[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] RFC: safer memory allocation APIs with compile time checking

On Mon, Apr 28, 2008 at 08:16:02PM +0100, Daniel P. Berrange wrote:
> I agree with Havoc that it is not worth checking for OOM unless you
> take the time to prove it is correctly handled. As mentioned earlier
> in this thread one of the core problems making it impractical is
> the API contract of malloc() which means you need manual code inspection
> to verify you checked all mallocs().

We could actually verify this automatically with CIL.  Needs me to be
free of distractions for a week to code it up mind you ...

> The API contract I proposed for
> virAlloc at least addresses that 1/2 of the problem by letting the
> compiler tell us whether any allocations have missing checks. That
> leaves the second part of the problem - the cleanup paths. We need 
> to have the cleanup paths in the code regardless because arbitrary
> syscalls (eg, write(), socket(), etc) we invoke may fail.  If we are
> making sure those cleanup paths are correct anyway, then handling OOM
> in these codepaths is minor incremental code & thus a much more tractable
> problem.

And these too ...


Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
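To make the contract being discussed concrete, here is an added example (not code from the thread, libvirt, or its authors) of an allocator whose return value is a status rather than the pointer, marked `warn_unused_result` so the compiler reports any call site that drops the status, together with a two-stage constructor whose cleanup path is exercised by injecting an allocation failure. All names (`example_alloc_n`, `EXAMPLE_ALLOC_N`, `record_new`, `check_oom_path`) and the fault-injection hook are constructed for this illustration; they are not libvirt's `virAlloc`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hooks: when fail_on_alloc_number > 0, the Nth allocation
 * call fails with ENOMEM so the cleanup path runs without real memory
 * pressure. live_allocs lets a caller prove nothing leaked. */
static int fail_on_alloc_number = 0;
static int alloc_calls = 0;
static int live_allocs = 0;

/* The contract: status comes back as the return value, the pointer through
 * an out-parameter. With warn_unused_result, GCC and clang warn at any call
 * site that ignores the status, so missing checks are found at compile time
 * instead of by code inspection. */
static int example_alloc_n(void *ptrptr, size_t size, size_t count)
    __attribute__((warn_unused_result));

static int example_alloc_n(void *ptrptr, size_t size, size_t count)
{
    void **out = ptrptr;
    *out = NULL;
    alloc_calls++;
    if (fail_on_alloc_number > 0 && alloc_calls == fail_on_alloc_number) {
        errno = ENOMEM;                 /* injected failure */
        return -1;
    }
    if (size != 0 && count > SIZE_MAX / size) {
        errno = ENOMEM;                 /* size * count would overflow */
        return -1;
    }
    *out = calloc(count ? count : 1, size ? size : 1);
    if (*out == NULL)
        return -1;
    live_allocs++;
    return 0;
}

/* Frees *ptrptr and nulls it, so freeing a never-allocated field is a no-op. */
static void example_free(void *ptrptr)
{
    void **p = ptrptr;
    if (*p) {
        free(*p);
        *p = NULL;
        live_allocs--;
    }
}

#define EXAMPLE_ALLOC_N(ptr, count) example_alloc_n(&(ptr), sizeof(*(ptr)), (count))
#define EXAMPLE_FREE(ptr) example_free(&(ptr))

struct record {
    char *name;
    int *values;
    size_t nvalues;
};

/* Three allocations; whichever one fails, everything before it is released
 * on the single error path. Returns NULL with errno set on failure. */
static struct record *record_new(const char *name, size_t nvalues)
{
    struct record *rec = NULL;
    if (EXAMPLE_ALLOC_N(rec, 1) < 0)
        return NULL;
    if (EXAMPLE_ALLOC_N(rec->name, strlen(name) + 1) < 0)
        goto error;
    memcpy(rec->name, name, strlen(name) + 1);
    if (EXAMPLE_ALLOC_N(rec->values, nvalues) < 0)
        goto error;
    rec->nvalues = nvalues;
    return rec;

error:
    EXAMPLE_FREE(rec->values);
    EXAMPLE_FREE(rec->name);
    EXAMPLE_FREE(rec);
    return NULL;
}

static void record_free(struct record *rec)
{
    if (!rec)
        return;
    EXAMPLE_FREE(rec->values);
    EXAMPLE_FREE(rec->name);
    EXAMPLE_FREE(rec);
}

/* Makes allocation number fail_at fail (0 = none) and returns 1 when the
 * outcome is correct: failure handled with zero leaked blocks, or success
 * with all three blocks released by record_free. */
static int check_oom_path(int fail_at)
{
    alloc_calls = 0;
    live_allocs = 0;
    fail_on_alloc_number = fail_at;
    struct record *rec = record_new("example", 4);
    fail_on_alloc_number = 0;
    int got_record = (rec != NULL);
    int live_before_free = live_allocs;
    record_free(rec);
    if (fail_at > 0 && fail_at <= 3)
        return !got_record && live_before_free == 0;
    return got_record && live_before_free == 3 && live_allocs == 0;
}

int main(void)
{
    int ok = 1;
    for (int i = 0; i <= 3; i++)
        ok &= check_oom_path(i);
    printf("%s\n", ok ? "all OOM paths clean" : "leak detected");
    return ok ? 0 : 1;
}
```

Compiling with `-Wall` and then deleting the `if (... < 0)` around any `EXAMPLE_ALLOC_N` call is the point of the contract: the build reports an unused result at that line, which a `malloc()`-style pointer return can never do. The fault-injection counter is the cheap way to walk every failure point of a constructor and confirm the shared cleanup path frees exactly what was allocated before it.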
