From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Safe memory allocation functions |
Date: | 2015-01-14 20:54:20 |
Message-ID: | CA+TgmoZpmLkCt6EaY34_bVTDK-0+6sAKo41XuEvC4-ZY0+1M0A@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Jan 13, 2015 at 10:10 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> However, there is a larger practical problem with this whole concept,
> which is that experience should teach us to be very wary of the assumption
> that asking for memory the system can't give us will just lead to nice
> neat malloc-returns-NULL behavior. Any small perusal of the mailing list
> archives will remind you that very often the end result will be SIGSEGV,
> OOM kills, unrecoverable trap-on-write when the kernel realizes it can't
> honor a copy-on-write promise, yadda yadda. Agreed that it's arguable
> that these only occur in misconfigured systems ... but misconfiguration
> appears to be the default in a depressingly large fraction of systems.
> (This is another reason for "_safe" not being the mot juste :-()
I don't really buy this. It's pretty incredible to think that after a
malloc() failure there is absolutely no hope of carrying on sanely.
If that were true, we wouldn't be able to ereport() out-of-memory
errors at any severity less than FATAL, but of course it doesn't work
that way. Moreover, AllocSetAlloc() contains malloc() and, if that
fails, calls malloc() again with a smaller value, without even
throwing an error.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
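As an added illustration of the mechanics being argued over (this is example code written for this page, not PostgreSQL's allocator; the names alloc_extended, ALLOC_NO_OOM, ALLOC_ZERO, alloc_array_no_oom, alloc_shrinking and shrink_demo are this example's own assumptions, and abort() stands in for reporting the error the way a backend would): a minimal "no OOM" allocation variant that hands NULL back to the caller instead of erroring, the size-overflow check such a function needs so a hostile element count cannot wrap into an undersized buffer, and a shrinking retry in the spirit of the AllocSetAlloc() behaviour Robert describes. The caveat Tom raises is recorded in the comments: a non-NULL return only means the request was accepted, not that the pages can later be written without the process being killed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flags for the example's allocation entry point (this example's names). */
#define ALLOC_NO_OOM  0x01   /* return NULL on failure instead of erroring */
#define ALLOC_ZERO    0x02   /* zero the block before returning it */

/*
 * alloc_extended: allocate `size` bytes.  Without ALLOC_NO_OOM a failure is
 * treated as an error (abort() here stands in for an error report); with it
 * the function returns NULL and the caller decides how to recover.
 *
 * Caveat: on an overcommitting kernel a non-NULL result is only a promise.
 * The real failure can surface later, as SIGSEGV or an OOM kill, when the
 * pages are first written.  Nothing below can detect that case.
 */
static void *
alloc_extended(size_t size, int flags)
{
    void *p;

    if (size == 0)
        size = 1;               /* malloc(0) may legally return NULL */
    p = malloc(size);
    if (p == NULL)
    {
        if (flags & ALLOC_NO_OOM)
            return NULL;
        abort();                /* the "report an error" path */
    }
    if (flags & ALLOC_ZERO)
        memset(p, 0, size);
    return p;
}

/*
 * alloc_array_no_oom: allocate n elements of elemsize bytes, refusing
 * requests whose byte count would wrap.  Checking before the multiply is
 * what keeps an attacker-chosen n from yielding a small block that a later
 * loop over n elements overruns.
 */
static void *
alloc_array_no_oom(size_t n, size_t elemsize)
{
    if (elemsize != 0 && n > SIZE_MAX / elemsize)
        return NULL;            /* would overflow size_t */
    return alloc_extended(n * elemsize, ALLOC_NO_OOM);
}

/*
 * alloc_shrinking: when `wanted` bytes cannot be obtained, keep halving the
 * request down to `minimum` instead of giving up.  On success *got holds the
 * size actually allocated; on failure it is 0 and NULL is returned.
 */
static void *
alloc_shrinking(size_t wanted, size_t minimum, size_t *got)
{
    size_t size = wanted;

    if (minimum == 0)
        minimum = 1;
    while (size >= minimum)
    {
        void *p = alloc_extended(size, ALLOC_NO_OOM);

        if (p != NULL)
        {
            *got = size;
            return p;
        }
        if (size == minimum)
            break;
        size = (size / 2 < minimum) ? minimum : size / 2;
    }
    *got = 0;
    return NULL;
}

/* shrink_demo: run alloc_shrinking and report the size it settled on. */
static size_t
shrink_demo(size_t wanted, size_t minimum)
{
    size_t got;
    void *p = alloc_shrinking(wanted, minimum, &got);

    free(p);                    /* free(NULL) is a no-op */
    return got;
}

int
main(void)
{
    void *p = alloc_extended(SIZE_MAX, ALLOC_NO_OOM);

    printf("SIZE_MAX request with NO_OOM -> %s\n", p ? "block" : "NULL");
    free(p);
    printf("overflowing array request -> %s\n",
           alloc_array_no_oom(SIZE_MAX / 2 + 1, 4) ? "block" : "NULL");
    printf("shrinking from SIZE_MAX settled on %zu bytes\n",
           shrink_demo(SIZE_MAX, 4096));
    return 0;
}
```

The ALLOC_NO_OOM path is the only one a caller can recover from in-line; everything else in the block exists to make that path safe to expose, since a function that quietly returns memory for a wrapped size is worse than one that errors.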