From: Avi Kivity <avi@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel@nongnu.org, Paul Brook <paul@codesourcery.com>,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] Permit zero-sized qemu_malloc() & friends
Date: Sun, 06 Dec 2009 00:26:28 +0200
Message-ID: <4B1ADE14.2070809@redhat.com>
In-Reply-To: <4B1AC96B.7060007@codemonkey.ws>
On 12/05/2009 10:58 PM, Anthony Liguori wrote:
> Avi Kivity wrote:
>> When we see a lengthy and error prone idiom we usually provide a
>> wrapper. That wrapper is qemu_malloc(). If you like, don't see it
>> as a fixed malloc(), but as qemu's way of allocating memory which is
>> totally independent from malloc().
>
> We constantly get patches with qemu_malloc() with a NULL check. Then
> we tell people to remove the NULL check. It feels very weird to ask
> people to remove error handling.
You prefer to explain to them how to do error handling correctly?
>
> I can understand the argument that getting OOM right is very difficult
> but it's not impossible.
There are 755 calls to malloc in the code. And practically every
syscall can return ENOMEM, including the innocuous KVM_RUN ioctl().
It's going to be pretty close to impossible to recover from malloc()
failure, and impossible to recover from KVM_RUN failure (except by
retrying, which you can assume the kernel already has). All for
something which never happens. I propose that fixing OOM handling is
going to introduce some errors into the non-error paths, and many errors
into the error return paths, for zero benefit.
>
>>>
>>> However, this is all personal preference and I'd rather focus my
>>> energy on things that have true functional impact. Markus raised a
>>> valid functional problem with the current implementation and I
>>> proposed a solution that would address that functional problem. I'd
>>> rather see the discussion focus on the merits of that solution than
>>> revisiting whether ANSI got the semantics of malloc() correct in the
>>> standards definition.
>>>
>>
>> Unless ANSI has a say on qemu_malloc(), I think it's worthwhile to
>> get that right rather than wrapping every array caller with useless
>> tests.
>
> If you're concerned about array allocation, introduce an array
> allocation function. Honestly, there's very little reason to open
> code array allocation/manipulation at all. We should either be using
> a list type or if we really need to, we should introduce a vector type.
NEW(type) and ARRAY_NEW(type, count) macros would improve type safety
and plug a dormant buffer overflow due to multiplication overflow, yes.
Even qemu_calloc() would be an improvement. But having qemu_malloc()
not fix the zero length array case which we know we have is
irresponsible, IMO.
--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
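The NEW()/ARRAY_NEW() idea and the multiplication-overflow check mentioned above, as an added example that is not QEMU's code or anything posted in the thread; demo_malloc() is an assumed stand-in for qemu_malloc() and the macro names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for qemu_malloc(): never returns NULL.  A zero-sized
 * request still yields a distinct, freeable pointer, and OOM aborts
 * rather than burdening every caller with an unrecoverable error path. */
static void *demo_malloc(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (!p) {
        fprintf(stderr, "out of memory allocating %zu bytes\n", size);
        abort();
    }
    return p;
}

/* The dormant bug: open-coded count * sizeof(type) silently wraps, so a
 * huge count turns into a tiny allocation that later code overruns. */
static size_t unchecked_bytes(size_t count, size_t size)
{
    return count * size;
}

/* Checked array allocation: reject products that would wrap.  NULL here
 * means "bogus count", never OOM, so callers can treat it as a bug. */
static void *demo_malloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size) {
        return NULL;
    }
    return demo_malloc(count * size);
}

/* Type-safe wrappers: the cast ties the result to the element type. */
#define NEW(type)              ((type *)demo_malloc(sizeof(type)))
#define ARRAY_NEW(type, count) ((type *)demo_malloc_array((count), sizeof(type)))

int main(void)
{
    size_t bad = SIZE_MAX / 4 + 2;      /* bad * 4 wraps to 4 bytes */
    int *ok = ARRAY_NEW(int, 0);        /* zero-length array is valid */
    int *bogus = ARRAY_NEW(int, bad);   /* rejected instead of undersized */
    printf("unchecked: %zu bytes, checked: %s, zero-length: %s\n",
           unchecked_bytes(bad, 4), bogus ? "allocated" : "rejected",
           ok ? "valid" : "NULL");
    free(ok); free(bogus);
    return 0;
}
```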