[v4,03/45] error: Document Error API usage rules

Message ID	20200707160613.848843-4-armbru@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Markus Armbruster <armbru@redhat.com> To: qemu-devel@nongnu.org Subject: [PATCH v4 03/45] error: Document Error API usage rules Date: Tue, 7 Jul 2020 18:05:31 +0200 Message-Id: <20200707160613.848843-4-armbru@redhat.com> In-Reply-To: <20200707160613.848843-1-armbru@redhat.com> References: <20200707160613.848843-1-armbru@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=207.211.31.120; envelope-from=armbru@redhat.com; helo=us-smtp-1.mimecast.com Precedence: list Cc: peter.maydell@linaro.org, vsementsov@virtuozzo.com, berrange@redhat.com, ehabkost@redhat.com, qemu-block@nongnu.org, groug@kaod.org, pbonzini@redhat.com Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	Less clumsy error checking \| expand [v4,00/45] Less clumsy error checking [v4,01/45] error: Fix examples in error.h's big comment [v4,02/45] error: Improve error.h's big comment [v4,03/45] error: Document Error API usage rules [v4,04/45] qdev: Use returned bool to check for qdev_realize() etc. failure [v4,05/45] macio: Tidy up error handling in macio_newworld_realize() [v4,06/45] virtio-crypto-pci: Tidy up virtio_crypto_pci_realize() [v4,07/45] qemu-option: Check return value instead of @err where convenient [v4,08/45] qemu-option: Make uses of find_desc_by_name() more similar [v4,09/45] qemu-option: Factor out helper find_default_by_name() [v4,10/45] qemu-option: Simplify around find_default_by_name() [v4,11/45] qemu-option: Factor out helper opt_create() [v4,12/45] qemu-option: Replace opt_set() by cleaner opt_validate() [v4,13/45] qemu-option: Make functions taking Error return bool, not void [v4,14/45] qemu-option: Use returned bool to check for failure [v4,15/45] block: Avoid error accumulation in bdrv_img_create() [v4,16/45] hmp: Eliminate a variable in hmp_migrate_set_parameter() [v4,17/45] qapi: Make visitor functions taking Error return bool, not void [v4,18/45] qapi: Use returned bool to check for failure, Coccinelle part [v4,19/45] qapi: Use returned bool to check for failure, manual part [v4,20/45] s390x/pci: Fix harmless mistake in zpci's property fid's setter [v4,21/45] qom: Use error_reportf_err() instead of g_printerr() in examples [v4,22/45] qom: Rename qdev_get_type() to object_get_type() [v4,23/45] qom: Crash more nicely on object_property_get_link() failure [v4,24/45] qom: Don't handle impossible object_property_get_link() failure [v4,25/45] qom: Use return values to check for error where that's simpler [v4,26/45] qom: Put name parameter before value / visitor parameter [v4,27/45] qom: Make functions taking Error return bool, not void [v4,28/45] qom: Use returned bool to check for failure, Coccinelle part [v4,29/45] qom: Use returned bool to check for failure, manual part [v4,30/45] qom: Make functions taking Error return bool, not 0/-1 [v4,31/45] qdev: Make functions taking Error ** return bool, not void [v4,32/45] qdev: Use returned bool to check for failure, Coccinelle part [v4,33/45] error: Avoid unnecessary error_propagate() after error_setg() [v4,34/45] error: Eliminate error_propagate() with Coccinelle, part 1 [v4,35/45] error: Eliminate error_propagate() with Coccinelle, part 2 [v4,36/45] error: Eliminate error_propagate() manually [v4,37/45] error: Reduce unnecessary error propagation [v4,38/45] block/parallels: Simplify parallels_open() after previous commit [v4,39/45] qapi: Smooth another visitor error checking pattern [v4,40/45] qapi: Smooth visitor error checking in generated code [v4,41/45] qapi: Purge error_propagate() from QAPI core [v4,42/45] error: Avoid error_propagate() after migrate_add_blocker() [v4,43/45] qemu-img: Ignore Error objects where the return value suffices [v4,44/45] qdev: Ignore Error objects where the return value suffices [v4,45/45] hmp: Ignore Error objects where the return value suffices

