and passed around is long time gone. Now the code makes an impression that it can work with borrowed context of arbitrary thread, but it cannot. More, the special cases where it should be able to work with td != curthread is very hard to identify.

For that reasons, td is slowly removed from kernel, and new functions should not take the arg unless there is some reason.

So now there is one useless blank line more.

Hm, ok. So I should just use curthread and curthread's cred? That strikes me as risky, but then again, I'm not sure where it wouldn't be valid, correct?

Risky in which way ?

Inherent distrust of global state. As I said, I am not sure where that global state *wouldn't* be valid. (That is, I was trying to follow my logic through, and didn't see a case where relying on curthread was unsafe. So my inherent distrust is wrong, correct?)