[05/56] qmp-test: Cover syntax and lexical errors

Message ID	20180808120334.10970-6-armbru@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Markus Armbruster <armbru@redhat.com> To: qemu-devel@nongnu.org Date: Wed, 8 Aug 2018 14:02:43 +0200 Message-Id: <20180808120334.10970-6-armbru@redhat.com> In-Reply-To: <20180808120334.10970-1-armbru@redhat.com> References: <20180808120334.10970-1-armbru@redhat.com> Subject: [Qemu-devel] [PATCH 05/56] qmp-test: Cover syntax and lexical errors Precedence: list Cc: marcandre.lureau@redhat.com, mdroth@linux.vnet.ibm.com Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	json: Fixes, error reporting improvements, cleanups \| expand [00/56] json: Fixes, error reporting improvements, cleanups [01/56] check-qjson: Cover multiple JSON objects in same string [02/56] check-qjson: Cover blank and lexically erroneous input [03/56] check-qjson: Cover whitespace more thoroughly [04/56] qmp-cmd-test: Split off qmp-test [05/56] qmp-test: Cover syntax and lexical errors [06/56] test-qga: Clean up how we test QGA synchronization [07/56] check-qjson: Cover escaped characters more thoroughly, part 1 [08/56] check-qjson: Streamline escaped_string()'s test strings [09/56] check-qjson: Cover escaped characters more thoroughly, part 2 [10/56] check-qjson: Drop redundant string tests [11/56] check-qjson: Cover UTF-8 in single quoted strings [12/56] check-qjson: Simplify utf8_string() [13/56] check-qjson: Fix utf8_string() to test all invalid sequences [14/56] check-qjson qmp-test: Cover control characters more thoroughly [15/56] check-qjson: Cover interpolation more thoroughly [16/56] json: Fix lexer to include the bad character in JSON_ERROR token [17/56] json: Reject unescaped control characters [18/56] json: Revamp lexer documentation [19/56] json: Tighten and simplify qstring_from_escaped_str()'s loop [20/56] check-qjson: Document we expect invalid UTF-8 to be rejected [21/56] json: Reject invalid UTF-8 sequences [22/56] json: Report first rather than last parse error [23/56] json: Leave rejecting invalid UTF-8 to parser [24/56] json: Accept overlong \xC0\x80 as U+0000 ("modified UTF-8") [25/56] json: Leave rejecting invalid escape sequences to parser [26/56] json: Simplify parse_string() [27/56] json: Reject invalid \uXXXX, fix \u0000 [28/56] json: Fix \uXXXX for surrogate pairs [29/56] check-qjson: Fix and enable utf8_string()'s disabled part [30/56] json: remove useless return value from lexer/parser [31/56] json-parser: simplify and avoid JSONParserContext allocation [32/56] json: Have lexer call streamer directly [33/56] json: Redesign the callback to consume JSON values [34/56] json: Don't pass null @tokens to json_parser_parse() [35/56] json: Don't create JSON_ERROR tokens that won't be used [36/56] json: Rename token JSON_ESCAPE & friends to JSON_INTERPOL [37/56] json: Treat unwanted interpolation as lexical error [38/56] json: Pass lexical errors and limit violations to callback [39/56] json: Leave rejecting invalid interpolation to parser [40/56] json: Replace %I64d, %I64u by %PRId64, %PRIu64 [41/56] json: Nicer recovery from invalid leading zero [42/56] json: Improve names of lexer states related to numbers [43/56] qjson: Fix qobject_from_json() & friends for multiple values [44/56] json: Fix latent parser aborts at end of input [45/56] json: Fix streamer not to ignore trailing unterminated structures [46/56] json: Assert json_parser_parse() consumes all tokens on success [47/56] qjson: Have qobject_from_json() & friends reject empty and blank [48/56] json: Enforce token count and size limits more tightly [49/56] json: Streamline json_message_process_token() [50/56] json: Unbox tokens queue in JSONMessageParser [51/56] json: Eliminate lexer state IN_ERROR and pseudo-token JSON_MIN [52/56] json: Eliminate lexer state IN_WHITESPACE, pseudo-token JSON_SKIP [53/56] json: Make JSONToken opaque outside json-parser.c [54/56] qobject: Drop superfluous includes of qemu-common.h [55/56] json: Clean up headers [56/56] docs/interop/qmp-spec: How to force known good parser state

