
On Mon, Apr 28, 2008 at 08:16:02PM +0100, Daniel P. Berrange wrote:
> I agree with Havoc that it is not worth checking for OOM unless you take the time to prove it is correctly handled. As mentioned earlier in this thread one of the core problems making it impractical is the API contract of malloc() which means you need manual code inspection to verify you checked all mallocs().

We could actually verify this automatically with CIL. Needs me to be free of distractions for a week to code it up mind you ...

> The API contract I proposed for virAlloc at least addresses that 1/2 of the problem by letting the compiler tell us whether any allocations have missing checks. That leaves the second part of the problem - the cleanup paths. We need to have the cleanup paths in the code regardless because arbitrary syscalls (eg, write(), socket(), etc) we invoke may fail. If we are making sure those cleanup paths are correct anyway, then handling OOM in these codepaths is minor incremental code & thus a much more tractable problem.

And these too ...

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into Xen guests. http://et.redhat.com/~rjones/virt-p2v
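The two halves discussed above, as a stand-alone C sketch added here (not code from libvirt or from either poster): a hypothetical `xalloc` wrapper whose ignored return value the compiler flags, and a single cleanup path whose correctness is checked by injecting a failure at each allocation in turn and counting outstanding blocks. The `xalloc`/`xfree` names, `struct conn`, and the injection knob are all made up for the illustration.

```c
#include <stdlib.h>
#include <string.h>

static int allocs_until_fail = -1; /* test knob: fail the Nth allocation (0-based), -1 = never */
static int live_blocks = 0;        /* outstanding blocks, so a leak on an error path shows up */

/* Hypothetical wrapper: status in the return value, block stored via *ptrptr; with
 * warn_unused_result the compiler, not code inspection, flags an unchecked allocation. */
__attribute__((warn_unused_result))
static int xalloc(void *ptrptr, size_t size) {
    void *p = allocs_until_fail == 0 ? NULL : calloc(1, size);
    *(void **)ptrptr = p;
    if (p == NULL) return -1;
    if (allocs_until_fail > 0) allocs_until_fail--;
    live_blocks++;
    return 0;
}

/* NULL-tolerant free that clears the pointer, so one cleanup label serves every exit */
static void xfree(void *ptrptr) {
    void **pp = ptrptr;
    if (*pp) { free(*pp); *pp = NULL; live_blocks--; }
}

struct conn { char *name; char *uri; };

static void conn_close(struct conn **cp) {
    if (*cp) { xfree(&(*cp)->name); xfree(&(*cp)->uri); }
    xfree(cp);
}

/* Three allocations, one cleanup path; a failing write() or socket() would take the same path */
static int conn_open(struct conn **out, const char *name, const char *uri) {
    struct conn *c = *out = NULL;
    if (xalloc(&c, sizeof *c) < 0 ||
        xalloc(&c->name, strlen(name) + 1) < 0 ||
        xalloc(&c->uri, strlen(uri) + 1) < 0)
        goto error;
    memcpy(c->name, name, strlen(name) + 1); memcpy(c->uri, uri, strlen(uri) + 1);
    *out = c;
    return 0;
error:
    conn_close(&c);
    return -1;
}

/* Fail the fail_at-th allocation (-1: none); return blocks still outstanding afterwards,
 * or -1 if conn_open's status disagrees with the injected failure. 0 means it behaved. */
static int oom_probe(int fail_at) {
    struct conn *c = NULL;
    allocs_until_fail = fail_at;
    int rc = conn_open(&c, "demo", "test:///default");
    allocs_until_fail = -1; conn_close(&c);
    return rc == (fail_at >= 0 && fail_at < 3 ? -1 : 0) ? live_blocks : -1;
}
```

Running `oom_probe` once per allocation site is the "prove it is correctly handled" step; compiling with warnings enabled covers the missing-check half.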