Coverity reported a potential resource leak. While it's probably not
a real-world scenario, the code could technically jump to cleanup
between the time that vdpafd is opened and when it is used. Ensure that
it gets cleaned up in that case.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
---
src/qemu/qemu_command.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 5c4e37bd9e..cbe7a6e331 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
addfdarg = g_strdup_printf("%s,opaque=%s", fdset,
net->data.vdpa.devicepath);
virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL);
+ vdpafd = -1;
}
if (chardev)
@@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
VIR_FREE(tapfdName);
VIR_FREE(vhostfd);
VIR_FREE(tapfd);
+ if (vdpafd >= 0)
+ VIR_FORCE_CLOSE(vdpafd);
return ret;
}
--
2.26.2
On 10/21/20 5:50 PM, Jonathon Jongsma wrote: > Coverity reported a potential resource leak. While it's probably not > a real-world scenario, the code could technically jump to cleanup > between the time that vdpafd is opened and when it is used. Ensure that > it gets cleaned up in that case. > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > --- > src/qemu/qemu_command.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > index 5c4e37bd9e..cbe7a6e331 100644 > --- a/src/qemu/qemu_command.c > +++ b/src/qemu/qemu_command.c > @@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > addfdarg = g_strdup_printf("%s,opaque=%s", fdset, > net->data.vdpa.devicepath); > virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); > + vdpafd = -1; > } > > if (chardev) > @@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > VIR_FREE(tapfdName); > VIR_FREE(vhostfd); > VIR_FREE(tapfd); > + if (vdpafd >= 0) > + VIR_FORCE_CLOSE(vdpafd); VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() and virFileClose() is a NOP if fd < 0, so this doesn't need the conditional. I *was* going to say "With that change, Reviewed-by: Laine Stump <laine@redhat.com> " but this got me looking at the code of the entire function rather than just the diffs in the patch, and I've got a question - is there any reason that you only ope n the vdpa device inside the switch, and save everything else related to it until later (at the "if (vdpafd)")? You could then device vpafd only within that case of the switch, and make it VIR_AUTOCLOSE vpafd = -1; Then just set it back to -1 immediately after calling virCommandPassFD (because once it is in the set of fd's being passed to qemu, it will be closed by virCommand* functions in the libvirtd process, whether qemu is successfully run or not). Does that make sense? > return ret; > } >
On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: > On 10/21/20 5:50 PM, Jonathon Jongsma wrote: > > Coverity reported a potential resource leak. While it's probably not > > a real-world scenario, the code could technically jump to cleanup > > between the time that vdpafd is opened and when it is used. Ensure that > > it gets cleaned up in that case. > > > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > > --- > > src/qemu/qemu_command.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > > index 5c4e37bd9e..cbe7a6e331 100644 > > --- a/src/qemu/qemu_command.c > > +++ b/src/qemu/qemu_command.c > > @@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > addfdarg = g_strdup_printf("%s,opaque=%s", fdset, > > net->data.vdpa.devicepath); > > virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); > > + vdpafd = -1; > > } > > if (chardev) > > @@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > VIR_FREE(tapfdName); > > VIR_FREE(vhostfd); > > VIR_FREE(tapfd); > > + if (vdpafd >= 0) > > + VIR_FORCE_CLOSE(vdpafd); > > > VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() > > and virFileClose() is a NOP if fd < 0, so this doesn't need the conditional. > > > I *was* going to say "With that change, > > > Reviewed-by: Laine Stump <laine@redhat.com> > > " > > > but this got me looking at the code of the entire function rather than just > the diffs in the patch, and I've got a question - is there any reason that > you only ope n the vdpa device inside the switch, and save everything else > related to it until later (at the "if (vdpafd)")? You could then device I'd like to point out that opening anything in the command line formatters is IMO bad practice. The command line formatter should format the commandline and nothing more. This is visible by the necessity to have a lot of mock override functions which prevent the command line formatter from touching resources on the host in the first place. Better approach is to open resources in 'qemuProcessPrepareHost' and store them in private data for command line formatting. Fake data for tests are added in 'testCompareXMLToArgvCreateArgs'. I'm aware though that there's a lot of "prior art" in this area though.
