* [Qemu-devel] [PATCH v2 0/3] error: allow local errors to trigger abort
From: Michael S. Tsirkin @ 2015-06-17  7:24 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, armbru, dgilbert

It's a common idiom:

    Error *local_err = NULL;
    ....
    foo(&local_err);
    ...
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }

Unfortunately it means that the call to foo(&local_err) will
not abort even if errp is set to error_abort.

Instead, we get an abort at error_propagate which is too late,
that is, the quality of the stack trace is degraded in that it no longer
pinpoints the actual cause of failure.

To fix, add an API to check errp and set local_err to error_abort
if errp is error_abort.

This is out of RFC but I'm still not converting all users:
let's merge these patches, then I'll convert all users
on top.

Changes from v1:
    Check Error * pointer, not the class, as suggested by Eric.
    Extend commit log messages with explanation by Eric.

Michael S. Tsirkin (3):
  error: don't rely on pointer comparisons
  error: allow local errors to trigger abort
  block/nfs: switch to error_init_local

 include/qapi/error.h |  5 +++++
 block/nfs.c          |  2 +-
 util/error.c         | 22 +++++++++++++++++-----
 3 files changed, 23 insertions(+), 6 deletions(-)

-- 
MST


* [Qemu-devel] [PATCH v2 1/3] error: don't rely on pointer comparisons
From: Michael S. Tsirkin @ 2015-06-17  7:24 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, armbru, dgilbert

makes it possible to copy error_abort pointers,
not just pass them on directly.

This is needed because follow-up patches add support for
    Error *local_err = ...;
as a way to set an abort-on-error pointer, which requires that we have
more than just a global error_abort abort-on-error pointer, but that any
number of pointers all resolve to something specific.

Add an assert statement when class is retrieved, to make sure we still
get a core-dump if we (somehow) attempt to output the abort errp by
mistake.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
---
 util/error.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/util/error.c b/util/error.c
index 14f4351..e10cb34 100644
--- a/util/error.c
+++ b/util/error.c
@@ -20,7 +20,13 @@ struct Error
     ErrorClass err_class;
 };
 
-Error *error_abort;
+static Error error_abort_st = { .err_class = ERROR_CLASS_MAX };
+Error *error_abort = &error_abort_st;
+
+static bool error_is_abort(Error **errp)
+{
+    return errp && *errp == error_abort;
+}
 
 void error_set(Error **errp, ErrorClass err_class, const char *fmt, ...)
 {
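Review bot: `Error *error_abort = &error_abort_st;` leaves the sentinel in a writable global, and error_is_abort() compares against whatever value that global holds at call time, so any stray assignment to error_abort silently turns abort-on-error callers into ordinary error receivers. Declare it `Error * const error_abort` (with the matching change in include/qapi/error.h), and put a comment next to error_abort_st saying that ERROR_CLASS_MAX marks the sentinel object so that error_get_class() can reject it; as written, the meaning of `.err_class = ERROR_CLASS_MAX` is only discoverable from a later hunk.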
@@ -40,7 +46,7 @@ void error_set(Error **errp, ErrorClass err_class, const char *fmt, ...)
     va_end(ap);
     err->err_class = err_class;
 
-    if (errp == &error_abort) {
+    if (error_is_abort(errp)) {
         error_report_err(err);
         abort();
     }
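Review bot: the report-and-abort sequence guarded by `if (error_is_abort(errp))` is repeated verbatim in error_set(), error_set_errno() and error_set_win32() (this hunk and the next two); since the check has already moved into a helper, fold the `error_report_err(err); abort();` pair into a second small helper next to error_is_abort() so that a future change to the sentinel touches one place. The check deliberately runs after the Error has been allocated and formatted, which is what makes the message printable before the abort, and should stay in that position.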
@@ -76,7 +82,7 @@ void error_set_errno(Error **errp, int os_errno, ErrorClass err_class,
     va_end(ap);
     err->err_class = err_class;
 
-    if (errp == &error_abort) {
+    if (error_is_abort(errp)) {
         error_report_err(err);
         abort();
     }
@@ -121,7 +127,7 @@ void error_set_win32(Error **errp, int win32_err, ErrorClass err_class,
     va_end(ap);
     err->err_class = err_class;
 
-    if (errp == &error_abort) {
+    if (error_is_abort(errp)) {
         error_report_err(err);
         abort();
     }
@@ -144,6 +150,7 @@ Error *error_copy(const Error *err)
 
 ErrorClass error_get_class(const Error *err)
 {
+    assert(err->err_class < ERROR_CLASS_MAX);
     return err->err_class;
 }
 
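Review bot: `assert(err->err_class < ERROR_CLASS_MAX)` only catches the sentinel object if ErrorClass is unsigned; when the compiler makes the enum signed, a negative value passes the test, so compare as `(unsigned)err->err_class < ERROR_CLASS_MAX` or add the `>= 0` half. The same dereference-of-the-sentinel mistake is possible in error_copy() just above this hunk and in error_get_pretty() and error_free() below it, none of which gets the assertion here.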
@@ -168,7 +175,7 @@ void error_free(Error *err)
 
 void error_propagate(Error **dst_errp, Error *local_err)
 {
-    if (local_err && dst_errp == &error_abort) {
+    if (local_err && error_is_abort(dst_errp)) {
         error_report_err(local_err);
         abort();
     } else if (dst_errp && !*dst_errp) {
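Review bot: once patch 2/3 seeds a local with error_init_local(), local_err can itself be error_abort, and a caller that keeps the `if (local_err) { error_propagate(errp, local_err); }` idiom reaches this branch on its success path and aborts with nothing to report. error_propagate() needs a first case for `local_err == error_abort` (assert that dst_errp is the abort pointer, then return without touching *dst_errp); otherwise every converted caller has to replace its NULL test, which is exactly what the block/nfs.c conversion in 3/3 forgets to do.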
-- 
MST


* [Qemu-devel] [PATCH v2 2/3] error: allow local errors to trigger abort
From: Michael S. Tsirkin @ 2015-06-17  7:24 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, armbru, dgilbert

It's a common idiom:

    Error *local_err = NULL;
    ....
    foo(&local_err);
    ...
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }

Unfortunately it means that the call to foo(&local_err) will
not abort even if errp is set to error_abort.

Instead, we get an abort at error_propagate which is too late,
that is, the quality of the stack trace is degraded in that it no longer
pinpoints the actual cause of failure.

To fix, add an API to check errp and set local_err to error_abort
if errp is error_abort.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
---
 include/qapi/error.h | 5 +++++
 util/error.c         | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/include/qapi/error.h b/include/qapi/error.h
index f44c451..8246a62 100644
--- a/include/qapi/error.h
+++ b/include/qapi/error.h
@@ -88,6 +88,11 @@ const char *error_get_pretty(Error *err);
 void error_report_err(Error *);
 
 /**
+ * Init a local error. It must be propagated to errp using error_propagate.
+ */
+Error *error_init_local(Error **errp);
+
+/**
  * Propagate an error to an indirect pointer to an error.  This function will
  * always transfer ownership of the error reference and handles the case where
  * dst_err is NULL correctly.  Errors after the first are discarded.
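Review bot: the new comment says the local must be propagated with error_propagate() but not what error_init_local() returns or when; state the contract: it returns error_abort when errp is the abort pointer and NULL otherwise, so after the call `if (local_err)` no longer means "the callee failed", and the value has to reach error_propagate(errp, ...) on every path out of the function, including paths that would otherwise recover from the error and carry on. Without that, converting `= NULL` initialisers to `= error_init_local(errp)` reads as a mechanical change when it is not.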
diff --git a/util/error.c b/util/error.c
index e10cb34..7f5b134 100644
--- a/util/error.c
+++ b/util/error.c
@@ -28,6 +28,11 @@ static bool error_is_abort(Error **errp)
     return errp && *errp == error_abort;
 }
 
+Error *error_init_local(Error **errp)
+{
+    return error_is_abort(errp) ? *errp : NULL;
+}
+
 void error_set(Error **errp, ErrorClass err_class, const char *fmt, ...)
 {
     Error *err;
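Review bot: error_init_local() hands the caller a non-NULL Error * that is not an error, but nothing in this hunk gives callers a way to tell the two apart: error_is_abort() is static to util/error.c and takes an Error **, not the Error * the caller holds. Export it, or add a public predicate on Error * next to this function, and assert here that `*errp` is NULL in the non-abort case so a dirty errp is caught at initialisation rather than later in error_set().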
-- 
MST


* [Qemu-devel] [PATCH v2 3/3] block/nfs: switch to error_init_local
From: Michael S. Tsirkin @ 2015-06-17  7:24 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, qemu-block, Jeff Cody, Peter Lieven, armbru, dgilbert

We probably should just switch everyone, this is
just to demonstrate the API usage.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 block/nfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/nfs.c b/block/nfs.c
index ca9e24e..de4b8c3 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -385,7 +385,7 @@ static int nfs_file_open(BlockDriverState *bs, QDict *options, int flags,
     NFSClient *client = bs->opaque;
     int64_t ret;
     QemuOpts *opts;
-    Error *local_err = NULL;
+    Error *local_err = error_init_local(errp);
 
     client->aio_context = bdrv_get_aio_context(bs);
 
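Review bot: the hunk changes the initialiser but leaves the `if (local_err) { error_propagate(errp, local_err); ret = -EINVAL; ... }` test after qemu_opts_absorb_qdict() untouched, so when a caller passes &error_abort, local_err is already non-NULL before anything has failed, the test is taken, and error_propagate(errp, error_abort) aborts a successful open. Every such NULL test in nfs_file_open() has to become a check that excludes the sentinel before this conversion is safe, and the commit message should say so rather than presenting the change as a one-liner.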
-- 
MST


* Re: [Qemu-devel] [PATCH v2 1/3] error: don't rely on pointer comparisons
From: Eric Blake @ 2015-06-17 15:21 UTC (permalink / raw)
  To: Michael S. Tsirkin, qemu-devel; +Cc: kwolf, armbru, dgilbert


On 06/17/2015 01:24 AM, Michael S. Tsirkin wrote:
> makes it possible to copy error_abort pointers,
> not just pass them on directly.
> 
> This is needed because follow-up patches add support for
>     Error *local_err = ...;
> as a way to set an abort-on-error pointer, which requires that we have
> more than just a global error_abort abort-on-error pointer, but that any
> number of pointers all resolve to something specific.
> 
> Add an assert statement when class is retrieved, to make sure we still
> get a core-dump if we (somehow) attempt to output the abort errp by
> mistake.
> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Reviewed-by: Eric Blake <eblake@redhat.com>

I think you made enough changes from v1 (functional change of an added
assertion, but also better justification via improved commit message)
that I would have dropped R-b if I were the one submitting it.

Your argument of aiding gdb debugging of error objects by making the
pointer point somewhere valid makes sense, when compared to my hack of
an invalid pointer that would segfault even when trying to view it
through gdb.  The added assertion in this version definitely helps avoid
code making the mistake of dereferencing the magic error pointer.

> ---
>  util/error.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/util/error.c b/util/error.c
> index 14f4351..e10cb34 100644
> --- a/util/error.c
> +++ b/util/error.c
> @@ -20,7 +20,13 @@ struct Error
>      ErrorClass err_class;
>  };
>  
> -Error *error_abort;
> +static Error error_abort_st = { .err_class = ERROR_CLASS_MAX };
> +Error *error_abort = &error_abort_st;
> +
> +static bool error_is_abort(Error **errp)
> +{
> +    return errp && *errp == error_abort;

However, now I don't like the subject line.  This is still a pointer
comparison (just a different pointer than before).  So while I'm now
happy with the state of the code, I think a better commit message would be:

error: don't rely on address of global variable

The old implementation used the address of a global pointer variable
(&error_abort, type Error**) as a sentinel.  This patch changes to using
the value of the global pointer variable itself (error_abort, type
Error*), so that the sentinel value can be easily copied to other Error*
pointers, regardless of their address.  The new sentinel points to an
actual object, in case it is inspected through a debugger, although
working code should never dereference it.

This is needed because...[snipped]

> @@ -144,6 +150,7 @@ Error *error_copy(const Error *err)
>  
>  ErrorClass error_get_class(const Error *err)
>  {
> +    assert(err->err_class < ERROR_CLASS_MAX);

I also think you should add this assert in error_copy() a few lines
above, as well as in error_get_pretty() and error_free() a few lines below.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




* Re: [Qemu-devel] [PATCH v2 3/3] block/nfs: switch to error_init_local
From: Eric Blake @ 2015-06-17 15:32 UTC (permalink / raw)
  To: Michael S. Tsirkin, qemu-devel
  Cc: kwolf, qemu-block, Jeff Cody, Peter Lieven, armbru, dgilbert


On 06/17/2015 01:24 AM, Michael S. Tsirkin wrote:
> We probably should just switch everyone, this is
> just to demonstrate the API usage.
> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>  block/nfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/nfs.c b/block/nfs.c
> index ca9e24e..de4b8c3 100644
> --- a/block/nfs.c
> +++ b/block/nfs.c
> @@ -385,7 +385,7 @@ static int nfs_file_open(BlockDriverState *bs, QDict *options, int flags,
>      NFSClient *client = bs->opaque;
>      int64_t ret;
>      QemuOpts *opts;
> -    Error *local_err = NULL;
> +    Error *local_err = error_init_local(errp);
>  
>      client->aio_context = bdrv_get_aio_context(bs);

More context:

>     opts = qemu_opts_create(&runtime_opts, NULL, 0, &error_abort);
>     qemu_opts_absorb_qdict(opts, options, &local_err);
>     if (local_err) {
>         error_propagate(errp, local_err);
>         ret = -EINVAL;

Oops.  Your initialization means that if the caller passed in
&error_abort, then local_err is now non-NULL, and we will attempt to do
error_propagate(errp, error_abort), which will abort().  You'd have to
change that to
   if (!error_is_abort(local_err)) {

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




* Re: [Qemu-devel] [PATCH v2 1/3] error: don't rely on pointer comparisons
From: Eric Blake @ 2015-06-17 15:41 UTC (permalink / raw)
  To: Michael S. Tsirkin, qemu-devel; +Cc: kwolf, armbru, dgilbert


On 06/17/2015 01:24 AM, Michael S. Tsirkin wrote:
> makes it possible to copy error_abort pointers,
> not just pass them on directly.
> 

> @@ -168,7 +175,7 @@ void error_free(Error *err)
>  
>  void error_propagate(Error **dst_errp, Error *local_err)
>  {
> -    if (local_err && dst_errp == &error_abort) {
> +    if (local_err && error_is_abort(dst_errp)) {
>          error_report_err(local_err);
>          abort();
>      } else if (dst_errp && !*dst_errp) {

As I pointed out on 3/3, this breaks code that does:

if (local_err) {
    error_propagate(errp, local_err);
    ...
}

now that local_err is non-NULL when errp is error_abort.  But what if
you alter the semantics, and have error_propagate return a bool (true if
an error was propagated, false if no error or caller didn't care):

bool error_propagate(Error **dst_errp, Error *local_err)
{
    if (error_is_abort(&local_err)) {
        assert(error_is_abort(dst_errp));
        return false;
    }
    if (local_err && error_is_abort(dst_errp)) {
        error_report_err(local_err);
        abort();
    }
    if (dst_errp && !*dst_errp) {
        *dst_errp = local_err;
        return true;
    }
    if (local_err) {
        error_free(local_err);
    }
    return false;
}

then callers can be modified to this idiom (also has the benefit of
being one line shorter):

if (error_propagate(errp, local_err)) {
    ...
}

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




* Re: [Qemu-devel] [PATCH v2 1/3] error: don't rely on pointer comparisons
From: Markus Armbruster @ 2015-06-18 15:36 UTC (permalink / raw)
  To: Eric Blake; +Cc: kwolf, qemu-devel, dgilbert, Michael S. Tsirkin

Eric Blake <eblake@redhat.com> writes:

> On 06/17/2015 01:24 AM, Michael S. Tsirkin wrote:
>> makes it possible to copy error_abort pointers,
>> not just pass them on directly.
>> 
>
>> @@ -168,7 +175,7 @@ void error_free(Error *err)
>>  
>>  void error_propagate(Error **dst_errp, Error *local_err)
>>  {
>> -    if (local_err && dst_errp == &error_abort) {
>> +    if (local_err && error_is_abort(dst_errp)) {
>>          error_report_err(local_err);
>>          abort();
>>      } else if (dst_errp && !*dst_errp) {
>
> As I pointed out on 3/3, this breaks code that does:
>
> if (local_err) {
>     error_propagate(errp, local_err);
>     ...
> }
>
> now that local_err is non-NULL when errp is error_abort.  But what if
> you alter the semantics, and have error_propagate return a bool (true if
> an error was propagated, false if no error or caller didn't care):
>
> bool error_propagate(Error **dst_errp, Error *local_err)
> {
>     if (error_is_abort(&local_err)) {
>         assert(error_is_abort(dst_errp);
>         return false;
>     }
>     if (local_err && error_is_abort(dst_errp)) {
>         error_report_err(local_err);
>         abort();
>     }
>     if (dst_errp && !*dst_errp) {
>         *dst_errp = local_err;
>         return true;
>     }
>     if (local_err) {
>         error_free(local_err);
>     }
>     return false;
> }
>
> then callers can be modified to this idiom (also has the benefit of
> being one line shorter):
>
> if (error_propagate(errp, local_err)) {
>     ...
> }

Caution!  The condition you need to test here is "an error has been
stored into local_err", *not* "an error was propagated".  Different when
errp is NULL and local_err has an error.


* Re: [Qemu-devel] [PATCH v2 1/3] error: don't rely on pointer comparisons
From: Markus Armbruster @ 2015-06-18 16:10 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: kwolf, qemu-devel, dgilbert

"Michael S. Tsirkin" <mst@redhat.com> writes:

> makes it possible to copy error_abort pointers,
> not just pass them on directly.

Humor me, and start your sentences with a capital letter :)

> This is needed because follow-up patches add support for
>     Error *local_err = ...;
> as a way to set an abort-on-error pointer, which requires that we have
> more than just a global error_abort abort-on-error pointer, but that any
> number of pointers all resolve to something specific.
>
> Add an assert statement when class is retrieved, to make sure we still
> get a core-dump if we (somehow) attempt to output the abort errp by
> mistake.

Description could be clearer, but let's discuss the actual patches
first.

>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Reviewed-by: Eric Blake <eblake@redhat.com>
> ---
>  util/error.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/util/error.c b/util/error.c
> index 14f4351..e10cb34 100644
> --- a/util/error.c
> +++ b/util/error.c
> @@ -20,7 +20,13 @@ struct Error
>      ErrorClass err_class;
>  };
>  
> -Error *error_abort;
> +static Error error_abort_st = { .err_class = ERROR_CLASS_MAX };
> +Error *error_abort = &error_abort_st;
> +
> +static bool error_is_abort(Error **errp)
> +{
> +    return errp && *errp == error_abort;
> +}

If anything changes the value of error_abort, we're now screwed.

>  
>  void error_set(Error **errp, ErrorClass err_class, const char *fmt, ...)
>  {
> @@ -40,7 +46,7 @@ void error_set(Error **errp, ErrorClass err_class, const char *fmt, ...)
>      va_end(ap);
>      err->err_class = err_class;
>  
> -    if (errp == &error_abort) {
> +    if (error_is_abort(errp)) {
>          error_report_err(err);
>          abort();
>      }
> @@ -76,7 +82,7 @@ void error_set_errno(Error **errp, int os_errno, ErrorClass err_class,
>      va_end(ap);
>      err->err_class = err_class;
>  
> -    if (errp == &error_abort) {
> +    if (error_is_abort(errp)) {
>          error_report_err(err);
>          abort();
>      }
> @@ -121,7 +127,7 @@ void error_set_win32(Error **errp, int win32_err, ErrorClass err_class,
>      va_end(ap);
>      err->err_class = err_class;
>  
> -    if (errp == &error_abort) {
> +    if (error_is_abort(errp)) {
>          error_report_err(err);
>          abort();
>      }
> @@ -144,6 +150,7 @@ Error *error_copy(const Error *err)
>  
>  ErrorClass error_get_class(const Error *err)
>  {
> +    assert(err->err_class < ERROR_CLASS_MAX);

The assertion makes some sense independent of the rest of this series.

It's not as tight as it could be when the compiler makes ErrorClass
signed.

>      return err->err_class;
>  }
>  
> @@ -168,7 +175,7 @@ void error_free(Error *err)
>  
>  void error_propagate(Error **dst_errp, Error *local_err)
>  {
> -    if (local_err && dst_errp == &error_abort) {
> +    if (local_err && error_is_abort(dst_errp)) {
>          error_report_err(local_err);
>          abort();
>      } else if (dst_errp && !*dst_errp) {

As Eric pointed out, this isn't quite right.

Your use of ERROR_CLASS_MAX is unobvious, and needs an explanatory
comment somewhere.  I'd put it right next to its definition if it wasn't
defined implicitly.


* Re: [Qemu-devel] [PATCH v2 0/3] error: allow local errors to trigger abort
From: Markus Armbruster @ 2015-06-18 16:34 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: kwolf, qemu-devel, dgilbert

"Michael S. Tsirkin" <mst@redhat.com> writes:

>     It's a common idiom:
>     
>         Error *local_err = NULL;
>         ....
>         foo(&local_err);
>         ...
>         if (local_err) {
>             error_propagate(errp, local_err);
>             return;
>         }
>     
>     Unfortunately it means that call to foo(&local_err) will
>     not abort even if errp is set to error_abort.
>     
>     Instead, we get an abort at error_propagate which is too late,
>     that is, the quality of the stack trace is degraded in that it no longer
>     pinpoints the actual cause of failure.
>     
>     To fix, add an API to check errp and set local_err to error_abort
>     if errp is error_abort.
>
> This is out of RFC but I'm still not converting all users:
> let's merge these patches, then I'll convert all users
> on top.

Let's take a step back and review intended use of Error before and after
this series.

Before:

* Parameter Error **errp (by convention the last one)

  To create and return an error, do:

      error_setg(errp, ...);

  To propagate an existing error (typically one you received from a
  callee), do:

      error_propagate(errp, ...);

  You're not supposed to examine errp, let alone dereference it.

* Actual argument

  - to receive an error: address of an Error * variable, its value must
    be null before the call, and may be examined afterwards

  - to ignore errors: null pointer

  - to abort on error: &error_abort

This leads to a few patterns:

    T foo(..., Error **errp)
    {
        // pattern: receive, test and propagate error
        Error *err = NULL;
        bar(..., &err);
        if (err) {
            error_propagate(errp, err);
            return ...;
        }
        // pattern: set error
        if (...) {
            error_setg(errp, ...);
            return ...;
        }
        // pattern: pass through error
        // really the first pattern less the test simplified
        baz(..., errp);
        return ...;
    }

Your patch modifies the "actual argument to receive an error" clause:
the variable must now be either null or the value of
error_init_local(errp).  If it's the latter, then it must be passed to
error_propagate(errp, err).

We acquire a new pattern:

        // pattern: receive, test and propagate error
        Error *err = error_init_local(errp);
        bar(..., &err);
        if (err) {
            error_propagate(errp, err);
            return ...;
        }

Let's see whether it can fully replace the existing pattern.  Before you
can convert err = NULL to err = error_init_local(errp), you have to:

* find the appropriate errp (usually trivial)

* double-check we error_propagate(errp, err) on every path leaving the
  function

It's perfectly possible that we *don't* propagate on all paths:

        Error *err = NULL;
        bar(..., &err);
        if (error is non-recoverable) {
            error_propagate(errp, err);
            return ...;
        }
        recover and carry on

Here, error_init_local(errp) would be *wrong*.

The Error boilerplate is annoying, but at least there are few ways to
get it wrong (the most common one is "Error * variable not null before
the call").  I'm most reluctant to add more ways to get it wrong.

Is the gain worth all this additional complexity?  The gain is certainly
real: backtrace shows where the error got created instead of where it
was propagated to &error_abort.  But the existing backtraces have never
bothered me.  When I get one ending at an error_propagate(errp, err),
and I need the real one instead, finding it in the debugger is easy
enough.  The complexity does bother me.

Here's an utterly trivial way to get some of the gain for none of the
complexity: make error_setg() & friends store caller's __FILE__ and
__LINE__.


* Re: [Qemu-devel] [PATCH v2 0/3] error: allow local errors to trigger abort
From: Paolo Bonzini @ 2015-06-18 16:49 UTC (permalink / raw)
  To: Markus Armbruster, Michael S. Tsirkin; +Cc: kwolf, qemu-devel, dgilbert



On 18/06/2015 18:34, Markus Armbruster wrote:
> Here's an utterly trivial way to get some of the gain for none of the
> complexity: make error_setg() & friends store caller's __FILE__ and
> __LINE__.

Yes, please!!

Paolo


* Re: [Qemu-devel] [PATCH v2 0/3] error: allow local errors to trigger abort
From: Markus Armbruster @ 2015-06-22 11:31 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: kwolf, qemu-devel, dgilbert, Michael S. Tsirkin

Paolo Bonzini <pbonzini@redhat.com> writes:

> On 18/06/2015 18:34, Markus Armbruster wrote:
>> Here's an utterly trivial way to get some of the gain for none of the
>> complexity: make error_setg() & friends store caller's __FILE__ and
>> __LINE__.
>
> Yes, please!!

I coded it up, will post as soon as its dependencies are in place.


* Re: [Qemu-devel] [PATCH v2 3/3] block/nfs: switch to error_init_local
From: Michael S. Tsirkin @ 2015-06-23  9:03 UTC (permalink / raw)
  To: Eric Blake
  Cc: kwolf, qemu-block, armbru, Jeff Cody, Peter Lieven, qemu-devel, dgilbert

On Wed, Jun 17, 2015 at 09:32:09AM -0600, Eric Blake wrote:
> On 06/17/2015 01:24 AM, Michael S. Tsirkin wrote:
> > We probably should just switch everyone, this is
> > just to demonstrate the API usage.
> > 
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > ---
> >  block/nfs.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/block/nfs.c b/block/nfs.c
> > index ca9e24e..de4b8c3 100644
> > --- a/block/nfs.c
> > +++ b/block/nfs.c
> > @@ -385,7 +385,7 @@ static int nfs_file_open(BlockDriverState *bs, QDict *options, int flags,
> >      NFSClient *client = bs->opaque;
> >      int64_t ret;
> >      QemuOpts *opts;
> > -    Error *local_err = NULL;
> > +    Error *local_err = error_init_local(errp);
> >  
> >      client->aio_context = bdrv_get_aio_context(bs);
> 
> More context:
> 
> >     opts = qemu_opts_create(&runtime_opts, NULL, 0, &error_abort);
> >     qemu_opts_absorb_qdict(opts, options, &local_err);
> >     if (local_err) {
> >         error_propagate(errp, local_err);
> >         ret = -EINVAL;
> 
> Oops.  Your initialization means that if the caller passed in
> &error_abort, then local_err is now non-NULL, and we will attempt to do
> error_propagate(errp, error_abort), which will abort().  You'd have to
> change that to
>    if (!error_is_abort(local_err)) {

Looking at the alternatives, this seems like a reasonable change,
does it not?
Except it's a slightly ugly name, we need a new wrapper
     if (!error_is_set(local_err))
which does if (!local_err || local_err == &error_abort)
internally.

> -- 
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
> 

