On Mon, Apr 28, 2008 at 08:16:02PM +0100, Daniel P. Berrange wrote:
> I agree with Havoc that it is not worth checking for OOM unless you
> take the time to prove it is correctly handled. As mentioned earlier
> in this thread one of the core problems making it impractical is
> the API contract of malloc() which means you need manual code inspection
> to verify you checked all mallocs().

We could actually verify this automatically with CIL. Needs me to be
free of distractions for a week to code it up mind you ...

> The API contract I proposed for
> virAlloc at least addresses that 1/2 of the problem by letting the
> compiler tell us whether any allocations have missing checks. That
> leaves the second part of the problem - the cleanup paths. We need
> to have the cleanup paths in the code regardless because arbitrary
> syscalls (eg, write(), socket(), etc) we invoke may fail. If we are
> making sure those cleanup paths are correct anyway, then handling OOM
> in these codepaths is minor incremental code & thus a much more tractable
> problem.
And these too ...
Rich.
--
Richard Jones, Emerging Technologies, Red Hat
http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
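The following C program is an added example, not code from libvirt or from either poster in this thread. It sketches the two halves of the problem discussed above: an allocation contract of the shape Dan describes (status return, pointer-to-pointer out-parameter, compiler warning when the status is dropped) and a constructor whose cleanup path has to be right anyway, together with a fault-injection walk that fails each allocation in turn so the "prove it is correctly handled" part can be checked offline rather than by eye. The names (checked_alloc, ALLOC_N, record_new, oom_walk) and the warn_unused_result mechanism are assumptions for illustration; the leaky variant is constructed to show what the walk catches.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__GNUC__)
# define MUST_CHECK __attribute__((warn_unused_result))
#else
# define MUST_CHECK
#endif

/* Fault-injection knobs and bookkeeping (assumed; only the self-check uses them). */
static int fail_at_alloc = -1;  /* 0-based index of the allocation to fail; -1 = none */
static int alloc_index = 0;     /* allocations attempted in the current run */
static int live_allocs = 0;     /* allocations made and not yet freed */

/* Assumed contract: 0 on success, -1 with errno = ENOMEM on failure; *ptrptr
 * is always written (NULL on failure).  MUST_CHECK makes gcc/clang warn when
 * a caller ignores the status, which is the "compiler tells us" half. */
static int MUST_CHECK checked_alloc(void *ptrptr, size_t count, size_t size)
{
    void **out = (void **) ptrptr;

    *out = NULL;
    if (size != 0 && count > SIZE_MAX / size) {   /* count * size would overflow */
        errno = ENOMEM;
        return -1;
    }
    if (fail_at_alloc >= 0 && alloc_index++ == fail_at_alloc) {
        errno = ENOMEM;                           /* injected OOM */
        return -1;
    }
    *out = calloc(count ? count : 1, size ? size : 1);
    if (*out == NULL) {
        errno = ENOMEM;
        return -1;
    }
    live_allocs++;
    return 0;
}

/* Free and NULL the pointer, so one cleanup path can run on partial objects. */
static void checked_free(void *ptrptr)
{
    void **out = (void **) ptrptr;

    if (*out != NULL) {
        free(*out);
        *out = NULL;
        live_allocs--;
    }
}

#define ALLOC_N(ptr, n) checked_alloc(&(ptr), (n), sizeof(*(ptr)))
#define ALLOC(ptr)      ALLOC_N(ptr, 1)
#define FREE(ptr)       checked_free(&(ptr))

struct record {
    char *name;
    size_t buflen;
    unsigned char *buf;
};

static void record_free(struct record *r)
{
    if (r == NULL)
        return;
    FREE(r->buf);   /* each FREE is a no-op on a field that was never allocated */
    FREE(r->name);
    FREE(r);
}

/* Single cleanup path: every failure, OOM or otherwise, jumps to error. */
static struct record *record_new(const char *name, size_t buflen)
{
    struct record *r = NULL;
    size_t namelen = strlen(name) + 1;

    if (ALLOC(r) < 0)
        goto error;
    if (ALLOC_N(r->name, namelen) < 0)
        goto error;
    memcpy(r->name, name, namelen);
    if (ALLOC_N(r->buf, buflen) < 0)
        goto error;
    r->buflen = buflen;
    return r;

error:
    record_free(r);
    return NULL;
}

/* Constructed counter-example: ad hoc cleanup that forgets r->name. */
static struct record *record_new_leaky(const char *name, size_t buflen)
{
    struct record *r = NULL;
    size_t namelen = strlen(name) + 1;

    if (ALLOC(r) < 0)
        return NULL;
    if (ALLOC_N(r->name, namelen) < 0) {
        FREE(r);
        return NULL;
    }
    memcpy(r->name, name, namelen);
    if (ALLOC_N(r->buf, buflen) < 0) {
        FREE(r);            /* leaks r->name */
        return NULL;
    }
    r->buflen = buflen;
    return r;
}

/* Fail each allocation site in turn.  Returns the number of sites exercised,
 * or -1 as soon as a failure (or the success path) leaves memory live. */
static int oom_walk(struct record *(*ctor)(const char *, size_t))
{
    int site;

    for (site = 0; site < 64; site++) {
        struct record *r;

        fail_at_alloc = site;
        alloc_index = 0;
        live_allocs = 0;
        r = ctor("vm-01", 64);      /* constructed input */
        fail_at_alloc = -1;
        if (r != NULL) {            /* no site left to fail: walk complete */
            record_free(r);
            return live_allocs == 0 ? site : -1;
        }
        if (live_allocs != 0)
            return -1;
    }
    return -1;
}

int main(void)
{
    printf("record_new       -> %d\n", oom_walk(record_new));        /* 3 */
    printf("record_new_leaky -> %d\n", oom_walk(record_new_leaky));  /* -1 */
    return 0;
}
```

Compile with -Wall to see the warn_unused_result warning if any ALLOC result is dropped; the walk is cheap enough to run under a normal unit test, which is what makes the OOM branches "minor incremental code" once the cleanup path exists for the other failures.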