The "too small to fail" memory-allocation rule

By Jonathan Corbet
December 23, 2014

Kernel developers have long been told that, with few exceptions, attempts to allocate memory can fail if the system does not have sufficient resources. As a result, in well-written code, every call to a function like kmalloc(), vmalloc(), or __get_free_pages() is accompanied by carefully thought-out error-handling code. It turns out, though, the behavior actually implemented in the memory-management subsystem is a bit different from what is written in the brochure. That difference can lead to unfortunate run-time behavior, but the fix might just be worse.

A discussion on the topic began when Tetsuo Handa posted a question on how to handle a particular problem that had come up. The sequence of events was something like this:

A process that is currently using relatively little memory invokes an XFS filesystem operation that, in turn, needs to perform an allocation to proceed.
The memory management subsystem tries to satisfy the allocation, but finds that there is no memory available. It responds by first trying direct reclaim (forcing pages out of memory to free them), then, if that doesn't produce the needed free memory, it falls back to the out-of-memory (OOM) killer.
The OOM killer picks its victim and attempts to kill it.
To be able to exit, the victim must perform some operations on the same XFS filesystem. That involves acquiring locks that, as it happens, the process attempting to perform the problematic memory allocation is currently holding. Everything comes to a halt.

In other words, the allocating process cannot proceed because it is waiting for its allocation call to return. That call cannot return until memory is freed, which requires the victim process to exit. The OOM killer will also wait for the victim to exit before (possibly) choosing a second process to kill. But the victim process cannot exit because it needs locks held by the allocating process. The system locks up and the owner of the system starts to seriously consider a switch to some version of BSD.

When asked about this problem, XFS maintainer Dave Chinner quickly wondered why the memory-management code was resorting to the OOM killer rather than just failing the problematic memory allocation. The XFS code, he said, is nicely prepared to deal with an allocation failure; to him, using that code seems better than killing random processes and locking up the system as a whole. That is when memory management maintainer Michal Hocko dropped a bomb by saying:

Well, it has been an unwritten rule that GFP_KERNEL allocations for low-order (<=PAGE_ALLOC_COSTLY_ORDER) never fail. This is a long ago decision which would be tricky to fix now without silently breaking a lot of code. Sad...

The resulting explosion could be heard in Dave's incredulous reply:

We have *always* been told memory allocations are not guaranteed to succeed, ever, unless __GFP_NOFAIL is set, but that's deprecated and nobody is allowed to use it any more.

Lots of code has dependencies on memory allocation making progress or failing for the system to work in low memory situations. The page cache is one of them, which means all filesystems have that dependency. We don't explicitly ask memory allocations to fail, we *expect* the memory allocation failures will occur in low memory conditions. We've been designing and writing code with this in mind for the past 15 years.

A "too small to fail" allocation is, in most kernels, one of eight contiguous pages or less — relatively big, in other words. Nobody really knows when the rule that these allocations could not fail went into the kernel; it predates the Git era. As Johannes Weiner explained, the idea was that, if such small allocations could not be satisfied, the system was going to be so unusable that there was no practical alternative to invoking the OOM killer. That may be the case, but locking up the system in a situation where the kernel is prepared to cope with an allocation failure also leads to a situation where things are unusable.

One alternative that was mentioned in the discussion was to add the __GFP_NORETRY flag to specific allocation requests. That flag causes even small allocation requests to fail if the resources are not available. But, as Dave noted, trying to fix potentially deadlocking requests with __GFP_NORETRY is a game of Whack-A-Mole; there are always more moles, and they tend to win in the end.

The alternative would be to get rid of the "too small to fail" rule and make the allocation functions work the way most kernel developers expect them to. Johannes's message included a patch moving things in that direction; it causes the endless reclaim loop to exit (and fail an allocation request) if attempts at direct reclaim do not succeed in actually freeing any memory. But, as he put it, "the thought of failing order-0 allocations after such a long time is scary."

It is scary for a couple of reasons. One is that not all kernel developers are diligent about checking every memory allocation and thinking about a proper recovery path. But it is worse than that: since small allocations do not fail, almost none of the thousands of error-recovery paths in the kernel now are ever exercised. They could be tested if developers were to make use of the the kernel's fault injection framework, but, in practice, it seems that few developers do so. So those error-recovery paths are not just unused and subject to bit rot; chances are that a discouragingly large portion of them have never been tested in the first place.

If the unwritten "too small to fail" rule were to be repealed, all of those error-recovery paths would become live code for the first time. In a sense, the kernel would gain thousands of lines of untested code that only run in rare circumstances where things are already going wrong. There can be no doubt that a number of obscure bugs and potential security problems would result.

That leaves memory-management developers in a bit of a bind. Causing memory allocation functions to behave as advertised seems certain to introduce difficult-to-debug problems into the kernel. But the status quo has downsides of its own, and they could get worse as kernel locking becomes more complicated. It also wastes the considerable development time that goes toward the creation of error-recovery code that will never be executed. Even so, introducing low-order memory-allocation failures at this late date may well prove too scary to be attempted, even if the long-term result would be a better kernel.

Index entries for this article
Kernel	Memory management/Page allocator

to post comments

Small allocations and OOM killer

Posted Dec 23, 2014 22:44 UTC (Tue) by epa (subscriber, #39769) [Link]

If a few kilobytes of memory are requested, but unavailable, is it even worth trying to run the OOM killer? Since the victim process will most likely require some memory allocations in order to exit, as happened here.

I can understand running the OOM killer to free a few hundred megs, but if the system is so short of memory that even a 20kbyte request wasn't satisfied, breaking out the OOM machinery sounds like it will make things worse instead of better.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 23, 2014 22:55 UTC (Tue) by cesarb (subscriber, #6266) [Link] (13 responses)

All this talk of barely tested error-recovery paths reminded me of the following parable:

> We went to lunch afterward, and I remarked to Dennis that easily half the code I was writing in Multics was error recovery code. He said, "We left all that stuff out. If there's an error, we have this routine called panic, and when it is called, the machine crashes, and you holler down the hall, 'Hey, reboot it.'"

-- http://www.multicians.org/unix.html

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 24, 2014 7:39 UTC (Wed) by jezuch (subscriber, #52988) [Link] (3 responses)

>> easily half the code I was writing in Multics was error recovery code. He said, "We left all that stuff out. If there's an error, we have this routine called panic

And now in Linux we have both! :)

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 24, 2014 21:07 UTC (Wed) by agrover (guest, #55381) [Link] (1 responses)

We've all been writing, reviewing, and debugging error-handling code in the kernel, hundreds of programmer-years of effort. It's a little insulting that it doesn't even get used. Seems to me the sooner we pull off the band-aid and enable all allocations to fail, the better.

If there are bugs that are "too scary" to contemplate fixing the right way, then we are all in BIG trouble.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 25, 2014 22:28 UTC (Thu) by epa (subscriber, #39769) [Link]

The terminology used is unfortunate. It is not that small allocations "cannot fail". Of course if the memory is unavailable, any memory allocation will fail. The question is what failure mode happens. Is it by a false status being returned to the caller, or is it some other kind of failure such as a kernel panic or hard lockup?

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 27, 2014 0:16 UTC (Sat) by reubenhwk (guest, #75803) [Link]

>> And now in Linux we have both! :)

If only we didn't have all that code we may be able to satisfy that small allocation request.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 26, 2014 18:24 UTC (Fri) by rwmj (guest, #5474) [Link] (8 responses)

I used to think this was an indictment of Unix, but if you look at modern cloud systems with their multiple virtual machines, any one of which is expected to fail without affecting the service. Or Erlang with its philosophy of failing early and recovering failed processes. Well, now it's writing all that error handling code which looks stupid.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 29, 2014 14:09 UTC (Mon) by epa (subscriber, #39769) [Link] (7 responses)

Yes, because the next time your mobile phone crashes you can seamlessly switch to one of the cloud of redundant phones you carry with you at all times...

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 29, 2014 21:58 UTC (Mon) by rwmj (guest, #5474) [Link] (2 responses)

You obviously don't understand how erlang works. Not many do which I guess explains the state of programming these days.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 30, 2014 10:31 UTC (Tue) by epa (subscriber, #39769) [Link] (1 responses)

I'm sure Erlang works reliably, but the kernel cannot be written in Erlang.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Jan 23, 2015 9:03 UTC (Fri) by Frej (guest, #4165) [Link]

No but the philosophy could be followed. In many ways it is the just the micro vs monolith kernel. If subsystems could be completely separate, you could just restart the subsystem and retry the request. But it's never quite that simple, and especially so for the kernel.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 30, 2014 15:59 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link] (3 responses)

OTOH, Android expects its apps to be able to handle crashes cleanly. When it needs to free up memory, it just kills something in the background, and it's up to the app not to have problems from that. Seamless recovery from being killed is mandatory.

Error recovery (was: The "too small to fail" memory-allocation rule)

Posted Dec 30, 2014 16:40 UTC (Tue) by epa (subscriber, #39769) [Link]

It is sound design to make the application handle crashes cleanly, so it can recover without losing more than a tiny bit of work in progress. And that applies to the kernel too: journalling filesystems are designed so that even a hard crash will not lose data.

That doesn't really mean you can do without error handling code in the kernel, though. It's great if your filesystem doesn't get horribly corrupted when the machine crashes, but still the crash is not appreciated by the user. Yes, if you are running a farm of several machines then you can fail over to another and the service stays up; that doesn't really work as a remedy for your laptop locking up, unless you happen to carry around a redundant laptop with you at all times.

And in the case of Android, the apps are killed and restarted, but it would not be acceptable for the kernel itself to just panic on any error condition and require restarting the phone. Which is what we are talking about here: *kernel* error recovery.

Re: OTOH, Android expects its apps to be able to handle crashes cleanly.

Posted Dec 30, 2014 20:47 UTC (Tue) by ldo (guest, #40946) [Link] (1 responses)

Not quite. The framework will always explicitly call onDestroy() before killing your Activity. If this is happening because the system is running low on resources, not because of direct user action, then onSaveInstanceState() will be called before that so you can save whatever is necessary of the state of your UI so, when the user returns to your app, it can be transparently restarted to make it look like it never stopped.

Re: OTOH, Android expects its apps to be able to handle crashes cleanly.

Posted Dec 30, 2014 21:41 UTC (Tue) by cesarb (subscriber, #6266) [Link]

Not true, see drivers/staging/android/lowmemorykiller.c. It directly sends SIGKILL to the process, without calling any Java function.

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 22:56 UTC (Tue) by flussence (guest, #85566) [Link] (14 responses)

This isn't the first time I've seen memory management problems and XFS mentioned in the same article. Is that just a side effect of more eyes on the code compared to other FSes, or is there something more to it?

XFS

Posted Dec 23, 2014 23:07 UTC (Tue) by corbet (editor, #1) [Link] (1 responses)

I hope I didn't create the wrong impression; XFS is not the problem here, it just happened to be the filesystem that was in use.

XFS

Posted Dec 24, 2014 3:45 UTC (Wed) by flussence (guest, #85566) [Link]

Oh, you didn't at all!

And I don't mean to sound negative either. If there's any conclusion to be made here, it's that XFS is really good at provoking improvements everyone can benefit from.

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 23:20 UTC (Tue) by xorbe (guest, #3165) [Link] (7 responses)

Of all the file systems, iirc ZFS would be the memory offender.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 10:40 UTC (Wed) by yoe (guest, #25743) [Link] (6 responses)

ZFS is not a 'memory offender'; it simply has a different approach to caching. Where other file systems assume they're not the only users of the system, ZFS in its default setting assumes the system is a file server and will hard-allocate most of the available RAM as cache. While that does leave little room for other processes, that is an appropriate thing to do if the system is, indeed, a file server and there aren't many other processes. If there are, however, it's only a default which can be changed.

I personally run ZFS on a system with 'only' 2G of ram and a single hard disk. It's not as fast as ZFS can be, but it runs perfectly well, with room to spare in its RAM for plenty of other stuff.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 18:38 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (1 responses)

Why does ZFS need its own cache? Page cache should be sufficient and system-global. If you want a particular installation to prefer file-backed pages to swap-backed pages at reclaim time, fine, but I don't see why this policy should have to be tied to a specific filesystem. It feels like a step backward from the unified cache era.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 22:33 UTC (Thu) by yoe (guest, #25743) [Link]

ZFS doesn't necessarily need its own cache, I suppose, but the algorithms involved can be more efficient if they have knowledge of the actual storage layout (which *does* require that they are part of the ZFS code, if done to the extreme). E.g., ZFS has the ability to store a second-level cache on SSDs; if the first-level (in-memory) cache needs to drop something, it may prefer to drop something which it knows to also be stored on the SSD cache over something which isn't. The global page cache doesn't have the intricate knowledge of the storage backend which is required for that sort of thing.

I suppose that's a step backwards if what you want is "mediocre cache performance, but similar performance for *all* file systems". That's not what ZFS is about, though; ZFS wants to provide excellent performance at all costs. That does mean it's not the best choice for all workloads, but it does beat the pants off of most other solutions in the workloads that it was meant for.

The "too small to fail" memory-allocation rule

Posted Dec 26, 2014 16:11 UTC (Fri) by nix (subscriber, #2304) [Link] (1 responses)

You're talking about ZFS, but the post was talking about XFS. They are very different things.

The "too small to fail" memory-allocation rule

Posted Dec 27, 2014 13:09 UTC (Sat) by yoe (guest, #25743) [Link]

I know.

The article was about XFS, but the comment that I replied to was very much about ZFS, not XFS.

The "too small to fail" memory-allocation rule

Posted Jan 6, 2015 20:40 UTC (Tue) by Lennie (subscriber, #49641) [Link] (1 responses)

I thought ZFS was a heavy user of RAM mostly when deduplication is enabled.

