[v2,0/9] misc: Replace alloca() by g_malloc()

Message

Philippe Mathieu-Daudé May 6, 2021, 1:37 p.m. UTC

The ALLOCA(3) man-page mentions its "use is discouraged".
Replace few calls by equivalent GLib malloc().

Last call site is linux-user/.

Since v1:
- Converted more uses (alsaaudio, tpm, pca9552)
- Reworked gdbstub (Alex)
- Simplified PPC/KVM (Greg)

Philippe Mathieu-Daudé (9):
  audio/alsaaudio: Replace ALSA alloca() by malloc() equivalent
  backends/tpm: Replace qemu_mutex_lock calls with QEMU_LOCK_GUARD
  backends/tpm: Replace g_alloca() by g_malloc()
  bsd-user/syscall: Replace alloca() by g_new()
  gdbstub: Constify GdbCmdParseEntry
  gdbstub: Only call cmd_parse_params() with non-NULL command schema
  gdbstub: Replace alloca() + memset(0) by g_new0()
  hw/misc/pca9552: Replace g_newa() by g_new()
  target/ppc/kvm: Replace alloca() by g_malloc()

 audio/alsaaudio.c           | 11 +++++++----
 backends/tpm/tpm_emulator.c | 35 +++++++++++++++--------------------
 bsd-user/syscall.c          |  3 +--
 gdbstub.c                   | 34 +++++++++++++++-------------------
 hw/misc/pca9552.c           |  2 +-
 target/ppc/kvm.c            |  3 +--
 6 files changed, 40 insertions(+), 48 deletions(-)

Comments

Warner Losh May 6, 2021, 2:22 p.m. UTC | #1

On Thu, May 6, 2021 at 7:39 AM Philippe Mathieu-Daudé <philmd@redhat.com>
wrote:

> The ALLOCA(3) man-page mentions its "use is discouraged".
> Replace few calls by equivalent GLib malloc().
>

Except g_alloc and g_malloc are not at all the same, and you can't drop in
replace one with the other.

g_alloc allocates stack space on the calling frame that's automatically
freed when the function returns.
g_malloc allocates space from the heap, and calls to it must be matched
with calls to g_free().

These patches don't do the latter, as far as I can tell, and so introduce
memory leaks unless there's something I've missed.

Warner



> Last call site is linux-user/.
>
> Since v1:
> - Converted more uses (alsaaudio, tpm, pca9552)
> - Reworked gdbstub (Alex)
> - Simplified PPC/KVM (Greg)
>
> Philippe Mathieu-Daudé (9):
>   audio/alsaaudio: Replace ALSA alloca() by malloc() equivalent
>   backends/tpm: Replace qemu_mutex_lock calls with QEMU_LOCK_GUARD
>   backends/tpm: Replace g_alloca() by g_malloc()
>   bsd-user/syscall: Replace alloca() by g_new()
>   gdbstub: Constify GdbCmdParseEntry
>   gdbstub: Only call cmd_parse_params() with non-NULL command schema
>   gdbstub: Replace alloca() + memset(0) by g_new0()
>   hw/misc/pca9552: Replace g_newa() by g_new()
>   target/ppc/kvm: Replace alloca() by g_malloc()
>
>  audio/alsaaudio.c           | 11 +++++++----
>  backends/tpm/tpm_emulator.c | 35 +++++++++++++++--------------------
>  bsd-user/syscall.c          |  3 +--
>  gdbstub.c                   | 34 +++++++++++++++-------------------
>  hw/misc/pca9552.c           |  2 +-
>  target/ppc/kvm.c            |  3 +--
>  6 files changed, 40 insertions(+), 48 deletions(-)
>
> --
> 2.26.3
>
>
>
>

Eric Blake May 6, 2021, 2:28 p.m. UTC | #2

On 5/6/21 9:22 AM, Warner Losh wrote:
> On Thu, May 6, 2021 at 7:39 AM Philippe Mathieu-Daudé <philmd@redhat.com>
> wrote:
> 
>> The ALLOCA(3) man-page mentions its "use is discouraged".
>> Replace few calls by equivalent GLib malloc().
>>
> 
> Except g_alloc and g_malloc are not at all the same, and you can't drop in
> replace one with the other.
> 
> g_alloc allocates stack space on the calling frame that's automatically
> freed when the function returns.
> g_malloc allocates space from the heap, and calls to it must be matched
> with calls to g_free().
> 
> These patches don't do the latter, as far as I can tell, and so introduce
> memory leaks unless there's something I've missed.

You missed the g_autofree, whose job is to call g_free() on all points
in the control flow where the malloc()d memory goes out of scope
(equivalent in expressive power to alloca()d memory going out of scope).
 Although the code is arguably a bit slower (as heap manipulations are
not as cheap as stack manipulations), in the long run that speed penalty
is worth the safety factor (since stack manipulations under user control
are inherently unsafe).

Warner Losh May 6, 2021, 3:02 p.m. UTC | #3

On Thu, May 6, 2021 at 8:28 AM Eric Blake <eblake@redhat.com> wrote:

> On 5/6/21 9:22 AM, Warner Losh wrote:
> > On Thu, May 6, 2021 at 7:39 AM Philippe Mathieu-Daudé <philmd@redhat.com
> >
> > wrote:
> >
> >> The ALLOCA(3) man-page mentions its "use is discouraged".
> >> Replace few calls by equivalent GLib malloc().
> >>
> >
> > Except g_alloc and g_malloc are not at all the same, and you can't drop
> in
> > replace one with the other.
> >
> > g_alloc allocates stack space on the calling frame that's automatically
> > freed when the function returns.
> > g_malloc allocates space from the heap, and calls to it must be matched
> > with calls to g_free().
> >
> > These patches don't do the latter, as far as I can tell, and so introduce
> > memory leaks unless there's something I've missed.
>
> You missed the g_autofree, whose job is to call g_free() on all points
> in the control flow where the malloc()d memory goes out of scope
> (equivalent in expressive power to alloca()d memory going out of scope).
>  Although the code is arguably a bit slower (as heap manipulations are
> not as cheap as stack manipulations), in the long run that speed penalty
> is worth the safety factor (since stack manipulations under user control
> are inherently unsafe).
>

Yea, I had missed that. Too many years of reviewing patches that
came in for other projects that didn't use that feature. Outside of the
bsd-user context, I'd agree with you that things are safer this way.
But emulating system calls has other considerations, that I've gone
into in another thread.

So please accept my apology for not noticing the g_autofree
in these. It definitely makes what I said here incorrect and
it should be ignored...

Warner