Qubes: Error handling

[deeplow]

We need to accommodate exceptions for all edge-cases in the client binary-protocol-parsing code. This was out of scope of the alpha stage (https://github.com/freedomofpress/dangerzone/issues/411).

Errors to check on server:

• [x] document wasn't immediately received: probably the user exited dangerzone mid-conversion. Safely exit from dangerzone so that there isn't a dangling disposable qube
  • [x] The number of received pages was (> MAX_PAGES)
  • note: this one is probably going to have to be done server-side. The (Qubes) client retrieves 2 bytes for pages. "Overflows" won't be detected.

Errors to check on the client:

• [x] The disposable qube could not start due to memory issues.
• [x] The disposable qube could not start because dz-dvm does not exist. (**update: done in https://github.com/freedomofpress/dangerzone/pull/564)
• [x] The width and the height of the pages are too large.
• [x] Page conversion timeout reached
• [x] Timed out receiving a page
• [x] Consume stderr (source)
• [x] Show helpful message if OCR step fails (e.g., OCR failed)
• [x] Stop disposable VMs when aborting conversions update: will be tackled separately since it also affects containers. Moved to https://github.com/freedomofpress/dangerzone/issues/563

Errors to check on the client:

Also, we need to sanitize tracebacks and errors from the disposable qube, in a way that does not affect the user's terminal (e.g., remove control characters). update: this will be done in https://github.com/freedomofpress/dangerzone/pull/386

[deeplow]

I moved the "number of pages received" to be a server-side check. The client won't have a way of knowing this.

[apyrgio]

Note that it's possible that one of our read functions may receive an early EOF, when its the process in the disp qube that has died. In that case, we should always check first the exit code of the process, and then raise the proper exception.

[apyrgio]

We were a bit overeager to close this issue, as there are still some error cases that are missing:

• [x] The disposable qube could not start because dz-dvm does not exist. (**Update: done in https://github.com/freedomofpress/dangerzone/pull/564)
  • Currently, we return a wrong error message here, that the system was out of RAM, but this is not the case.
  • It's probably best to return a generic message here "Could not start disp qube dz-dvm. Consult your system logs". Qubes UI shows a notification with more context, after all.
• [ ] If we cannot start disposable qubes due to RAM issues, then the user will be bombarded with error messages. moved to #567
  • We should check if it makes sense to stop after the first failed conversion, assuming that there are no transient issues with qrexec.
• [x] Show helpful message if OCR step fails (e.g., unsupported language)
  • Admittedly, this error is unlikely to happen, because we now install every OCR language available.
  • ~I propose moving this to the stabilization effort.~ We ended up fixing this in our beta phase.
• [ ] Stop disposable VMs when aborting conversions (update:** to be tackled separately https://github.com/freedomofpress/dangerzone/issues/563)
  • This is important and we need to fix it. I haven't managed to do so yet, sorry.
  • EDIT: This actually applies to containers as well. When we quit the Dangerzone window, we don't kill the container, so we should fix it properly.

• [ ] Get notified about the command that failed while doing document conversion: moved to #567

  • In practice, we have at most three commands that may run:

    1. [not required for PDFs] libreoffice , gm
    2. pdfinfo
    3. pdftoppm

    An error during pdftoppm is easy to detect, as we are in the middle of getting pages back. Errors between pdfinfo and libreoffice | gm are less easy to detect, so this still warrants a fix, although it's not very pressing. I'd move this to the stabilization effort as well.