From: Avi Kivity <avi@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel@nongnu.org, Paul Brook <paul@codesourcery.com>,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] Permit zero-sized qemu_malloc() & friends
Date: Sun, 06 Dec 2009 00:26:28 +0200 [thread overview]
Message-ID: <4B1ADE14.2070809@redhat.com> (raw)
In-Reply-To: <4B1AC96B.7060007@codemonkey.ws>
On 12/05/2009 10:58 PM, Anthony Liguori wrote:
> Avi Kivity wrote:
>> When we see a lengthy and error prone idiom we usually provide a
>> wrapper. That wrapper is qemu_malloc(). If you like, don't see it
>> as a fixed malloc(), but as qemu's way of allocating memory which is
>> totally independent from malloc().
>
> We constantly get patches with qemu_malloc() with a NULL check. Then
> we tell people to remove the NULL check. It feels very weird to ask
> people to remove error handling.
You prefer to explain to them how to do error handling correctly?
>
> I can understand the argument that getting OOM right is very difficult
> but it's not impossible.
There are 755 calls to malloc in the code. And practically every
syscall can return ENOMEM, including the innocuous KVM_RUN ioctl().
It's going to be pretty close to impossible to recover from malloc()
failure, and impossible to recover from KVM_RUN failure (except by
retrying, which you can assume the kernel already has). All for
something which never happens. I propose that fixing OOM handling is
going to introduce some errors into the non-error paths, and many errors
into the error return paths, for zero benefit.
>
>>>
>>> However, this is all personal preference and I'd rather focus my
>>> energy on things that have true functional impact. Markus raised a
>>> valid functional problem with the current implementation and I
>>> proposed a solution that would address that functional problem. I'd
>>> rather see the discussion focus on the merits of that solution than
>>> revisiting whether ANSI got the semantics of malloc() correct in the
>>> standards definition.
>>>
>>
>> Unless ANSI has a say on qemu_malloc(), I think it's worthwhile to
>> get that right rather than wrapping every array caller with useless
>> tests.
>
> If you're concerned about array allocation, introduce an array
> allocation function. Honestly, there's very little reason to open
> code array allocation/manipulation at all. We should either be using
> a list type or if we really need to, we should introduce a vector type.
A NEW(type) and ARRAY_NEW(type, count) marcros would improve type safety
and plug a dormant buffer overflow due to multiplication overflow, yes.
Even qemu_calloc() would be an improvement. But having qemu_malloc()
not fix the zero length array case which we know we have is
irresponsible, IMO.
--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
next prev parent reply other threads:[~2009-12-05 22:26 UTC|newest]
Thread overview: 119+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-30 13:55 [Qemu-devel] [PATCH] Permit zero-sized qemu_malloc() & friends Markus Armbruster
2009-11-30 14:01 ` Avi Kivity
2009-11-30 14:23 ` Kevin Wolf
2009-12-01 12:40 ` Gerd Hoffmann
2009-12-01 12:57 ` Paul Brook
2009-12-01 13:47 ` Glauber Costa
2009-12-01 14:08 ` Markus Armbruster
2009-12-01 14:47 ` Gerd Hoffmann
2009-12-01 14:21 ` Paul Brook
2009-12-01 12:57 ` Gerd Hoffmann
2009-12-01 13:11 ` Markus Armbruster
2009-12-01 14:34 ` Avi Kivity
2009-12-01 14:53 ` Gerd Hoffmann
2009-12-01 15:32 ` Eduardo Habkost
2009-12-04 16:49 ` Anthony Liguori