On Thu, 22 Oct 2020 09:01:13 +0200 Peter Krempa <pkrempa@redhat.com> wrote: > On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: > > On 10/21/20 5:50 PM, Jonathon Jongsma wrote: > > > Coverity reported a potential resource leak. While it's probably > > > not a real-world scenario, the code could technically jump to > > > cleanup between the time that vdpafd is opened and when it is > > > used. Ensure that it gets cleaned up in that case. > > > > > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > > > --- > > > src/qemu/qemu_command.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > > > index 5c4e37bd9e..cbe7a6e331 100644 > > > --- a/src/qemu/qemu_command.c > > > +++ b/src/qemu/qemu_command.c > > > @@ -8135,6 +8135,7 @@ > > > qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, addfdarg = > > > g_strdup_printf("%s,opaque=%s", fdset, net->data.vdpa.devicepath); > > > virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); > > > + vdpafd = -1; > > > } > > > if (chardev) > > > @@ -8204,6 +8205,8 @@ > > > qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > > VIR_FREE(tapfdName); VIR_FREE(vhostfd); > > > VIR_FREE(tapfd); > > > + if (vdpafd >= 0) > > > + VIR_FORCE_CLOSE(vdpafd); > > > > > > VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() > > > > and virFileClose() is a NOP if fd < 0, so this doesn't need the > > conditional. > > > > > > I *was* going to say "With that change, > > > > > > Reviewed-by: Laine Stump <laine@redhat.com> > > > > " > > > > > > but this got me looking at the code of the entire function rather > > than just the diffs in the patch, and I've got a question - is > > there any reason that you only ope n the vdpa device inside the > > switch, and save everything else related to it until later (at the > > "if (vdpafd)")? You could then device > > I'd like to point out that opening anything in the command line > formatters is IMO bad practice. The command line formatter should > format the commandline and nothing more. This is visible by the > necessity to have a lot of mock override functions which prevent the > command line formatter from touching resources on the host in the > first place. > > Better approach is to open resources in 'qemuProcessPrepareHost' and > store them in private data for command line formatting. Fake data for > tests are added in 'testCompareXMLToArgvCreateArgs'. > > I'm aware though that there's a lot of "prior art" in this area > though. These are good points. I fell into the trap of modeling the new code on some existing code that did similar things rather than thinking critically enough about the best way to do it. I'll look into a better approach. Jonathon
On Thu, Oct 22, 2020 at 14:08:51 -0500, Jonathon Jongsma wrote: > On Thu, 22 Oct 2020 09:01:13 +0200 > Peter Krempa <pkrempa@redhat.com> wrote: > > > On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: > > > On 10/21/20 5:50 PM, Jonathon Jongsma wrote: > > > > Coverity reported a potential resource leak. While it's probably > > > > not a real-world scenario, the code could technically jump to > > > > cleanup between the time that vdpafd is opened and when it is > > > > used. Ensure that it gets cleaned up in that case. > > > > > > > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > > > > --- > > > > src/qemu/qemu_command.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > > > > index 5c4e37bd9e..cbe7a6e331 100644 > > > > --- a/src/qemu/qemu_command.c > > > > +++ b/src/qemu/qemu_command.c > > > > @@ -8135,6 +8135,7 @@ > > > > qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, addfdarg = > > > > g_strdup_printf("%s,opaque=%s", fdset, net->data.vdpa.devicepath); > > > > virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); > > > > + vdpafd = -1; > > > > } > > > > if (chardev) > > > > @@ -8204,6 +8205,8 @@ > > > > qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > > > VIR_FREE(tapfdName); VIR_FREE(vhostfd); > > > > VIR_FREE(tapfd); > > > > + if (vdpafd >= 0) > > > > + VIR_FORCE_CLOSE(vdpafd); > > > > > > > > > VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() > > > > > > and virFileClose() is a NOP if fd < 0, so this doesn't need the > > > conditional. > > > > > > > > > I *was* going to say "With that change, > > > > > > > > > Reviewed-by: Laine Stump <laine@redhat.com> > > > > > > " > > > > > > > > > but this got me looking at the code of the entire function rather > > > than just the diffs in the patch, and I've got a question - is > > > there any reason