Re: [PATCH v4 2/3] module: add Error arguments to module_load_one and module_load_qom_one

[Claudio Fontana]

On 9/22/22 15:34, Philippe Mathieu-Daudé wrote:
> On Thu, Sep 22, 2022 at 3:20 PM Markus Armbruster <armbru@redhat.com> wrote:
>>
>> Claudio Fontana <cfontana@suse.de> writes:
>>
>> [...]
>>
>>> I think it would be better to completely make the return value separate 
>>> from the Error,
>>> and really treat Error as an exception and not mix it up with the regular 
>>> execution,
>>>
>>> but if it is the general consensus that I am the only one seeing this 
>>> conflation problem we can model it this way too.
>>
>> It's a matter of language pragmatics.  In Java, you throw an exception
>> on error.  In C, you return an error value.
>>
>> Trying to emulate exceptions in C might be even more unadvisable than
>> trying to avoid them in Java.  Best to work with the language, not
>> against it.
>>
>> Trouble is the error values we can conveniently return in C can't convey
>> enough information.  So we use Error for that.  Just like GLib uses
>> GError.
>>
>> More modern languages do "return error value" much better than C can.  C
>> is what it is.
>>
>> We could certainly argue how to do better than we do now in QEMU's C
>> code.  However, the Error API is used all over the place, which makes
>> changing it expensive.  "Rethinking the whole Error API" (your words)
>> would have to generate benefits worth this expense.  Which seems
>> unlikely.
> 
> QEMU Error* and GLib GError are designed to report recoverable runtime 
> *errors*.
> 
> There is or is no error. A boolean return value seems appropriate.
> 
> We are bikeshedding about the API because we are abusing it in a non-error 
> case.

Agreed.

> 
> If we want to try to load an optional module, the Error* argument is
> not the proper way to return the information regarding why we couldn't
> load.

Mostly agree. If an _actual_ terrible Error happens when loading an optional 
module (I/O error, multiple module exist for the same QOM type, module 
architecture incompatible etc, module directory permissions are wrong, etc) I'd 
argue we have to provide this information too,

ie in the case of a catastrophic error when loading the optional module, we 
should at least provide the information to the caller and let it decide what to 
do with it,
maybe even just warn and continue, maybe do nothing, caller choice.

> 
> In both cases we want to know if the module was loaded. If this is an
> optional module, we don't care why it couldn't be loaded.

We don't care if the module is not present, but the caller _may_ care to at 
least report if the module is present (and thus the user expects the 
functionality to be available),
but it could not be loaded because of a catastrophic I/O error. I am 
deliberately exaggerating for the benefit of clarity.

> 
> So trying to make everybody happy:
> 
>   // Return true if the module could be loaded, otherwise return false
> and errp contains the error.
>  bool module_load_one(const char *prefix, const char *name, Error *errp);
> 
>   // Return true if the module could be loaded, false otherwise.
>   bool module_try_load_one(const char *prefix, const char *name);