Re: [Qemu-devel] [PATCH] qom: abort on error in property setter if caller passed errp == NULL

[Andreas Färber]

Am 28.11.2013 02:24, schrieb Igor Mammedov:
> in case if caller setting property doesn't care about error and
> passes in NULL as errp argument but error occurs in property setter,
> it is silently discarded leaving object in undefined state.
> 
> As result it leads to hard to find bugs, so if caller doesn't
> care about error it must be sure that property exists and
> accepts provided value, otherwise it's better to abort early
> since error case couldn't be handled gracefully and find
> invalid usecase early.
> 
> In addition multitude of property setters will be always
> guarantied to have error object present and won't be required
> to handle this condition individually.
> 
> Signed-off-by: Igor Mammedov <address@hidden>
> ---
>  qom/object.c | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/qom/object.c b/qom/object.c
> index fc19cf6..2c0bb64 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -792,16 +792,25 @@ void object_property_get(Object *obj, Visitor *v, const 
> char *name,
>  void object_property_set(Object *obj, Visitor *v, const char *name,
>                           Error **errp)
>  {
> -    ObjectProperty *prop = object_property_find(obj, name, errp);
> -    if (prop == NULL) {
> -        return;
> +    Error *local_error = NULL;
> +    ObjectProperty *prop = object_property_find(obj, name, &local_error);
> +    if (local_error) {
> +        goto out;
>      }
>  
>      if (!prop->set) {
> -        error_set(errp, QERR_PERMISSION_DENIED);
> +        error_set(&local_error, QERR_PERMISSION_DENIED);
>      } else {
> -        prop->set(obj, v, prop->opaque, name, errp);
> +        prop->set(obj, v, prop->opaque, name, &local_error);
>      }
> +out:
> +    if (local_error) {
> +        if (!errp) {
> +            assert_no_error(local_error);
> +        }
> +        error_propagate(errp, local_error);
> +    }
> +
>  }
>  
>  void object_property_set_str(Object *obj, const char *value,

Aborting on NULL errp considered dangerous by me.

This function seems to work just fine with NULL errp, so your focus
seems to be on the callers.

Promoting *not* to abort has been one appeal of the new QOM-style APIs
to me, so making this implicitly assert feels like a step backwards.
The old qdev_prop_set_*() API, which most users are still using, does
assert, as discussed with PMM recently.

Also, why only for setting properties? Either all or none should behave
like this - and I guess none is going to be easier to achieve.
For instance, adding dynamic properties is a use case where in
instance_init I've seen NULL errp passed in (because instance_init API
cannot fail).

I will be more than happy to review and apply your patch (or contribute
further ones) going through (mis)uses of error_is_set().

Regards,
Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg