[PATCH 1/8] safe-alloc: improve doc

[PATCH 1/8] safe-alloc: improve doc

[Paul Eggert]

* doc/safe-alloc.texi: Clarify that reallocating an array appends
uninitialized storage.  Say ‘sizeof *p’ rather than ‘sizeof(*p)’
which would need a space before the paren to follow GNU style.
---
 ChangeLog           |  5 +++++
 doc/safe-alloc.texi | 14 +++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ab6045fd3..d2d12058e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	safe-alloc: improve doc
+	* doc/safe-alloc.texi: Clarify that reallocating an array appends
+	uninitialized storage.  Say ‘sizeof *p’ rather than ‘sizeof(*p)’
+	which would need a space before the paren to follow GNU style.
+
 	malloc-gnu-tests, etc.: test ptrdiff_t overflow
 	* modules/calloc-gnu-tests (Depends-on):
 	* modules/malloc-gnu-tests (Depends-on):
diff --git a/doc/safe-alloc.texi b/doc/safe-alloc.texi
index 60304472f..d40ec65b6 100644
--- a/doc/safe-alloc.texi
+++ b/doc/safe-alloc.texi
@@ -36,12 +36,14 @@ passed in as arguments when appropriate.
 It uses return values only for a success/failure error condition flag,
 and annotates them with GCC's @code{__warn_unused_result__} attribute.
 @item
-It uses @code{calloc} instead of @code{malloc}.
+When allocating a fresh array, it uses @code{calloc} instead of
+@code{malloc} so that the array's contents are zeroed.
+However, memory added to an already-existing array is uninitialized.
 @end itemize
 
 @defmac {int} ALLOC (ptr)
 @findex ALLOC
-Allocate @code{sizeof(*ptr)} bytes of memory and store the address of
+Allocate @code{sizeof *ptr} bytes of memory and store the address of
 allocated memory in @code{ptr}.  Fill the newly allocated memory with
 zeros.
 
@@ -50,7 +52,7 @@ Returns @minus{}1 on failure, 0 on success.
 
 @defmac {int} ALLOC_N (ptr, count)
 @findex ALLOC_N
-Allocate an array of @code{count} elements, each @code{sizeof(*ptr)}
+Allocate an array of @code{count} elements, each @code{sizeof *ptr}
 bytes long, and store the address of allocated memory in
 @code{ptr}.  Fill the newly allocated memory with zeros.
 
@@ -59,7 +61,7 @@ Returns @minus{}1 on failure, 0 on success.
 
 @defmac {int} ALLOC_N_UNINITIALIZED (ptr, count)
 @findex ALLOC_N_UNINITIALIZED
-Allocate an array of @code{count} elements, each @code{sizeof(*ptr)}
+Allocate an array of @code{count} elements, each @code{sizeof *ptr}
 bytes long, and store the address of allocated memory in
 @code{ptr}.  The allocated memory is not initialized.
 
@@ -69,9 +71,11 @@ Returns @minus{}1 on failure, 0 on success.
 @defmac {int} REALLOC_N (ptr, count)
 @findex REALLOC_N
 Reallocate the memory pointed to by @code{ptr} to be big enough to hold
-at least @code{count} elements, each @code{sizeof(*ptr)} bytes long,
+at least @code{count} elements, each @code{sizeof *ptr} bytes long,
 and store the address of allocated memory in @code{ptr}.  If
 reallocation fails, the @code{ptr} variable is not modified.
+If the new array is smaller than the old one, discard excess contents;
+if larger, the newly added storage is not initialized.
 
 Returns @minus{}1 on failure, 0 on success.
 @end defmac
-- 
2.27.0

[PATCH 2/8] backupfile: simplify via realloc-gnu

[Paul Eggert]

* lib/backupfile.c: Do not include xalloc-oversized.h.
(numbered_backup): Simplify now that realloc will do the right
thing about ptrdiff_t overflow.
* modules/backupfile (Depends-on): Add realloc-gnu;
remove xalloc-oversized.
---
 ChangeLog          | 7 +++++++
 lib/backupfile.c   | 3 +--
 modules/backupfile | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d2d12058e..e00a5b7c8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	backupfile: simplify via realloc-gnu
+	* lib/backupfile.c: Do not include xalloc-oversized.h.
+	(numbered_backup): Simplify now that realloc will do the right
+	thing about ptrdiff_t overflow.
+	* modules/backupfile (Depends-on): Add realloc-gnu;
+	remove xalloc-oversized.
+
 	safe-alloc: improve doc
 	* doc/safe-alloc.texi: Clarify that reallocating an array appends
 	uninitialized storage.  Say ‘sizeof *p’ rather than ‘sizeof(*p)’
diff --git a/lib/backupfile.c b/lib/backupfile.c
index 1e427e8de..bc03dd614 100644
--- a/lib/backupfile.c
+++ b/lib/backupfile.c
@@ -37,7 +37,6 @@
 #include "intprops.h"
 #include "opendirat.h"
 #include "renameatu.h"
-#include "xalloc-oversized.h"
 
