From: Marek Vasut <marek.vasut@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] Prevent malloc with size 0
Date: Mon, 2 Apr 2012 02:13:07 +0200 [thread overview]
Message-ID: <201204020213.07816.marek.vasut@gmail.com> (raw)
In-Reply-To: <CALButCKnA4Fmp5aqnFS00WFKT-6WvPyNiDW_cnBc2y+kc_YjwA@mail.gmail.com>
Dear Graeme Russ,
> Hi Marek,
>
> On Mon, Apr 2, 2012 at 9:45 AM, Marek Vasut <marek.vasut@gmail.com> wrote:
> > Dear Graeme Russ,
> >
> >> Hi All
> >>
> >> Here we go again ;)
> >
> > Yay (polishing my flamethrower)!
> >
> >> On Mon, Apr 2, 2012 at 12:21 AM, Marek Vasut <marek.vasut@gmail.com> wrote:
> >> > Dear Joakim Tjernlund,
> >> >
> >> >> Marek Vasut <marek.vasut@gmail.com> wrote on 2012/04/01 16:01:56:
> >> >> > Dear Joakim Tjernlund,
> >> >> >
> >> >> > > > Dear Mike Frysinger,
> >> >> > > >
> >> >> > > > > On Thursday, October 21, 2010 17:10:31 Graeme Russ wrote:
> >> >> > > > > > On 22/10/10 06:51, Mike Frysinger wrote:
> >> >> > > > > > > have u-boot return an error.
> >> >> > > > > >
> >> >> > > > > > Is NULL what you consider to be an error
> >> >> > > > >
> >> >> > > > > yes
> >> >> > > > >
> >> >> > > > > > Besides, is not free(NULL) valid (does nothing) as well?
> >> >> > > > >
> >> >> > > > > yes, free(NULL) should work fine per POSIX
> >> >> > > > > -mike
> >> >> > > >
> >> >> > > > Well then, this patch wasn't accepted yet and I consider it OK
> >> >> > > > to apply. Any objections?
> >> >> > >
> >> >> > > There was a long debate on the list regarding this where I argued
> >> >> > > that malloc(0) should not be an error and malloc should return a
> >> >> > > ptr != NULL I guess that is why it hasn't been applied.
> >> >> > >
> >> >> > > Jocke
> >> >> >
> >> >> > Ok, let's restart. Is there any objection why malloc(0) should not
> >> >> > return NULL in uboot?
> >> >>
> >> >> Yes, read the thread to see why.
> >> >
> >> > Well I did, that's why I have no objections to applying this patch
> >> >
> >> >> > Is it coliding with any spec?
> >> >>
> >> >> No, both are valid.
> >>
> >> <quote author="Reinhard Meyer">
> >> Out of principle I would say that malloc(0) should return a non-NULL
> >> pointer of an area where exactly 0 bytes may be used. And, of course,
> >> free() of that area shall not fail or crash the system.
> >> </quote>
> >>
> >> I'm wondering how exactly this would work - In theory, if you tried to
> >> access this pointer you should get a segv. But I suppose if you
> >> malloc(1) and try to access beyond the first byte there probably won't
> >> be a segv either....
> >>
> >> So to review the facts:
> >>
> >> - The original complaint was that malloc(0) corrupts the malloc data
> >> structures, not that U-Boot's malloc(0) behaviour is non-standard
> >> - Both the malloc(0) returns NULL and malloc(0) returns a uniquely
> >> free'able block of memory solutions are standard compliant
> >> - malloc(0) returning NULL may break code which, for the sake of code
> >> simplicity, does not bother to check for zero-size before calling
> >> malloc()
> >
> > Well but you said malloc(0) corrupts the mallocator's data structures.
> > Therefore malloc(0) used in code right now is broken anyway.
>
> Correct, but the breakage is in malloc() not the caller
And what are the consequences of such a breakage?
> >> - malloc(0) returning NULL may help to identify brain-dead use-cases
> >
> > Agreed.
> >
> >> My vote:
> >>
> >> if ((long)bytes == 0) {
> >> DEBUG("Warning: malloc of zero block size\n");
> >> bytes = 1;
> >
> > Well ... no, how can malloc(0) returning NULL break code that's already
> > broken any more? It's silently roughing the mallocator structures up and
> > it means the code is sitting on a ticking a-bomb anyway.
> >
> > So we should add this like:
> >
> > if (bytes == 0) {
> > debug("You're sitting on a ticking A-Bomb doing this");
>
> Because you just set it off - Right now, that code is assuming malloc(0)
> will return a valid pointer and thus not throw an E_NOMEM error - Now
> all that code will fail with E_NOMEM
Well ... that code worked with invalid memory (most probably not even R/W
because it was some completely random hunk) and worked only by sheer
coincidence. Let's break it, it was broken anyway.
