From owner-freebsd-current@FreeBSD.ORG Thu Feb 19 08:46:15 2004
Message-ID: <4034E80C.5060505@kientzle.com>
Date: Thu, 19 Feb 2004 08:45:00 -0800
From: Tim Kientzle
To: Poul-Henning Kamp
cc: current@freebsd.org
cc: kientzle@acm.org
References: <24950.1077179049@critter.freebsd.dk>
In-Reply-To: <24950.1077179049@critter.freebsd.dk>
Subject: Re: standard error handling for malloc() broken for user root and group wheel
List-Id: Discussions about the use of FreeBSD-current

Poul-Henning Kamp wrote:
> In message <4034700C.9090107@kientzle.com>, Tim Kientzle writes:
>
>> Aborting the program
>> on a failure to allocate memory is pretty clearly a violation
>> of the standard, which requires the malloc function to
>> always return.
>
> There are neither requirements nor guarantees how any function in
> the ansi/iso regime reacts if you grossly violate the API or stomp
> on random memory.
If malloc's internal data structures are corrupted, I completely
agree that a prompt abort is appropriate.

My concern is that the current 'A' flag aborts on a failure to
allocate, which is not a "gross violation" of the API. (I can see
where it would be a useful debugging crutch, but it should not be
enabled by default for any production code.)

For example, consider a program with a dynamically-sized cache; a
failure to grow the cache is not a reason to abort the program.
Even for programs where an allocation failure is fatal, well-written
programs can and do handle this failure gracefully and give the user
useful feedback.

> -
> - if (malloc_abort && result == NULL)
> - wrterror("allocation failed\n");

Removing the abort on a failed allocation would address my concerns
with the current behavior.

Tim Kientzle
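Review bot: dropping the `malloc_abort && result == NULL` check means that with the 'A' flag set a NULL result now propagates to the caller instead of ending in wrterror(), so the description of the 'A' flag should be updated to say it no longer covers allocation failure, and any caller that leaned on the flag to catch a NULL return from malloc() needs to check the return value itself.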
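The dynamically-sized cache described above, as an added example in C that is not part of this thread or of the FreeBSD malloc code: `alloc_limit` and `try_realloc` are a constructed hook that simulates an allocation failure so the program runs offline, and the cache keeps its existing entries and drops the new one instead of aborting.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed allocation ceiling (bytes) so the example can simulate ENOMEM offline. */
static size_t alloc_limit = (size_t)-1;

static void *try_realloc(void *p, size_t n) {
    return n > alloc_limit ? NULL : realloc(p, n);
}
/* A growable cache of ints: failing to cache an entry is never fatal. */
struct cache { int *items; size_t len, cap; };

/* Grow in place; on failure the old buffer is untouched and -1 is returned. */
static int cache_grow(struct cache *c, size_t newcap) {
    int *tmp = try_realloc(c->items, newcap * sizeof *tmp);
    if (tmp == NULL)
        return -1;          /* existing entries stay valid and usable */
    c->items = tmp;
    c->cap = newcap;
    return 0;
}

/* 0 if v was cached, 1 if it was dropped because the cache could not grow. */
static int cache_put(struct cache *c, int v) {
    if (c->len == c->cap && cache_grow(c, c->cap ? c->cap * 2 : 4) != 0)
        return 1;           /* degrade gracefully instead of aborting */
    c->items[c->len++] = v;
    return 0;
}

/* Insert 12 entries; with simulate_failure the allocator is capped after 8,
 * so the growth from 8 to 16 ints fails and the last 4 inserts are dropped. */
static void run_scenario(int simulate_failure, size_t *kept, size_t *dropped) {
    struct cache c = { NULL, 0, 0 };
    *dropped = 0;
    for (int i = 0; i < 12; i++) {
        if (i == 8 && simulate_failure)
            alloc_limit = 8 * sizeof(int);
        *dropped += (size_t)cache_put(&c, i);
    }
    *kept = c.len;
    free(c.items);
    alloc_limit = (size_t)-1;
}

static size_t kept_after(int f) { size_t k, d; run_scenario(f, &k, &d); return k; }
static size_t dropped_after(int f) { size_t k, d; run_scenario(f, &k, &d); return d; }
int main(void) {
    printf("kept %zu, dropped %zu\n", kept_after(1), dropped_after(1));  /* kept 8, dropped 4 */
    return 0;
}
```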