[Libvir] RFC: safer memory allocation APIs with compile time checking

Daniel P. Berrange berrange at redhat.com
Mon Apr 28 19:19:52 UTC 2008


On Mon, Apr 28, 2008 at 06:45:54PM +0000, David Lutterkort wrote:
> 
> On Mon, 2008-04-28 at 13:38 +0100, Richard W.M. Jones wrote:
> > On Mon, Apr 28, 2008 at 03:39:41AM -0400, Daniel Veillard wrote:
> > >   Calling abort() in a library is a major NO-NO and one of the reasons
> > > I avoided glib in most of the code I developed. You just can't exit()/abort()
> > > from a library.
> > 
> > That depends ... If you can override the abort() function with an
> > error handler, then I'd say it is OK.
> 
> I used to not think very highly of calling abort() by default, but
> reading Havoc's blog post about that a while ago[1] is making me doubt
> conventional wisdom. He cites libxml2 as one example where OOM leads to
> crashes - I take that not as an indication that there is something wrong
> with libxml2, but with the approach of checking and correctly handling
> all allocation failures.
> 
> Allocation failure happens very rarely, and testing it properly is near
> impossible; allocation failures amount to an additional input stream
> that is read deep down in the call hierarchy and can generally not be
> checked by the caller like other arguments.
> 
> So maybe taking a hint from all the languages that contain 'fat'
> runtimes isn't the worst of strategies: die loudly by default, and let
> the application specify other handlers. In practice, the usefulness of
> those handlers is limited by their inability to unwind the stack and
> free dead memory on the way out. Has anybody seen such handlers be
> useful short of a full exception implementation?
> 
> David
> 
> [1] http://log.ometer.com/2008-02.html#4

To quote

  "dbus-daemon was the motivation for OOM handling, since dbus-daemon 
   can't crash."

dbus-daemon is a critical piece of any modern Linux OS so this paranoia
is worth it. libvirtd is arguably even more critical, because failure
can take out *every* OS. Which reminds me that as well as beefing up
the OOM handling, we need to make the daemon more failure tolerant by
switching to using UNIX sockets for talking to the monitor, thus allowing
restarts without killing the VMs.

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
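The design David and Richard debate above (die loudly by default, let the application install another handler, and keep the type-checked allocation API the RFC's subject line promises) as an added example; this is not libvirt's code, and every name in it (alloc_n, ALLOC_N, raw_alloc, oom_handler, struct vm, the demo_* functions) is hypothetical. It also shows the point David raises about testability: swapping the raw allocator lets the OOM path be exercised deliberately.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical allocation layer, not libvirt's own API: a failure runs an
 * overridable handler (default abort(), as debated above), then is reported to
 * the caller; the raw allocator can be swapped so the OOM path is testable. */
typedef void *(*raw_alloc_fn)(size_t nmemb, size_t size);
typedef void (*oom_handler_fn)(size_t bytes);
static void default_oom_handler(size_t bytes) { (void)bytes; abort(); }
static raw_alloc_fn raw_alloc = calloc;
static oom_handler_fn oom_handler = default_oom_handler;
/* Zeroed allocation of count objects; count*size overflow is refused before
 * the allocator is reached. Returns NULL with errno = ENOMEM on failure. */
static void *alloc_n(size_t count, size_t size) {
    void *p;
    if (count == 0) count = 1;
    if (size != 0 && count > SIZE_MAX / size) { errno = ENOMEM; return NULL; }
    p = raw_alloc(count, size);
    if (!p) {
        oom_handler(count * size); /* may abort; if it returns, report ENOMEM */
        errno = ENOMEM;
    }
    return p;
}
/* Element size comes from the pointer's own type, so a mismatched sizeof() is impossible. */
#define ALLOC_N(ptr, n) (((ptr) = alloc_n((n), sizeof(*(ptr)))) ? 0 : -1)
/* Constructed fault injection: always-failing allocator, non-aborting handler. */
static size_t oom_calls;
static void counting_oom(size_t bytes) { (void)bytes; oom_calls++; }
static void *failing_alloc(size_t n, size_t s) { (void)n; (void)s; return NULL; }
struct vm { int id; char *name; };
static int demo_success(void) {
    struct vm *vms;
    if (ALLOC_N(vms, 4) < 0) return 0;
    int zeroed = (vms[3].id == 0 && vms[3].name == NULL);
    free(vms);
    return zeroed;
}
static int demo_failure(void) { /* allocator fails, handler returns */
    struct vm *vms = NULL;
    oom_calls = 0;
    raw_alloc = failing_alloc; oom_handler = counting_oom;
    int rc = ALLOC_N(vms, 4);
    raw_alloc = calloc; oom_handler = default_oom_handler;
    return rc == -1 && vms == NULL && errno == ENOMEM && oom_calls == 1;
}
static int demo_overflow(void) { /* rejected before any allocator call */
    struct vm *vms = NULL;
    return ALLOC_N(vms, SIZE_MAX) == -1 && errno == ENOMEM && vms == NULL;
}
```

A handler that returns still cannot unwind the stack for the caller, which is David's caveat; what the layer buys is that every caller sees an ordinary -1/ENOMEM it can check, and the failure path can be driven on demand.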