 #ifndef _D_EXACT_NAMLEN
 # define _D_EXACT_NAMLEN(dp) strlen ((dp)->d_name)
@@ -271,7 +270,7 @@ numbered_backup (int dir_fd, char **buffer, size_t buffer_size, size_t filelen,
       size_t new_buffer_size = filelen + 2 + versionlenmax + 2;
       if (buffer_size < new_buffer_size)
         {
-          xalloc_count_t grown;
+          size_t grown;
           if (! INT_ADD_WRAPV (new_buffer_size, new_buffer_size >> 1, &grown))
             new_buffer_size = grown;
           char *new_buf = realloc (buf, new_buffer_size);
diff --git a/modules/backupfile b/modules/backupfile
index 42c8c9ed5..342a7bdff 100644
--- a/modules/backupfile
+++ b/modules/backupfile
@@ -21,11 +21,11 @@ intprops
 memcmp
 opendirat
 readdir
+realloc-gnu
 renameatu
 stdbool
 stdint
 xalloc-die
-xalloc-oversized
 
 configure.ac:
 gl_BACKUPFILE
-- 
2.27.0

[PATCH 3/8] group-member: simplify via realloc-gnu

[Paul Eggert]

* lib/group-member.c, modules/group-member:
Simplify similarly to backupfile.
---
 ChangeLog            | 4 ++++
 lib/group-member.c   | 6 ++----
 modules/group-member | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e00a5b7c8..aff0e87fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	group-member: simplify via realloc-gnu
+	* lib/group-member.c, modules/group-member:
+	Simplify similarly to backupfile.
+
 	backupfile: simplify via realloc-gnu
 	* lib/backupfile.c: Do not include xalloc-oversized.h.
 	(numbered_backup): Simplify now that realloc will do the right
diff --git a/lib/group-member.c b/lib/group-member.c
index 17bee831b..d433f2731 100644
--- a/lib/group-member.c
+++ b/lib/group-member.c
@@ -26,7 +26,6 @@
 #include <stdlib.h>
 
 #include "intprops.h"
-#include "xalloc-oversized.h"
 
 /* Most processes have no more than this many groups, and for these
    processes we can avoid using malloc.  */
@@ -54,9 +53,8 @@ get_group_info (struct group_info *gi)
   if (n_groups < 0)
     {
       int n_group_slots = getgroups (0, NULL);
-      xalloc_count_t nbytes;
-      if (0 <= n_group_slots
-          && ! INT_MULTIPLY_WRAPV (n_group_slots, sizeof *gi->group, &nbytes))
+      size_t nbytes;
+      if (! INT_MULTIPLY_WRAPV (n_group_slots, sizeof *gi->group, &nbytes))
         {
           gi->group = malloc (nbytes);
           if (gi->group)
diff --git a/modules/group-member b/modules/group-member
index aa56ecf7e..a224d9888 100644
--- a/modules/group-member
+++ b/modules/group-member
@@ -10,7 +10,7 @@ unistd
 extensions
 getgroups        [test $HAVE_GROUP_MEMBER = 0]
 intprops         [test $HAVE_GROUP_MEMBER = 0]
-xalloc-oversized [test $HAVE_GROUP_MEMBER = 0]
+realloc-gnu      [test $HAVE_GROUP_MEMBER = 0]
 
 configure.ac:
 gl_FUNC_GROUP_MEMBER
-- 
2.27.0

[PATCH 4/8] xalloc: new function xreallocarray

[Paul Eggert]

