Re: [PATCH 08/20] python/machine.py: fix _popen access

[John Snow]

On 10/7/20 6:07 AM, Kevin Wolf wrote:
> Am 07.10.2020 um 01:58 hat John Snow geschrieben:
> > As always, Optional[T] causes problems with unchecked access. Add a
> > helper that asserts the pipe is present before we attempt to talk with
> > it.
> >
> > Signed-off-by: John Snow <jsnow@redhat.com>
>
> First a question about the preexisting state: I see that after
> initialising self._popen once, we never reset it to None. Should we do
> so on shutdown?

Yup, we should.

> >   python/qemu/machine.py | 16 +++++++++++-----
> >   1 file changed, 11 insertions(+), 5 deletions(-)
> >
> > diff --git a/python/qemu/machine.py b/python/qemu/machine.py
> > index 3e9cf09fd2d..4e762fcd529 100644
> > --- a/python/qemu/machine.py
> > +++ b/python/qemu/machine.py
> > @@ -131,7 +131,7 @@ def __init__(self, binary, args=None, wrapper=None, 
> > name=None,
> >           # Runstate
> >           self._qemu_log_path = None
> >           self._qemu_log_file = None
> > -        self._popen = None
> > +        self._popen: Optional['subprocess.Popen[bytes]'] = None
>
> Another option that we have, especially if it's an attribute that is
> never reset, would be to set the attribute only when it first gets a
> value other than None. Accessing it while it hasn't been set yet
> automatically results in an AttributeError. I don't think that's much
> worse than the exception raised explicitly in a property wrapper.
>
> In this case, you would only declare the type in __init__, but not
> assign a value to it:
>
>      self._popen: Optional['subprocess.Popen[bytes]']

If you do this, you can just declare it as non-Optional. Whenever it 
exists, it is definitely a subprocess.Popen[bytes].

> Maybe a nicer alternative in some cases than adding properties around
> everything.
>
> Instead of checking for None, you would then have to use hasattr(),
> which is a bit uglier, so I guess it's mainly for attributes where you
> can assume that you will always have a value (if the caller isn't buggy)
> and therefore don't even have a check in most places.

As long as the style checkers are OK with that sort of thing. After a 
very quick test, it seems like they might be.

Generally, we run into trouble because pylint et al want variables to be 
declared in __init__, but doing so requires Optional[T] most of the time 
to allow something to be initialized later.

A lot of our stateful objects have this kind of pattern. QAPIGen has a 
ton of it. machine.py has a ton of it too.

You can basically imply the stateful check by just foregoing the actual 
initialization, which trades the explicit check for the implicit one 
when you get the AttributeError.

This is maybe more convenient -- less code to write, certainly. The 
error message you get I think is going to be a little worse, though.

I think I have been leaning towards the cute little @property shims 
because it follows a familiar OO model where a specific class always has 
a finite set of properties that does not grow or shrink. You can also 
use the shim to give a meaningful error that might be nicer to read than 
the AttributeError.

I'm open to suggestions on better patterns. I had considered at one 
point that it might be nice to split Machine out into a version with and 
without the console to make stronger typing guarantees. It has 
implications for how shutdown and cleanup and so on is handled, too.

(I had some WIP patches to do this, but I think I got a little stuck 
making the code pretty, and then the release, and then I got busy, and...)

> >           self._events = []
> >           self._iolog = None
> >           self._qmp_set = True   # Enable QMP monitor by default.
> > @@ -244,6 +244,12 @@ def is_running(self):
> >           """Returns true if the VM is running."""
> >           return self._popen is not None and self._popen.poll() is None
> >   
> > +    @property
> > +    def _subp(self) -> 'subprocess.Popen[bytes]':
> > +        if self._popen is None:
> > +            raise QEMUMachineError('Subprocess pipe not present')
> > +        return self._popen
> > +
> >       def exitcode(self):
> >           """Returns the exit code if possible, or None."""
> >           if self._popen is None:
>
> Of course, even if an alternative is possible, what you have is still
> correct.
>
> Reviewed-by: Kevin Wolf <kwolf@redhat.com>

Thanks; I'll continue with this for now, but I really am open to talking 
about better ways to model the common pattern of "Optional sub-feature 
for a class that can be engaged post-initialization".

It's an interesting typing problem. If we were using semantic types, 
what we are describing is an f(x) such that:

f(object-without-feature) -> object-with-feature

It's a kind of semantic cast where we are doing something akin to an 
in-place transformation of a base type to a subtype. I'm not sure I have 
encountered any language that actually intentionally supports such a 
paradigm.

(Maybe haskell? I just assume haskell can do everything if you learn to 
lie to computers well enough.)

--js