From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Peter Crosthwaite" <crosthwaitepeter@gmail.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Andreas Färber" <afaerber@suse.de>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Error handling in realize() methods
Date: Thu, 10 Dec 2015 12:26:28 +0100 [thread overview]
Message-ID: <56696164.8000009@redhat.com> (raw)
In-Reply-To: <87a8piimvi.fsf@blackfin.pond.sub.org>
On 10/12/2015 12:06, Markus Armbruster wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
>
>> On 09/12/2015 10:30, Markus Armbruster wrote:
>>> My current working assumption is that passing &error_fatal to
>>> memory_region_init_ram() & friends is okay even in realize() methods and
>>> their supporting code, except when the allocation can be large.
>>
>> I suspect a lot of memory_region_init_ram()s could be considered
>> potentially large (at least in the 16-64 megabytes range). Propagation
>> of memory_region_init_ram() failures is easy enough, thanks to Error**,
>> that we should just do it.
>
> Propagating an out-of-memory error right in realize() is easy. What's
> not so easy is making realize() fail cleanly (all side effects undone;
> we get that wrong in many places), and finding and propagating
> out-of-memory errors hiding deeper in the call tree.
grep is your friend. We're talking of a subset of these:
hw/block/onenand.c: memory_region_init_ram(&s->ram, OBJECT(s), "onenand.ram",
hw/block/pflash_cfi01.c: memory_region_init_rom_device(
hw/block/pflash_cfi02.c: memory_region_init_rom_device(&pfl->orig_mem, OBJECT(pfl), pfl->be ?
hw/display/cg3.c: memory_region_init_ram(&s->rom, obj, "cg3.prom", FCODE_MAX_ROM_SIZE,
hw/display/cg3.c: memory_region_init_ram(&s->vram_mem, NULL, "cg3.vram", s->vram_size,
hw/display/g364fb.c: memory_region_init_ram_ptr(&s->mem_vram, NULL, "vram",
hw/display/qxl.c: memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
hw/display/qxl.c: memory_region_init_ram(&qxl->vram_bar, OBJECT(qxl), "qxl.vram",
hw/display/qxl.c: memory_region_init_ram(&qxl->vga.vram, OBJECT(dev), "qxl.vgavram",
hw/display/sm501.c: memory_region_init_ram(&s->local_mem_region, NULL, "sm501.local",
hw/display/tc6393xb.c: memory_region_init_ram(&s->vram, NULL, "tc6393xb.vram", 0x100000,
hw/display/tcx.c: memory_region_init_ram(&s->rom, obj, "tcx.prom", FCODE_MAX_ROM_SIZE,
hw/display/tcx.c: memory_region_init_ram(&s->vram_mem, OBJECT(s), "tcx.vram",
hw/display/vga.c: memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size,
hw/display/vmware_vga.c: memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size,
hw/dma/rc4030.c: memory_region_init_rom_device(&s->dma_tt, o,
hw/i386/pci-assign-load-rom.c: memory_region_init_ram(&dev->rom, owner, name, st.st_size, &error_abort);
hw/input/milkymist-softusb.c: memory_region_init_ram(&s->pmem, OBJECT(s), "milkymist-softusb.pmem",
hw/input/milkymist-softusb.c: memory_region_init_ram(&s->dmem, OBJECT(s), "milkymist-softusb.dmem",
hw/net/dp8393x.c: memory_region_init_ram(&s->prom, OBJECT(dev),
hw/net/milkymist-minimac2.c: memory_region_init_ram(&s->buffers, OBJECT(dev), "milkymist-minimac2.buffers",
hw/pci/pci.c: memory_region_init_ram(&pdev->rom, OBJECT(pdev), name, size, &error_fatal);
hw/s390x/sclp.c: memory_region_init_ram(standby_ram, NULL, id, this_subregion_size,
Some of them are in sysbus devices and can thus be ignored. Some of the
others may indeed need introduction of additional error propagation or may
be non-trivial.
> I doubt ensuring *all* allocations on behalf of a hot-pluggable device
> are handled gracefully is a good use of our reseources, or even
> feasible.
I agree. I don't think we have large allocations in device models,
other than from memory region allocation (e.g. VRAM).
> Consider a device that can only be created during machine initialization
> (cannot_instantiate_with_device_add_yet = true or hotpluggable = false).
> &error_fatal is perfectly adequate there. &error_abort would be
> misleading, because when it fails, it's almost certainly because the
> user tried to create too big a machine.
I agree here.
> Now consider a hot-pluggable device. Its recognized "large" allocations
> all fail gracefully. What about its other allocations? Two kinds: the
> ones visible in the device model code, and the ones hiding elsewhere,
> which include "a few" of the 2300+ uses of GLib memory allocation. The
> latter exit(). Why should the former abort()?
We've already ruled that the latter simply won't happen, so we can say at
the same time that g_malloc() does not exit at all. :)
&error_fatal is a user error, &error_abort is an assertion failure. This
is much closer to an assertion failure.
> Now use that hot-pluggable device during machine initialization.
> abort() is again misleading.
Perhaps, but---because it's hotpluggable---what happens during machine
initialization is much less important. It doesn't lead to lost data.
An abort() is much more likely to catch the developers' and the users'
attention and much more likely to be reported (compare "huh, it went
away?!?" with "abrt is asking me to open a Fedora bug, interesting").
> Let's avoid a fruitless debate on when to exit() and when to abort() on
> out-of-memory, and just stick to exit(). We don't need a core dump to
> tell a developer to fix his lazy error handling.
Perhaps we do...
Paolo
next prev parent reply other threads:[~2015-12-10 11:26 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 13:47 [Qemu-devel] Error handling in realize() methods Markus Armbruster
2015-12-08 14:19 ` Dr. David Alan Gilbert
2015-12-09 9:30 ` Markus Armbruster
2015-12-09 10:29 ` Dr. David Alan Gilbert
2015-12-09 11:10 ` Laszlo Ersek
2015-12-10 9:22 ` Markus Armbruster
2015-12-10 11:10 ` Laszlo Ersek
2015-12-09 11:47 ` Peter Maydell
2015-12-09 12:25 ` Laszlo Ersek
2015-12-09 13:21 ` Dr. David Alan Gilbert
2015-12-10 9:27 ` Markus Armbruster
2015-12-09 13:09 ` Paolo Bonzini
2015-12-09 13:12 ` Dr. David Alan Gilbert
2015-12-09 13:43 ` Paolo Bonzini
2015-12-10 11:06 ` Markus Armbruster
2015-12-10 11:21 ` Dr. David Alan Gilbert
2015-12-10 11:22 ` Paolo Bonzini
2015-12-10 11:26 ` Paolo Bonzini [this message]
2015-12-10 12:25 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56696164.8000009@redhat.com \
--to=pbonzini@redhat.com \
--cc=afaerber@suse.de \
--cc=armbru@redhat.com \
--cc=crosthwaitepeter@gmail.com \
--cc=dgilbert@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).