The "too small to fail" memory-allocation rule

Posted Feb 28, 2015 13:59 UTC (Sat) by yoe (guest, #25743) [Link]

Dedup is a large memory eater, yes, but doesn't have an influence on how much memory gets used (it just gets terribly slow if you don't have enough...)

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 23:22 UTC (Tue) by cesarb (subscriber, #6266) [Link]

> This isn't the first time I've seen memory management problems and XFS mentioned in the same article. Is that just a side effect of more eyes on the code compared to other FSes, or is there something more to it?

I'd guess it's a side effect of XFS's focus on performance and code quality. As a high-performance filesystem, it puts more stress on the VM subsystem. And as for code quality, there's a reason why the filesystem testing tool every filesystem uses is called "xfstests".

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 23:25 UTC (Tue) by alan (subscriber, #4018) [Link]

With XFS as the new default filesystem in RHEL systems, you may see it mentioned even more.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 5:13 UTC (Wed) by zblaxell (subscriber, #26385) [Link]

If you're comparing XFS to vfat or ext3, remember that those are really simple filesystems. Almost everything is in fixed-size arrays or bitmaps, and disk blocks have a 1:1 relationship with page cache. Not much interesting for MM to do.

Comparing XFS to reiserfs, NTFS, ZFS: these filesystems have similar complexity, but they're not developed any more, or their best implementations are not in the Linux kernel proper, so their developers don't have newsworthy interactions with MM developers.

Comparing XFS to btrfs: btrfs has MM bugs. but it also has lots of other kinds of bugs, so the MM bugs don't stand out as much. ;)

If you count up lines of code and commits in the last two years, XFS is one of the most actively developed filesystems in Linux, second only to btrfs among non-network filesystems by those crude metrics.

The "too small to fail" memory-allocation rule

Posted Dec 26, 2014 22:56 UTC (Fri) by dgc (subscriber, #6611) [Link]

It more that XFS is more deeply intertwined with memory allocation and reclaim architecture than other filesystems. We've long had problems with memory reclaim recursion doing things like deadlocking and/or blowing the stack, but over the past few years XFS has made use of the shrinker subsystem to vastly expand scalability and performance above what the generic memory reclaim algorithms can provide.

To do this, we have to have some idea of how the MM subsystem works, how it is architected, the rules we have to play under, the capabilities and deficiencies it has, etc. Just because we work on filesystems doesn't mean we only understand filesystems...

Further, most XFS developers come from a strong engineering background where we are taught to understand and solve the root cause of whatever issue is occurring, not just slap a band-aid over the symptom being reported. Hence you see us pointing out warts in other parts of the system that haven't been well thought out, work around some issue or are just plain broken.

This thread was a prime example - "XFS deadlocked under low memory conditions" was the bug report, but a little bit of investigation of the report points out the underlying cause of the hang is not a filesystem problem at all...

-Dave.

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 23:15 UTC (Tue) by cesarb (subscriber, #6266) [Link] (2 responses)

> That leaves memory-management developers in a bit of a bind. Causing memory allocation functions to behave as advertised seems certain to introduce difficult-to-debug problems into the kernel. But the status quo has downsides of its own, and they could get worse as kernel locking becomes more complicated.

If I understood it correctly, the problem is a "recursive locking" deadlock: the filesystem does a memory allocation under a lock, which waits for a process to exit, which calls into the filesystem, which needs the same lock again.

Doesn't the kernel already have a way of saying "I'm the filesystem, do not call the filesystem to free memory", that is, GFP_NOFS (and the related GFP_NOIO)? Couldn't the meaning of that flag be extended to also mean "don't wait for the OOM killer even for small allocations", since filesystem and memory management code have a higher probability of having a good quality error recovery code?

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 3:13 UTC (Wed) by neilbrown (subscriber, #359) [Link]

This looks to me to be a valid and relevant observation.

The allocation is question is __GFP_NOWAIT which is equivalent to GFP_NOIO.
Such an allocation must not risk waiting for FS or IO activity. Yet waiting for the OOM killer can clearly do that. This is a violation of the interface whether you accept the "too small to fail" rule or not.

Invoking the OOM killer is reasonable, waiting a little while is reasonable, but waiting for the killed processes to flush data or close files is not..... Hmmm. The out_of_memory() function chooses a processes, kills it, then waits one second ("schedule_timeout_killable(1);"), so it seems to be behaving as I would expect.

Reading more of the email threads it seems that TIF_MEMDIE is an important part of the problem. This is set on a thread when it has been chosen to die. As long as any thread has this set, "select_bad_process()" will not select anything else so nothing else gets killed.

So the "real" problem seems to be that if a process with TIF_MEMDIE set enters filesystem (or IO) code and blocks, a GFP_NOIO allocation can be made to wait for that filesystem code to complete - which could deadlock.

Looking at the original patch which started this: http://marc.info/?l=linux-mm&m=141839249819519&w=2 the problem seems to involve a process with TIF_MEMDIE set, which has already released its memory, but is now stuck in the filesystem, probably closing some files.

As it has TIF_MEMDIE set, nothing else will be killed. So no memory will become available, so it will stay stuck in the filesystem...

This deadlock could possibly be avoided by having oom_scan_process_thread() not abort the scan if TIF_MEMDIE is set on a process which has already dropped its memory. Then another process can be killed even if the first one blocked

But that analysis was very hasty and probably misses something important. "Here be dragons" is how I would mark this code on a map of Linux.

The "too small to fail" memory-allocation rule

Posted Jan 15, 2015 19:40 UTC (Thu) by ksandstr (guest, #60862) [Link]

Indeed it's bizarre that an automatic attempt to avert malloc failure would potentially re-enter its caller and therefore guarantee a lock-ordering violation. First, the allocator is at all called with a lock held, implying that allocation length follows from state which the lock is used to guard; which in turn implies overly eager design.

Second, that the allocator enters the OOM killer on its own volition, changing malloc's locking behaviour from "only ever the heap lock" to "everything an asynchronous OOM killer might end up with". That might well cover all of the kernel, when the caller is expecting malloc to be atomic by itself.

What's surprising isn't so much the reams of untested malloc-failure handling code, but that this bug comes up as late as 2014.

The "too small to fail" memory-allocation rule

Posted Dec 23, 2014 23:41 UTC (Tue) by xorbe (guest, #3165) [Link] (2 responses)

An important piece of code such as XFS should reserve the minimal needed memory on driver load. Then, it should have local management of its own resources. It could have optional dynamic reservation for non-critical purposes, such as caching, where it doesn't matter if the data is dropped (only a performance impact).

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 0:54 UTC (Wed) by cwillu (guest, #67268) [Link] (1 responses)

The problem isn't that xfs can't deal with the memory allocation failing; the problem is that the allocation routines don't give it an opportunity to handle a failure before they've already gone ahead and tried to kill a process (at which point they've deadlocked).

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 7:35 UTC (Wed) by epa (subscriber, #39769) [Link]

I think the OP's point may have been that ideally cleanup tasks like killing a process should not require fresh allocations. Sufficient memory should be allocated in advance, so you can always close files (etc) without allocating.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 4:35 UTC (Wed) by zblaxell (subscriber, #26385) [Link] (24 responses)

> XFS maintainer Dave Chinner quickly wondered why the memory-management code was resorting to the OOM killer rather than just failing the problematic memory allocation.

I wonder this too, and have done so for as long as the OOM killer has existed. It seems that instead of returning ENOMEM or calling panic(), we've decided that inflicting a Chaos Monkey on userspace (and adding a bunch of latency for the allocating process) is somehow the best of all feasible alternatives.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 7:53 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (22 responses)

OOM killer is a consequence of memory overcommit which in turn originated in copy-on-write semantics of the fork.

For example, Linux allows to fork a process even if its image has more then halve the memory on the system. The assumption is that the child process most likely would either use exec soon or parent/child would use the allocated memory in read-only way. Now consider what should happen when the processes start to write to the memory. That may lead to OOM errors. Now, who should be blamed for it? The child or parent? In addition, applications are typically not prepared to deal with a situation when an arbitrary write may trigger OOM. So OOM killer is pretty reasonable solution.

Compare that with Windows where overcommit is not available (lack of fork in Windows API allows for that). Immediately memory accounting becomes simple and OS can guarantee that if a process has a pointer to writable memory, then memory is always available for writing.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 9:23 UTC (Wed) by epa (subscriber, #39769) [Link] (10 responses)

fork-exec is one of the aspects of classical Unix which looks really neat in a textbook but hasn't held up quite so well in the real world. Remembering that 'things should be as simple as possible, but no simpler', it is just a bit too simple. POSIX does define spawn functions which userspace code might call instead.

Essentially, when you fork() the kernel has no way of knowing that you are just about to call exec() immediately afterwards, so it has to either reserve space for a complete copy of all your process's memory, or end up overcommitting and resorting to an OOM killer if it guessed wrong. If userland can give the kernel a bit more information then the kernel can do its job better.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 9:35 UTC (Wed) by roc (subscriber, #30627) [Link] (9 responses)

One great feature of the fork()/exec() model is that you can set up the child's environment by running code in the child before exec --- setting resource limits, manipulating file descriptors, dropping privileges, etc. It's easy to do this in a race-free way. With Windows' CreateProcess you can't do this, so it takes 10 parameters including a flags word with 16 flags and a STARTUPINFO struct with over a dozen members, and it's still less flexible than fork()/exec().

Also, copy-on-write fork()ing has other valuable uses. In rr we use it to create checkpoints very efficiently.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 9:54 UTC (Wed) by epa (subscriber, #39769) [Link] (3 responses)

This is true. But the manipulation of file descriptors shouldn't require a complete copy of the parent process's memory. It would be handy if you could fork passing a buffer of memory and a function pointer. The child process will be given a copy of that buffer and will jump to the function given. Then you have some flexibility in what you can do before exec() but you can still be frugal in memory usage without relying on overcommit.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 18:44 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

> The child process will be given a copy of that buffer and will jump to the function given

vfork does what you want. The "child" shares memory with the parent until it calls exec, so you avoid not only the commit charge catastrophe of copy-on-write fork, but also gain a significant performance boost from not having to copy the page tables.

Re: shouldn't require a complete copy of the parent process's memory

Posted Dec 25, 2014 22:18 UTC (Thu) by ldo (guest, #40946) [Link] (1 responses)

That issue was solved a long time ago, which is why the vfork(2) hack is obsolete nowadays.

Re: shouldn't require a complete copy of the parent process's memory

Posted Dec 26, 2014 7:33 UTC (Fri) by epa (subscriber, #39769) [Link]

Sorry what issue are you referring to? The conjecture so far is that there is a problem, since a forked process gets a copy of its parent's address space, which requires either reserving enough memory (RAM or swap) to provide that, or else overcommitting and crossing your fingers (with OOM killer for when you get it wrong). It is true that copy-on-write means the kernel doesn't have to copy all the pages straight away, but that is just a time saving; it doesn't resolve the underlying issue of needing overcommit.

vfork() doesn't make a copy of the address space and so doesn't require either over-caution or over-committing. But it has other limitations.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 10:18 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (4 responses)

> One great feature of the fork()/exec() model is that you can set up the child's environment by running code in the child before exec

To customize the child before exec one does not need full fork, vfork is enough and does not require overcommit.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 11:34 UTC (Wed) by pbonzini (subscriber, #60935) [Link] (3 responses)

Only in Linux. The POSIX description is "you can store the return value from vfork(), then you have to call _exit or exec".

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 12:31 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (1 responses)

Linux semantic of vfork is one of the most usable as it blocks only the thread in parent that calls it. Thus one can get rather safe and efficient alternative to fork/exec by creating a new thread, calling vfork from it, preparing the child and calling the exec. Compare that with, say, FreeBSD or Solaris that, according to the manual pages, suspends the whole parent process during the vfork call.

The "too small to fail" memory-allocation rule

Posted Dec 30, 2014 0:04 UTC (Tue) by klossner (subscriber, #30046) [Link]

By "create a new thread" do you mean call pthread_create? That just ends up in do_fork(), which creates a new process with which to call vfork(), which ends up in do_fork() to create another new process. Safe, okay, but not really efficient.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 14:27 UTC (Wed) by justincormack (subscriber, #70439) [Link]

Most versions allow you to do more than this though, not just the Linux one. Makes it all rather non portable though.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 14:12 UTC (Wed) by patrakov (subscriber, #97174) [Link]

This phrase is not 100% accurate:

"overcommit is not available (lack of fork in Windows API allows for that)"

It is not the lack of fork() that makes overcommit "unneeded", but an explicit decision. Windows MapViewOfFile() API allows creation of copy-on-write mappings (which are usually the basis for overcommit) through the FILE_MAP_COPY flag. Although, as documented, Windows does always reserve the whole size of the memory region in the pagefile.

See http://msdn.microsoft.com/en-us/library/windows/desktop/a...

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 15:33 UTC (Wed) by dumain (subscriber, #82016) [Link] (6 responses)

The copy-on-write fork semantics don't have to lead to the OOM killer. Selecting strategy 2 in /proc/sys/vm/overcommit_memory should allow a linux box to overcommit real memory without overcommiting virtual memory. The penalty for actually using the memory then becomes swapping rather than random process death.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 18:50 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (5 responses)

overcommit=2 is not usable in practice on general-purpose systems: MAP_NORESERVE is ignored in that mode. Many programs (like the JVM) reserve large chunks of address space on startup and internally allocate out of that. Because the kernel ignores [1] MAP_NORESERVE, these address space reservations become actual *commit charge* claims on the system and require resource allocations far in excess of what's actually needed even ignoring COW fork considerations.

MAP_NORESERVE being ignored when overcommit=2 isn't a "gotcha". It's fundamental brokenness.

