[libvirt] [Qemu-devel] QMP; unsigned 64-bit ints; JSON standards compliance

Eric Blake eblake at redhat.com
Tue May 7 16:32:49 UTC 2019 

On 5/7/19 4:39 AM, Daniel P. Berrangé wrote:

>> JSON is terrible at interoperability, so good luck with that.
>>
>> If you reduce your order to "the commonly used JSON libraries we know",
>> we can talk.
> 
> I don't particularly want us to rely on semantics of small known set
> of JSON libs. I really do want us to do something that is capable of
> working with any JSON impl that exists in any programming language.
> 
> My suggested option 2 & 3 at least would manage that I believe, as
> any credible JSON impl will be able to represent 32-bit integers
> or strings without loosing data.
> 
> Option 1 would not cope as some impls can't even cope with
> signed 64-bit ints.
> 
>>>>> I can think of some options:
>>>>>
>>>>>   1. Encode unsigned 64-bit integers as signed 64-bit integers.
>>>>>
>>>>>      This follows the example that most C libraries map JSON ints
>>>>>      to 'long long int'. This is still relying on undefined
>>>>>      behaviour as apps don't need to support > 2^53-1.
>>>>>
>>>>>      Apps would need to cast back to 'unsigned long long' for
>>>>>      those QMP fields they know are supposed to be unsigned.
>>
>> Ugly.  It's also what we did until v2.10, August 2017.  QMP's input
>> direction still does it, for backward compatibility.

Having qemu accept signed ints in place of large unsigned values is easy
enough. But you are right that it loses precision when doubles are
involved on the receiving end, and we cross the 2^53 barrier.

>>
>>>>>
>>>>>
>>>>>   2. Encode all 64-bit integers as a pair of 32-bit integers.
>>>>>     
>>>>>      This is fully compliant with the JSON spec as each half
>>>>>      is fully within the declared limits. App has to split or
>>>>>      assemble the 2 pieces from/to a signed/unsigned 64-bit
>>>>>      int as needed.
>>
>> Differently ugly.

Particularly ugly as we turn 1<<55 from:

"value":36028797018963968

into

"value":[8388608,0]

and now both qemu and the client end have to agree that an array of two
integers is a valid replacement for any larger 64-bit quantity
(presumably, we'd always accept the array form even for small integer
values, but only produce the array form for large values).  And while it
manages just fine for uint64_t values, what rules would you place on
int64_t values? That the resulting 2-integer array is combined with the
first number as a 2's-complement signed value, and the second being a
32-bit unsigned value?

>>
>>>>>
>>>>>
>>>>>   3. Encode all 64-bit integers as strings
>>>>>
>>>>>      The application has todo all parsing/formatting client
>>>>>      side.
>>
>> Yet another ugly.

But less so than option 2.

"value":36028797018963968

vs.

"value":"36028797018963968"

is at least tolerable.

>>
>>>>>
>>>>>
>>>>> None of these changes are backwards compatible, so I doubt we could make
>>>>> the change transparently in QMP.  Instead we would have to have a
>>>>> QMP greeting message capability where the client can request enablement
>>>>> of the enhanced integer handling.
>>
>> We might be able to do option 1 without capability negotiation.  v2.10's
>> change from option 1 to what we have now produced zero complaints.
>>
>> On the other hand, we made that change for a reason, so we may want a
>> "send large integers as negative integers" capability regardless.
>>
>>>>>
>>>>> Any of the three options above would likely work for libvirt, but I
>>>>> would have a slight preference for either 2 or 3, so that we become
>>>>> 100% standards compliant.

If we're going to negotiate something, I'd lean towards option 3
(anywhere the introspection states that we accept 'int64' or similar, it
is also appropriate to send a string value in its place). We'd also have
to decide if we want to allow "0xabcd", or strictly insist on 43981,
when stringizing an integer.  And while qemu should accept a string or a
number on input, we'd still have to decide/document whether it's
response to the client capability negotiation is to output a string
always, or only for values larger than the 2^53 threshold.

>>
>> There's no such thing.  You mean "we maximize interoperability with
>> common implementations of JSON".
> 
> s/common/any/
> 
>> Let's talk implementation for a bit.
>>
>> Encoding and decoding integers in funny ways should be fairly easy in
>> the QObject visitors.  The generated QMP marshallers all use them.
>> Trouble is a few commands still bypass the generated marshallers, and
>> mess with the QObject themselves:
>>
>> * query-qmp-schema: minor hack explained in qmp_query_qmp_schema()'s
>>   comment.  Should be harmless.
>>
>> * netdev_add: not QAPIfied.  Eric's patches to QAPIfy it got stuck
>>   because they reject some abuses like passing numbers and bools as
>>   strings.
>>
>> * device_add: not QAPIfied.  We're not sure QAPIfication is feasible.
>>
>> netdev_add and device_add both use qemu_opts_from_qdict().  Perhaps we
>> could hack that to mirror what the QObject visitor do.
>>
>> Else, we might have to do it in the JSON parser.  Should be possible,
>> but I'd rather not.
>>
>>>> My preference would be 3 with the strings defined as being
>>>> %x lower case hex formated with a 0x prefix and no longer than 18 characters
>>>> ("0x" + 16 nybbles). Zero padding allowed but not required.
>>>> It's readable and unambiguous when dealing with addresses; I don't want
>>>> to have to start decoding (2) by hand when debugging.
>>>
>>> Yep, that's a good point about readability.
>>
>> QMP sending all integers in decimal is inconvenient for some values,
>> such as addresses.  QMP sending all (large) integers in hexadecimal
>> would be inconvenient for other values.
>>
>> Let's keep it simple & stupid.  If you want sophistication, JSON is the
>> wrong choice.

JSON requires decimal-only, but I'm okay if we state that when
negotiating the alternative representation, that we output hex-only.
(JSON5 adds hex support among other things, but it is not an RFC
standard, and even fewer libraries exist that parse JSON5 in addition to
straight JSON).

>>
>>
>> Option 1 feels simplest.
> 
> But will still fail with any JSON impl that uses double precision floating
> point for integers as it will loose precision.
> 
>> Option 2 feels ugliest.  Less simple, more interoperable than option 1.
> 
> If we assume any JSON impl can do 32-bit integers without loss of
> precision, then I think we can say it is guaranteed portable, but
> it is certainly horrible / ugly.
> 
>> Option 3 is like option 2, just not quite as ugly.
> 
> I think option 3 can be guaranteed to be loss-less with /any/ JSON impl
> that exists, since you're delegating all string -> int conversion to
> the application code taking the JSON parser/formatter out of the equation.
> 
> This is close to the approach libvirt takes with YAJL parser today. YAJL
> parses as a int64 and we then ignore its result, and re-parse the string
> again in libvirt as uint64. When generating json we format as uint64
> in libvirt and ignore YAJLs formatting for int64.
> 
>> Can we agree to eliminate option 2 from the race?
> 
> I'm fine with eliminating option 2.

Same here.

> 
> I guess I'd have a preference for option 3 given that it has better
> interoperability

Likewise - if we're going to bother with a capability that changes
output and allows the input validators to accept more forms, I'd prefer
a string form with correct sign over a negative integer that depends on
64-bit 2's-complement arithmetic to intepret correctly.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20190507/5dcf03ad/attachment-0001.sig>

More information about the libvir-list mailing list