| Message ID | 20201006235817.3280413-9-jsnow@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | python/qemu: strictly typed mypy conversion, pt2 | expand |
Am 07.10.2020 um 01:58 hat John Snow geschrieben: > As always, Optional[T] causes problems with unchecked access. Add a > helper that asserts the pipe is present before we attempt to talk with > it. > > Signed-off-by: John Snow <jsnow@redhat.com> First a question about the preexisting state: I see that after initialising self._popen once, we never reset it to None. Should we do so on shutdown? > python/qemu/machine.py | 16 +++++++++++----- > 1 file changed, 11 insertions(+), 5 deletions(-) > > diff --git a/python/qemu/machine.py b/python/qemu/machine.py > index 3e9cf09fd2d..4e762fcd529 100644 > --- a/python/qemu/machine.py > +++ b/python/qemu/machine.py > @@ -131,7 +131,7 @@ def __init__(self, binary, args=None, wrapper=None, name=None, > # Runstate > self._qemu_log_path = None > self._qemu_log_file = None > - self._popen = None > + self._popen: Optional['subprocess.Popen[bytes]'] = None Another option that we have, especially if it's an attribute that is never reset, would be to set the attribute only when it first gets a value other than None. Accessing it while it hasn't been set yet automatically results in an AttributeError. I don't think that's much worse than the exception raised explicitly in a property wrapper. In this case, you would only declare the type in __init__, but not assign a value to it: self._popen: Optional['subprocess.Popen[bytes]'] Maybe a nicer alternative in some cases than adding properties around everything. Instead of checking for None, you would then have to use hasattr(), which is a bit uglier, so I guess it's mainly for attributes where you can assume that you will always have a value (if the caller isn't buggy) and therefore don't even have a check in most places. > self._events = [] > self._iolog = None > self._qmp_set = True # Enable QMP monitor by default. > @@ -244,6 +244,12 @@ def is_running(self): > """Returns true if the VM is running.""" > return self._popen is not None and self._popen.poll() is None > > + @property > + def _subp(self) -> 'subprocess.Popen[bytes]': > + if self._popen is None: > + raise QEMUMachineError('Subprocess pipe not present') > + return self._popen > + > def exitcode(self): > """Returns the exit code if possible, or None.""" > if self._popen is None: Of course, even if an alternative is possible, what you have is still correct. Reviewed-by: Kevin Wolf <kwolf@redhat.com>
On 10/7/20 6:07 AM, Kevin Wolf wrote: > Am 07.10.2020 um 01:58 hat John Snow geschrieben: >> As always, Optional[T] causes problems with unchecked access. Add a >> helper that asserts the pipe is present before we attempt to talk with >> it. >> >> Signed-off-by: John Snow <jsnow@redhat.com> > > First a question about the preexisting state: I see that after > initialising self._popen once, we never reset it to None. Should we do > so on shutdown? > Yup, we should. >> python/qemu/machine.py | 16 +++++++++++----- >> 1 file changed, 11 insertions(+), 5 deletions(-) >> >> diff --git a/python/qemu/machine.py b/python/qemu/machine.py >> index 3e9cf09fd2d..4e762fcd529 100644 >> --- a/python/qemu/machine.py >> +++ b/python/qemu/machine.py >> @@ -131,7 +131,7 @@ def __init__(self, binary, args=None, wrapper=None, name=None, >> # Runstate >> self._qemu_log_path = None >> self._qemu_log_file = None >> - self._popen = None >> + self._popen: Optional['subprocess.Popen[bytes]'] = None > > Another option that we have, especially if it's an attribute that is > never reset, would be to set the attribute only when it first gets a > value other than None. Accessing it while it hasn't been set yet > automatically results in an AttributeError. I don't think that's much > worse than the exception raised explicitly in a property wrapper. > > In this case, you would only declare the type in __init__, but not > assign a value to it: > > self._popen: Optional['subprocess.Popen[bytes]'] > If you do this, you can just declare it as non-Optional. Whenever it exists, it is definitely a subprocess.Popen[bytes]. > Maybe a nicer alternative in some cases than adding properties around > everything. > > Instead of checking for None, you would then have to use hasattr(), > which is a bit uglier, so I guess it's mainly for attributes where you > can assume that you will always have a value (if the caller