VIP9 - Expanding VCL object support

Martin Blix Grydeland martin at
Fri Nov 11 12:06:47 CET 2016

Hi Reza,

I like this a lot. Though I am not completely sure about the way the
scoping is expressed. It seems to me that the scoping is (mostly) implicit
from where the new keyword is placed. If it's in vcl_backend_*, the scope
is bereq. If it's in vcl_init the scope is global, and if it is in the
others the scope is req (except when it's top). This leaves top as the only
odd scope, and if we found some other way to deal with that special case,
we would not need the scope cast in most places making it prettier. Perhaps
only require the scope cast for (top)?

Also how the scoping tests are performed in the vcc compiler leaves things
to be desired. The first attached test case shows something that fails as a
compiler error, but that I believe should be perfectly valid VCL (and the
ordering is certainly something I've seen in plenty of messy user VCLs). In
the test the vcl_deliver method comes before the vcl_recv in the input
text, and the scoping then errors out on seeing the object in vcl_deliver
that is defined in vcl_recv. The execution of vcl_recv is always before
vcl_deliver, so the code isn't wrong, and would work just fine if it wasn't
for the use of the object. I assume that the same issue is also present for
vcl_init today. I believe we should address this, and could do so by
enforcing an order in which the VCL functions are compiled. So after having
read all of the source code, the compiler should in order do vcl_init,
vcl_recv ... vcl_deliver, vcl_synth, vcl_backend_*.

The 2nd attached test case demonstrates another concern on uninitialised
objects. This test case fails with an assertion in the debug vmod for
obvious reasons. My concern is that it is tempting to write VCL code like
this, and having the Varnish assert itself by a simple VCL mistake is bad.
(I do believe that similar issues exist for our current vcl_init-only
director objects, though it's less error prone because noone writes
if-clauses in vcl_init).

One way of looking at this issue is to say that the debug object used here
is in the wrong to assert when it's uninitialised, and that the
uninitialised state is a valid vmod object state. The vmods then need to
define correct behaviour for these cases (e.g. do nothing for the right
meaning of nothing, for this case I guess return the empty string). And we
should formally define this in the nonexistant vmod developer guide.

Another approach is to define that object initialisation can't fail, which
is more in-spirit with the VCL language. So make the VCC compiler give
compiler errors if it can't say for sure that the new statement for an
object has been executed before the object method invocation. E.g. an
object method can't be used in vcl_recv for an object that is created in
vcl_deliver. This would then drag with it new scopes for every curly
bracket opening inside of the VCL functions. So an object can be new'ed and
used inside the if-statement, but is out-of-scope outside of it.

If we do define that object initialisation can't fail, I would also like to
see a proper exception mechanism build in. So vmods can throw exceptions
that halt VCL execution and safely call the priv free callbacks to clean
up, before presenting an error. Details unclear.

Lastly I think we should have the calling scope limits as vmod metadata in
place before allowing this. So a vmod object that's only meant to be called
in a global scope can declare that in its vcc file.

So in conclusion I am concerned about the Pandora's box this is opening,
and there are building blocks that are missing today that should be
addressed first.


On Wed, 9 Nov 2016 at 23:13 Reza Naghibi <reza at> wrote:

> This is another discussion for VIP9. The previous mailing list thread is
> linked below [0].
> This allows objects to live in req,, and bereq scopes. Currently
> objects are global to the VCL and can only be defined in vcl_init.
> The driver for this is allowing for multiple VMOD objects to exist in a
> single request, each with their own attributes. There is a usecase where we
> need to make multiple HTTP requests from VCL to 3rd party services and then
> build multiple security related digests on several aspects of the request,
> response, and 3rd party services. So having proper objects here would make
> the VMOD based solution extremely clean and easy to understand.
> I have a branch ready for a PR, but it was requested to have another
> discussion. Branch is located here [1] and based on master, 5.0, as of last
> week. m00026.vtc shows how the VCL looks [2]. The goal would be to have
> this available to VMODs in the next major release, Q1 2017.
> I will briefly address several of the concerns that have been brought up:
> * Syntax is too verbose. I agree that the first iteration kind of went
> overboard with the syntax. Currently, the syntax requires a (scope) style
> cast when you define the object and thats it. Please see [2].
> * This implementation is completely backwards compatible with how objects
> are defined in 4.X and does not require VMOD code to change. Object VMODs
> will be immediately available to these new scopes and will still go thru
> the _init() _fini() lifecycle.
> * Conflicts with VIP1. This VIP is only concerned with exposing PRIV_TASK
> and PRIV_TOP into existing objects at the VCL level. I believe VIP1 is
> concerned with PRIV_* at the VMOD level. So I believe these are a bit
> orthogonal and independent.
> * VMOD safety. Im pretty confident that VMOD objects actually allow for
> higher levels of reference and memory safety because objects have explicit
> _init() and _fini() methods and are passed in a struct for tracking state.
> So if you wanted to reference objects from other objects, then you could
> implement your own ref counting algorithm ontop of __init(), __finish(),
> and the state (or a gc implementation or whatever algorithm you want). I
> think this argument is a bit arbitrary because if we look at something as
> simple as VCL_STRING, which all VMODs have access to via req/resp headers,
> if you were to reference that in a VMOD, it will be freed from under you
> and leave you with unsafe code and memory. So any kind of unsafe VMOD
> example probably extends to the entire VMOD universe and should not be
> limited to this one VIP. Safe coding practices used today in VMODs should
> not be abandoned in context of this VIP :)
> It might be more helpful to see the compiled VCL code interact with the
> VRT to understand how this PR will work. So the C code for m00026.vtc is
> located here [3]. Just grep for g0, r0, r1, t0, and b0 to better see how
> this is implemented.
> [0]
> [1]
> [2]
> [3]
> --
> Reza Naghibi
> Varnish Software
> _______________________________________________
> varnish-dev mailing list
> varnish-dev at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scope.vtc
Type: application/octet-stream
Size: 340 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scope2.vtc
Type: application/octet-stream
Size: 376 bytes
Desc: not available
URL: <>

More information about the varnish-dev mailing list