[Libvir] RFC: safer memory allocation APIs with compile time checking

Richard W.M. Jones rjones at redhat.com
Mon Apr 28 21:36:29 UTC 2008


On Mon, Apr 28, 2008 at 08:16:02PM +0100, Daniel P. Berrange wrote:
> I agree with Havoc that it is not worth checking for OOM unless you
> take the time to prove it is correctly handled. As mentioned earlier
> in this thread one of the core problems making it impractical is
> the API contract of malloc() which means you need manual code inspection
> to verify you checked all mallocs().

We could actually verify this automatically with CIL.  Needs me to be
free of distractions for a week to code it up mind you ...

> The API contract I proposed for
> virAlloc at least addresses that 1/2 of the problem by letting the
> compiler tell us whether any allocations have missing checks. That
> leaves the second part of the problem - the cleanup paths. We need 
> to have the cleanup paths in the code regardless because arbitrary
> syscalls (e.g. write(), socket(), etc) we invoke may fail.  If we are
> making sure those cleanup paths are correct anyway, then handling OOM
> in these codepaths is minor incremental code & thus a much more tractable
> problem.

And these too ...

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
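As an added illustration of the contract Daniel describes (this is example code, not libvirt's own virAlloc or anything from the thread): the allocator hands the pointer back through an out-parameter and returns a status marked so the compiler warns when a caller ignores it, and record_new shows how OOM handling rides on a cleanup path that already has to exist for other failures. The names demo_alloc, DEMO_ALLOC_N, DEMO_FREE and the failure-injection counters are this example's own, added so the cleanup path can be exercised deterministically.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* The compiler warns at any call site that discards the status code. */
#define RETURN_CHECK __attribute__((warn_unused_result))
static int demo_fail_at, demo_calls, demo_live;  /* constructed test hooks */

/* Contract: on success *ptrptr gets zeroed memory and 0 is returned;
 * on failure *ptrptr is NULL, errno is ENOMEM and -1 is returned. */
static RETURN_CHECK int demo_alloc(void *ptrptr, size_t size)
{
    void **pp = ptrptr;
    *pp = (++demo_calls == demo_fail_at) ? NULL : calloc(1, size);
    if (*pp == NULL) { errno = ENOMEM; return -1; }
    demo_live++;
    return 0;
}

/* Free through the pointer's address and null it, so no double free. */
static void demo_free(void *ptrptr)
{
    void **pp = ptrptr;
    if (*pp) { free(*pp); *pp = NULL; demo_live--; }
}
#define DEMO_ALLOC_N(ptr, n) demo_alloc(&(ptr), sizeof(*(ptr)) * (n))
#define DEMO_FREE(ptr)       demo_free(&(ptr))
struct record { char *name; int *values; };

/* Two allocations, one cleanup path: a failure anywhere unwinds both. */
static RETURN_CHECK int record_new(struct record *r, const char *name, size_t n)
{
    memset(r, 0, sizeof(*r));
    if (DEMO_ALLOC_N(r->name, strlen(name) + 1) < 0 ||
        DEMO_ALLOC_N(r->values, n) < 0) {
        DEMO_FREE(r->name);   /* harmless if still NULL */
        DEMO_FREE(r->values);
        return -1;
    }
    memcpy(r->name, name, strlen(name) + 1);
    return 0;
}

/* Test driver: fail the Nth allocation (0 = never), report rc and live blocks. */
static int run_with_failure(int fail_at, int *live_after)
{
    struct record r;
    demo_fail_at = fail_at; demo_calls = demo_live = 0;
    int rc = record_new(&r, "guest", 4);
    DEMO_FREE(r.name); DEMO_FREE(r.values); *live_after = demo_live;
    return rc;
}
```

Deleting the `< 0` check on either allocation in record_new makes gcc warn at that line, which is the automated check the thread wants in place of manual inspection of every malloc() call.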