* [PATCH v2 0/8] Require error handling for dynamically created objects
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu, Daniel P. Berrangé
NB, this series is targeting 10.0, NOT for 9.2 freeze.
With code like
Object *obj = object_new(TYPE_BLAH);
the caller can be pretty confident that they will successfully create
an object instance of TYPE_BLAH. They know exactly what type has been
requested, so if passing an abstract type, for example, it is a clear
programmer error that they'll get an assertion failure.
Conversely with code like
void somefunc(const char *typename) {
Object *obj = object_new(typename);
...
}
all bets are off, because the call of object_new() knows nothing
about what 'typename' resolves to. It could easily be an abstract
type. As a result, many code paths have added a manual check ahead
of time
if (object_class_is_abstract(typename)) {
error_setg(errp, ....)
}
...except for where we forget to do this, such as qdev_new().
Overall 'object_new' is a bad design because it is inherently
unsafe to call with unvalidated typenames.
This problem is made worse by the proposal to introduce the idea
of 'singleton' classes[1].
Thus, this series suggests a way to improve safety at build
time. The core idea is to allow 'object_new' to continue to be
used *if-and-only-if* given a static, const string, because that
scenario indicates the caller is aware of what type they are
creating at build time.
A new 'object_new_dynamic' method is proposed for cases where
the typename is dynamically chosen at runtime. This method has
an "Error **errp" parameter, which can report when an abstract
type is created, leaving the assert()s only for scenarios which
are unambiguous programmer errors.
With a little macro magic, we guarantee a compile error is
generated if 'object_new' is called with a dynamic type, forcing
all potentially unsafe code over to object_new_dynamic.
This is more tractable than adding 'Error **errp' to 'object_new'
as only a handful of places use a dynamic type name.
With this series, my objections to Peter Xu's singleton series[1]
would be largely nullified.
[1] https://lists.nongnu.org/archive/html/qemu-devel/2024-10/msg05524.html
Changed in v2:
* Removed "RFC" tag
* Converted code in all non-x86_64 targets
* Converted qdev_new to same pattern as object_new
* Ensured test suites work now
Daniel P. Berrangé (8):
qom: refactor checking abstract property when creating instances
qom: allow failure of object_new_with_class
qom: introduce object_new_dynamic()
convert code to object_new_dynamic() where appropriate
qom: enforce use of static, const string with object_new()
qom: introduce qdev_new_dynamic()
convert code to qdev_new_dynamic() where appropriate
hw: enforce use of static, const string with qdev_new()
accel/accel-user.c | 4 +-
chardev/char.c | 6 ++-
hw/arm/aspeed.c | 6 +--
hw/arm/exynos4210.c | 3 +-
hw/arm/highbank.c | 2 +-
hw/arm/integratorcp.c | 2 +-
hw/arm/mps3r.c | 3 +-
hw/arm/npcm7xx_boards.c | 2 +-
hw/arm/realview.c | 3 +-
hw/arm/sbsa-ref.c | 7 +--
hw/arm/versatilepb.c | 2 +-
hw/arm/vexpress.c | 4 +-
hw/arm/virt.c | 10 ++--
hw/arm/xilinx_zynq.c | 3 +-
hw/audio/soundhw.c | 2 +-
hw/block/xen-block.c | 7 ++-
hw/core/bus.c | 2 +-
hw/core/cpu-common.c | 2 +-
hw/core/qdev.c | 24 +++++++--
hw/core/sysbus.c | 2 +-
hw/i2c/core.c | 2 +-
hw/i386/x86-common.c | 5 +-
hw/i386/xen/xen-pvh.c | 2 +-
hw/intc/xics.c | 5 +-
hw/isa/isa-bus.c | 4 +-
hw/mips/cps.c | 3 +-
hw/pci-host/pnv_phb.c | 5 +-
hw/pci/pci.c | 2 +-
hw/ppc/e500.c | 2 +-
hw/ppc/pnv.c | 6 +--
hw/ppc/pnv_core.c | 5 +-
hw/ppc/spapr.c | 2 +-
hw/ppc/spapr_cpu_core.c | 5 +-
hw/ppc/spapr_drc.c | 2 +-
hw/s390x/s390-virtio-ccw.c | 10 +++-
hw/scsi/scsi-bus.c | 5 +-
hw/sparc/leon3.c | 2 +-
hw/sparc/sun4m.c | 2 +-
hw/sparc64/sparc64.c | 2 +-
hw/ssi/ssi.c | 2 +-
hw/vfio/common.c | 6 ++-
hw/vfio/container.c | 7 ++-
include/hw/qdev-core.h | 78 ++++++++++++++++++++++++++-
include/hw/usb.h | 4 +-
include/qom/object.h | 48 +++++++++++++++--
net/net.c | 7 +--
qom/object.c | 44 ++++++++++-----
qom/object_interfaces.c | 7 ++-
qom/qom-qmp-cmds.c | 16 +++---
system/qdev-monitor.c | 5 +-
system/vl.c | 6 ++-
target/arm/arm-qmp-cmds.c | 5 +-
target/i386/cpu-apic.c | 8 ++-
target/i386/cpu-sysemu.c | 11 ++--
target/i386/cpu.c | 4 +-
target/loongarch/loongarch-qmp-cmds.c | 5 +-
target/mips/cpu.c | 2 +-
target/riscv/riscv-qmp-cmds.c | 5 +-
target/s390x/cpu_models_sysemu.c | 7 ++-
target/xtensa/cpu.c | 2 +-
tests/unit/check-qom-interface.c | 3 +-
tests/unit/test-smp-parse.c | 20 +++----
62 files changed, 353 insertions(+), 116 deletions(-)
--
2.46.0
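The design the cover letter describes, as an added example that is not QEMU code and not the macro from patch 5 of this series: a toy object system with an abstract flag per type, an object_new_dynamic() that reports unknown and abstract types through errp, and an object_new() that is only usable with a string literal. The "" typename concatenation guard is an assumption about how the build-time rule could be enforced; the type names, the try_create()/static_create_ok() helpers and the error strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for QOM's TypeImpl: the abstract flag is what the series
 * wants reported through errp rather than via an assertion. */
typedef struct TypeImpl {
    const char *name;
    int abstract;          /* non-zero: may not be instantiated */
    size_t instance_size;
} TypeImpl;

typedef struct Object {
    const TypeImpl *type;
} Object;

/* Constructed type registry; sample names, not QEMU's real type list. */
static const TypeImpl type_table[] = {
    { "object",         1, sizeof(Object) },   /* abstract root */
    { "device",         1, sizeof(Object) },   /* abstract */
    { "e1000",          0, sizeof(Object) },
    { "virtio-net-pci", 0, sizeof(Object) },
};

static const TypeImpl *type_get_by_name(const char *typename)
{
    size_t i;

    for (i = 0; i < sizeof(type_table) / sizeof(type_table[0]); i++) {
        if (strcmp(type_table[i].name, typename) == 0) {
            return &type_table[i];
        }
    }
    return NULL;
}

/* Runtime variant: the name may come from anywhere, so every failure is
 * reported through errp (a plain string here instead of QEMU's Error). */
Object *object_new_dynamic(const char *typename, const char **errp)
{
    const TypeImpl *ti = type_get_by_name(typename);
    Object *obj;

    if (!ti) {
        *errp = "unknown type";
        return NULL;
    }
    if (ti->abstract) {
        *errp = "abstract type cannot be instantiated";
        return NULL;
    }
    obj = calloc(1, ti->instance_size);
    if (!obj) {
        *errp = "out of memory";
        return NULL;
    }
    obj->type = ti;
    *errp = NULL;
    return obj;
}

/* Build-time variant: the caller wrote the name as a literal, so any
 * failure is a programmer error and aborts, mirroring &error_abort. */
static Object *object_new_impl(const char *typename)
{
    const char *err = NULL;
    Object *obj = object_new_dynamic(typename, &err);

    if (!obj) {
        fprintf(stderr, "object_new(\"%s\"): %s\n", typename, err);
        abort();
    }
    return obj;
}

/* Assumed guard, not the series' own macro: "" typename is string literal
 * concatenation, which only compiles when typename is itself a literal,
 * so object_new(some_variable) fails to build and the caller has to use
 * object_new_dynamic() instead. */
#define object_new(typename) object_new_impl("" typename)

#define TYPE_E1000 "e1000"

/* Classifies a dynamic creation attempt: 0 created, 1 abstract, 2 unknown. */
int try_create(const char *typename)
{
    const char *err = NULL;
    Object *obj = object_new_dynamic(typename, &err);

    if (obj) {
        free(obj);
        return 0;
    }
    return strcmp(err, "unknown type") == 0 ? 2 : 1;
}

/* Creates via the static path with a literal; returns 1 on success. */
int static_create_ok(void)
{
    Object *obj = object_new(TYPE_E1000);
    int ok = strcmp(obj->type->name, "e1000") == 0;

    free(obj);
    return ok;
}

int main(void)
{
    const char *user_choice = "device";   /* imagine this came from -device */

    printf("static e1000: %s\n", static_create_ok() ? "ok" : "failed");
    printf("dynamic '%s': code %d\n", user_choice, try_create(user_choice));
    /* object_new(user_choice);  <- rejected by the compiler: not a literal */
    return 0;
}
```

Uncommenting the last call in main() is the point of the guard: the build fails rather than the process asserting at runtime, which is exactly the property the series wants for names that are not known at compile time.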
* [PATCH v2 1/8] qom: refactor checking abstract property when creating instances
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu, Daniel P. Berrangé
Push an Error object into object_initialize_with_type, so that
reporting of attempts to create an abstract type is handled at
the lowest level.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
qom/object.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/qom/object.c b/qom/object.c
index 9edc06d391..dc125e55bc 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -559,14 +559,20 @@ static void object_class_property_init_all(Object *obj)
}
}
-static void object_initialize_with_type(Object *obj, size_t size, TypeImpl *type)
+static bool object_initialize_with_type(Object *obj, size_t size,
+ TypeImpl *type, Error **errp)
{
type_initialize(type);
g_assert(type->instance_size >= sizeof(Object));
- g_assert(type->abstract == false);
g_assert(size >= type->instance_size);
+ if (type->abstract) {
+ error_setg(errp, "Abstract type '%s' cannot be instantiated",
+ type->name);
+ return false;
+ }
+
memset(obj, 0, type->instance_size);
obj->class = type->class;
object_ref(obj);
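Review bot: object_initialize_with_type() now has a mixed contract, returning false with errp set for an abstract type while the g_assert()s on instance_size just above still abort, and nothing in the hunk documents which misuse is reportable and which is fatal. A short comment above the function, along the lines of "Returns false with @errp set only for abstract types; other misuse is a programmer error and asserts", would stop the next caller from wrapping it in error handling that can never fire for the other cases.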
@@ -575,13 +581,15 @@ static void object_initialize_with_type(Object *obj, size_t size, TypeImpl *type
NULL, object_property_free);
object_init_with_type(obj, type);
object_post_init_with_type(obj, type);
+
+ return true;
}
void object_initialize(void *data, size_t size, const char *typename)
{
TypeImpl *type = type_get_or_load_by_name(typename, &error_fatal);
- object_initialize_with_type(data, size, type);
+ object_initialize_with_type(data, size, type, &error_abort);
}
bool object_initialize_child_with_props(Object *parentobj,
@@ -753,7 +761,7 @@ typedef union {
} qemu_max_align_t;
#endif
-static Object *object_new_with_type(Type type)
+static Object *object_new_with_type(Type type, Error **errp)
{
Object *obj;
size_t size, align;
@@ -777,7 +785,10 @@ static Object *object_new_with_type(Type type)
obj_free = qemu_vfree;
}
- object_initialize_with_type(obj, size, type);
+ if (!object_initialize_with_type(obj, size, type, errp)) {
+ g_free(obj);
+ return NULL;
+ }
obj->free = obj_free;
return obj;
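Review bot: the new failure path frees with g_free(obj), but the context two lines above shows obj_free being set to qemu_vfree, i.e. this function allocates the object with more than one allocator depending on alignment, and releasing an aligned allocation with g_free() is a mismatched free. The cleanup should use the allocator chosen for this object, "obj_free(obj);" instead of "g_free(obj);", before returning NULL.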
@@ -785,14 +796,14 @@ static Object *object_new_with_type(Type type)
Object *object_new_with_class(ObjectClass *klass)
{
- return object_new_with_type(klass->type);
+ return object_new_with_type(klass->type, &error_abort);
}
Object *object_new(const char *typename)
{
TypeImpl *ti = type_get_or_load_by_name(typename, &error_fatal);
- return object_new_with_type(ti);
+ return object_new_with_type(ti, &error_abort);
}
@@ -829,11 +840,10 @@ Object *object_new_with_propv(const char *typename,
return NULL;
}
- if (object_class_is_abstract(klass)) {
- error_setg(errp, "object type '%s' is abstract", typename);
+ obj = object_new_with_type(klass->type, errp);
+ if (!obj) {
return NULL;
}
- obj = object_new_with_type(klass->type);
if (!object_set_propv(obj, errp, vargs)) {
goto error;
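Review bot: dropping the explicit check changes the error text object_new_with_propv() reports for an abstract type from "object type '%s' is abstract" to the "Abstract type '%s' cannot be instantiated" wording set in object_initialize_with_type(); anything matching the old message (unit tests, documentation, management tools parsing the string) needs updating, and the wording change is worth stating in the commit message.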
--
2.46.0
* [PATCH v2 2/8] qom: allow failure of object_new_with_class
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu, Daniel P. Berrangé
Since object_new_with_class() accepts a non-const parameter for
the class, callers should be prepared for failures from unexpected
input. Add an Error parameter for this and make callers check.
If the caller does not already have an Error parameter, it is
satisfactory to use &error_abort if the class parameter choice is
not driven by untrusted user input.
This conversion allows removal of any object_class_is_abstract()
checks immediately before object_new_with_class().
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
accel/accel-user.c | 4 +++-
hw/core/qdev.c | 2 +-
include/qom/object.h | 9 +++++++--
net/net.c | 3 ++-
qom/object.c | 4 ++--
qom/object_interfaces.c | 7 +++----
qom/qom-qmp-cmds.c | 11 ++++++-----
system/vl.c | 6 ++++--
target/i386/cpu-apic.c | 8 +++++++-
target/i386/cpu-sysemu.c | 11 ++++++++---
target/i386/cpu.c | 4 ++--
target/s390x/cpu_models_sysemu.c | 7 +++++--
12 files changed, 50 insertions(+), 26 deletions(-)
diff --git a/accel/accel-user.c b/accel/accel-user.c
index 22b6a1a1a8..df673ec0e4 100644
--- a/accel/accel-user.c
+++ b/accel/accel-user.c
@@ -9,6 +9,7 @@
#include "qemu/osdep.h"
#include "qemu/accel.h"
+#include "qapi/error.h"
AccelState *current_accel(void)
{
@@ -18,7 +19,8 @@ AccelState *current_accel(void)
AccelClass *ac = accel_find("tcg");
g_assert(ac != NULL);
- accel = ACCEL(object_new_with_class(OBJECT_CLASS(ac)));
+ accel = ACCEL(object_new_with_class(OBJECT_CLASS(ac),
+ &error_abort));
}
return accel;
}
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 5f13111b77..0ba701f2ba 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -155,7 +155,7 @@ DeviceState *qdev_try_new(const char *name)
if (!oc) {
return NULL;
}
- return DEVICE(object_new_with_class(oc));
+ return DEVICE(object_new_with_class(oc, &error_abort));
}
static QTAILQ_HEAD(, DeviceListener) device_listeners
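Review bot: qdev_try_new() is the variant that returns NULL rather than failing when the class cannot be found (the "if (!oc) { return NULL; }" just above), so passing &error_abort here makes an abstract device name abort the process while an unknown name is tolerated. Consider a local Error that is freed and turned into a NULL return, or say in the commit message why aborting on an abstract type is acceptable for the "try" API.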
diff --git a/include/qom/object.h b/include/qom/object.h
index 43c135984a..11ee472719 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -606,14 +606,19 @@ struct InterfaceClass
/**
* object_new_with_class:
* @klass: The class to instantiate.
+ * @errp: pointer to be filled with error details on failure
*
* This function will initialize a new object using heap allocated memory.
* The returned object has a reference count of 1, and will be freed when
* the last reference is dropped.
*
- * Returns: The newly allocated and instantiated object.
+ * If an instance of @klass is not permitted to be instantiated, an
+ * error will be raised. This can happen if @klass is abstract.
+ *
+ * Returns: The newly allocated and instantiated object, or NULL
+ * on error.
*/
-Object *object_new_with_class(ObjectClass *klass);
+Object *object_new_with_class(ObjectClass *klass, Error **errp);
/**
* object_new:
diff --git a/net/net.c b/net/net.c
index 7ef6885876..fbbfe602a4 100644
--- a/net/net.c
+++ b/net/net.c
@@ -948,7 +948,8 @@ GPtrArray *qemu_get_nic_models(const char *device_type)
* create this property during instance_init, so we have to create
* a temporary instance here to be able to check it.
*/
- Object *obj = object_new_with_class(OBJECT_CLASS(dc));
+ Object *obj = object_new_with_class(OBJECT_CLASS(dc),
+ &error_abort);
if (object_property_find(obj, "netdev")) {
g_ptr_array_add(nic_models, (gpointer)name);
}
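Review bot: with &error_abort this listing aborts QEMU if the class iteration feeding dc ever yields an abstract class, even though the comment above says the instance is created purely to probe for a "netdev" property. Please confirm that the enumeration already filters abstract classes; if it does not, skipping the class on error (local Error, error_free(), continue) keeps a model query from becoming a crash.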
diff --git a/qom/object.c b/qom/object.c
index dc125e55bc..afcdeba93b 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -794,9 +794,9 @@ static Object *object_new_with_type(Type type, Error **errp)
return obj;
}
-Object *object_new_with_class(ObjectClass *klass)
+Object *object_new_with_class(ObjectClass *klass, Error **errp)
{
- return object_new_with_type(klass->type, &error_abort);
+ return object_new_with_type(klass->type, errp);
}
Object *object_new(const char *typename)
diff --git a/qom/object_interfaces.c b/qom/object_interfaces.c
index 1a6f29c053..967b906755 100644
--- a/qom/object_interfaces.c
+++ b/qom/object_interfaces.c
@@ -102,13 +102,12 @@ Object *user_creatable_add_type(const char *type, const char *id,
return NULL;
}
- if (object_class_is_abstract(klass)) {
- error_setg(errp, "object type '%s' is abstract", type);
+ assert(qdict);
+ obj = object_new_with_class(klass, errp);
+ if (!obj) {
return NULL;
}
- assert(qdict);
- obj = object_new_with_class(klass);
object_set_properties_from_qdict(obj, qdict, v, &local_err);
if (local_err) {
goto out;
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index 46e4562300..4a8e269fef 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -134,14 +134,15 @@ ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
return NULL;
}
- if (!object_class_dynamic_cast(klass, TYPE_DEVICE)
- || object_class_is_abstract(klass)) {
- error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "typename",
- "a non-abstract device type");
+ if (!object_class_dynamic_cast(klass, TYPE_DEVICE)) {
+ error_setg(errp, "Object '%s' is not a device type", typename);
return NULL;
}
- obj = object_new_with_class(klass);
+ obj = object_new_with_class(klass, errp);
+ if (!obj) {
+ return NULL;
+ }
object_property_iter_init(&iter, obj);
while ((prop = object_property_iter_next(&iter))) {
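Review bot: the replacement message "Object '%s' is not a device type" describes a type name as an object and no longer mentions that abstract types are rejected, which is now reported by object_new_with_class() with different text; since qmp_device_list_properties() is a QMP command, both strings are user-visible and the change should be called out in the commit message. Suggest "'%s' is not a device type" and checking any tests that match the old QERR_INVALID_PARAMETER_VALUE text.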
diff --git a/system/vl.c b/system/vl.c
index d217b3d64d..f4eec7f35c 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -2117,7 +2117,8 @@ static void qemu_create_machine(QDict *qdict)
MachineClass *machine_class = select_machine(qdict, &error_fatal);
object_set_machine_compat_props(machine_class->compat_props);
- current_machine = MACHINE(object_new_with_class(OBJECT_CLASS(machine_class)));
+ current_machine = MACHINE(object_new_with_class(OBJECT_CLASS(machine_class),
+ &error_fatal));
object_property_add_child(object_get_root(), "machine",
OBJECT(current_machine));
object_property_add_child(container_get(OBJECT(current_machine),
@@ -2327,7 +2328,8 @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
}
goto bad;
}
- accel = ACCEL(object_new_with_class(OBJECT_CLASS(ac)));
+ accel = ACCEL(object_new_with_class(OBJECT_CLASS(ac),
+ &error_fatal));
object_apply_compat_props(OBJECT(accel));
qemu_opt_foreach(opts, accelerator_set_property,
accel,
diff --git a/target/i386/cpu-apic.c b/target/i386/cpu-apic.c
index d397ec94dc..8a518c50c7 100644
--- a/target/i386/cpu-apic.c
+++ b/target/i386/cpu-apic.c
@@ -43,12 +43,18 @@ void x86_cpu_apic_create(X86CPU *cpu, Error **errp)
{
APICCommonState *apic;
APICCommonClass *apic_class = apic_get_class(errp);
+ Object *apicobj;
if (!apic_class) {
return;
}
- cpu->apic_state = DEVICE(object_new_with_class(OBJECT_CLASS(apic_class)));
+ apicobj = object_new_with_class(OBJECT_CLASS(apic_class),
+ errp);
+ if (!apicobj) {
+ return;
+ }
+ cpu->apic_state = DEVICE(apicobj);
object_property_add_child(OBJECT(cpu), "lapic",
OBJECT(cpu->apic_state));
object_unref(OBJECT(cpu->apic_state));
diff --git a/target/i386/cpu-sysemu.c b/target/i386/cpu-sysemu.c
index 227ac021f6..612ff09e57 100644
--- a/target/i386/cpu-sysemu.c
+++ b/target/i386/cpu-sysemu.c
@@ -156,15 +156,20 @@ static X86CPU *x86_cpu_from_model(const char *model, QObject *props,
{
X86CPU *xc = NULL;
X86CPUClass *xcc;
+ Object *xcobj;
Error *err = NULL;
xcc = X86_CPU_CLASS(cpu_class_by_name(TYPE_X86_CPU, model));
if (xcc == NULL) {
- error_setg(&err, "CPU model '%s' not found", model);
- goto out;
+ error_setg(errp, "CPU model '%s' not found", model);
+ return NULL;
}
- xc = X86_CPU(object_new_with_class(OBJECT_CLASS(xcc)));
+ xcobj = object_new_with_class(OBJECT_CLASS(xcc), errp);
+ if (!xcobj) {
+ return NULL;
+ }
+ xc = X86_CPU(xcobj);
if (props) {
object_apply_props(OBJECT(xc), props, props_arg_name, &err);
if (err) {
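Review bot: the not-found path now does "error_setg(errp, ...)" and "return NULL" instead of "error_setg(&err, ...)" and "goto out", and the creation failure likewise returns before reaching out. That is only equivalent if the out label does nothing beyond propagating err when xc is NULL (no unref, no cleanup of props); the hunk does not show the label, so please confirm, or keep the goto for both paths so the cleanup stays in one place.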
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 58c96eafea..5e10210db9 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5973,7 +5973,7 @@ static GSList *get_sorted_cpu_model_list(void)
static char *x86_cpu_class_get_model_id(X86CPUClass *xc)
{
- Object *obj = object_new_with_class(OBJECT_CLASS(xc));
+ Object *obj = object_new_with_class(OBJECT_CLASS(xc), &error_abort);
char *r = object_property_get_str(obj, "model-id", &error_abort);
object_unref(obj);
return r;
@@ -6071,7 +6071,7 @@ static void x86_cpu_class_check_missing_features(X86CPUClass *xcc,
return;
}
- xc = X86_CPU(object_new_with_class(OBJECT_CLASS(xcc)));
+ xc = X86_CPU(object_new_with_class(OBJECT_CLASS(xcc), &error_abort));
x86_cpu_expand_features(xc, &err);
if (err) {
diff --git a/target/s390x/cpu_models_sysemu.c b/target/s390x/cpu_models_sysemu.c
index f6df691b66..7fe3093056 100644
--- a/target/s390x/cpu_models_sysemu.c
+++ b/target/s390x/cpu_models_sysemu.c
@@ -69,7 +69,7 @@ static void create_cpu_model_list(ObjectClass *klass, void *opaque)
if (cpu_list_data->model) {
Object *obj;
S390CPU *sc;
- obj = object_new_with_class(klass);
+ obj = object_new_with_class(klass, &error_abort);
sc = S390_CPU(obj);
if (sc->model) {
info->has_unavailable_features = true;
@@ -116,7 +116,10 @@ static void cpu_model_from_info(S390CPUModel *model, const CpuModelInfo *info,
error_setg(errp, "The CPU definition '%s' requires KVM", info->name);
return;
}
- obj = object_new_with_class(oc);
+ obj = object_new_with_class(oc, errp);
+ if (!obj) {
+ return;
+ }
cpu = S390_CPU(obj);
if (!cpu->model) {
--
2.46.0
* [PATCH v2 3/8] qom: introduce object_new_dynamic()
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu, Daniel P. Berrangé
object_new() has a failure scenario where it will assert() if given
an abstract type. Callers which are creating objects based on user
input, or unknown/untrusted type names, must manually check the
result of object_class_is_abstract() before calling object_new()
to propagate an Error, instead of asserting.
Introduce an object_new_dynamic() method which is a counterpart to
object_new() that directly returns an Error, instead of asserting.
This new method is to be used where the typename is specified
dynamically by code separate from the immediate caller.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qom/object.h | 27 +++++++++++++++++++++++++++
qom/object.c | 9 +++++++++
2 files changed, 36 insertions(+)
diff --git a/include/qom/object.h b/include/qom/object.h
index 11ee472719..4fc01336c4 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -624,14 +624,41 @@ Object *object_new_with_class(ObjectClass *klass, Error **errp);
* object_new:
* @typename: The name of the type of the object to instantiate.
*
+ * This method should be used where @typename is statically specified
+ * from a const string at build time, where the caller does not expect
+ * failure to be possible.
+ *
* This function will initialize a new object using heap allocated memory.
* The returned object has a reference count of 1, and will be freed when
* the last reference is dropped.
*
+ * If an instance of @typename is not permitted to be instantiated, an
+ * assert will be raised. This can happen if @typename is abstract.
+ *
* Returns: The newly allocated and instantiated object.
*/
Object *object_new(const char *typename);
+/**
+ * object_new_dynamic:
+ * @typename: The name of the type of the object to instantiate.
+ * @errp: pointer to be filled with error details on failure
+ *
+ * This method should be used where @typename is dynamically chosen
+ * at runtime, which has the possibility of unexpected choices leading
+ * to failures.
+ *
+ * This function will initialize a new object using heap allocated memory.
+ * The returned object has a reference count of 1, and will be freed when
+ * the last reference is dropped.
+ *
+ * If an instance of @typename is not permitted to be instantiated, an
+ * error will be raised. This can happen if @typename is abstract.
+ *
+ * Returns: The newly allocated and instantiated object.
+ */
+Object *object_new_dynamic(const char *typename, Error **errp);
+
/**
* object_new_with_props:
* @typename: The name of the type of the object to instantiate.
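Review bot: the object_new_dynamic() comment says an error will be raised when @typename may not be instantiated, but its Returns: line still reads "The newly allocated and instantiated object", copied from object_new(); it should read "The newly allocated and instantiated object, or NULL on error", as the object_new_with_class() doc in the previous patch does. It would also help to mention the unknown-type case, since a type_get_or_load_by_name() failure is reported through the same errp.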
diff --git a/qom/object.c b/qom/object.c
index afcdeba93b..2e6e6495c6 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -806,6 +806,15 @@ Object *object_new(const char *typename)
return object_new_with_type(ti, &error_abort);
}
+Object *object_new_dynamic(const char *typename, Error **errp)
+{
+ TypeImpl *ti = type_get_or_load_by_name(typename, errp);
+ if (!ti) {
+ return NULL;
+ }
+
+ return object_new_with_type(ti, errp);
+}
Object *object_new_with_props(const char *typename,
Object *parent,
--
2.46.0
* [PATCH v2 4/8] convert code to object_new_dynamic() where appropriate
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu, Daniel P. Berrangé
In cases where object_new() is not being passed a static, const
string, the caller cannot be sure what type they are instantiating.
There is a risk that instantiation could fail, if it is an abstract
type.
Convert such cases over to use object_new_dynamic() such that they
are forced to expect failure. In some cases failure can be easily
propagated, but in others using &error_abort or &error_fatal will
maintain existing behaviour.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
chardev/char.c | 6 +++++-
hw/arm/aspeed.c | 4 ++--
hw/arm/exynos4210.c | 3 ++-
hw/arm/highbank.c | 2 +-
hw/arm/integratorcp.c | 2 +-
hw/arm/mps3r.c | 3 ++-
hw/arm/realview.c | 3 ++-
hw/arm/sbsa-ref.c | 3 ++-
hw/arm/versatilepb.c | 2 +-
hw/arm/vexpress.c | 2 +-
hw/arm/virt.c | 6 ++++--
hw/arm/xilinx_zynq.c | 3 ++-
hw/core/bus.c | 2 +-
hw/core/cpu-common.c | 2 +-
hw/core/qdev.c | 2 +-
hw/i386/x86-common.c | 5 ++++-
hw/i386/xen/xen-pvh.c | 2 +-
hw/intc/xics.c | 5 ++++-
hw/mips/cps.c | 3 ++-
hw/pci-host/pnv_phb.c | 5 ++++-
hw/ppc/e500.c | 2 +-
hw/ppc/pnv.c | 4 ++--
hw/ppc/pnv_core.c | 5 ++++-
hw/ppc/spapr.c | 2 +-
hw/ppc/spapr_cpu_core.c | 5 ++++-
hw/ppc/spapr_drc.c | 2 +-
hw/s390x/s390-virtio-ccw.c | 8 +++++++-
hw/sparc/leon3.c | 2 +-
hw/sparc/sun4m.c | 2 +-
hw/sparc64/sparc64.c | 2 +-
hw/vfio/common.c | 6 +++++-
hw/vfio/container.c | 7 ++++++-
qom/qom-qmp-cmds.c | 5 ++++-
target/arm/arm-qmp-cmds.c | 5 ++++-
target/loongarch/loongarch-qmp-cmds.c | 5 ++++-
target/mips/cpu.c | 2 +-
target/riscv/riscv-qmp-cmds.c | 5 ++++-
target/xtensa/cpu.c | 2 +-
tests/unit/check-qom-interface.c | 3 ++-
tests/unit/test-smp-parse.c | 20 ++++++++++----------
40 files changed, 107 insertions(+), 52 deletions(-)
diff --git a/chardev/char.c b/chardev/char.c
index a1722aa076..5951b8bef5 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -996,7 +996,11 @@ static Chardev *chardev_new(const char *id, const char *typename,
assert(g_str_has_prefix(typename, "chardev-"));
assert(id);
- obj = object_new(typename);
+ obj = object_new_dynamic(typename, errp);
+ if (!obj) {
+ return NULL;
+ }
+
chr = CHARDEV(obj);
chr->handover_yank_instance = handover_yank_instance;
chr->label = g_strdup(id);
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index 6ca145362c..71196b0a4b 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -385,7 +385,7 @@ static void aspeed_machine_init(MachineState *machine)
DriveInfo *emmc0 = NULL;
bool boot_emmc;
- bmc->soc = ASPEED_SOC(object_new(amc->soc_name));
+ bmc->soc = ASPEED_SOC(object_new_dynamic(amc->soc_name, &error_fatal));
object_property_add_child(OBJECT(machine), "soc", OBJECT(bmc->soc));
object_unref(OBJECT(bmc->soc));
sc = ASPEED_SOC_GET_CLASS(bmc->soc);
@@ -1594,7 +1594,7 @@ static void aspeed_minibmc_machine_init(MachineState *machine)
sysclk = clock_new(OBJECT(machine), "SYSCLK");
clock_set_hz(sysclk, SYSCLK_FRQ);
- bmc->soc = ASPEED_SOC(object_new(amc->soc_name));
+ bmc->soc = ASPEED_SOC(object_new_dynamic(amc->soc_name, &error_fatal));
object_property_add_child(OBJECT(machine), "soc", OBJECT(bmc->soc));
object_unref(OBJECT(bmc->soc));
qdev_connect_clock_in(DEVICE(bmc->soc), "sysclk", sysclk);
diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index e3f1de2631..b966b0cd06 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -554,7 +554,8 @@ static void exynos4210_realize(DeviceState *socdev, Error **errp)
int i, n;
for (n = 0; n < EXYNOS4210_NCPUS; n++) {
- Object *cpuobj = object_new(ARM_CPU_TYPE_NAME("cortex-a9"));
+ Object *cpuobj = object_new_dynamic(ARM_CPU_TYPE_NAME("cortex-a9"),
+ &error_fatal);
object_property_add_child(OBJECT(s), "cpu[*]", cpuobj);
/* By default A9 CPUs have EL3 enabled. This board does not currently
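Review bot: ARM_CPU_TYPE_NAME("cortex-a9") is built from a string literal, so if the macro expands to literal concatenation this site still satisfies the "static, const string" rule the commit message gives for keeping object_new(), and converting it to object_new_dynamic(..., &error_fatal) adds runtime error handling for a name fixed at build time. Either keep object_new() here, or add a comment explaining why the macro's result does not count as a constant for the enforcement check.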
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index f103921d49..07740eecdb 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -206,7 +206,7 @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
Object *cpuobj;
ARMCPU *cpu;
- cpuobj = object_new(machine->cpu_type);
+ cpuobj = object_new_dynamic(machine->cpu_type, &error_abort);
cpu = ARM_CPU(cpuobj);
object_property_add_child(OBJECT(machine), "cpu[*]", cpuobj);
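Review bot: this site uses &error_abort for machine->cpu_type while integratorcp.c, versatilepb.c, mps3r.c and realview.c in the same patch use &error_fatal for the very same field (and vexpress.c uses &error_abort for its cpu_type parameter). Since the commit message says either is used only to maintain existing behaviour, the choice should at least be consistent across the board files converted here; &error_fatal gives the user the message and a clean exit rather than a core dump.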
diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index feb0dd63df..2d1adfd7f8 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -595,7 +595,7 @@ static void integratorcp_init(MachineState *machine)
DriveInfo *dinfo;
int i;
- cpuobj = object_new(machine->cpu_type);
+ cpuobj = object_new_dynamic(machine->cpu_type, &error_fatal);
/* By default ARM1176 CPUs have EL3 enabled. This board does not
* currently support EL3 so the CPU EL3 property is disabled before
diff --git a/hw/arm/mps3r.c b/hw/arm/mps3r.c
index 4d55a6564c..60c2138b4a 100644
--- a/hw/arm/mps3r.c
+++ b/hw/arm/mps3r.c
@@ -387,7 +387,8 @@ static void mps3r_common_init(MachineState *machine)
memory_region_add_subregion_overlap(&mms->cpu_sysmem[i], 0,
&mms->sysmem_alias[i], -1);
- mms->cpu[i] = object_new(machine->cpu_type);
+ mms->cpu[i] = object_new_dynamic(machine->cpu_type,
+ &error_fatal);
object_property_set_link(mms->cpu[i], "memory",
OBJECT(&mms->cpu_sysmem[i]), &error_abort);
object_property_set_int(mms->cpu[i], "reset-cbar",
diff --git a/hw/arm/realview.c b/hw/arm/realview.c
index b186f965c6..214c03fb20 100644
--- a/hw/arm/realview.c
+++ b/hw/arm/realview.c
@@ -116,7 +116,8 @@ static void realview_init(MachineState *machine,
}
for (n = 0; n < smp_cpus; n++) {
- Object *cpuobj = object_new(machine->cpu_type);
+ Object *cpuobj = object_new_dynamic(machine->cpu_type,
+ &error_fatal);
/* By default A9,A15 and ARM1176 CPUs have EL3 enabled. This board
* does not currently support EL3 so the CPU EL3 property is disabled
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index e3195d5449..a0006c9af0 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -767,7 +767,8 @@ static void sbsa_ref_init(MachineState *machine)
break;
}
- cpuobj = object_new(possible_cpus->cpus[n].type);
+ cpuobj = object_new_dynamic(possible_cpus->cpus[n].type,
+ &error_fatal);
object_property_set_int(cpuobj, "mp-affinity",
possible_cpus->cpus[n].arch_id, NULL);
diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
index d48235453e..eb77dfc593 100644
--- a/hw/arm/versatilepb.c
+++ b/hw/arm/versatilepb.c
@@ -205,7 +205,7 @@ static void versatile_init(MachineState *machine, int board_id)
exit(1);
}
- cpuobj = object_new(machine->cpu_type);
+ cpuobj = object_new_dynamic(machine->cpu_type, &error_fatal);
/* By default ARM1176 CPUs have EL3 enabled. This board does not
* currently support EL3 so the CPU EL3 property is disabled before
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index de815d84cc..98ad6299a8 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -217,7 +217,7 @@ static void init_cpus(MachineState *ms, const char *cpu_type,
/* Create the actual CPUs */
for (n = 0; n < smp_cpus; n++) {
- Object *cpuobj = object_new(cpu_type);
+ Object *cpuobj = object_new_dynamic(cpu_type, &error_abort);
if (!secure) {
object_property_set_bool(cpuobj, "has_el3", false, NULL);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 1a381e9a2b..f80ab50d41 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2125,7 +2125,8 @@ static void machvirt_init(MachineState *machine)
* we are about to deal with. Once this is done, get rid of
* the object.
*/
- cpuobj = object_new(possible_cpus->cpus[0].type);
+ cpuobj = object_new_dynamic(possible_cpus->cpus[0].type,
+ &error_fatal);
armcpu = ARM_CPU(cpuobj);
pa_bits = arm_pamax(armcpu);
@@ -2231,7 +2232,8 @@ static void machvirt_init(MachineState *machine)
break;
}
- cpuobj = object_new(possible_cpus->cpus[n].type);
+ cpuobj = object_new_dynamic(possible_cpus->cpus[n].type,
+ &error_fatal);
object_property_set_int(cpuobj, "mp-affinity",
possible_cpus->cpus[n].arch_id, NULL);
diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index fde4d946b7..40a725782d 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -218,7 +218,8 @@ static void zynq_init(MachineState *machine)
}
for (n = 0; n < smp_cpus; n++) {
- Object *cpuobj = object_new(machine->cpu_type);
+ Object *cpuobj = object_new_dynamic(machine->cpu_type,
+ &error_fatal);
object_property_set_int(cpuobj, "midr", ZYNQ_BOARD_MIDR,
&error_fatal);
diff --git a/hw/core/bus.c b/hw/core/bus.c
index b9d89495cd..2de714b274 100644
--- a/hw/core/bus.c
+++ b/hw/core/bus.c
@@ -163,7 +163,7 @@ BusState *qbus_new(const char *typename, DeviceState *parent, const char *name)
{
BusState *bus;
- bus = BUS(object_new(typename));
+ bus = BUS(object_new_dynamic(typename, &error_abort));
qbus_init_internal(bus, parent, name);
return bus;
diff --git a/hw/core/cpu-common.c b/hw/core/cpu-common.c
index 09c7903594..8768ae39ed 100644
--- a/hw/core/cpu-common.c
+++ b/hw/core/cpu-common.c
@@ -57,7 +57,7 @@ bool cpu_exists(int64_t id)
CPUState *cpu_create(const char *typename)
{
Error *err = NULL;
- CPUState *cpu = CPU(object_new(typename));
+ CPUState *cpu = CPU(object_new_dynamic(typename, &error_abort));
if (!qdev_realize(DEVICE(cpu), NULL, &err)) {
error_report_err(err);
object_unref(OBJECT(cpu));
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 0ba701f2ba..b32db8618e 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -146,7 +146,7 @@ bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp)
DeviceState *qdev_new(const char *name)
{
- return DEVICE(object_new(name));
+ return DEVICE(object_new_dynamic(name, &error_abort));
}
DeviceState *qdev_try_new(const char *name)
diff --git a/hw/i386/x86-common.c b/hw/i386/x86-common.c
index bc360a9ea4..df38235eeb 100644
--- a/hw/i386/x86-common.c
+++ b/hw/i386/x86-common.c
@@ -55,7 +55,10 @@ static size_t pvh_start_addr;
static void x86_cpu_new(X86MachineState *x86ms, int64_t apic_id, Error **errp)
{
- Object *cpu = object_new(MACHINE(x86ms)->cpu_type);
+ Object *cpu = object_new_dynamic(MACHINE(x86ms)->cpu_type, errp);
+ if (!cpu) {
+ return;
+ }
if (!object_property_set_uint(cpu, "apic-id", apic_id, errp)) {
goto out;
diff --git a/hw/i386/xen/xen-pvh.c b/hw/i386/xen/xen-pvh.c
index f1f02d3311..9aeb4e430b 100644
--- a/hw/i386/xen/xen-pvh.c
+++ b/hw/i386/xen/xen-pvh.c
@@ -28,7 +28,7 @@ struct XenPVHx86State {
static DeviceState *xen_pvh_cpu_new(MachineState *ms,
int64_t apic_id)
{
- Object *cpu = object_new(ms->cpu_type);
+ Object *cpu = object_new_dynamic(ms->cpu_type, &error_abort);
object_property_add_child(OBJECT(ms), "cpu[*]", cpu);
object_property_set_uint(cpu, "apic-id", apic_id, &error_fatal);
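Review bot: &error_abort is inconsistent with the &error_fatal used on the very next line for the apic-id property and with the other machine-init hunks in this patch (virt, zynq, e500, leon3, sun4m). ms->cpu_type is a user-chosen value, so an uninstantiable type is a configuration error rather than a programmer error, and &error_fatal fits better here.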
diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index e893363dc9..2f06193bcd 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -377,7 +377,10 @@ Object *icp_create(Object *cpu, const char *type, XICSFabric *xi, Error **errp)
{
Object *obj;
- obj = object_new(type);
+ obj = object_new_dynamic(type, errp);
+ if (!obj) {
+ return NULL;
+ }
object_property_add_child(cpu, type, obj);
object_unref(obj);
object_property_set_link(obj, ICP_PROP_XICS, OBJECT(xi), &error_abort);
diff --git a/hw/mips/cps.c b/hw/mips/cps.c
index 13046628cd..b8407bb191 100644
--- a/hw/mips/cps.c
+++ b/hw/mips/cps.c
@@ -74,7 +74,8 @@ static void mips_cps_realize(DeviceState *dev, Error **errp)
}
for (int i = 0; i < s->num_vp; i++) {
- MIPSCPU *cpu = MIPS_CPU(object_new(s->cpu_type));
+ MIPSCPU *cpu = MIPS_CPU(object_new_dynamic(s->cpu_type,
+ &error_abort));
CPUMIPSState *env = &cpu->env;
object_property_set_bool(OBJECT(cpu), "big-endian", s->cpu_is_bigendian,
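Review bot: mips_cps_realize() takes Error **errp, so the &error_abort can be replaced by real propagation, in the same shape the vfio_attach_device() hunk in this patch uses: `Object *obj = object_new_dynamic(s->cpu_type, errp); if (!obj) { return; } MIPSCPU *cpu = MIPS_CPU(obj);`. s->cpu_type is a device property, which is exactly the runtime-chosen case the new API is for.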
diff --git a/hw/pci-host/pnv_phb.c b/hw/pci-host/pnv_phb.c
index d4c118d443..6e833835d6 100644
--- a/hw/pci-host/pnv_phb.c
+++ b/hw/pci-host/pnv_phb.c
@@ -131,7 +131,10 @@ static void pnv_phb_realize(DeviceState *dev, Error **errp)
g_assert_not_reached();
}
- phb->backend = object_new(phb_typename);
+ phb->backend = object_new_dynamic(phb_typename, errp);
+ if (!phb->backend) {
+ return;
+ }
object_property_add_child(OBJECT(dev), "phb-backend", phb->backend);
/* Passthrough child device properties to the proxy device */
diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 46261223f3..8ba34f0972 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -939,7 +939,7 @@ void ppce500_init(MachineState *machine)
PowerPCCPU *cpu;
CPUState *cs;
- cpu = POWERPC_CPU(object_new(machine->cpu_type));
+ cpu = POWERPC_CPU(object_new_dynamic(machine->cpu_type, &error_fatal));
env = &cpu->env;
cs = CPU(cpu);
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index f0f0d7567d..75420c9413 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -1459,7 +1459,7 @@ static void pnv_chip_power8_instance_init(Object *obj)
chip8->num_phbs = pcc->num_phbs;
for (i = 0; i < chip8->num_phbs; i++) {
- Object *phb = object_new(TYPE_PNV_PHB);
+ Object *phb = object_new_dynamic(TYPE_PNV_PHB, &error_fatal);
/*
* We need the chip to parent the PHB to allow the DT
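Review bot: TYPE_PNV_PHB is a build-time constant string, which is the case the cover letter says should stay on object_new(); converting it to object_new_dynamic(TYPE_PNV_PHB, &error_fatal) opts out of the compile-time check that patch 5/8 adds for no gain. Unless the macro does not expand to a string literal, leave this line as `object_new(TYPE_PNV_PHB)`, and if it does not, say so in the commit message.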
@@ -2376,7 +2376,7 @@ static void pnv_chip_core_realize(PnvChip *chip, Error **errp)
continue;
}
- pnv_core = PNV_CORE(object_new(typename));
+ pnv_core = PNV_CORE(object_new_dynamic(typename, &error_fatal));
snprintf(core_name, sizeof(core_name), "core[%d]", core_hwid);
object_property_add_child(OBJECT(chip), core_name, OBJECT(pnv_core));
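Review bot: pnv_chip_core_realize() takes Error **errp, so &error_fatal here exits the process from inside a realize method instead of reporting through the caller. `typename` is computed at runtime, the case the new API exists for; prefer `object_new_dynamic(typename, errp)` with a NULL check and return, as pnv_core_realize() does in the next hunk.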
diff --git a/hw/ppc/pnv_core.c b/hw/ppc/pnv_core.c
index a30693990b..4c62103021 100644
--- a/hw/ppc/pnv_core.c
+++ b/hw/ppc/pnv_core.c
@@ -361,7 +361,10 @@ static void pnv_core_realize(DeviceState *dev, Error **errp)
PowerPCCPU *cpu;
PnvCPUState *pnv_cpu;
- obj = object_new(typename);
+ obj = object_new_dynamic(typename, &local_err);
+ if (!obj) {
+ goto err;
+ }
cpu = POWERPC_CPU(obj);
pc->threads[i] = POWERPC_CPU(obj);
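Review bot: the new `goto err` relies on the existing err: label both to move local_err into errp and to unwind the threads already stored in pc->threads[0..i-1]. Please confirm the label does both, since this jump happens before pc->threads[i] has been assigned and the label may assume every slot up to i is populated.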
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 5c02037c56..ca71242fb0 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2693,7 +2693,7 @@ static void spapr_init_cpus(SpaprMachineState *spapr)
}
if (i < boot_cores_nr) {
- Object *core = object_new(type);
+ Object *core = object_new_dynamic(type, &error_fatal);
int nr_threads = smp_threads;
/* Handle the partially filled core for older machine types */
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index ada439e831..aa9704e7ea 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -298,7 +298,10 @@ static PowerPCCPU *spapr_create_vcpu(SpaprCpuCore *sc, int i, Error **errp)
PowerPCCPU *cpu;
CPUPPCState *env;
- obj = object_new(scc->cpu_type);
+ obj = object_new_dynamic(scc->cpu_type, errp);
+ if (!obj) {
+ return NULL;
+ }
cs = CPU(obj);
cpu = POWERPC_CPU(obj);
diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 1484e3209d..56835ebf2b 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -554,7 +554,7 @@ static void drc_unrealize(DeviceState *d)
SpaprDrc *spapr_dr_connector_new(Object *owner, const char *type,
uint32_t id)
{
- SpaprDrc *drc = SPAPR_DR_CONNECTOR(object_new(type));
+ SpaprDrc *drc = SPAPR_DR_CONNECTOR(object_new_dynamic(type, &error_fatal));
g_autofree char *prop_name = NULL;
drc->id = id;
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index fe03f716f3..5441dc4c32 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -55,9 +55,15 @@ static Error *pv_mig_blocker;
static S390CPU *s390x_new_cpu(const char *typename, uint32_t core_id,
Error **errp)
{
- S390CPU *cpu = S390_CPU(object_new(typename));
+ Object *cpuobj = object_new_dynamic(typename, errp);
+ S390CPU *cpu = NULL;
S390CPU *ret = NULL;
+ if (!cpuobj) {
+ return NULL;
+ }
+
+ cpu = S390_CPU(cpuobj);
if (!object_property_set_int(OBJECT(cpu), "core-id", core_id, errp)) {
goto out;
}
diff --git a/hw/sparc/leon3.c b/hw/sparc/leon3.c
index 6aaa04cb19..519169af1e 100644
--- a/hw/sparc/leon3.c
+++ b/hw/sparc/leon3.c
@@ -277,7 +277,7 @@ static void leon3_generic_hw_init(MachineState *machine)
for (i = 0; i < machine->smp.cpus; i++) {
/* Init CPU */
- cpu = SPARC_CPU(object_new(machine->cpu_type));
+ cpu = SPARC_CPU(object_new_dynamic(machine->cpu_type, &error_fatal));
qdev_init_gpio_in_named(DEVICE(cpu), leon3_start_cpu, "start_cpu", 1);
qdev_init_gpio_in_named(DEVICE(cpu), leon3_set_pil_in, "pil", 1);
qdev_realize(DEVICE(cpu), NULL, &error_fatal);
diff --git a/hw/sparc/sun4m.c b/hw/sparc/sun4m.c
index d52e6a7213..c7e47af1d5 100644
--- a/hw/sparc/sun4m.c
+++ b/hw/sparc/sun4m.c
@@ -802,7 +802,7 @@ static void cpu_devinit(const char *cpu_type, unsigned int id,
SPARCCPU *cpu;
CPUSPARCState *env;
- cpu = SPARC_CPU(object_new(cpu_type));
+ cpu = SPARC_CPU(object_new_dynamic(cpu_type, &error_fatal));
env = &cpu->env;
qemu_register_reset(sun4m_cpu_reset, cpu);
diff --git a/hw/sparc64/sparc64.c b/hw/sparc64/sparc64.c
index 3091cde586..9e032e6124 100644
--- a/hw/sparc64/sparc64.c
+++ b/hw/sparc64/sparc64.c
@@ -272,7 +272,7 @@ SPARCCPU *sparc64_cpu_devinit(const char *cpu_type, uint64_t prom_addr)
uint32_t stick_frequency = 100 * 1000000;
uint32_t hstick_frequency = 100 * 1000000;
- cpu = SPARC_CPU(object_new(cpu_type));
+ cpu = SPARC_CPU(object_new_dynamic(cpu_type, &error_fatal));
qdev_init_gpio_in_named(DEVICE(cpu), sparc64_cpu_set_ivec_irq,
"ivec-irq", IVEC_MAX);
qdev_realize(DEVICE(cpu), NULL, &error_fatal);
diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index dcef44fe55..9799fd8627 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -1550,7 +1550,11 @@ bool vfio_attach_device(char *name, VFIODevice *vbasedev,
if (!vbasedev->mdev) {
- hiod = HOST_IOMMU_DEVICE(object_new(ops->hiod_typename));
+ Object *obj = object_new_dynamic(ops->hiod_typename, errp);
+ if (!obj) {
+ return false;
+ }
+ hiod = HOST_IOMMU_DEVICE(obj);
vbasedev->hiod = hiod;
}
diff --git a/hw/vfio/container.c b/hw/vfio/container.c
index 9ccdb639ac..6642d2f79b 100644
--- a/hw/vfio/container.c
+++ b/hw/vfio/container.c
@@ -419,6 +419,7 @@ static VFIOContainer *vfio_create_container(int fd, VFIOGroup *group,
{
int iommu_type;
const char *vioc_name;
+ Object *obj;
VFIOContainer *container;
iommu_type = vfio_get_iommu_type(fd, errp);
@@ -432,7 +433,11 @@ static VFIOContainer *vfio_create_container(int fd, VFIOGroup *group,
vioc_name = vfio_get_iommu_class_name(iommu_type);
- container = VFIO_IOMMU_LEGACY(object_new(vioc_name));
+ obj = object_new_dynamic(vioc_name, errp);
+ if (!obj) {
+ return NULL;
+ }
+ container = VFIO_IOMMU_LEGACY(obj);
container->fd = fd;
container->iommu_type = iommu_type;
return container;
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index 4a8e269fef..a32855659e 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -203,7 +203,10 @@ ObjectPropertyInfoList *qmp_qom_list_properties(const char *typename,
if (object_class_is_abstract(klass)) {
object_class_property_iter_init(&iter, klass);
} else {
- obj = object_new(typename);
+ obj = object_new_dynamic(typename, errp);
+ if (!obj) {
+ return NULL;
+ }
object_property_iter_init(&iter, obj);
}
while ((prop = object_property_iter_next(&iter))) {
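Review bot: with errp now propagated, the remaining failure on this branch is not the abstract case (handled by the object_class_is_abstract() branch above) but any other instantiation restriction, such as the singleton classes the cover letter mentions. That makes this the QMP entry point where a user-supplied typename previously reached object_new()'s assert, so it is worth calling out in the commit message as the user-facing fix in this patch.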
diff --git a/target/arm/arm-qmp-cmds.c b/target/arm/arm-qmp-cmds.c
index 3cc8cc738b..61024f480d 100644
--- a/target/arm/arm-qmp-cmds.c
+++ b/target/arm/arm-qmp-cmds.c
@@ -150,7 +150,10 @@ CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
}
}
- obj = object_new(object_class_get_name(oc));
+ obj = object_new_dynamic(object_class_get_name(oc), errp);
+ if (!obj) {
+ return NULL;
+ }
if (model->props) {
Visitor *visitor;
diff --git a/target/loongarch/loongarch-qmp-cmds.c b/target/loongarch/loongarch-qmp-cmds.c
index 782fd511fd..5f565e2236 100644
--- a/target/loongarch/loongarch-qmp-cmds.c
+++ b/target/loongarch/loongarch-qmp-cmds.c
@@ -83,7 +83,10 @@ CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
return NULL;
}
- obj = object_new(object_class_get_name(oc));
+ obj = object_new_dynamic(object_class_get_name(oc), errp);
+ if (!obj) {
+ return NULL;
+ }
expansion_info = g_new0(CpuModelExpansionInfo, 1);
expansion_info->model = g_malloc0(sizeof(*expansion_info->model));
diff --git a/target/mips/cpu.c b/target/mips/cpu.c
index d0a43b6d5c..1bf872c3e0 100644
--- a/target/mips/cpu.c
+++ b/target/mips/cpu.c
@@ -648,7 +648,7 @@ MIPSCPU *mips_cpu_create_with_clock(const char *cpu_type, Clock *cpu_refclk,
{
DeviceState *cpu;
- cpu = DEVICE(object_new(cpu_type));
+ cpu = DEVICE(object_new_dynamic(cpu_type, &error_abort));
qdev_connect_clock_in(cpu, "clk-in", cpu_refclk);
object_property_set_bool(OBJECT(cpu), "big-endian", is_big_endian,
&error_abort);
diff --git a/target/riscv/riscv-qmp-cmds.c b/target/riscv/riscv-qmp-cmds.c
index d363dc318d..61f30b6bc6 100644
--- a/target/riscv/riscv-qmp-cmds.c
+++ b/target/riscv/riscv-qmp-cmds.c
@@ -188,7 +188,10 @@ CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
return NULL;
}
- obj = object_new(object_class_get_name(oc));
+ obj = object_new_dynamic(object_class_get_name(oc), errp);
+ if (!obj) {
+ return NULL;
+ }
riscv_check_if_cpu_available(RISCV_CPU(obj), &local_err);
if (local_err != NULL) {
diff --git a/target/xtensa/cpu.c b/target/xtensa/cpu.c
index 6f9039abae..3e036a1191 100644
--- a/target/xtensa/cpu.c
+++ b/target/xtensa/cpu.c
@@ -204,7 +204,7 @@ XtensaCPU *xtensa_cpu_create_with_clock(const char *cpu_type, Clock *cpu_refclk)
{
DeviceState *cpu;
- cpu = DEVICE(object_new(cpu_type));
+ cpu = DEVICE(object_new_dynamic(cpu_type, &error_abort));
qdev_connect_clock_in(cpu, "clk-in", cpu_refclk);
qdev_realize(cpu, NULL, &error_abort);
diff --git a/tests/unit/check-qom-interface.c b/tests/unit/check-qom-interface.c
index c99be97ed8..e4532ae814 100644
--- a/tests/unit/check-qom-interface.c
+++ b/tests/unit/check-qom-interface.c
@@ -13,6 +13,7 @@
#include "qom/object.h"
#include "qemu/module.h"
+#include "qapi/error.h"
#define TYPE_TEST_IF "test-interface"
@@ -67,7 +68,7 @@ static const TypeInfo intermediate_impl_info = {
static void test_interface_impl(const char *type)
{
- Object *obj = object_new(type);
+ Object *obj = object_new_dynamic(type, &error_abort);
TestIf *iobj = TEST_IF(obj);
TestIfClass *ioc = TEST_IF_GET_CLASS(iobj);
diff --git a/tests/unit/test-smp-parse.c b/tests/unit/test-smp-parse.c
index f9bccb56ab..f4893d5f24 100644
--- a/tests/unit/test-smp-parse.c
+++ b/tests/unit/test-smp-parse.c
@@ -1008,7 +1008,7 @@ static void machine_full_topo_class_init(ObjectClass *oc, void *data)
static void test_generic_valid(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
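Review bot: these hunks introduce &error_abort into test-smp-parse.c, but unlike check-qom-interface.c no `#include "qapi/error.h"` is added. If the file does not already pull it in transitively the build will fail on the first test; worth checking rather than relying on an indirect include.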
@@ -1027,7 +1027,7 @@ static void test_generic_valid(const void *opaque)
static void test_generic_invalid(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1046,7 +1046,7 @@ static void test_generic_invalid(const void *opaque)
static void test_with_modules(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1096,7 +1096,7 @@ static void test_with_modules(const void *opaque)
static void test_with_dies(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1146,7 +1146,7 @@ static void test_with_dies(const void *opaque)
static void test_with_modules_dies(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1207,7 +1207,7 @@ static void test_with_modules_dies(const void *opaque)
static void test_with_clusters(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1257,7 +1257,7 @@ static void test_with_clusters(const void *opaque)
static void test_with_books(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1307,7 +1307,7 @@ static void test_with_books(const void *opaque)
static void test_with_drawers(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1357,7 +1357,7 @@ static void test_with_drawers(const void *opaque)
static void test_with_drawers_books(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
@@ -1418,7 +1418,7 @@ static void test_with_drawers_books(const void *opaque)
static void test_full_topo(const void *opaque)
{
const char *machine_type = opaque;
- Object *obj = object_new(machine_type);
+ Object *obj = object_new_dynamic(machine_type, &error_abort);
MachineState *ms = MACHINE(obj);
MachineClass *mc = MACHINE_GET_CLASS(obj);
SMPTestData data = {};
--
2.46.0
* [PATCH v2 5/8] qom: enforce use of static, const string with object_new()
2024-11-11 15:55 [PATCH v2 0/8] Require error handling for dynamically created objects Daniel P. Berrangé
` (3 preceding siblings ...)
2024-11-11 15:55 ` [PATCH v2 4/8] convert code to object_new_dynamic() where appropriate Daniel P. Berrangé
@ 2024-11-11 15:55 ` Daniel P. Berrangé
2024-11-14 20:28 ` Peter Xu
2024-11-11 15:55 ` [PATCH v2 6/8] qom: introduce qdev_new_dynamic() Daniel P. Berrangé
` (2 subsequent siblings)
7 siblings, 1 reply; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu,
Daniel P. Berrangé
Since object_new() will assert(), it should only be used in scenarios
where the caller knows exactly what type it is asking to be created,
and can thus be confident in avoiding abstract types.
Enforce this by using a macro wrapper which tries to paste "" to the
type name. This will generate a compile error if not passed a static
const string, forcing callers to use object_new_dynamic() instead.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qom/object.h | 12 +++++++++++-
qom/object.c | 3 ++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/qom/object.h b/include/qom/object.h
index 4fc01336c4..2d5a0d84b5 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -637,7 +637,17 @@ Object *object_new_with_class(ObjectClass *klass, Error **errp);
*
* Returns: The newly allocated and instantiated object.
*/
-Object *object_new(const char *typename);
+
+/*
+ * NB, object_new_internal is just an internal helper, wrapped by
+ * the object_new() macro which prevents invokation unless given
+ * a static, const string.
+ *
+ * Code should call object_new(), or object_new_dynamic(), not
+ * object_new_internal().
+ */
+Object *object_new_internal(const char *typename);
+#define object_new(typename) object_new_internal(typename "")
/**
* object_new_dynamic:
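Review bot: two issues with the header hunk. First, the existing kernel-doc block for object_new() (ending in "Returns: The newly allocated and instantiated object.") is now followed by a blank line and a new plain comment, so it no longer sits directly above the symbol it documents; move the `object_new_internal` prototype and the macro so the doc block stays adjacent, or fold the new comment into that block. Second, "invokation" should be "invocation". It would also help to state why the `typename ""` paste is there: concatenation with an empty literal is only valid for a string literal, so any pointer argument becomes a compile error.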
diff --git a/qom/object.c b/qom/object.c
index 2e6e6495c6..645f560ec8 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -799,7 +799,8 @@ Object *object_new_with_class(ObjectClass *klass, Error **errp)
return object_new_with_type(klass->type, errp);
}
-Object *object_new(const char *typename)
+/* Only to be called via the 'object_new' macro */
+Object *object_new_internal(const char *typename)
{
TypeImpl *ti = type_get_or_load_by_name(typename, &error_fatal);
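Review bot: object_new_internal() still resolves the type with &error_fatal. Now that the macro guarantees the name is a build-time literal, an unknown name looks like the kind of unambiguous programmer error the cover letter says should assert, while an abstract literal already does. If the fatal exit is intended (for example a literal naming a type that is compiled out), say so in the comment above the function so the two failure modes are deliberately different rather than accidentally so.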
--
2.46.0
* [PATCH v2 6/8] qom: introduce qdev_new_dynamic()
2024-11-11 15:55 [PATCH v2 0/8] Require error handling for dynamically created objects Daniel P. Berrangé
` (4 preceding siblings ...)
2024-11-11 15:55 ` [PATCH v2 5/8] qom: enforce use of static, const string with object_new() Daniel P. Berrangé
@ 2024-11-11 15:55 ` Daniel P. Berrangé
2024-11-14 20:47 ` Peter Xu
2024-11-11 15:55 ` [PATCH v2 7/8] convert code to qdev_new_dynamic() where appropriate Daniel P. Berrangé
2024-11-11 15:55 ` [PATCH v2 8/8] hw: enforce use of static, const string with qdev_new() Daniel P. Berrangé
7 siblings, 1 reply; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu,
Daniel P. Berrangé
qdev_new() has a failure scenario where it will assert() if given
an abstract type. Callers which are creating qdevs based on user
input, or unknown/untrusted type names, must manually check the
result of qdev_class_is_abstract() before calling qdev_new()
to propagate an Error, instead of asserting.
Introduce a qdev_new_dynamic() method which is a counterpart to
qdev_new() that directly returns an Error, instead of asserting.
This new method is to be used where the typename is specified
dynamically by code separate from the immediate caller.
Do likewise with qdev_try_new_dynamic() as a counterpart to
qdev_try_new().
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/core/qdev.c | 14 +++++++++++
include/hw/qdev-core.h | 54 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index b32db8618e..10a7b87c3d 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -149,6 +149,11 @@ DeviceState *qdev_new(const char *name)
return DEVICE(object_new_dynamic(name, &error_abort));
}
+DeviceState *qdev_new_dynamic(const char *name, Error **errp)
+{
+ return DEVICE(object_new_dynamic(name, errp));
+}
+
DeviceState *qdev_try_new(const char *name)
{
ObjectClass *oc = module_object_class_by_name(name);
@@ -158,6 +163,15 @@ DeviceState *qdev_try_new(const char *name)
return DEVICE(object_new_with_class(oc, &error_abort));
}
+DeviceState *qdev_try_new_dynamic(const char *name, Error **errp)
+{
+ ObjectClass *oc = module_object_class_by_name(name);
+ if (!oc) {
+ return NULL;
+ }
+ return DEVICE(object_new_with_class(oc, errp));
+}
+
static QTAILQ_HEAD(, DeviceListener) device_listeners
= QTAILQ_HEAD_INITIALIZER(device_listeners);
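Review bot: qdev_try_new_dynamic() returns NULL without touching errp when module_object_class_by_name() fails, but NULL with errp set when object_new_with_class() rejects the type. A caller that writes `dev = qdev_try_new_dynamic(name, errp); if (!dev) { return NULL; }` therefore propagates a failure with *errp unset on the lookup-miss path, which breaks the Error convention that a failing call sets *errp. Either document explicitly that callers must distinguish the two NULLs, or set an error on the miss path as well and let callers that want the old "try" semantics check for it.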
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 5be9844412..68ebaec058 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -435,26 +435,80 @@ compat_props_add(GPtrArray *arr,
* qdev_new: Create a device on the heap
* @name: device type to create (we assert() that this type exists)
*
+ * This method should be used where @name is statically specified
+ * from a const string at build time, where the caller does not expect
+ * failure to be possible.
+ *
* This only allocates the memory and initializes the device state
* structure, ready for the caller to set properties if they wish.
* The device still needs to be realized.
*
+ * If an instance of @name is not permitted to be instantiated, an
+ * assert will be raised. This can happen if @name is abstract.
+ *
* Return: a derived DeviceState object with a reference count of 1.
*/
DeviceState *qdev_new(const char *name);
+/**
+ * qdev_new_dynamic: Create a device on the heap
+ * @name: device type to create (we assert() that this type exists)
+ * @errp: pointer to be filled with error details on failure
+ *
+ * This method must be used where @name is dynamically chosen
+ * at runtime, which has the possibility of unexpected choices leading
+ * to failures.
+ *
+ * This only allocates the memory and initializes the device state
+ * structure, ready for the caller to set properties if they wish.
+ * The device still needs to be realized.
+ *
+ * If an instance of @name is not permitted to be instantiated, an
+ * error will be reported. This can happen if @name is abstract.
+ *
+ * Return: a derived DeviceState object with a reference count of 1.
+ */
+DeviceState *qdev_new_dynamic(const char *name, Error **errp);
+
/**
* qdev_try_new: Try to create a device on the heap
* @name: device type to create
*
+ * This method should be used where @name is statically specified
+ * from a const string at build time, where the caller does not expect
+ * failure to be possible.
+ *
* This is like qdev_new(), except it returns %NULL when type @name
* does not exist, rather than asserting.
*
+ * If an instance of @name is not permitted to be instantiated, an
+ * assert will be raised. This can happen if @name is abstract.
+ *
* Return: a derived DeviceState object with a reference count of 1 or
* NULL if type @name does not exist.
*/
DeviceState *qdev_try_new(const char *name);
+/**
+ * qdev_try_new_dynamic: Try to create a device on the heap
+ * @name: device type to create
+ * @errp: pointer to be filled with error details on failure
+ *
+ * This method must be used where @name is dynamically chosen
+ * at runtime, which has the possibility of unexpected choices leading
+ * to failures.
+ *
+ * This is like qdev_new_dynamic(), except it returns %NULL when type @name
+ * does not exist, rather than asserting.
+ *
+ * If an instance of @name is not permitted to be instantiated, an
+ * error will be reported. This can happen if @name is abstract.
+ *
+ * Return: a derived DeviceState object with a reference count of 1 or
+ * NULL if type @name does not exist.
+ */
+DeviceState *qdev_try_new_dynamic(const char *name, Error **errp);
+
/**
* qdev_is_realized() - check if device is realized
* @dev: The device to check.
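Review bot: the new qdev_new_dynamic() doc keeps "@name: device type to create (we assert() that this type exists)" copied from qdev_new(), while the body says failures are reported via @errp. State which applies to an unknown type name: an assert, or an error through @errp. Likewise qdev_try_new_dynamic() should say that @errp is left untouched when @name does not exist, since that is what the implementation does, so readers know a NULL return does not imply *errp is set.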
--
2.46.0
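An added example, not code from this series or from QEMU, written to show the API shape that patches 5/8 and 6/8 above propose: a literal-only object_new() macro, an errp-reporting object_new_dynamic(), and a try_new_dynamic() whose lookup miss leaves errp untouched. The registry, the type names ("device", "e1000", "virtio-blk"), ERROR_ABORT and the tiny Error type are invented for the demo and are not QEMU's.

```c
/* Added example, not code from this series or from QEMU. It models the
 * object_new()/object_new_dynamic() split of patch 5/8 and the lookup-miss
 * behaviour of qdev_try_new_dynamic() from patch 6/8. The type registry,
 * the type names and the minimal Error type are invented for the demo. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct Error { const char *msg; } Error;
static Error error_abort_sentinel;          /* stand-in for QEMU's &error_abort */
#define ERROR_ABORT (&error_abort_sentinel)

static void error_setg(Error **errp, const char *msg)
{
    if (errp == ERROR_ABORT) {
        abort();                            /* programmer error: crash loudly */
    }
    if (errp && !*errp) {
        *errp = malloc(sizeof(**errp));
        (*errp)->msg = msg;
    }
}

typedef struct TypeImpl { const char *name; bool abstract; } TypeImpl;
typedef struct Object { const TypeImpl *type; } Object;
/* Constructed registry: "device" is abstract, the other two are concrete. */
static const TypeImpl type_table[] = {
    { "device", true }, { "e1000", false }, { "virtio-blk", false },
};

static const TypeImpl *type_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(type_table) / sizeof(type_table[0]); i++) {
        if (strcmp(type_table[i].name, name) == 0) {
            return &type_table[i];
        }
    }
    return NULL;
}

/* Build-time-known names only: an unknown or abstract type is a bug, so assert. */
static Object *object_new_internal(const char *typename)
{
    const TypeImpl *ti = type_lookup(typename);
    assert(ti != NULL && !ti->abstract);
    Object *obj = calloc(1, sizeof(*obj));
    obj->type = ti;
    return obj;
}

/* Patch 5/8's trick: `typename ""` is only valid C for a string literal, so
 * object_new(some_pointer) is a compile error, not a runtime assert. */
#define object_new(typename) object_new_internal(typename "")

/* Runtime-chosen names: report through errp instead of asserting. */
static Object *object_new_dynamic(const char *typename, Error **errp)
{
    const TypeImpl *ti = type_lookup(typename);
    if (!ti) {
        error_setg(errp, "unknown type");
        return NULL;
    }
    if (ti->abstract) {
        error_setg(errp, "cannot create instance of abstract type");
        return NULL;
    }
    Object *obj = calloc(1, sizeof(*obj));
    obj->type = ti;
    return obj;
}

/* Model of qdev_try_new_dynamic(): a lookup miss returns NULL with errp left
 * untouched, an abstract hit returns NULL with errp set, so a caller that only
 * tests the return value cannot tell the two apart. */
static Object *try_new_dynamic(const char *typename, Error **errp)
{
    return type_lookup(typename) ? object_new_dynamic(typename, errp) : NULL;
}

/* 0 = created, 1 = NULL with an error set, 2 = NULL with errp untouched. */
static int outcome(Object *(*ctor)(const char *, Error **), const char *name)
{
    Error *err = NULL;
    Object *obj = ctor(name, &err);
    int rc = obj ? 0 : (err ? 1 : 2);
    free(obj);
    free(err);
    return rc;
}

int main(void)
{
    Object *nic = object_new("e1000");      /* literal: compiles, never fails */
    /* Object *bad = object_new(getenv("T"));   would be rejected at build time */
    printf("%s created; dynamic(device)=%d try(nope)=%d\n", nic->type->name,
           outcome(object_new_dynamic, "device"), outcome(try_new_dynamic, "nope"));
    free(nic);
    return 0;
}
```

Uncommenting the getenv() line shows the build-time rejection: the compiler stops with a message along the lines of "expected ')' before string constant", which is the whole effect of the `typename ""` paste. The outcome() codes also make the qdev_try_new_dynamic() ambiguity concrete: an unknown name yields 2 (NULL, errp untouched) while an abstract one yields 1, so a caller that checks only for NULL and then dereferences *errp would crash on the first case.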
* [PATCH v2 7/8] convert code to qdev_new_dynamic() where appropriate
2024-11-11 15:55 [PATCH v2 0/8] Require error handling for dynamically created objects Daniel P. Berrangé
` (5 preceding siblings ...)
2024-11-11 15:55 ` [PATCH v2 6/8] qom: introduce qdev_new_dynamic() Daniel P. Berrangé
@ 2024-11-11 15:55 ` Daniel P. Berrangé
2024-11-14 21:00 ` Peter Xu
2024-11-11 15:55 ` [PATCH v2 8/8] hw: enforce use of static, const string with qdev_new() Daniel P. Berrangé
7 siblings, 1 reply; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu,
Daniel P. Berrangé
In cases where qdev_new() is not being passed a static, const
string, the caller cannot be sure what type they are instantiating.
There is a risk that instantiation could fail, if it is an abstract
type.
Convert such cases over to use qdev_new_dynamic() such that they
are forced to expect failure. In some cases failure can be easily
propagated, but in others using &error_abort or &error_fatal will
maintain existing behaviour.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/arm/aspeed.c | 2 +-
hw/arm/npcm7xx_boards.c | 2 +-
hw/arm/sbsa-ref.c | 4 ++--
hw/arm/vexpress.c | 2 +-
hw/arm/virt.c | 4 ++--
hw/audio/soundhw.c | 2 +-
hw/block/xen-block.c | 7 ++++++-
hw/core/sysbus.c | 2 +-
hw/i2c/core.c | 2 +-
hw/isa/isa-bus.c | 4 ++--
hw/pci/pci.c | 2 +-
hw/ppc/pnv.c | 2 +-
hw/s390x/s390-virtio-ccw.c | 2 +-
hw/scsi/scsi-bus.c | 5 ++++-
hw/ssi/ssi.c | 2 +-
include/hw/usb.h | 4 ++--
include/qom/object.h | 4 ++--
net/net.c | 4 ++--
system/qdev-monitor.c | 5 ++++-
19 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index 71196b0a4b..19dbcee64a 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -320,7 +320,7 @@ void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype,
DriveInfo *dinfo = drive_get(IF_MTD, 0, unit0 + i);
DeviceState *dev;
- dev = qdev_new(flashtype);
+ dev = qdev_new_dynamic(flashtype, &error_fatal);
if (dinfo) {
qdev_prop_set_drive(dev, "drive", blk_by_legacy_dinfo(dinfo));
}
diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
index e229efb447..098beeab63 100644
--- a/hw/arm/npcm7xx_boards.c
+++ b/hw/arm/npcm7xx_boards.c
@@ -83,7 +83,7 @@ static void npcm7xx_connect_flash(NPCM7xxFIUState *fiu, int cs_no,
DeviceState *flash;
qemu_irq flash_cs;
- flash = qdev_new(flash_type);
+ flash = qdev_new_dynamic(flash_type, &error_fatal);
if (dinfo) {
qdev_prop_set_drive(flash, "drive", blk_by_legacy_dinfo(dinfo));
}
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index a0006c9af0..12e0a70981 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -419,7 +419,7 @@ static void create_its(SBSAMachineState *sms)
const char *itsclass = its_class_name();
DeviceState *dev;
- dev = qdev_new(itsclass);
+ dev = qdev_new_dynamic(itsclass, &error_fatal);
object_property_set_link(OBJECT(dev), "parent-gicv3", OBJECT(sms->gic),
&error_abort);
@@ -438,7 +438,7 @@ static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
gictype = gicv3_class_name();
- sms->gic = qdev_new(gictype);
+ sms->gic = qdev_new_dynamic(gictype, &error_fatal);
qdev_prop_set_uint32(sms->gic, "revision", 3);
qdev_prop_set_uint32(sms->gic, "num-cpu", smp_cpus);
/*
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index 98ad6299a8..e13c66b838 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -239,7 +239,7 @@ static void init_cpus(MachineState *ms, const char *cpu_type,
* this must happen after the CPUs are created because a15mpcore_priv
* wires itself up to the CPU's generic_timer gpio out lines.
*/
- dev = qdev_new(privdev);
+ dev = qdev_new_dynamic(privdev, &error_fatal);
qdev_prop_set_uint32(dev, "num-cpu", smp_cpus);
busdev = SYS_BUS_DEVICE(dev);
sysbus_realize_and_unref(busdev, &error_fatal);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index f80ab50d41..57b1735380 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -715,7 +715,7 @@ static void create_its(VirtMachineState *vms)
return;
}
- dev = qdev_new(itsclass);
+ dev = qdev_new_dynamic(itsclass, &error_fatal);
object_property_set_link(OBJECT(dev), "parent-gicv3", OBJECT(vms->gic),
&error_abort);
@@ -791,7 +791,7 @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
default:
g_assert_not_reached();
}
- vms->gic = qdev_new(gictype);
+ vms->gic = qdev_new_dynamic(gictype, &error_fatal);
qdev_prop_set_uint32(vms->gic, "revision", revision);
qdev_prop_set_uint32(vms->gic, "num-cpu", smp_cpus);
/* Note that the num-irq property counts both internal and external
diff --git a/hw/audio/soundhw.c b/hw/audio/soundhw.c
index d18fd9fa05..17ed3a8084 100644
--- a/hw/audio/soundhw.c
+++ b/hw/audio/soundhw.c
@@ -132,7 +132,7 @@ void soundhw_init(void)
}
if (c->typename) {
- DeviceState *dev = qdev_new(c->typename);
+ DeviceState *dev = qdev_new_dynamic(c->typename, &error_fatal);
qdev_prop_set_string(dev, "audiodev", audiodev_id);
qdev_realize_and_unref(dev, bus, &error_fatal);
} else {
diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
index aed1d5c330..fd5fa7b6e7 100644
--- a/hw/block/xen-block.c
+++ b/hw/block/xen-block.c
@@ -1034,6 +1034,7 @@ static void xen_block_device_create(XenBackendInstance *backend,
XenDevice *xendev = NULL;
const char *type;
XenBlockDevice *blockdev;
+ DeviceState *dev;
if (qemu_strtoul(name, NULL, 10, &number)) {
error_setg(errp, "failed to parse name '%s'", name);
@@ -1075,7 +1076,11 @@ static void xen_block_device_create(XenBackendInstance *backend,
goto fail;
}
- xendev = XEN_DEVICE(qdev_new(type));
+ dev = qdev_new_dynamic(type, errp);
+ if (!dev) {
+ goto fail;
+ }
+ xendev = XEN_DEVICE(dev);
blockdev = XEN_BLOCK_DEVICE(xendev);
if (!object_property_set_str(OBJECT(xendev), "vdev", vdev,
diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index e64d99c8ed..e472a969f1 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -221,7 +221,7 @@ DeviceState *sysbus_create_varargs(const char *name,
qemu_irq irq;
int n;
- dev = qdev_new(name);
+ dev = qdev_new_dynamic(name, &error_fatal);
s = SYS_BUS_DEVICE(dev);
sysbus_realize_and_unref(s, &error_fatal);
if (addr != (hwaddr)-1) {
diff --git a/hw/i2c/core.c b/hw/i2c/core.c
index 4cf30b2c86..a430f4e767 100644
--- a/hw/i2c/core.c
+++ b/hw/i2c/core.c
@@ -369,7 +369,7 @@ I2CSlave *i2c_slave_new(const char *name, uint8_t addr)
{
DeviceState *dev;
- dev = qdev_new(name);
+ dev = qdev_new_dynamic(name, &error_fatal);
qdev_prop_set_uint8(dev, "address", addr);
return I2C_SLAVE(dev);
}
diff --git a/hw/isa/isa-bus.c b/hw/isa/isa-bus.c
index f1e0f14007..11795df8cf 100644
--- a/hw/isa/isa-bus.c
+++ b/hw/isa/isa-bus.c
@@ -155,12 +155,12 @@ int isa_register_portio_list(ISADevice *dev,
ISADevice *isa_new(const char *name)
{
- return ISA_DEVICE(qdev_new(name));
+ return ISA_DEVICE(qdev_new_dynamic(name, &error_fatal));
}
ISADevice *isa_try_new(const char *name)
{
- return ISA_DEVICE(qdev_try_new(name));
+ return ISA_DEVICE(qdev_try_new_dynamic(name, &error_fatal));
}
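Review bot: isa_try_new() now passes &error_fatal to qdev_try_new_dynamic(), and only keeps its NULL-on-missing-type contract because that helper deliberately leaves errp untouched on a lookup miss; an abstract type, by contrast, now exits instead of asserting. That coupling deserves a one-line comment here, since nothing in isa_try_new() makes it obvious that &error_fatal covers only the abstract-type case and not the "type does not exist" case callers probe for.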
ISADevice *isa_create_simple(ISABus *bus, const char *name)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 1416ae202c..51338320c1 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -2186,7 +2186,7 @@ static PCIDevice *pci_new_internal(int devfn, bool multifunction,
{
DeviceState *dev;
- dev = qdev_new(name);
+ dev = qdev_new_dynamic(name, &error_fatal);
qdev_prop_set_int32(dev, "addr", devfn);
qdev_prop_set_bit(dev, "multifunction", multifunction);
return PCI_DEVICE(dev);
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index 75420c9413..e81c562967 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -1115,7 +1115,7 @@ static void pnv_init(MachineState *machine)
pnv->chips = g_new0(PnvChip *, pnv->num_chips);
for (i = 0; i < pnv->num_chips; i++) {
char chip_name[32];
- Object *chip = OBJECT(qdev_new(chip_typename));
+ Object *chip = OBJECT(qdev_new_dynamic(chip_typename, &error_fatal));
uint64_t chip_ram_size = pnv_chip_get_ram_size(pnv, i);
pnv->chips[i] = PNV_CHIP(chip);
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 5441dc4c32..b276b5e77f 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -242,7 +242,7 @@ static void s390_create_sclpconsole(SCLPDevice *sclp,
BusState *ev_fac_bus = sclp_get_event_facility_bus(ef);
DeviceState *dev;
- dev = qdev_new(type);
+ dev = qdev_new_dynamic(type, &error_fatal);
object_property_add_child(OBJECT(ef), type, OBJECT(dev));
qdev_prop_set_chr(dev, "chardev", chardev);
qdev_realize_and_unref(dev, ev_fac_bus, &error_fatal);
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 53eff5dd3d..23be8ebca4 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -396,7 +396,10 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
driver = "scsi-hd";
}
}
- dev = qdev_new(driver);
+ dev = qdev_new_dynamic(driver, errp);
+ if (!dev) {
+ return NULL;
+ }
name = g_strdup_printf("legacy[%d]", unit);
object_property_add_child(OBJECT(bus), name, OBJECT(dev));
g_free(name);
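Review bot: the early `return NULL` is safe as far as the visible context goes, since `name` is only allocated after this call, and propagating `errp` is right because `driver` is caller-supplied. One point for the commit message: if `scsi_bus_legacy_add_drive()` previously carried an explicit `object_class_is_abstract()` check on `driver`, it is now redundant and should be dropped in this same patch so the two code paths do not report the same condition with different messages.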
diff --git a/hw/ssi/ssi.c b/hw/ssi/ssi.c
index 3f357e8f16..712bb1781c 100644
--- a/hw/ssi/ssi.c
+++ b/hw/ssi/ssi.c
@@ -141,7 +141,7 @@ bool ssi_realize_and_unref(DeviceState *dev, SSIBus *bus, Error **errp)
DeviceState *ssi_create_peripheral(SSIBus *bus, const char *name)
{
- DeviceState *dev = qdev_new(name);
+ DeviceState *dev = qdev_new_dynamic(name, &error_fatal);
ssi_realize_and_unref(dev, bus, &error_fatal);
return dev;
diff --git a/include/hw/usb.h b/include/hw/usb.h
index d46d96779a..97d76b11c0 100644
--- a/include/hw/usb.h
+++ b/include/hw/usb.h
@@ -581,12 +581,12 @@ void usb_pcap_data(USBPacket *p, bool setup);
static inline USBDevice *usb_new(const char *name)
{
- return USB_DEVICE(qdev_new(name));
+ return USB_DEVICE(qdev_new_dynamic(name, &error_fatal));
}
static inline USBDevice *usb_try_new(const char *name)
{
- return USB_DEVICE(qdev_try_new(name));
+ return USB_DEVICE(qdev_try_new_dynamic(name, &error_fatal));
}
static inline bool usb_realize_and_unref(USBDevice *dev, USBBus *bus, Error **errp)
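Review bot: `usb_try_new()` promises NULL on an unknown type but now exits fatally on an abstract one, the same inconsistency as the ISA wrapper. Since these are `static inline` wrappers in a header, a macro such as `#define usb_new(name) USB_DEVICE(qdev_new(name))` would let literal callers keep the build-time check from patch 8/8 instead of routing every caller through the `_dynamic` path with `&error_fatal`.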
diff --git a/include/qom/object.h b/include/qom/object.h
index 2d5a0d84b5..4e660da84a 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -654,7 +654,7 @@ Object *object_new_internal(const char *typename);
* @typename: The name of the type of the object to instantiate.
* @errp: pointer to be filled with error details on failure
*
- * This method should be used where @typename is dynamically chosen
+ * This method must be used where @typename is dynamically chosen
* at runtime, which has the possibility of unexpected choices leading
* to failures.
*
@@ -663,7 +663,7 @@ Object *object_new_internal(const char *typename);
* the last reference is dropped.
*
* If an instance of @typename is not permitted to be instantiated, an
- * error will be raised. This can happen if @typename is abstract.
+ * error will be reported. This can happen if @typename is abstract.
*
* Returns: The newly allocated and instantiated object.
*/
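Review bot: the `Returns:` line still reads only "The newly allocated and instantiated object", but with an `Error **errp` parameter the function also returns NULL on failure; it should say "or NULL on failure, with @errp set", mirroring the "or NULL if type @name does not exist" wording used in the `qdev_try_new()` doc comment in patch 8/8.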
diff --git a/net/net.c b/net/net.c
index fbbfe602a4..fa89ec8e03 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1175,7 +1175,7 @@ DeviceState *qemu_create_nic_device(const char *typename, bool match_default,
return NULL;
}
- dev = qdev_new(typename);
+ dev = qdev_new_dynamic(typename, &error_fatal);
qdev_set_nic_properties(dev, nd);
return dev;
}
@@ -1225,7 +1225,7 @@ void qemu_create_nic_bus_devices(BusState *bus, const char *parent_type,
continue;
}
- dev = qdev_new(model);
+ dev = qdev_new_dynamic(model, &error_fatal);
qdev_set_nic_properties(dev, nd);
qdev_realize_and_unref(dev, bus, &error_fatal);
}
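Review bot: `model` on this path is the NIC model string, which is user-chosen, so this is exactly the case the cover letter describes: a mistyped or abstract model name now fails with a readable message instead of tripping an assert. `&error_fatal` is appropriate because the function has no `errp` to propagate into and runs during board setup, but the commit message should say so explicitly rather than "maintain existing behaviour", since the old behaviour was an abort.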
diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
index 4c09b38ffb..3138192cf8 100644
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@@ -686,7 +686,10 @@ DeviceState *qdev_device_add_from_qdict(const QDict *opts,
}
/* create device */
- dev = qdev_new(driver);
+ dev = qdev_new_dynamic(driver, errp);
+ if (!dev) {
+ return NULL;
+ }
/* Check whether the hotplug is allowed by the machine */
if (phase_check(PHASE_MACHINE_READY)) {
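Review bot: with `qdev_new_dynamic()` reporting abstract types through `errp`, any earlier `object_class_is_abstract()` check on `driver` in `qdev_device_add_from_qdict()` becomes redundant and should be removed in the same patch; this is the cleanup patch 2/8's message says the conversion enables, and leaving both produces two different error texts for the same `device_add` mistake.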
--
2.46.0
* [PATCH v2 8/8] hw: enforce use of static, const string with qdev_new()
2024-11-11 15:55 [PATCH v2 0/8] Require error handling for dynamically created objects Daniel P. Berrangé
` (6 preceding siblings ...)
2024-11-11 15:55 ` [PATCH v2 7/8] convert code to qdev_new_dynamic() where appropriate Daniel P. Berrangé
@ 2024-11-11 15:55 ` Daniel P. Berrangé
7 siblings, 0 replies; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-11 15:55 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Markus Armbruster, Peter Xu,
Daniel P. Berrangé
Since qdev_new() will assert(), it should only be used in scenarios
where the caller knows exactly what type it is asking to be created,
and can thus be confident in avoiding abstract types.
Enforce this by using a macro wrapper which tries to paste "" to the
type name. This will generate a compile error if not passed a static
const string, forcing callers to use qdev_new_dynamic() instead.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/core/qdev.c | 6 ++++--
include/hw/qdev-core.h | 24 ++++++++++++++++++++++--
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 10a7b87c3d..d561478437 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -144,7 +144,8 @@ bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp)
return true;
}
-DeviceState *qdev_new(const char *name)
+/* Only to be called via the 'qdev_new' macro */
+DeviceState *qdev_new_internal(const char *name)
{
return DEVICE(object_new_dynamic(name, &error_abort));
}
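Review bot: `qdev_new_internal()` remains an exported, ordinary function, so the literal-only guarantee holds only for code that goes through the `qdev_new()` macro; nothing stops a caller from writing `qdev_new_internal(name)` directly with a runtime string and inheriting the `&error_abort` behaviour. A checkpatch rule rejecting direct `_internal(` calls outside `hw/core/qdev.c` and the header would close that gap cheaply.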
@@ -154,7 +155,8 @@ DeviceState *qdev_new_dynamic(const char *name, Error **errp)
return DEVICE(object_new_dynamic(name, errp));
}
-DeviceState *qdev_try_new(const char *name)
+/* Only to be called via the 'qdev_try_new' macro */
+DeviceState *qdev_try_new_internal(const char *name)
{
ObjectClass *oc = module_object_class_by_name(name);
if (!oc) {
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 68ebaec058..6d9f6ba805 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -448,7 +448,17 @@ compat_props_add(GPtrArray *arr,
*
* Return: a derived DeviceState object with a reference count of 1.
*/
-DeviceState *qdev_new(const char *name);
+
+/*
+ * NB, qdev_new_internal is just an internal helper, wrapped by
+ * the qdev_new() macro which prevents invokation unless given
+ * a static, const string.
+ *
+ * Code should call qdev_new(), or qdev_new_dynamic(), not
+ * qdev_new_internal().
+ */
+DeviceState *qdev_new_internal(const char *name);
+#define qdev_new(name) qdev_new_internal(name "")
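Review bot: "invokation" in the new comment should be "invocation". It is also worth a comment that `name` is deliberately left unparenthesised in `qdev_new_internal(name "")`: a well-meaning "parenthesise macro arguments" cleanup to `(name) ""` would break every caller, because adjacent-literal concatenation applies only to bare literal tokens. Finally, the `/** ... */` doc block ending just above now sits over a blank line and the NB comment rather than directly over `qdev_new`; keep the doc attached to the macro so the documentation tooling still picks it up.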
/**
* qdev_new_dynamic: Create a device on the heap
@@ -487,7 +497,17 @@ DeviceState *qdev_new_dynamic(const char *name, Error **errp);
* Return: a derived DeviceState object with a reference count of 1 or
* NULL if type @name does not exist.
*/
-DeviceState *qdev_try_new(const char *name);
+
+/*
+ * NB, qdev_try_new_internal is just an internal helper, wrapped by
+ * the qdev_try_new() macro which prevents invokation unless given
+ * a static, const string.
+ *
+ * Code should call qdev_try_new(), or qdev_try_new_dynamic(), not
+ * qdev_try_new_internal().
+ */
+DeviceState *qdev_try_new_internal(const char *name);
+#define qdev_try_new(name) qdev_try_new_internal(name "")
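Review bot: same "invokation" typo here. The "Return:" text above, "NULL if type @name does not exist", remains accurate for the macro, but once callers can no longer pass a runtime name the main use case of a "try" variant, probing whether an optional, runtime-chosen type exists, is gone; that lines up with the later discussion in this thread about removing the `_try_` helpers altogether.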
/**
* qdev_try_new_dynamic: Try to create a device on the heap
--
2.46.0
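The following is an added, stand-alone C model of the two-tier creation API this series proposes; it is example code written for this page, not QEMU's own implementation. `Error`, `error_setg()`, the class table, the object layout and the `TYPE_E1000` macro are simplified stand-ins (assumptions), not the real QOM or QAPI definitions. It shows the compile-time `name ""` literal guard beside the runtime-checked `_dynamic` variant, and runs the latter over constructed "user input" of the kind a `-device` or `device_add` would supply.

```c
/* Added example, not QEMU code: simplified model of object_new() vs
 * object_new_dynamic(). Error, class table and object layout are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for QEMU's Error/errp convention: a NULL errp discards the error. */
typedef struct Error { char msg[128]; } Error;

static void error_setg(Error **errp, const char *fmt, const char *arg)
{
    Error *err;
    if (!errp) {
        return;
    }
    err = calloc(1, sizeof(*err));
    if (!err) {
        abort();
    }
    snprintf(err->msg, sizeof(err->msg), fmt, arg);
    *errp = err;
}

static void error_free(Error *err) { free(err); }

/* Constructed class table: abstract classes exist only to be inherited. */
typedef struct ObjectClass { const char *name; bool abstract; } ObjectClass;

static const ObjectClass classes[] = {
    { "device",     true  },
    { "pci-device", true  },
    { "e1000",      false },
    { "scsi-hd",    false },
};

static const ObjectClass *object_class_by_name(const char *type_name)
{
    size_t i;
    for (i = 0; i < sizeof(classes) / sizeof(classes[0]); i++) {
        if (strcmp(classes[i].name, type_name) == 0) {
            return &classes[i];
        }
    }
    return NULL;
}

typedef struct Object { const ObjectClass *klass; } Object;

/* Runtime-checked variant: for names chosen at runtime (CLI, QMP, config).
 * Unknown and abstract types are reported through errp, never asserted. */
Object *object_new_dynamic(const char *type_name, Error **errp)
{
    const ObjectClass *oc = object_class_by_name(type_name);
    Object *obj;
    if (!oc) {
        error_setg(errp, "unknown type '%s'", type_name);
        return NULL;
    }
    if (oc->abstract) {
        error_setg(errp, "cannot instantiate abstract type '%s'", type_name);
        return NULL;
    }
    obj = calloc(1, sizeof(*obj));
    if (!obj) {
        abort();
    }
    obj->klass = oc;
    return obj;
}

void object_unref(Object *obj) { free(obj); }

/* Build-time-guarded variant: only reachable through the object_new() macro,
 * so any failure is a programmer error and aborts (QEMU would use &error_abort). */
Object *object_new_internal(const char *type_name)
{
    Object *obj = object_new_dynamic(type_name, NULL);
    if (!obj) {
        abort();
    }
    return obj;
}

/* 'name ""' compiles only when name is a string literal: "e1000" "" is joined by
 * the compiler, whereas  const char *n = ...; object_new(n);  is a syntax error. */
#define object_new(name) object_new_internal(name "")

#define TYPE_E1000 "e1000"   /* assumed TYPE_* style literal macro */

/* Returns 0 on success, 1 for an unknown type, 2 for an abstract type. */
int try_dynamic_create(const char *type_name)
{
    Error *err = NULL;
    Object *obj = object_new_dynamic(type_name, &err);
    int rc;
    if (!obj) {
        rc = strncmp(err->msg, "unknown", 7) == 0 ? 1 : 2;
        fprintf(stderr, "object_new_dynamic(\"%s\"): %s\n", type_name, err->msg);
        error_free(err);
        return rc;
    }
    object_unref(obj);
    return 0;
}

/* Static-name path; returns the class name the object was created with. */
const char *literal_create_name(void)
{
    Object *obj = object_new(TYPE_E1000);
    const char *name = obj->klass->name;   /* points into the static table */
    object_unref(obj);
    return name;
}

int main(void)
{
    /* Constructed "user input", as -device driver= or device_add would give. */
    const char *user_choices[] = { "e1000", "device", "nosuch", "scsi-hd" };
    size_t i;
    for (i = 0; i < sizeof(user_choices) / sizeof(user_choices[0]); i++) {
        printf("%-8s -> rc=%d\n", user_choices[i], try_dynamic_create(user_choices[i]));
    }
    printf("literal path created: %s\n", literal_create_name());
    return 0;
}
```

The split mirrors the series: `object_new()` is only usable with a literal, so its abort is unreachable from untrusted input, while every runtime-chosen name must go through `object_new_dynamic()` and handle the `Error`. Uncommenting a call such as `object_new(user_choices[0])` makes the build fail at the macro, which is the whole point of the guard.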
* Re: [PATCH v2 1/8] qom: refactor checking abstract property when creating instances
2024-11-11 15:55 ` [PATCH v2 1/8] qom: refactor checking abstract property when creating instances Daniel P. Berrangé
@ 2024-11-14 19:58 ` Peter Xu
2024-11-15 10:41 ` Daniel P. Berrangé
0 siblings, 1 reply; 18+ messages in thread
From: Peter Xu @ 2024-11-14 19:58 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:48PM +0000, Daniel P. Berrangé wrote:
> @@ -753,7 +761,7 @@ typedef union {
> } qemu_max_align_t;
> #endif
>
> -static Object *object_new_with_type(Type type)
> +static Object *object_new_with_type(Type type, Error **errp)
> {
> Object *obj;
> size_t size, align;
> @@ -777,7 +785,10 @@ static Object *object_new_with_type(Type type)
> obj_free = qemu_vfree;
> }
>
> - object_initialize_with_type(obj, size, type);
> + if (!object_initialize_with_type(obj, size, type, errp)) {
> + g_free(obj);
obj_free(obj)?
> + return NULL;
> + }
> obj->free = obj_free;
>
> return obj;
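Review bot: the failure path frees with `g_free()` while the allocation may have come from the aligned allocator (the `obj_free = qemu_vfree;` branch visible just above), so the deallocator on this path must be `obj_free(obj)`, as Peter notes. A mismatched allocate/free pair is undefined behaviour and an easy heap-corruption bug to miss, precisely because the error path is rarely exercised.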
--
Peter Xu
* Re: [PATCH v2 2/8] qom: allow failure of object_new_with_class
2024-11-11 15:55 ` [PATCH v2 2/8] qom: allow failure of object_new_with_class Daniel P. Berrangé
@ 2024-11-14 20:04 ` Peter Xu
0 siblings, 0 replies; 18+ messages in thread
From: Peter Xu @ 2024-11-14 20:04 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:49PM +0000, Daniel P. Berrangé wrote:
> Since object_new_with_class() accepts a non-const parameter for
> the class, callers should be prepared for failures from unexpected
> input. Add an Error parameter for this and make callers check.
> If the caller does not already have an Error parameter, it is
> satisfactory to use &error_abort if the class parameter choice is
> not driven by untrusted user input.
>
> This conversion allows removal of any object_class_is_abstract()
> checks immediately before object_new_with_class().
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
--
Peter Xu
* Re: [PATCH v2 3/8] qom: introduce object_new_dynamic()
2024-11-11 15:55 ` [PATCH v2 3/8] qom: introduce object_new_dynamic() Daniel P. Berrangé
@ 2024-11-14 20:15 ` Peter Xu
0 siblings, 0 replies; 18+ messages in thread
From: Peter Xu @ 2024-11-14 20:15 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:50PM +0000, Daniel P. Berrangé wrote:
> object_new() has a failure scenario where it will assert() if given
> an abstract type. Callers which are creating objects based on user
> input, or unknown/untrusted type names, must manually check the
> result of object_class_is_abstract() before calling object_new()
> to propagate an Error, instead of asserting.
>
> Introduce a object_new_dynamic() method which is a counterpart to
> object_new() that directly returns an Error, instead of asserting.
> This new method is to be used where the typename is specified
> dynamically by code separate from the immediate caller.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
--
Peter Xu
* Re: [PATCH v2 4/8] convert code to object_new_dynamic() where appropriate
2024-11-11 15:55 ` [PATCH v2 4/8] convert code to object_new_dynamic() where appropriate Daniel P. Berrangé
@ 2024-11-14 20:24 ` Peter Xu
0 siblings, 0 replies; 18+ messages in thread
From: Peter Xu @ 2024-11-14 20:24 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:51PM +0000, Daniel P. Berrangé wrote:
> In cases where object_new() is not being passed a static, const
> string, the caller cannot be sure what type they are instantiating.
> There is a risk that instantiation could fail, if it is an abstract
> type.
>
> Convert such cases over to use object_new_dynamic() such that they
> are forced to expect failure. In some cases failure can be easily
> propagated, but in others using &error_abort or &error_fatal will
> maintain existing behaviour.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
--
Peter Xu
* Re: [PATCH v2 5/8] qom: enforce use of static, const string with object_new()
2024-11-11 15:55 ` [PATCH v2 5/8] qom: enforce use of static, const string with object_new() Daniel P. Berrangé
@ 2024-11-14 20:28 ` Peter Xu
0 siblings, 0 replies; 18+ messages in thread
From: Peter Xu @ 2024-11-14 20:28 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:52PM +0000, Daniel P. Berrangé wrote:
> Since object_new() will assert(), it should only be used in scenarios
> where the caller knows exactly what type it is asking to be created,
> and can thus be confident in avoiding abstract types.
>
> Enforce this by using a macro wrapper which tries to paste "" to the
> type name. This will generate a compile error if not passed a static
> const string, forcing callers to use object_new_dynamic() instead.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
--
Peter Xu
* Re: [PATCH v2 6/8] qom: introduce qdev_new_dynamic()
2024-11-11 15:55 ` [PATCH v2 6/8] qom: introduce qdev_new_dynamic() Daniel P. Berrangé
@ 2024-11-14 20:47 ` Peter Xu
2024-11-15 17:26 ` Daniel P. Berrangé
0 siblings, 1 reply; 18+ messages in thread
From: Peter Xu @ 2024-11-14 20:47 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:53PM +0000, Daniel P. Berrangé wrote:
> qdev_new() has a failure scenario where it will assert() if given
> an abstract type. Callers which are creating qdevs based on user
> input, or unknown/untrusted type names, must manually check the
> result of qdev_class_is_abstract() before calling qdev_new()
> to propagate an Error, instead of asserting.
>
> Introduce a qdev_new_dynamic() method which is a counterpart to
> qdev_new() that directly returns an Error, instead of asserting.
> This new method is to be used where the typename is specified
> dynamically by code separate from the immediate caller.
>
> Do likewise with qdev_try_new_dynamic() as a counterpart to
> qdev_try_new().
While at it, would it make sense to simply replace qdev_try_new() with
qdev_new_dynamic(), assuming it plays a similar role as the "it can fail" version
of qdev_new()?
Then instead of four helpers, we stick with two helpers, one that asserts
the qdev new will succeed (qdev_new()), the other one that allows any kind
of errors (qdev_new_dynamic()). Then we can drop qdev_try_new()
altogether, and avoid adding one more for it too.
The four qdev_try_new() call sites can still pass in errp==NULL, which
should be the old behavior, so we don't need to touch the isa/usb callers.
PS: looks like usb_try_new() only has one caller... so maybe it could be
dropped altogether...
--
Peter Xu
* Re: [PATCH v2 7/8] convert code to qdev_new_dynamic() where appropriate
2024-11-11 15:55 ` [PATCH v2 7/8] convert code to qdev_new_dynamic() where appropriate Daniel P. Berrangé
@ 2024-11-14 21:00 ` Peter Xu
0 siblings, 0 replies; 18+ messages in thread
From: Peter Xu @ 2024-11-14 21:00 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Mon, Nov 11, 2024 at 03:55:54PM +0000, Daniel P. Berrangé wrote:
> In cases where qdev_new() is not being passed a static, const
> string, the caller cannot be sure what type they are instantiating.
> There is a risk that instantiation could fail, if it is an abstract
> type.
>
> Convert such cases over to use qdev_new_dynamic() such that they
> are forced to expect failure. In some cases failure can be easily
> propagated, but in others using &error_abort or &error_fatal will
> maintain existing behaviour.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
--
Peter Xu
* Re: [PATCH v2 1/8] qom: refactor checking abstract property when creating instances
2024-11-14 19:58 ` Peter Xu
@ 2024-11-15 10:41 ` Daniel P. Berrangé
0 siblings, 0 replies; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-15 10:41 UTC (permalink / raw)
To: Peter Xu; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Thu, Nov 14, 2024 at 02:58:56PM -0500, Peter Xu wrote:
> On Mon, Nov 11, 2024 at 03:55:48PM +0000, Daniel P. Berrangé wrote:
> > @@ -753,7 +761,7 @@ typedef union {
> > } qemu_max_align_t;
> > #endif
> >
> > -static Object *object_new_with_type(Type type)
> > +static Object *object_new_with_type(Type type, Error **errp)
> > {
> > Object *obj;
> > size_t size, align;
> > @@ -777,7 +785,10 @@ static Object *object_new_with_type(Type type)
> > obj_free = qemu_vfree;
> > }
> >
> > - object_initialize_with_type(obj, size, type);
> > + if (!object_initialize_with_type(obj, size, type, errp)) {
> > + g_free(obj);
>
> obj_free(obj)?
Oops, yes indeed.
>
> > + return NULL;
> > + }
> > obj->free = obj_free;
> >
> > return obj;
>
> --
> Peter Xu
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
* Re: [PATCH v2 6/8] qom: introduce qdev_new_dynamic()
2024-11-14 20:47 ` Peter Xu
@ 2024-11-15 17:26 ` Daniel P. Berrangé
0 siblings, 0 replies; 18+ messages in thread
From: Daniel P. Berrangé @ 2024-11-15 17:26 UTC (permalink / raw)
To: Peter Xu; +Cc: qemu-devel, Paolo Bonzini, Markus Armbruster
On Thu, Nov 14, 2024 at 03:47:20PM -0500, Peter Xu wrote:
> On Mon, Nov 11, 2024 at 03:55:53PM +0000, Daniel P. Berrangé wrote:
> > qdev_new() has a failure scenario where it will assert() if given
> > an abstract type. Callers which are creating qdevs based on user
> > input, or unknown/untrusted type names, must manually check the
> > result of qdev_class_is_abstract() before calling qdev_new()
> > to propagate an Error, instead of asserting.
> >
> > Introduce a qdev_new_dynamic() method which is a counterpart to
> > qdev_new() that directly returns an Error, instead of asserting.
> > This new method is to be used where the typename is specified
> > dynamically by code separate from the immediate caller.
> >
> > Do likewise with qdev_try_new_dynamic() as a counterpart to
> > qdev_try_new().
>
> Since at it, would it make sense to simply replace qdev_try_new() with
> qdev_new_dynamic(), assuming it plays similar role of "it can fail" version
> of qdev_new()?
That is tricky as callers of qdev_try_new have to distinguish between
expected failures and unexpected failures.
That said you made me look at the usage patterns and I concluded these
xxx_try_new() methods are a bad design for other reasons, so I have
simply eliminated them entirely in v3.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|