[libvirt] [PATCH 2/7] util: make allocation functions abort on OOM
Daniel P. Berrangé
berrange at redhat.com
Thu Sep 12 10:43:09 UTC 2019
On Thu, Sep 05, 2019 at 06:03:57PM -0400, John Ferlan wrote:
>
>
> On 8/29/19 2:02 PM, Daniel P. Berrangé wrote:
> > The functions are left returning an "int" to avoid an immediate
> > big-bang cleanup. They'll simply never return anything other
> > than 0, except for virInsertN which can still return an error
> > if the requested insertion index is out of range. Interestingly
> > in that case, the _QUIET function would none the less report
> > an error.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> > src/util/viralloc.c | 201 +++++++++++---------------------------------
> > src/util/viralloc.h | 145 +++++++++++---------------------
> > 2 files changed, 97 insertions(+), 249 deletions(-)
> >
>
>
> FWIW: I applied the series to my Coverity branch to see what (if
> anything) gets shaken there. Good news is - not much. There were a
> couple of things I already reported on that were fixed for 5.7.0 (commit
> ed7e342b0 and be9d259eb).
>
> There's one more false positive in qemuDomainGetNumaParameters that
> probably would be fixed by AUTOFREE stuff (nodeset gets set to NULL
> after virTypedParameterAssign).
>
> Beyond that the only thing is two CHECKED_RETURN's (e.g. N callers check
> the return value, but these 2 don't). I consider both false positives;
> however, it could also be argued that unless any of the functions where
> either 0 or abort occurs, then make them just void, but that's a sh*load
> more work...
>
> [...]
>
> > /**
> > @@ -204,50 +143,35 @@ int virExpandN(void *ptrptr,
> > * @allocptr: pointer to number of elements allocated in array
> > * @count: number of elements currently used in array
> > * @add: minimum number of additional elements to support in array
> > - * @report: whether to report OOM error, if there is one
> > - * @domcode: error domain code
> > - * @filename: caller's filename
> > - * @funcname: caller's funcname
> > - * @linenr: caller's line number
> > *
> > * If 'count' + 'add' is larger than '*allocptr', then resize the
> > * block of memory in 'ptrptr' to be an array of at least 'count' +
> > * 'add' elements, each 'size' bytes in length. Update 'ptrptr' and
> > * 'allocptr' with the details of the newly allocated memory. On
> > * failure, 'ptrptr' and 'allocptr' are not changed. Any newly
> > - * allocated memory in 'ptrptr' is zero-filled. If @report is true,
> > - * OOM errors are reported automatically.
> > - *
> > + * allocated memory in 'ptrptr' is zero-filled.
> > *
> > - * Returns -1 on failure to allocate, zero on success
> > + * Returns zero on success, aborts on OOM
> > */
> > int virResizeN(void *ptrptr,
> > size_t size,
> > size_t *allocptr,
> > size_t count,
> > - size_t add,
> > - bool report,
> > - int domcode,
> > - const char *filename,
> > - const char *funcname,
> > - size_t linenr)
> > + size_t add)
> > {
> > size_t delta;
> >
> > - if (count + add < count) {
> > - if (report)
> > - virReportOOMErrorFull(domcode, filename, funcname, linenr);
> > - errno = ENOMEM;
> > - return -1;
> > - }
> > + if (count + add < count)
> > + abort();
> > +
> > if (count + add <= *allocptr)
> > return 0;
> >
> > delta = count + add - *allocptr;
> > if (delta < *allocptr / 2)
> > delta = *allocptr / 2;
> > - return virExpandN(ptrptr, size, allocptr, delta, report,
> > - domcode, filename, funcname, linenr);
> > + virExpandN(ptrptr, size, allocptr, delta);
> > + return 0;
>
> Could just return virExpandN here...
>
> > }
>
> [...]
>
> > @@ -312,12 +229,7 @@ int
> > virInsertElementsN(void *ptrptr, size_t size, size_t at,
> > size_t *countptr,
> > size_t add, void *newelems,
> > - bool clearOriginal, bool inPlace,
> > - bool report,
> > - int domcode,
> > - const char *filename,
> > - const char *funcname,
> > - size_t linenr)
> > + bool clearOriginal, bool inPlace)
> > {
> > if (at == -1) {
> > at = *countptr;
> > @@ -330,9 +242,8 @@ virInsertElementsN(void *ptrptr, size_t size, size_t at,
> >
> > if (inPlace) {
> > *countptr += add;
> > - } else if (virExpandN(ptrptr, size, countptr, add, report,
> > - domcode, filename, funcname, linenr) < 0) {
> > - return -1;
> > + } else {
> > + virExpandN(ptrptr, size, countptr, add);
> > }
> >
>
> This one's more painful, with using ignore_value() wrapper to just
> pacify Coverity.
>
> [...]
>
> I'm not saying anything has to be done, but I figured it could be a
> useful data point for you -
In this patch I removed the ATTRIBUTE_RETURN_CHECK annotation, but I'm
going to revert that bit.
We don't really want churn from
if (VIR_ALLOC(foo) < 0)
return -1;
to
VIR_ALLOC(foo);
to
foo = g_new0(struct Foo, 1)
By keeping ATTRIBUTE_RETURN_CHECK we forcably avoid the intermediate
conversion step, which will keep things saner I think. That will
avoid creating 100's of new coverity warnings for the intermediate
step.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list