[Libvir] RFC: safer memory allocation APIs with compile time checking
Richard W.M. Jones
rjones at redhat.com
Mon Apr 28 21:36:29 UTC 2008
On Mon, Apr 28, 2008 at 08:16:02PM +0100, Daniel P. Berrange wrote:
> I agree with Havoc that it is not worth checking for OOM unless you
> take the time to prove it is correctly handled. As mentioned earlier
> in this thread one of the core problems making it impractical is
> the API contract of malloc() which means you need manual code inspection
> to verify you checked all mallocs().
We could actually verify this automatically with CIL. Needs me to be
free of distractions for a week to code it up, mind you ...
> The API contract I proposed for
> virAlloc at least addresses that 1/2 of the problem by letting the
> compiler tell us whether any allocations have missing checks. That
> leaves the second part of the problem - the cleanup paths. We need
> to have the cleanup paths in the code regardless because arbitrary
> syscalls (eg, write(), socket(), etc) we invoke may fail. If we are
> making sure those cleanup paths are correct anyway, then handling OOM
> in these codepaths is minor incremental code & thus a much more tractable
> problem.
And these too ...
Rich.
--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
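Added to this archived message as an illustration (not libvirt's virAlloc, and not code from either poster): one shape an allocation contract of the kind Daniel describes can take, where the compiler flags an unchecked allocation and a single cleanup label covers OOM alongside every other failure. The int-status/out-parameter signature, the names my_alloc_n and record_new, and the fault-injection hook that lets a test drive the OOM path are all assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed test hook (assumption): -1 never fails; N fails the (N+1)th call. */
static int allocs_before_fail = -1;
/* Allocate `count` zeroed objects of `size` bytes into *ptrptr. Returns 0, or -1 with
 * *ptrptr == NULL and errno == ENOMEM on overflow or OOM; an unchecked call is warned. */
static int __attribute__((warn_unused_result))
my_alloc_n(void *ptrptr, size_t size, size_t count)
{
    void **out = ptrptr;
    *out = NULL;
    if (count != 0 && size > SIZE_MAX / count) {   /* size * count overflows */
        errno = ENOMEM;
        return -1;
    }
    if (allocs_before_fail >= 0 && allocs_before_fail-- == 0) {
        errno = ENOMEM;                            /* injected one-shot OOM */
        return -1;
    }
    *out = calloc(count ? count : 1, size ? size : 1);
    return *out ? 0 : -1;                          /* calloc sets errno */
}
struct record { char *name; int *values; size_t nvalues; };
static void record_free(struct record *r)
{
    if (r) { free(r->name); free(r->values); free(r); }
}

/* One cleanup label serves OOM and every other failure alike; the zero-filled
 * struct makes record_free() safe on fields that were never allocated. */
static struct record *record_new(const char *name, size_t nvalues)
{
    struct record *r;
    size_t len = strlen(name) + 1;
    if (my_alloc_n(&r, sizeof *r, 1) < 0)
        return NULL;
    if (my_alloc_n(&r->name, 1, len) < 0)
        goto error;
    memcpy(r->name, name, len);
    if (my_alloc_n(&r->values, sizeof *r->values, nvalues) < 0)
        goto error;
    r->nvalues = nvalues;
    return r;
error:
    record_free(r);
    return NULL;
}
```

Building with -Wall and dropping the `< 0` check on any of the three calls produces a warn_unused_result diagnostic, which is the half of the problem the compiler can take over; the hook is what lets a test, or a leak checker run on it, cover the other half.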