that you only ope n the vdpa device inside the > > > switch, and save everything else related to it until later (at the > > > "if (vdpafd)")? You could then device > > > > I'd like to point out that opening anything in the command line > > formatters is IMO bad practice. The command line formatter should > > format the commandline and nothing more. This is visible by the > > necessity to have a lot of mock override functions which prevent the > > command line formatter from touching resources on the host in the > > first place. > > > > Better approach is to open resources in 'qemuProcessPrepareHost' and > > store them in private data for command line formatting. Fake data for > > tests are added in 'testCompareXMLToArgvCreateArgs'. > > > > I'm aware though that there's a lot of "prior art" in this area > > though. > > These are good points. I fell into the trap of modeling the new code on > some existing code that did similar things rather than thinking > critically enough about the best way to do it. I'll look into a better > approach. Just keep this as a note for future code. No need to refactor your addition, since there's a lot of other code which does the same. The fix in this patch is fine once you drop the unneeded conditional.
On 10/22/20 3:01 AM, Peter Krempa wrote: > On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: >> On 10/21/20 5:50 PM, Jonathon Jongsma wrote: >>> Coverity reported a potential resource leak. While it's probably not >>> a real-world scenario, the code could technically jump to cleanup >>> between the time that vdpafd is opened and when it is used. Ensure that >>> it gets cleaned up in that case. >>> >>> Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> >>> --- >>> src/qemu/qemu_command.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c >>> index 5c4e37bd9e..cbe7a6e331 100644 >>> --- a/src/qemu/qemu_command.c >>> +++ b/src/qemu/qemu_command.c >>> @@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, >>> addfdarg = g_strdup_printf("%s,opaque=%s", fdset, >>> net->data.vdpa.devicepath); >>> virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); >>> + vdpafd = -1; >>> } >>> if (chardev) >>> @@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, >>> VIR_FREE(tapfdName); >>> VIR_FREE(vhostfd); >>> VIR_FREE(tapfd); >>> + if (vdpafd >= 0) >>> + VIR_FORCE_CLOSE(vdpafd); >> >> VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() >> >> and virFileClose() is a NOP if fd < 0, so this doesn't need the conditional. >> >> >> I *was* going to say "With that change, >> >> >> Reviewed-by: Laine Stump <laine@redhat.com> >> >> " >> >> >> but this got me looking at the code of the entire function rather than just >> the diffs in the patch, and I've got a question - is there any reason that >> you only ope n the vdpa device inside the switch, and save everything else >> related to it until later (at the "if (vdpafd)")? You could then device > I'd like to point out that opening anything in the command line > formatters is IMO bad practice. Well... I agree that it is an ugly design, but that's pretty much what's in place for almost everything. > The command line formatter should format > the commandline and nothing more. It would be nice if that was the case, but it already isn't. :-/ > This is visible by the necessity to > have a lot of mock override functions which prevent the command line > formatter from touching resources on the host in the first place. > > Better approach is to open resources in 'qemuProcessPrepareHost' and > store them in private data for command line formatting. Fake data for > tests are added in 'testCompareXMLToArgvCreateArgs'. That's nice in the fact that it eliminates the need for mock overrides (would be even *nicer* if that function had even a single line of documentation included that described its purpose, and what code in the qemu driver it should be mimicking, amirite?). But it's bad because the code in qemuProcessPrepareHost() won't be tested (can't be tested if there are no mocks for the system functions it calls). Basically you're trading the extra work of mocking system-level functions for the extra work of filling in stuff in the privateData (and the maintenance of that code), and eliminating testing of the code that's been moved (pretty *lame* testing, I'll admit, since it's getting back canned results from the fake system calls). So it's not really the panacea your advocacy implies :-) (Don't get me wrong! I've always disliked the mixing