Message ID

20180808120334.10970-6-armbru@redhat.com

State

New

Headers

From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Date: Wed,  8 Aug 2018 14:02:43 +0200
Message-Id: <20180808120334.10970-6-armbru@redhat.com>
In-Reply-To: <20180808120334.10970-1-armbru@redhat.com>
References: <20180808120334.10970-1-armbru@redhat.com>
Subject: [Qemu-devel] [PATCH 05/56] qmp-test: Cover syntax and lexical errors
Precedence: list
Cc: marcandre.lureau@redhat.com, mdroth@linux.vnet.ibm.com
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

json: Fixes, error reporting improvements, cleanups | expand

Signed-off-by: Markus Armbruster <armbru@redhat.com> --- tests/libqtest.c | 17 +++++++++++++++++ tests/libqtest.h | 11 +++++++++++ tests/qmp-test.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+)

Comments

Eric Blake Aug. 9, 2018, 1:42 p.m. UTC | #1

On 08/08/2018 07:02 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>   tests/libqtest.c | 17 +++++++++++++++++
>   tests/libqtest.h | 11 +++++++++++
>   tests/qmp-test.c | 39 +++++++++++++++++++++++++++++++++++++++
>   3 files changed, 67 insertions(+)
> 

> +    /* lexical error: impossible byte outside string */
> +    qtest_qmp_send_raw(qts, "{\xFF");

\xff is an impossible byte inside a string as well; plus it has special 
meaning to at least QMP for commanding a parser reset. Is a better byte 
more appropriate (maybe \x7f), either in replacement to \xff or as an 
additional test?

> +    resp = qtest_qmp_receive(qts);
> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
> +    qobject_unref(resp);
> +    g_assert(recovered(qts));
> +
> +    /* lexical error: impossible byte in string */
> +    qtest_qmp_send_raw(qts, "{'bad \xFF");

Same question about \xff being special as the parser reset command, so 
should we test a different byte instead/as well?

> +    resp = qtest_qmp_receive(qts);
> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
> +    qobject_unref(resp);
> +    g_assert(recovered(qts));
> +
> +    /* lexical error: interpolation */
> +    qtest_qmp_send_raw(qts, "%%p\n");
> +    resp = qtest_qmp_receive(qts);
> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
> +    qobject_unref(resp);
> +    g_assert(recovered(qts));
> +
>       /* Not even a dictionary */
>       resp = qtest_qmp(qts, "null");
>       g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
>

Markus Armbruster Aug. 10, 2018, 1:52 p.m. UTC | #2

Eric Blake <eblake@redhat.com> writes:

> On 08/08/2018 07:02 AM, Markus Armbruster wrote:
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>>   tests/libqtest.c | 17 +++++++++++++++++
>>   tests/libqtest.h | 11 +++++++++++
>>   tests/qmp-test.c | 39 +++++++++++++++++++++++++++++++++++++++
>>   3 files changed, 67 insertions(+)
>>
>
>> +    /* lexical error: impossible byte outside string */
>> +    qtest_qmp_send_raw(qts, "{\xFF");
>
> \xff is an impossible byte inside a string as well; plus it has
> special meaning to at least QMP for commanding a parser reset. Is a
> better byte more appropriate (maybe \x7f), either in replacement to
> \xff or as an additional test?

\xFF is documented to have special meaning for QGA, but as far as the
code's concerned, it's a lexical error like any other.  I'm fixing the
documentation in PATCH 56.  Want me to move that patch to the front of
the series?

