I've typed error_report("%s", error_get_pretty(ERR)) too many times
already, and I've fixed too many instances of qerror_report_err(ERR)
to error_report("%s", error_get_pretty(ERR)) as well.  Capture the
pattern in a convenience function.

Since it's almost invariably followed by error_free(), stuff that into
the convenience function as well.

The next patch will put it to use.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

uri_resolve_relative() calls strcmp(bas->path, ref->path).  However,
either argument could be null!  Evidence: the code checks for null
after the comparison.  Spotted by Coverity.

I suspect this was screwed up when we stole the code from libxml2.
There the conditional reads

    xmlStrEqual((xmlChar *)bas->path, (xmlChar *)ref->path)

with

    int
    xmlStrEqual(const xmlChar *str1, const xmlChar *str2) {
	if (str1 == str2) return(1);
	if (str1 == NULL) return(0);
	if (str2 == NULL) return(0);
	do {
	    if (*str1++ != *str2) return(0);
	} while (*str2++);
	return(1);
    }

Fix by replicating libxml2's logic faithfully.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Spotted by Coverity with preview checker ALLOC_FREE_MISMATCH enabled
and my "coverity: Model g_free() isn't necessarily free()" model patch
applied.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

get_opt_value() takes a write-only buffer, so zeroing it is pointless.
We don't do it elsewhere, either.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

The size of the stack allocated host[] array didn't account for the
terminating '\0' byte that sscanf() writes. Fix the array size.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NJohn Snow <jsnow@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

bits is checked to be 128, 192 or 256 at the beginning of the function.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Coverity complains about not checking the returned value of mkstemp.  While
at it, also improve error checking for snprintf, and refine error messages
in general.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Asynchronous callbacks provided by call_rcu are particularly important
for QEMU, because the BQL makes it hard to use synchronize_rcu.

In addition, the current RCU implementation is not particularly friendly
to multiple concurrent synchronize_rcu callers, making call_rcu even
more important.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This includes a (mangled) copy of the liburcu code.  The main changes
are: 1) removing dependencies on many other header files in liburcu; 2)
removing for simplicity the tentative busy waiting in synchronize_rcu,
which has limited performance effects; 3) replacing futexes in
synchronize_rcu with QemuEvents for Win32 portability.  The API is
the same as liburcu, so it should be possible in the future to require
liburcu on POSIX systems for example and use our copy only on Windows.

Among the various versions available I chose urcu-mb, which is the
least invasive implementation even though it does not have the
fastest rcu_read_{lock,unlock} implementation.  The urcu flavor can
be changed later, after benchmarking.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This had a possible deadlock that was visible with rcutorture.

    qemu_event_set                    qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_cond_broadcast
                                      futex_wait: pthread_cond_wait
                                      <deadlock>

The fix is simply to avoid condvar tricks and do the obvious locking
around pthread_cond_broadcast:

    qemu_event_set        qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_mutex_lock
    (blocks)
                                      futex_wait: pthread_cond_wait
    (mutex unlocked)
    futex_wake: pthread_cond_broadcast
    futex_wake: pthread_mutex_unlock
                                      futex_wait: pthread_mutex_unlock

Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Destructors are the main additional feature of pthread TLS compared
to __thread.  If we were using C++ (hint, hint!) we could have used
thread-local objects with a destructor.  Since we are not, instead,
we add a simple Notifier-based API.

Note that the notifier must be per-thread as well.  We can add a
global list as well later, perhaps.

The Win32 implementation has some complications because a) detached
threads used not to have a QemuThreadData; b) the main thread does
not go through win32_start_routine, so we have to use atexit too.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Message-id: 1417518350-6167-3-git-send-email-pbonzini@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Change the message printing code to output a separator for each option
string before it instead of after, then we don't one more extra ' ' in
the end.

To update qemu-iotests output files, most of the times one would just
copy the *.out.bad to *.out. With this change we will not have the
space disliked by checkpatch.pl.
Signed-off-by: NFam Zheng <famz@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Message-id: 1418110684-19528-3-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
for two reasons.  One, it catches multiplication overflowing size_t.
Two, it returns T * rather than void *, which lets the compiler catch
more type errors.

