[Spice-devel] spice-server, logging and style

Jonathon Jongsma jjongsma at redhat.com
Wed Nov 25 09:32:58 PST 2015


On Tue, 2015-11-24 at 06:20 -0500, Frediano Ziglio wrote:
> > 
> > On Mon, Nov 23, 2015 at 12:28:49PM -0500, Frediano Ziglio wrote:
> > > > Maybe you are suggesting more or less the same thing :).
> > > > To me, from worst to "less worse", when something unexpected happens:
> > > > - not detected, code continues running but behaves unpredictably (can
> > > >   easily lead to a security vulnerability if this can be triggered from
> > > >   the guest)
> > > > - detect the condition, and abort (assert())
> > > > - detect the condition, log it, and keep running (return_if_fail())
> > > > 
> > > 
> > > In some conditions point 3 can be the same as point 1, so the order is a
> > > bit scary to me. The return creates two paths (taken or not) which
> > > should be considered. The spice_assert has only one path; the condition
> > > is met!
> > > 
> > > > asserting is more comfortable for us developers, and probably easier,
> > > > but this also means we are killing a user VM, so this should not be done
> > > > lightly, which is why return_if_fail() is vastly better.
> > > > It's probably not always possible to easily deal gracefully with such
> > > > conditions, so yes, assert() is still an option when we don't have
> > > > better choices.
> > > > 
> > > > Christophe
> > > > 
> > > 
> > > Well, what's worse than killing a VM? Letting the host die because we
> > > are too lazy!
> > 
> > Yes, this is #1 in my list, and it's listed as worse than #2...
> > 
> > Christophe
> > 
> 
> #3 (g_return_if family) can lead to host crash too.


I think the point is to only use return_if_fail() in cases that don't lead to
crashes.


Jonathon
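To make the three options in the thread concrete, here is an added example in C (my own, not code from spice-server or from anyone in this thread): a guest message validated first with assert() and then with a g_return_val_if_fail()-style early return, plus a caller that actually handles the second path the early return creates. The macro, the GuestMessage struct and the sample payload are constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for glib's g_return_val_if_fail(): log, then take the early-return
 * path. Constructed for this example; spice-server uses the real glib macro. */
#define return_val_if_fail(cond, val) do { if (!(cond)) { \
        fprintf(stderr, "%s: check '%s' failed\n", __func__, #cond); \
        return (val); } } while (0)

/* Constructed guest message: the length the guest claims can disagree with
 * the number of bytes that actually arrived. */
typedef struct { uint32_t declared_len; size_t actual_len; const uint8_t *data; } GuestMessage;

enum { HANDLE_OK = 0, HANDLE_REJECTED = -1 };

/* Option 2 in the thread: detect and abort. A single path, but a malformed
 * message from the guest takes the whole VM session down with it. */
uint32_t checksum_or_abort(const GuestMessage *msg)
{
    assert(msg->declared_len <= msg->actual_len);
    uint32_t sum = 0;
    for (uint32_t i = 0; i < msg->declared_len; i++) sum += msg->data[i];
    return sum;
}

/* Option 3: detect, log, return. This is the second path Frediano points at:
 * the result goes out through a pointer and the caller must check the code. */
int checksum_or_reject(const GuestMessage *msg, uint32_t *out)
{
    return_val_if_fail(msg != NULL && out != NULL, HANDLE_REJECTED);
    return_val_if_fail(msg->declared_len <= msg->actual_len, HANDLE_REJECTED);
    uint32_t sum = 0;
    for (uint32_t i = 0; i < msg->declared_len; i++) sum += msg->data[i];
    *out = sum;
    return HANDLE_OK;
}

/* A caller that handles the failure path: drop the offending client, never
 * trust *sum, keep the host running. Returns 1 if the client stays connected. */
int handle_message(uint32_t declared_len, uint32_t *sum)
{
    static const uint8_t received[4] = { 1, 2, 3, 4 };  /* constructed payload */
    GuestMessage msg = { declared_len, sizeof received, received };
    if (checksum_or_reject(&msg, sum) != HANDLE_OK) {
        *sum = 0;   /* failure path: result is unusable */
        return 0;   /* disconnect this client only */
    }
    return 1;
}
```

The oversized case is the one that matters: with the abort variant it ends the session, with the early-return variant only the offending client is dropped, and only because the caller checks the return code instead of reading the result anyway.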


