From nobody Thu Nov 6 16:05:57 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1489386368485160.35828784819205; Sun, 12 Mar 2017 23:26:08 -0700 (PDT) Received: from localhost ([::1]:50382 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnJQk-0004BC-AS for importer@patchew.org; Mon, 13 Mar 2017 02:26:06 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52288) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnJJn-0007YO-V9 for qemu-devel@nongnu.org; Mon, 13 Mar 2017 02:19:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnJJj-0003Yp-Tv for qemu-devel@nongnu.org; Mon, 13 Mar 2017 02:18:55 -0400 Received: from mx1.redhat.com ([209.132.183.28]:33480) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cnJJj-0003XP-Lp for qemu-devel@nongnu.org; Mon, 13 Mar 2017 02:18:51 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C745761B86; Mon, 13 Mar 2017 06:18:51 +0000 (UTC) Received: from blackfin.pond.sub.org (ovpn-116-55.ams2.redhat.com [10.36.116.55]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v2D6IoKo018099 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 13 Mar 2017 02:18:51 -0400 Received: by blackfin.pond.sub.org (Postfix, from userid 1000) id 294AA11386CE; Mon, 13 Mar 2017 07:18:47 +0100 (CET) From: Markus Armbruster To: qemu-devel@nongnu.org Date: Mon, 13 Mar 2017 07:18:05 +0100 Message-Id: <1489385927-6735-6-git-send-email-armbru@redhat.com> In-Reply-To: <1489385927-6735-1-git-send-email-armbru@redhat.com> References: <1489385927-6735-1-git-send-email-armbru@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Mon, 13 Mar 2017 06:18:51 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-2.9 05/47] qapi: Have each QAPI schema declare its returns white-list X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: marcandre.lureau@redhat.com, mdroth@linux.vnet.ibm.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" qapi.py has a hardcoded white-list of command names that may violate the rules on permitted return types. Add a new pragma directive 'returns-whitelist', and use it to replace the hard-coded white-list. Signed-off-by: Markus Armbruster Reviewed-by: Eric Blake --- docs/qapi-code-gen.txt | 13 +++++++------ qapi-schema.json | 12 ++++++++++++ qga/qapi-schema.json | 15 +++++++++++++++ scripts/qapi.py | 30 +++++++++-------------------= -- tests/qapi-schema/qapi-schema-test.json | 7 +++++++ tests/qapi-schema/returns-whitelist.err | 2 +- tests/qapi-schema/returns-whitelist.json | 4 ++++ 7 files changed, 55 insertions(+), 28 deletions(-) diff --git a/docs/qapi-code-gen.txt b/docs/qapi-code-gen.txt index d9c1f91..e907e57 100644 --- a/docs/qapi-code-gen.txt +++ b/docs/qapi-code-gen.txt @@ -315,6 +315,9 @@ The dictionary's entries are pragma names and values. Pragma 'doc-required' takes a boolean value. If true, documentation is required. Default is false. =20 +Pragma 'returns-whitelist' takes a list of command names that may +violate the rules on permitted return types. Default is none. + =20 =3D=3D=3D Struct types =3D=3D=3D =20 @@ -563,12 +566,10 @@ The member is optional from the command declaration; = if absent, the "return" member will be an empty dictionary. If 'returns' is present, it must be the string name of a complex or built-in type, a one-element array containing the name of a complex or built-in type. -Although it is permitted to have the 'returns' member name a built-in -type or an array of built-in types, any command that does this cannot -be extended to return additional information in the future; thus, new -commands should strongly consider returning a dictionary-based type or -an array of dictionaries, even if the dictionary only contains one -member at the present. +To return anything else, you have to list the command in pragma +'returns-whitelist'. If you do this, the command cannot be extended +to return additional information in the future. Use of +'returns-whitelist' for new commands is strongly discouraged. =20 All commands in Client JSON Protocol use a dictionary to report failure, with no way to specify that in QAPI. Where the error return diff --git a/qapi-schema.json b/qapi-schema.json