isn't buggy) > and therefore don't even have a check in most places. > As long as the style checkers are OK with that sort of thing. After a very quick test, it seems like they might be. Generally, we run into trouble because pylint et al want variables to be declared in __init__, but doing so requires Optional[T] most of the time to allow something to be initialized later. A lot of our stateful objects have this kind of pattern. QAPIGen has a ton of it. machine.py has a ton of it too. You can basically imply the stateful check by just foregoing the actual initialization, which trades the explicit check for the implicit one when you get the AttributeError. This is maybe more convenient -- less code to write, certainly. The error message you get I think is going to be a little worse, though. I think I have been leaning towards the cute little @property shims because it follows a familiar OO model where a specific class always has a finite set of properties that does not grow or shrink. You can also use the shim to give a meaningful error that might be nicer to read than the AttributeError. I'm open to suggestions on better patterns. I had considered at one point that it might be nice to split Machine out into a version with and without the console to make stronger typing guarantees. It has implications for how shutdown and cleanup and so on is handled, too. (I had some WIP patches to do this, but I think I got a little stuck making the code pretty, and then the release, and then I got busy, and...) >> self._events = [] >> self._iolog = None >> self._qmp_set = True # Enable QMP monitor by default. >> @@ -244,6 +244,12 @@ def is_running(self): >> """Returns true if the VM is running.""" >> return self._popen is not None and self._popen.poll() is None >> >> + @property >> + def _subp(self) -> 'subprocess.Popen[bytes]': >> + if self._popen is None: >> + raise QEMUMachineError('Subprocess pipe not present') >> + return self._popen >> + >> def exitcode(self): >> """Returns the exit code if possible, or None.""" >> if self._popen is None: > > Of course, even if an alternative is possible, what you have is still > correct. > > Reviewed-by: Kevin Wolf <kwolf@redhat.com> > Thanks; I'll continue with this for now, but I really am open to talking about better ways to model the common pattern of "Optional sub-feature for a class that can be engaged post-initialization". It's an interesting typing problem. If we were using semantic types, what we are describing is an f(x) such that: f(object-without-feature) -> object-with-feature It's a kind of semantic cast where we are doing something akin to an in-place transformation of a base type to a subtype. I'm not sure I have encountered any language that actually intentionally supports such a paradigm. (Maybe haskell? I just assume haskell can do everything if you learn to lie to computers well enough.) --js
Am 07.10.2020 um 20:44 hat John Snow geschrieben: > On 10/7/20 6:07 AM, Kevin Wolf wrote: > > Am 07.10.2020 um 01:58 hat John Snow geschrieben: > > > As always, Optional[T] causes problems with unchecked access. Add a > > > helper that asserts the pipe is present before we attempt to talk with > > > it. > > > > > > Signed-off-by: John Snow <jsnow@redhat.com> > > > > First a question about the preexisting state: I see that after > > initialising self._popen once, we never reset it to None. Should we do > > so on shutdown? > > > > Yup, we should. > > > > python/qemu/machine.py | 16 +++++++++++----- > > > 1 file changed, 11 insertions(+), 5 deletions(-) > > > > > > diff --git a/python/qemu/machine.py b/python/qemu/machine.py > > > index 3e9cf09fd2d..4e762fcd529 100644 > > > --- a/python/qemu/machine.py > > > +++ b/python/qemu/machine.py > > > @@ -131,7 +131,7 @@ def __init__(self, binary, args=None, wrapper=None, name=None, > > > # Runstate > > > self._qemu_log_path = None > > > self._qemu_log_file = None > > > - self._popen = None > > > + self._popen: Optional['subprocess.Popen[bytes]'] = None > > > > Another option that we have, especially if it's an attribute that is > > never reset, would be to set the attribute only when it first gets a > > value other than None. Accessing it while it hasn't been set yet > > automatically results in an AttributeError. I don't think that's much > > worse than the exception raised explicitly in a property wrapper. > > > > In this case, you would only declare the type in __init__, but