Re: Safe memory allocation functions

On 2015-01-16 12:09:25 -0300, Alvaro Herrera wrote:
> Robert Haas wrote:
> > On Thu, Jan 15, 2015 at 10:57 AM, Alvaro Herrera
> > <alvherre@2ndquadrant.com> wrote:
> 
> > >> I do think that "safe" is the wrong suffix.  Maybe palloc_soft_fail()
> > >> or palloc_null() or palloc_no_oom() or palloc_unsafe().
> > >
> > > I liked palloc_noerror() better myself FWIW.
> > 
> > I don't care for noerror() because it probably still will error in
> > some circumstances; just not for OOM.
> 
> Yes, but that seems fine to me.  We have other functions with "noerror"
> flags, and they can still fail under some circumstances -- just not if
> the error is the most commonly considered scenario in which they fail.

We rely on palloc erroring out on large allocations in a couple places
as a crosscheck. I don't think this argument holds much water.

> The first example I found is LookupAggNameTypeNames(); there are many
> more.  I don't think this causes any confusion in practice.
> 
> Another precendent we have is something like "missing_ok" as a flag name
> in get_object_address() and other places; following that, we could have
> this new function as "palloc_oom_ok" or something like that.  But it
> doesn't seem an improvement to me.  (I'm pretty sure we all agree that
> this must not be a flag to palloc but rather a new function.)
> 
> Of all the ones you proposed above, the one I like the most is
> palloc_no_oom, but IMO palloc_noerror is still better.

Neither seem very accurate. no_oom isn't true because they actually can
cause ooms. _noerror isn't true because they can error out - we
e.g. rely on palloc erroring out when reading toast tuples (to detect
invalid datum lengths) and during parsing of WAL as an additional
defense.

Greetings,

Andres Freund

-- Andres Freund                       http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services