Re: [PATCH v4 2/3] module: add Error arguments to module_load_one and module_load_qom_one

[Markus Armbruster <armbru@redhat.com>]

Claudio Fontana <cfontana@suse.de> writes:

> On 9/22/22 16:36, Markus Armbruster wrote:
>> Claudio Fontana <cfontana@suse.de> writes:
>> 
>>> On 9/22/22 15:20, Markus Armbruster wrote:
>>>> Claudio Fontana <cfontana@suse.de> writes:
>>>>
>>>> [...]
>>>>
>>>>> I think it would be better to completely make the return value separate from the Error,
>>>>> and really treat Error as an exception and not mix it up with the regular execution,
>>>>>
>>>>> but if it is the general consensus that I am the only one seeing this conflation problem we can model it this way too.
>>>>
>>>> It's a matter of language pragmatics.  In Java, you throw an exception
>>>> on error.  In C, you return an error value.
>>>>
>>>> Trying to emulate exceptions in C might be even more unadvisable than
>>>> trying to avoid them in Java.  Best to work with the language, not
>>>> against it.
>>>>
>>>> Trouble is the error values we can conveniently return in C can't convey
>>>> enough information.  So we use Error for that.  Just like GLib uses
>>>
>>> Right, we use Error for that and that's fine, but we should use it _only Error_ for that.
>>>
>>> Ie map the Exceptions directly to Error.
>>>
>>> So:
>>>
>>> try {
>>>
>>>   rv = function_call(...);
>>>
>>>   use_return_value(rv);
>>>
>>> } catch (Exception e) {
>>>
>>>   /* handle exceptional case */
>>>
>>> }
>>>
>>> becomes
>>>
>>> rv = function_call(..., Error **errp);
>>>
>>> if (errp) {
>>>   /* handle exceptional case */
>>> }
>>>
>>> use_return_value(rv);
>> 
>> This is simply not the intended use of Error.
>> 
>> Also, "trying to emulate exceptions in C might be even more unadvisable
>> than trying to avoid them in Java."
>> 
>>> Instead we mix up the Exception code path and the regular code path, by having rv carry a mix of the Exception and regular return value,
>>> and this creates problems and confusion.
>> 
>> "In C, you return an error value."
>> 
>>> If we put a hard line between the two, I think more clarity emerges.
>> 
>> Maybe, but consistency matters.  Clarity doesn't emerge in isolation.  
>> Deviating from prevailing usage tends to confuse.
>> 
>>>> GError.
>>>>
>>>> More modern languages do "return error value" much better than C can.  C
>>>> is what it is.
>>>>
>>>> We could certainly argue how to do better than we do now in QEMU's C
>>>> code.  However, the Error API is used all over the place, which makes
>>>> changing it expensive.  "Rethinking the whole Error API" (your words)
>>>> would have to generate benefits worth this expense.  Which seems
>>>> unlikely.
>>>>
>>>> [...]
>>>>
>>>
>>> This is all fine, the problem is how we remodel this in C.
>>>
>>> This is how I see the next steps to clarify my position:
>>>
>>> short term:
>>>
>>> - keep the existing API with the existing assumptions, use a separate argument to carry the pointer to the actual return value (where the function return value as provided by the language is used to return if an exception was generated or not, as we assume today).
>> 
>> We don't actually need separate values for "actual return value" and
>> "success vs. failure" here.  We can easily encode them in a single
>
> Yes, we do, it would avoid the confusion that we see as soon as people look at the module_load_one code the first time.
>
>> return value.  This is *common* in C, for better or worse.
>
> We make our own life difficult, by wasting the very precious space of the return value that should be used to provide the meaning of the function,
>
> and using it to provide a completely useless and redundant bool return value, that by your own definition,
> is just "errp != NULL".

*errp != NULL, except that doesn't work when the caller NULL to errp.

> The very precious and scarce return value of the C function is completely wasted.

I think you're tilting at windmills :)

error.h again:

 * - Whenever practical, also return a value that indicates success /
 *   failure.  This can make the error checking more concise, and can
 *   avoid useless error object creation and destruction.  Note that
 *   we still have many functions returning void.  We recommend
 *   • bool-valued functions return true on success / false on failure,
 *   • pointer-valued functions return non-null / null pointer, and
 *   • integer-valued functions return non-negative / negative.

This does *not* ask you to waste the return value on a bool indicating
success.  It asks you to use error values whenever practical, and
recommends common ones, namely:

     • When a function returns a non-negative integer on success, use
       negative integers to signify failure.

     • When a function returns a non-null pointer on success, use a null
       pointer to signify failure.

     • When a function has nothing to return, make it return true on
       success, and false on failure.

Such use of return values is idiomatic C.

When a function can return any value of its return type on success,
there are no error values left.  Unless we can tweak the return type to
accomodate error values, say widen it from unsigned char to int, we're
outside "when practical" territory.

[...]