d71a243220
Setting errp = NULL is wrong: the automatic error propagation still propagates the dangling pointer _auto_errp_prop.local_err. We need to set *errp = NULL to clear the dangling pointer. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210125132635.1253219-1-armbru@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
/*
 * QEMU Error Objects
 *
 * Copyright IBM, Corp. 2011
 * Copyright (C) 2011-2015 Red Hat, Inc.
 *
 * Authors:
 *  Anthony Liguori   <aliguori@us.ibm.com>
 *  Markus Armbruster <armbru@redhat.com>
 *
 * This work is licensed under the terms of the GNU LGPL, version 2.  See
 * the COPYING.LIB file in the top-level directory.
 */
|
|
|
|
/*
|
|
* Error reporting system loosely patterned after Glib's GError.
|
|
*
|
|
* = Rules =
|
|
*
|
|
* - Functions that use Error to report errors have an Error **errp
|
|
* parameter. It should be the last parameter, except for functions
|
|
* taking variable arguments.
|
|
*
|
|
* - You may pass NULL to not receive the error, &error_abort to abort
|
|
* on error, &error_fatal to exit(1) on error, or a pointer to a
|
|
* variable containing NULL to receive the error.
|
|
*
|
|
* - Separation of concerns: the function is responsible for detecting
|
|
* errors and failing cleanly; handling the error is its caller's
|
|
* job. Since the value of @errp is about handling the error, the
|
|
* function should not examine it.
|
|
*
|
|
* - The function may pass @errp to functions it calls to pass on
|
|
* their errors to its caller. If it dereferences @errp to check
|
|
* for errors, it must use ERRP_GUARD().
|
|
*
|
|
* - On success, the function should not touch *errp. On failure, it
|
|
* should set a new error, e.g. with error_setg(errp, ...), or
|
|
* propagate an existing one, e.g. with error_propagate(errp, ...).
|
|
*
|
|
* - Whenever practical, also return a value that indicates success /
|
|
* failure. This can make the error checking more concise, and can
|
|
* avoid useless error object creation and destruction. Note that
|
|
* we still have many functions returning void. We recommend
|
|
* • bool-valued functions return true on success / false on failure,
|
|
* • pointer-valued functions return non-null / null pointer, and
|
|
* • integer-valued functions return non-negative / negative.
|
|
*
|
|
* = Creating errors =
|
|
*
|
|
* Create an error:
|
|
* error_setg(errp, "situation normal, all fouled up");
|
|
* where @errp points to the location to receive the error.
|
|
*
|
|
* Create an error and add additional explanation:
|
|
* error_setg(errp, "invalid quark");
|
|
* error_append_hint(errp, "Valid quarks are up, down, strange, "
|
|
* "charm, top, bottom.\n");
|
|
* This may require use of ERRP_GUARD(); more on that below.
|
|
*
|
|
* Do *not* contract this to
|
|
* error_setg(errp, "invalid quark\n" // WRONG!
|
|
* "Valid quarks are up, down, strange, charm, top, bottom.");
|
|
*
|
|
* = Reporting and destroying errors =
|
|
*
|
|
* Report an error to the current monitor if we have one, else stderr:
|
|
* error_report_err(err);
|
|
* This frees the error object.
|
|
*
|
|
* Likewise, but with additional text prepended:
|
|
* error_reportf_err(err, "Could not frobnicate '%s': ", name);
|
|
*
|
|
* Report an error somewhere else:
|
|
* const char *msg = error_get_pretty(err);
|
|
* do with msg what needs to be done...
|
|
* error_free(err);
|
|
* Note that this loses hints added with error_append_hint().