>> +    resp = qtest_qmp_receive(qts);
>> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
>> +    qobject_unref(resp);
>> +    g_assert(recovered(qts));
>> +
>> +    /* lexical error: impossible byte in string */
>> +    qtest_qmp_send_raw(qts, "{'bad \xFF");
>
> Same question about \xff being special as the parser reset command, so
> should we test a different byte instead/as well?
>
>> +    resp = qtest_qmp_receive(qts);
>> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
>> +    qobject_unref(resp);
>> +    g_assert(recovered(qts));
>> +
>> +    /* lexical error: interpolation */
>> +    qtest_qmp_send_raw(qts, "%%p\n");
>> +    resp = qtest_qmp_receive(qts);
>> +    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
>> +    qobject_unref(resp);
>> +    g_assert(recovered(qts));
>> +
>>       /* Not even a dictionary */
>>       resp = qtest_qmp(qts, "null");
>>       g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
>>

Eric Blake Aug. 10, 2018, 2:06 p.m. UTC | #3

On 08/10/2018 08:52 AM, Markus Armbruster wrote:

>>> +    /* lexical error: impossible byte outside string */
>>> +    qtest_qmp_send_raw(qts, "{\xFF");
>>
>> \xff is an impossible byte inside a string as well; plus it has
>> special meaning to at least QMP for commanding a parser reset. Is a
>> better byte more appropriate (maybe \x7f), either in replacement to
>> \xff or as an additional test?
> 
> \xFF is documented to have special meaning for QGA, but as far as the
> code's concerned, it's a lexical error like any other.  I'm fixing the
> documentation in PATCH 56.  Want me to move that patch to the front of
> the series?

Might not hurt. We also have a potential design decision to make: for 
most lexical errors, we report the error (with QGA, the user then 
requests that the first valid command after the client's induced lexical 
error also include an 0xff reply byte so that the client can easily skip 
over all the line noise, including said error reports).  Thus, we COULD 
decide to make our parser specifically accept 0xff as a new token, 
different from the lexical error token, so that it inhibits wasted error 
messages to the client on the grounds that the client sent it on 
purpose, differently from all other ways the client can use a lexical 
error to cause a reset.

Markus Armbruster Aug. 16, 2018, 12:44 p.m. UTC | #4

Eric Blake <eblake@redhat.com> writes:

> On 08/10/2018 08:52 AM, Markus Armbruster wrote:
>
>>>> +    /* lexical error: impossible byte outside string */
>>>> +    qtest_qmp_send_raw(qts, "{\xFF");
>>>
>>> \xff is an impossible byte inside a string as well; plus it has
>>> special meaning to at least QMP for commanding a parser reset. Is a
>>> better byte more appropriate (maybe \x7f), either in replacement to
>>> \xff or as an additional test?
>>
>> \xFF is documented to have special meaning for QGA, but as far as the
>> code's concerned, it's a lexical error like any other.  I'm fixing the
>> documentation in PATCH 56.  Want me to move that patch to the front of
>> the series?
>
> Might not hurt. We also have a potential design decision to make: for
> most lexical errors, we report the error (with QGA, the user then
> requests that the first valid command after the client's induced
> lexical error also include an 0xff reply byte so that the client can
> easily skip over all the line noise, including said error reports).
> Thus, we COULD decide to make our parser specifically accept 0xff as a
> new token, different from the lexical error token, so that it inhibits
> wasted error messages to the client on the grounds that the client
> sent it on purpose, differently from all other ways the client can use
> a lexical error to cause a reset.

I don't think that's worthwhile.  Let me explain.

I see one and a half use cases.

The full use case is of course QGA synchronization.  Why is that even
necessary?  I believe it's a work-around for transports that fail to
provide proper connection semantics, such as virtio-serial.

When a transport provides it (sockets do), every connection starts with
a clean slate.  The only way it can get de-synchronized is either peer
getting confused enough to send garbage, and then it's probably best to
close the session and start over.  Evidence: we don't bother with
synchronization for QMP, which commonly uses socket transports.

I guess the problem for QGA is reconnecting with virtio-serial.  The
slate isn't clean then.  If the previous connection left some of the
peer's output unread, you'll get that before your own, and it may not be
valid JSON.  Same for the other direction.

To reset the peer's parser, we provoke a lexical error by sending \xFF.

We still have to read and ignore stale peer output.  We do that with the
help of command guest-sync-delimited.  Whether lexical error caused by
\xFF are suppressed or not makes no appreciable difference.

I therefore think suppressing it is not worth the bother.  What we have
seems good enough.