[1] https://www.kernel.org/doc/Documentation/vm/overcommit-ac...

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 19:04 UTC (Thu) by fw (subscriber, #26023) [Link] (4 responses)

OpenJDK has been fixed and uses PROT_NONE mappings to reserve uncommitted address space (which is then committed with mprotect calls, as needed).

MAP_NORESERVE is not named appropriately, but it does what it does. The problem is that programmers do not know about overcommit mode 2, do not test with it, and hence never realize the need for the PROT_NONE approach.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 19:58 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (3 responses)

Agreed on the lack of testing --- but what bugs me is that MAP_NORESERVE is documented as doing the right thing, and doesn't. That means that programs written by the few well-intentioned developers are aware of overcommit issues frequently don't end up working correctly.

Sadly, the commit charge implications of MAP_NORESERVE are documented but silently broken, but the commit charge implications of PROT_NONE are undocumented and in theory mutable in future releases. All this gives mmap(2) a Rusty Russel score of around -4.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 20:14 UTC (Thu) by fw (subscriber, #26023) [Link] (2 responses)

Which documentation? The manual page talks about error reporting through SIGSEGV, which should be sufficiently discouraging to anyone who actually reads it.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 20:23 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (1 responses)

The man page says this about MAP_NORESERVE:

Do not reserve swap space for this mapping. When swap space is reserved, one has the guarantee that it is possible to modify the mapping. When swap space is not reserved one might get SIGSEGV upon a write if no physical memory is available. See also the discussion of the file /proc/sys/vm/overcommit_memory in proc(5). In kernels before 2.6, this flag had effect only for private writable mappings.

That looks a lot like a a flag for mapping that doesn't reserve commit charge. There's no mention of the flag not actually working; there's no reference to better techniques. MAP_NORESERVE is just an attractive nuisance.

There's just tremendous confusion over exactly Linux does with commit charge even among people well-versed in memory management fundamentals. There's no clarity in the API either. MAP_NORESERVE is dangerous because it's the only publicly-documented knob for managing commit charge and it's a broken knob nobody is interested in fixing.

(And no, SIGSEGV is not something that will discourage use. Those who know what they're doing can write code that recovers perfectly safely from SIGSEGV.)

The "too small to fail" memory-allocation rule

Posted Apr 18, 2019 6:36 UTC (Thu) by thestinger (guest, #91827) [Link]

In case anyone comes across this old comment, the official documentation is at https://www.kernel.org/doc/Documentation/vm/overcommit-ac... and is accurate. It covers the rules properly.

The linux-man-pages project is not the official kernel documentation and has often been inaccurate about important things for many years. MAP_NORESERVE doesn't work as it describes at all.

It has no impact in the full overcommit mode or the memory accounting mode, which makes sense. It only has an impact in the heuristic overcommit mode, where it disables the heuristic for causing immediate failure.

Note how a read-only (or PROT_NONE) mapping with not data has no accounting cost:

For an anonymous or /dev/zero map
SHARED - size of mapping
PRIVATE READ-only - 0 cost (but of little use)
PRIVATE WRITABLE - size of mapping per instance

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 22:24 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

That's not exactly true. Windows supports overcommit just fine. There are two main ways to overcommit:

1) Map a file with copy-on-write semantics from several processes. Windows does this just fine with the MapViewOfFile function.

2) Reserve a large amount of virtual RAM but don't actually allocate physical pages for it. It's also supported with MEM_RESERVE flag for the VirtualAllocEx function ( http://msdn.microsoft.com/en-us/library/windows/desktop/a... )

The main distinction is that Windows programs by default try to avoid OOM situations.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 23:32 UTC (Wed) by ibukanov (subscriber, #3942) [Link]

These are not the overcommit in the Linux sense.

On Windows after MEM_RESERVE the memory is not available. One has to explicitly commit it using MEM_COMMIT. As for copy-on-write for mmap files Windows explicitly reserves the allocated memory in advance. In both cases Windows ensure as long as a program has a pointer to a writable memory, that memory is always available. That is, on Windows OOM failure can only happen during allocation calls, not during an arbitrary write in a program as it happens on Linux

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 19:17 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Your comment is incorrect according to a conventional understanding of "overcommit". The misunderstanding probably stems from a general confusion even among very senior Linux developers between allocating address space and allocating memory. In Linux, programs call mmap and expect that operations on the memory returned will never[2] fail. There is no distinction in practice [1] between setting aside a N pages of virtual addresses and reserving storage for N distinct pages of information.

In NT, the operations are separate. A program can set aside N pages of its address space, but it's only when it commits some of those pages that the kernel guarantees that it will be able to provide M, M<=N, distinct pages of information. After a commit operation succeeds, the system guarantees that it will be able to provide the requested pages. There is no OOM killer because the kernel can never work itself into a position where one might be necessary. While it's true that a process can reserve more address space than memory exists on the system, in order to use that memory, it must first make a commit system call, and *that call* can fail. That's not overcommit. That's sane, strict accounting. Your second point is based on a misunderstanding.

Your first point is also based on a misunderstanding. If two processes have mapped writable sections of a file, these mappings are either shared or private (and copy-on-write). Shared mappings do not incur a commit charge overhead because the pages in file-backed shared mappings are backed by the mapped files themselves. Private mappings are copy-on-write, but the entire commit charge for a copy-on-write mapping is assessed *at the time the mapping is created*, and operations that create file mappings can fail. Once they succeed, COW mappings are as committed as any other private, pagefile-backed mapping of equal size. Again, no overcommit. Just regular strict accounting.

From MSDN:

"When copy-on-write access is specified, the system and process commit charge taken is for the entire view because the calling process can potentially write to every page in the view, making all pages private. The contents of the new page are never written back to the original file and are lost when the view is unmapped."

The key problem with the Linux scheme is that, in NT terms, all mappings are SEC_RESERVE and are made SEC_COMMIT lazily on first access, and the penalty for a failed commit operation is sudden death of your process or a randomly chosen other process on the system. IMHO, Linux gets all this tragically wrong, and NT gets it right.

[1] Yes MAP_NORESERVE exists. Few people use it. Why bother? It's broken anyway, especially with overcommit off, when you most care about MAP_NORESERVE in the first place!

[2] Sure, the OOM killer might run in response to a page fault, but the result will either be the death of some *other* process or the death of the process performing the page fault. Either way, that process never observes a failure, in the latter case because it's dead already. Let's ignore file-backed memory on volatile media too.

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 8:01 UTC (Wed) by jezuch (subscriber, #52988) [Link]

> I wonder this too, and have done so for as long as the OOM killer has existed.

That's all about promises. When you call malloc(), and it returns a success, the kernel promises that the memory will be available. But then there's overcommit, which means that the kernel might be making empty promises - "don't worry, I know things are tight right now, but trust me, I *will* have the money^Hmemory". And when things are really tight, it scrambles and goes to the pawn shop to fence some memory of some poor innocent process. Because at this point there's no other way - malloc() was reported as success and the process is trying to use this supposedly allocated memory by simply accessing it. But it's not there.

But it looks like this particular case is a different thing. There's no overcommit for the kernel allocations, right?

The "too small to fail" memory-allocation rule

Posted Dec 24, 2014 7:15 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (1 responses)

The fear of untested OOM recovery code reminded me about OOM errors in Java. Formally recovery is possible, but in practice at least in earlier Java those error popping up in arbitrary places could easily lead to unexpected states from which the system could not recover.

What helped on a memory-constrained system was to preallocate a buffer and monitor available memory. When it became low, the buffer was dropped with a global flag set indicating for the application to switch to a recovery mode. In that mode most of normal activities lead to errors. The application remained in it until enough memory was freed to be able to allocate the buffer back.

The "too small to fail" memory-allocation rule

Posted Dec 25, 2014 19:07 UTC (Thu) by fw (subscriber, #26023) [Link]

OutOfMemoryError is an VirtualMachineError, not an exception. You can catch it, but the specification about that error says it indicates “the Java Virtual Machine is broken or has run out of resources necessary for it to continue operating”, i.e., VM restart is required. So even formally, you cannot recover from it.

Or You Could Simplify The Error-Recovery Paths

Posted Dec 25, 2014 21:19 UTC (Thu) by ldo (guest, #40946) [Link] (117 responses)

I have written a lot of code according to the following paradigm:

ptr = NULL;
... similarly initialize any other pointers ... do /*once*/
  {
    ...
    allocate ptr;
    if (failure)
        break;
    ...
    futher processing, including further pointer allocations as necessary
    ...
  }
while (false);
free(ptr);
... free any other allocations ...

This kind of thing makes it easy to convince yourself, by visual inspection, that the allocated storage will be freed once, and only once, no matter what control path is taken. A key simplifying point is that the free(3) call is idempotent: freeing a NULL pointer is a no-op.

If you want to see a more elaborate example, including loops and nested do-once-within-do-once, have a look at this spuhelper.c Python extension module.

Or You Could Simplify The Error-Recovery Paths

Posted Dec 25, 2014 21:34 UTC (Thu) by cesarb (subscriber, #6266) [Link] (66 responses)

> do {
> if (failure)
> break;
> } while (false);

Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

(The Linux kernel does use the "set pointers to NULL and on error free them if they are not NULL" paradigm, of course using a "goto error" instead of a pseudo-loop, but the error-recovery paths being discussed are not merely "freeing locally allocated memory"; they can also have things like "unlocking a mutex" or "updating the filesystem block allocation structures to mark as free the blocks which had been reserved for this task".)

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Posted Dec 25, 2014 22:08 UTC (Thu) by ldo (guest, #40946) [Link] (65 responses)

No! No GOTOs. They don’t nest easily, and they lead to spaghetti code. Look at the example code I linked above, and think how it would look with GOTOs all over the place. Avoid GOTOs!

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Posted Dec 25, 2014 22:23 UTC (Thu) by mchapman (subscriber, #66589) [Link] (27 responses)

> Look at the example code I linked above, and think how it would look with GOTOs all over the place.

There would be precisely as many "goto" statements as you have "break" statements. It's much of a muchness, in my opinion.

Re: There would be precisely as many "goto" statements

Posted Dec 25, 2014 23:07 UTC (Thu) by ldo (guest, #40946) [Link] (26 responses)

And you would need a different label for each. And the extra visual burden of ensuring that each goto is paired with the right label. Which is unnecessary with a break, since that can only ever terminate one enclosing construct.

And the further burden of getting things wrong when you try refactoring the code.

Like I said: NO GOTOs!

Re: There would be precisely as many "goto" statements

Posted Dec 26, 2014 0:01 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

Except that NOW you have an extra burden to check that break actually breaks out of a right loop.

So, YES to gotos for error handling!

Re: So, YES to gotos for error handling!

Posted Dec 26, 2014 0:37 UTC (Fri) by ldo (guest, #40946) [Link]

Put your money where your mouth is. You have my code; go rewrite it!

Re: There would be precisely as many "goto" statements

Posted Dec 26, 2014 7:38 UTC (Fri) by epa (subscriber, #39769) [Link] (3 responses)

Perl allows 'last' (its equivalent of 'break') to take a loop label. That would be a useful enhancement to C.

Re: There would be precisely as many "goto" statements

Posted Dec 26, 2014 7:43 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

That's a different issue - exit from multiple nested loops. In languages lacking labeled loops (C, C++) it's often a place where 'goto' is used.

Re: There would be precisely as many "goto" statements

Posted Jan 16, 2015 5:10 UTC (Fri) by CameronNemo (guest, #94700) [Link]

Rust got that recently. It is interesting, but a little strange/complicated.

Re: There would be precisely as many "goto" statements

Posted Jan 16, 2015 18:23 UTC (Fri) by zlynx (guest, #2285) [Link]

Whenever I got to wanting labeled blocks in C, I sat down (OK,really I was already sitting down) and decided to add another function instead.

That almost always made the code cleaner, and let me exit the block (which was now a function) with a simple "return."

Re: There would be precisely as many "goto" statements

Posted Dec 26, 2014 7:34 UTC (Fri) by WolfWings (subscriber, #56790) [Link] (19 responses)

Um... since when?

if (error1) {
  goto label;
}

/* ... more code ... */

if (error2) {
  goto label;
}

/* ... more code ... */

label: free(pointer);

You can use a single label for any number of goto's, so each label is specifically describing it's use case (freeAndExit perhaps, or whatever semantic name you want to give it) and there's no more/less lines than your do{}while(false); construct but copy-pasting code inside/outside the strcture can't break it as easily.

Just saying you're wrong about the claim of needing a billion labels, goto is many-to-one not one-to-one in that regard.

Re: you're wrong about the claim of needing a billion labels

Posted Dec 26, 2014 21:15 UTC (Fri) by ldo (guest, #40946) [Link] (17 responses)

Fine. Try reworking the example I gave above, then. That has allocations nested up to three levels deep, as well as loops. See how well that works using GOTOs.

Re: you're wrong about the claim of needing a billion labels

Posted Dec 27, 2014 0:47 UTC (Sat) by reubenhwk (guest, #75803) [Link] (7 responses)

GOTO statements are fine. I like them and find it leads to cleaner, easier to understand code. The speghetti code thing is a myth with plenty of examples to disprove it in the Linux kernel.

The deeply nested allocations example *should* be solved by factoring out local/static helper functions...In other words: if your code is too complicated to use GOTO's properly for cleanup, then your code is too complicated.

Re: deeply nested allocations example should be solved by factoring out

Posted Dec 27, 2014 20:42 UTC (Sat) by ldo (guest, #40946) [Link] (6 responses)

Fine. I have offered my example; feel free to rewrite it to prove your point, and then we can compare.

