qemu-devel

Re: Maximum QMP reply size


From: Daniel P . Berrangé
Subject: Re: Maximum QMP reply size
Date: Mon, 26 Sep 2022 09:17:33 +0100
User-agent: Mutt/2.2.6 (2022-06-05)

On Fri, Sep 23, 2022 at 03:51:48PM -0400, John Snow wrote:
> On Wed, Sep 7, 2022 at 7:54 AM Markus Armbruster <armbru@redhat.com> wrote:
> >
> > John Snow <jsnow@redhat.com> writes:
> >
> > > Hi, I suspect I have asked this before, but I didn't write it down in
> > > a comment, so I forget my justification...
> > >
> > > In the QMP lib, we need to set a buffering limit for how big a QMP
> > > message can be -- In practice, I found that the largest possible
> > > response was the QAPI schema reply, and I set the code to this:
> > >
> > >     # Maximum allowable size of read buffer
> > >     _limit = (64 * 1024)
> > >
> > > However, I didn't document if this was a reasonable limit or just a
> > > "worksforme" one. I assume that there's no hard limit for the protocol
> > > or the implementation thereof in QEMU. Is there any kind of value here
> > > that would be more sensible than another?
> > >
> > > I'm worried that if replies get bigger in the future (possibly in some
> > > degenerate case I am presently unaware of) that the library default
> > > will become nonsensical.
> > >
> > > Any pointers/tips?
> >
> > Peter and Daniel already provided some.  I can add a bit of insight into
> > how QMP output works in QEMU, which may or may not help you.
> >
> > QEMU executes one command after the other.  A command's response
> > (success or failure) is a QDict.  Which is then formatted as JSON and
> > appended to the monitor's output buffer.
> >
> > Events work similarly.
> >
> > The conversion to JSON does not limit the resulting string's size.  If
> > it runs out of memory, QEMU dies.
> >
> > The output buffer is also unbounded.  It drains into the monitor's
> > character device.
> >
> > If the QMP client sends enough commands without reading their responses,
> > QEMU can run out of memory and die.
> >
> > Now I'm ready to go back to your question, which is about a *single*
> > message (QMP command response or event): nothing in QEMU limits the size
> > of the QMP output message text.
> >
> > Weak consolation: I guess QEMU is somewhat likely to run out of memory
> > and die before your client software does.  That's because QDict is a
> > > pig: an empty one eats 4120 Bytes on my system.  Compares unfavourably
> > to its text representation "{}".
> >
> 
> (Oops, I realize that my response was never sent, sending that now:)
> 
> Thanks for the responses, everyone.
> 
> I think I will leave it at 64KB for now, but the limit is absolutely
> configurable; I will just document what the limit is and document how
> to change it in the case you want to use QMP to do some really heavy
> lifting. In practice, there's no unit test in our tree currently that
> seems to blow through the 64KB, but I'll just make sure to pay some
> attention to it in the docs.
>
> ... Or, maybe I'll set it to 10MB to match libvirt ("Well, it's good
> enough for this other project" is always a fantastic justification),
> but I need to profile how Python actually behaves in this case. If
> it's just an upper-bound, I think that's no problem at all.

I feel like we should have a spec update that gives some guidance for
conforming impls in a few areas now. The current spec as written is
quite flexible, but in practice impls have made some assumptions to
simplify life, and we ought to try to include those as recommendations
to keep alignment. I feel this is especially valuable now that we're
talking about providing many official QEMU language bindings. On my
list so far I see

  1. Maximum message size
  2. Maximum structure nesting
  3. Messages terminated by a newline


> PS: After reading further discussion that has happened since: The
> problem is the readline buffer size in Python; since we don't have a
> "streaming" JSON parser, we rely on readline to get "the next chunk of
> data", and that buffer has a limit it adheres to. It is possible that
> in the future if we switch to a different parsing method that this
> limit would "go away", but it's not clear that this is a great idea.
> In practice, it's probably reasonable that the client dies on input of
> a certain size. Probably.

AFAIK, the readline method does not limit itself by default, it will
just read until newline. It is unsafe to use readline on untrusted
input sources unless you pass the 'limit' parameter to set an upper
limit for line length.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
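
Added example (not part of the message above, and not code from QEMU or its QMP library): a client-side reader that enforces the three limits listed in the reply, namely maximum message size, maximum nesting and newline termination, by passing a size to `readline`. The names `read_message`, `nesting_depth`, `LimitExceeded`, the `MAX_DEPTH` value and the sample bytes are assumptions made for illustration; `stream` is assumed to be a blocking binary file object such as the result of `socket.makefile("rb")`.

```python
import json

MAX_BYTES = 64 * 1024  # assumed default; the thread mentions 64KB and 10MB
MAX_DEPTH = 32         # assumed value; the thread names no number

class LimitExceeded(ValueError):
    """A message broke the size or nesting limit (hypothetical name)."""

def nesting_depth(line: bytes) -> int:
    """Deepest {}/[] nesting, ignoring brackets inside JSON strings."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in line:
        if in_string:
            if escaped:
                escaped = False
            elif ch == 0x5C:    # backslash starts an escape
                escaped = True
            elif ch == 0x22:    # unescaped quote ends the string
                in_string = False
        elif ch == 0x22:
            in_string = True
        elif ch in b"{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in b"}]":
            depth -= 1
    return deepest

def read_message(stream, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return one newline-terminated JSON message, or None at EOF."""
    # readline(size) returns at most `size` bytes, so a peer that never
    # sends a newline cannot make us buffer more than max_bytes + 1.
    line = stream.readline(max_bytes + 1)
    if not line:
        return None
    if not line.endswith(b"\n"):
        if len(line) > max_bytes:
            raise LimitExceeded(f"no newline within {max_bytes} bytes")
        raise EOFError("stream ended mid-message")
    # Depth is checked on the raw bytes before the parser builds anything.
    if nesting_depth(line) > max_depth:
        raise LimitExceeded(f"nesting deeper than {max_depth}")
    return json.loads(line)

# Constructed sample: a small reply, a deeply nested line, an unterminated run.
SAMPLE = b'{"return": {}}\n' + b"[" * 40 + b"]" * 40 + b"\n" + b"A" * 200
```

After `LimitExceeded` the stream position is inside a message, so the caller should close the connection instead of reading on.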



