chris...@astron.com (Christos Zoulas) writes:

> In article <20151210081103.e0fbbf...@cvs.netbsd.org>,
> Kengo NAKAHARA <source-changes-d@NetBSD.org> wrote:
>>-=-=-=-=-=-
>>
>>Module Name:  src
>>Committed By: knakahara
>>Date:         Thu Dec 10 08:11:03 UTC 2015
>>
>>Modified Files:
>>      src/sys/net: if_gif.c
>>
>>Log Message:
>>kmem_zalloc(, KM_SLEEP) must not return NULL.
>
> I would like to solicit opinions about this change and form a general
> policy.
>
> 1. I would like to reduce the use of KASSERT in the kernel, especially
> in situations like the above where the test can be centralized (inside
> kmem_alloc) and avoided without being fatal.
>
> 2. Static analyzer models understand allocators, but they are not
> smart enough to determine under which situations they can fail. I
> believe even kmem_alloc with KM_SLEEP can fail when the size is
> large enough.
>
> So I propose to always check the return value of allocators with
> an 'if' and not a KASSERT.

I think that a function needs to have a contract specified in a comment
(and perhaps static analyzer markup).  Code should never KASSERT for
anything that cannot be argued (statically shown) to be always true
given contracts.  So I agree with you.

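The two styles under discussion, as an added userland example that is not
from if_gif.c, the commit, or either poster.  model_kmem_zalloc() and the
KM_* flags are a stand-in for kmem(9) written for this example; the size
ceiling MODEL_MAX_ALLOC is a hypothetical way to model the "large enough
size" failure Christos describes, not a statement about what the real
allocator does.  attach_asserting() is the committed form (KASSERT the
contract), attach_checked() is the proposed form (an 'if' that returns
ENOMEM); the point is that the checked form stays correct whether or not
the allocator can actually fail, while the asserting form silently
dereferences NULL once the assertion is compiled out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userland stand-in for kmem(9); the bodies are a model, not kernel code. */
#define KM_SLEEP	0x0001
#define KM_NOSLEEP	0x0002

/* Hypothetical ceiling: requests above it fail even with KM_SLEEP. */
#define MODEL_MAX_ALLOC	((size_t)64 * 1024 * 1024)

static void *
model_kmem_zalloc(size_t size, int kmflags)
{
	(void)kmflags;
	if (size == 0 || size > MODEL_MAX_ALLOC)
		return NULL;
	return calloc(1, size);
}

/* Model of KASSERT: fatal when MODEL_DIAGNOSTIC is defined, a no-op otherwise. */
#ifdef MODEL_DIAGNOSTIC
#define MODEL_KASSERT(e)	do { if (!(e)) abort(); } while (0)
#else
#define MODEL_KASSERT(e)	((void)0)
#endif

struct model_softc {
	char		name[16];
	size_t		extra_len;
	unsigned char	extra[];	/* variable-size tail, so size can grow */
};

/*
 * Committed style: trust the KM_SLEEP contract and KASSERT it.  If the
 * assertion is compiled out, a NULL return is dereferenced right below.
 */
static struct model_softc *
attach_asserting(size_t extra_len)
{
	struct model_softc *sc;

	sc = model_kmem_zalloc(sizeof(*sc) + extra_len, KM_SLEEP);
	MODEL_KASSERT(sc != NULL);
	strncpy(sc->name, "gif0", sizeof(sc->name) - 1);
	sc->extra_len = extra_len;
	return sc;
}

/*
 * Proposed style: test with an 'if' and report ENOMEM to the caller.
 * Correct whether or not the allocator can actually return NULL.
 */
static int
attach_checked(size_t extra_len, struct model_softc **scp)
{
	struct model_softc *sc;

	sc = model_kmem_zalloc(sizeof(*sc) + extra_len, KM_SLEEP);
	if (sc == NULL)
		return ENOMEM;
	strncpy(sc->name, "gif0", sizeof(sc->name) - 1);
	sc->extra_len = extra_len;
	*scp = sc;
	return 0;
}

/* Probe: a small request must succeed and be fully initialised. */
static int
probe_small(void)
{
	struct model_softc *sc = NULL;
	int error = attach_checked(256, &sc);

	if (error != 0 || sc == NULL || sc->extra_len != 256 ||
	    strcmp(sc->name, "gif0") != 0)
		return -1;
	free(sc);
	return 0;
}

/* Probe: an oversized request must come back as ENOMEM with *scp untouched. */
static int
probe_huge(void)
{
	struct model_softc *sc = NULL;
	int error = attach_checked(MODEL_MAX_ALLOC + 1, &sc);

	return (sc == NULL) ? error : -1;
}

int
main(void)
{
	struct model_softc *sc = attach_asserting(256);

	printf("asserting small: %s\n", sc->name);
	free(sc);
	printf("checked small: %d, checked huge: %d (ENOMEM=%d)\n",
	    probe_small(), probe_huge(), ENOMEM);
	return 0;
}
```

Build with -DMODEL_DIAGNOSTIC to see the asserting form abort on an
oversized request instead of touching a NULL pointer; without it the
asserting form is exactly the situation the 'if' form avoids.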