|
|
*
|
|
* Call a function ignoring errors:
|
|
* foo(arg, NULL);
|
|
* This is more concise than
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* error_free(err); // don't do this
|
|
*
|
|
* Call a function aborting on errors:
|
|
* foo(arg, &error_abort);
|
|
* This is more concise and fails more nicely than
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* assert(!err); // don't do this
|
|
*
|
|
* Call a function treating errors as fatal:
|
|
* foo(arg, &error_fatal);
|
|
* This is more concise than
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* if (err) { // don't do this
|
|
* error_report_err(err);
|
|
* exit(1);
|
|
* }
|
|
*
|
|
* Handle an error without reporting it (just for completeness):
|
|
* error_free(err);
|
|
*
|
|
* Assert that an expected error occurred, but clean it up without
|
|
* reporting it (primarily useful in testsuites):
|
|
* error_free_or_abort(&err);
|
|
*
|
|
* = Passing errors around =
|
|
*
|
|
* Errors get passed to the caller through the conventional @errp
|
|
* parameter.
|
|
*
|
|
* Create a new error and pass it to the caller:
|
|
* error_setg(errp, "situation normal, all fouled up");
|
|
*
|
|
* Call a function, receive an error from it, and pass it to the caller
|
|
* - when the function returns a value that indicates failure, say
|
|
* false:
|
|
* if (!foo(arg, errp)) {
|
|
* handle the error...
|
|
* }
|
|
* - when it does not, say because it is a void function:
|
|
* ERRP_GUARD();
|
|
* foo(arg, errp);
|
|
* if (*errp) {
|
|
* handle the error...
|
|
* }
|
|
* More on ERRP_GUARD() below.
|
|
*
|
|
* Code predating ERRP_GUARD() still exists, and looks like this:
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* if (err) {
|
|
* handle the error...
|
|
* error_propagate(errp, err); // deprecated
|
|
* }
|
|
* Avoid in new code. Do *not* "optimize" it to
|
|
* foo(arg, errp);
|
|
* if (*errp) { // WRONG!
|
|
* handle the error...
|
|
* }
|
|
* because errp may be NULL without the ERRP_GUARD() guard.
|
|
*
|
|
* But when all you do with the error is pass it on, please use
|
|
* foo(arg, errp);
|
|
* for readability.
|
|
*
|
|
* Receive an error, and handle it locally
|
|
* - when the function returns a value that indicates failure, say
|
|
* false:
|
|
* Error *err = NULL;
|
|
* if (!foo(arg, &err)) {
|
|
* handle the error...
|
|
* }
|
|
* - when it does not, say because it is a void function:
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* if (err) {
|
|
* handle the error...
|
|
* }
|
|
*
|
|
* Pass an existing error to the caller:
|
|
* error_propagate(errp, err);
|
|
* This is rarely needed. When @err is a local variable, use of
|
|
* ERRP_GUARD() commonly results in more readable code.
|
|
*
|
|
* Pass an existing error to the caller with the message modified:
|
|
* error_propagate_prepend(errp, err,
|
|
* "Could not frobnicate '%s': ", name);
|
|
* This is more concise than
|
|
* error_propagate(errp, err); // don't do this
|
|
* error_prepend(errp, "Could not frobnicate '%s': ", name);
|
|
* and works even when @errp is &error_fatal.
|
|
*
|
|
* Receive and accumulate multiple errors (first one wins):
|
|
* Error *err = NULL, *local_err = NULL;
|
|
* foo(arg, &err);
|
|
* bar(arg, &local_err);
|
|
* error_propagate(&err, local_err);
|
|
* if (err) {
|
|
* handle the error...
|
|
* }
|
|
*
|
|
* Do *not* "optimize" this to
|
|
* Error *err = NULL;
|
|
* foo(arg, &err);
|
|
* bar(arg, &err); // WRONG!
|
|
* if (err) {
|
|
* handle the error...
|
|
* }
|
|
* because this may pass a non-null err to bar().
|
|
*
|
|
* Likewise, do *not*
|
|
* Error *err = NULL;
|
|
* if (cond1) {
|
|
* error_setg(&err, ...);
|
|
* }
|
|
* if (cond2) {
|
|
* error_setg(&err, ...); // WRONG!
|
|
* }
|
|
* because this may pass a non-null err to error_setg().
