Eric Blake <ebl...@redhat.com> writes: > Returning a partial object on error is an invitation for a careless > caller to leak memory. We already fixed things in an earlier > patch to guarantee NULL if visit_start fails ("qapi: Guarantee > NULL obj on input visitor callback error"), but that does not > help the case where visit_start succeeds but some other failure > happens before visit_end, such that we leak a partially constructed > object outside visit_type_FOO(). As no one outside the testsuite > was actually relying on these semantics, it is cleaner to just > document and guarantee that ALL pointer-based visit_type_FOO() > functions always leave a safe value in *obj during an input visitor > (either the new object on success, or NULL if an error is > encountered), so callers can now unconditionally use > qapi_free_FOO() to clean up regardless of whether an error occurred. > > The decision is done by adding visit_is_input(), then updating the > generated code to check if additional cleanup is needed based on > the type of visitor in use. > > Note that we still leave *obj unchanged after a scalar-based > visit_type_FOO(); I did not feel like auditing all uses of > visit_type_Enum() to see if the callers would tolerate a specific > sentinel value (not to mention having to decide whether it would > be better to use 0 or ENUM__MAX as that sentinel). > > Signed-off-by: Eric Blake <ebl...@redhat.com> [...] > diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c > index e6d57f3..b30a22e 100644 > --- a/qapi/qapi-visit-core.c > +++ b/qapi/qapi-visit-core.c > @@ -48,6 +48,7 @@ void visit_end_struct(Visitor *v) > v->end_struct(v); > } > > + > void visit_start_list(Visitor *v, const char *name, GenericList **list, > size_t size, Error **errp) > {
Spurious hunk. Can drop on commit. [...]