of device/file/whatever init with the commandline generating functions.) (actually a couple months ago I looked into putting the network interface "prepare" stuff into privateData similar to what's done with the slirp stuff now. In the end I gave up because it didn't provide the result I wanted - I was trying to keep track of what device prep actions had been done for which devices during domain startup so that the shutdown in case of startup failure would only shutdown those things that had actually been setup; it ended up being too complicated to make it work correctly both in the case of an aborted startup and a normal shutdown, once you took into account the possibility of libvirtd being restarted as part of a libvirt package update. I'll point out that during all my searches through the code during the experiment referenced in the previous paragraph, I never ran across testCompareXMLToArgvCreateArgs(), and didn't know of its existence (or at least didn't remember it, if I had known about it before). Is this documented somewhere? Or is it expected to be learned by reading every patch coming across the mailing list (I unfortunately fail at that in a major way)? > I'm aware though that there's a lot of "prior art" in this area though. ... and nothing in the code or the coding practices to warn against it, point people in the other direction. This sounds like another "saga" in the making - split all commandline generating functions into separate "prepare device" and "generate commandline" parts. I don't know that we should require Jonathon to change his code that much just to fix a memory leak though ... (too bad I hadn't kept up with the latest cool stuff so I would have pointed it out in review of the original patch).
On Thu, Oct 22, 2020 at 23:20:20 -0400, Laine Stump wrote: > On 10/22/20 3:01 AM, Peter Krempa wrote: > > On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: > > > On 10/21/20 5:50 PM, Jonathon Jongsma wrote: > > > > Coverity reported a potential resource leak. While it's probably not > > > > a real-world scenario, the code could technically jump to cleanup > > > > between the time that vdpafd is opened and when it is used. Ensure that > > > > it gets cleaned up in that case. > > > > > > > > Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> > > > > --- > > > > src/qemu/qemu_command.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > > > > index 5c4e37bd9e..cbe7a6e331 100644 > > > > --- a/src/qemu/qemu_command.c > > > > +++ b/src/qemu/qemu_command.c > > > > @@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > > > addfdarg = g_strdup_printf("%s,opaque=%s", fdset, > > > > net->data.vdpa.devicepath); > > > > virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); > > > > + vdpafd = -1; > > > > } > > > > if (chardev) > > > > @@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, > > > > VIR_FREE(tapfdName); > > > > VIR_FREE(vhostfd); > > > > VIR_FREE(tapfd); > > > > + if (vdpafd >= 0) > > > > + VIR_FORCE_CLOSE(vdpafd); > > > > > > VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() > > > > > > and virFileClose() is a NOP if fd < 0, so this doesn't need the conditional. > > > > > > > > > I *was* going to say "With that change, > > > > > > > > > Reviewed-by: Laine Stump <laine@redhat.com> > > > > > > " > > > > > > > > > but this got me looking at the code of the entire function rather than just > > > the diffs in the patch, and I've got a question - is there any reason that > > > you only ope n the vdpa device inside the switch, and save everything else > > > related to it until later (at the "if (vdpafd)")? You could then device > > I'd like to point out that opening anything in the command line > > formatters is IMO bad practice. > > > Well... I agree that it is an ugly design, but that's pretty much what's in > place for almost everything. Sure, but it shouldn't be used as an argument to not use a better approach. > > The command line formatter should format > > the commandline and nothing more. > > > It would be nice if that was the case, but it already isn't. :-/ No. Please don't put it this way. My message is that while the old code isn't compliant, it shouldn't be an excuse to make it worse! In this instace the code is commited. We don't need to change it, but any further change should be encouraged to use the better approach. > > This is visible by the necessity to > > have a lot of mock override functions which prevent the command line > > formatter from touching