[libcamera-devel] [PATCH 1/2] libcamera: utils: Add Cleaner class
Kieran Bingham
kieran.bingham at ideasonboard.com
Tue Oct 11 17:03:20 CEST 2022
Quoting Laurent Pinchart via libcamera-devel (2022-10-07 16:26:00)
> Hi Jacopo,
>
> On Fri, Oct 07, 2022 at 05:01:57PM +0200, Jacopo Mondi wrote:
> > On Tue, Oct 04, 2022 at 05:18:41AM +0300, Laurent Pinchart via libcamera-devel wrote:
> > > The Cleaner class is a simple object that performs user-provided actions
> > > upon destruction. As its name implies, it is meant to simplify cleanup
> > > tasks in error handling paths.
> > >
> > > Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
> > > ---
> > > include/libcamera/base/utils.h | 13 ++++
> > > src/libcamera/base/utils.cpp | 130 +++++++++++++++++++++++++++++++++
> > > 2 files changed, 143 insertions(+)
> > >
> > > diff --git a/include/libcamera/base/utils.h b/include/libcamera/base/utils.h
> > > index ed88b7163770..0de80eb89d15 100644
> > > --- a/include/libcamera/base/utils.h
> > > +++ b/include/libcamera/base/utils.h
> > > @@ -9,6 +9,7 @@
> > >
> > > #include <algorithm>
> > > #include <chrono>
> > > +#include <functional>
> > > #include <iterator>
> > > #include <memory>
> > > #include <ostream>
> > > @@ -381,6 +382,18 @@ struct defopt_t {
> > >
> > > constexpr details::defopt_t defopt;
> > >
> > > +class Cleaner
> > > +{
> > > +public:
> > > + ~Cleaner();
> > > +
> > > + void defer(std::function<void()> &&action);
> > > + void clear();
> > > +
> > > +private:
> > > + std::vector<std::function<void()>> actions_;
> > > +};
> > > +
> > > } /* namespace utils */
> > >
> > > #ifndef __DOXYGEN__
> > > diff --git a/src/libcamera/base/utils.cpp b/src/libcamera/base/utils.cpp
> > > index 9cd6cb197243..45e115b7031e 100644
> > > --- a/src/libcamera/base/utils.cpp
> > > +++ b/src/libcamera/base/utils.cpp
> > > @@ -484,6 +484,136 @@ std::string toAscii(const std::string &str)
> > > * default-constructed T.
> > > */
> > >
> > > +/**
> > > + * \class Cleaner
> > > + * \brief An object that performs actions upon destruction
> > > + *
> > > + * The Cleaner class is a simple object that performs user-provided actions
> > > + * upon destruction. As its name implies, it is meant to simplify cleanup tasks
> > > + * in error handling paths.
> > > + *
> > > + * When the code flow performs multiple sequential actions that each need a
> > > + * corresponding cleanup action, error handling quickly become tedious:
> > > + *
> > > + * \code{.cpp}
> > > + * {
> > > + * int ret = allocateMemory();
> > > + * if (ret)
> > > + * return ret;
> > > + *
> > > + * ret = startProducder();
> > > + * if (ret) {
> > > + * freeMemory();
> > > + * return ret;
> > > + * }
> > > + *
> > > + * ret = startConsumer();
> > > + * if (ret) {
> > > + * stopProducer();
> > > + * freeMemory();
> > > + * return ret;
> > > + * }
> > > + *
> > > + * return 0;
> > > + * }
> > > + * \endcode
> > > + *
> > > + * This is prone to programming mistakes, as cleanup actions can easily be
> > > + * forgotten or ordered incorrectly. One strategy to simplify error handling is
> > > + * to use goto statements:
> > > + *
> > > + * \code{.cpp}
> > > + * {
> > > + * int ret = allocateMemory();
> > > + * if (ret)
> > > + * return ret;
> > > + *
> > > + * ret = startProducder();
> > > + * if (ret)
> > > + * goto error_free;
> > > + *
> > > + * ret = startConsumer();
> > > + * if (ret)
> > > + * goto error_stop;
> > > + *
> > > + * return 0;
> > > + *
> > > + * error_stop:
> > > + * stopProducer();
> > > + * error_free:
> > > + * freeMemory();
> > > + * return ret;
> > > + * }
> > > + * \endcode
> > > + *
> > > + * While this may be considered better, this solution is still quite
> > > + * error-prone. Beside the risk of picking the wrong error label, the error
> > > + * handling logic is separated from the normal code flow, which increases the
> > > + * risk of error when refactoring the code. Additionally, C++ doesn't allow
> > > + * goto statements to jump over local variable declarations, which can make
> > > + * usage of this pattern more difficult.
