The Archive Base

Editorial Team
Asked: May 13, 2026

To begin with, let me say that I understand how and why the problem

To begin with, let me say that I understand how and why the problem I’m describing can happen. I was a Computer Science major, and I understand overflow/underflow and signed/unsigned arithmetic. (For those unfamiliar with the topic, Apple’s Secure Coding Guide discusses integer overflow briefly.)

My question is about reporting and recovering from such an error once it has been detected, and more specifically in the case of an Objective-C framework. (I write and maintain CHDataStructures.) I have a few collections classes that allocate memory for storing objects and dynamically expand as necessary. I haven’t yet seen any overflow-related crashes, probably because my test cases mostly use sane data. However, given unvalidated values, things could explode rather quickly, and I want to prevent that.

I have identified at least two common cases where this can occur:

  1. The caller passes a very large unsigned value (or negative signed value) to -initWithCapacity:.
  2. Enough objects have been added to cause the capacity to dynamically expand, and the capacity has grown large enough to cause overflow.

The easy part is detecting whether overflow will occur. (For example, before attempting to allocate length * sizeof(void*) bytes, I can check whether length <= UINT_MAX / sizeof(void*), since failing this test will mean that the product will overflow and potentially allocate a much smaller region of memory than desired. On platforms that support it, the checkint.h API is another alternative.) The harder part is determining how to deal with it gracefully. In the first scenario, the caller is perhaps better equipped (or at least in the mindset) to deal with a failure. The second scenario can happen anywhere in the code that an object is added to the collection, which may be quite non-deterministic.

My question, then, is this: How is “good citizen” Objective-C code expected to act when integer overflow occurs in this type of situation? (Ideally, since my project is a framework in the same spirit as Foundation in Cocoa, I’d like to model off of the way it behaves for maximum “impedance matching”. The Apple documentation I’ve found doesn’t mention much at all about this.) I figure that in any case, reporting the error is a given. Since the APIs to add an object (which could cause scenario 2) don’t accept an error parameter, what can I really do to help resolve the problem, if anything? What is really considered okay in such situations? I’m loath to knowingly write crash-prone code if I can do better…

1 Answer

  1. Editorial Team
    Added an answer on May 13, 2026 at 10:19 pm

    There are two issues at hand:

    (1) An allocation has failed and you are out of memory.

    (2) You have detected an overflow or other erroneous condition that will lead to (1) if you continue.

    In the case of (1), you are hosed (unless the failed allocation was both stupid large & you know that the failed allocation was only that one). If this happens, the best thing you can do is to crash as quickly as possible and leave behind as much evidence as you can. In particular, creating a function that calls abort() of a name like IAmCrashingOnPurposeBecauseYourMemoryIsDepleted() will leave evidence in the crash log.

    If it is really (2), then there are additional questions. Specifically, can you recover from the situation and, regardless, is the user’s data still intact? If you can recover, then grand… do so and the user never has to know. If not, then you need to make absolutely sure that the user’s data is not corrupt. If it isn’t, then save and die. If the user’s data is corrupt, then do your best to not persist the corrupted data and let the user know that something has gone horribly wrong. If the user’s data is already persisted, but corrupt, then… well… ouch… you might want to consider creating a recovery tool of some kind.

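An added example, not part of the original question or answer and not CHDataStructures code: a plain C pointer array that applies the question's division check to both scenarios, reports failure with the collection intact when overflow is detected, and aborts through a descriptively named function when allocation itself fails, as the answer suggests. PtrArray and every function name here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable pointer array; not CHDataStructures code. */
typedef struct { void **items; size_t count, capacity; } PtrArray;

/* The function name is the evidence left in the crash log's backtrace. */
static void CrashingOnPurposeBecauseAllocationFailed(void) { abort(); }

/* Bytes for n pointers; false if n * sizeof(void *) would wrap a size_t. */
static bool bytes_for(size_t n, size_t *out) {
    if (n > SIZE_MAX / sizeof(void *)) return false;
    *out = n * sizeof(void *);
    return true;
}

/* Scenario 1: a negative int converted to size_t arrives as a huge value. */
static bool ptrarray_init(PtrArray *a, size_t capacity) {
    size_t bytes;
    a->items = NULL; a->count = 0; a->capacity = 0;
    if (capacity == 0) capacity = 1;
    if (!bytes_for(capacity, &bytes)) return false;   /* rejected before malloc */
    if ((a->items = malloc(bytes)) == NULL) return false;
    a->capacity = capacity;
    return true;
}

/* Scenario 2: doubling. Clamp to the largest safe count, fail only there. */
static bool next_capacity(size_t current, size_t *out) {
    size_t max = SIZE_MAX / sizeof(void *);
    if (current >= max) return false;
    *out = (current > max / 2) ? max : (current ? current * 2 : 1);
    return true;
}

/* Returns false with the collection untouched when it cannot grow. */
static bool ptrarray_add(PtrArray *a, void *obj) {
    if (a->count == a->capacity) {
        size_t cap, bytes;
        if (!next_capacity(a->capacity, &cap) || !bytes_for(cap, &bytes))
            return false;
        void **grown = realloc(a->items, bytes);
        if (grown == NULL) CrashingOnPurposeBecauseAllocationFailed();
        a->items = grown; a->capacity = cap;
    }
    a->items[a->count++] = obj;
    return true;
}
```

The check uses SIZE_MAX because malloc and realloc take a size_t; an Objective-C wrapper around ptrarray_add would decide how to surface a false return to its caller.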
