* Paolo Bonzini (pbonz...@redhat.com) wrote:
>
> On 09/12/2015 10:30, Markus Armbruster wrote:
> > My current working assumption is that passing &error_fatal to
> > memory_region_init_ram() & friends is okay even in realize() methods and
> > their supporting code, except when the allocation can be large.
>
> I suspect a lot of memory_region_init_ram()s could be considered
> potentially large (at least in the 16-64 megabytes range). Propagation
> of memory_region_init_ram() failures is easy enough, thanks to Error**,
> that we should just do it.
>
> Even if we don't, we should use &error_abort, not &error_fatal
> (programmer error---due to laziness---rather than user error).
> &error_fatal should really be restricted to code that is running very
> close to main().

No, we used to have error_abort and changed them out for error_fatal
because we were getting flooded with crash reports due to the aborts of
people trying to run VMs too big for their machine.

Dave

>
> Paolo
>
> > Even then, &error_fatal is better than buggy recovery code (which I can
> > see all over the place, but that's a separate topic).

--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
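The propagation pattern Paolo argues for, as an added C illustration that is not code from QEMU or from this thread: the Error type, error_setg, error_propagate and the memory_region_init_ram stand-in below are simplified stubs (assumptions), and HOST_RAM_LIMIT is a constructed threshold standing in for a host that cannot back a large guest RAM allocation.

```c
/* Simplified stand-in for QEMU's Error API (assumption: not QEMU's real
 * implementation). It shows a realize() method handing an allocation
 * failure up through Error **errp instead of passing &error_fatal
 * (exit on user error) or &error_abort (crash on programmer error). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct Error { char msg[128]; } Error;

/* Record an error message in *errp if the caller asked for one. */
static void error_setg(Error **errp, const char *msg)
{
    if (errp) {
        *errp = calloc(1, sizeof(Error));
        strncpy((*errp)->msg, msg, sizeof((*errp)->msg) - 1);
    }
}

static void error_free(Error *err) { free(err); }

/* Hand a local error up to the caller; a NULL destination discards it. */
static void error_propagate(Error **dst, Error *local)
{
    if (!local) return;
    if (dst && !*dst) *dst = local; else error_free(local);
}

/* Constructed host limit: allocations above it fail as ENOMEM would. */
#define HOST_RAM_LIMIT (256ULL << 20)

/* Mimics memory_region_init_ram(): report failure, never exit or abort. */
static void memory_region_init_ram(uint64_t size, Error **errp)
{
    if (size > HOST_RAM_LIMIT) {
        error_setg(errp, "cannot allocate guest RAM: size exceeds host limit");
    }
}

/* Device realize() that propagates instead of using &error_fatal. */
static int device_realize(uint64_t ram_size, Error **errp)
{
    Error *local_err = NULL;
    memory_region_init_ram(ram_size, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        return -1;   /* the caller near main() decides how to report it */
    }
    return 0;
}
```

With this shape an oversized VM is reported as an ordinary error to the user rather than producing an abort and a crash report.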