Re: deeply nested allocations example should be solved by factoring out

Posted Dec 27, 2014 20:56 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

I rewrote a sample. It's shorter and easier to read and understand. I provided you a sample of non-trivial cleanup logic from a big project.

What else do you want?

Re: What else do you want?

Posted Dec 27, 2014 21:33 UTC (Sat) by ldo (guest, #40946) [Link]

An example that proves that you can deal gracefully with all the cases that my code manages.

Re: deeply nested allocations example should be solved by factoring out

Posted Jan 1, 2015 0:27 UTC (Thu) by reubenhwk (guest, #75803) [Link] (3 responses)

Please keep an eye out for pull requests...

https://github.com/ldo/dvd_menu_animator/pull/2

Re: deeply nested allocations example should be solved by factoring out

Posted Jan 1, 2015 4:23 UTC (Thu) by flussence (guest, #85566) [Link] (1 responses)

Methinks the crank is polishing his résumé to go apply for GNOME commit access.

Re: deeply nested allocations example should be solved by factoring out

Posted Jan 1, 2015 4:40 UTC (Thu) by reubenhwk (guest, #75803) [Link]

Is there an open position?

Re: deeply nested allocations example should be solved by factoring out

Posted May 23, 2017 13:10 UTC (Tue) by mirabilos (subscriber, #84359) [Link]

Interestingly enough, this got *deleted* (probably by ldo?).

goto bike shed

Posted Dec 27, 2014 17:44 UTC (Sat) by itvirta (guest, #49997) [Link] (8 responses)

> No! No GOTOs. They don’t nest easily, and they lead to spaghetti code. Look at the
> example code I linked above, and think how it would look with GOTOs all over the place.
> Avoid GOTOs!

> for(...) {
> if (PyErr_Occurred()) break;
> }
> if (PyErr_Occurred()) break;

I'm not sure I'd agree that breaking out of a loop just to test the same error condition,
to then only break out of another loop is any clearer than just jumping out directly.

Like someone mentioned, some other programming languages have dedicated constructs
(like exceptions) that can break out of multiple loops. It's not very different from what goto
was recommended for in this case.

(The thing with absolute rules is, that they absolutely forbid one from thinking. That usually
doesn't lead to anything good, so I would advise against it.)

> Fine. Try reworking the example I gave above, then. That has allocations nested up to three levels
> deep, as well as loops. See how well that works using GOTOs.

Reducing the nesting level and using a less space-hungry indenting style would be what I'd start with,
if I were to do this exercise for you.

Re: not sure I'd agree that breaking out of a loop just to test the same error condition

Posted Dec 27, 2014 20:46 UTC (Sat) by ldo (guest, #40946) [Link] (7 responses)

If you look at my code, you will see that each nested level has to do its own cleanup before propagating the error condition onwards. That is the whole point of the nesting.

Re: not sure I'd agree that breaking out of a loop just to test the same error condition

Posted Dec 27, 2014 20:57 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Really? What cleanup is performed here: https://github.com/ldo/dvd_menu_animator/blob/master/spuh... ?

Or here: https://github.com/ldo/dvd_menu_animator/blob/master/spuh... ?

I actually don't see complicated cleanups anywhere in your code.

Re: What cleanup is performed here:

Posted Dec 27, 2014 21:36 UTC (Sat) by ldo (guest, #40946) [Link]

Try here or here.

Re: not sure I'd agree that breaking out of a loop just to test the same error condition

Posted Dec 28, 2014 3:27 UTC (Sun) by reubenhwk (guest, #75803) [Link] (4 responses)

>> If you look at my code, you will see that each nested level has to do its own cleanup before
>> propagating the error condition onwards. That is the whole point of the nesting.

Better yet, use a function for each of those nested levels. Worried about spaghetti code? Then factor out the nesting and call smaller functions with less looping and less nested resource management. Use the return value to propagate error conditions onward.

Re: Better yet, use a function for each of those nested levels.

Posted Dec 28, 2014 6:34 UTC (Sun) by ldo (guest, #40946) [Link] (3 responses)

Fine. Rewrite some suitably representative part of my code to show us an example of what you mean. There seems to be an enormous reluctance among you so-called programmers to actually do this. Perhaps because every time you try it, you get it wrong.

Re: Better yet, use a function for each of those nested levels.

Posted Dec 29, 2014 2:58 UTC (Mon) by reubenhwk (guest, #75803) [Link]

Perhaps we're on vacation and, even if we weren't, we have better things to do..

Re: Better yet, use a function for each of those nested levels.

Posted Dec 29, 2014 3:19 UTC (Mon) by bronson (guest, #4806) [Link] (1 responses)

Interesting use of the word "us". The royal we?

Re: Better yet, use a function for each of those nested levels.

Posted Dec 29, 2014 17:30 UTC (Mon) by nix (subscriber, #2304) [Link]

Probably the millions of lurkers who support him in email, using his fabulously readable coding style. I know I've encountered it everywhere! (... wait, that should be "nowhere".)

The argument from popularity is not a good one, but if something is not popular it is not terribly wise to imply that in fact it is.

Re: There would be precisely as many "goto" statements

Posted May 23, 2017 13:09 UTC (Tue) by mirabilos (subscriber, #84359) [Link]

It’d even be _easier_ in the case of nested loops, as something like shell’s “break 2” does not exist in C. A sole goto, to the shared exit path.

Avoiding GOTO at all cost is overreacting. The “rule” is probably good to teach to novice programmers, but experts are beyond it. Error handling is *the* prime example in favour of GOTO, although I agree there may be others.

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Posted Dec 25, 2014 22:36 UTC (Thu) by vonbrand (subscriber, #4458) [Link] (7 responses)

Please, no knee-jerk "no goto ever" reactions, go read Knuth's "Structured programming with goto statements", ACM Computing Surveys 6(4), dec 1974, pp 261-301. Check how goto is used in the kernel, write up gotoless code doing the same. You'll find that the gotoless code is easier to understand and often significantly more efficient.

Re: Please, no knee-jerk "no goto ever" reactions

Posted Dec 25, 2014 23:08 UTC (Thu) by ldo (guest, #40946) [Link] (6 responses)

Fine. Go and rewrite my code to use GOTOs, and see how you do.

Re: Please, no knee-jerk "no goto ever" reactions

Posted Dec 30, 2014 2:10 UTC (Tue) by filipjoelsson (guest, #2622) [Link] (2 responses)

I thought it would be a fun exercise to rewrite your code with the exact same structure that you used. But instead of the do { /* code */ } while (false); construct - I'd use goto cleanup. The point of this would have been to prove to you that what you are doing is in fact to use goto, but in a circumspect manner.

You do realize that your construct will optimize to exactly the same code, when compiled, right? So, that all you do is add empty words and pointless levels of indent, that may or may not help compilers and other programmers understand what you mean?

So I took a dive into your code, stripped out all the comments and newlines, ran it through indent, and tried again.

And I must say that I believe that do { /* code */ } while (false); is one of your smaller sins!

Why the f*ck do you for instance do things like this?

for (i=0;;) { 

if (i == nrcolors) break; 

/* code */ 

++i;

}

Breaking expectations like that do not anything of value, and makes sure nobody else will want to bother helping out on your project.

You also have nuggets like:

if (nrhistentries <= 4 || /* other condition */)

      {

        if (nrhistentries > 0) {

          histogram[0].index = 0;

          if (nrhistentries > 1) {

            histogram[1].index = 1;

            if (nrhistentries > 2) {

              histogram[2].index = 2;

              if (nrhistentries > 3) {

                histogram[3].index = 3;

              }

            }

          }

        }

Which I would like to replace with:


int max_histentries = (nrhistentries>4)?4:nrhistentries;

for (i=0; i<max_histentries; ++i) {

    histogram[i].index = i;

}

I also wonder what the point is of putting semicolons after comments.

In conclusion: I was in your camp until this discussion started - I really never ever use goto. You, however, have convinced me that there are reasonable exceptions to that rule.

Re: Why the f*ck do you for instance do things like this?

Posted Dec 30, 2014 20:42 UTC (Tue) by ldo (guest, #40946) [Link] (1 responses)

I have this convention: if one of the exits from a loop is via an explicit break, then all exits from the loop shall be via explicit breaks. That way you don’t have to look for more than one kind of termination condition, just look for the breaks. Only if there are none will there be something like a for-loop termination condition. Never mix the two.

Re: Why the f*ck do you for instance do things like this?

Posted Dec 30, 2014 21:12 UTC (Tue) by filipjoelsson (guest, #2622) [Link]

Then don't use a for-loop for that. Use a do-while-loop. A for-loop is for iterating until a certain condition is met. The compiler is built to warn on relevant error patterns. Since you use the for-loop in this unexpected way - no one but you can contribute to your project. In effect it's only so much dead code.

Is there any construct that you use as intended?

Re: Please, no knee-jerk "no goto ever" reactions

Posted Dec 30, 2014 3:00 UTC (Tue) by flussence (guest, #85566) [Link] (2 responses)

Your code already uses gotos - albeit each one rendered with an indented, gaudy costume of do-break-while-0 euphemism.

But the compiler can see your royal highness is stark naked. And so can we.

Re: Please, no knee-jerk "no goto ever" reactions

Posted Dec 30, 2014 9:47 UTC (Tue) by anselm (subscriber, #2796) [Link] (1 responses)

GOTO used to be a real problem when it was all that people had for control flow (think 1960s-era FORTRAN).

Right now with the proper discipline I don't have a huge problem with “goto” in C. As far as I'm concerned it is way less of a problem for program structure than the style that ldo is advocating. ldo's style also seems to presuppose that “cleanup” consists exclusively of undoing earlier things in reverse order; in general one might have to do things in an error branch that one might not have to do during normal flow, and sorting these cases out just serves to make the code even more convoluted on top of all the extraneous “do { … } while (0)” and “if (…) break” constructs.

I teach programming as my day job (some of the time, anyway), and I can guarantee that anybody who came to me with code like ldo's would get a very stern talking-to.

Re: in general one might have to do things in an error branch that one might not have to do during normal flow

Posted Dec 30, 2014 20:53 UTC (Tue) by ldo (guest, #40946) [Link]

I believe this is another instance of the “cleanup” versus “rollback” argument made elsewhere. See my comments about idempotency of deallocation routines and NULLing subsumed pointers.

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Posted Dec 25, 2014 22:41 UTC (Thu) by viro (subscriber, #7872) [Link] (28 responses)

Don't get religious, please. goto can easily be abused, but your cute trick with do-while(false) is no better - it avoids the Bad Word(tm), but it's limited to idempotent cleanups (i.e. you'll end up breeding a bunch of flags for "do I need to drop this lock", etc., and it makes for hard-to-verify logics just as easy as goto abuse) *and* it's asking for trouble when you modify the code around that break. E.g. a loop or switch added, with location in question ending up inside the body.

It's both unidiomatic and brittle. Avoiding goto is generally a good idea, but this isn't a good way to do it.

Re: E.g. a loop or switch added,

Posted Dec 25, 2014 23:10 UTC (Thu) by ldo (guest, #40946) [Link] (27 responses)

That code already has plenty of loops in it, and you can see for yourself how to keep the interactions simple in that situation.

This isn’t a question of “religion”, it’s one of “bitter experience”. Learn from it!

Re: E.g. a loop or switch added,

Posted Dec 26, 2014 0:03 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (26 responses)

Actually, no. That's a religion.

Experience shows that idiomatic "goto error_exit" is far better than the alternatives with fake loops and flags.

Re: Experience shows that idiomatic "goto error_exit" is far better than the alternatives with fake loops and flags.

Posted Dec 26, 2014 0:36 UTC (Fri) by ldo (guest, #40946) [Link] (25 responses)

Prove it. You have my code. Go rewrite it.

Re: Experience shows that idiomatic "goto error_exit" is far better than the alternatives with fake loops and flags.

Posted Dec 26, 2014 1:32 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (24 responses)

This particular piece? In ANSI C it'll be something like the code below. In a more sane language I'd use automatic resource management (even in C with GCC extensions).

I won't bother to rewrite all of the code, so only for ParseColorTuple: https://gist.github.com/Cyberax/4546471dcb026c141369 (sorry for possible issues with indentation).

It's now 10 lines less and much more concise (WTF are you incrementing the for-loop variable manually and then manually check conditions?).

I've also fixed a bug in line 246 (failure to check error immediately).

Re: I won't bother to rewrite all of the code, so only for ParseColorTuple:

Posted Dec 26, 2014 2:12 UTC (Fri) by ldo (guest, #40946) [Link] (23 responses)

At least you made the effort, even if you “fixed” a non-bug and succeeded in introducing a real bug.

This was a simple, almost trivial case. Now try a more complex one. Elsewhere you will see do-once constructs nested up to 3 deep. And then there’s loops. Try and see how well your goto constructs scale up to those complexities.

Re: I won't bother to rewrite all of the code, so only for ParseColorTuple:

Posted Dec 26, 2014 4:59 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (22 responses)

> and succeeded in introducing a real bug.
Where?

> This was a simple, almost trivial case. Now try a more complex one.
You can do it _automatically_ by rewriting do-nothing loops into 'goto cleanup' and merging cleanup actions if needed.

> Elsewhere you will see do-once constructs nested up to 3 deep.
That's not something to be proud of, you know. It means that you've failed to decompose your logic into smaller fragments.

And the rest of your code...

It pretty much falls into the 'unmaintainable crap' bin. Everything is just perfect: eclectic code style, exotic constructs (inner functions in... C?), profligate usage of goto disguised as do..nothing loops, functions spanning hundreds of lines, etc.

Re: It pretty much falls into the 'unmaintainable crap' bin

Posted Dec 26, 2014 5:34 UTC (Fri) by ldo (guest, #40946) [Link] (20 responses)

Too bad, that your programming ideas only work with toy examples, not with real-world code.

