Paul Eggert wrote:
> I installed this patch instead.
Thanks.
> I prefer to put it into a C++ ghetto area of the code.
I was hesitating about this too.
What I realize now is that we are using xmalloc() too often, and xnmalloc()
not often enough. xnmalloc() is designed to be safe against integer
multiplication overflow. Yet we have this:
clean-temp.c:277: xmalloc (new_allocated * sizeof (struct tempdir *
volatile));
fatal-signal.c:210: xmalloc (new_actions_allocated * sizeof
(actions_entry_t));
fstrcmp.c:623: buffer = (int *) xmalloc (bufmax * (2 * sizeof (int)));
getgroups.c:53: gbuf = xmalloc (n * sizeof *gbuf);
gl_array_list.c:92: (const void **) xmalloc (count * sizeof (const void *));
gl_carray_list.c:65: (struct gl_list_impl *) xmalloc (sizeof (struct
gl_list_impl));
group-member.c:60: group = xmalloc (n_group_slots * sizeof *group);
The sinner is mostly me, but not only me :-)
How about adding a macro with type argument, like we had a few years ago
(before xnmalloc was invented)? One can design it with a type as argument,
or with an expression of that type as argument. Both are feasible in a way
such that
1. xnmalloc is called, enabling the overflow check,
2. there are no warnings/errors about the return type.
Here's some prototype code for testing. What do you think?
Bruno
---------------------------------------------------------------------------
#include <stdlib.h>
extern void * xmalloc (size_t n);
extern void * xnmalloc (size_t n, size_t s);
#define XALLOC_WITH_TYPE(N,TYPE) (TYPE *) xnmalloc (N, sizeof (TYPE))
#ifdef __cplusplus
template <typename T>
inline T * XALLOC_WITH_EXPRESSION (size_t n, T expr)
{
return (T *) xnmalloc (n, sizeof (T));
}
#else
#define XALLOC_WITH_EXPRESSION(N,EXPR) xnmalloc (N, sizeof (EXPR))
#endif
struct foo { int x; char y; };
struct foo * bar1 ()
{
return XALLOC_WITH_TYPE (3, struct foo);
}
struct foo * bar2 (struct foo *p)
{
return XALLOC_WITH_EXPRESSION (3, *p);
}