This commit only touches allocations with size arguments of the form
sizeof(T).
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

introduce memory_region_get_alignment() that returns
underlying memory block alignment or 0 if it's not
relevant/implemented for backend.
Signed-off-by: NIgor Mammedov <imammedo@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

If 'i != index' for all acl->entries, variable
entry leaks the storage it points to.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Currently, when the preallocating guest memory process fails, a not
so helpful error message is printed out:

    # virsh start migt10
    error: Failed to start domain migt10
    error: internal error: process exited while connecting to monitor:
    os_mem_prealloc: failed to preallocate pages

From the error message it's not clear at the first glance where the
problem lies. However, changing the error message might give users a
clue.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

An error value here would be quite handy and more consistent
with the rest of the code.
Signed-off-by: NCorey Minyard <cminyard@mvista.com>
[Make sure SO_ERROR value is passed to error_setg_errno. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Needed to nicely print socket error reports.
Signed-off-by: NCorey Minyard <cminyard@mvista.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

IDs have long spread beyond QemuOpts: not everything with an ID
necessarily goes through QemuOpts.  Commit 9aebf3b8 is about such a
case: block layer names are meant to be well-formed IDs, but some of
them don't go through QemuOpts, and thus weren't checked.  The commit
fixed that the straightforward way: rename the internal QemuOpts
helper id_wellformed() to qemu_opts_id_wellformed() and give it
external linkage.

Instead of using it directly in block.c, the commit adds wrapper
bdrv_is_valid_name(), probably to hide the connection to QemuOpts.

Go one logical step further: emancipate IDs from QemuOpts.  Rename the
function back to id_wellformed(), and put it in another file.  While
there, clean up its value to bool.  Peel off the bdrv_is_valid_name()
wrapper.

[Replaced stray return 0 with return false to match bool returns used
elsewhere in id_wellformed().
--Stefan]
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The QERR_ macros are leftovers from the days of "rich" error objects.
They're used with error_set() and qerror_report(), and expand into the
first *two* arguments.  This trickiness has become pointless.  Clean
up.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

The device_name of a BlockDriverState is currently checked because it is
always used as a QemuOpts ID and qemu_opts_create() checks whether such
IDs are wellformed.

node-name is supposed to share the same namespace, but it isn't checked
currently. This patch adds explicit checks both for device_name and
node-name so that the same rules will still apply even if QemuOpts won't
be used any more at some point.

qemu-img used to use names with spaces in them, which isn't allowed any
more. Replace them with underscores.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

Currently you can specify whether you want a UDP chardev backend
to be IPv4 or IPv6 using the ipv4 or ipv6 options if you use the
QemuOpts parsing code in inet_dgram_opts(). However the QMP struct
parsing code in socket_dgram() doesn't provide this flexibility
(which in turn prevents us from converting the UDP backend handling
to the new style QAPI framework).

Use the existing inet_addr_to_opts() function to convert the
remote->inet address to option strings; this handles ipv4 and
ipv6 flags as well as host and port. (It will also convert any
'to' specification, which is harmless as it is ignored in this
context.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1409653457-27863-3-git-send-email-peter.maydell@linaro.org

Reported-by: NPeter Maydell <peter.maydell@linaro.org>
Tested-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

So that we won't have an empty getauxval.o which is disliked by ranlib.
Reported-by: NPeter Maydell <peter.maydell@linaro.org>
Tested-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In this file, we don't check the return value of malloc/strdup/realloc which may fail.
Instead of using these routines, we use the GLib memory APIs g_malloc/g_strdup/g_realloc.
They will exit on allocation failure, so there is no need to test for failure,
which would be fine for setup.
Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: NAlex Bennée <alex.bennee@linaro.org>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

imitate nearby code about using '!value' or 'value == NULL'
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

This function returns NULL instead of aborting when an allocation fails.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NBenoit Canet <benoit@irqsave.net>

The current implementation depends on a configure-time generated list of
block modules. When any of them is absent, module_load() emits a warning.

This is suboptimal because extracting code to modules was mainly done to
allow separate packaging of modules with intrusive dependencies. Absence
of optional packages then leads to absence of modules and an error
message, which users may recognize as new and report as error.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The file path is not used for error reporting, so we can free it
directly after use.
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If the size of the scatter/gather list isn't a multiple of 512, the
number of sectors for the block layer request is rounded down, resulting
in a qiov that doesn't match the request length. Truncate the qiov to the
new length of the request.

