
Re: [olpc-software] graceful handling of out-of-memory conditions



On Fri, Mar 17, 2006 at 11:23:29AM +0530, Joshua N Pritikin wrote:
> Wrap mmap, sbrk, and friends (via LD_PRELOAD or whatever).  If sbrk
> finds that memory cannot be allocated then it writes the process ID
> and the # of bytes to a UNIX domain socket a la ucspi-unix[1] and waits
> for a policy decision.

It can't. It's out of memory. You just deadlocked. Also a lot of out-of-memory
situations arise from fork or exec, so there is nothing to do the telling.

> Anyway, with this solution we don't have to audit all the callers of
> malloc and we can still uphold the illusion that malloc never returns
> a NULL pointer if that's the decision of the holistic system policy.

I still see it differently. If your code does not check a malloc return then
it is broken. Since low memory accesses on some systems might allow patching
of code, it must also be considered unfit to ship for security reasons. Most
modern code gets this right, in part because the old BSD approach of "it's hard
so let's not bother" has been replaced by rigour in all the camps, notably
OpenBSD. In addition, tools both free (sparse) and non-free (e.g. Coverity) can
systematically identify missing NULL checks.

At the point we have run out of memory it is too late to take action. This is
why the kernel overcommit manager deals in address space to ensure the total
mappings that could end up with pages attached will always fit on disk and
swap plus some %age of RAM.

This is important because it is possible to take some actions when available
address space is low, and the current totals are in /proc so they can be
monitored. So on out of memory we can't do a lot; something has to die that
instant. On out of address space we can fail a malloc and, if used carefully,
we can then flag that up to other code with care. Failing that, if you can't
program, then

#include <stdlib.h>

/* Calls the real malloc and exits the process instead of ever returning
 * NULL. The #define below only takes effect after this definition, so the
 * malloc() inside the function body is still the C library's own. */
static void *malloc_for_clueless_people(size_t len)
{
	void *p = malloc(len);
	if (p)
		return p;
	exit(1);
}

#define malloc malloc_for_clueless_people

at the top of the code or as a preload library

Alan
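The two points above, that a failed malloc must be handled by the caller rather than papered over, and that the commit totals in /proc can be watched before address space runs out, as an added example in C (not code from this thread or its authors). checked_alloc and try_build are assumed names; the /proc/meminfo field names CommitLimit and Committed_AS are the real Linux ones, but SAMPLE_MEMINFO is a constructed snippet so the parser can be exercised without reading the live file.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate n elements of sz bytes each. Returns NULL on multiplication
 * overflow or allocation failure instead of aborting, so the caller can
 * back off, free caches, or report the error upward. */
void *checked_alloc(size_t n, size_t sz)
{
	if (sz != 0 && n > SIZE_MAX / sz) {
		errno = ENOMEM;
		return NULL;
	}
	return malloc(n * sz);
}

/* A caller that propagates failure rather than assuming success.
 * Returns 0 when the buffer was built and released, -1 when it could
 * not be allocated (the caller is expected to degrade gracefully). */
int try_build(size_t n)
{
	unsigned char *buf = checked_alloc(n, 1);
	if (!buf)
		return -1;
	memset(buf, 0, n);
	free(buf);
	return 0;
}

/* Parse CommitLimit and Committed_AS (both in kB) out of text in
 * /proc/meminfo format and return the remaining commit headroom in kB,
 * or -1 if either field is missing. A low or negative result is the
 * early warning the kernel overcommit accounting gives before malloc
 * starts failing. */
long commit_headroom_kb(const char *meminfo)
{
	long limit = -1, committed = -1;
	const char *line = meminfo;

	while (line && *line) {
		long v;
		if (sscanf(line, "CommitLimit: %ld", &v) == 1)
			limit = v;
		else if (sscanf(line, "Committed_AS: %ld", &v) == 1)
			committed = v;
		line = strchr(line, '\n');
		if (line)
			line++;
	}
	if (limit < 0 || committed < 0)
		return -1;
	return limit - committed;
}

/* Constructed sample, not captured from a real machine. */
static const char SAMPLE_MEMINFO[] =
	"MemTotal:         262144 kB\n"
	"MemFree:           40960 kB\n"
	"CommitLimit:      393216 kB\n"
	"Committed_AS:     360448 kB\n";

/* Read the live /proc/meminfo when available; falls back to the sample
 * elsewhere so the program still runs offline. */
long live_or_sample_headroom_kb(void)
{
	char buf[8192];
	FILE *f = fopen("/proc/meminfo", "r");
	size_t got = 0;

	if (f) {
		got = fread(buf, 1, sizeof(buf) - 1, f);
		fclose(f);
	}
	if (got == 0)
		return commit_headroom_kb(SAMPLE_MEMINFO);
	buf[got] = '\0';
	return commit_headroom_kb(buf);
}

int main(void)
{
	printf("commit headroom: %ld kB\n", live_or_sample_headroom_kb());
	printf("small allocation: %s\n", try_build(16) == 0 ? "ok" : "failed");
	printf("absurd allocation: %s\n", try_build(SIZE_MAX) == 0 ? "ok" : "failed");
	return 0;
}
```

try_build(SIZE_MAX) fails without any special casing because checked_alloc simply hands the NULL back; nothing calls exit, which is the difference between this and the wrapper above.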