index d5438ee..93e9e98 100644 --- a/qapi-schema.json +++ b/qapi-schema.json @@ -51,6 +51,18 @@ =20 { 'pragma': { 'doc-required': true } } =20 +# Whitelists to permit QAPI rule violations; think twice before you +# add to them! +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'human-monitor-command', + 'qom-get', + 'query-migrate-cache-size', + 'query-tpm-models', + 'query-tpm-types', + 'ringbuf-read' ] } } + # QAPI common definitions { 'include': 'qapi/common.json' } =20 diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 3f3d428..a8e4bda 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -13,6 +13,21 @@ =20 { 'pragma': { 'doc-required': true } } =20 +# Whitelists to permit QAPI rule violations; think twice before you +# add to them! +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'guest-file-open', + 'guest-fsfreeze-freeze', + 'guest-fsfreeze-freeze-list', + 'guest-fsfreeze-status', + 'guest-fsfreeze-thaw', + 'guest-get-time', + 'guest-set-vcpus', + 'guest-sync', + 'guest-sync-delimited' ] } } + ## # @guest-sync-delimited: # diff --git a/scripts/qapi.py b/scripts/qapi.py index 29a8b77..a90b682 100644 --- a/scripts/qapi.py +++ b/scripts/qapi.py @@ -41,26 +41,7 @@ builtin_types =3D { doc_required =3D False =20 # Whitelist of commands allowed to return a non-dictionary -returns_whitelist =3D [ - # From QMP: - 'human-monitor-command', - 'qom-get', - 'query-migrate-cache-size', - 'query-tpm-models', - 'query-tpm-types', - 'ringbuf-read', - - # From QGA: - 'guest-file-open', - 'guest-fsfreeze-freeze', - 'guest-fsfreeze-freeze-list', - 'guest-fsfreeze-status', - 'guest-fsfreeze-thaw', - 'guest-get-time', - 'guest-set-vcpus', - 'guest-sync', - 'guest-sync-delimited', -] +returns_whitelist =3D [] =20 # Whitelist of entities allowed to violate case conventions case_whitelist =3D [ @@ -317,12 +298,19 @@ class QAPISchemaParser(object): self.docs.extend(exprs_include.docs) =20 def _pragma(self, name, value, info): - global doc_required + global doc_required, returns_whitelist if name =3D=3D 'doc-required': if not isinstance(value, bool): raise QAPISemError(info, "Pragma 'doc-required' must be boolean") doc_required =3D value + elif name =3D=3D 'returns-whitelist': + if (not isinstance(value, list) + or any([not isinstance(elt, str) for elt in value])): + raise QAPISemError(info, + "Pragma returns-whitelist must be" + " a list of strings") + returns_whitelist =3D value else: raise QAPISemError(info, "Unknown pragma '%s'" % name) =20 diff --git a/tests/qapi-schema/qapi-schema-test.json b/tests/qapi-schema/qa= pi-schema-test.json index 1719463..842ea3c 100644 --- a/tests/qapi-schema/qapi-schema-test.json +++ b/tests/qapi-schema/qapi-schema-test.json @@ -3,6 +3,13 @@ # This file is a stress test of supported qapi constructs that must # parse and compile correctly. =20 +# Whitelists to permit QAPI rule violations +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'guest-get-time', + 'guest-sync' ] } } + { 'struct': 'TestStruct', 'data': { 'integer': 'int', 'boolean': 'bool', 'string': 'str' } } =20 diff --git a/tests/qapi-schema/returns-whitelist.err b/tests/qapi-schema/re= turns-whitelist.err index f47c1ee..b2ba7a9 100644 --- a/tests/qapi-schema/returns-whitelist.err +++ b/tests/qapi-schema/returns-whitelist.err @@ -1 +1 @@ -tests/qapi-schema/returns-whitelist.json:10: 'returns' for command 'no-way= -this-will-get-whitelisted' cannot use built-in type 'int' +tests/qapi-schema/returns-whitelist.json:14: 'returns' for command 'no-way= -this-will-get-whitelisted' cannot use built-in type 'int' diff --git a/tests/qapi-schema/returns-whitelist.json b/tests/qapi-schema/r= eturns-whitelist.json index e8b3cea..da20932 100644 --- a/tests/qapi-schema/returns-whitelist.json +++ b/tests/qapi-schema/returns-whitelist.json @@ -1,4 +1,8 @@ # we enforce that 'returns' be a dict or array of dict unless whitelisted + +{ 'pragma': { 'returns-whitelist': [ + 'human-monitor-command', 'query-tpm-models', 'guest-get-time' ] } } + { 'command': 'human-monitor-command', 'data': {'command-line': 'str', '*cpu-index': 'int'}, 'returns': 'str' } --=20 2.7.4