J
jacob navia
Very good message Richard. This is one of the best posts
I have read lately here. Comments below
Exactly. It is not the cost o writing
if (mp == NULL)
but the cost of figuring out for each individual allocation request
what should be done.
This means that the test harness becomes *impossible* big
because of all the complicated flow of the tests for each
individual malloc request. Consequence: the test harness can't be
written and all that code is not tested at all.
It depends if you write the code in the morning, you are fresh,
just took your coffee and make a detailed analysis of the function
and where to redirect the flow when an allocation fails, or if you write
it at 17:55 PM and you are in a hurry because you promised to leave
work at 18.00 PM!
[snip]
This is a very important point. The scattering of the tests all
around the code produce precisely a lack of control of what to do
in case of malloc failure. It is impossible to change the behavior
of the program in a general manner since all those tests are
not in a single place.
I have read lately here. Comments below
Richard said:Writing "check for errors and writing response code" for each
call to malloc is, of course, a viable strategy. However there
are issues to be considered. Three such are (a) the
unreliability of "fixup" code, (b) the non-uniformity of error
response, and (c) code littering.
(A) Unreliability: The code in these "failure to allocate"
clauses isn't easy to test properly, and, in the absence of an
allocator wrapper, isn't easy to test at all. This may not
matter if the only action is to write a message to stderr and
call exit, but it definitely is an issue for more elaborate
responses such as request size retries and alternate algorithms.
Exactly. It is not the cost o writing
if (mp == NULL)
but the cost of figuring out for each individual allocation request
what should be done.
In my view, reliable programs (and if we are not interested in
reliable programs why bother to test at all) are developed and
maintained with test harnesses that test the alternatives.
This means that the test harness becomes *impossible* big
because of all the complicated flow of the tests for each
individual malloc request. Consequence: the test harness can't be
written and all that code is not tested at all.
(B) Non-uniformity: Since each "failure to allocate" test clause
is individually written there is no guaranteed uniformity of
response to error conditions.
It depends if you write the code in the morning, you are fresh,
just took your coffee and make a detailed analysis of the function
and where to redirect the flow when an allocation fails, or if you write
it at 17:55 PM and you are in a hurry because you promised to leave
work at 18.00 PM!
[snip]
All of that said, what is one to do? My suggestion is to use a
wrapper for malloc for almost all storage allocation requests.
The "failure to allocate" test and the subsequent error response
(e.g., write an error message and call exit) is in one place
rather than being scattered as multiple copies throughout the
code.
This is a very important point. The scattering of the tests all
around the code produce precisely a lack of control of what to do
in case of malloc failure. It is impossible to change the behavior
of the program in a general manner since all those tests are
not in a single place.