2009-12-05 13:55 ` Markus Armbruster
2009-12-05 14:14 ` Laurent Desnogues
2009-12-05 17:08 ` malc
2009-12-05 17:23 ` Avi Kivity
2009-12-05 18:30 ` Reimar Döffinger
2009-12-06 7:57 ` Markus Armbruster
2009-12-06 8:39 ` malc
2009-12-06 8:59 ` Markus Armbruster
2009-12-06 10:22 ` malc
2009-12-06 10:40 ` Avi Kivity
2009-12-06 11:53 ` malc
2009-12-06 12:07 ` Avi Kivity
2009-12-06 12:11 ` malc
2009-12-06 12:23 ` Avi Kivity
2009-12-06 11:10 ` Markus Armbruster
2009-12-06 12:00 ` malc
2009-12-06 16:23 ` [Qemu-devel] " Paolo Bonzini
2009-12-07 8:35 ` [Qemu-devel] " Kevin Wolf
2009-12-07 9:42 ` Markus Armbruster
2009-12-07 10:00 ` malc
2009-12-07 10:17 ` Kevin Wolf
2009-12-07 10:35 ` Markus Armbruster
2009-12-06 11:35 ` [Qemu-devel] " Paolo Bonzini
2009-12-06 12:02 ` malc
2009-12-06 16:23 ` Paolo Bonzini
2009-12-06 9:02 ` [Qemu-devel] " Blue Swirl
2009-12-06 10:02 ` malc
2009-12-05 17:07 ` Avi Kivity
2009-12-05 17:27 ` Anthony Liguori
2009-12-05 17:40 ` Avi Kivity
2009-12-05 17:54 ` Anthony Liguori
2009-12-05 18:06 ` Avi Kivity
2009-12-05 20:58 ` Anthony Liguori
2009-12-05 22:26 ` Avi Kivity [this message]
2009-12-06 8:24 ` Markus Armbruster
2009-12-06 18:36 ` Jamie Lokier
2009-12-06 8:12 ` Markus Armbruster
2009-12-06 16:52 ` Ian Molton
2009-12-06 17:14 ` Avi Kivity
2009-12-06 17:45 ` malc
2009-12-06 18:02 ` Avi Kivity
2009-12-06 18:12 ` malc
2009-12-06 18:19 ` Avi Kivity
2009-12-06 18:41 ` malc
2009-12-07 9:47 ` Avi Kivity
2009-12-07 10:20 ` Kevin Wolf
2009-12-06 22:38 ` Ian Molton
2009-12-07 2:51 ` Jamie Lokier
2009-12-07 9:39 ` Ian Molton
2009-12-07 9:55 ` [Qemu-devel] " Paolo Bonzini
2009-12-07 13:28 ` Avi Kivity
2009-12-07 9:45 ` [Qemu-devel] " Markus Armbruster
2009-12-07 8:48 ` Kevin Wolf
2009-12-07 17:32 ` Glauber Costa
2009-12-05 17:28 ` Blue Swirl
2009-12-05 17:44 ` Avi Kivity
2009-12-05 18:16 ` Laurent Desnogues
2009-12-05 23:08 ` Ian Molton
2009-12-05 23:11 ` Avi Kivity
2009-12-05 23:25 ` Ian Molton
2009-12-06 13:07 ` Avi Kivity
2009-12-06 16:58 ` Ian Molton
2009-12-06 17:07 ` Avi Kivity
2009-12-06 17:47 ` malc
2009-12-06 17:59 ` Avi Kivity
2009-12-06 18:09 ` malc
2009-12-06 18:16 ` Avi Kivity
2009-12-06 18:21 ` malc
2009-12-06 22:40 ` Ian Molton
2009-12-06 18:31 ` Jamie Lokier
2009-12-07 9:56 ` Markus Armbruster
2009-12-07 11:30 ` malc
2009-12-07 14:45 ` Markus Armbruster
2009-12-07 16:55 ` malc
2009-12-08 8:21 ` Markus Armbruster
2009-12-08 10:22 ` malc
2009-12-07 15:50 ` Anthony Liguori
2009-12-07 16:00 ` Avi Kivity
2009-12-07 16:06 ` Anthony Liguori
2009-12-07 16:11 ` Avi Kivity
2009-12-07 16:20 ` Anthony Liguori
2009-12-07 16:26 ` Avi Kivity
2009-12-07 16:32 ` Anthony Liguori
2009-12-07 16:37 ` Avi Kivity
2009-12-07 16:59 ` Anthony Liguori
2009-12-07 17:07 ` Avi Kivity
2009-12-07 17:09 ` Anthony Liguori
2009-12-07 17:13 ` Avi Kivity
2009-12-07 17:17 ` Anthony Liguori
2009-12-07 17:19 ` Avi Kivity
2009-12-07 17:40 ` Anthony Liguori
2009-12-07 18:25 ` Avi Kivity
2009-12-07 18:59 ` Anthony Liguori
2009-12-07 19:01 ` Avi Kivity
2009-12-07 19:07 ` Anthony Liguori
2009-12-07 16:24 ` Paul Brook
2009-12-07 16:27 ` Anthony Liguori
2009-12-07 16:28 ` Avi Kivity
2009-12-07 16:57 ` malc
2009-12-07 17:01 ` Anthony Liguori
2009-12-07 17:09 ` malc
2009-12-08 9:02 ` Kevin Wolf
2009-12-07 18:12 ` Blue Swirl
2009-12-08 8:30 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B1ADE14.2070809@redhat.com \
--to=avi@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=armbru@redhat.com \
--cc=paul@codesourcery.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.