Re: [PATCH 1/2] qdev: Separate implementations of qdev_get_machine() for user and system

From: Greg Kurz <groug@kaod.org>
To: Markus Armbruster <armbru@redhat.com>
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	qemu-devel@nongnu.org, "Eduardo Habkost" <ehabkost@redhat.com>
Subject: Re: [PATCH 1/2] qdev: Separate implementations of qdev_get_machine() for user and system
Date: Thu, 15 Apr 2021 10:26:58 +0200	[thread overview]
Message-ID: <20210415102658.6221d0ed@bahia.lan> (raw)
In-Reply-To: <87zgy6cy6q.fsf@dusky.pond.sub.org>

On Sat, 10 Apr 2021 10:59:25 +0200
Markus Armbruster <armbru@redhat.com> wrote:

> Greg Kurz <groug@kaod.org> writes:
> 
> > Despite its simple name and common usage of "getting a pointer to
> > the machine" in system-mode emulation, qdev_get_machine() has some
> > subtilities.
> >
> > First, it can be called when running user-mode emulation : this is
> > because user-mode partly relies on qdev to instantiate its CPU
> > model.
> >
> > Second, but not least, it has a side-effect : if it cannot find an
> > object at "/machine" in the QOM tree, it creates a dummy "container"
> > object and put it there. A simple check on the type returned by
> > qdev_get_machine() allows user-mode to run the common qdev code,
> > skipping the parts that only make sense for system-mode.
> >
> > This side-effect turns out to complicate the use of qdev_get_machine()
> > for the system-mode case though. Most notably, qdev_get_machine() must
> > not be called before the machine object is added to the QOM tree by
> > qemu_create_machine(), otherwise the existing dummy "container" object
> > would cause qemu_create_machine() to fail with something like :
> 
> Stupid trap.
> 

Still armed and ready for subtle bugs.

> > Unexpected error in object_property_try_add() at ../../qom/object.c:1223:
> > qemu-system-ppc64: attempt to add duplicate property 'machine' to
> >  object (type 'container')
> > Aborted (core dumped)
> >
> > This situation doesn't exist in the current code base, mostly because
> > of preventive fixing of some "latent bugs" in QEMU 4.0 (see 1a3ec8c1564
> > and e2fb3fbbf9c for details).
> 
> I lacked the stamina to address the root problem: automatic creation of
> dummy containers where real ones may be needed.
> 
> Is /machine the only such container?  Have you reviewed the other uses
> of container_get()?
> 

No. I've only looked at the /machine case.

> > A new kind of breakage was spotted very recently though :
> >
> > $ ./qemu-system-ppc64 -device power8_v2.0-spapr-cpu-core,help
> > /home/thuth/devel/qemu/include/hw/boards.h:24:
> >  MACHINE: Object 0x5635bd53af10 is not an instance of type machine
> > Aborted (core dumped)
> >
> > This comes from the change 3df261b6676b in QEMU 5.0. It unwillingly
> > added a new condition for qdev_get_machine() to be called too early,
> > breaking MACHINE(qdev_get_machine()) in generic cpu-core code this
> > time.
> >
> > In order to avoid further subtle breakages like this, change the
> > implentation of qdev_get_machine() to:
> > - keep the existing behaviour of creating the dummy "container"
> >   object for the user-mode case only ;
> > - abort() if the machine doesn't exist yet in the QOM tree for
> >   the system-mode case. This gives a precise hint to developpers
> >   that calling qdev_get_machine() too early is a programming bug.
> 
> In other words, we fail right away instead of planting a landmine for
> later.  Good.
> 
> The alternative would be mandating "must create /machine before first
> use" for all programs, not just qemu-system-FOO, but that might be more
> invasive.  Not sure.
> 

This would mean all user emulation binaries and a bunch of test
programs as well. I'll give a try in this direction.

> > This is achieved with a new do_qdev_get_machine() function called
> 
> container_get() is a suboptimal name for a function that creates
> containers, qdev_get_machine() is a suboptimal name for a function that
> creates /machine, and so is do_qdev_get_machine().  Observation, not
> demand.
> 

/**
 * container_get:
 * @root: root of the #path, e.g., object_get_root()
 * @path: path to the container
 *
 * Return a container object whose path is @path.  Create more containers
 * along the path if necessary.
 *
 * Returns: the container object.
 */
Object *container_get(Object *root, const char *path);

My understanding is that container_get()'s main mission is to
return a "container" object. The creation part looks like
a fallback to "fill the holes" in the QOM tree...

I'd rather try to get rid of that side-effect entirely rather
than coming up with a sensible name => auditing other users
of container_get() as you asked above seems to be the next
step :)

Thanks!

> > from qdev_get_machine(), with different implementations for system
> > and user mode.
> >
> > $ ./qemu-system-ppc64 -device power8_v2.0-spapr-cpu-core,help
> > qemu-system-ppc64: ../../hw/core/machine.c:1290:
> >  qdev_get_machine: Assertion `machine != NULL' failed.
> > Aborted (core dumped)
> >
> > Reported-by: Thomas Huth <thuth@redhat.com>
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> 