Come back when you’ve learned a bit more about programming.

Re: It pretty much falls into the 'unmaintainable crap' bin

Posted Dec 26, 2014 5:40 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (13 responses)

> Too bad, that your programming ideas only work with toy examples, not with _real-world code_.
Like... I don't know, say an OS kernel?

Or perhaps an audio codec? Nah, can't write those with gotos: https://git.xiph.org/?p=opus.git;a=blob;f=src/opus_encoder.c;...

Re: Or perhaps an audio codec?

Posted Dec 26, 2014 21:21 UTC (Fri) by ldo (guest, #40946) [Link] (12 responses)

While I’m sure it is quite complex code, it doesn’t seem to do much with dynamic storage: I found just two calls to opus_free in those 2500-odd lines.

While my example is half that size, it has 39 calls to PY_{,X}DECREF.

Come back when you can cope with that kind of complexity.

Re: Or perhaps an audio codec?

Posted Dec 26, 2014 21:25 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

Your wish is my command: http://lxr.free-electrons.com/source/drivers/net/tun.c#L1741

Re: Your wish is my command

Posted Dec 27, 2014 20:56 UTC (Sat) by ldo (guest, #40946) [Link] (10 responses)

Now try one with a loop.

Re: Your wish is my command

Posted Dec 27, 2014 20:58 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (9 responses)

What do you mean by "with a loop"? And feel free to try it yourself, since you're such a religious fanatic of do-nothing loops.

Re: What do you mean by "with a loop"?

Posted Dec 27, 2014 21:43 UTC (Sat) by ldo (guest, #40946) [Link] (8 responses)

My code has examples of loops where errors can occur in them. So I need to deal gracefully with that. Let’s see you offer an example that does the same.

And while we’re at it, your tun.c example fails to recover if it cannot create its sysfs device files.

Re: What do you mean by "with a loop"?

Posted Dec 27, 2014 22:01 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (7 responses)

> My code has examples of loops where errors can occur in them. So I need to deal gracefully with that.
No you don't. Just split them up into free-standing functions, instead of 300-line monstrosities.

The Linux kernel manages to do that just fine, somehow.

In particular, your block near line 480 will look like this:
https://gist.github.com/Cyberax/3a7796231be66d0f64cc
(no, I'm not going to check it in details). It's pretty clear that simply by splitting some logic into a function you can decrease nesting level by 3.

And let me reiterate, your code is a mess. For example, you use 'break' to normally exit the outer loop from within the 'if' statement here: https://github.com/ldo/dvd_menu_animator/blob/master/spuh...

Why do you even bother with 'for' loops?

Re: And let me reiterate, your code is a mess.

Posted Dec 28, 2014 6:29 UTC (Sun) by ldo (guest, #40946) [Link] (6 responses)

At least it works, unlike your code.

Your for-loop will never iterate.
Where is PixBuf supposed to be local to?

Pot calling the kettle black, as it were?

Re: And let me reiterate, your code is a mess.

Posted Dec 28, 2014 6:31 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

I have not claimed that my code works (as I wrote it on a dumb web form without even automatic indentation). But it's far easier to understand and fix than your mess of twisty little loops, all alike.

Re: I have not claimed that my code works

Posted Dec 28, 2014 6:36 UTC (Sun) by ldo (guest, #40946) [Link] (4 responses)

Then what is the point? I thought you were trying to demonstrate that you could do the same thing more simply and/or clearly than I could. But instead you have totally stuffed it up.

Re: I have not claimed that my code works

Posted Dec 28, 2014 6:41 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

I don't really care to try to understand what your code actually means. It's so convoluted that it's absolute unmaintainable.

If you can make a reasonable description of what it does - I can guarantee that it's possible to write it far cleaner then what you have.

Re: If you can make a reasonable description of what it does

Posted Dec 28, 2014 21:33 UTC (Sun) by ldo (guest, #40946) [Link] (2 responses)

Did you not read the comments? There are even Python docstrings; did you not see those?

Re: If you can make a reasonable description of what it does

Posted Dec 28, 2014 22:37 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

No, they don't describe the algorithm. Please, provide a coherent description in a natural language (I understand English, Russian, Ukrainian, German and Polish) then I can provide you its implementation that will be more compact and easy-to-understand than yours.

Re: Please, provide a coherent description

Posted Dec 29, 2014 17:26 UTC (Mon) by ldo (guest, #40946) [Link]

Funny, I didn’t see any such thing in the code examples you saw fit to refer me to. Yet you expected me to cope with them. And my code already has far more comments than they did.

What’s good for the goose, eh?

Re: It pretty much falls into the 'unmaintainable crap' bin

Posted Dec 26, 2014 16:14 UTC (Fri) by mb (subscriber, #50428) [Link] (5 responses)

>Too bad, that your programming ideas only work with toy examples, not with real-world code.

This is like the guy complaining about _all_ those damn ghost drivers on the highway.

Huge projects use goto for error handling successfully. See the Linux kernel for instance.
And your "nested pseudo loops error handler" argument is void, because thouse unmaintainable monsters should be split into sub-routines anyway. And then it can use plain gotos. Which gains the additional opportunity to write structured error paths instead of "one must handle all errors" error paths.

Re: Huge projects use goto for error handling successfully

Posted Dec 26, 2014 21:15 UTC (Fri) by ldo (guest, #40946) [Link] (4 responses)

Or perhaps not so successfully. Otherwise we would not have this article.

Re: Huge projects use goto for error handling successfully

Posted Dec 27, 2014 11:32 UTC (Sat) by mb (subscriber, #50428) [Link] (3 responses)

The article talks (as a side note) about untested error paths.
Your complex pseudo-loop can't help here at all. It just adds extra complexity. The error paths will still be untested.

Re: The error paths will still be untested.

Posted Dec 27, 2014 20:40 UTC (Sat) by ldo (guest, #40946) [Link] (2 responses)

It makes them easier to see. That helps in writing the code in the first place.

Re: The error paths will still be untested.

Posted Dec 27, 2014 23:14 UTC (Sat) by vonbrand (subscriber, #4458) [Link] (1 responses)

The pseudo-loops hide the error processing in a structure that could be anything else, and which BTW I haven't seen anywhere else either. ln comparison, the "label: <error handling code>" pattern is easy to spot.

Re: The pseudo-loops hide the error processing

Posted Dec 28, 2014 6:33 UTC (Sun) by ldo (guest, #40946) [Link]

No, the cleanups always happen after the do-once constructs. That’s how you can be sure they will always be executed.

Re: I won't bother to rewrite all of the code, so only for ParseColorTuple:

Posted Dec 26, 2014 16:30 UTC (Fri) by nix (subscriber, #2304) [Link]

(do/once constructs nested up to three deep)

That's not something to be proud of, you know. It means that you've failed to decompose your logic into smaller fragments.

Actually it means he's probably trying to do multiple things which need unwinding, but because he can't use three goto labels and rely on fallthrough he has to add a layer of almost-entirely-redundant nesting for each one.

This is not something that you'd call out as an advantage and a sign of great experience unless you didn't actually have much. (But it's been worth reading this thread anyway: it's not every day you see people telling Al Viro that he doesn't have enough experience to judge the relative worth of exception-handling goto versus other techniques!)

Or You Could Simplify The Error-Recovery Paths

Posted Dec 26, 2014 0:08 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (42 responses)

> If you want to see a more elaborate example, including loops and nested do-once-within-do-once, have a look at this spuhelper.c Python extension module.
Ugh. This is an unmaintainable mess.

For example: https://github.com/ldo/dvd_menu_animator/blob/master/spuh... - does this 'break' exits the loop or is it simply an error exit?

Also, it looks like the outer loop will still do additional steps since 'break' only affects the inner loop, possibly causing more errors.

And what then? Ah, there's a dependency on a hidden state ('PyErr_Occurred').

Ugh once more.

Re: does this 'break' exits the loop or is it simply an error exit?

Posted Dec 26, 2014 0:38 UTC (Fri) by ldo (guest, #40946) [Link] (41 responses)

Hint: check the condition.

Re: does this 'break' exits the loop or is it simply an error exit?

Posted Dec 27, 2014 1:10 UTC (Sat) by reubenhwk (guest, #75803) [Link] (40 responses)

Are you choosing this...

for (i = 0; i < MAX; ++i) {
   do { /*once*/
       if (err) {
           i = MAX;
           break;
       }
   } while (false);
}

over this?

goto cleanup;

Re: does this 'break' exits the loop or is it simply an error exit?

Posted Dec 27, 2014 1:24 UTC (Sat) by reubenhwk (guest, #75803) [Link] (39 responses)

This isn't good...

for (i = 0; i < IMAX; ++i)
{
    for (j = 0; j < JMAX; ++j)
    {
        do { /* once */
            if (PyErr_Occurred())
                break;
        } while (false);
        if (PyErr_Occurred())
            break;
    }
    if (PyErr_Occurred())
        break;
}

This is far better...

for (i = 0; i < IMAX; ++i)
{
    for (j = 0; j < JMAX; ++j)
    {
        if (PyErr_Occurred())
            goto done;
    }
}

done:

Dealing with complexity means splitting a complex problem up into simple things people can understand. Good programmers don't write complex code. Good programmers write simple code. Also, the *ONLY* time you should use a pseudo-loop like this is in a macro so the compiler will accept the semi-colon following it...

#define COMPLEX_MACRO_SHOULD_BE_A_FUNC(x) do { \
    /* complex macro code isn't good either */ \
} while (0)

later...

COMPLEX_MACRO_SHOULD_BE_A_FUNC("hello world");

Re: This is far better...

Posted Dec 27, 2014 20:44 UTC (Sat) by ldo (guest, #40946) [Link] (38 responses)

You do realize that PyErr_Occurred() is checking for an error from other API calls, right? So where do you put these API calls in your example?

Re: This is far better...

Posted Dec 27, 2014 20:55 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (37 responses)

Right before the PyErr_Occurred.

Re: Right before the PyErr_Occurred.

Posted Dec 27, 2014 21:32 UTC (Sat) by ldo (guest, #40946) [Link] (36 responses)

You need to fill in your example some more. Try, say, your version of the block beginning on line 480.

Re: Right before the PyErr_Occurred.

Posted Dec 28, 2014 3:51 UTC (Sun) by reubenhwk (guest, #75803) [Link] (35 responses)

for (i = 0; i < IMAX; ++i)
{
    for (j = 0; j < JMAX; ++j)
    {
        /* Some Python C calls, allocations, etc */

        if (PyErr_Occurred())
            goto done;
    }
}

done:
    free(whatever);
    if (fileptr)
        fclose(fileptr);

Don't fight it. Embrace goto statements. Goto is clearly better than calling PyErr_Occurred multiple times. For all we know, PyErr_Occurred checks the entire state of the Python interpreter (possible a non-trivial, expensive, operation). goto done will emit one machine instruction. Don't abuse other language constructions (do nothing loops) just to avoid using a goto...especially when you're effectively doing the same thing. Try it. You'll like it.

Re: Right before the PyErr_Occurred.

Posted Dec 28, 2014 6:19 UTC (Sun) by ldo (guest, #40946) [Link] (34 responses)

You need to make it more explicit. Rewrite the part of my code that I pointed you to, so we can compare and see which is better.

There seems to be a marked reluctance among most of you nay-sayers to do this. But that is the only way you can prove that there is something to your point, more than mere hand-waving hot air.

Re: Right before the PyErr_Occurred.

Posted Dec 28, 2014 12:44 UTC (Sun) by mm7323 (subscriber, #87386) [Link] (33 responses)

Laurence - discussion of goto usage is historically well trodden territory and this thread seems a little off topic and repetitive.

Did you read the LWN Christmas/end of year message?

The Story So Far...

Posted Dec 28, 2014 22:17 UTC (Sun) by ldo (guest, #40946) [Link] (32 responses)

For those who just came in, and are too lazy to read the rest of the thread before sticking their oar in:

The article is about an assumption about (lack of) possible failures of certain memory allocations, which has somehow baked itself into many parts of the Linux kernel since long before anyone can now remember.
This assumption now seems to be unwise. However, it is going to be hard to remove, because of the complexity of error-recovery paths right through the kernel.
I offered up a general technique for simplifying such error-recovery paths, and gave a decently non-trivial example to illustrate it in action, solving a reasonably complex, real-world problem. A key part of the technique is that it avoids gotos. This way, you can be sure that cleanups will always execute, no matter which way the flow of control goes.
My efforts so far have been met with fear, hostility, and just plain prejudice. Several people have tried to claim that using gotos would be preferable to my technique.
Yet, when challenged, they are unable to actually prove their point, by offering simpler alternatives to my code.
So they resort to trying to cast aspersions on the quality of my code.
But that just brings us back to the same point: if they think my code is too complicated or just plain crap, why can’t they do better? Why can they not come up with something simpler to solve the same real-world problem? But they cannot.

Any questions?

The Story So Far...

Posted Dec 28, 2014 22:56 UTC (Sun) by nix (subscriber, #2304) [Link] (3 responses)

The problem in the kernel is not an inability to be sure that cleanups will execute. With the goto exception-handling technique, unless you omit a goto, they always execute, and if your cleanups are executed in the normal path (i.e. there is no return before the goto label) they will execute even if you omit a goto. This is *exactly the same* as in your technique.

The problem in the kernel is an inability to be sure that what those code paths do on error is even sane. They will execute if triggered, but because of this "too small to fail* rule, many of them have never executed, even when the system is out of memory.

Your digression on an idiosyncratic (and IMNHSO needlessly verbose and unreadable) technique to replace gotos is not relevant to this problem so cannot solve it.

