calloc/free: a perplexing observation


Peter Nilsson

Richard said:

True, but how is this different from a program which crashes
because it can't allocate automatic or static storage?
None of those are even remotely under the implementation's control,
though. malloc() is.

It's a question of degrees. An implementation may be constrained by
the operating system and may not be in any better position to guarantee
allocation than a C program which it runs.

The standard only guarantees that a conforming hosted implementation
can allocate one object of 32767 bytes (65535 under C99.)

Implementations using lazy allocation systems will likely be conforming
with regards to this minimum requirement. But they may legitimately fail
under other circumstances.

But all this really just highlights that an 'implementation' consists
of more than just the development tools used to create an executable.
The operating system itself has influence on conformance. In some (many!)
cases, the end user is responsible for guaranteeing that a given
program is executed in a conforming environment. But this is certainly
beyond the scope of a library implementation of malloc().

So, in a sense, Keith is correct, but it is not malloc() which is at
fault!
 

Keith Thompson

Peter Nilsson said:
It's a question of degrees. An implementation may be constrained by
the operating system and may not be in any better position to guarantee
allocation than a C program which it runs.

The standard only guarantees that a conforming hosted implementation
can allocate one object of 32767 bytes (65535 under C99.)

Implementations using lazy allocation systems will likely be conforming
with regards to this minimum requirement. But they may legitimately fail
under other circumstances.

But all this really just highlights that an 'implementation' consists
of more than just the development tools used to create an executable.
The operating system itself has influence on conformance. In some (many!)
cases, the end user is responsible for guaranteeing that a given
program is executed in a conforming environment. But this is certainly
beyond the scope of a library implementation of malloc().

So, in a sense, Keith is correct, but it is not malloc() which is at
fault!

malloc() is a C library function, part of the C implementation, not
(necessarily) part of the operating system. Whatever requirements the
C standard imposes on malloc(), it's up to the implementer to do
whatever is necessary to make sure that it meets those requirements.

If the OS provides, say, an ALLOCATE() function that allocates space
that isn't necessarily properly aligned, malloc() has to arrange to
return a pointer to properly aligned memory. If ALLOCATE(0) aborts
the calling program, malloc(0) can't invoke ALLOCATE(0). And so on.

If lazy malloc() is non-conforming, an implementation of malloc() can
attempt to access the allocated memory before returning the pointer;
since the code that implements malloc() can be as system-specific as it
needs to be, presumably it can handle any traps, deallocate the
memory, and return a null pointer. I'd much rather have malloc() do
that than expect the caller to take care of it.

The standard says:

The malloc function allocates space for an object whose size is
specified by *size* and whose value is indeterminate.

I argue that if I can't access the space, it wasn't really allocated.

Having said that, I have to admit that my argument against lazy
allocation is largely based on the fact that I don't like the idea, at
least for an explicit allocation request.
 

Lawrence Kirby

On Thu, 03 Feb 2005 00:38:23 +0000, Keith Thompson wrote:

....
malloc() is a C library function, part of the C implementation, not
(necessarily) part of the operating system.

Ultimately everything that affects behaviour, including the operating
system, has to be considered part of the implementation.
Whatever requirements the
C standard imposes on malloc(), it's up to the implementer to do
whatever is necessary to make sure that it meets those requirements.

Absolutely. I say though, as I explained in another article, that the
standard does not prohibit memory overcommitment.
If the OS provides, say, an ALLOCATE() function that allocates space
that isn't necessarily properly aligned, malloc() has to arrange to
return a pointer to properly aligned memory.
Agreed.

If ALLOCATE(0) aborts the
calling program, malloc(0) can't invoke ALLOCATE(0). And so on.

As long as the abort process doesn't generate anything that is considered
to be program output or a normal termination condition, it could. Of
course that may be unacceptable on QOI grounds, it depends on the
situation where the abort can happen. The standard has to be very loose in
this area to allow conforming implementations to exist at all.
If lazy malloc() is non-conforming, an implementation of malloc() can
attempt to access the allocated memory before returning the pointer;
since the code that implements malloc() can be as system-specific as it
needs to be, presumably it can handle any traps, deallocate the memory,
and return a null pointer. I'd much rather have malloc() do that than
expect the caller to take care of it.

Even if you do that the OS can decide subsequently that it doesn't have
enough memory to go around and yours is the program it is going to kill to
recover some. The kill action might be initiated by your program accessing
part of a malloc'd array that had been paged out. The point is that it
isn't always possible for a C compiler/library to work around what the OS
does.

Consider this another way. It has come to light that many OSs in common
use can overcommit, and there are good reasons (as considered by some
people) for them to do so. This is an OS level issue. It is NOT the
responsibility of a language level standard such as C's to legislate on
this sort of thing. The purpose of a standard like C's is to provide a
language definition that is useful and portable across as many platforms
as possible. If it specified something that made it unimplementable on a
significant class of platforms and the "usefulness" isn't terminally
impacted (overcommitment is presumably deemed acceptable on the systems
that do it), that would have to be considered a MAJOR defect in the
standard. It isn't a matter of liking or hating a feature like
overcommitment; it is a matter of recognising that something exists as a
common feature of real systems and it is somebody else's problem (i.e. not
the C standard committee's) to decide whether it is a good thing or not.
If I use an overcommitting system I don't want C programs subverting that
to the detriment of non-C programs. If I don't like overcommitment I
configure the system I have appropriately or use a different one. The
appropriate solution to this is not at the language level, unless you want
to add features for a program to request that its memory be reserved fully
for it.
The standard says:

The malloc function allocates space for an object whose size is
specified by *size* and whose value is indeterminate.

I argue that if I can't access the space, it wasn't really allocated.

In the abstract machine, yes, which is what the majority of the
standard including this describes (see 5.1.2.3p1). OTOH show me the part
of the standard that says an actual implementation can't terminate the
execution of a strictly conforming program at any point it pleases for any
reason, IOW that the program will successfully execute to completion.
There is a requirement for (at least) one program as specified by 5.2.4.1.
But the "at least one program" wouldn't make sense there if it was already
the case for all strictly conforming programs.
Having said that, I have to admit that my argument against lazy
allocation is largely based on the fact that I don't like the idea, at
least for an explicit allocation request.

What you are guaranteed is that while the execution of the program
continues the object created by malloc() will behave correctly as an
object. It just doesn't guarantee continued execution of the
program subsequently.

Lawrence
 

Keith Thompson

Lawrence Kirby said:
On Thu, 03 Feb 2005 00:38:23 +0000, Keith Thompson wrote:

...


Ultimately everything that affects behaviour, including the operating
system, has to be considered part of the implementation.

Sure, but the visible interface has to conform to the requirements in
the standard, whether the underlying OS does or not.
Absolutely. I say though, as I explained in another article, that the
standard does not prohibit memory overcommitment.

And that's the point of contention. Is there a DR on this topic? If
a committee response, or a future TC or version of the standard, says
that overcommitment is ok, I'll grit my teeth and accept it. But then
I wonder if there's any point of having malloc() ever return a null
pointer.
As long as the abort process doesn't generate anything that is considered
to be program output or a normal termination condition, it could. Of
course that may be unacceptable on QOI grounds, it depends on the
situation where the abort can happen. The standard has to be very loose in
this area to allow conforming implementations to exist at all.

I contend that the following program is strictly conforming (assuming
that any program that writes to stdout can be strictly conforming):

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
char *ptr = malloc(0);
printf("Hello, world\n");
return 0;
}

If it doesn't print "Hello, world" when I execute it, that's a bug in
the implementation. You seem to be arguing that if any statements
that follow malloc(0) are *never* executed, that's acceptable. (If it
happens to fail because somebody pulled the power plug before it was
able to finish, that's a different story.)
Even if you do that the OS can decide subsequently that it doesn't have
enough memory to go around and yours is the program it is going to kill to
recover some. The kill action might be initiated by your program accessing
part of a malloc'd array that had been paged out. The point is that it
isn't always possible for a C compiler/library to work around what the OS
does.

But in this case, it's not only possible, it's easy. Regardless of
whether lazy allocation is conforming or not, an implementer who wants
to provide a non-lazy malloc() can do so.

The requirement for malloc() is that it has to behave as the standard
requires, not as some OS routine happens to behave.

[...]
If I use an overcommitting system I don't want C programs subverting that
to the detriment of non-C programs.
[...]

Is your concern that C programs using a non-overcommitting malloc()
would consume more resources, to the detriment of non-C programs
running simultaneously on the system? (When I first read that, I
thought you meant that non-C programs would be forced to do
non-overcommitting allocations, but I don't think that's what you
meant.)
In the abstract machine, yes, which is what the majority of the
standard including this describes (see 5.1.2.3p1). OTOH show me the part
of the standard that says an actual implementation can't terminate the
execution of a strictly conforming program at any point it pleases for any
reason, IOW that the program will successfully execute to completion.
There is a requirement for (at least) one program as specified by 5.2.4.1.
But the "at least one program" wouldn't make sense there if it was already
the case for all strictly conforming programs.

Sure, a program can die at any time due to external influences
(somebody kills the process, the OS runs out of resources, somebody
pulls the power plug). And it's very difficult to define when this
constitutes a violation of the C standard and when it's just a case of
"oh well, stuff happens". If my program dies when my infinitely
recursive function call attempts to allocate a terabyte of memory, I
have no grounds for complaint. If it dies whenever I try to compute
2+2 in a strictly conforming program, that's a bug in the
implementation. If it dies when I try to access memory that was
allocated by an apparently successful malloc() call, I'm going to be
grumpy.
What you are guaranteed is that while the execution of the program
continues the object created by malloc() will behave correctly as an
object. It just doesn't guarantee continued execution of the
program subsequently.

What I am guaranteed is that if malloc() returns a non-null result,
the memory I requested was allocated. The question is what
"allocated" means.

There's also the issue of which behavior is more useful (which is
separate from the question of what the standard actually requires).
If C programs commonly use malloc() to allocate huge amounts of
memory, and then only use part of it, overallocation makes sense. If,
on the other hand, a program malloc()s a block of memory only if it's
actually going to use all of it, overallocation merely causes certain
errors to be detected later and without any recourse. If I request a
megabyte of memory that the system can't or won't give me, I'd rather
have the malloc() fail cleanly than have my program abort later on.

I would think that it's rare for C programs to malloc() memory that
they're not actually going to use, and I would argue that programs
that do so are misbehaving.
 

Chris Croughton

I contend that the following program is strictly conforming (assuming
that any program that writes to stdout can be strictly conforming):

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
char *ptr = malloc(0);
printf("Hello, world\n");
return 0;
}

If it doesn't print "Hello, world" when I execute it, that's a bug in
the implementation. You seem to be arguing that if any statements
that follow malloc(0) are *never* executed, that's acceptable. (If it
happens to fail because somebody pulled the power plug before it was
able to finish, that's a different story.)

Define 'acceptable'. It could be failing for a number of reasons and
still be compliant with the standard (as far as I can see it is only
guaranteed that a C program exists and works which has a data block of
up to 64K-1 bytes, but it might be required that this block is
statically allocated).
But in this case, it's not only possible, it's easy. Regardless of
whether lazy allocation is conforming or not, an implementer who wants
to provide a non-lazy malloc() can do so.

The requirement for malloc() is that it has to behave as the standard
requires, not as some OS routine happens to behave.

But there is nothing to say that events outside its control might not
stop it from working.
Sure, a program can die at any time due to external influences
(somebody kills the process, the OS runs out of resources, somebody
pulls the power plug).

Or it unexpectedly runs out of memory (perhaps someone did "swapoff" in
the middle of execution, or the OS did it automatically).
And it's very difficult to define when this
constitutes a violation of the C standard and when it's just a case of
"oh well, stuff happens". If my program dies when my infinitely
recursive function call attempts to allocate a terabyte of memory, I
have no grounds for complaint. If it dies whenever I try to compute
2+2 in a strictly conforming program, that's a bug in the
implementation.

Only if you include the hardware in the implementation as well.
If it dies when I try to access memory that was
allocated by an apparently successful malloc() call, I'm going to be
grumpy.

Quite possibly, but that's a QoI issue not a standard compliance one.
What I am guaranteed is that if malloc() returns a non-null result,
the memory I requested was allocated. The question is what
"allocated" means.
Exactly.

There's also the issue of which behavior is more useful (which is
separate from the question of what the standard actually requires).
If C programs commonly use malloc() to allocate huge amounts of
memory, and then only use part of it, overallocation makes sense. If,
on the other hand, a program malloc()s a block of memory only if it's
actually going to use all of it, overallocation merely causes certain
errors to be detected later and without any recourse. If I request a
megabyte of memory that the system can't or won't give me, I'd rather
have the malloc() fail cleanly than have my program abort later on.

How about (as is far more likely) it just waits until memory is
available? The standard says nothing about performance; if the OS is
swapping "unused" memory to mag tape and prompts the operator to load
the other mag tape, and they don't get round to it for a couple of days,
you may well get pissed off but it isn't against the standard. Or if
they decide "your program is using too much memory so I'll kill it" (or
if the OS decides the same) it isn't a violation of the standard, it's
just a QoI issue.
I would think that it's rare for C programs to malloc() memory that
they're not actually going to use, and I would argue that programs
that do so are misbehaving.

I would argue that it is common and that they are not misbehaving at
all. Any program allocating large arrays (where 'large' means more than
a few KB) as uninitialised variables will probably not have that data in
"real" memory (RAM or swap) until the program writes to it on most Unix
systems. The same may even be true of large arrays on the stack on some
systems. It's not something which is unique to malloc and dynamic
memory allocation.

If you don't like the QoI, you are free to use another system, or turn
off the 'lazy' memory allocation if you have that privilege, but it is
still standard conforming.

Chris C
 

CBFalconer

Keith said:
.... snip ...

I would think that it's rare for C programs to malloc() memory that
they're not actually going to use, and I would argue that programs
that do so are misbehaving.

Yet it is essential for systems to guard against such misbehavior,
for self-protection if nothing else.

I still see several justifications for lazy allocation and eventual
failure. One is to simply block the process until the request can
be satisfied (although how to detect that point may be a problem).
Another is to treat it as if that memory chip just failed.
 

Keith Thompson

Chris Croughton said:
Define 'acceptable'. It could be failing for a number of reasons and
still be compliant with the standard (as far as I can see it is only
guaranteed that a C program exists and works which has a data block of
up to 64K-1 bytes, but it might be required that this block is
statically allocated).

Sure, the standard only really requires that one hypothetical program
be accepted. Other programs, even strictly conforming ones, can fail
for any of a variety of reasons.

But, well, there's quality-of-implementation, and then there's
quality-of-implementation.

As I mentioned before, an implementation in which any attempt to
evaluate 2+2 causes the program to abort might be conforming if you
read the standard strictly enough. But nobody would consider such an
implementation to be acceptable (and if there's some valid reason that
the hardware can't compute 2+2, it's up to the compiler to generate
alternative code that yields 4 as the result).

It's all a matter of degree. I'm arguing that a malloc() that does
overallocation isn't *quite* as bad as an implementation that aborts
on 2+2, but it's more severe than one that refuses to allocate a
terabyte on the stack.
But there is nothing to say that events outside its control might not
stop it from working.

But overallocation isn't outside malloc()'s control. If necessary, it
can access the memory before returning the pointer, and return NULL if
the access fails.

[...]
How about (as is far more likely) it just waits until memory is
available?

That would be fine (as far as conformance is concerned).

[...]
I would argue that it is common and that they are not misbehaving at
all. Any program allocating large arrays (where 'large' means more than
a few KB) as uninitialised variables will probably not have that data in
"real" memory (RAM or swap) until the program writes to it on most Unix
systems. The same may even be true of large arrays on the stack on some
systems. It's not something which is unique to malloc and dynamic
memory allocation.

The misbehavior I'm talking about is a program allocating a large array
and *never* writing to it.
 

Keith Thompson

CBFalconer said:
Yet it is essential for systems to guard against such misbehavior,
for self-protection if nothing else.

Sure, and the system can guard against it by making the malloc() call
fail.
 

CBFalconer

Keith said:
Sure, and the system can guard against it by making the malloc() call
fail.

Please tell me how the system can differentiate between a malloc
whose space will be used, and a malloc whose space will not be
used?
 

Keith Thompson

CBFalconer said:
Please tell me how the system can differentiate between a malloc
whose space will be used, and a malloc whose space will not be
used?

Ok, it can't -- but in my opinion it doesn't need to.

A program requests memory; the system either allocates it or reports
that it can't.

I see your point, though. Lazy allocation means that a program that
requests a huge amount of memory and doesn't use it will have less
impact on the rest of the system. I'm just not convinced that it's
worth the drawbacks.
 

Ben Pfaff

CBFalconer said:
Please tell me how the system can differentiate between a malloc
whose space will be used, and a malloc whose space will not be
used?

Incidentally, it is quite common to allocate memory that will
never be used. For example, a table I'm preparing for a paper
here says that Mozilla, in one particular experiment we ran,
dynamically allocated 135 MB RAM but only ever wrote to 71% of
those bytes; Apache allocated 57 MB RAM but only ever wrote to 9%
of it.
 

Chris Croughton

Sure the standard only really requires that one hypothetical program
be accepted. Other programs, even strictly conforming ones, can fail
for any of a variety of reasons.

But, well, there's quality-of-implementation, and then there's
quality-of-implementation.

As I mentioned before, an implementation in which any attempt to
evaluate 2+2 causes the program to abort might be conforming if you
read the standard strictly enough. But nobody would consider such an
implementation to be acceptable (and if there's some valid reason that
the hardware can't compute 2+2, it's up to the compiler to generate
alternative code that yields 4 as the result).

Or not, it's not up to the compiler to check every detail of every
system on which it might be run. The compiler can be fine, but if the
program I generate and run on a possibly different platform fails that
is not the fault of the compiler or the library.
It's all a matter of degree. I'm arguing that a malloc() that does
overallocation isn't *quite* as bad as an implementation that aborts
on 2+2, but it's more severe than one that refuses to allocate a
terabyte on the stack.

It's nowhere near as 'bad' in the Real World(tm). If you are running
your program on a system with insufficient resources, that's your
problem not that of the implementation.
But overallocation isn't outside malloc()'s control. If necessary, it
can access the memory before returning the pointer, and return NULL if
the access fails.

Not necessarily, it might just hang, or even bomb out (just as it would
later when it tried to access the memory). There is also no value with
which it could overwrite the memory which is necessarily going to make
sure that it is really owned.
The misbehavior I'm talking about is a program allocating a large array
and *never* writing to it.

If I allocate a buffer of (say) 64KB, and it happens that all of the
lines I read in are 80 characters or less, most of that is unused. The
same in many other Real World(tm) applications. Using "lazy allocation"
means that it doesn't matter, a program can allocate as much as it might
need and it only gets used when it needs it, instead of the inefficiency
of allocating lots of small chunks. A number of replacement memory
handling systems, for instance, allocate memory in increasing powers of
2 as they find that they need more; in a lot of cases the last block
allocated will be mostly unused.

Perhaps allocating a large chunk of memory and never writing to it at
all is wasteful, but it's hardly 'misbehaving'.

Chris C
 

Richard Tobin

Ben Pfaff said:
Incidentally, it is quite common to allocate memory that will
never be used. For example, a table I'm preparing for a paper
here says that Mozilla, in one particular experiment we ran,
dynamically allocated 135 MB RAM but only ever wrote to 71% of
those bytes; Apache allocated 57 MB RAM but only ever wrote to 9%
of it.

When you say it allocated 135MB do you mean that it malloc()ed 135MB,
or that the system allocated 135MB in response to malloc() calls? On
systems that use power-of-two allocation, the operating system may
allocate up to twice as much as is requested by malloc. And even
systems that return blocks of the "right" size may have an
unnecessarily large pool from which they provide them.

In these cases overcommit avoids rejecting requests for memory that
could actually be satisfied.

-- Richard
 

Ben Pfaff

When you say it allocated 135MB do you mean that it malloc()ed 135MB,
or that the system allocated 135MB in response to malloc() calls?

The former. The bytes it requested from malloc() over its
execution summed to 135 MB.
 

Michael Wojcik

And that's the point of contention. Is there a DR on this topic? If
a committee response, or a future TC or version of the standard, says
that overcommitment is ok, I'll grit my teeth and accept it. But then
I wonder if there's any point of having malloc() ever return a null
pointer.

Of course there is. An overcommitting implementation can still reject
an allocation request, and indeed all of the ones I've used do so.

On AIX, for example, the data ulimit is typically set, and will cause
malloc to fail if the heap would need to be extended past that limit.
(This is a Good Thing.)

Commitment and permitting allocation are two separate issues.
If it dies when I try to access memory that was
allocated by an apparently successful malloc() call, I'm going to be
grumpy.

This can easily happen even on a strict-allocating system, for any of
a wide range of reasons (read error from a swap partition, for
example). Be grumpy. That doesn't make the implementation
non-conforming.
I would think that it's rare for C programs to malloc() memory that
they're not actually going to use,

Not in my experience. For performance reasons, many programs I've
seen allocate buffers in relatively large chunks and don't bother
shrinking and enlarging them to fit the current size of their
contents, for example. And, of course, there are various sparse data
structures implemented with large lazily-allocated areas.

I've seen a lot of C code, but I doubt I've seen a statistically
meaningful sample of *all* C code, and I wouldn't know who has. That
makes guessing what's "rare" in C programs tricky.
and I would argue that programs that do so are misbehaving.

And the people who write such programs would argue that they aren't.
I think this one's a non-starter.
 

Michael Wojcik

But overallocation isn't outside malloc()'s control. If necessary, it
can access the memory before returning the pointer, and return NULL if
the access fails.

That assumption is not true for all overcommitting OSes.

On AIX, for example, the failure to back overcommitted memory does
not result in a "failed access" that malloc could detect as it's
touching pages. (AIX, incidentally, provides a malloc variant that
does just this, for people who mysteriously cannot write their own.)

When the AIX virtual storage manager - which handles all main
memory and disk access, including filesystems and swap - determines
that additional pages are needed, no more are available, and no more
can be made available automatically, it begins a series of actions
designed to let both system administrators and processes correct the
condition. If no correction is forthcoming, the OS will escalate to
forcibly freeing storage by terminating user processes which are
consuming the most memory.

There's no guarantee that this situation will occur while *your*
process is accessing memory - whether that happens in your code or
in malloc. You might preallocate all of your memory, only to have
some other process push the system into an overcommitment failure.
Further, even if your process is the instigator (insofar as that's
a well-defined role in this scheme), there's no guarantee that it
will be the first process notified of the situation.

Further, malloc is not the only consumer of storage, and the
overcommitment failure could occur outside of malloc. Changing
the behavior of malloc has little impact in general on the system's
allocation scheme or behavior in allocation failure.

This may not be to your liking. Fine. But it *is not a C library
implementation issue* in this case. It's an OS one, and there is
nothing malloc can do to change how the OS behaves.

--
Michael Wojcik (e-mail address removed)

Pocket #9: A complete "artificial glen" with rocks, and artificial moon,
and forester's station. Excellent for achieving the effect of the
sublime without going out-of-doors. -- Joe Green
 

Keith Thompson

Chris Croughton said:
On Fri, 04 Feb 2005 02:41:41 GMT, Keith Thompson


Or not, it's not up to the compiler to check every detail of every
system on which it might be run. The compiler can be fine, but if the
program I generate and run on a possibly different platform fails that
is not the fault of the compiler or the library.

I'm not talking about a different platform. I'm assuming an
(obviously hypothetical and very stupid) implementation in which the
CPU aborts the current program on any attempt to compute 2+2. It's a
documented feature of the ADD instruction; *no* instance of that CPU
is capable of computing 2+2. A usefully conforming C implementation
on such a system would have to work around this limitation.

[...]
Not necessarily, it might just hang, or even bomb out (just as it would
later when it tried to access the memory). There is also no value with
which it could overwrite the memory which is necessarily going to make
sure that it is really owned.

There's no portable way to do it, but the implementation of malloc()
doesn't have to be portable; it can do whatever system-specific stuff
it needs to, to do its job.
 

Keith Thompson

That assumption is not true for all overcommitting OSes.

On AIX, for example, the failure to back overcommitted memory does
not result in a "failed access" that malloc could detect as it's
touching pages. (AIX, incidentally, provides a malloc variant that
does just this, for people who mysteriously cannot write their own.)
[...]

Just to be clear on what "does just this" refers to, does the malloc
variant attempt to access the allocated memory (and possibly terminate
the process, or another one, if it fails)?
 

Michael Wojcik

Just to be clear on what "does just this" refers to, does the malloc
variant attempt to access the allocated memory (and possibly terminate
the process, or another one, if it fails)?

The malloc variant (the name escapes me, and I don't recall whether
it was provided as an additional library function or simply as source)
touches each page of the newly-allocated area after successful
allocation. It can't "fail" in that process because there is no
failure mode for touching a page. There's a failure mode for the
system running short on virtual storage, but it's not tied directly
to the malloc-variant's operation.

To be frank, I think strict commitment is the wrong approach. If
you're worried about overcommitment, the proper fix is to ensure it
doesn't happen by setting the appropriate OS restrictions (number of
processes and process data limits) and not letting things run wild on
the system.

Production code should run on production systems. I don't have a lot
of sympathy for people worried about overcommitment while they're
running web browsers and the like.

Computer systems are loaded with compromises. It'd be swell to run
everything on A1-secure fault-tolerant systems with transparent
geographically-separated backups, but that's not an option. Over-
commitment is a compromise that trades an additional - rare - failure
mode for performance and simplicity. For systems built on the sands
of Unix, amateur software, commodity hardware, and the like, that
seems pretty reasonable to me.

But I recognize that this is a controversial issue, and people whose
opinions I respect - such as Doug Gwyn, Dan Bernstein, and yourself -
believe that overcommitment is undesirable. From that perspective,
at least one aspect of the Linux implementation is superior to the
AIX one: Linux lets you disable overcommitment system-wide.
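The lazy allocation Chris Croughton describes earlier (large arrays not in "real" memory until written) and the page-touching malloc variant Michael mentions here can both be observed directly. The following is an added example, not code from any poster in this thread; it assumes Linux/glibc, where mincore() reports which pages are resident and a 64 MiB malloc() is served from a fresh, never-written mapping, and the names probe_result, resident_pages and lazy_probe are its own.

```c
#define _DEFAULT_SOURCE          /* glibc: expose mincore() and sysconf() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result of one probe run (this struct is ours, not from the thread). */
struct probe_result {
    size_t page;            /* page size in bytes */
    size_t total_pages;     /* whole pages inside the malloc'd block */
    size_t resident_before; /* pages backed by RAM right after malloc() */
    size_t touched;         /* pages this probe wrote to */
    size_t resident_after;  /* pages backed by RAM after the writes */
};

/* Count the pages of [p, p+len) currently resident in RAM.
 * p must be page-aligned and len a multiple of the page size.
 * Returns -1 if mincore() fails (e.g. range not mapped). */
static long resident_pages(const void *p, size_t len, size_t page)
{
    size_t n = len / page;
    unsigned char *vec = malloc(n ? n : 1);
    if (vec == NULL)
        return -1;
    if (mincore((void *)p, len, vec) != 0) {
        free(vec);
        return -1;
    }
    long count = 0;
    for (size_t i = 0; i < n; i++)
        count += vec[i] & 1;        /* bit 0 set => page is resident */
    free(vec);
    return count;
}

/* malloc() `bytes`, measure residency, write one byte to every
 * `stride`-th whole page, measure again. Returns 0 on success, -1 on error. */
int lazy_probe(size_t bytes, size_t stride, struct probe_result *out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (stride == 0 || page == 0)
        return -1;
    char *block = malloc(bytes);
    if (block == NULL)
        return -1;

    /* Skip the partial first page: malloc() writes its own chunk header
     * there, so that page is resident for reasons unrelated to our test. */
    uintptr_t start = ((uintptr_t)block + page - 1) & ~(uintptr_t)(page - 1);
    uintptr_t end = ((uintptr_t)block + bytes) & ~(uintptr_t)(page - 1);
    if (end <= start) {
        free(block);
        return -1;
    }
    volatile char *p = (volatile char *)start;  /* volatile: keep the stores */
    size_t len = (size_t)(end - start);

    memset(out, 0, sizeof *out);
    out->page = page;
    out->total_pages = len / page;

    long before = resident_pages((const void *)start, len, page);
    if (before < 0) {
        free(block);
        return -1;
    }
    out->resident_before = (size_t)before;

    /* The first write to a page is what makes a lazily allocating OS back it. */
    for (size_t i = 0; i < out->total_pages; i += stride) {
        p[i * page] = 1;
        out->touched++;
    }

    long after = resident_pages((const void *)start, len, page);
    free(block);
    if (after < 0)
        return -1;
    out->resident_after = (size_t)after;
    return 0;
}

int main(void)
{
    struct probe_result r;
    /* 64 MiB is far above glibc's mmap threshold, so the block is a fresh
     * private mapping whose pages have never been written. */
    if (lazy_probe((size_t)64 << 20, 4, &r) != 0) {
        perror("lazy_probe");
        return EXIT_FAILURE;
    }
    printf("page size               : %zu bytes\n", r.page);
    printf("whole pages in block    : %zu\n", r.total_pages);
    printf("resident after malloc() : %zu\n", r.resident_before);
    printf("pages written           : %zu\n", r.touched);
    printf("resident after writing  : %zu\n", r.resident_after);
    return EXIT_SUCCESS;
}
```

On a Linux system with overcommit enabled, expect resident_before to be zero or very small and resident_after to be about a quarter of the pages. Touching every page, as the AIX variant described above does, is what forces the OS to back the whole block, and it is also the point at which an overcommitting OS may decide it cannot.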
 

Chris Croughton

I'm not talking about a different platform. I'm assuming an
(obviously hypothetical and very stupid) implementation in which the
CPU aborts the current program on any attempt to compute 2+2. It's a
documented feature of the ADD instruction; *no* instance of that CPU
is capable of computing 2+2. A usefully conforming C implementation
on such a system would have to work around this limitation.

Or not exist, because the system on which it runs is broken. It seems
that in your opinion systems using lazy allocation are broken, but that
is the fault of the system not that of the C implementation which might
not be able to get around the system behaviour.
[...]
Not necessarily, it might just hang, or even bomb out (just as it would
later when it tried to access the memory). There is also no value with
which it could overwrite the memory which is necessarily going to make
sure that it is really owned.

There's no portable way to do it, but the implementation of malloc()
doesn't have to be portable; it can do whatever system-specific stuff
it needs to, to do its job.

I didn't say portable. There might be no way to do it at all, at all.
The OS is at liberty to swap the memory out to tape and then allow the
operator to change tapes, causing any program which tries to access the
memory to crash. Or any other behaviour it wants. There may be a
system flag which says whether 'lazy' allocation is permitted which the
C library can't access, or the system may just 'hang' if it runs out of
memory, or many other behaviours.

Chris C
 
