object_new() has a failure scenario where it will assert() if given
an abstract type. Callers which are creating objects based on user
input, or unknown/untrusted type names, must manually check the
result of object_class_is_abstract() before calling object_new()
to propagate an Error, instead of asserting.

Introduce an object_new_dynamic() method which is a counterpart to
object_new() that directly returns an Error, instead of asserting.
This new method is to be used where the typename is specified
dynamically by code separate from the immediate caller.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qom/object.h | 27 +++++++++++++++++++++++++++
qom/object.c | 6 ++++++
2 files changed, 33 insertions(+)
diff --git a/include/qom/object.h b/include/qom/object.h
index 222c60e205..8c2f3551c5 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -624,14 +624,41 @@ Object *object_new_with_class(ObjectClass *klass, Error **errp);
* object_new:
* @typename: The name of the type of the object to instantiate.
*
+ * This method should be used where @typename is statically specified
+ * from a const string at build time, where the caller does not expect
+ * failure to be possible.
+ *
* This function will initialize a new object using heap allocated memory.
* The returned object has a reference count of 1, and will be freed when
* the last reference is dropped.
*
+ * If an instance of @typename is not permitted to be instantiated, an
+ * assert will be raised. This can happen if @typename is abstract.
+ *
* Returns: The newly allocated and instantiated object.
*/
Object *object_new(const char *typename);
+/**
+ * object_new_dynamic:
+ * @typename: The name of the type of the object to instantiate.
+ * @errp: pointer to be filled with error details on failure
+ *
+ * This method should be used where @typename is dynamically chosen
+ * at runtime, which has the possibility of unexpected choices leading
+ * to failures.
+ *
+ * This function will initialize a new object using heap allocated memory.
+ * The returned object has a reference count of 1, and will be freed when
+ * the last reference is dropped.
+ *
+ * If an instance of @typename is not permitted to be instantiated, an
+ * error will be raised. This can happen if @typename is abstract.
+ *
+ * Returns: The newly allocated and instantiated object.
+ */
+Object *object_new_dynamic(const char *typename, Error **errp);
+
/**
* object_new_with_props:
* @typename: The name of the type of the object to instantiate.
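Review bot: the object_new_dynamic() doc block documents only the abstract-type failure ("an error will be raised. This can happen if @typename is abstract") and leaves the other dynamic-input failure, a @typename that names no registered type, unmentioned, even though the commit message cites "unknown/untrusted type names" as the motivation. The contract should also be stated in the usual QEMU form so callers know to test the return value; for example replace `+ * Returns: The newly allocated and instantiated object.` with `+ * Returns: The newly allocated and instantiated object, or NULL on failure with @errp set.` and add a sentence covering the unknown-type case alongside the abstract one.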
diff --git a/qom/object.c b/qom/object.c
index 1f139aa9c8..1ed62dc2c9 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -807,6 +807,12 @@ Object *object_new(const char *typename)
return object_new_with_type(ti, &error_abort);
}
+Object *object_new_dynamic(const char *typename, Error **errp)
+{
+ TypeImpl *ti = type_get_by_name(typename);
+
+ return object_new_with_type(ti, errp);
+}
Object *object_new_with_props(const char *typename,
Object *parent,
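Review bot: `+ TypeImpl *ti = type_get_by_name(typename);` is handed straight to object_new_with_type() with no NULL check, so when the dynamically supplied name is not a registered type the outcome depends entirely on how object_new_with_type() treats a NULL type, which is not visible in this hunk; for the untrusted-name use case the commit message describes, that case should report through @errp explicitly rather than rely on the callee. Consider a guard before the call, e.g. `if (!ti) { error_setg(errp, "unknown type '%s'", typename); return NULL; }`, which also keeps the function's behaviour independent of the assertion-based checks object_new() relies on.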
--
2.46.0
On Thu, Oct 31, 2024 at 03:53:49PM +0000, Daniel P. Berrangé wrote:
> object_new() has a failure scenario where it will assert() if given
> an abstract type. Callers which are creating objects based on user
> input, or unknown/untrusted type names, must manually check the
> result of object_class_is_abstract() before calling object_new()
> to propagate an Error, instead of asserting.
>
> Introduce a object_new_dynamic() method which is a counterpart to
> object_new() that directly returns an Error, instead of asserting.
> This new method is to be used where the typename is specified
> dynamically by code separate from the immediate caller.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Needs some patch order changes.. v.s. the previous one.

Thanks,

-- 
Peter Xu
On Thu, Oct 31, 2024 at 03:22:07PM -0400, Peter Xu wrote:
> On Thu, Oct 31, 2024 at 03:53:49PM +0000, Daniel P. Berrangé wrote:
> > object_new() has a failure scenario where it will assert() if given
> > an abstract type. Callers which are creating objects based on user
> > input, or unknown/untrusted type names, must manually check the
> > result of object_class_is_abstract() before calling object_new()
> > to propagate an Error, instead of asserting.
> >
> > Introduce a object_new_dynamic() method which is a counterpart to
> > object_new() that directly returns an Error, instead of asserting.
> > This new method is to be used where the typename is specified
> > dynamically by code separate from the immediate caller.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>
> Needs some patch order changes.. v.s. the previous one.

Opps, yes, of course.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|