25

I often catch myself doing the following (in non-critical components):

some_small_struct *ptr=(some_small_struct *) malloc(sizeof(some_small_struct));
ptr->some_member= ...;

In words, I allocate dynamically memory for a small structure and I use it directly without checking the malloc'ed pointer. I understand there is always a chance that the program won't get the memory it asks for (duh!) but consider the following:

If the program can't even get some memory for a small structure off the heap, maybe there are much bigger problems looming and it doesn't matter after all.

Furthermore, what if handling the null pointer exacerbates the precarious situation even more?? (e.g. trying to log the condition calls even more non-existing resources etc.)

Is my reasoning sane (enough) ?

Updated:

  1. A "safe_malloc" function can be useful when debugging and might be useful otherwise
  2. +X access can hide the root cause of a NULL pointer
  3. On Linux, "optimistic memory allocation" can shadow loomin OOM (Out-Of-Memory) conditions
Improve this question
2
  • Best practices means strength and stability for all systems. Apply them depends on us. Commented Dec 21, 2009 at 17:21
  • Found a related question ( I like Reed Copsey contribution ): stackoverflow.com/questions/691402/… Commented Dec 22, 2009 at 14:48

10 Answers 10

Reset to default
22

Depends on the platform. For instance, on Linux (by default) it does not make much sense to check for NULL:

http://linux.die.net/man/3/malloc

By default, Linux follows an optimistic memory allocation strategy. This means that when malloc() returns non-NULL there is no guarantee that the memory really is available. This is a really bad bug. In case it turns out that the system is out of memory, one or more processes will be killed by the infamous OOM killer.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Malloc can still return NULL when the address space is full.
It's called memory overcommit and it can be disabled so this is not really true.
@boraalper4: I wrote "by default" which pretty clearly implies it can be disabled. So which part is not true?
@Nemanja Trifunovic: "it does not make much sense to check for NULL"; if it can be disabled, then it does make sense to check for NULL. (Of course you may not want to bother with checking the return value every time.)
11

In the case of C, it depends on the platform. If you are on an embedded platform with very little memory, you should alweays check, thouggh what you do if it does fail is more difficult to say. On a modern 32-bit OS with virtual memory, the system will probably become unresponsive and crash before it admits to running out of memory. In this case, the call to malloc never returns, so the utility of checking its value becomes moot.

In the case of C++, you should be using new instead of malloc, in which case an exception will be raised on exhaustion, so there is no point in checking the return value.

Improve this answer

14 Comments

But in the C case you should always check. Unresponsive and recoverable is better than a crash.
@Martin: like what? I am truly curious as I have no idea what exit() might provide as value to me. Please explain.
@Martin At least on UNIX like operating systems, a memory access violation may well be better than exiting cleanly, because then you will get a core dump.
@Mattin The core will also tell you WHERE you ran out of memory, assuming you use the pointer immediately after malloc'ing it, as the OP asked about.
"On a modern 32-bit OS with virtual memory, the system will probably become unresponsive and crash before it admits to running out of memory. In this case, the call to malloc never returns, so the utility of checking its value becomes moot." This is not true at all, the malloc can fail just because there's not enough (continuous) memory in the address space, and this does not imply that the system ran out of memory: actually the virtual address space on a 32 bit OS is up to 4 GB wide, while the physical memory can be much more, not counting the swap space. So, check that return value.
|
7

I would say No. Using a NULL pointer is going to crash the program (probably).
But detecting it and doing something intelligent will be OK and you may be able to recover from the low memory situation.

If you are doing a big operation set some global error flag and start unwinding the stack and releasing resources. Hopefully one or more of these resources will be your memory hog and your application will get back to normal.

This of course is a C problem and handeled automatically in C++ with the help of exceptions and RAII.
As new will not return NULL there is no point in checking.

Improve this answer

6 Comments

@Martin: the system (as Neil pointed out also) will probably become unresponsive to the point that any recovery might be a pointless operation. If something is eating memory faster than can be meaningfully mitigated, I see no point.
C++ manages to do it. If something is eating memory fast, then stop doing something. Release all resources to-do with something get back to a normal state then report the error. With work C can be made to handle errors just like C++. At worst call exit() and shut down cleanly. Generating segfaults because you can be bothered to code correctly is not going to make your customers confident in your ability.
@Martin: (1) program X might not be the one eating memory, it could be program Y. (2) your suggestion to call exit() is acknowledged (3) back to my initial point: if my program (say X) can't even grab some 16bytes to manipulate a structure, I am pretty sure the error log of the host will anyhow get filled my other nasty things. The customer in question will get its hands full with other concerns and the segfault you are referring to might not be his biggest concern.
@jldupont. 1) If we are in an embeded platform the X and Y may interact. But you definately need to check there. If we are on Windows the usage of memory by X will not affect the memory available to Y.
For those who say that you cannot do useful things when you run out of memory, think again. The key is planning ahead. Allocate memory specifically for dealing with such problems at program startup. Use this memory when calling myexit(). If you need to call third party code, which may want more memory, freeing a block of memory you allocated early on for the sole purpose of deallocating /might/ help reclaim memory that can be used.
|
7

Allocations can fail for several reasons. What you do (and can do) about it depends in part on the allocation failure.

Being truly out of memory is catastrophic. Unless you've made a careful plan for this, there's probably nothing you can do. (For example, you could have pre-allocated all the resources you'd need for an emergency save and shutdown.)

But many allocation failures have nothing to do with being out of memory. Fragmentation can cause an allocation to fail because there's not enough contiguous space available even though there's plenty of memory free. The question specifically said a "small structure", so this is probably as bad as true out-of-memory condition. (But code is ever-changing. What's a small structure today might be a monster tomorrow. And if it's so small, do you really need memory from the heap or can you get it from the stack?)

