From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45559)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1ZK6Fl-0000bz-6w
	for qemu-devel@nongnu.org; Tue, 28 Jul 2015 10:53:14 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1ZK6Fh-0002aG-Tp
	for qemu-devel@nongnu.org; Tue, 28 Jul 2015 10:53:13 -0400
Received: from mx1.redhat.com ([209.132.183.28]:50931)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1ZK6Fh-0002aC-MH
	for qemu-devel@nongnu.org; Tue, 28 Jul 2015 10:53:09 -0400
References: <1435782155-31412-1-git-send-email-armbru@redhat.com>
	<1435782155-31412-30-git-send-email-armbru@redhat.com>
	<55B025B9.2060004@redhat.com> <87zj2gohv1.fsf@blackfin.pond.sub.org>
From: Eric Blake <eblake@redhat.com>
Message-ID: <55B79754.6090609@redhat.com>
Date: Tue, 28 Jul 2015 08:53:08 -0600
MIME-Version: 1.0
In-Reply-To: <87zj2gohv1.fsf@blackfin.pond.sub.org>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="uTHtbUBStMjEq9X5Owkdx35RRHnujIeNC"
Subject: Re: [Qemu-devel] [PATCH RFC v2 29/47] qapi: Replace dirty
 is_c_ptr() by method c_null()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>
Cc: kwolf@redhat.com, berto@igalia.com, qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uTHtbUBStMjEq9X5Owkdx35RRHnujIeNC
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 07/28/2015 01:34 AM, Markus Armbruster wrote:
> Let me rephrase to make sure I understand.
>=20
> Ignore the (not rets) case, because retval doesn't exist then.
>=20
> qmp_marshal_output_FOO() visits retval twice.  First, with a QMP output=

> visitor to do the actual marshalling.  Second, with a QAPI dealloc
> visitor to destroy it.

And the use of the dealloc visitor is buried inside the
qmp_marshal_output_FOO() call.

>=20
> If we execute the assignment to retval, we must go on to call
> qmp_marshal_output_FOO(), or else we have a leak.
>=20
> If we can reach qmp_marshal_output_FOO() without executing the
> assignment, we must initialize retval.  If we can't, any initialization=

> is unused.
>=20
> gen_call() generates code of the form
>=20
>         retval =3D qmp_FOO(... args ..., &local_err);
>         if (local_err) {
>             goto out;
>         }
>=20
>         qmp_marshal_output_FOO(retval, ret, &local_err);
>=20

> Observe:
>=20
> 1. The assignment dominates the only use.  Therefore, the initializatio=
n
>    is unused.  Let's drop it in a separate cleanup patch.
>=20
> 2. We can leak retval only when qmp_FOO() returns non-null and local_er=
r
>    is non-null.  This must not happen, because:
>=20
>    a. local_err must be null before the call, and
>=20
>    b. the call must not return non-null when it sets local_err.

We don't state that contract anywhere, but I doubt any of the qmp_FOO()
functions violate it, so it is worth making it part of the contract.

>=20
>    We could right after out: assert(!local_err || !retval).  Not sure
>    it's worthwhile.

I think it IS worthwhile, because it would catch buggy callers.  Not
sure if after out: is the right place (then you'd need an initializer to
cover any other code that jumps to out), but this would do the same

retval =3D qmp_FOO(...);
if (local_err) {
    assert(!retval);
    goto out;
}
qmp_marshal_output_FOO(retval, ...);

>=20
> TL;DR: I concur with your analysis.

Is it worth dropping the dead initializer and adding the assert in the
same pre-req cleanup patch?  Do you want me to submit it since I did the
analysis?

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--uTHtbUBStMjEq9X5Owkdx35RRHnujIeNC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJVt5dUAAoJEKeha0olJ0NqXJoH/jGZwhSVqX6Y+bgPUAgbtZDT
x4SH0WZi1pAcU29gSW+nmd9ixAveBk347cy4nWx8Hxoxg6tbtqFWp7GuKf8c+5EP
5x5NonnAOewSboXJUjCmO78K8JmPEwiUCMqPSSUZSLp5C9kCeSwONLiHH209Ev06
JazJXr/VbAxkSA4+1re0raZS7fs4U0v43IiXJe6IG++vnMYHzBerq63wjP9vPALq
59KiPPXx/lHKH/sY3xL/dkMneEimHqLEhqSROzp58Y8kMOWhakfJHKz9czoV9Ejz
0OpiV7hsOzByGSSoRrOGxGvvLrJaMg0e0wCAJgwlgwrdpuBghvSqEVjoZBNftnU=
=DqyV
-----END PGP SIGNATURE-----

--uTHtbUBStMjEq9X5Owkdx35RRHnujIeNC--