Message ID

20200707160613.848843-4-armbru@redhat.com

State

New

Headers

From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PATCH v4 03/45] error: Document Error API usage rules
Date: Tue,  7 Jul 2020 18:05:31 +0200
Message-Id: <20200707160613.848843-4-armbru@redhat.com>
In-Reply-To: <20200707160613.848843-1-armbru@redhat.com>
References: <20200707160613.848843-1-armbru@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=207.211.31.120; envelope-from=armbru@redhat.com;
 helo=us-smtp-1.mimecast.com
X-Spam_score_int: -40
X-Spam_score: -4.1
X-Spam_bar: ----
X-Spam_report: (-4.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: peter.maydell@linaro.org, vsementsov@virtuozzo.com, berrange@redhat.com,
 ehabkost@redhat.com, qemu-block@nongnu.org, groug@kaod.org,
 pbonzini@redhat.com
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

Less clumsy error checking | expand

Commit Message

Markus Armbruster July 7, 2020, 4:05 p.m. UTC

This merely codifies existing practice, with one exception: the rule
advising against returning void, where existing practice is mixed.

When the Error API was created, we adopted the (unwritten) rule to
return void when the function returns no useful value on success,
unlike GError, which recommends to return true on success and false on
error then.

When a function returns a distinct error value, say false, a checked
call that passes the error up looks like

    if (!frobnicate(..., errp)) {
        handle the error...
    }

When it returns void, we need

    Error *err = NULL;

    frobnicate(..., &err);
    if (err) {
        handle the error...
        error_propagate(errp, err);
    }

Not only is this more verbose, it also creates an Error object even
when @errp is null, &error_abort or &error_fatal.

People got tired of the additional boilerplate, and started to ignore
the unwritten rule.  The result is confusion among developers about
the preferred usage.

Make the rule advising against returning void official by putting it
in writing.  This will hopefully reduce confusion.

Update the examples accordingly.

The remainder of this series will update a substantial amount of code
to honor the rule.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
---
 include/qapi/error.h | 50 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 44 insertions(+), 6 deletions(-)

Comments

Eric Blake July 7, 2020, 6:46 p.m. UTC | #1

On 7/7/20 11:05 AM, Markus Armbruster wrote:
> This merely codifies existing practice, with one exception: the rule
> advising against returning void, where existing practice is mixed.
> 
> When the Error API was created, we adopted the (unwritten) rule to
> return void when the function returns no useful value on success,
> unlike GError, which recommends to return true on success and false on
> error then.
> 

> Make the rule advising against returning void official by putting it
> in writing.  This will hopefully reduce confusion.
> 
> Update the examples accordingly.
> 
> The remainder of this series will update a substantial amount of code
> to honor the rule.
> 
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> Reviewed-by: Eric Blake <eblake@redhat.com>
> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Reviewed-by: Greg Kurz <groug@kaod.org>
> ---

> @@ -95,14 +122,12 @@
>    * Create a new error and pass it to the caller:
>    *     error_setg(errp, "situation normal, all fouled up");
>    *
> - * Call a function and receive an error from it:
> - *     Error *err = NULL;
> - *     foo(arg, &err);
> - *     if (err) {
> + * Call a function, receive an error from it, and pass it to caller

maybe s/to caller/to the caller/

> + * when the function returns a value that indicates failure, say false:
> + *     if (!foo(arg, errp)) {
>    *         handle the error...
>    *     }
> - *
> - * Receive an error and pass it on to the caller:
> + * when it doesn't, say a void function:

Hmm. It looks like you have a single sentence "Call a function... when 
the function returns", but this line now makes it obvious that you have 
a single prefix: "Call a function, ...and pass it to the caller:"
with two choices "when the function returns" and "when it doesn't".  I'm 
not sure if there is a nicer way to typeset it, adding yet another ":" 
at the end of the line looks odd.  The idea behind the text is fine, I'm 
just trying to paint the bikeshed to see if there is a better presentation.