resources on the host in the first place. > > > > Better approach is to open resources in 'qemuProcessPrepareHost' and > > store them in private data for command line formatting. Fake data for > > tests are added in 'testCompareXMLToArgvCreateArgs'. > > > That's nice in the fact that it eliminates the need for mock overrides > (would be even *nicer* if that function had even a single line of > documentation included that described its purpose, and what code in the qemu > driver it should be mimicking, amirite?). I agree, documentation is lacking in many parts. This is the not-so-obvious techincal debt. > But it's bad because the code in qemuProcessPrepareHost() won't be tested > (can't be tested if there are no mocks for the system functions it calls). IMO this statement is misrepresenting what's happening. Sure qemuProcessPrepareHost can't be tested by unit testing. It's replaced by another function which fakes inputs. But that is EXACTLY what the mock functions preloaded into our tests are doing! With qemuProcessPrepareHost() you at least have one place and one function where all the code is aggregated rather than spreading it trhough the command line generator and it being very hard to audit afterwards. > Basically you're trading the extra work of mocking system-level functions > for the extra work of filling in stuff in the privateData (and the > maintenance of that code), and eliminating testing of the code that's been > moved (pretty *lame* testing, I'll admit, since it's getting back canned > results from the fake system calls). As noted before the extent of testing is exactly identical. The difference is that all the code which is touching the host is aggregated in one place and replaced by another function vs scattered accross the whole file and LD_PRELOAD-ed. > So it's not really the panacea your advocacy implies :-) > > > (Don't get me wrong! I've always disliked the mixing of device/file/whatever > init with the commandline generating functions.) > > > (actually a couple months ago I looked into putting the network interface > "prepare" stuff into privateData similar to what's done with the slirp stuff > now. In the end I gave up because it didn't provide the result I wanted - I > was trying to keep track of what device prep actions had been done for which > devices during domain startup so that the shutdown in case of startup > failure would only shutdown those things that had actually been setup; it > ended up being too complicated to make it work correctly both in the case of > an aborted startup and a normal shutdown, once you took into account the > possibility of libvirtd being restarted as part of a libvirt package update. > > > I'll point out that during all my searches through the code during the > experiment referenced in the previous paragraph, I never ran across > testCompareXMLToArgvCreateArgs(), and didn't know of its existence (or at Yup, sorry I've extracted it recently. Previously we've just piled up all the "init" code into testCompareXMLToArgv without thinking twice. > least didn't remember it, if I had known about it before). Is this > documented somewhere? Or is it expected to be learned by reading every patch > coming across the mailing list (I unfortunately fail at that in a major > way)? You see, I've failed the same way pointing out that the approach used was outdated. Also given that the documentation of the new approach would be applied via a patch, you could have missed it the same way as the patch implementing the new approach to initialize host-specific data (or it would be added at the same time). I doubt that any of us is re-reading contribution guidelines just for fun. > > I'm aware though that there's a lot of "prior art" in this area though. > > > ... and nothing in the code or the coding practices to warn against it, > point people in the other direction. Patches are welcome! :P > This sounds like another "saga" in the making - split all commandline > generating functions into separate "prepare device" and "generate > commandline" parts. I don't know that we should require Jonathon to change > his code that much just to fix a memory leak though ... (too bad I hadn't > kept up with the latest cool stuff so I would have pointed it out in review > of the original patch). As said, I'm fine with prior art. We should encourage any further contributions to avoid this pattern though. Obviously if Jonathon wants to fix it I'm all for it. The fd leak fix is fine though.