|
|
*
|
|
* = Why, when and how to use ERRP_GUARD() =
|
|
*
|
|
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
|
|
* - It must not be dereferenced, because it may be null.
|
|
* - It should not be passed to error_prepend() or
|
|
* error_append_hint(), because that doesn't work with &error_fatal.
|
|
* ERRP_GUARD() lifts these restrictions.
|
|
*
|
|
* To use ERRP_GUARD(), add it right at the beginning of the function.
|
|
* @errp can then be used without worrying about the argument being
|
|
* NULL or &error_fatal.
|
|
*
|
|
* Using it when it's not needed is safe, but please avoid cluttering
|
|
* the source with useless code.
|
|
*
|
|
* = Converting to ERRP_GUARD() =
|
|
*
|
|
* To convert a function to use ERRP_GUARD():
|
|
*
|
|
* 0. If the Error ** parameter is not named @errp, rename it to
|
|
* @errp.
|
|
*
|
|
* 1. Add an ERRP_GUARD() invocation, by convention right at the
|
|
* beginning of the function. This makes @errp safe to use.
|
|
*
|
|
* 2. Replace &err by errp, and err by *errp. Delete local variable
|
|
* @err.
|
|
*
|
|
* 3. Delete error_propagate(errp, *errp), replace
|
|
* error_propagate_prepend(errp, *errp, ...) by error_prepend(errp, ...)
|
|
*
|
|
* 4. Ensure @errp is valid at return: when you destroy *errp, set
|
|
* *errp = NULL.
|
|
*
|
|
* Example:
|
|
*
|
|
* bool fn(..., Error **errp)
|
|
* {
|
|
* Error *err = NULL;
|
|
*
|
|
* foo(arg, &err);
|
|
* if (err) {
|
|
* handle the error...
|
|
* error_propagate(errp, err);
|
|
* return false;
|
|
* }
|
|
* ...
|
|
* }
|
|
*
|
|
* becomes
|
|
*
|
|
* bool fn(..., Error **errp)
|
|
* {
|
|
* ERRP_GUARD();
|
|
*
|
|
* foo(arg, errp);
|
|
* if (*errp) {
|
|
* handle the error...
|
|
* return false;
|
|
* }
|
|
* ...
|
|
* }
|
|
*
|
|
* For mass-conversion, use scripts/coccinelle/errp-guard.cocci.
|
|
*/
|
|
|
|
#ifndef ERROR_H
|
|
#define ERROR_H
|
|
|
|
#include "qapi/qapi-types-error.h"
|
|
|
|
/*
 * Overall category of an error.
 * Based on the qapi type QapiErrorClass, but reproduced here for nicer
 * enum names.
 * Every enumerator is assigned the matching QAPI_ERROR_CLASS_* value,
 * so the two enums compare equal and can be converted without a table.
 */
typedef enum ErrorClass {
    ERROR_CLASS_GENERIC_ERROR = QAPI_ERROR_CLASS_GENERICERROR,
    ERROR_CLASS_COMMAND_NOT_FOUND = QAPI_ERROR_CLASS_COMMANDNOTFOUND,
    ERROR_CLASS_DEVICE_NOT_ACTIVE = QAPI_ERROR_CLASS_DEVICENOTACTIVE,
    ERROR_CLASS_DEVICE_NOT_FOUND = QAPI_ERROR_CLASS_DEVICENOTFOUND,
    ERROR_CLASS_KVM_MISSING_CAP = QAPI_ERROR_CLASS_KVMMISSINGCAP,
} ErrorClass;
|
|
|
|
/*
 * Get @err's human-readable error message.
 * The message does not include hints added with error_append_hint();
 * those are only shown by error_report_err() / warn_report_err().
 */
const char *error_get_pretty(const Error *err);

/*
 * Get @err's error class.
 * Note: use of error classes other than ERROR_CLASS_GENERIC_ERROR is
 * strongly discouraged.