This effectively replaces xnmalloc, which perhaps should be deprecated.
The name xreallocarray should be easier to remember now that
reallocarray is a standard GNU function.
* lib/xalloc.h [GNULIB_XALLOC]: Do not include xalloc-oversized.h.
(xnmalloc, xnrealloc, x2nrealloc): Simplify by using xreallocarray.
* lib/xmalloc.c (xreallocarray): New function.
* modules/xalloc (Depends-on): Add reallocarray;
remove xalloc-oversized.
---
 ChangeLog      | 10 ++++++++++
 lib/xalloc.h   | 26 ++++++++++++++------------
 lib/xmalloc.c  | 12 ++++++++++++
 modules/xalloc |  2 +-
 4 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index aff0e87fc..857b7048f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	xalloc: new function xreallocarray
+	This effectively replaces xnmalloc, which perhaps should be deprecated.
+	The name xreallocarray should be easier to remember now that
+	reallocarray is a standard GNU function.
+	* lib/xalloc.h [GNULIB_XALLOC]: Do not include xalloc-oversized.h.
+	(xnmalloc, xnrealloc, x2nrealloc): Simplify by using xreallocarray.
+	* lib/xmalloc.c (xreallocarray): New function.
+	* modules/xalloc (Depends-on): Add reallocarray;
+	remove xalloc-oversized.
+
 	group-member: simplify via realloc-gnu
 	* lib/group-member.c, modules/group-member:
 	Simplify similarly to backupfile.
diff --git a/lib/xalloc.h b/lib/xalloc.h
index b08ab4e07..6cd7a680c 100644
--- a/lib/xalloc.h
+++ b/lib/xalloc.h
@@ -24,7 +24,6 @@
 #if GNULIB_XALLOC
 # include "idx.h"
 # include "intprops.h"
-# include "xalloc-oversized.h"
 #endif
 
 #ifndef _GL_INLINE_HEADER_BEGIN
@@ -62,6 +61,8 @@ void *xcalloc (size_t n, size_t s)
       _GL_ATTRIBUTE_MALLOC _GL_ATTRIBUTE_ALLOC_SIZE ((1, 2));
 void *xrealloc (void *p, size_t s)
       _GL_ATTRIBUTE_ALLOC_SIZE ((2));
+void *xreallocarray (void *p, size_t n, size_t s)
+      _GL_ATTRIBUTE_ALLOC_SIZE ((2, 3));
 void *x2realloc (void *p, size_t *pn);
 void *xpalloc (void *pa, idx_t *nitems, idx_t nitems_incr_min,
                ptrdiff_t nitems_max, idx_t item_size);
@@ -104,11 +105,10 @@ XALLOC_INLINE void *xnmalloc (size_t n, size_t s)
 XALLOC_INLINE void *
 xnmalloc (size_t n, size_t s)
 {
-  if (xalloc_oversized (n, s))
-    xalloc_die ();
-  return xmalloc (n * s);
+  return xreallocarray (NULL, n, s);
 }
 
+/* FIXME: Deprecate this in favor of xreallocarray?  */
 /* Change the size of an allocated block of memory P to an array of N
    objects each of S bytes, with error checking.  S must be nonzero.  */
 
@@ -117,9 +117,7 @@ XALLOC_INLINE void *xnrealloc (void *p, size_t n, size_t s)
 XALLOC_INLINE void *
 xnrealloc (void *p, size_t n, size_t s)
 {
-  if (xalloc_oversized (n, s))
-    xalloc_die ();
-  return xrealloc (p, n * s);
+  return xreallocarray (p, n, s);
 }
 
 /* If P is null, allocate a block of at least *PN such objects;
@@ -202,10 +200,7 @@ x2nrealloc (void *p, size_t *pn, size_t s)
         xalloc_die ();
     }
 
-  xalloc_count_t nbytes;
-  if (INT_MULTIPLY_WRAPV (n, s, &nbytes))
-    xalloc_die ();
-  p = xrealloc (p, nbytes);
+  p = xreallocarray (p, n, s);
   *pn = n;
   return p;
 }
@@ -241,10 +236,17 @@ xrealloc (T *p, size_t s)
   return (T *) xrealloc ((void *) p, s);
 }
 
+template <typename T> inline T *
+xreallocarray (T *p, size_t n, size_t s)
+{
+  return (T *) xreallocarray ((void *) p, n, s);
+}
+
+/* FIXME: Deprecate this in favor of xreallocarray?  */
 template <typename T> inline T *
 xnrealloc (T *p, size_t n, size_t s)
 {
-  return (T *) xnrealloc ((void *) p, n, s);
+  return xreallocarray (p, n, s);
 }
 
 template <typename T> inline T *
diff --git a/lib/xmalloc.c b/lib/xmalloc.c
index 39ce893ad..88698fade 100644
--- a/lib/xmalloc.c
+++ b/lib/xmalloc.c
@@ -50,6 +50,18 @@ xrealloc (void *p, size_t n)
   return r;
 }
 