On 10/23/20 1:28 AM, Peter Krempa wrote: > On Thu, Oct 22, 2020 at 23:20:20 -0400, Laine Stump wrote: >> On 10/22/20 3:01 AM, Peter Krempa wrote: >>> On Wed, Oct 21, 2020 at 22:31:09 -0400, Laine Stump wrote: >>>> On 10/21/20 5:50 PM, Jonathon Jongsma wrote: >>>>> Coverity reported a potential resource leak. While it's probably not >>>>> a real-world scenario, the code could technically jump to cleanup >>>>> between the time that vdpafd is opened and when it is used. Ensure that >>>>> it gets cleaned up in that case. >>>>> >>>>> Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> >>>>> --- >>>>> src/qemu/qemu_command.c | 3 +++ >>>>> 1 file changed, 3 insertions(+) >>>>> >>>>> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c >>>>> index 5c4e37bd9e..cbe7a6e331 100644 >>>>> --- a/src/qemu/qemu_command.c >>>>> +++ b/src/qemu/qemu_command.c >>>>> @@ -8135,6 +8135,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, >>>>> addfdarg = g_strdup_printf("%s,opaque=%s", fdset, >>>>> net->data.vdpa.devicepath); >>>>> virCommandAddArgList(cmd, "-add-fd", addfdarg, NULL); >>>>> + vdpafd = -1; >>>>> } >>>>> if (chardev) >>>>> @@ -8204,6 +8205,8 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, >>>>> VIR_FREE(tapfdName); >>>>> VIR_FREE(vhostfd); >>>>> VIR_FREE(tapfd); >>>>> + if (vdpafd >= 0) >>>>> + VIR_FORCE_CLOSE(vdpafd); >>>> VIR_FORCE_CLOSE() ==>virForceCloseHelper() ==> virFileClose() >>>> >>>> and virFileClose() is a NOP if fd < 0, so this doesn't need the conditional. >>>> >>>> >>>> I *was* going to say "With that change, >>>> >>>> >>>> Reviewed-by: Laine Stump <laine@redhat.com> >>>> >>>> " >>>> >>>> >>>> but this got me looking at the code of the entire function rather than just >>>> the diffs in the patch, and I've got a question - is there any reason that >>>> you only ope n the vdpa device inside the switch, and save everything else >>>> related to it until later (at the "if (vdpafd)")? You could then device >>> I'd like to point out that opening anything in the command line >>> formatters is IMO bad practice. >> >> Well... I agree that it is an ugly design, but that's pretty much what's in >> place for almost everything. > Sure, but it shouldn't be used as an argument to not use a better > approach. > > >>> The command line formatter should format >>> the commandline and nothing more. >> >> It would be nice if that was the case, but it already isn't. :-/ > No. Please don't put it this way. My message is that while the old code > isn't compliant, it shouldn't be an excuse to make it worse! Yes, I can see how my statement might be misunderstood as "the battle is already lost! Give up!!", which wasn't my intent. > > In this instace the code is commited. We don't need to change it, ^^ that was more my intent, and it seems we agree. > but > any further change should be encouraged to use the better approach. > >>> This is visible by the necessity to >>> have a lot of mock override functions which prevent the command line >>> formatter from touching resources on the host in the first place. >>> >>> Better approach is to open resources in 'qemuProcessPrepareHost' and >>> store them in private data for command line formatting. Fake data for >>> tests are added in 'testCompareXMLToArgvCreateArgs'. >> >> That's nice in the fact that it eliminates the need for mock overrides >> (would be even *nicer* if that function had even a single line of >> documentation included that described its purpose, and what code in the qemu >> driver it should be mimicking, amirite?). > I agree, documentation is lacking in many parts. This is the > not-so-obvious techincal debt. > >> But it's bad because the code in qemuProcessPrepareHost() won't be tested >> (can't be tested if there are no mocks for the system functions it calls). > IMO this statement is misrepresenting what's happening. Sure > qemuProcessPrepareHost can't be tested by unit testing. It's replaced by > another function which fakes inputs. But that is EXACTLY what the mock > functions preloaded into our tests are doing! > > With qemuProcessPrepareHost() you at least have one place and one > function where all the code is aggregated Where all the code *to prepare/setup devices* is aggregated. But in the process of aggregating that code, you've *split* the code for each individual device into multiple places with possibly no overt connection between them. Which of those is better depends on what you're doing. If you're adding a new feature, it means there is one more place you have to seek out and add something to. If there is something in each of those places that causes a build error when its omitted from the additions (e.g. a switch statement that needs a new case) then everything is great, but if it's just something that people are expected to find themselves by following the bread crumbs of a similar existing feature, then it becomes more trouble. Keep in mind, I'm not saying that this is worse than the old way, just that it brings in its own new set of issues. > rather than