 */
ErrorClass error_get_class(const Error *err);
|
|
|
|
/*
 * Create a new error object and assign it to *@errp.
 * If @errp is NULL, the error is ignored.  Don't bother creating one
 * then.
 * If @errp is &error_abort, print a suitable message and abort().
 * If @errp is &error_fatal, print a suitable message and exit(1).
 * If @errp is anything else, *@errp must be NULL.
 * The new error's class is ERROR_CLASS_GENERIC_ERROR, and its
 * human-readable error message is made from printf-style @fmt, ...
 * The resulting message should be a single phrase, with no newline or
 * trailing punctuation.
 * @fmt should be a string literal, never text received from outside;
 * GCC_FMT_ATTR(5, 6) on error_setg_internal() lets the compiler check
 * the variadic arguments against it.
 * Please don't error_setg(&error_fatal, ...), use error_report() and
 * exit(), because that's more obvious.
 * Likewise, don't error_setg(&error_abort, ...), use assert().
 */
/*
 * The macro records the call site (__FILE__, __LINE__, __func__) for
 * error_setg_internal().  Call the macro, not the _internal function.
 */
#define error_setg(errp, fmt, ...) \
    error_setg_internal((errp), __FILE__, __LINE__, __func__, \
                        (fmt), ## __VA_ARGS__)
void error_setg_internal(Error **errp,
                         const char *src, int line, const char *func,
                         const char *fmt, ...)
    GCC_FMT_ATTR(5, 6);
|
|
|
|
/*
 * Just like error_setg(), with @os_error info added to the message.
 * If @os_error is non-zero, ": " + strerror(os_error) is appended to
 * the human-readable error message.
 * @os_error is typically the errno value saved right after the failing
 * call.
 *
 * The value of errno (which usually can get clobbered by almost any
 * function call) will be preserved.
 */
/* Like error_setg(), the macro records the call site for the _internal function. */
#define error_setg_errno(errp, os_error, fmt, ...) \
    error_setg_errno_internal((errp), __FILE__, __LINE__, __func__, \
                              (os_error), (fmt), ## __VA_ARGS__)
void error_setg_errno_internal(Error **errp,
                               const char *fname, int line, const char *func,
                               int os_error, const char *fmt, ...)
    GCC_FMT_ATTR(6, 7);
|
|
|
|
#ifdef _WIN32
/*
 * Just like error_setg(), with @win32_error info added to the message.
 * If @win32_error is non-zero, ": " + g_win32_error_message(win32_err)
 * is appended to the human-readable error message.
 * Only declared when building for Windows.
 */
#define error_setg_win32(errp, win32_err, fmt, ...) \
    error_setg_win32_internal((errp), __FILE__, __LINE__, __func__, \
                              (win32_err), (fmt), ## __VA_ARGS__)
void error_setg_win32_internal(Error **errp,
                               const char *src, int line, const char *func,
                               int win32_err, const char *fmt, ...)
    GCC_FMT_ATTR(6, 7);
#endif
|
|
|
|
/*
 * Propagate error object (if any) from @local_err to @dst_errp.
 * If @local_err is NULL, do nothing (because there's nothing to
 * propagate).
 * Else, if @dst_errp is NULL, errors are being ignored.  Free the
 * error object.
 * Else, if @dst_errp is &error_abort, print a suitable message and
 * abort().
 * Else, if @dst_errp is &error_fatal, print a suitable message and
 * exit(1).
 * Else, if @dst_errp already contains an error, ignore this one: free
 * the error object.
 * Else, move the error object from @local_err to *@dst_errp.
 * On return, @local_err is invalid: it has either been moved or freed.
 * If the variable holding it stays in scope, reset it to NULL rather
 * than reusing it.
 * Please use ERRP_GUARD() instead when possible.
 * Please don't error_propagate(&error_fatal, ...), use
 * error_report_err() and exit(), because that's more obvious.
 */
void error_propagate(Error **dst_errp, Error *local_err);
|
|
|
|
|
|
/*
 * Propagate error object (if any) with some text prepended.