not > > assign a value to it: > > > > self._popen: Optional['subprocess.Popen[bytes]'] > > > > If you do this, you can just declare it as non-Optional. Whenever it exists, > it is definitely a subprocess.Popen[bytes]. Sorry, yes, copied too much while thinking too little. Getting rid of Optional was the whole point of the suggestion. > > Maybe a nicer alternative in some cases than adding properties around > > everything. > > > > Instead of checking for None, you would then have to use hasattr(), > > which is a bit uglier, so I guess it's mainly for attributes where you > > can assume that you will always have a value (if the caller isn't buggy) > > and therefore don't even have a check in most places. > > > > As long as the style checkers are OK with that sort of thing. After a very > quick test, it seems like they might be. > > Generally, we run into trouble because pylint et al want variables to be > declared in __init__, but doing so requires Optional[T] most of the time to > allow something to be initialized later. > > A lot of our stateful objects have this kind of pattern. QAPIGen has a ton > of it. machine.py has a ton of it too. > > You can basically imply the stateful check by just foregoing the actual > initialization, which trades the explicit check for the implicit one when > you get the AttributeError. > > This is maybe more convenient -- less code to write, certainly. The error > message you get I think is going to be a little worse, though. Whether this matters depends on the meaning of the individual attribute. There can be attributes that can legitimately be None during most of the lifetime of the object. These should clearly be Optional. In many cases, however, the contract say that you must first call method A that initialises the attribute and then you can call method B which uses it. Calling B without A would be a bug, so it's not an error message that users should ever see. For developers who will then look at the stack trace anyway, I don't think it should make a big difference. Here, it's usually expected that the attribute is not None except during phases where the object is mostly inactive anyway (like VMs before launch or after shutdown). Then you can just not add the attribute yet and access it without checks (which would only throw an exception anyway) elsewhere. > I think I have been leaning towards the cute little @property shims because > it follows a familiar OO model where a specific class always has a finite > set of properties that does not grow or shrink. You can also use the shim to > give a meaningful error that might be nicer to read than the AttributeError. > > I'm open to suggestions on better patterns. I had considered at one point > that it might be nice to split Machine out into a version with and without > the console to make stronger typing guarantees. It has implications for how > shutdown and cleanup and so on is handled, too. > > (I had some WIP patches to do this, but I think I got a little stuck making > the code pretty, and then the release, and then I got busy, and...) I guess the way to have everything static would be splitting QEMUMachine into QEMUVMConfig (which exists without a running QEMU instance) and QEMUVMInstance (which gets a QEMUVMConfig passed to its constructor and is directly tied to a QEMU process). Not sure if it would be worth such a major change. > > > self._events = [] > > > self._iolog = None > > > self._qmp_set = True # Enable QMP monitor by default. > > > @@ -244,6 +244,12 @@ def is_running(self): > > > """Returns true if the VM is running.""" > > > return self._popen is not None and self._popen.poll() is None > > > + @property > > > + def _subp(self) -> 'subprocess.Popen[bytes]': > > > + if self._popen is None: > > > + raise QEMUMachineError('Subprocess pipe not present') > > > + return self._popen The major downside that I saw while reviewing this patch (besides having extra code just for making the error message of what essentially a failed assertion nicer) is that we have two names for the same thing, we have both names in active use in the other methods, and I'll never be able to remember which of _subp and _popen is the real attribute and which is the property (or that they are related at all and changing one will actually change the other, too) without looking it up. I mean, I guess tools will tell me after getting it wrong, but still... Properties can make a nice external