spreading it > trhough the command line generator and it being very hard to audit > afterwards. > >> Basically you're trading the extra work of mocking system-level functions >> for the extra work of filling in stuff in the privateData (and the >> maintenance of that code), and eliminating testing of the code that's been >> moved (pretty *lame* testing, I'll admit, since it's getting back canned >> results from the fake system calls). > As noted before the extent of testing is exactly identical. Not identical. With the old method of mocking system calls, the code that, e.g., opens a file in sysfs and processes its contents is still tested (although with canned data that may not be representative of reality). With the new method, that code is segregated off and never called during testing - the "mock" is still there, just at a higher level and done by explicitly calling a different function rather than by faking out the dynamic linking. If we wanted to satisfy both the segregation of the "prepare" code and its testing, then we would need to still maintain the mocked system library functions, and initialize the privateData by calling the actual prepare code rather than the replacements in testCompareXMLToArgvCreateArgs(). (Not that I'm suggesting that's what we should do - there is a limit to everything!) > The > difference is that all the code which is touching the host is aggregated > in one place and replaced by another function vs scattered accross the > whole file and LD_PRELOAD-ed. > > >> So it's not really the panacea your advocacy implies :-) >> >> >> (Don't get me wrong! I've always disliked the mixing of device/file/whatever >> init with the commandline generating functions.) >> >> >> (actually a couple months ago I looked into putting the network interface >> "prepare" stuff into privateData similar to what's done with the slirp stuff >> now. In the end I gave up because it didn't provide the result I wanted - I >> was trying to keep track of what device prep actions had been done for which >> devices during domain startup so that the shutdown in case of startup >> failure would only shutdown those things that had actually been setup; it >> ended up being too complicated to make it work correctly both in the case of >> an aborted startup and a normal shutdown, once you took into account the >> possibility of libvirtd being restarted as part of a libvirt package update. >> >> >> I'll point out that during all my searches through the code during the >> experiment referenced in the previous paragraph, I never ran across >> testCompareXMLToArgvCreateArgs(), and didn't know of its existence (or at > Yup, sorry I've extracted it recently. Previously we've just piled up > all the "init" code into testCompareXMLToArgv without thinking twice. > >> least didn't remember it, if I had known about it before). Is this >> documented somewhere? Or is it expected to be learned by reading every patch >> coming across the mailing list (I unfortunately fail at that in a major >> way)? > You see, I've failed the same way pointing out that the approach used > was outdated. > > Also given that the documentation of the new approach would be applied > via a patch, you could have missed it the same way as the patch > implementing the new approach to initialize host-specific data (or it > would be added at the same time). I doubt that any of us is re-reading > contribution guidelines just for fun. yup. Information overload is a real thing. :-/ > >>> I'm aware though that there's a lot of "prior art" in this area though. >> >> ... and nothing in the code or the coding practices to warn against it, >> point people in the other direction. > Patches are welcome! :P Dang it!! I had that in the original draft of my message, but removed it! (Being the first person to call "Patches are welcome" in an OSS mailing list discussion is similar to being the first to call "Shotgun!!" when everyone is heading for the car to drive someplace (for non-English speakers, the "shotgun" position in a car is the front row passenger's seat, next to the window. I guess this comes from the days of stagecoaches, when the only people sitting outside were the driver, and a man sitting next to him with a shotgun (or some other type of gun), to defend the coach from roadside bandits.) > >> This sounds like another "saga" in the making - split all commandline >> generating functions into separate "prepare device" and "generate >> commandline" parts. I don't know that we should require Jonathon to change >> his code that much just to fix a memory leak though ... (too bad I hadn't >> kept up with the latest cool stuff so I would have pointed it out in review >> of the original patch). > As said, I'm fine with prior art. We should encourage any further > contributions to avoid this pattern though. Obviously if Jonathon wants > to fix it I'm all for it. The fd leak fix is fine though. > Okay, we're in agreement then. Move along! Nothing to see here! :-)
© 2016 - 2024 Red Hat, Inc.