R
Richard Heathfield wrote:
And what do you object to?
Richard Heathfield wrote:
From the OpenSSH 4.6 source code:
--------
void *
xmalloc(size_t size)
{
void *ptr;
if (size == 0)
fatal("xmalloc: zero size");
ptr = malloc(size);
if (ptr == NULL)
fatal("xmalloc: out of memory (allocating %lu bytes)",
(u_long) size);
return ptr;
}
I wouldn't exactly call SSH "not real world". I think you'd have
trouble arguing that the people who wrote this code didn't carefully
consider what was and wasn't appropriate behavior on memory allocation
failure before they wrote it this way, even if you disagree with their
conclusion.
Richard Heathfield said:What I can argue is that a library function has no business taking the
decision of whether to continue or to terminate out of the hands of the
application programmer. Since xmalloc does take that decision out of
the hands of the programmer, I wouldn't want it in any program I ever
wrote.
Or perhaps you're arguing that the decision has been taken out of the
hands of programmers who call functions that call xmalloc(), assuming
that those functions are intended to be used as a library.
Yes.
Ideally
they would return an error status, but often it would be a great
overhead to be able to clean up enough to continue after a malloc()
failure. Whether it's worth the effort is just one of those tradeoffs
you make all the time - do we expect users to need to recover? will
enough of them need it to justify the work? will writing the program
become so boring that I won't bother writing it if I have to do that?
Provided it documents what it does, you have the decision of whether
to call it or not. Frequently the purpose of a function called
"xmalloc" is to provide the application programmer with a quick way to
"malloc() or quit".
Or perhaps you're arguing that the decision has been taken out of the
hands of programmers who call functions that call xmalloc(), assuming
that those functions are intended to be used as a library. Ideally
they would return an error status, but often it would be a great
overhead to be able to clean up enough to continue after a malloc()
failure. Whether it's worth the effort is just one of those tradeoffs
you make all the time - do we expect users to need to recover? will
enough of them need it to justify the work? will writing the program
become so boring that I won't bother writing it if I have to do that?
Quitting the program without giving anybody a clue of why?CBFalconer said:And what do you object to? Kindly elide 'missing braces' and the
possibility of sz == 0.
#include <iso646.h>Richard Tobin said:to call it or not. Frequently the purpose of a function called
"xmalloc" is to provide the application programmer with a quick way to
"malloc() or quit".
Richard Heathfield said:Malcolm McLean said:
No-one wants to play games written by incompetent programmers, either.
Quite so, but the fact that no one wants to run an OS written by
incompetent programmers unfortunately does not remove the necessity of
doing so. If the choice is between releasing a game with bugs (which
may or may not be fixed) and not releasing the game, the choice for
most game developers is clear.
Richard Heathfield said:Richard Tobin said:
Yes.
[/QUOTE]Ideally
they would return an error status, but often it would be a great
overhead to be able to clean up enough to continue after a malloc()
failure. Whether it's worth the effort is just one of those tradeoffs
you make all the time - do we expect users to need to recover? will
enough of them need it to justify the work? will writing the program
become so boring that I won't bother writing it if I have to do that?
Suits me. I'll write it instead, once the cheque clears.
Eric Sosman said:Program-level decisions are feasible because their scope
is known: You know what the program's purposes and context
are. Library-level decisions are made *without* knowledge
of scope, and hence should follow the "first, do no harm"
rule.
From the OpenSSH 4.6 source code:
--------
void *
xmalloc(size_t size)
{
void *ptr;
if (size == 0)
fatal("xmalloc: zero size");
ptr = malloc(size);
if (ptr == NULL)
fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size);
return ptr;
}
--------
fatal() writes an error message and terminates; this is the only
place in any of the OpenSSH tools (except ssh-keyscan, which isn't
typically used other than for configuration purposes) where malloc
is called directly, and everything else goes through here. Similar
wrappers exist for every other function that dynamically allocates
memory.
I wouldn't exactly call SSH "not real world". I think you'd have
trouble arguing that the people who wrote this code didn't carefully
consider what was and wasn't appropriate behavior on memory
allocation failure before they wrote it this way, even if you
disagree with their conclusion.
Richard said:Exiting without an error message is very unhelpful. If there's no
practical way to recover from the error, you should at least say what
the error is.
I'd also recommend saying how many bytes you were trying to allocate:
I've more than once seen messages along the lines of "failed to
allocate 4294967295 bytes" which immediately pointed to bugs in the
code.
Richard said:.... snip ...
Well, since I wasn't in on their discussion I obviously can't argue
that they did, or that they did not, carefully consider any of the
above. What I can argue is that a library function has no business
taking the decision of whether to continue or to terminate out of
the hands of the application programmer. Since xmalloc does take
that decision out of the hands of the programmer, I wouldn't want
it in any program I ever wrote. Student programming, through and
through.
There is no pleasing some people.Richard Heathfield said:Flash Gordon said:
I took a brief look, but I felt that *either* Malcolm was trying to
write bad code (in which case he was being disingenuous at best) or he
was trying to write good code (in which case I pity his customers).
Hanlon's Razor suggests the latter.
The choice depends what your program is doing.CBFalconer said:Nonsense. It is entirely up to the programmer whether to call
xmalloc or malloc.
If we were releasing a medical app which was not debugged and in consequenceRichard Heathfield said:Christopher Benson-Manica said:
Oh, the choice they /do/ make is clear, yes. And the choice they
/should/ make is clear, too. And they are not the same.
From the OpenSSH 4.6 source code:
--------
void *
xmalloc(size_t size)
{
void *ptr;
if (size == 0)
fatal("xmalloc: zero size");
ptr = malloc(size);
if (ptr == NULL)
fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size);
return ptr;
}
I wouldn't exactly call SSH "not real world". I think you'd have trouble
arguing that the people who wrote this code didn't carefully consider
what was and wasn't appropriate behavior on memory allocation failure
before they wrote it this way, even if you disagree with their conclusion.
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.