>    *     Error *err = NULL;
>    *     foo(arg, &err);
>    *     if (err) {
> @@ -120,6 +145,19 @@
>    *     foo(arg, errp);
>    * for readability.
>    *
> + * Receive an error, and handle it locally
> + * when the function returns a value that indicates failure, say false:
> + *     Error *err = NULL;
> + *     if (!foo(arg, &err)) {
> + *         handle the error...
> + *     }
> + * when it doesn't, say a void function:

It helps that you have repeated the same pattern as above.  But that 
means if you change the layout, both groupings should have the same 
layout.  Maybe:

Intro for a task:
- when the function returns...
- when it doesn't

Also, are there functions that have a return type other than void, but 
where the return value is not an indication of error?  If there are, 
then the "say a void function" clause makes sense (but we should 
probably recommend against such functions); if there are not, then "say 
a void function" reads awkwardly.  Maybe:

- when it does not, because it is a void function:

> + *     Error *err = NULL;
> + *     foo(arg, &err);
> + *     if (err) {
> + *         handle the error...
> + *     }
> + *
>    * Receive and accumulate multiple errors (first one wins):
>    *     Error *err = NULL, *local_err = NULL;
>    *     foo(arg, &err);
>

Markus Armbruster July 7, 2020, 7:23 p.m. UTC | #2

Eric Blake <eblake@redhat.com> writes:

> On 7/7/20 11:05 AM, Markus Armbruster wrote:
>> This merely codifies existing practice, with one exception: the rule
>> advising against returning void, where existing practice is mixed.
>>
>> When the Error API was created, we adopted the (unwritten) rule to
>> return void when the function returns no useful value on success,
>> unlike GError, which recommends to return true on success and false on
>> error then.
>>
>
>> Make the rule advising against returning void official by putting it
>> in writing.  This will hopefully reduce confusion.
>>
>> Update the examples accordingly.
>>
>> The remainder of this series will update a substantial amount of code
>> to honor the rule.
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> Reviewed-by: Eric Blake <eblake@redhat.com>
>> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>> Reviewed-by: Greg Kurz <groug@kaod.org>
>> ---
>
>> @@ -95,14 +122,12 @@
>>    * Create a new error and pass it to the caller:
>>    *     error_setg(errp, "situation normal, all fouled up");
>>    *
>> - * Call a function and receive an error from it:
>> - *     Error *err = NULL;
>> - *     foo(arg, &err);
>> - *     if (err) {
>> + * Call a function, receive an error from it, and pass it to caller
>
> maybe s/to caller/to the caller/

Yes.

>> + * when the function returns a value that indicates failure, say false:
>> + *     if (!foo(arg, errp)) {
>>    *         handle the error...
>>    *     }
>> - *
>> - * Receive an error and pass it on to the caller:
>> + * when it doesn't, say a void function:
>
> Hmm. It looks like you have a single sentence "Call a function... when
> the function returns", but this line now makes it obvious that you
> have a single prefix: "Call a function, ...and pass it to the caller:"
> with two choices "when the function returns" and "when it doesn't".
> I'm not sure if there is a nicer way to typeset it, adding yet another
> ":" at the end of the line looks odd.  The idea behind the text is
> fine, I'm just trying to paint the bikeshed to see if there is a
> better presentation.
>
>>    *     Error *err = NULL;
>>    *     foo(arg, &err);
>>    *     if (err) {
>> @@ -120,6 +145,19 @@
>>    *     foo(arg, errp);
>>    * for readability.
>>    *
>> + * Receive an error, and handle it locally
>> + * when the function returns a value that indicates failure, say false:
>> + *     Error *err = NULL;
>> + *     if (!foo(arg, &err)) {
>> + *         handle the error...
>> + *     }
>> + * when it doesn't, say a void function:
>
> It helps that you have repeated the same pattern as above.  But that
> means if you change the layout, both groupings should have the same
> layout.  Maybe:
>
> Intro for a task:
> - when the function returns...
> - when it doesn't
>
> Also, are there functions that have a return type other than void, but
> where the return value is not an indication of error?  If there are,

Yes, there are such functions.