This fixes the IDE qtest case /x86_64/ide/bmdma/short_prdt.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Newer versions of gcc report a warning (or an error with -Werror) when
compiler option -Wclobbered (or -Wextra) is active:

util/oslib-posix.c:372:12: error:
 variable ‘hpagesize’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered]

The rewritten code fixes this warning: variable 'hpagesize' is now set and
used in a block without any call of sigsetjmp or similar functions.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

When running a libvirt test suite I've noticed the qemu-img is
crashing occasionally. Tracing the problem down led me to the
following valgrind output:

qemu.git $ valgrind -q ./qemu-img create -f qed -obacking_file=/dev/null,backing_fmt=raw qed
==14881== Invalid write of size 8
==14881==    at 0x1D263F: qemu_opts_create (qemu-option.c:692)
==14881==    by 0x130782: bdrv_img_create (block.c:5531)
==14881==    by 0x118DE0: img_create (qemu-img.c:462)
==14881==    by 0x11E7E4: main (qemu-img.c:2830)
==14881==  Address 0x11fedd38 is 24 bytes inside a block of size 232 free'd
==14881==    at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14881==    by 0x592D35E: g_realloc (in /usr/lib64/libglib-2.0.so.0.3800.2)
==14881==    by 0x1D38D8: qemu_opts_append (qemu-option.c:1129)
==14881==    by 0x13075E: bdrv_img_create (block.c:5528)
==14881==    by 0x118DE0: img_create (qemu-img.c:462)
==14881==    by 0x11E7E4: main (qemu-img.c:2830)
==14881==
Formatting 'qed', fmt=qed size=0 backing_file='/dev/null' backing_fmt='raw' cluster_size=65536
==14881== Invalid write of size 8
==14881==    at 0x1D28BE: qemu_opts_del (qemu-option.c:750)
==14881==    by 0x130BF3: bdrv_img_create (block.c:5638)
==14881==    by 0x118DE0: img_create (qemu-img.c:462)
==14881==    by 0x11E7E4: main (qemu-img.c:2830)
==14881==  Address 0x11fedd38 is 24 bytes inside a block of size 232 free'd
==14881==    at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14881==    by 0x592D35E: g_realloc (in /usr/lib64/libglib-2.0.so.0.3800.2)
==14881==    by 0x1D38D8: qemu_opts_append (qemu-option.c:1129)
==14881==    by 0x13075E: bdrv_img_create (block.c:5528)
==14881==    by 0x118DE0: img_create (qemu-img.c:462)
==14881==    by 0x11E7E4: main (qemu-img.c:2830)
==14881==

The problem is apparently in the qemu_opts_append(). Well, if it
gets called twice or more. On the first call, when @dst is NULL
some initialization is done during which @dst->head list gets
initialized. The list is initialized in a way, so that the list
tail points at the list head. However, the next time
qemu_opts_append() is called for new options to be added,
g_realloc() may move @dst to a new address making the old list tail
point at an invalid address. If that's the case, we must update the
list pointers.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

SPICE_INITIALIZED, SPICE_CONNECTED, SPICE_DISCONNECTED and
SPICE_MIGRATE_COMPLETED are converted in one patch, since they
use some common functions. inet_strfamily() is removed since no
callers exist anymore.

Note that there is no existing doc for SPICE_MIGRATE_COMPLETED
in docs/qmp/qmp-events.txt before this patch.
Signed-off-by: NWenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

In order to let event defines use existing types later, instead of
redefine new ones, some old type defines for spice and vnc are changed,
and BlockErrorAction is moved from block.h to qapi schema. Note that
BlockErrorAction is not merged with BlockdevOnError.

At this point, VncInfo is not made a child of VncBasicInfo, because
VncBasicInfo has mandatory fields where VncInfo makes them optional.
Signed-off-by: NWenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

As a "utility", it only supported ppc, and in a way that other
tcg backends provided directly in tcg-target.h.  Removing this
disparity is easier now that the two ppc backends are merged.
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NRichard Henderson <rth@twiddle.net>