Re: [Qemu-devel] [PATCH v15 23/23] qapi: Change visit_type_FOO() to no longer return partial objects

[Markus Armbruster]

Eric Blake <address@hidden> writes:

> Returning a partial object on error is an invitation for a careless
> caller to leak memory.  We already fixed things in an earlier
> patch to guarantee NULL if visit_start fails ("qapi: Guarantee
> NULL obj on input visitor callback error"), but that does not
> help the case where visit_start succeeds but some other failure
> happens before visit_end, such that we leak a partially constructed
> object outside visit_type_FOO(). As no one outside the testsuite
> was actually relying on these semantics, it is cleaner to just
> document and guarantee that ALL pointer-based visit_type_FOO()
> functions always leave a safe value in *obj during an input visitor
> (either the new object on success, or NULL if an error is
> encountered), so callers can now unconditionally use
> qapi_free_FOO() to clean up regardless of whether an error occurred.
>
> The decision is done by adding visit_is_input(), then updating the
> generated code to check if additional cleanup is needed based on
> the type of visitor in use.
>
> Note that we still leave *obj unchanged after a scalar-based
> visit_type_FOO(); I did not feel like auditing all uses of
> visit_type_Enum() to see if the callers would tolerate a specific
> sentinel value (not to mention having to decide whether it would
> be better to use 0 or ENUM__MAX as that sentinel).
>
> Signed-off-by: Eric Blake <address@hidden>
[...]
> diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c
> index e6d57f3..b30a22e 100644
> --- a/qapi/qapi-visit-core.c
> +++ b/qapi/qapi-visit-core.c
> @@ -48,6 +48,7 @@ void visit_end_struct(Visitor *v)
>      v->end_struct(v);
>  }
>
> +
>  void visit_start_list(Visitor *v, const char *name, GenericList **list,
>                        size_t size, Error **errp)
>  {

Spurious hunk.  Can drop on commit.

[...]