Date:      Thu, 19 Feb 2004 08:45:00 -0800
From:      Tim Kientzle <tim@kientzle.com>
To:        Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc:        kientzle@acm.org
Subject:   Re: standard error handling for malloc() broken for user root and group wheel
Message-ID:  <4034E80C.5060505@kientzle.com>
In-Reply-To: <24950.1077179049@critter.freebsd.dk>
References:  <24950.1077179049@critter.freebsd.dk>

Poul-Henning Kamp wrote:
> In message <4034700C.9090107@kientzle.com>, Tim Kientzle writes:
> 
>>Aborting the program
>>on a failure to allocate memory is pretty clearly a violation
>>of the standard, which requires the malloc function to
>>always return.
> 
> There is neither requirements nor guarantees how any function in
> the ansi/iso regime reacts if you grossly violate the API or stomp
> on random memory.

If malloc's internal data structures are corrupted, I
completely agree that a prompt abort is appropriate.

My concern is that the current 'A' flag aborts on a failure
to allocate, which is not a "gross violation" of the API.
(I can see where it would be a useful debugging crutch, but it
should not be enabled by default for any production code.)

For example, consider a program with a dynamically-sized cache;
a failure to grow the cache is not a reason to abort
the program.  Even for programs where an allocation failure
is fatal, well-written programs can and do handle this
failure gracefully and give the user useful feedback.

> -
> -    if (malloc_abort && result == NULL)
> -	wrterror("allocation failed\n");
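Review bot: dropping the `if (malloc_abort && result == NULL)` check changes what the documented 'A' option does, so the malloc(3) description of 'A' should be updated in the same change to say it no longer covers a failed allocation, only the error paths that still call wrterror(); the quoted hunk carries no context lines, so please also confirm that `malloc_abort` is still read somewhere after this removal, since if this was its only use the variable and the option parsing that sets it become dead code.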

Removing the abort on a failed allocation would
address my concerns with the current behavior.

Tim Kientzle
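As an added illustration of the dynamically-sized cache case argued above (example code written for this page, not code from the thread or from FreeBSD's malloc): a growable cache whose insert path treats a failed realloc() as "keep what we already have" instead of aborting. The allocation limit `alloc_limit` and the wrapper `cache_realloc()` are assumptions of this example, used to simulate malloc returning NULL without exhausting real memory; the names `cache_grow` and `cache_insert` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable cache of integer keys. */
struct cache {
    size_t *keys;
    size_t  len;     /* entries in use */
    size_t  cap;     /* entries allocated */
    size_t  drops;   /* inserts refused because the cache could not grow */
};

struct result {
    size_t stored;
    size_t dropped;
};

/* Assumption for this example: requests larger than alloc_limit bytes are
 * refused, standing in for malloc()/realloc() returning NULL. */
static size_t alloc_limit = SIZE_MAX;

static void *cache_realloc(void *p, size_t n)
{
    if (n > alloc_limit)
        return NULL;
    return realloc(p, n);
}

/* Double the cache. Returns 0 on success, -1 on failure. On failure the
 * cache is untouched: the old buffer stays valid and nothing is leaked.
 * Note the temporary: writing c->keys = realloc(c->keys, ...) directly
 * would lose the old buffer when realloc() returns NULL. */
static int cache_grow(struct cache *c)
{
    size_t ncap = c->cap ? c->cap * 2 : 16;
    size_t *nk;

    /* Guard the size arithmetic before asking the allocator. */
    if (ncap < c->cap || ncap > SIZE_MAX / sizeof(*c->keys))
        return -1;
    nk = cache_realloc(c->keys, ncap * sizeof(*c->keys));
    if (nk == NULL)
        return -1;
    c->keys = nk;
    c->cap = ncap;
    return 0;
}

/* Insert a key. If the cache is full and cannot grow, drop the entry and
 * report it; the caller keeps running with a smaller cache. */
static int cache_insert(struct cache *c, size_t key)
{
    if (c->len == c->cap && cache_grow(c) != 0) {
        c->drops++;
        return -1;
    }
    c->keys[c->len++] = key;
    return 0;
}

static void cache_free(struct cache *c)
{
    free(c->keys);
    memset(c, 0, sizeof(*c));
}

/* Constructed scenario: insert n keys while any single allocation above
 * limit_bytes fails. Returns how many were stored and how many dropped. */
static struct result run_scenario(size_t n, size_t limit_bytes)
{
    struct cache c = {0};
    struct result r;
    size_t i;

    alloc_limit = limit_bytes;
    for (i = 0; i < n; i++)
        (void)cache_insert(&c, i);
    r.stored = c.len;
    r.dropped = c.drops;
    cache_free(&c);
    alloc_limit = SIZE_MAX;
    return r;
}

int main(void)
{
    /* Growth goes 16 -> 32 -> 64 entries; the step to 128 exceeds the
     * limit of 64 * sizeof(size_t) bytes and is refused. */
    struct result r = run_scenario(100, 64 * sizeof(size_t));
    printf("stored %zu, dropped %zu (cache degraded, program continued)\n",
           r.stored, r.dropped);
    return 0;
}
```

The point of the temporary pointer in cache_grow() is the part most often got wrong: a program that assigns the realloc() result straight back to its only pointer can only recover from a NULL return by aborting, because the old block is already unreachable.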



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4034E80C.5060505>