On Mon, 15 Mar 2021 at 16:53, Alex Bennée <alex.ben...@linaro.org> wrote: > -Prefer g_new(T, n) instead of g_malloc(sizeof(T) ``*`` n) for the following > +Care should be taken to avoid introducing places where the guest could > +trigger an exit. For example using ``g_malloc`` on start-up is fine > +if the result of a failure is going to be a fatal exit anyway. There > +may be some start-up cases where failing is unreasonable (for example > +speculatively loading debug symbols). > + > +However if we are doing an allocation because of something the guest > +has done we should never trigger an exit. The code may deal with this > +by trying to allocate less memory and continue or re-designed to allocate > +buffers on start-up.
I think this is overly strong. We want to avoid malloc-or-die for cases where the guest gets to decide how big the allocation is; but if we're doing a single small fixed-size allocation that happens to be triggered by a guest action we should be OK to g_malloc() that I think. > +If the lifetime of the allocation is within the function and there are > +multiple exist paths you can also improve the readability of the code "exit" > +by using ``g_autofree`` and related annotations. See :ref:`autofree-ref` > +for more details. thanks -- PMM
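Review bot: the removed line `-Prefer g_new(T, n) instead of g_malloc(sizeof(T) ``*`` n)` has no counterpart among the `+` lines of this hunk, so the g_new recommendation is dropped rather than reworded; unless it was relocated elsewhere in the patch, keep it, since g_new's overflow-checked size multiplication is the safer form whenever `n` is derived from guest data. The new paragraph tells readers that a guest-driven allocation "should never trigger an exit" but not what to call instead; naming the non-aborting GLib variants (g_try_malloc / g_try_new, which return NULL on failure) would make the guidance actionable. Two wording fixes: `+by trying to allocate less memory and continue or re-designed to allocate` should read "...and continue, or by being re-designed to allocate", and `+multiple exist paths` should read "multiple exit paths".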