Infallible memory allocation

There's ongoing work to implement infallible memory allocators. These are memory allocation routines that never return null; that is, they always successfully return the requested block of memory. This is in contrast to a traditional, fallible memory allocator that can return null indicating that the request failed.

Currently, while code is transitioned to be compatible with infallible memory allocators, you have to explicitly decide whether to use infallible allocation or not. Eventually, however, the generic memory allocators (malloc() and realloc()) will become infallible.

How can memory allocation be infallible?

The term "infallible" means that your memory allocation request is guaranteed to succeed: your code can never see a failed request, and so doesn't need to check for failure.

Inside the allocation routine, the situation is different. Under extreme memory conditions, it's possible that the allocation will fail; however, the allocation routine will not, in this scenario, return to your code. Instead, the application will terminate. This should be rare, because the memory management system will do everything it can to find the memory you've asked for.

Choosing a memory allocator

As you write new code that needs to allocate memory, there are some simple rules to follow to help you decide whether to use a fallible or an infallible memory allocator:

  • If you're allocating what may be a large chunk of memory, you should allocate the memory fallibly (using malloc() for example), and check the result to be sure it's not null. You should do this for large memory allocations because in extremely low memory conditions, as described in How can memory allocation be infallible?, the application may terminate if an infallible allocator can't find the memory you requested.
  • If you don't know whether or not the memory will be large, use the standard malloc() routine. Be sure to check the result for null. Be warned that any allocation that's controlled by the user or web content may grow bigger than you expect; people and pages do surprising things all the time!
  • When instantiating objects, the new operator creates them infallibly by default. If you want to allocate them fallibly, use the syntax new (fallible) Foo().
  • When in doubt, use the infallible allocator and don't null check.
  • NS_Alloc() is also infallible.

Explicitly infallible memory allocators

The following memory allocators are explicitly infallible, and will remain so; they are guaranteed to return a valid memory pointer.

p = moz_xmalloc();
p = moz_xcalloc();
p = moz_xrealloc();
p = moz_xstrdup(); 
f = new Foo();
fArray = new Foo[];
n = ::operator new(...);
nArray = ::operator new[](...);

Explicitly fallible memory allocators

These memory allocators are explicitly fallible, and will remain so. When using these, you must check to ensure the resulting value isn't null before attempting to use the returned memory.

p = malloc();
p = realloc(); 
namespace mozilla {
  f = new (fallible) Foo();
  fArray = new (fallible) Foo[];
}
namespace mozilla {
  n = ::operator new(..., fallible);
  nArray = ::operator new[](..., fallible);
}

See also

Document Tags and Contributors

 Last updated by: nnethercote,