-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Roaring64 doesn't handle out of memory #630
Comments
We try to catch null pointers. Would you propose a pull request? |
I can do so later this week. I'm looking at the C++ 64bit wrapper right now. |
I took a quick look at this. Actually, the 32bit version doesn't handle this very well either. For example we see things like:
Note that (a) the return code of NULL is already used by this method to denote "invalid input" so overloading it to also mean "out of memory" seems problematic, and (b) we do not check the return of And that's not all, of course, there are many places which internally allocate memory and could return NULL where they aren't checked; see below for examples. It seems if we really want to get serious about handling this we'll need a lot of extra checks throughout all the functions we have, where if we get a NULL back we have to clean up whatever allocations we may have made, then return the NULL (if we're returning a pointer) or an error code. I wonder if this is worthwhile for something that we hardly ever expect to happen and if it DOES happen would be almost impossible for our caller to cleanly recover from, anyway. Are there really programs out there which attempt to recover from this? All the software I've been involved with (even production software) more or less gives up and exits if malloc() returns NULL. Another option to consider would be have Of course people can already install such a It's not great, but the alternative is to make extensive changes to both the 32bit and 64bit implementations to fully plumb through checks for NULL. Just as an example: many places we call If we don't want to commit to that then maybe it's better to just admit this up-front and make it part of the interface, rather than whistling past the graveyard. |
There are some memory cleanups that we certainly should do: for example I notice that |
@madscientist You are correct, hence my wording... We try to catch null pointers. We definitively do not succeed. |
Well, I'm not sure where to go from here. Does it make sense to change roaring64 to be "more or less as good" as roaring and check in the same places? It seems to me like we really only reliably check in places which are pretty unlikely to cause problems; for example allocating a roaring_bitmap_t (40 bytes or so) is unlikely to fail compared to expanding internal structures which are likely to be a lot larger. Here's another idea: we could create a new method in Then someone who cares can do something holistically, and there's some kind of story to tell in the docs. Thoughts? |
I guess, users can already have this "out of memory" facility if they want it by just providing replacement alloc functions. |
To be honest, I’m was hoping that static analysis could help. |
Note that this is rather theoretical. In practice, under many operating systems, you will get back a non-nul value, and the failure occurs where you try to page in the memory. |
In the 32bit version of croaring the returned value of roaring_malloc() is checked and if it's NULL (the runtime cannot allocate more memory) then NULL is returned and we don't try to dereference that pointer.
In the 64bit version of croaring, the return value of roaring_malloc() is not checked: the code assumes that it can never return NULL. If it does, we'll definitely get a SIGSEGV due to dereferencing a NULL pointer.
What is the correct memory model we should be using here?
The text was updated successfully, but these errors were encountered: