From: Anthony Liguori <anthony@codemonkey.ws>
To: Paul Brook <paul@codesourcery.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Jean-Christophe Dubois <jcd@tribudubois.net>,
qemu-devel@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] use qemu_malloc and friends consistently
Date: Fri, 29 May 2009 09:34:16 -0500 [thread overview]
Message-ID: <4A1FF268.1050500@codemonkey.ws> (raw)
In-Reply-To: <200905291407.26757.paul@codesourcery.com>
Paul Brook wrote:
>> For the purpose of finding broken code returning NULL is IMHO the best
>> option. Although dereferencing NULL is undefined, in practice it will
>> segfault in most cases so the bugs shouldn't stay unnoticed for long.
>>
>
> The best way to find broken code is to have qemu_malloc(0) abort, and avoid
> ever trying to allocate a zero size block. Returning NULL is liable to
> introduce extra bugs because code often attributes special meaning to NULL
> pointers. It also breaks pointer comparison.
>
> To some extent the answer to this question depends how much you trust your
> programmers. If you assume everyone knows the C standard well and always
> writes perfect code then malloc(0) is a legitimate technique, though IMHO of
> fairly limited benefit.
>
I disagree. The wrong reason we introduced oom_check() was because we
don't trust people to check returns. Why would we trust them to check
size arguments especially when a lot of programmers are not going to
check size arguments by convention?
If we really want to fix up code, we can do so in a more benign way.
Instead of aborting, let's return malloc(1) and printf a warning. Then
we can fix sites without worrying about killing guests.
If we only have to fixup a few sites, then yeah, we can switch to
abort(). If it turns out there's a ton of these things and the code is
uglier, then we can give up and just accept these semantics.
Does that sound reasonable?
abort()'ing on malloc(0) is going to result in some really nasty crashes
that were entirely preventable in probably 99% of circumstances.
Regards,
Anthony Liguori
> If you want maximize chances of catching accidental mistakes as early as
> possible then you should have malloc(0) abort, because it probably means
> someone forgot tho consider the empty case.
>
> Paul
>
>
>
next prev parent reply other threads:[~2009-05-29 14:34 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-29 5:58 [Qemu-devel] [PATCH] use qemu_malloc and friends consistently Jean-Christophe Dubois
2009-05-29 8:42 ` Kevin Wolf
2009-05-29 9:05 ` Anthony Liguori
2009-05-29 9:51 ` malc
2009-05-29 10:05 ` Kevin Wolf
2009-05-29 10:23 ` malc
2009-05-29 10:34 ` Kevin Wolf
2009-05-29 10:40 ` malc
2009-05-29 10:49 ` Kevin Wolf
2009-05-29 10:56 ` Anthony Liguori
2009-05-29 11:06 ` malc
2009-05-29 11:14 ` Kevin Wolf
2009-05-29 10:53 ` Anthony Liguori
2009-05-29 11:24 ` malc
2009-05-29 12:36 ` Gerd Hoffmann
2009-05-29 13:07 ` Paul Brook
2009-05-29 13:46 ` Gerd Hoffmann
2009-05-29 13:59 ` Glauber Costa
2009-05-29 14:34 ` Anthony Liguori [this message]
2009-05-29 15:06 ` malc
2009-05-29 17:17 ` Julian Seward
2009-05-29 18:41 ` Gerd Hoffmann
2009-05-29 21:12 ` David Turner
2009-05-29 21:13 ` David Turner
2009-06-02 7:26 ` Gerd Hoffmann
2009-06-02 7:47 ` Anthony Liguori
2009-06-02 8:58 ` Daniel P. Berrange
2009-06-02 18:03 ` David Turner
2009-06-02 8:48 ` Avi Kivity
2009-06-02 18:02 ` David Turner
2009-06-02 18:13 ` Paul Brook
2009-06-02 19:49 ` David Turner
2009-06-02 20:04 ` Paul Brook
2009-06-02 20:42 ` David Turner
2009-06-02 20:45 ` Gerd Hoffmann
2009-06-02 20:48 ` Gerd Hoffmann
2009-06-02 20:58 ` Paul Brook
2009-06-02 21:19 ` David Turner
2009-06-02 19:03 ` Avi Kivity
2009-05-29 12:51 ` Markus Armbruster
2009-05-29 10:57 ` Gerd Hoffmann
2009-05-29 11:28 ` malc
2009-05-29 9:28 ` jcd
2009-05-29 9:38 ` Kevin Wolf
2009-06-01 11:59 ` Jamie Lokier
[not found] <18212122.68761243590277678.JavaMail.root@srv-05.w4a.fr>
2009-05-29 10:00 ` jcd
2009-05-29 10:10 ` Kevin Wolf
[not found] <2171027.69001243598252547.JavaMail.root@srv-05.w4a.fr>
2009-05-29 12:00 ` jcd
2009-05-29 12:05 ` Kevin Wolf
2009-05-29 12:13 ` jcd
2009-05-29 12:32 ` Markus Armbruster
2009-05-29 12:38 ` jcd
[not found] <28932640.69341243603994530.JavaMail.root@srv-05.w4a.fr>
2009-05-29 13:35 ` jcd
[not found] <28912134.69441243608238156.JavaMail.root@srv-05.w4a.fr>
2009-05-29 14:46 ` jcd
[not found] <33383337.69831243610071896.JavaMail.root@srv-05.w4a.fr>
2009-05-29 15:15 ` jcd
[not found] <1758936.71791243858884274.JavaMail.root@srv-05.w4a.fr>
2009-06-01 12:24 ` jcd
2009-06-01 23:46 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A1FF268.1050500@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=jcd@tribudubois.net \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=paul@codesourcery.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).