[Libguestfs] [libnbd PATCH] docs: Clarify how callbacks should handle errors
Richard W.M. Jones
rjones at redhat.com
Thu Feb 3 10:38:15 UTC 2022
On Wed, Feb 02, 2022 at 10:58:10AM -0600, Eric Blake wrote:
> Recent patches have demonstrated confusion on which order callbacks
> are reached, when it is safe or dangerous to ignore *error, and what a
> completion callback should do when auto-retirement is in use. Add
> wording to make it more obvious that:
>
> - mid-command callbacks are reached before the completion callback,
> and returning -1 does not prevent future callbacks
> - ignoring *error in a mid-command callback is safe
> - completion callbacks are reached unconditionally, and must NOT ignore
> *error
> - if auto-retirement is in use, completion callbacks should always use
> it rather than trying to return -1 on error
> - the contents of buf after nbd_pread and friends is unspecified on
> error
> ---
> docs/libnbd.pod | 44 +++++++++++++++++++++++++++++++++++---------
> generator/API.ml | 24 ++++++++++++++++++------
> 2 files changed, 53 insertions(+), 15 deletions(-)
>
> diff --git a/docs/libnbd.pod b/docs/libnbd.pod
> index 32088f64..006d530c 100644
> --- a/docs/libnbd.pod
> +++ b/docs/libnbd.pod
> @@ -870,15 +870,41 @@ still needs to be retired.
> =head2 Callbacks with C<int *error> parameter
>
> Some of the high-level commands (L<nbd_pread_structured(3)>,
> -L<nbd_block_status(3)>) involve the use of a callback function invoked by
> -the state machine at appropriate points in the server's reply before
> -the overall command is complete. These callback functions, along with
> -all of the completion callbacks, include a parameter C<error>
> -containing the value of any error detected so far; if the callback
> -function fails, it should assign back into C<error> and return C<-1>
> -to change the resulting error of the overall command. Assignments
> -into C<error> are ignored for any other return value; similarly,
> -assigning C<0> into C<error> does not have an effect.
> +L<nbd_block_status(3)>) involve the use of a callback function invoked
> +by the state machine at appropriate points in the server's reply
> +before the overall command is complete. These callback functions,
> +along with all of the completion callbacks, include a parameter
> +C<error> containing the value of any error detected so far. If a
> +callback function fails and wants to change the resulting error of the
> +overall command visible later in the API sequence, it should assign
> +back into C<error> and return C<-1>. Assignments into C<error> are
> +ignored for any other return value; similarly, assigning C<0> into
> +C<error> does not have an effect.
> +
> +Note that a mid-command callback might never be reached, such as if
> +libnbd detects that the command was invalid to send (see
> +L<nbd_set_strict_mode(3)>) or if the server reports a failure. It is
> +safe for a mid-command callback to ignore non-zero C<error>: all the
> +other parameters to the mid-command callback will still be valid
> +(corresponding to the current portion of the server's reply), and the
> +overall command will still fail (at the completion callback or
> +L<nbd_aio_command_completed(3)> for an asynchronous command, or as the
> +result of the overall synchronous command). Returing C<-1> from a
> +mid-command callback does not prevent that callback from being reached
> +again, if the server sends more mid-command replies that warrant
> +another use of that callback. A mid-command callback may be reached
> +more times than expected if the server is non-compliant.
> +
> +On the other hand, if a completion callback is supplied (only possible
> +with asynchronous commands), it will always be reached exactly once,
> +and the completion callback must not ignore the value of C<error>. In
> +particular, the content of a buffer passed to L<nbd_aio_pread(3)> or
> +L<nbd_aio_pread_structured(3)> is unspecified if C<error> is set on
> +entry to the completion callback. It is recommended that if your code
> +uses automatic command retirement, then the completion function should
> +return C<1> on all control paths, even when handling errors (note that
> +with automatic retirement, assigning into C<error> is pointless as
> +there is no later API to see that value).
>
> =head1 COMPILING YOUR PROGRAM
>
> diff --git a/generator/API.ml b/generator/API.ml
> index cf2e7543..bdb8e7c8 100644
> --- a/generator/API.ml
> +++ b/generator/API.ml
> @@ -1,6 +1,6 @@
> (* hey emacs, this is OCaml code: -*- tuareg -*- *)
> (* nbd client library in userspace: the API
> - * Copyright (C) 2013-2021 Red Hat Inc.
> + * Copyright (C) 2013-2022 Red Hat Inc.
> *
> * This library is free software; you can redistribute it and/or
> * modify it under the terms of the GNU Lesser General Public
> @@ -1829,7 +1829,9 @@ "pread", {
> L<nbd_get_block_size(3)>.
>
> The C<flags> parameter must be C<0> for now (it exists for future NBD
> -protocol extensions)."
> +protocol extensions).
> +
> +Note that if this command fails, the contents of C<buf> are unspecified."
> ^ strict_call_description;
> see_also = [Link "aio_pread"; Link "pread_structured";
> Link "get_block_size"; Link "set_strict_mode"];
> @@ -1914,7 +1916,9 @@ "pread_structured", {
> C<LIBNBD_CMD_FLAG_DF> meaning that the server should not reply with
> more than one fragment (if that is supported - some servers cannot do
> this, see L<nbd_can_df(3)>). Libnbd does not validate that the server
> -actually obeys the flag."
> +actually obeys the flag.
> +
> +Note that if this command fails, the contents of C<buf> are unspecified."
> ^ strict_call_description;
> see_also = [Link "can_df"; Link "pread";
> Link "aio_pread_structured"; Link "get_block_size";
> @@ -2155,7 +2159,8 @@ "block_status", {
> for contexts known to libnbd, B<E<lt>libnbd.hE<gt>> contains constants
> beginning with C<LIBNBD_STATE_> that may help decipher the values.
> On entry to the callback, the C<error> parameter contains the errno
> -value of any previously detected error.
> +value of any previously detected error, but even if an earlier error
> +was detected, the current C<metacontext> and C<entries> are valid.
>
> It is possible for the extent function to be called
> more times than you expect (if the server is buggy),
> @@ -2454,7 +2459,10 @@ "aio_pread", {
> as described in L<libnbd(3)/Completion callbacks>.
>
> Note that you must ensure C<buf> is valid until the command has
> -completed. Other parameters behave as documented in L<nbd_pread(3)>."
> +completed. Furthermore, the contents of C<buf> are unspecified if the
> +C<error> parameter to C<completion_callback> is set, or if
> +L<nbd_aio_command_completed(3)> reports failure. Other parameters behave
> +as documented in L<nbd_pread(3)>."
> ^ strict_call_description;
> example = Some "examples/aio-connect-read.c";
> see_also = [SectionLink "Issuing asynchronous commands";
> @@ -2478,7 +2486,11 @@ "aio_pread_structured", {
> Or supply the optional C<completion_callback> which will be invoked
> as described in L<libnbd(3)/Completion callbacks>.
>
> -Other parameters behave as documented in L<nbd_pread_structured(3)>."
> +Note that you must ensure C<buf> is valid until the command has
> +completed. Furthermore, the contents of C<buf> are unspecified if the
> +C<error> parameter to C<completion_callback> is set, or if
> +L<nbd_aio_command_completed(3)> reports failure. Other parameters behave
> +as documented in L<nbd_pread_structured(3)>."
> ^ strict_call_description;
> see_also = [SectionLink "Issuing asynchronous commands";
> Link "aio_pread"; Link "pread_structured";
> --
ACK
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
More information about the Libguestfs
mailing list