| malloc() and friends may always return NULL. From the man page: If successful, calloc(), malloc(), realloc(), reallocf(), valloc(), and aligned_alloc() functions return a pointer to allocated memory. If there is an error, they return a NULL pointer and set errno to ENOMEM. In practice, I find a lot of code that does not check for NULL, which is rather distressing. |
| |
| ▲ | johncolanduoni 2 days ago | parent | next [-] | | No non-embedded libc will actually return NULL. Very, very little practical C code actually relies only on specified behavior of the spec and will work with literally any compliant C compiler on any architecture, so I don’t find this particularly concerning. Usefully handling allocation errors is very hard to do well, since it infects literally every error handling path in your codebase. Any error handling that calls a function that might return an indirect allocation error needs to not allocate itself. Even if you have a codepath that speculatively allocates and can fallback, the process is likely so close to ruin that some other function that allocates will fail soon. It’s almost universally more effective (not to mention easier) to keep track of your large/variable allocations proactively, and then maintain a buffer for little “normal” allocations that should have an approximate constant bound. | | |
| ▲ | jclulow 2 days ago | parent | next [-] | | > No non-embedded libc will actually return NULL This is just a Linux ecosystem thing. Other full size operating systems do memory accounting differently, and are able to correctly communicate when more memory is not available. | | |
| ▲ | johncolanduoni 2 days ago | parent [-] | | There are functions on many C allocators that are explicitly for non-trivial allocation scenarios, but what major operating system malloc implementation returns NULL? MSVC’s docs reserve the right to return NULL, but the actual code is not capable of doing so (because it would be a security nightmare). | | |
| ▲ | throw0101c 2 days ago | parent | next [-] | | > There are functions on many C allocators that are explicitly for non-trivial allocation scenarios, but what major operating system malloc implementation returns NULL? Solaris (and FreeBSD?) have overcommitting disabled by default. | | |
| ▲ | inkyoto a day ago | parent [-] | | Solaris, AIX, *BSD and others do not offer overcommit, which is a Linux construct, and they all require enough swap space to be available. Installation manuals provide explicit guidelines on the swap partition sizing, with the rule of thumb being «at least double the RAM size», but almost always more in practice. That is the conservative design used by several traditional UNIX systems for anonymous memory and MAP_PRIVATE mappings: the kernel accounts for, and may reserve, enough swap to back the potential private pages up front. Tools and docs in the Solaris and BSD family talk explicitly in those terms. An easy way to test it out in a BSD would be disabling the swap partition and trying to launch a large process – it will get killed at startup, and it is not possible to modify this behaviour. Linux’s default policy is the opposite end of that spectrum: optimistic memory allocation, where allocations and private mappings can succeed without guaranteeing backing store (i.e. swap), with failure deferred to fault time and handled by the OOM killer – that is what Linux calls overcommit. |
| |
| ▲ | qhwudbebd 2 days ago | parent | prev [-] | | I hack on various C projects on a linux/musl box, and I'm pretty sure I've seen musl's malloc() return 0, although possibly the only cases where I've triggered that fall into the 'unreasonably huge' category, where a typo made my enormous request fail some sanity check before even trying to allocate. |
|
| |
| ▲ | jenadine 2 days ago | parent | prev [-] | | > No non-embedded libc will actually return NULL. malloc(-1) should always return NULL.
Malloc returns NULL if the virtual address space for a given process is exhausted. It will not return NULL when the system is out of memory (depending on the overcommit settings) |
| |
| ▲ | sidewndr46 3 days ago | parent | prev [-] | | It's been a while but while I agree the man page says that, my limited understanding was the typical libc on linux won't really return NULL under any sane scenario. Even when the memory can't be backed | | |
| ▲ | LordGrey 3 days ago | parent | next [-] | | I think you're right, but "typical" is the key word. Embedded systems, systems where overcommit is disabled, bumping into low ulimit -v settings, etc can all trigger an immediate failure with malloc(). Those are edge cases, to be sure, but some of them could be applied to a typical Linux system and me, as a coder, won't be aware of it. As an aside: To me, checking malloc() for NULL is easier than checking a pointer returned by malloc on first use. That's what you're supposed to do in the presence of overcommit. | |
| ▲ | nextaccountic 2 days ago | parent | prev | next [-] | | Even with overcommit enabled, malloc may fail if there is no contiguous address space available. Not a problem in 64 bits but may occasionally happen in 32 bits | |
| ▲ | Bjartr 2 days ago | parent | prev [-] | | But why would you want to violate the docs on something as fundamental as malloc? Why risk relying on implementation specific quirks in the first place? | | |
| ▲ | im3w1l 2 days ago | parent [-] | | Because it's orders of magnitudes easier not to handle it. It's really as simple as that. |
|
|
|