+/* Change the size of an allocated block of memory P to an array of N
+   objects each of S bytes, with error checking.  */
+
+void *
+xreallocarray (void *p, size_t n, size_t s)
+{
+  void *r = reallocarray (p, n, s);
+  if (!r && (!p || (n && s)))
+    xalloc_die ();
+  return r;
+}
+
 /* If P is null, allocate a block of at least *PN bytes; otherwise,
    reallocate P so that it contains more than *PN bytes.  *PN must be
    nonzero unless P is null.  Set *PN to the new block's size, and
diff --git a/modules/xalloc b/modules/xalloc
index 000933e94..0dbae1c86 100644
--- a/modules/xalloc
+++ b/modules/xalloc
@@ -15,9 +15,9 @@ intprops
 malloc-gnu
 minmax
 realloc-gnu
+reallocarray
 stdint
 xalloc-die
-xalloc-oversized
 
 configure.ac:
 gl_XALLOC
-- 
2.27.0

[PATCH 5/8] xalloc-oversized: fix SIZE_MAX optimization bug

[Paul Eggert]

* lib/xalloc-oversized.h (xalloc_count_t): Remove; no longer
needed and was evidently error-prone anyway.
(xalloc_oversized): Omit some over-optimization that caused
SIZE_MAX to not be treated as too large (the Gnulib convention) on
unusual platforms where PTRDIFF_MAX == SIZE_MAX.  This change
should not affect typical platforms where PTRDIFF_MAX < SIZE_MAX.
When optimizing, simply use ptrdiff_t instead of xalloc_count_t.
---
 ChangeLog              |  9 +++++++++
 lib/xalloc-oversized.h | 17 ++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 857b7048f..1d2607a0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	xalloc-oversized: fix SIZE_MAX optimization bug
+	* lib/xalloc-oversized.h (xalloc_count_t): Remove; no longer
+	needed and was evidently error-prone anyway.
+	(xalloc_oversized): Omit some over-optimization that caused
+	SIZE_MAX to not be treated as too large (the Gnulib convention) on
+	unusual platforms where PTRDIFF_MAX == SIZE_MAX.  This change
+	should not affect typical platforms where PTRDIFF_MAX < SIZE_MAX.
+	When optimizing, simply use ptrdiff_t instead of xalloc_count_t.
+
 	xalloc: new function xreallocarray
 	This effectively replaces xnmalloc, which perhaps should be deprecated.
 	The name xreallocarray should be easier to remember now that
diff --git a/lib/xalloc-oversized.h b/lib/xalloc-oversized.h
index 3618c75cb..6437a5d8b 100644
--- a/lib/xalloc-oversized.h
+++ b/lib/xalloc-oversized.h
@@ -30,25 +30,20 @@
 #define __xalloc_oversized(n, s) \
   ((size_t) (PTRDIFF_MAX < SIZE_MAX ? PTRDIFF_MAX : SIZE_MAX - 1) / (s) < (n))
 
-#if PTRDIFF_MAX < SIZE_MAX
-typedef ptrdiff_t xalloc_count_t;
-#else
-typedef size_t xalloc_count_t;
-#endif
-
 /* Return 1 if an array of N objects, each of size S, cannot exist reliably
-   because its total size in bytes exceeds MIN (PTRDIFF_MAX, SIZE_MAX).
+   because its total size in bytes exceeds MIN (PTRDIFF_MAX, SIZE_MAX - 1).
    N must be nonnegative, S must be positive, and either N or S should be
    of type ptrdiff_t or size_t or wider.  This is a macro, not a function,
    so that it works even if an argument exceeds MAX (PTRDIFF_MAX, SIZE_MAX).  */
-#if 7 <= __GNUC__ && !defined __clang__
+#if 7 <= __GNUC__ && !defined __clang__ && PTRDIFF_MAX < SIZE_MAX
 # define xalloc_oversized(n, s) \
-   __builtin_mul_overflow_p (n, s, (xalloc_count_t) 1)
-#elif 5 <= __GNUC__ && !defined __ICC && !__STRICT_ANSI__
+   __builtin_mul_overflow_p (n, s, (ptrdiff_t) 1)
+#elif (5 <= __GNUC__ && !defined __ICC && !__STRICT_ANSI__ \
+       && PTRDIFF_MAX < SIZE_MAX)
 # define xalloc_oversized(n, s) \
    (__builtin_constant_p (n) && __builtin_constant_p (s) \
     ? __xalloc_oversized (n, s) \
-    : ({ xalloc_count_t __xalloc_count; \
+    : ({ ptrdiff_t __xalloc_count; \
          __builtin_mul_overflow (n, s, &__xalloc_count); }))
 