> then the "say a void function" clause makes sense (but we should
> probably recommend against such functions); if there are not, then
> "say a void function" reads awkwardly.  Maybe:
>
> - when it does not, because it is a void function:

What about

  - when it does not, say because it is a void function:

>> + *     Error *err = NULL;
>> + *     foo(arg, &err);
>> + *     if (err) {
>> + *         handle the error...
>> + *     }
>> + *
>>    * Receive and accumulate multiple errors (first one wins):
>>    *     Error *err = NULL, *local_err = NULL;
>>    *     foo(arg, &err);
>>

Thanks!

Eric Blake July 7, 2020, 7:47 p.m. UTC | #3

On 7/7/20 2:23 PM, Markus Armbruster wrote:

>> It helps that you have repeated the same pattern as above.  But that
>> means if you change the layout, both groupings should have the same
>> layout.  Maybe:
>>
>> Intro for a task:
>> - when the function returns...
>> - when it doesn't
>>
>> Also, are there functions that have a return type other than void, but
>> where the return value is not an indication of error?  If there are,
> 
> Yes, there are such functions.
> 
>> then the "say a void function" clause makes sense (but we should
>> probably recommend against such functions); if there are not, then
>> "say a void function" reads awkwardly.  Maybe:
>>
>> - when it does not, because it is a void function:
> 
> What about
> 
>    - when it does not, say because it is a void function:

Reasonable.

diff --git a/include/qapi/error.h b/include/qapi/error.h
index 6d079c58b7..3fed49747d 100644
--- a/include/qapi/error.h
+++ b/include/qapi/error.h
@@ -15,6 +15,33 @@ 
 /*
  * Error reporting system loosely patterned after Glib's GError.
  *
+ * = Rules =
+ *
+ * - Functions that use Error to report errors have an Error **errp
+ *   parameter.  It should be the last parameter, except for functions
+ *   taking variable arguments.
+ *
+ * - You may pass NULL to not receive the error, &error_abort to abort
+ *   on error, &error_fatal to exit(1) on error, or a pointer to a
+ *   variable containing NULL to receive the error.
+ *
+ * - Separation of concerns: the function is responsible for detecting
+ *   errors and failing cleanly; handling the error is its caller's
+ *   job.  Since the value of @errp is about handling the error, the
+ *   function should not examine it.
+ *
+ * - On success, the function should not touch *errp.  On failure, it
+ *   should set a new error, e.g. with error_setg(errp, ...), or
+ *   propagate an existing one, e.g. with error_propagate(errp, ...).
+ *
+ * - Whenever practical, also return a value that indicates success /
+ *   failure.  This can make the error checking more concise, and can
+ *   avoid useless error object creation and destruction.  Note that
+ *   we still have many functions returning void.  We recommend
+ *   • bool-valued functions return true on success / false on failure,
+ *   • pointer-valued functions return non-null / null pointer, and
+ *   • integer-valued functions return non-negative / negative.
+ *
  * = Creating errors =
  *
  * Create an error:
@@ -95,14 +122,12 @@ 
  * Create a new error and pass it to the caller:
  *     error_setg(errp, "situation normal, all fouled up");
  *
- * Call a function and receive an error from it:
- *     Error *err = NULL;
- *     foo(arg, &err);
- *     if (err) {
+ * Call a function, receive an error from it, and pass it to caller
+ * when the function returns a value that indicates failure, say false:
+ *     if (!foo(arg, errp)) {
  *         handle the error...
  *     }
- *
- * Receive an error and pass it on to the caller:
+ * when it doesn't, say a void function:
  *     Error *err = NULL;
  *     foo(arg, &err);
  *     if (err) {
@@ -120,6 +145,19 @@ 
  *     foo(arg, errp);
  * for readability.
  *
+ * Receive an error, and handle it locally
+ * when the function returns a value that indicates failure, say false:
+ *     Error *err = NULL;
+ *     if (!foo(arg, &err)) {
+ *         handle the error...
+ *     }
+ * when it doesn't, say a void function:
+ *     Error *err = NULL;
+ *     foo(arg, &err);
+ *     if (err) {
+ *         handle the error...
+ *     }
+ *
  * Receive and accumulate multiple errors (first one wins):
  *     Error *err = NULL, *local_err = NULL;
  *     foo(arg, &err);

[v4,03/45] error: Document Error API usage rules

Commit Message

Comments

Patch