Date: Thu, 19 Feb 2004 08:45:00 -0800 From: Tim Kientzle <tim@kientzle.com> To: Poul-Henning Kamp <phk@phk.freebsd.dk> Cc: kientzle@acm.org Subject: Re: standard error handling for malloc() broken for user root and group wheel Message-ID: <4034E80C.5060505@kientzle.com> In-Reply-To: <24950.1077179049@critter.freebsd.dk> References: <24950.1077179049@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
Poul-Henning Kamp wrote: > In message <4034700C.9090107@kientzle.com>, Tim Kientzle writes: > >>Aborting the program >>on a failure to allocate memory is pretty clearly a violation >>of the standard, which requires the malloc function to >>always return. > > There is neither requirements nor guarantees how any function in > the ansi/iso regime reacts if you grossly violate the API or stomp > on random memory. If malloc's internal data structures are corrupted, I completely agree that a prompt abort is appropriate. My concern is that the current 'A' flag aborts on a failure to allocate, which is not a "gross violation" of the API. (I can see where it would be a useful debugging crutch, but it should not be enabled by default for any production code.) For example, consider a program with a dynamically-sized cache; a failure to grow the cache is not a reason to abort the program. Even for programs where an allocation failure is fatal, well-written programs can and do handle this failure gracefully and give the user useful feeedback. > - > - if (malloc_abort && result == NULL) > - wrterror("allocation failed\n"); Removing the abort on a failed allocation would address my concerns with the current behavior. Tim Kientzle
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4034E80C.5060505>