URL:
  <https://savannah.gnu.org/bugs/?68192>

                 Summary: [long-term] check all dynamic memory allocations for success
                   Group: GNU roff
               Submitter: gbranden
               Submitted: Sun 29 Mar 2026 10:37:57 PM UTC
                Category: General
                Severity: 3 - Normal
              Item Group: Lint
                  Status: In Progress
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked
         Planned Release: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Sun 29 Mar 2026 10:37:57 PM UTC By: G. Branden Robinson <gbranden>
A principle of C programming for many years has been:

**Never** call _malloc_(3) without checking its return value.

Unfortunately _groff_ was first written so long ago that the foregoing wasn't
quite common wisdom, and moreover it was mostly written in C++, where the
language operators `new` and `delete` are more idiomatic.

The semi-good news is that _groff_ defaulted to overriding _all_ `new` and
`delete` operations to use its own allocator wrapping the standard C library's
_malloc_(3) and _free_(3) (as contemplated, and I guess endorsed by
Stroustrup).  Even better, this wrapper _did_ check _malloc_(3)'s return
value.  (I'd link to _groff_ 1.24.1's "src/libs/libgroff/new.cpp" here, but
it's a weekend, so Savannah's cgit front end is unresponsive, likely thanks to
LLM scraper bot attacks.)

The semi-bad news is that, recognizing that C++ language runtimes are of
higher quality in the 2020s than they were before the C++ language was first
standardized (in 1998/9), for _groff_ 1.23.0, I made _groff_ skip use of its
own allocator by default.

That doesn't appear to have caused any problems (at least any that anyone
bothered to report to us), but it does mean that my change made us more
sloppy, because I didn't go through and wrap all uses of the `new` operator
with `try` so as to catch `std::bad_alloc` exceptions.

(C++ implementations' exception handling systems were not mature, or maybe
even widely implemented at the time James Clark first wrote _groff_.  While
the language feature does appear in the 2nd edition of Stroustrup's _The C++
Programming Language_ and his and Ellis's _The Annotated C++ Reference
Manual_, as far as I can tell, _groff_ completely eschewed it.  Perhaps
relatedly, I recall stack unwinding in C being something of a novelty back in
about 2001 when I (and the company I worked for) was doing some contracting
work porting Debian GNU/Linux to the IA-64 ("Itanium" [cheekily: "Itanic"])
machine architecture.  Possibly ambition in this area, at least in conjunction
with dynamic shared objects, ran considerably ahead of implementation
robustness.)

Bottom line?  We need to be using `try`/`catch` everywhere we use `new`.
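As an added illustration (this is example code written for this page, not groff's own `new.cpp` and not code from the bug report): a replacement global `operator new` that routes every allocation through _malloc_(3) and checks the result, next to the `try`/`catch` form the comment asks for. The `set_allocator` hook, `always_fail`, `allocate_and_touch` and `allocate_unchecked` are inventions of this example so that the failure path can be exercised without exhausting real memory; the comment only says that groff's wrapper checked _malloc_(3)'s return value, so what it did on failure is assumed here to be throwing `std::bad_alloc`, which is also what the standard runtime does by default.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>

// Hypothetical allocation hook (not part of groff): lets a caller or a test
// substitute a deliberately failing allocator without exhausting real memory.
using alloc_fn = void *(*)(std::size_t);
static alloc_fn g_alloc = std::malloc;

// Pass nullptr to restore the real malloc(3).
void set_allocator(alloc_fn fn) { g_alloc = fn ? fn : std::malloc; }

// Constructed failing allocator for demonstration: behaves like malloc(3)
// under memory exhaustion.
void *always_fail(std::size_t) { return nullptr; }

// Replacement global operator new, in the spirit of groff's old new.cpp
// wrapper: every `new` goes through malloc(3) and the result is checked.
// On failure this throws std::bad_alloc (assumed here; the standard runtime
// does the same by default), so callers can recover with try/catch.
void *operator new(std::size_t n) {
    if (n == 0) n = 1;                 // malloc(0) may legitimately return NULL
    void *p = g_alloc(n);
    if (p == nullptr) throw std::bad_alloc();
    return p;
}
void *operator new[](std::size_t n) { return ::operator new(n); }
void operator delete(void *p) noexcept { std::free(p); }
void operator delete[](void *p) noexcept { std::free(p); }
// Sized deallocation (C++14): keep these paired with the replacements above.
void operator delete(void *p, std::size_t) noexcept { std::free(p); }
void operator delete[](void *p, std::size_t) noexcept { std::free(p); }

// The "after" form the comment asks for: `new` inside try, std::bad_alloc
// caught. Nothing in the catch path allocates, because by definition memory
// is short when it runs. Returns true if the buffer was obtained and used.
bool allocate_and_touch(std::size_t n) {
    try {
        char *buf = new char[n];
        buf[0] = '\0';
        delete[] buf;
        return true;
    } catch (const std::bad_alloc &) {
        return false;
    }
}

// The "before" form for contrast: an unchecked `new`. Once groff stopped
// overriding the operator, a failure here propagates an uncaught
// std::bad_alloc and the process dies via std::terminate().
char *allocate_unchecked(std::size_t n) {
    return new char[n];
}

int main() {
    std::printf("real allocator:    %s\n", allocate_and_touch(64) ? "ok" : "failed");
    set_allocator(always_fail);
    std::printf("failing allocator: %s\n", allocate_and_touch(64) ? "ok" : "failed");
    set_allocator(nullptr);
    return 0;
}
```

Only `new`/`delete` go through the hook; `printf` and other C library calls still use the real _malloc_(3), which is why the catch path is safe to run with the failing allocator installed. Note that the catch handler deliberately builds no `std::string` and logs nothing through `new`-backed streams, since a second allocation inside the handler would throw again and terminate the process anyway.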

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?68192>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
