[Development] QtCore missing check for memory allocation

Thiago Macieira thiago.macieira at intel.com
Fri Feb 27 18:26:14 CET 2015 

On Friday 27 February 2015 09:20:54 Oswald Buddenhagen wrote:
> the whole point would be *not* using unwrapped malloc and new(nothrow).
> this can be trivially verified for our own code with a grepping bot.

There's an easier solution.

See the reply to Louai.

> > > then explain edd2d9bd0a7f5dbe059aea0902d519b728acc01a.
> > 
> > Who says that's good code? I fixed a warning, I didn't make the code good.
> > 
> > If the compiler starts removing the undefined behaviour, we'll get a test
> > failure and we can easily correct it. We can't do that in a library
> > because we don't know when it will fail.
> 
> clang suggests to do precisely what the patch did. are you saying it is
> making an unsafe suggestion?

I'm suggesting that Clang suggested something that works for Clang today. That 
does not mean it will work:
 * for other compilers
 * for past or future versions of Clang

Undefined behaviour is undefined behaviour. The compiler can implement whatever 
it chooses.

> > The argument is that even if we happened to catch all failures to malloc()
> > in all libraries, there's also all those pesky system calls that may
> > return ENOMEM and we're not checking those. So wrapping malloc() and
> > operator new are not enough: we need to check system calls too. And
> > extend that to all the calls to libraries that do catch malloc() and
> > system call failures and report errors to us.
> 
> the failure to check the return value of system calls needs to be
> addressed irrespective of what we decide about memory management. it's
> simply irresponsible to not handle syscall return values, and can even
> lead to security holes.

That may be.

> > The argument is that chain is as strong as its weakest link. If we don't
> > fix all the holes, the bucket will still leak (pardon my switch of
> > metaphors).
> you can let this be somebody else's worry. our task is to enable a use
> case, not to make it bullet-proof ourselves. the first step is not being
> actively hostile to it.

I am actively against it while it's a huge burden on us for little perceived 
benefit. You have to convince me of the benefit against the cost.

> > And even if I had no technical arguments, my opinion counts. I'm not
> > pulling this out of thin air. I have over a decade of experience, so if I
> > say that it sounds wrong, it probably is. And I'm the maintainer for
> > QtCore, so I'm the one that needs to be convinced, not the other way
> > around.
> 
> you can pull an argument to authority when no unanswered technical
> arguments remain and it's still a draw.

I can pull this when I think this isn't technical, but social. The problem I 
perceive is that the solution you're proposing is a hugely complex task, 
requiring constant maintenance, places a big burden on all our developers, and 
is a leaking bucket. You're going to run into Pareto's Law really quickly too.

And we have better things to do.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

More information about the Development mailing list