To me, the technique appears similar to the panic that strikes people who started with one-return languages like Pascal when they are faced with languages that allow multiple returns. Yes, if carelessly used this can lead to unreadable spaghetti, but that doesn't mean the right answer is to ban it! It's amazing how many of my functions these days reduce to

int err = -1;

if (do-nothing-fastpath-test)
    return 0; /* early */

stuff that allocates memory or does other things needing cleanup in both success and failure cases
if (error check)
   goto cleanup_stuff;

stuff that doesn't need cleanup but can fail
if (error check)
   goto cleanup_stuff;

more stuff
if (error check)
   goto cleanup_more_stuff;

...

err = 0; /* success */

cleanup_more_stuff:
undo 'more stuff'

cleanup_stuff:
undo 'stuff'

return err;

It is clear that in this code -- other than in the early-fast-exit case -- the cleanups will always execute. You don't have to have a 'return' before them! The normal flow of control passes smoothly through them at all times: it's just that the cleanups can skip some of that flow (the parts relating to things they did that don't need cleanup, and where the cleanup is not something like free() that is harmless to do on something that was never allocated).

Notice how little code error handling includes here -- I've replaced the actual work with pseudocode, but even in the real code the error unwinding is *two lines per check*, one an unavoidable conditional, plus optional extra work in those conditionals to do error-specific stuff first. The cleanup is no extra code: it's just a couple of goto labels, and if you miss one of them out or somehow manage to do some cleanup at a too-deeply-nested level you get a nice easy-to-spot syntax error.

This is ever so much neater than your false-loops approach and involves much less spurious nesting. It's linear in the normal case, just like the actual code flow, with branches only in exceptional conditions, while your code makes *loops* look like the normal condition, even though those loops actually never happen. Plus, spurious break and continue are both correctly diagnosed as syntax errors: in your approach, they cause a silent and erroneous change in control flow, as if an error had happened. It is much easier to mistakenly type or transpose 'break' outside e.g. a switch than it is to accidentally type 'goto some_cleanup'!

In my view it is you who has manifestly failed to understand the merits of our approach, which is quite clearly beneficial on every metric I can see other than the unthinking one which assigns an infinite automatic negative value to any use of 'goto' regardless, even uses which only jump forward in control flow to the end of a function and are thus precisely equivalent to a block with a cleanup in it and then a return. Spaghetti code this is not! It is much less spaghetti than yours.

Note: I came from a Pascal background and was at first violently anti-goto *and* anti-multiple-returns. When I look at my code from those long-ago days the contorted control flow is almost unreadable. Almost all the time a nice linear flow is preferable. Save loops for things that can actually *loop* at least once -- and for the while (0) macro trick.

The Story So Far...

Posted Dec 29, 2014 0:41 UTC (Mon) by vonbrand (subscriber, #4458) [Link]

That is exactly the point: With the Linux goto usage the normal code path is linear and clear for all to see, failure exceptional code paths are kept apart, for separate analysis (which they require, as "normal situation" isn't guaranteed in them).

The Story So Far...

Posted Dec 29, 2014 4:20 UTC (Mon) by viro (subscriber, #7872) [Link] (1 responses)

TBH, my impression is that ldo either has never bothered to read any of the relevant papers (Dijkstra, Hoare, etc.) *or* has confused the proofs that goto doesn't add any expressive power (e.g. compared to mutual (tail) recursion) with the discussions of the reasons why goto often leads to brittle code that is hard to reason about. And these are very different things - by the very nature of such proofs, feeding them a hard-to-analyse ball of spaghetti yields an equally hard to analyse goto-free equivalent, so they actually demonstrate both that goto can be avoided *and* that avoiding goto doesn't guarantee avoiding the problems usually associated with it.

BTW, from the control flow graph decomposition POV, break is an atrocity almost equal to multiple returns (and if you add break <number of levels>
a-la sh(1), it becomes _worse_ than multiple returns). Not to mention its inconsistency between if() and switch(), etc.

Frankly, this sort of attitude is best cured by careful reading of the standard papers circa late 60s--early 70s *plus* sorting through the usual fare on lambda-lifting, supercombinators and related stuff (circa early 80s) *plus* that on the monads sensu Peyton-Jones et.al. Attitude re goto-phobia, that is - "my code is perfect, whaddya mean, idiosyncrasies?" one is cured only by sufficiently convincing LART...

Re: ldo either has never bothered to read any of the relevant papers

Posted Dec 30, 2014 20:57 UTC (Tue) by ldo (guest, #40946) [Link]

Or maybe you never bothered to look at my code?

Feel free to try any of the error-recovery-within-loop cases. That is where the rubber hits the road, and where all the goto-ists have come a cropper.

The Story So Far...

Posted Dec 28, 2014 23:33 UTC (Sun) by cesarb (subscriber, #6266) [Link] (5 responses)

> This way, you can be sure that cleanups will always execute, no matter which way the flow of control goes.

Stop right here. The problem is not with cleanups which should always be executed; these are already well-tested. The problem is with cleanups which should *never* be executed, unless an error happens.

In exception-handling terms, what you are talking about is a "finally" block, which executes both on success and on failure. The error-recovery paths in question, however, are "except" blocks, which execute only on failure.

For a filesystem-related example, since we're supposed to be talking about filesystems: let's say a user program just appended something into a file, and you're in the function which will submit the newly appended data to the block subsystem. As part of that, it has to allocate space for the new data, updating several of the filesystem's control structures, and allocate the control structures for the block subsystem.

If any allocation fails in the middle of this complex process, you have to unwind all the bookkeeping updates, otherwise the filesystem gets into an inconsistent state. If no allocation fails, however, the bookkeeping changes must be kept, since they represent the new state of the filesystem.

Is the pseudo-loop technique able to do the equivalent of an "except" block without getting even uglier? Remember that the rewind will have to be called from many places, since any of the allocations can fail, and that the failure can also be in the middle of the the initial update of the control structures, so the rewind might be partial.

The traditional way of doing this in the Linux kernel is somewhat like the following:

int foo(...)
{
int err = 0;
/* do stuff */
err = bar(...);
if (err)
goto error;
/* do even more stuff */
err = baz(...);
if (err)
goto error;
/* do yet more stuff */
out:
/* free temporary memory and unlock mutexes */
return err;
error:
/* unwind state updates */
goto out;
}

The kernel developers are pragmatic. If a kernel developer feels that using a "pseudo-loop" results in cleaner code, they do use it. However, for error handling the usual design pattern is either a "goto error" (single error label, pointers initialized to NULL) or a "goto error_foo" (many error labels, each falling through to the next, releasing resources in reverse order). On success, either the unlock is duplicated (it's usually just a unlock, memory is rarely allocated just for the duration of one function), or the error handling does a "goto out" like in the example above.

Re: The problem is with cleanups which should never be executed, unless an error happens.

Posted Dec 29, 2014 17:35 UTC (Mon) by ldo (guest, #40946) [Link] (4 responses)

This is why cleanups should be idempotent--pass the cleanup routine a NULL argument, and it does nothing. So the steps become something like

Allocate the first thing needing cleanup; abort on failure
Allocate the second thing needing cleanup; abort on failure
If the second thing subsumes the first thing (so cleaning up the second thing automatically cleans up the first thing), then you can set the first thing to NULL at this point, to avoid a double cleanup.
And so on.

So when you get to the end, you simply execute all the relevant cleanups unconditionally, and the ones with NULL arguments turn into no-ops.

Re: The problem is with cleanups which should never be executed, unless an error happens.

Posted Dec 29, 2014 18:14 UTC (Mon) by cesarb (subscriber, #6266) [Link] (3 responses)

> If the second thing subsumes the first thing (so cleaning up the second thing automatically cleans up the first thing), then you can set the first thing to NULL at this point, to avoid a double cleanup.

You still are in the "cleanup" mentality. But the problem with filesystems is not "cleanup", it's "rollback". There's nothing to subsume the relevant code, and it subsumes nothing else; it's really something which executes only on failure.

> So when you get to the end, you simply execute all the relevant cleanups unconditionally, and the ones with NULL arguments turn into no-ops.

That doesn't help with the situation in question, where the memory allocation routines never return "failure". The relevant error-recovery code would always get passed NULL, and so the branch which is called when it receives a non-NULL never gets tested.

Sure, you *called* the code unconditionally, but it doesn't change the fact that it *executes* conditionally. Whether the branch point is outside or inside it is immaterial. For instance, it's well-known that the standard "free(void *ptr)" function does nothing when called with a NULL argument, but that's because it begins with a conditional branch: "if (!ptr) return;". If it were always called with a NULL pointer, the most complex part of its code would never be exercised.

Re: You still are in the "cleanup" mentality.

Posted Dec 30, 2014 20:34 UTC (Tue) by ldo (guest, #40946) [Link] (2 responses)

That’s right. You keep insisting that “cleanup” and “rollback” are entirely different, whereas they are really two aspects of the same thing, and can be treated as such.

> That doesn't help with the situation in question, where the memory
> allocation routines never return "failure".

Returning NULL from an allocation request is a failure.

> Sure, you *called* the code unconditionally, but it doesn't change
> the fact that it *executes* conditionally.

Do you know what “abstraction” means?

Re: You still are in the "cleanup" mentality.

Posted Dec 30, 2014 22:33 UTC (Tue) by cesarb (subscriber, #6266) [Link] (1 responses)

> > That doesn't help with the situation in question, where the memory allocation routines never return "failure".
> Returning NULL from an allocation request is a failure.

Please, reread the article this comment thread is attached to.

The whole issue is that, under certain conditions, the allocation requests were *never* returning NULL, even when they should!

> > Sure, you *called* the code unconditionally, but it doesn't change the fact that it *executes* conditionally.
> Do you know what “abstraction” means?

Please, reread the article this comment thread is attached to.

Abstraction or not, it doesn't change the fact that, since the allocation requests were *never* returning NULL, even when they should, the error handling code was *never* being executed. It doesn't matter whether it has been abstracted away or not, untested code is untested code.

Re: requests were never returning NULL, even when they should!

Posted Dec 31, 2014 21:00 UTC (Wed) by ldo (guest, #40946) [Link]

Precisely the point. And changing them to return NULL is fraught, because the error-handling paths in the callers are quite likely riddled with omissions where they should be dealing with this case. And finding and fixing those omissions is hard, because the error-handling paths are so complex.

Which is why I am advocating simpler error-handling paths, as in my example.

The Story So Far...

Posted Dec 28, 2014 23:59 UTC (Sun) by bronson (guest, #4806) [Link] (1 responses)

You think that, just because nobody wants to refactor your 1300-line hellishly-nested file with way-too-long functions, you win the argument?

Hardly. Reread Cyberax's replies with an open mind this time. He's right: carefully applied gotos would take care of your "do /* once */ {} while(false)" nesting and ambiguous breaks. If you want to make your code more readable, this would be a great first step. After that, you could give it a good scrubbing with https://www.kernel.org/doc/Documentation/CodingStyle

But, from your aggressive writing style, it sounds like you'd rather argue.

Re: you win the argument?

Posted Dec 29, 2014 17:28 UTC (Mon) by ldo (guest, #40946) [Link]

Yes.

I took the trouble to write all that code which proves my point. If you want to prove yours, you have to do the same.

The Story So Far...

Posted Dec 29, 2014 0:35 UTC (Mon) by cesarb (subscriber, #6266) [Link]

> So they resort to trying to cast aspersions on the quality of my code.

Taking a look at that code, it's easy to see why. It has a rather unorthodox coding style, which can make coders used only to common coding styles for both C *and* Python recoil in horror.

The code layout is the first thing one unavoidably notices when first looking at a new source code file, so even before even they can even consider the actual code quality, your code already has a negative score in their minds.

In particular, Python does have a standard coding style for C code: https://www.python.org/dev/peps/pep-0007/. When in Rome...

Here are, in no particular order, a few of the things which made *me* recoil in horror on a quick look at that code:

* The placement of the parameters in a function definition.
* The placement of the comment describing the function. Its traditional location (and the one all code-documentation tools expect) is before the function; you placed it just before the opening brace, where the parameters types were declared in pre-standard C.
* The unorthodox indentation of a multi-line expression, which placed each operator in its own line (instead of, as usually done, either at the end or at the beginning of a line).
* The use of an "end comment" for control structures. An actual example from that code file:

for (; i < 4; ++i)
{
/* ... */
} /*if*/

Yes, the comment doesn't match the control structure it's attached to. This is why most people don't bother with these sorts of comments: unless they are part of the language (and thus forced to be correct by the compiler), they can and will end up being wrong.

None of that affects the quality of the compiled code; it's all stripped by the compiler (even the "dummy loops" are optimized out). The exception is all the PyErr_Occurred() calls; your code has redundant calls to that function (it's not a macro, so it won't be optimized out), which probably wouldn't happen with a more standard coding style.

Your code might or might not have a good quality; the strange coding style makes it unnecessarily hard to tell. And as others have noted, it has a few "code smells" (https://en.wikipedia.org/wiki/Code_smell), like excessively long functions, which usually correlate with a lower code quality.

The Story So Far...

Posted Dec 29, 2014 9:39 UTC (Mon) by itvirta (guest, #49997) [Link] (5 responses)

>The article is about an assumption about (lack of) possible failures of certain memory allocations,
>which has somehow baked itself into many parts of the Linux kernel since long before anyone can now remember.

About errors promised, but not returned, and the numerous error paths that are untested
because of that (plus a nice lock-up), if I got it right. The actual coding style of the error
paths seems unrelated.

> Yet, when challenged, they are unable to actually prove their point, by offering simpler
> alternatives to my code.
> So they resort to trying to cast aspersions on the quality of my code.

You've repeated about five times the suggestion that someone _else_ should prove their
way by reorganising _your_ code. Given that everyone else, including the Linux kernel folks
seem to be happy with their gotos against your suggestion, it seems that the numbers are
against you, and I've seen no proof for your way other than your personal (and persistent)
assertion.

