On Mon, Dec 31, 2012 at 02:59:13AM +0100, Joerg Sonnenberger wrote: > On Sun, Dec 30, 2012 at 05:36:00PM +0000, David A. Holland wrote: > > Module Name: src > > Committed By: dholland > > Date: Sun Dec 30 17:36:00 UTC 2012 > > > > Modified Files: > > src/lib/libutil: efun.c > > > > Log Message: > > If malloc, calloc, or realloc returns NULL when a size of 0 was > > requested, which is allowed by pertinent standards, honor it instead > > of bombing. > > > > Do not do this for calloc(x, y) where x != 0 && y != 0 but x*y == 0; > > in that case bomb. > > The commit message is misleading. We expect calloc(x,y) to return NULL > if x!=0 && y!=0 && x*y==0.
I've never quite understood why calloc() was ever defined with 2 parameters. The only time it can be different (and valid) from a naiive multiply is when the multiply is done as 'int' on a system where size_t > int. I'd have thought calloc() should be required to check that the multiply doesn't overflow - but that ought (probably) require a different errno than ENOMEM. Certainly checking for multiply overflow would seem better than checking for the product being zero. Unfortunately that check tends to need a divide - although some simple range checks will avoid that in most cases. David -- David Laight: da...@l8s.co.uk