> > > + *
> > > + * The Cleaner class solves these issues by allowing code that requires cleanup
> > > + * actions to be grouped with its corresponding deferred error handling code:
> > > + *
> > > + * \code{.cpp}
> > > + * {
> > > + * Cleaner cleaner;
> > > + *
> > > + * int ret = allocateMemory();
> > > + * if (ret)
> > > + * return ret;
> > > + *
> > > + * cleaner.defer([&]() { freeMemory(); });
> > > + *
> > > + * ret = startProducder();
> > > + * if (ret)
> > > + * return ret;
> > > + *
> > > + * cleaner.defer([&]() { stopProducer(); });
> > > + *
> > > + * ret = startConsumer();
> > > + * if (ret)
> > > + * return ret;
> > > + *
> > > + * cleaner.clear();
> > > + * return 0;
> > > + * }
> > > + * \endcode
> >
> > I just wonder if
> >
> > {
> > Cleaner cleaner;
> >
> > int ret = allocateMemory();
> > if (ret)
> > return ret;
> >
> > cleaner.defer([&]() { freeMemory(); });
> >
> > ret = startProducder();
> > if (ret) {
> > cleaner.clean();
> > return ret;
> > }
> >
> > cleaner.defer([&]() { stopProducer(); });
> >
> > ret = startConsumer();
> > if (ret) {
> > cleaner.clean();
> > return ret;
> > }
> >
> > return 0;
> > }
> >
> >
> > IOW make Claner::clean() execute the cleaning actions while
> > destruction is a no-op.
>
> I've thought about it, and I like the idea of having no additional
> function call in the success path. However, that brings other issues:
>
> - There are usually more error paths than success paths, so there will
> be more clean() calls needed, with more risks of forgetting one of
> them.
>
> - Error paths are less tested. A missing clear() in the success path
> will likely be detected very quickly (as all the deferred cleaner
> actions will be executed), while a missing clean() in one error path
> has a much higher chance to end up not being detected for a long time.
Aha, looks like I should have started here. I think both of the above
are why I prefer automatic cleanup on error paths, and an explicit
cancellation of deferred work on success. (Assuming a single success
path).
> Another option would be to have dedicated calls for both the error and
> success paths, and warn loudly if the object is destructed without any
> of these functions having been called. It will ensure we get a warning
> the first time an incorrect error path is taken, but we'll still have
> risks of missing calls in error paths being detected.
>
> Yet another option is to hook up the Cleaner class in the return
> statement itself, writing
>
> return cleaner.return(ret);
>
> ret == 0 would be considered a success and ret != 0 an error. Again,
> nothing will guarantee that a stray
>
> return ret;
But that would only work on integer/boolean return function types?
Unless ... there was a ScopedReturn return type that /enforced/ use of
an explicit return type whenever a ScopedExit / Cleaner class was in use
in a function?
(I'm not sure how that would be handled though, and it would be just
another wrapper around return types to cause confusion perhaps)
>
> gets added to an error path, but it may be easier to visually catch the
> offending code during review (not entirely sure about that).
>
> Yet another option would be to change the function to return a Result
> instead of an int, with the Cleaner::return() (or Cleaner::result(),
> name bikeshading is allowed) function returning a Result. Here again,
> someone may create a Result directly, so it may not help much.
Damnit ... You have the same ideas before I get there...
> If we were using exceptions the Cleaner destructor could differentiate
> between the success and failure cases more easily. I can't see another
> elegant method to achieve the same with error values, but maybe I'm
> missing something.
>
> > It just feel more natural to have a clean() call on error paths and
> > not having to call clean() on a succesfull return.
>
> Note that it's "clear", not "clean", in the success path. I think I'll
> rename it to release() to avoid confusion, and match
> https://en.cppreference.com/w/cpp/experimental/scope_fail.
Hrm... release() makes sense too, though for some reason I still think
of it as a cancellation ... .cancel() ... but I'm not opposed to a
.release().
>
> > > + *
> > > + * Deferred error handlers are executed when the Cleaner instance is destroyed,
> > > + * in the reverse order of their addition.
> > > + */
> > > +
> > > +Cleaner::~Cleaner()
> > > +{
> > > + for (const auto &action : utils::reverse(actions_))
> > > + action();
> > > +}
> > > +
> > > +/**
> > > + * \brief Add a deferred cleanup action
> > > + * \param[in] action The cleanup action
> > > + *
> > > + * Add a deferred cleanup action to the Cleaner. Cleanup actions will be called
> > > + * upon destruction in the reverse order of their addition.
> > > + */
> > > +void Cleaner::defer(std::function<void()> &&action)
> > > +{
> > > + actions_.push_back(std::move(action));
> > > +}
> > > +
> > > +/**
> > > + * \brief Clear all deferred cleanup actions
> > > + *
> > > + * This function should be called in the success path to clear all deferred
> > > + * error cleanup actions.
> > > + */
> > > +void Cleaner::clear()
> > > +{
> > > + actions_.clear();
> > > +}
> > > +
> > > } /* namespace utils */
> > >
> > > #ifndef __DOXYGEN__
>
> --
> Regards,
>
> Laurent Pinchart
More information about the libcamera-devel
mailing list