 * Behaves like
 *     error_prepend(&local_err, fmt, ...);
 *     error_propagate(dst_errp, local_err);
 * @fmt, ... are formatted like printf(); GCC_FMT_ATTR(3, 4) enables
 * compile-time checking of the arguments.
 * Please use ERRP_GUARD() and error_prepend() instead when possible.
 */
void error_propagate_prepend(Error **dst_errp, Error *local_err,
                             const char *fmt, ...)
    GCC_FMT_ATTR(3, 4);
|
|
|
|
/*
 * Prepend some text to @errp's human-readable error message.
 * The text is made by formatting @fmt, @ap like vprintf().
 * @errp is Error *const *: the function modifies the error object,
 * never which object *@errp refers to.
 * Without ERRP_GUARD(), do not pass a function's @errp parameter here,
 * because that doesn't work with &error_fatal (see the overview).
 */
void error_vprepend(Error *const *errp, const char *fmt, va_list ap)
    GCC_FMT_ATTR(2, 0);

/*
 * Prepend some text to @errp's human-readable error message.
 * The text is made by formatting @fmt, ... like printf().
 * Same restrictions on @errp as error_vprepend().
 */
void error_prepend(Error *const *errp, const char *fmt, ...)
    GCC_FMT_ATTR(2, 3);
|
|
|
|
/*
 * Append a printf-style human-readable explanation to an existing error.
 * If the error is later reported to a human user with
 * error_report_err() or warn_report_err(), the hints will be shown,
 * too.  If it's reported via QMP, the hints will be ignored.
 * error_get_pretty() does not return the hints either.
 * Intended use is adding helpful hints on the human user interface,
 * e.g. a list of valid values.  It's not for clarifying a confusing
 * error message.
 * @errp may be NULL, but not &error_fatal or &error_abort.
 * Trivially the case if you call it only after error_setg() or
 * error_propagate().
 * May be called multiple times.  The resulting hint should end with a
 * newline.
 */
void error_append_hint(Error *const *errp, const char *fmt, ...)
    GCC_FMT_ATTR(2, 3);
|
|
|
|
/*
 * Convenience function to report open() failure.
 * @os_errno is the errno value from the failed open(), @filename the
 * name that was passed to it.  Like error_setg(), the macro records the
 * call site for the _internal function.
 */
#define error_setg_file_open(errp, os_errno, filename) \
    error_setg_file_open_internal((errp), __FILE__, __LINE__, __func__, \
                                  (os_errno), (filename))
void error_setg_file_open_internal(Error **errp,
                                   const char *src, int line, const char *func,
                                   int os_errno, const char *filename);
|
|
|
|
/*
 * Return an exact copy of @err.
 * The copy is a separate object; the caller is responsible for
 * freeing it with error_free().
 */
Error *error_copy(const Error *err);

/*
 * Free @err.
 * @err may be NULL.
 */
void error_free(Error *err);

/*
 * Convenience function to assert that *@errp is set, then silently free it.
 * Primarily useful in testsuites (see the overview above).
 */
void error_free_or_abort(Error **errp);
|
|
|
|
/*
 * Convenience function to warn_report() and free @err.
 * The report includes hints added with error_append_hint().
 * Consumes @err: do not use or free it afterwards.
 */
void warn_report_err(Error *err);

/*
 * Convenience function to error_report() and free @err.
 * The report includes hints added with error_append_hint().
 * Consumes @err: do not use or free it afterwards.
 */
void error_report_err(Error *err);

/*
 * Convenience function to error_prepend(), warn_report() and free @err.
 * Consumes @err.
 */
void warn_reportf_err(Error *err, const char *fmt, ...)
    GCC_FMT_ATTR(2, 3);

/*
 * Convenience function to error_prepend(), error_report() and free @err.
 * Consumes @err.
 */
void error_reportf_err(Error *err, const char *fmt, ...)
