Paolo Bonzini <pbonz...@redhat.com> writes:

> On 10/12/2015 12:06, Markus Armbruster wrote:
>> Paolo Bonzini <pbonz...@redhat.com> writes:
>>
>>> On 09/12/2015 10:30, Markus Armbruster wrote:
>>>> My current working assumption is that passing &error_fatal to
>>>> memory_region_init_ram() & friends is okay even in realize() methods and
>>>> their supporting code, except when the allocation can be large.
>>>
>>> I suspect a lot of memory_region_init_ram()s could be considered
>>> potentially large (at least in the 16-64 megabytes range). Propagation
>>> of memory_region_init_ram() failures is easy enough, thanks to Error**,
>>> that we should just do it.
>>
>> Propagating an out-of-memory error right in realize() is easy. What's
>> not so easy is making realize() fail cleanly (all side effects undone;
>> we get that wrong in many places), and finding and propagating
>> out-of-memory errors hiding deeper in the call tree.
>
> grep is your friend. We're talking of a subset of these: [...]

Yes, finding just the guest memory allocations isn't hard. But making them fail cleanly is, judging from the code that gets it wrong. [...]