Bug 693001

Summary: realloc and standards conformance
Product: Red Hat Enterprise Linux 6 Reporter: Eric Blake <eblake>
Component: glibcAssignee: Jeff Law <law>
Status: CLOSED NOTABUG QA Contact: qe-baseos-tools-bugs
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: fweimer, law, mfranc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-06 18:31:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Blake 2011-04-01 23:00:25 UTC 
Description of problem:
Right now, there is a huge debate going on between the WG14 working group (C99/C1x), Austin Group (POSIX 2008), and glibc implementers on the correct semantics of realloc(ptr,0).
http://austingroupbugs.net/view.php?id=400
http://sourceware.org/bugzilla/show_bug.cgi?id=12547

If Red Hat intends to comply with C1x or POSIX certification, then glibc _must_ provide a mode where realloc(ptr,0) complies with the standard.  However, in the current state of the debate, it looks like the C committee is at loggerheads with the glibc implementers (C claims that realloc(ptr,0) returning NULL is an error indication, hence ptr is still valid (this happens to match BSD semantics); glibc claims that realloc(ptr,0) returning NULL is a successful call to free(ptr)); worse, the conflict is extremely dangerous to ALL programs:

If code is written assuming glibc semantics but run on a system with the argued C semantics, you have a memory leak (either ptr, or the new non-NULL return value that the code was not expecting, will be leaked).  If code is written assuming C1x semantics but run on a system with the argued glibc semantics, you have a double free (realloc freed ptr, but because it returned NULL and the program assumes ptr is still valid, the program frees ptr again).  Either way, an application loses if _ANY_ standards document requires exactly one behavior rather than documenting both historical behaviors and warning applications of the portability pitfalls if they are not aware of both behaviors.

Can Red Hat please step up its involvement with WG14 to request that the C1x ballot be changed to support glibc's current implementation (effectively by recommending that realloc(ptr,0) be given implementation-defined semantics and effectively be labeled non-portable in practice) rather than hard-lining their current interpretation that realloc(ptr,0) must not return NULL if it freed ptr?
Comment 2 RHEL Program Management 2011-04-04 02:08:18 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 5 Jeff Law 2012-02-06 18:31:32 UTC 
AFAICT, the final wording stated that realloc (ptr, 0) is implementation defined which (at least for now) blesses glibc's behaviour.  However, long term the committee states they're considering changing the language to further clarify behaviour in this situation.

It's not ideal, but reasonable given the overall situation.