[libvirt] [PATCH] don't test "res == NULL" after we've already dereferenced it

Daniel Veillard veillard at redhat.com
Fri Jan 8 13:30:15 UTC 2010 

On Fri, Jan 08, 2010 at 12:13:24PM +0100, Jim Meyering wrote:
> Daniel Veillard wrote:
> ...
> >> However, the point is still valid, so I'll wait for confirmation.
> >> This is still about defensive coding, i.e., ensuring that
> >> maintenance doesn't violate invariants in harder-to-diagnose ways.
> >> If you get a bug report, which would you rather hear?
> >> "libvirt sometimes segfaults" or
> >> "I get an assertion failure on file.c:999"
> >
> >   I guess it's mostly a matter of coding style, I'm not sure it makes
> > such a difference in practice, libvirt output will likely be burried
> > in a log file, unless virsh or similar CLI tool is used.
> >   We have only 4 asserts in the code currently, I think it shows that
> > so far we are not relying on it. On one hand this mean calling exit()
> 
> Is "don't use assert" libvirt policy?  I hope not.

  The policy is "use defensive programming rather than exit or crash"
this means that assert has his place only in very untractable cases.

> It is important to distinguish two types of errors:
> 
>   - conditions that may arise due to user input or environment
>   (misbehaving client or server, malformed packet, I/O error, etc.)
> 
>   - internal API abuse, violation of an internal assumption or invariant
> 
> Using "assert" is appropriate only in the latter case, for detecting
> conditions that typically are provoked only by developer-introduced errors.

  Hum, that's where we disagree. If libvirtd goes down because the
configuration for one VM used a little used construct which happened
to trigger a bug, exiting gives troubles to all the running domains.
We must be more permissive to developer-introduced errors than
for a single user program instance. The key point is that the error
is being reported while avoiding crashing.

> Here's the revised patch, followed by the tiny nonnull-one.
> (also fixes typos s/ret/res/ in log message)
> 
> 
> >From 2a7fed9238667ff75a6ecd662b663549bc8fb7b5 Mon Sep 17 00:00:00 2001
> From: Jim Meyering <meyering at redhat.com>
> Date: Wed, 6 Jan 2010 12:45:07 +0100
> Subject: [PATCH] don't test "res == NULL" after we've already dereferenced "res"
> 
> * src/xen/proxy_internal.c (xenProxyCommand): "res" is known to be
> non-NULL at that point, so remove the "res == NULL" guard.
> ---
>  src/xen/proxy_internal.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
> index ec4522b..ee4678a 100644
> --- a/src/xen/proxy_internal.c
> +++ b/src/xen/proxy_internal.c
> @@ -1,7 +1,7 @@
>  /*
>   * proxy_client.c: client side of the communication with the libvirt proxy.
>   *
> - * Copyright (C) 2006, 2008, 2009 Red Hat, Inc.
> + * Copyright (C) 2006, 2008, 2009, 2010 Red Hat, Inc.
>   *
>   * See COPYING.LIB for the License of this software
>   *
> @@ -444,7 +444,7 @@ retry:
>      /*
>       * do more checks on the incoming packet.
>       */
> -    if ((res == NULL) || (res->version != PROXY_PROTO_VERSION) ||
> +    if ((res->version != PROXY_PROTO_VERSION) ||
>          (res->len < sizeof(virProxyPacket))) {
>          virProxyError(conn, VIR_ERR_INTERNAL_ERROR, "%s",
>                        _("Communication error with proxy: malformed packet\n"));
> --
> 1.6.6.425.g4dc2d
> 
> 
> 
> >From eb6f7f0478ce510de8dc5fc9add4eaaca1c2bfc1 Mon Sep 17 00:00:00 2001
> From: Jim Meyering <meyering at redhat.com>
> Date: Thu, 7 Jan 2010 19:48:05 +0100
> Subject: [PATCH] proxy_internal.c: mark "request" parameter as nonnull
> 
> * src/xen/proxy_internal.c (xenProxyCommand): Mark "request"
> as an always-non-NULL parameter.
> ---
>  src/xen/proxy_internal.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/xen/proxy_internal.c b/src/xen/proxy_internal.c
> index ee4678a..73a0469 100644
> --- a/src/xen/proxy_internal.c
> +++ b/src/xen/proxy_internal.c
> @@ -340,7 +340,7 @@ xenProxyClose(virConnectPtr conn)
>      return 0;
>  }
> 
> -static int
> +static int ATTRIBUTE_NONNULL(2)
>  xenProxyCommand(virConnectPtr conn, virProxyPacketPtr request,
>                  virProxyFullPacketPtr answer, int quiet) {
>      static int serial = 0;
> --
> 1.6.6.425.g4dc2d

 ACK, fine by me,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list