Re: [Qemu-devel] [PATCH] Permit zero-sized qemu_malloc() & friends

[Avi Kivity]

On 12/05/2009 07:54 PM, Anthony Liguori wrote:
> Avi Kivity wrote:
> > A zero-supporting qemu_malloc() is fully compatible with malloc(), 
> > we're only restricting the possible returns.  So we're not misleading 
> > any caller.  In fact, taking your argument to the extreme, a malloc 
> > implementation would need to
>
> This is really the crux of the whole argument.  You're arguing that 
> while most people rely on incorrect idioms with malloc(), the problem 
> is not the idioms themselves but the definition of malloc().  The 
> opposing argument is that instead of providing a "fixed" version of 
> malloc(), we should encourage people to use a proper idiom.

When we see a lengthy and error prone idiom we usually provide a 
wrapper.  That wrapper is qemu_malloc().  If you like, don't see it as a 
fixed malloc(), but as qemu's way of allocating memory which is totally 
independent from malloc().

> I dislike the entire notion of qemu_malloc().  I've always disliked 
> the fact that it abort()s on OOM.  I'd rather see us use a normal 
> malloc() and code to that malloc currently which means avoiding size=0 
> and checking NULL results.

I believe that's impossible.  Many times, when the guest writes to a 
register, you have no way to indicate failure.  Sometimes you can 
indicate failure (say, time out on IDE write requests) but will likely 
cause much damage to the guest.  Preallocating memory is likely to be 
very difficult and also very wasteful (since you'll have to account for 
the worst case).

Furthermore, Linux under its default configuration will never fail a 
small allocation, instead oom-killing a semi-random process.  So all 
that work will not help on that platform.

> However, this is all personal preference and I'd rather focus my 
> energy on things that have true functional impact.  Markus raised a 
> valid functional problem with the current implementation and I 
> proposed a solution that would address that functional problem.  I'd 
> rather see the discussion focus on the merits of that solution than 
> revisiting whether ANSI got the semantics of malloc() correct in the 
> standards definition.

Unless ANSI has a say on qemu_malloc(), I think it's worthwhile to get 
that right rather than wrapping every array caller with useless tests.

--
Do not meddle in the internals of kernels, for they are subtle and quick to 
panic.