interface, but I feel using them internally while you don't avoid accessing the real attribute in methods other than the property implementation is more confusing than helpful. > > > def exitcode(self): > > > """Returns the exit code if possible, or None.""" > > > if self._popen is None: > > > > Of course, even if an alternative is possible, what you have is still > > correct. > > > > Reviewed-by: Kevin Wolf <kwolf@redhat.com> > > > > Thanks; I'll continue with this for now, but I really am open to talking > about better ways to model the common pattern of "Optional sub-feature for a > class that can be engaged post-initialization". > > It's an interesting typing problem. If we were using semantic types, what we > are describing is an f(x) such that: > > f(object-without-feature) -> object-with-feature > > It's a kind of semantic cast where we are doing something akin to an > in-place transformation of a base type to a subtype. I'm not sure I have > encountered any language that actually intentionally supports such a > paradigm. > > (Maybe haskell? I just assume haskell can do everything if you learn to lie > to computers well enough.) You can always express this kind of thing as object-with-feature containing an object-without-feature. Kevin
On 10/8/20 3:04 AM, Kevin Wolf wrote: > The major downside that I saw while reviewing this patch (besides having > extra code just for making the error message of what essentially a > failed assertion nicer) is that we have two names for the same thing, we > have both names in active use in the other methods, and I'll never be > able to remember which of _subp and _popen is the real attribute and > which is the property (or that they are related at all and changing one > will actually change the other, too) without looking it up. > > I mean, I guess tools will tell me after getting it wrong, but still... > > Properties can make a nice external interface, but I feel using them > internally while you don't avoid accessing the real attribute in methods > other than the property implementation is more confusing than helpful. Good point. I'll see if I can find a nicer cleanup soon. For now I will suggest relying on the type checker to spot if we get it wrong. I do think the little property wrappers are kind of distracting, but seemed like the quickest means to an end at the time. With type checking fully in place, refactors can be a little more fearless going forward, I think. --js
diff --git a/python/qemu/machine.py b/python/qemu/machine.py index 3e9cf09fd2d..4e762fcd529 100644 --- a/python/qemu/machine.py +++ b/python/qemu/machine.py @@ -131,7 +131,7 @@ def __init__(self, binary, args=None, wrapper=None, name=None, # Runstate self._qemu_log_path = None self._qemu_log_file = None - self._popen = None + self._popen: Optional['subprocess.Popen[bytes]'] = None self._events = [] self._iolog = None self._qmp_set = True # Enable QMP monitor by default. @@ -244,6 +244,12 @@ def is_running(self): """Returns true if the VM is running.""" return self._popen is not None and self._popen.poll() is None + @property + def _subp(self) -> 'subprocess.Popen[bytes]': + if self._popen is None: + raise QEMUMachineError('Subprocess pipe not present') + return self._popen + def exitcode(self): """Returns the exit code if possible, or None.""" if self._popen is None: @@ -254,7 +260,7 @@ def get_pid(self): """Returns the PID of the running process, or None.""" if not self.is_running(): return None - return self._popen.pid + return self._subp.pid def _load_io_log(self): if self._qemu_log_path is not None: @@ -415,8 +421,8 @@ def _hard_shutdown(self) -> None: waiting for the QEMU process to terminate. """ self._early_cleanup() - self._popen.kill() - self._popen.wait(timeout=60) + self._subp.kill() + self._subp.wait(timeout=60) def _soft_shutdown(self, timeout: Optional[int], has_quit: bool = False) -> None: @@ -440,7 +446,7 @@ def _soft_shutdown(self, timeout: Optional[int], self._qmp.cmd('quit') # May raise subprocess.TimeoutExpired - self._popen.wait(timeout=timeout) + self._subp.wait(timeout=timeout) def _do_shutdown(self, timeout: Optional[int], has_quit: bool = False) -> None:
As always, Optional[T] causes problems with unchecked access. Add a helper that asserts the pipe is present before we attempt to talk with it. Signed-off-by: John Snow <jsnow@redhat.com> --- python/qemu/machine.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)