[U-Boot] New discussion proposal for u-boot summit: "switch malloc to succeed or die model, as glib does"

Hi All,
Sorry for the poor timing in bringing this up, but this just came up when discussing the review of some sunxi patches.
Ian asked me to add error handling for mmc_create failing, which, if used properly, only ever fails if calloc fails.
This made me think that we should switch u-boot to the glib memory alloc failure handling model, which is to put a die() / abort() inside the low level malloc routines when they fail.
The reasoning is that if malloc fails, you're typically looking at a fatal error anyways, and this will allow removing error handling from a lot of higher level users, reducing code, and removing a lot of code paths which are in essence unused and as such also very much untested.
I guess there may be some special cases where we don't want the malloc_or_die behavior I'm advocating for, for those we could introduce a malloc_unchecked function.
Detlev, any chance you could squeeze this into the schedule somewhere?
Regards,
Hans

Hi,
On 10/12/2014 10:42 AM, Hans de Goede wrote:
> Hi All,
> Sorry for the poor timing in bringing this up, but this just came up when discussing the review of some sunxi patches.
> Ian asked me to add error handling for mmc_create failing, which, if used properly, only ever fails if calloc fails.
> This made me think that we should switch u-boot to the glib memory alloc failure handling model, which is to put a die() / abort() inside the low level malloc routines when they fail.
I remembered that I've already seen something like this in u-boot, so after some grepping around I've found that at least common/cli_hush.c already does this. It introduces a (private) xmalloc and xrealloc which have the malloc_or_die behavior.
Regards,
Hans
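An added sketch of the malloc-or-die layer being proposed (example code written for this thread, not U-Boot's own; the names oom_die, xmalloc, xcalloc, malloc_unchecked and mmc_like_create are assumed, with mmc_like_create only modelled on the mmc_create case Ian asked about). It also adds the multiplication overflow check a calloc-style wrapper needs, since a blindly multiplied size hands back a too-small buffer rather than NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
/* Hypothetical die hook; in U-Boot this would be panic(). Failing loudly at
 * the allocation site replaces a NULL return most callers never checked. */
static void oom_die(const char *what, size_t nmemb, size_t size)
{
	fprintf(stderr, "%s(%zu x %zu): out of memory\n", what, nmemb, size);
	abort();
}

/* Escape hatch for the rare caller that really wants to see failure. */
void *malloc_unchecked(size_t size) { return malloc(size); }

void *xmalloc(size_t size)
{
	void *p = malloc(size ? size : 1); /* malloc(0) may legally return NULL */
	if (!p)
		oom_die("malloc", 1, size);
	return p;
}

/* True when nmemb * size does not fit in size_t (the blind-multiply calloc bug). */
bool size_overflows(size_t nmemb, size_t size)
{
	return nmemb != 0 && size > SIZE_MAX / nmemb;
}

void *xcalloc(size_t nmemb, size_t size)
{
	if (size_overflows(nmemb, size))
		oom_die("calloc", nmemb, size);
	return memset(xmalloc(nmemb * size), 0, nmemb * size);
}

/* The caller-side change under discussion: a constructor (assumed name, modelled
 * on mmc_create) that cannot fail on memory, so callers need no NULL check. */
struct mmc_like { int dev; char *name; };

struct mmc_like *mmc_like_create(int dev, const char *name)
{
	struct mmc_like *m = xcalloc(1, sizeof(*m));
	m->dev = dev;
	m->name = xmalloc(strlen(name) + 1);
	memcpy(m->name, name, strlen(name) + 1);
	return m; /* never NULL */
}
```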

Hi Hans,
> Sorry for the poor timing in bringing this up, but this just came up when discussing the review of some sunxi patches.
> Ian asked me to add error handling for mmc_create failing, which, if used properly, only ever fails if calloc fails.
> This made me think that we should switch u-boot to the glib memory alloc failure handling model, which is to put a die() / abort() inside the low level malloc routines when they fail.
> The reasoning is that if malloc fails, you're typically looking at a fatal error anyways, and this will allow removing error handling from a lot of higher level users, reducing code, and removing a lot of code paths which are in essence unused and as such also very much untested.
> I guess there may be some special cases where we don't want the malloc_or_die behavior I'm advocating for, for those we could introduce a malloc_unchecked function.
> Detlev, any chance you could squeeze this into the schedule somewhere?
I'll note it for the list of things to discuss in the discussion round in the evening.
Cheers,
Detlev