 /* Other compilers use integer division; this may be slower but is
-- 
2.27.0

[PATCH 6/8] safe-alloc: simplify via reallocarray

[Paul Eggert]

* lib/safe-alloc.c: Do not include xalloc-oversized.h.
(safe_alloc_alloc_n, safe_alloc_realloc_n):
Use reallocarray to check for size or ptrdiff_t overflow.
* modules/reallocarray (License): Switch from LGPL to LGPLv2+, as
this is needed for safe-alloc and anyway is more appropriate for
this library function common with BSD.
* modules/safe-alloc (Depends-on): Depend on reallocarray
rather than xalloc-oversized.
---
 ChangeLog            | 10 ++++++++++
 lib/safe-alloc.c     | 17 ++---------------
 modules/reallocarray |  2 +-
 modules/safe-alloc   |  2 +-
 4 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1d2607a0b..76d714127 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	safe-alloc: simplify via reallocarray
+	* lib/safe-alloc.c: Do not include xalloc-oversized.h.
+	(safe_alloc_alloc_n, safe_alloc_realloc_n):
+	Use reallocarray to check for size or ptrdiff_t overflow.
+	* modules/reallocarray (License): Switch from LGPL to LGPLv2+, as
+	this is needed for safe-alloc and anyway is more appropriate for
+	this library function common with BSD.
+	* modules/safe-alloc (Depends-on): Depend on reallocarray
+	rather than xalloc-oversized.
+
 	xalloc-oversized: fix SIZE_MAX optimization bug
 	* lib/xalloc-oversized.h (xalloc_count_t): Remove; no longer
 	needed and was evidently error-prone anyway.
diff --git a/lib/safe-alloc.c b/lib/safe-alloc.c
index 45e770015..116ac4371 100644
--- a/lib/safe-alloc.c
+++ b/lib/safe-alloc.c
@@ -22,8 +22,6 @@
 /* Specification.  */
 #include "safe-alloc.h"
 
-#include "xalloc-oversized.h"
-
 #include <stdlib.h>
 #include <stddef.h>
 #include <errno.h>
@@ -51,16 +49,10 @@ safe_alloc_alloc_n (void *ptrptr, size_t size, size_t count, int zeroed)
       return 0;
     }
 
-  if (xalloc_oversized (count, size))
-    {
-      errno = ENOMEM;
-      return -1;
-    }
-
   if (zeroed)
     *(void **) ptrptr = calloc (count, size);
   else
-    *(void **) ptrptr = malloc (count * size);
+    *(void **) ptrptr = reallocarray (NULL, count, size);
 
   if (*(void **) ptrptr == NULL)
     return -1;
@@ -91,12 +83,7 @@ safe_alloc_realloc_n (void *ptrptr, size_t size, size_t count)
       *(void **) ptrptr = NULL;
       return 0;
     }
-  if (xalloc_oversized (count, size))
-    {
-      errno = ENOMEM;
-      return -1;
-    }
-  tmp = realloc (*(void **) ptrptr, size * count);
+  tmp = reallocarray (*(void **) ptrptr, size, count);
   if (!tmp)
     return -1;
   *(void **) ptrptr = tmp;
diff --git a/modules/reallocarray b/modules/reallocarray
index 11d32bb5f..a64c6fd2d 100644
--- a/modules/reallocarray
+++ b/modules/reallocarray
@@ -26,7 +26,7 @@ Include:
 <stdlib.h>
 
 License:
-LGPL
+LGPLv2+
 
 Maintainer:
 all
diff --git a/modules/safe-alloc b/modules/safe-alloc
index 13e78dec7..9453b49ee 100644
--- a/modules/safe-alloc
+++ b/modules/safe-alloc
@@ -7,7 +7,7 @@ lib/safe-alloc.c
 m4/safe-alloc.m4
 