The half use case is human interactive use.  It's fairly easy to
miscount parenthesis and get the peer into some unresponsive state.
Provoking a lexical error lets me start over.  However, I'd rather not
use \xFF to provoke it, because how do you type that?  Sending a
suitable ASCII control character is easier, and will do the trick after
PATCH 17 fixes our JSON parser.

diff --git a/tests/libqtest.c b/tests/libqtest.c
index 3706f30aa2..c02fc91b37 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -586,6 +586,23 @@  void qtest_qmp_send(QTestState *s, const char *fmt, ...)
     va_end(ap);
 }
 
+void qtest_qmp_send_raw(QTestState *s, const char *fmt, ...)
+{
+    bool log = getenv("QTEST_LOG") != NULL;
+    va_list ap;
+    char *str;
+
+    va_start(ap, fmt);
+    str = g_strdup_vprintf(fmt, ap);
+    va_end(ap);
+
+    if (log) {
+        fprintf(stderr, "%s", str);
+    }
+    socket_send(s->qmp_fd, str, strlen(str));
+    g_free(str);
+}
+
 QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event)
 {
     QDict *response;
diff --git a/tests/libqtest.h b/tests/libqtest.h
index def1edaafa..1e831973ff 100644
--- a/tests/libqtest.h
+++ b/tests/libqtest.h
@@ -96,6 +96,17 @@  QDict *qtest_qmp(QTestState *s, const char *fmt, ...)
 void qtest_qmp_send(QTestState *s, const char *fmt, ...)
     GCC_FMT_ATTR(2, 3);
 
+/**
+ * qtest_qmp_send_raw:
+ * @s: #QTestState instance to operate on.
+ * @fmt...: text to send, formatted like sprintf()
+ *
+ * Sends text to the QMP monitor verbatim.  Need not be valid JSON;
+ * this is useful for negative tests.
+ */
+void qtest_qmp_send_raw(QTestState *s, const char *fmt, ...)
+    GCC_FMT_ATTR(2, 3);
+
 /**
  * qtest_qmpv:
  * @s: #QTestState instance to operate on.
diff --git a/tests/qmp-test.c b/tests/qmp-test.c
index b6eff4fe97..5e56be105e 100644
--- a/tests/qmp-test.c
+++ b/tests/qmp-test.c
@@ -42,10 +42,49 @@  static void test_version(QObject *version)
     visit_free(v);
 }
 
+static bool recovered(QTestState *qts)
+{
+    QDict *resp;
+    bool ret;
+
+    resp = qtest_qmp(qts, "{ 'execute': 'no-such-cmd' }");
+    ret = !strcmp(get_error_class(resp), "CommandNotFound");
+    qobject_unref(resp);
+    return ret;
+}
+
 static void test_malformed(QTestState *qts)
 {
     QDict *resp;
 
+    /* syntax error */
+    qtest_qmp_send_raw(qts, "{]\n");
+    resp = qtest_qmp_receive(qts);
+    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
+    qobject_unref(resp);
+    g_assert(recovered(qts));
+
+    /* lexical error: impossible byte outside string */
+    qtest_qmp_send_raw(qts, "{\xFF");
+    resp = qtest_qmp_receive(qts);
+    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
+    qobject_unref(resp);
+    g_assert(recovered(qts));
+
+    /* lexical error: impossible byte in string */
+    qtest_qmp_send_raw(qts, "{'bad \xFF");
+    resp = qtest_qmp_receive(qts);
+    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
+    qobject_unref(resp);
+    g_assert(recovered(qts));
+
+    /* lexical error: interpolation */
+    qtest_qmp_send_raw(qts, "%%p\n");
+    resp = qtest_qmp_receive(qts);
+    g_assert_cmpstr(get_error_class(resp), ==, "GenericError");
+    qobject_unref(resp);
+    g_assert(recovered(qts));
+
     /* Not even a dictionary */
     resp = qtest_qmp(qts, "null");
     g_assert_cmpstr(get_error_class(resp), ==, "GenericError");

[05/56] qmp-test: Cover syntax and lexical errors

Commit Message

Comments

Patch