Not that mere numbers prove everything, but it makes one wonder. As does the fact that
someone tried to rework your code, but made mistakes. Doesn't that also reflect badly on your
code? Perhaps it isn't as well-readable as you assert? Some specific issues about the coding
style have been mentioned, but I haven't seen any real arguments to defend them, except the
dogmatic anti-goto attitude. (And you accuse others of prejudice!)

I stumbled upon a rather apt quote attributed to Dijkstra regarding his well-known article
about not using goto. Perhaps you should ponder on it for a moment:
"I have the uncomfortable feeling that others are making a religion out of it, as if the conceptual
problems of programming could be solved by a single trick, by a simple form of coding discipline!"

> But that just brings us back to the same point: if they think my code is too complicated or just
> plain crap, why can’t they do better? Why can they not come up with something simpler to solve
> the same real-world problem? But they cannot.

If this is just an exercise, perhaps a smaller one would do. Also of course, you could do your
part in comparing the options. It's not like anyone has a responsibility to attend to exercises
someone else gives on the Internet. If you want to take the lack of submissions as proof of
your superior position, you are of course free to do so. But it doesn't mean you are right,
or that others will want to talk to you after that.

Somehow, I'm starting to hope you are just trolling. That would at least _explain_ all of this. :)

Re: If this is just an exercise, perhaps a smaller one would do

Posted Dec 30, 2014 21:00 UTC (Tue) by ldo (guest, #40946) [Link] (4 responses)

My sample code already includes both simple cases and complex ones. Others have already tackled the simple cases, and frankly, I don’t think they prove anything either way. But that is the nature of classroom exercises; they never quite prepare you for real-world code.

It is the complex cases that demonstrate the scalability of my technique over GOTOs. This is evidenced by the fact that no one can come up with an equivalent using GOTOs that is even correct.

Re: If this is just an exercise, perhaps a smaller one would do

Posted Dec 30, 2014 22:56 UTC (Tue) by cesarb (subscriber, #6266) [Link] (3 responses)

> This is evidenced by the fact that no one can come up with an equivalent using GOTOs that is even correct.

Absence of evidence is not evidence of absence.

You posted a large block of source code, without any testcases, written in an unorthodox coding style. To do a decent rewrite, first one would have to understand the code, which is made harder by the uncommon code style and by the fact that it's a mathematical algorithm; experienced programmers tend to "pattern match" the source code visually to skip unimportant details, but this can only happen if one is familiar with the coding style. Then one would have to carefully reformat each function, converting the do-nothing loops into straight code without breaking the do-something loops; this is made harder because the same keyword (break) is being used to exit both. Finally, one would have to refactor the code into a more traditional style, being very careful to not break anything (since there are no testcases).

That's a lot of work for something which would be used solely to score a rhetorical point and then thrown away; the maintainer of the code (you) would not accept the changed code, since you're being so dogmatic about your coding style.

It could be worth doing the exercise if there was any chance that it would not be a wasted effort. Since there isn't, there are better uses for our time, and that's probably why nobody's bothering.

Re: Absence of evidence is not evidence of absence.

Posted Dec 31, 2014 21:01 UTC (Wed) by ldo (guest, #40946) [Link] (2 responses)

*Yawn* More content-free hand-waving hot air. Show us the code!

Re: Absence of evidence is not evidence of absence.

Posted Dec 31, 2014 22:25 UTC (Wed) by bronson (guest, #4806) [Link] (1 responses)

If you want something to be rewritten so bad, why don't you rewrite the goto-laden kernel examples cesarb posted? It should be easy to demonstrate how much more readable your technique is.

Re: why don't you rewrite the goto-laden kernel examples cesarb posted?

Posted Jan 1, 2015 21:46 UTC (Thu) by ldo (guest, #40946) [Link]

Because they’re just not that interesting.

The Story So Far...

Posted Dec 29, 2014 18:36 UTC (Mon) by acollins (guest, #94471) [Link] (12 responses)

Looking at your spuhelper.c example has convinced me of the exact opposite. I find your error paths nearly unreadable.

A goto label would provide a clear indication of where error handling takes place, instead, in your code I have to look at all the surrounding context to figure out what on earth "break" means in that particular context (is it exiting a real loop normally or is it a do-nothing loop to avoid a goto?). You mix error handling and normal loop control flow in a very confusing manner.

Contrast this with far more complex kernel code I've read that is much more understandable at first glance, largely due to readable error handling.

A number of people have already replied with similar thoughts but I'll reiterate, instead of lashing out, perhaps take a look at the feedback and reconsider your code.

Re: Contrast this with far more complex kernel code

Posted Dec 30, 2014 20:36 UTC (Tue) by ldo (guest, #40946) [Link] (11 responses)

I’d be curious to know if anybody can point to an example in the kernel which has to deal with error recovery from inside a loop, similar to my code.

That is the one case where the goto-ists have so far fallen flat on their faces when trying to “improve” my code.

Re: Contrast this with far more complex kernel code

Posted Dec 30, 2014 22:27 UTC (Tue) by cesarb (subscriber, #6266) [Link] (10 responses)

> I’d be curious to know if anybody can point to an example in the kernel which has to deal with error recovery from inside a loop, similar to my code.

Sure. A very simple one, which should be easy to follow: the deeply nested unuse_mm() loop, which can be found at mm/swapfile.c. This is one I'm familiar with, other kernel developers most certainly know of better examples.

The first thing to notice is that, for better readability, it's split into several functions, one for each nesting level of the loop. The outermost loop, within unuse_mm, loops over the vmas and calls unuse_vma for each one. The next level, within unuse_vma, calls unuse_pud_range for each pgd; unuse_pud_range calls unuse_pmd_range for each pud; unuse_pmd_range calls unuse_pte_range for each pmd; and unuse_pte_range calls unuse_pte for each pte. Finally, unuse_pte does the real work, and it's where an error can happen.

Yes, we have a 5-level nested loop here, 4 of them looping over the 4-level abstract page table, with errors propagating outward from the innermost loop. Since each loop is in its own function, it doesn't use even need a "goto"; it can use a straight "return". But the innermost function (unuse_pte) does have an example of the traditional "cleanup" use of goto.

Now how about an example from XFS, since we're supposed to be talking about XFS? I randomly looked at its source code, and found xlog_alloc_log. That function has to deal with error recovery from before the loop, from after the loop, and from within the loop, and the error recovery must be run only on failure. It's an allocation function; if there's no failure, it must keep everything it allocated, and if there's any failure, it must release everything it has allocated.

Re: Finally, unuse_pte does the real work, and it's where an error can happen.

Posted Dec 31, 2014 21:56 UTC (Wed) by ldo (guest, #40946) [Link] (9 responses)

Speaking of which, I notice there is no error checking on this call to pte_offset_map_lock. Can that never fail?

And what happens if unuse_pte returns an error, anyway? Do the outer routines abort, and leave their work half-done? Is this supposed to be cleanup code, or not?

Re: Finally, unuse_pte does the real work, and it's where an error can happen.

Posted Dec 31, 2014 22:56 UTC (Wed) by cesarb (subscriber, #6266) [Link] (8 responses)

> Speaking of which, I notice there is no error checking on this call to pte_offset_map_lock. Can that never fail?

Looking at how it's implemented, that call does two things: it temporarily maps the page table, in a way which won't fail (in some architectures, it's a simple arithmetic operation, and in others, it uses a mechanism which has a number of slots reserved for temporary mappings), and it locks a spinlock. If the spinlock is unlocked, it can't fail; if the spinlock is locked, it will wait until its current owner unlocks it, so again it can't fail.

> And what happens if unuse_pte returns an error, anyway? Do the outer routines abort, and leave their work half-done?

The answer here is yes!

This code is ultimately called from within the swapoff system call (further down in the same file). There's in fact another outermost loop, try_to_unuse, which loops over the swapfile's pages and tries to unuse (yeah...) each one in turn. Here is where it's called:

1872 set_current_oom_origin();
1873 err = try_to_unuse(p->type, false, 0); /* force unuse all pages */
1874 clear_current_oom_origin();
1875
1876 if (err) {
1877 /* re-insert swap space back into swap_list */
1878 reinsert_swap_info(p);
1879 goto out_dput;
1880 }

Just before this fragment of code, the swapfile (or swap partition) is marked as disabled on the list of swapfiles. The try_to_unuse function then tries to move all the pages which currently reside into that swapfile back into the main memory, and make all page tables which pointed to these pages on the swap point to them in main memory, so the swapfile can be safely removed.

If try_to_unuse fails (usually because there's not enough memory to hold what's currently on the swapfile to be removed), this code enables the swapfile again (this part of the code used to be almost a duplicate of the corresponding part of the swapon code; I refactored it into a separate function used by both). It doesn't try to swap out again the pages it swapped in; if there's a need to free some of the main memory, the normal memory management code will swap them out again.

If try_to_unuse succeeds, on the other hand, the swapfile is now empty; the code after the fragment of code I pasted above releases all the resources which were allocated by the swapon system call for this swapfile, and returns success to the userspace.

Re:The answer here is yes!

Posted Jan 1, 2015 21:44 UTC (Thu) by ldo (guest, #40946) [Link] (7 responses)

In that case, this code is not very interesting. The interesting case would be the construction of a complex data structure, piece by piece, where each individual piece construction could fail. If any failures occur, then all the partially-constructed pieces so far need to be freed before returning an error indication to the caller. Only if all the construction steps succeed can the complete object be returned to the caller.

In my opinion, this would be just about the ultimate stress test of your error-recovery technique.

Search through my example for the comment “so I don't dispose of it yet” to see how I deal with this. You should find three instances.

Re:The answer here is yes!

Posted Jan 1, 2015 22:51 UTC (Thu) by reubenhwk (guest, #75803) [Link]

It seems like the vars around /* so I don't dispose of it yet */ are used as local variable where you're building/using something, and at a point (where the assignment of result is) is where you're ready to call this data structure complete and ready to return. I do something similar. When I can I try to ensure that a function either completely fails or completely succeeds with no in-between.

Re:The answer here is yes!

Posted Jan 1, 2015 23:12 UTC (Thu) by nix (subscriber, #2304) [Link]

There have been multiple worked examples of exactly this shown to you already.

Re:The answer here is yes!

Posted Jan 2, 2015 1:56 UTC (Fri) by cesarb (subscriber, #6266) [Link]

> In that case, this code is not very interesting. The interesting case would be the construction of a complex data structure, piece by piece, where each individual piece construction could fail.

Well, swapoff is the destruction of a complex data structure, not its construction. Its construction is the swapon system call, further down in the same file.

The same design pattern can be found all over the Linux kernel: there's a construction function, which constructs whatever complex data structure the module needs, and a destruction function, which releases it.

> If any failures occur, then all the partially-constructed pieces so far need to be freed before returning an error indication to the caller. Only if all the construction steps succeed can the complete object be returned to the caller.

In the swapon system call, there's a single error handling label "bad_swap" which frees all the partially-constructed data structures, undoes block device configuration, closes the opened file, and so on. It falls through to the "out" label, used for both the success and failure cases, which releases any temporarily used resources.

> Search through my example for the comment “so I don't dispose of it yet” to see how I deal with this. You should find three instances.

I see. You have two variables for the return value of the function: one which has its reference counter decremented at the end, and one which is actually returned from the function. You keep the allocated structure at the first one, and when everything's ready, you swap it with the second one. So in the failure case, the reference counter is decremented and it returns NULL; in the success case, the reference counter is not decremented and it returns the pointer to the structure.

It's an elegant way of doing it (though I'm annoyed at your inconsistency: twice you called it "result" and once you called it "Result"). It's also orthogonal to the use of goto versus pseudo-loop for cleanup: this trick can help simplify the code in both cases.

What you did is actually a design pattern in modern C++:

std::unique_ptr<foo> fn(/*args*/)
{
auto ret = std::make_unique<foo>(/*args*/);
/* ...code which can throw an exception... */
return ret;
}

Here, "ret" is a std::unique_ptr<foo>, which contains a pointer to a "foo". When this variable gets out of scope, which will happen if an exception is thrown, whatever is pointed to by "ret" will be deleted. When it reaches the "return ret", however, the pointer is moved (as in std::move) to the return value of the function, so when it leaves the scope, "ret" is pointing to NULL, and the returned object isn't deleted.

Re:The answer here is yes!

Posted May 23, 2017 13:21 UTC (Tue) by mirabilos (subscriber, #84359) [Link] (3 responses)

What, you don’t initialise them to NUL and just free them afterwards?

struct foo *foo = calloc(1, sizeof(foo));

if (!(foo->a = geta()))
goto out;
if (!(foo->b = getb()))
goto out;
if (!(foo->c = getc()))
goto out;
if (!(foo->d = getd()))
goto out;
return (foo);

out:
free(foo->d);
free(foo->c);
free(foo->b);
free(foo->a);
return (NULL); /* error */

Re:The answer here is yes!

Posted May 23, 2017 14:08 UTC (Tue) by anselm (subscriber, #2796) [Link] (2 responses)

This sort of thing may work most of the time, but just for the record, while calloc() fills the whole structure in question with all-bits-zero bytes, there is no guarantee in the C standard that an individual structure entry like foo->a will in fact turn out to be a valid null pointer afterwards. (The C language does not require the null pointer to be “all bits zero”, even though expressions like “!(foo->a = geta())” must still return 1, as in “true”, if the geta() call yields a null pointer.)

If you're unlucky this means that if, say, you error out when trying to allocate foo->b, the “free(foo->d);” at the beginning of the out: path might try to free something at the all-bits-zero-address-that-isn't-a-null-pointer that hasn't previously be allocated, which isn't allowed. This shortcut looks enticingly convenient and probably works on most platforms today but people who are interested in safe, portable, and standard-conforming C code shouldn't be using it.