 Depends-on:
-xalloc-oversized
+reallocarray
 
 configure.ac:
 gl_SAFE_ALLOC
-- 
2.27.0

[PATCH 7/8] calloc-gnu: now LGPLv2+

[Paul Eggert]

* modules/calloc-gnu (License): Change from GPL to LGPLv2+.
The old value was evidently a longstanding typo, and calloc
will be needed by LGPLv2+ modules that will want to rely
on GNU behavior.
---
 ChangeLog          | 6 ++++++
 modules/calloc-gnu | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 76d714127..ede998670 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	calloc-gnu: now LGPLv2+
+	* modules/calloc-gnu (License): Change from GPL to LGPLv2+.
+	The old value was evidently a longstanding typo, and calloc
+	will be needed by LGPLv2+ modules that will want to rely
+	on GNU behavior.
+
 	safe-alloc: simplify via reallocarray
 	* lib/safe-alloc.c: Do not include xalloc-oversized.h.
 	(safe_alloc_alloc_n, safe_alloc_realloc_n):
diff --git a/modules/calloc-gnu b/modules/calloc-gnu
index 2aa2dd1c0..bbd2a4933 100644
--- a/modules/calloc-gnu
+++ b/modules/calloc-gnu
@@ -20,7 +20,7 @@ Include:
 <stdlib.h>
 
 License:
-GPL
+LGPLv2+
 
 Maintainer:
 Jim Meyering
-- 
2.27.0

[PATCH 8/8] safe-alloc: fix pointer implementation

[Paul Eggert]

The old implementation assumed that all pointers use the same
internal representation, but the C standard doesn’t guarantee
this.  Use void * (pointer) not void ** (pointer-to-pointer) for
the internal functions’ API.  The internal functions now return
NULL if and only if they failed, and the macros translate that
into -1 or 0 to satisfy the existing API.
* doc/safe-alloc.texi (Safe Allocation Macros): Mention overflow.
* lib/safe-alloc.c: Major rewrite.  Now this simply
defines SAFE_ALLOC_INLINE and includes safe-alloc.h.
* lib/safe-alloc.h: Include stddef.h, not stdlib.h.
(SAFE_ALLOC_INLINE): New macro; use Gnulib inline function style.
(safe_alloc_realloc_n): New API, which passes and returns
the pointer, and which returns NULL if and only if failure occurs.
(safe_alloc_check): New function.
(ALLOC, ALLOC_N, ALLOC_N_UNINITIALIZED, REALLOC_N):
Redo using the new API for internal functions, and using calloc
which is good enough since it’s GNU-compatible now.
(FREE): Expand to an expression rather than merely to something
that needs a following ‘;’ to become a statement.
* modules/safe-alloc (Depends-on): Add calloc-gnu.
---
 ChangeLog           | 22 +++++++++++
 doc/safe-alloc.texi |  2 +
 lib/safe-alloc.c    | 90 +-------------------------------------------
 lib/safe-alloc.h    | 91 +++++++++++++++++++++++++--------------------
 modules/safe-alloc  |  1 +
 5 files changed, 76 insertions(+), 130 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ede998670..2c7edd59a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,27 @@
 2021-04-18  Paul Eggert  <eggert@cs.ucla.edu>
 