Do you know about any such code? That's why I suggest adding such a debug() only
in case there's malloc(0) called. Maybe even add a printf() instead.
> > return NULL;
> > } else if (bytes < 0) {
> > return NULL;
> > }
> >
> >> } else if ((long)bytes < 0) {
> >> DEBUG("Error: malloc of negative block size\n");
> >> return 0;
> >> }
>
> Regards,
>
> Graeme
next prev parent reply other threads:[~2012-04-02 0:13 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-21 9:24 [U-Boot] [PATCH] Prevent malloc with size 0 Kostaras Nikolaos
2010-10-21 11:25 ` Joakim Tjernlund
2010-10-21 11:32 ` Wolfgang Denk
2010-10-21 11:45 ` Joakim Tjernlund
2010-10-21 11:51 ` Wolfgang Denk
2010-10-21 11:56 ` Joakim Tjernlund
2010-10-21 12:02 ` Wolfgang Denk
2010-10-21 12:54 ` Joakim Tjernlund
2010-10-21 19:51 ` Mike Frysinger
2010-10-21 21:10 ` Graeme Russ
2010-10-21 21:27 ` Mike Frysinger
2012-03-31 19:59 ` Marek Vasut
2012-04-01 12:25 ` Joakim Tjernlund
2012-04-01 14:01 ` Marek Vasut
2012-04-01 14:15 ` Joakim Tjernlund
2012-04-01 14:21 ` Marek Vasut
2012-04-01 22:40 ` Graeme Russ
2012-04-01 23:45 ` Marek Vasut
2012-04-01 23:52 ` Graeme Russ
2012-04-02 0:13 ` Marek Vasut [this message]
2012-04-02 0:25 ` Graeme Russ
2012-04-02 1:04 ` Marek Vasut
2012-04-02 1:40 ` Graeme Russ
2012-04-02 2:51 ` Marek Vasut
2012-04-02 3:05 ` Graeme Russ
2012-04-02 6:39 ` Joakim Tjernlund
2012-04-02 3:12 ` Mike Frysinger
2012-04-02 3:16 ` Graeme Russ
2012-04-02 3:36 ` Marek Vasut
2012-04-02 3:43 ` Graeme Russ
2012-04-02 4:23 ` Marek Vasut
2012-04-02 4:27 ` Graeme Russ
2012-04-02 6:55 ` Joakim Tjernlund
2012-04-02 7:17 ` Graeme Russ
2012-04-02 7:40 ` Joakim Tjernlund
2012-04-02 14:05 ` Marek Vasut
2012-04-02 14:26 ` Joakim Tjernlund
2012-04-02 14:42 ` Marek Vasut
2012-04-02 15:08 ` Joakim Tjernlund
2012-04-02 15:23 ` Marek Vasut
2012-04-02 16:00 ` Joakim Tjernlund
2012-04-02 16:39 ` Marek Vasut
2012-04-02 17:22 ` Joakim Tjernlund
2012-04-02 18:00 ` Marek Vasut
2012-04-02 18:40 ` Joakim Tjernlund
2012-04-02 19:14 ` Mike Frysinger
2012-04-02 21:02 ` Joakim Tjernlund
2012-04-02 19:23 ` Marek Vasut
2012-04-02 20:28 ` Graeme Russ
2012-04-02 20:56 ` Joakim Tjernlund
2012-04-02 20:59 ` Graeme Russ
2012-04-02 21:14 ` Joakim Tjernlund
2012-04-02 23:35 ` Graeme Russ
2012-04-03 10:35 ` Graeme Russ
2012-10-16 6:31 ` Marek Vasut
2012-10-16 9:22 ` Joakim Tjernlund
2012-10-16 10:43 ` Marek Vasut
2012-10-16 11:46 ` Joakim Tjernlund
2012-10-16 10:43 ` Wolfgang Denk
2012-10-16 22:41 ` Graeme Russ
2012-04-02 3:10 ` Mike Frysinger
2012-04-02 3:36 ` Marek Vasut
2010-10-22 6:10 ` Joakim Tjernlund
2010-10-22 7:18 ` Reinhard Meyer
2010-10-22 7:47 ` Joakim Tjernlund
2010-10-22 7:20 ` Mike Frysinger
2010-10-22 7:37 ` Joakim Tjernlund
2010-10-22 7:55 ` Mike Frysinger
2010-10-22 8:34 ` Joakim Tjernlund
2010-10-22 15:18 ` Mike Frysinger
2010-10-22 16:40 ` Joakim Tjernlund
2010-10-22 17:06 ` Mike Frysinger
2010-10-23 9:14 ` Joakim Tjernlund
2010-10-22 17:36 ` Scott Wood
2010-10-23 9:23 ` Joakim Tjernlund
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201204020213.07816.marek.vasut@gmail.com \
--to=marek.vasut@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox