> Date: Tue, 22 Jul 2014 21:21:39 +0000
> From: Doug Hogan <d...@acyclic.org>
>
> On Tue, Jul 22, 2014 at 02:51:17AM -0400, Jean-Philippe Ouellet wrote:
> > That is misleading in the M_CANFAIL case.
> >
> > I'm not terribly good at wording things, but I suggest something
> > more like this instead:
>
> Hmm I think it's only misleading in the M_CANFAIL case. I think this
> diff makes it a little more complex than it needs to be. What do you
> think about leaving the malloc option section as-is and instead
> explain how mallocarray() operates before it calls malloc()?
>
> Something along these lines: "mallocarray(9) is a wrapper around
> malloc(9) that checks for overflow. If arithmetic overflow is detected,
> it returns NULL when M_CANFAIL is enabled or else calls panic().
> Otherwise, it has the same behavior as malloc."
>
> Does that work?
Hmm, I believe, quite strongly, that we should always panic when an arithmetic overflow is detected. The M_CANFAIL flag is really there to allow for failure in certain low-memory conditions, not to recover from programming bugs.
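The thread describes mallocarray(9) as a wrapper that checks nmemb * size for overflow before calling malloc(9), returning NULL under M_CANFAIL or panicking otherwise. The following is an added userland model of that check, written for this page and not taken from the OpenBSD kernel: `array_size_overflows`, `demo_mallocarray`, `DEMO_CANFAIL` and the `MUL_NO_OVERFLOW` fast-path constant are all constructed here, and `abort()` stands in for `panic()`. It implements the M_CANFAIL path exactly as the quoted message words it; the reply above argues that the overflow case should panic unconditionally instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not OpenBSD code: model of the overflow check a
 * mallocarray-style wrapper performs before the allocator sees the product. */

/* Operands below this bound (2^32 on a 64-bit size_t) cannot overflow when
 * multiplied, so the division is skipped on the common path. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would wrap around size_t, 0 otherwise. */
int
array_size_overflows(size_t nmemb, size_t size)
{
	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size)
		return 1;
	return 0;
}

#define DEMO_CANFAIL 0x1	/* constructed flag standing in for M_CANFAIL */

/* On overflow: return NULL when DEMO_CANFAIL is set, otherwise abort()
 * (the userland analogue of panic()). Otherwise behave like malloc(3)
 * on the now-known-safe product. */
void *
demo_mallocarray(size_t nmemb, size_t size, int flags)
{
	if (array_size_overflows(nmemb, size)) {
		if (flags & DEMO_CANFAIL)
			return NULL;
		fprintf(stderr, "demo_mallocarray: %zu * %zu overflows\n",
		    nmemb, size);
		abort();
	}
	return malloc(nmemb * size);
}

int
main(void)
{
	/* Constructed input: n * 2 wraps to 0, which a plain malloc(n * 2)
	 * would silently accept as a zero-byte request. */
	size_t n = SIZE_MAX / 2 + 1;
	void *p = demo_mallocarray(n, 2, DEMO_CANFAIL);
	printf("overflowing request with CANFAIL -> %s\n",
	    p == NULL ? "NULL" : "non-NULL");

	int *q = demo_mallocarray(16, sizeof(int), 0);
	printf("16 ints -> %s\n", q != NULL ? "allocated" : "NULL");
	free(q);
	return 0;
}
```

The point of checking before multiplying is that a wrapped product is indistinguishable from a legitimate small request once it reaches the allocator; the caller then writes nmemb elements into a buffer sized for far fewer.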