+	safe-alloc: fix pointer implementation
+	The old implementation assumed that all pointers use the same
+	internal representation, but the C standard doesn’t guarantee
+	this.  Use void * (pointer) not void ** (pointer-to-pointer) for
+	the internal functions’ API.  The internal functions now return
+	NULL if and only if they failed, and the macros translate that
+	into -1 or 0 to satisfy the existing API.
+	* doc/safe-alloc.texi (Safe Allocation Macros): Mention overflow.
+	* lib/safe-alloc.c: Major rewrite.  Now this simply
+	defines SAFE_ALLOC_INLINE and includes safe-alloc.h.
+	* lib/safe-alloc.h: Include stddef.h, not stdlib.h.
+	(SAFE_ALLOC_INLINE): New macro; use Gnulib inline function style.
+	(safe_alloc_realloc_n): New API, which passes and returns
+	the pointer, and which returns NULL if and only if failure occurs.
+	(safe_alloc_check): New function.
+	(ALLOC, ALLOC_N, ALLOC_N_UNINITIALIZED, REALLOC_N):
+	Redo using the new API for internal functions, and using calloc
+	which is good enough since it’s GNU-compatible now.
+	(FREE): Expand to an expression rather than merely to something
+	that needs a following ‘;’ to become a statement.
+	* modules/safe-alloc (Depends-on): Add calloc-gnu.
+
 	calloc-gnu: now LGPLv2+
 	* modules/calloc-gnu (License): Change from GPL to LGPLv2+.
 	The old value was evidently a longstanding typo, and calloc
diff --git a/doc/safe-alloc.texi b/doc/safe-alloc.texi
index d40ec65b6..e896e2598 100644
--- a/doc/safe-alloc.texi
+++ b/doc/safe-alloc.texi
@@ -13,6 +13,8 @@ Some of the memory allocation mistakes that are commonly made are
 passing the incorrect number of bytes to @code{malloc}, especially
 when allocating an array,
 @item
+unchecked integer overflow when calculating array sizes,
+@item
 fail to check the return value of @code{malloc} and @code{realloc} for
 errors,
 @item
diff --git a/lib/safe-alloc.c b/lib/safe-alloc.c
index 116ac4371..df061f9ef 100644
--- a/lib/safe-alloc.c
+++ b/lib/safe-alloc.c
@@ -1,91 +1,3 @@
-/* safe-alloc.c: safer memory allocation
-
-   Copyright (C) 2009-2021 Free Software Foundation, Inc.
-
-   This program is free software: you can redistribute it and/or modify it
-   under the terms of the GNU General Public License as published by the
-   Free Software Foundation; either version 3 of the License, or any
-   later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
-
-/* Written by Daniel Berrange <berrange@redhat.com>, 2008 */
-
 #include <config.h>
-
-/* Specification.  */
+#define SAFE_ALLOC_INLINE _GL_EXTERN_INLINE
 #include "safe-alloc.h"
-
-#include <stdlib.h>
-#include <stddef.h>
-#include <errno.h>
-
-
-/**
- * safe_alloc_alloc_n:
- * @ptrptr: pointer to pointer for address of allocated memory
- * @size: number of bytes to allocate
- * @count: number of elements to allocate
- *
- * Allocate an array of memory 'count' elements long,
- * each with 'size' bytes. Return the address of the
- * allocated memory in 'ptrptr'.  The newly allocated
- * memory is filled with zeros.
- *
- * Return -1 on failure to allocate, zero on success
- */
-int
-safe_alloc_alloc_n (void *ptrptr, size_t size, size_t count, int zeroed)
-{
-  if (size == 0 || count == 0)
-    {
-      *(void **) ptrptr = NULL;
-      return 0;
-    }
-
-  if (zeroed)
-    *(void **) ptrptr = calloc (count, size);
-  else
-    *(void **) ptrptr = reallocarray (NULL, count, size);
-
-  if (*(void **) ptrptr == NULL)
-    return -1;
-  return 0;
-}
-
-/**
- * safe_alloc_realloc_n:
- * @ptrptr: pointer to pointer for address of allocated memory
- * @size: number of bytes to allocate
- * @count: number of elements in array
- *
- * Resize the block of memory in 'ptrptr' to be an array of
- * 'count' elements, each 'size' bytes in length. Update 'ptrptr'
- * with the address of the newly allocated memory. On failure,
- * 'ptrptr' is not changed and still points to the original memory
- * block. The newly allocated memory is filled with zeros.
- *
- * Return -1 on failure to allocate, zero on success
- */
-int
-safe_alloc_realloc_n (void *ptrptr, size_t size, size_t count)
-{
-  void *tmp;
-  if (size == 0 || count == 0)
-    {
-      free (*(void **) ptrptr);
-      *(void **) ptrptr = NULL;
-      return 0;
-    }
-  tmp = reallocarray (*(void **) ptrptr, size, count);
-  if (!tmp)
-    return -1;
-  *(void **) ptrptr = tmp;
-  return 0;
-}
diff --git a/lib/safe-alloc.h b/lib/safe-alloc.h
index 1c655734e..7de424f3c 100644
--- a/lib/safe-alloc.h
+++ b/lib/safe-alloc.h
@@ -15,76 +15,89 @@
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 
-/* Written by Daniel Berrange <berrange@redhat.com>, 2008 */
+/* Written by Daniel Berrange and Paul Eggert.  */
 