In a multi-threaded world, allocation failures are often transient conditions. Your modest allocation might fail this microsecond, but perhaps a memory-hogging thread is about to release a big buffer. So a recovery strategy might involve a delay and retry.

How (and if) you handle allocation failure can also depend on the type of application. If you're writing a complex document editor, and a crash means losing user's work, then it's worth expending more effort to handle these failures. If your application is transactional, and each change is incrementally applied to persistent storage, then a crash is only a minor inconvenience to the user. Even so, logging should be considered. If you're application is routinely getting allocation failures, you probably have a bug, and you'll need the logs to know about it and track it down.

Lastly, you have to think about testing. Allocation failures are rare, so the chance that recovery code has been exercised in your testing is vanishingly small--unless you've taken steps to ensure test coverage by artificially forcing failures. If you aren't going to test your recovery code, then it's probably not worth writing it.

Improve this answer

Comments

2

at the very least I would put an assert(ptr != NULL) in there so you get a meaningful error.

Improve this answer

11 Comments

@Evan: but, to my point, wouldn't this trigger a chain of events that couldn't be supported anyways?
@jldupont: Yes, but think about this: Imagine that the ptr->some_member =... doesn't cause a segfault, but it overwrites something that causes a segfault much later. A very nasty bug is well hidden. The assert will catch it right away.
@jldupont: Yes, but event if accessing *NULL faults, which it doesn't always, accessing *(NULL + 4) may not.
The assert is meaningless as it will only abort in test-environments while out-of-memory situations are much more common in real situations. The assert will only tell you that it is likely to have an out-of-memory situation or will you ship your product in debug-mode?
Still, in that case, I would go for a SafeMalloc() function that does the (assert) check instead of putting asserts all over the place.
|
2

Furthermore, what if handling the null pointer exacerbates the precarious situation even more??

I do not see why it can exacerbate the situation.
Anyway, when writing code for windows ptr->some_member will throw access violation so you will immediately see the problem, therefore I see no reason to check the return value, unless your program has some opportunity to free the memory. For platforms that do not handle null-pointers in a good way(throwing exception) it is dangerous to ignore such points.

Improve this answer

5 Comments

+1: exactly. Which platforms would not handle null-pointers? (aside from embedded systems probably)
even if ptr is a null pointer (ie its value lies in a reserved region of the address space), that's not necessarily true for ptr->foo or ptr[42]
@Christoph: excellent point. Maybe the added tweak would be in accessing +0 first then.
I do not think some_small_struct will have a size of 1 Mb (or what is exact value for NULL-pointer assignment memory partition?)
@ironic: that's platform specific; if you're confident the code will never exhaust the reserved space on all platforms its going to be ported to, feel free to drop checks for NULL; meanwhile, I'll continue to accompany each foo = malloc(sizeof *foo) with a if(!foo) [...] where [...] is something like return NULL, abort(), log("out of memory"), ...
2

Assuming that you are running on a Linux/MaxOs/Windows or other virtual memory system, then... the only reason to check the return value from malloc is if you have a strategy for freeing up enough memory to allow the program to continue running. An informative message will help in diagnosing the problem, but only if your program caused the out-of-memory situation. Usually it is not your program and the only thing that your program can to do help is to exit as quickly as possible.

assert(ptr != NULL);

will do all of these things. My usual strategy is to have a layer around malloc that has this in it.

void *my_malloc(size_t size)
{
    void *ptr = malloc ( size );
    assert(ptr != NULL);
    return *ptr;
}

Then you call my_malloc instead of malloc. During development I use a memory allocation library that is conducive to debugging. After that if it runs out of memory - I get a message.

Improve this answer

2 Comments

Don't forget to use the corresponding my_free! Otherwise it is an error ;)
This assert is useless: the most likely case where malloc will fail is production, not your tests. And in production one normally ships release builds, which define NDEBUG, which makes all the asserts no-ops.
1

Yes, having insufficient memeory will almost certatinly presage other failures coming soon. But how sure are you that no corrupt output will occur between the failure to allocate and the final crash?

How sure are you for every program, every time you make an edit.

Catch your errors so you can know you crashed on time.

Improve this answer

1 Comment

+1: for addressing the incertitude. This strategy coupled with safemalloc might be a good combo. thanks.
0

It is possible to allocate a largish chunk of memory at startup that you can free when you hit an out of memory condition and use that to shut down gracefully.

Improve this answer

4 Comments

@Eclipse: yes of course (the "constant memory" pattern) but this isn't what the question is about.
This won't actually work on Linux, which will happily overcommit memory (see also OOM killer). Your "freeable" block will be a reserved section of address space with no actual memory backing it, so when you free it, things don't get any better. ::sigh::
You will have some level of stack memory left (otherwise you would have hit a stack overflow, not a NULL return from malloc). Unless you hit both conditions at the same time, you shouldn't have a problem handling the situation as long as you don't need to allocate more heap space until you can free the reserve memory.
You could reserve your safety block and then access each memory page of it to force the memory manager to connect some backing memory. They you get this trick back again.
0

I always feel it is important and best to handle the return of malloc or any other system call for that matter. Though in modern systems (apart from embedded ones) it's a rare scenario unless and until your code uses too much memory, it's always safer.

Continuing the code after a system call failure can lead to corruption, crash and what not apart from making your program look bad.

Also, in linux, memory allocated to a process is limited. Try creating 1000 threads in a process and allocate some memory in each one of them, then you can easily simulate the low memory condition. : )

Always better to check for sys call return values!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.