qemu/hw
Eric Blake 262a69f428 osdep.h: Prohibit disabling assert() in supported builds
We already have several files that knowingly require assert()
to work, sometimes because refactoring the code for proper
error handling has not been tackled yet; there are probably
other files that have a similar situation but with no comments
documenting the same.  In fact, we have places in migration
that handle untrusted input with assertions, where disabling
the assertions risks a worse security hole than the current
behavior of losing the guest to SIGABRT when migration fails
because of the assertion.  Promote our current per-file
safety-valve to instead be project-wide, and expand it to also
cover glib's g_assert().

Note that we do NOT want to encourage 'assert(side-effects);'
(that is a bad practice that prevents copy-and-paste of code to
other projects that CAN disable assertions; plus it costs
unnecessary reviewer mental cycles to remember whether a project
special-cases the crippling of asserts); and we would LIKE to
fix migration to not rely on asserts (but that takes a big code
audit).  But in the meantime, we DO want to send a message
that anyone that disables assertions has to tweak code in order
to compile, making it obvious that they are taking on additional
risk that we are not going to support.  At the same time, leave
comments mentioning NDEBUG in files that we know still need to
be scrubbed, so there is at least something to grep for.

It would be possible to come up with some other mechanism for
doing runtime checking by default, but which does not abort
the program on failure, while leaving side effects in place
(unlike how crippling assert() avoids even the side effects),
perhaps under the name q_verify(); but it was not deemed worth
the effort (developers should not have to learn a replacement
when the standard C macro works just fine, and it would be a lot
of churn for little gain).  The patch specifically uses #error
rather than #warn so that a user is forced to tweak the header
to acknowledge the issue, even when not using a -Werror
compilation.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>

Message-Id: <20170911211320.25385-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-09-19 16:20:49 +02:00
..
9pfs 9pfs: local: clarify fchmodat_nofollow() implementation 2017-09-05 17:56:58 +02:00
acpi Convert multi-line fprintf() to warn_report() 2017-09-19 14:09:34 +02:00
adc
alpha alpha: replace cpu_alpha_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
arm General warn report fixups 2017-09-19 14:09:34 +02:00
audio audio: intel-hda: do not use old_mmio accesses 2017-09-18 13:13:32 +02:00
block scsi: move block/scsi.h to include/scsi/constants.h 2017-09-19 14:09:31 +02:00
bt bt: stop the sdp memory allocation craziness 2017-08-01 17:27:33 +02:00
char qapi: Mechanically convert FOO_lookup[...] to FOO_str(...) 2017-09-04 13:09:13 +02:00
core fw_cfg: rename read callback 2017-09-08 16:15:17 +03:00
cpu cpu: don't allow negative core id 2017-08-02 18:30:13 -03:00
cris cris: replace cpu_cris_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
display virtio-gpu: don't clear QemuUIInfo information on reset 2017-09-13 09:39:32 +02:00
dma xilinx_axidma: Convert to DEFINE_PROP_LINK 2017-09-07 13:54:51 +01:00
gpio qdev: Replace cannot_instantiate_with_device_add_yet with !user_creatable 2017-05-17 10:37:00 -03:00
i2c ppc4xx_i2c: Move to hw/i2c 2017-09-08 09:30:55 +10:00
i386 General warn report fixups 2017-09-19 14:09:34 +02:00
ide hw/ide: Convert DeviceClass init to realize 2017-09-18 19:43:38 -04:00
input qapi: Mechanically convert FOO_lookup[...] to FOO_str(...) 2017-09-04 13:09:13 +02:00
intc ppc patch queue 2017-09-15 2017-09-15 19:00:16 +01:00
ipack
ipmi qom: enforce readonly nature of link's check callback 2017-07-14 12:04:42 +02:00
isa trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
lm32 lm32: replace cpu_lm32_init() with cpu_generic_init() 2017-09-01 11:54:25 -03:00
m68k m68k: replace cpu_m68k_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
mem qmp: introduce query-memory-size-summary command 2017-09-14 15:52:10 +01:00
microblaze hw: Use new memory_region_init_{ram, rom, rom_device}() functions 2017-07-14 17:59:42 +01:00
mips General warn report fixups 2017-09-19 14:09:34 +02:00
misc Convert single line fprintf(.../n) to warn_report() 2017-09-19 14:09:34 +02:00
moxie moxie: replace cpu_moxie_init() with cpu_generic_init() 2017-09-01 11:54:25 -03:00
net net: Add SunGEM device emulation as found on Apple UniNorth 2017-09-15 10:29:48 +10:00
nios2 nios2: replace cpu_nios2_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
nvram pc, pci, virtio: patches queued before 2.10 2017-09-08 16:04:42 +01:00
openrisc openrisc: replace cpu_openrisc_init() with cpu_generic_init() 2017-09-01 11:54:25 -03:00
pci net: Add SunGEM device emulation as found on Apple UniNorth 2017-09-15 10:29:48 +10:00
pci-bridge hw/pci: add QEMU-specific PCI capability to the Generic PCI Express Root Port 2017-09-08 16:15:17 +03:00
pci-host hw/pci-host/gpex: Implement PCI INTx routing 2017-09-14 18:43:19 +01:00
pcmcia
ppc spapr_events: use QTAILQ_FOREACH_SAFE() in spapr_clear_pending_events() 2017-09-15 10:29:48 +10:00
s390x General warn report fixups 2017-09-19 14:09:34 +02:00
scsi osdep.h: Prohibit disabling assert() in supported builds 2017-09-19 16:20:49 +02:00
sd trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
sh4 sh4: replace cpu_sh4_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
smbios stubs: move smbios stubs to hw/smbios 2017-01-16 17:52:35 +01:00
sparc sparc: replace cpu_sparc_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
sparc64 apb: fix up PCI bus nomenclature 2017-09-04 18:41:01 +01:00
ssi xlnx-qspi: add a property for mmio-execution 2017-08-14 14:17:18 +01:00
timer i8254: use QEMU_ALIGN_DOWN 2017-08-31 12:29:07 +02:00
tpm clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
tricore tricore: replace cpu_tricore_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
unicore32 unicore32: replace uc32_cpu_init() with cpu_generic_init() 2017-09-01 11:54:25 -03:00
usb Convert single line fprintf(.../n) to warn_report() 2017-09-19 14:09:34 +02:00
vfio vfio, spapr: Fix levels calculation 2017-09-15 10:29:48 +10:00
virtio osdep.h: Prohibit disabling assert() in supported builds 2017-09-19 16:20:49 +02:00
watchdog watchdog: wdt_aspeed: Add support for the reset width register 2017-09-04 15:21:54 +01:00
xen trace-events: fix code style: %# -> 0x% 2017-08-01 12:13:07 +01:00
xenpv xenfb: remove xen_init_display "temporary" hack 2017-07-07 11:10:03 -07:00
xtensa xtensa: replace cpu_xtensa_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
Makefile.objs 9pfs: fix dependencies 2017-08-30 18:23:25 +02:00