    GCC_FMT_ATTR(2, 3);
|
|
|
|
/*
 * Just like error_setg(), except you get to specify the error class.
 * Note: use of error classes other than ERROR_CLASS_GENERIC_ERROR is
 * strongly discouraged.
 * @fmt, ... are checked by the compiler via GCC_FMT_ATTR(6, 7); as with
 * error_setg(), @fmt should be a string literal.
 */
#define error_set(errp, err_class, fmt, ...) \
    error_set_internal((errp), __FILE__, __LINE__, __func__, \
                       (err_class), (fmt), ## __VA_ARGS__)
void error_set_internal(Error **errp,
                        const char *src, int line, const char *func,
                        ErrorClass err_class, const char *fmt, ...)
    GCC_FMT_ATTR(6, 7);
|
|
|
|
/*
 * Make @errp parameter easier to use regardless of argument value
 *
 * This macro is for use right at the beginning of a function that
 * takes an Error **errp parameter to pass errors to its caller.  The
 * parameter must be named @errp.
 *
 * It must be used when the function dereferences @errp or passes
 * @errp to error_prepend(), error_vprepend(), or error_append_hint().
 * It is safe to use even when it's not needed, but please avoid
 * cluttering the source with useless code.
 *
 * If @errp is NULL or &error_fatal, rewrite it to point to a local
 * Error variable, which will be automatically propagated to the
 * original @errp on function exit.
 *
 * Consequence for &error_fatal: the exit(1) happens when the local
 * error is propagated at function exit, not at the error_setg() call,
 * so code after the failing call still runs.
 *
 * Note: &error_abort is not rewritten, because that would move the
 * abort from the place where the error is created to the place where
 * it's propagated.
 *
 * After the macro, @errp may no longer be the caller's pointer; if the
 * function destroys *errp, it must set *errp = NULL (see the
 * conversion rules above).
 */
#define ERRP_GUARD() \
    /* g_auto: error_propagator_cleanup() runs when the function exits */ \
    g_auto(ErrorPropagator) _auto_errp_prop = {.errp = errp}; \
    do { \
        /* &error_abort deliberately passes through unchanged */ \
        if (!errp || errp == &error_fatal) { \
            errp = &_auto_errp_prop.local_err; \
        } \
    } while (0)
|
|
|
|
/*
 * State for ERRP_GUARD(): holds the caller's @errp and the local error
 * that stands in for it until the function exits.
 */
typedef struct ErrorPropagator {
    Error *local_err;   /* error collected on behalf of the caller, or NULL */
    Error **errp;       /* the caller's original @errp argument */
} ErrorPropagator;
|
|
|
|
/*
 * g_auto() cleanup for ErrorPropagator: hand the error collected in
 * @prop->local_err (if any) to the caller's @prop->errp.
 * error_propagate() handles the NULL, &error_abort and &error_fatal
 * destinations, and frees the error if it cannot be delivered.
 */
static inline void error_propagator_cleanup(ErrorPropagator *prop)
{
    Error **dst = prop->errp;
    Error *src = prop->local_err;

    error_propagate(dst, src);
}
|
|
|
|
/*
 * Register error_propagator_cleanup() as the g_auto() cleanup for
 * ErrorPropagator.  This is what makes ERRP_GUARD()'s propagation run
 * automatically when the guarded function returns.
 */
G_DEFINE_AUTO_CLEANUP_CLEAR_FUNC(ErrorPropagator, error_propagator_cleanup);
|
|
|
|
/*
 * Special error destination to abort on error.
 * See error_setg() and error_propagate() for details.
 * Not rewritten by ERRP_GUARD(), so the abort happens where the error
 * is created.
 */
extern Error *error_abort;

/*
 * Special error destination to exit(1) on error.
 * See error_setg() and error_propagate() for details.
 * Rewritten by ERRP_GUARD(), so inside a guarded function the exit
 * happens at function exit rather than at error creation.
 */
extern Error *error_fatal;
|
|
|
|
#endif
|