Re:The answer here is yes!

Posted May 26, 2017 9:55 UTC (Fri) by mirabilos (subscriber, #84359) [Link] (1 responses)

Sure, but that can be implementation-defined, and POSIX does do this (in the next version):

http://austingroupbugs.net/view.php?id=940#c2696

Re:The answer here is yes!

Posted May 26, 2017 23:06 UTC (Fri) by nix (subscriber, #2304) [Link]

Note the freedom which still exists: there can be *other* bit patterns that also represent the null pointer. :)

Or You Could Simplify The Error-Recovery Paths

Posted Dec 29, 2014 19:14 UTC (Mon) by rleigh (guest, #14622) [Link] (4 responses)

Nowadays I'd do this:

std::unique_ptr<a> ptra(std::make_unique<a>(args)); // a instance allocated std::unique_ptr<b> ptrb(std::make_unique<b>(args)); // b instance allocated // stuff that might fail. ptrb->foo(ptra->bar()); // Cleanup of ptra a instance and ptrb b instance is automatic

I know this isn't going to be acceptable in the kernel, but in userspace this gives you guaranteed correct behaviour on error, and will clean up correctly on allocation failure of either instance, returns at any point and also exceptions at any point. No need for complex conditionals. No need for gotos. It's all automatically handled.

Unless you really want to suffer with C, you can just have it all handled if you use the facilities C++ offers you. The worry that you've missed some special case is taken care of by RAII, and it does lead to simpler, more readable, more maintainable and more robust code.

Or You Could Simplify The Error-Recovery Paths

Posted Dec 29, 2014 19:23 UTC (Mon) by cesarb (subscriber, #6266) [Link] (3 responses)

> Unless you really want to suffer with C, you can just have it all handled if you use the facilities C++ offers you.

If you are willing to use GNU extensions, you can have it on C too via __attribute__((__cleanup__(...))). One well-known project which uses it is systemd.

But I agree that it's not going to be acceptable in the kernel, since it introduces implicit calls to the cleanup functions, and kernel developers prefer to be explicit.

Or You Could Simplify The Error-Recovery Paths

Posted Dec 29, 2014 23:11 UTC (Mon) by rleigh (guest, #14622) [Link] (2 responses)

This is certainly a partial solution for C. It's akin to a shared_ptr custom deleter. It's not really a great alternative to C++ destructors, because the cleanup still needs specifying by hand for each type instance and it's not really encapsulated as well since the cleanup function is either local to the translation unit or effectively public without additional measures, but it's probably the best you're going to get out of C. If you're going this far into the nonportable and nonstandard with C, I'd argue you'd be better off using standard and portable C++.

Or You Could Simplify The Error-Recovery Paths

Posted Dec 30, 2014 23:28 UTC (Tue) by cesarb (subscriber, #6266) [Link] (1 responses)

Wouldn't it be more like a unique_ptr custom deleter instead of a shared_ptr custom deleter?

Or You Could Simplify The Error-Recovery Paths

Posted Dec 31, 2014 11:17 UTC (Wed) by rleigh (guest, #14622) [Link]

Yes, either works for the example above (I originally wrote it to use shared_ptr but updated the example to use unique_ptr).

Or You Could Simplify The Error-Recovery Paths

Posted Jan 12, 2015 0:54 UTC (Mon) by Kamilion (subscriber, #42576) [Link] (1 responses)

I want to thank everyone participating in this thread for providing their opinions, I'm an embedded HW guy but I've been starting out in python recently and just learned a *WHOLE* lot from this discussion thread.

I've been wondering how to interact between high level languages like python and low level languages like C, C++, and Rust for a good long time.

This has been a great window into some traps and pitfalls and how-times-have-changed situations.

Does anyone know of any coding contests where a body of decent coders critique intentionally terribly written code (as opposed to, say, Obfuscated C) in a manner such as this thread? I'm vaguely aware of code-golf from seeing sidebar-links on the stackoverflow network, which I guess could be close, but can anyone offer anything else similar?

Or You Could Simplify The Error-Recovery Paths

Posted Jan 12, 2015 12:53 UTC (Mon) by mathstuf (subscriber, #69389) [Link]

There's the Underhanded C contest.

Find and fix by exhaustion

Posted Dec 26, 2014 1:38 UTC (Fri) by davecb (subscriber, #1574) [Link]

For each caller of an allocator, record it's name and address
For each of these, start a standard regression test.
When the allocator is called
- turn on coverage tracking
- return error from the allocator
- run for another 10 instructions or so
- stop and mail the tcov results to the subsystem maintainer.
continue the loop with the next call

The maintainers then see if their error-handers work.

We used to a variant on this in Solaris, specifically using interposers to catch, report and continue after some #%#^!!! unwise person wrote
if (*p != '\0') instead of if (p != NULL & *p != '\0').

The trick is generalizable, so you can run in can't-fail mode on individual calls until they're all converted to handling failures properly.
It takes lots of calendar time, but not much time per individual maintainer, so it scales.

--dave

The "too small to fail" memory-allocation rule

Posted Dec 31, 2014 2:23 UTC (Wed) by gerdesj (subscriber, #5446) [Link] (4 responses)

I rather enjoyed reading the comments here. I have my own views, as a sysadmin, on the finer points of programming constructs ...

Many here are experts in some way or another. Some are regarded as de-facto experts by most of their peers. I think we might all learn by listening even when the speaker is clearly wrong by our own measure.

This article was about long held assumptions being shown to not be quite right and that seems somehow appropriate in the comments final analysis.

Cheers
Jon

The "too small to fail" memory-allocation rule

Posted Dec 31, 2014 8:50 UTC (Wed) by cyronin (subscriber, #99592) [Link] (3 responses)

I feel like this is a nice analysis of this page. while the goto versus do-break-while() discussion seemed frustratingly pointless and off topic, I gained a refreshing insight of the rationale behind coding style decisions that you don't often see in coding style documentation.

I've often been told that the best way to learn something is to assert the wrong thing to experts, and they will give a clearer rationale on that topic than you will ever get from any other source. As a bonus, you might even cause a previously unnoticed rational inconsistency to become obvious, via the rubber duck effect.

The "too small to fail" memory-allocation rule

Posted Jan 1, 2015 1:05 UTC (Thu) by nix (subscriber, #2304) [Link]

I've often been told that the best way to learn something is to assert the wrong thing to experts, and they will give a clearer rationale on that topic than you will ever get from any other source.

It's even better if you can manage to accidentally manage this trick when your interlocutor is the original inventor of whatever-it-is. Particularly if you didn't realise it. (This was much easier before the days of web search engines, but if you don't think to check it can happen these days too.)

It's a highly efficient way to become rapidly convinced that you are still below the Dunning-Kruger bound on whatever it is. :)

(I have, of course, been there. More than once...)

The "too small to fail" memory-allocation rule

Posted Jan 1, 2015 21:16 UTC (Thu) by zlynx (guest, #2285) [Link] (1 responses)

> I've often been told that the best way to learn something is to assert the wrong thing to experts, and they will give a clearer rationale on that topic than you will ever get from any other source.

This may be true but to do it on purpose only wastes the expert's time and make them stop wanting to talk to anyone.

In my opinion this is why discussions on comp.lang.c eventually turned every thread into "Read the FAQ" and for a while StackOverflow every new question was turned into a duplicate, until it became too much work to even find the duplicate for each stupid question and now the site is mostly junk. In my opinion.

The "too small to fail" memory-allocation rule

Posted Jan 2, 2015 3:12 UTC (Fri) by marcH (subscriber, #57642) [Link]

> and now the site is mostly junk

Who reads the entire site and cares?

Partial static analysis of error paths

Posted Jan 5, 2015 10:06 UTC (Mon) by mtorni (guest, #3618) [Link]

Wouldn't static analysis of error-handling code help with checking some of those error paths?

I was thinking of checking all the execution paths (disregarding loops)
and producing a report of all possible cases of remaining allocations and not-rolled-back actions. For a simple function the report would be the "happy case" (several allocations in effect, perhaps a lock) and "failure" (no allocations and locks in effect after exit). If the function had error-handling bugs, there would be also be partial exit cases (some allocations in force, perhaps a lock).

Might be some work to implement, but the reports could be great for verification of code before commits.

The "too small to fail" memory-allocation rule

Posted Jan 8, 2015 13:41 UTC (Thu) by pebolle (guest, #35204) [Link]

"Nobody really knows when the rule that these allocations could not fail went into the kernel; it predates the Git era."

This triggered me to try to uncover that history. I think I managed to do that. These are the highlights. I won't actually analyze these highligths: just finding them already cost me quite a bit of time!

It appears to start at v2.4.10 which included a "major rewrite of the VM code" by Andrea Arcangeli. That apparently "came as a bit of a surprise" to most kernel developers . As far as I understand quite a few threads on lkml discuss the exiting bugs people hit in that code.

One of the tweaks to that code was added in v2.4.11-pre6. It added

       /* Don't let big-order allocations loop */
       if (order)
               return NULL;

to mm/page_alloc.c:__alloc_pages(). This appears to be added by Linus himself. I have not (yet) found any public discussion of this change.

In v2.4.13-pre5 these lines were changed to

       /* Don't let big-order allocations loop */
       if (order > 1)
               return NULL;

(I haven't tried to link this change to a patch or a public discussion.)

Then between v2.4.14-pre8 and v2.4.14 these were changed to

       /* Don't let big-order allocations loop */
       if (order > 3)
               return NULL;

This seems to done again by Linus himself.

Fast forward to v2.5.46. It included a patch by Andrew Morton titled "disable PF_MEMALLOC for interrupt allocations". It "tidies things up a little in there" by changing the code to

      /*
       * Don't let big-order allocations loop.  Yield for kswapd, try again.
       */
      if (order <= 3) {
              yield();
              goto rebalance;
      }

Andrew Morton again cleaned up the code quite a bit in v2.5.69 with the patch called "implement __GFP_REPEAT, __GFP_NOFAIL, __GFP_NORETRY". I won't quote the new code.

And, finally, in the git era "3" was changed in v2.6.23 to "PAGE_ALLOC_COSTLY_ORDER" by Andy Whitcroft's commit 5ad333eb66ff ("Lumpy Reclaim V4").

Anyone with access to a Linux git repository can easily follow the subsequent changes to that code. But hopefully this shows the history before the Git era (ie, before v2.6.12). Unless, of course, this isn't actually the code discussed in this article!

The "too small to fail" memory-allocation rule

Posted Jan 19, 2015 15:53 UTC (Mon) by pal (guest, #57253) [Link] (1 responses)

there is a well-known rule: never call foreign code while holding a lock. which is violated by calling memory allocation in xfs. changing memory allocation behavior instead of following this simple rule is a whack-a-mole game itself

The "too small to fail" memory-allocation rule

Posted Jan 19, 2015 18:33 UTC (Mon) by dgm (subscriber, #49227) [Link]

I have never seen this rule (or at least not in that form). What I have seen is a guideline that hints that the code protected by a lock should be as small and straightforward as possible.

Your rule actually makes a lot of sense. Locks exists to ensure concurrent access to a shared resource in a coherent way. If you're calling "foreign" code, then your code is not just accessing the shared resource, and thus it is protecting too much. Probably the "right" thing to do is to move all resource allocations (including memory) outside the lock scope, and only acquire the lock once all the needed resources are ready.

The "too small to fail" memory-allocation rule

Posted Feb 12, 2015 13:30 UTC (Thu) by wenhua.yu (guest, #100439) [Link] (2 responses)

讨论这么热烈，
我就看看

The "too small to fail" memory-allocation rule

Posted Feb 17, 2015 19:43 UTC (Tue) by bronson (guest, #4806) [Link]

It really was. I'm hoping there will be another article summarizing the comments.

The "too small to fail" memory-allocation rule

Posted Mar 17, 2015 16:55 UTC (Tue) by meuh (guest, #22042) [Link]

According to some online translator: "So lively discussion, I'll take a look".

The "too small to fail" memory-allocation rule

Posted May 30, 2022 13:28 UTC (Mon) by huxiaoming (guest, #158793) [Link]

check https://lwn.net/Articles/668126/ for the following up

The "too small to fail" memory-allocation rule

Small allocations and OOM killer

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Error recovery (was: The "too small to fail" memory-allocation rule)

Re: OTOH, Android expects its apps to be able to handle crashes cleanly.

Re: OTOH, Android expects its apps to be able to handle crashes cleanly.

The "too small to fail" memory-allocation rule

XFS

XFS

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

Re: shouldn't require a complete copy of the parent process's memory

Re: shouldn't require a complete copy of the parent process's memory

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

The "too small to fail" memory-allocation rule

Or You Could Simplify The Error-Recovery Paths

Or You Could Simplify The Error-Recovery Paths

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Re: Wouldn't it be simpler and more readable to use a goto instead of a pseudo-loop?

Re: There would be precisely as many "goto" statements

Re: There would be precisely as many "goto" statements

Re: So, YES to gotos for error handling!

Re: There would be precisely as many "goto" statements

Re: There would be precisely as many "goto" statements

Re: There would be precisely as many "goto" statements

Re: There would be precisely as many "goto" statements

Re: There would be precisely as many "goto" statements

Re: you're wrong about the claim of needing a billion labels

Re: you're wrong about the claim of needing a billion labels

Re: deeply nested allocations example *should* be solved by factoring out

Re: deeply nested allocations example *should* be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: deeply nested allocations example should be solved by factoring out

Re: The problem is with cleanups which should never be executed, unless an error happens.

Re: The problem is with cleanups which should never be executed, unless an error happens.