 #ifndef SAFE_ALLOC_H_
-# define SAFE_ALLOC_H_
+#define SAFE_ALLOC_H_
 
-# include <stdlib.h>
+#include <stdlib.h>
 
-/* Don't call these directly - use the macros below */
-int
-safe_alloc_alloc_n (void *ptrptr, size_t size, size_t count, int zeroed)
-  _GL_ATTRIBUTE_NODISCARD;
+#ifndef _GL_INLINE_HEADER_BEGIN
+   #error "Please include config.h first."
+#endif
+_GL_INLINE_HEADER_BEGIN
+#ifndef SAFE_ALLOC_INLINE
+# define SAFE_ALLOC_INLINE _GL_INLINE
+#endif
 
-int
-safe_alloc_realloc_n (void *ptrptr, size_t size, size_t count)
-  _GL_ATTRIBUTE_NODISCARD;
+/* Don't call these directly - use the macros below.  */
+SAFE_ALLOC_INLINE void *
+safe_alloc_realloc_n (void *ptr, size_t count, size_t size)
+{
+  if (count == 0 || size == 0)
+    count = size = 1;
+  return reallocarray (ptr, count, size);
+}
+SAFE_ALLOC_INLINE int _GL_ATTRIBUTE_NODISCARD
+safe_alloc_check (void *ptr)
+{
+  /* Return 0 if the allocation was successful, -1 otherwise.  */
+  return -!ptr;
+}
 
 /**
  * ALLOC:
- * @ptr: pointer to hold address of allocated memory
+ * @ptr: pointer to allocated memory
  *
- * Allocate sizeof(*ptr) bytes of memory and store
- * the address of allocated memory in 'ptr'. Fill the
+ * Allocate sizeof *ptr bytes of memory and store
+ * the address of allocated memory in 'ptr'.  Fill the
  * newly allocated memory with zeros.
  *
- * Return -1 on failure to allocate, zero on success
+ * Return -1 on failure to allocate, zero on success.
  */
-# define ALLOC(ptr)                                     \
-  safe_alloc_alloc_n (&(ptr), sizeof (*(ptr)), 1, 1)
+#define ALLOC(ptr) ALLOC_N (ptr, 1)
 
 /**
  * ALLOC_N:
- * @ptr: pointer to hold address of allocated memory
+ * @ptr: pointer to allocated memory
  * @count: number of elements to allocate
  *
- * Allocate an array of 'count' elements, each sizeof(*ptr)
+ * Allocate an array of 'count' elements, each sizeof *ptr
  * bytes long and store the address of allocated memory in
- * 'ptr'. Fill the newly allocated memory with zeros.
+ * 'ptr'.  Fill the newly allocated memory with zeros.
  *
- * Return -1 on failure, 0 on success
+ * Return -1 on failure, 0 on success.
  */
-# define ALLOC_N(ptr, count)                                    \
-  safe_alloc_alloc_n (&(ptr), sizeof (*(ptr)), (count), 1)
+#define ALLOC_N(ptr, count) \
+  safe_alloc_check ((ptr) = calloc (count, sizeof *(ptr)))
 
 /**
  * ALLOC_N_UNINITIALIZED:
- * @ptr: pointer to hold address of allocated memory
+ * @ptr: pointer to allocated memory
  * @count: number of elements to allocate
  *
- * Allocate an array of 'count' elements, each sizeof(*ptr)
+ * Allocate an array of 'count' elements, each sizeof *ptr
  * bytes long and store the address of allocated memory in
- * 'ptr'. Do not initialize the new memory at all.
+ * 'ptr'.  Do not initialize the new memory at all.
  *
- * Return -1 on failure to allocate, zero on success
+ * Return -1 on failure to allocate, zero on success.
  */
-# define ALLOC_N_UNINITIALIZED(ptr, count)                      \
-  safe_alloc_alloc_n (&(ptr), sizeof (*(ptr)), (count), 0)
+#define ALLOC_N_UNINITIALIZED(ptr, count) \
+  safe_alloc_check ((ptr) = safe_alloc_realloc_n (NULL, count, sizeof *(ptr)))
 
 /**
  * REALLOC_N:
- * @ptr: pointer to hold address of allocated memory
+ * @ptr: pointer to allocated memory
  * @count: number of elements to allocate
  *
- * Re-allocate an array of 'count' elements, each sizeof(*ptr)
+ * Re-allocate an array of 'count' elements, each sizeof *ptr
  * bytes long and store the address of allocated memory in
- * 'ptr'. Fill the newly allocated memory with zeros
+ * 'ptr'.  Fill the newly allocated memory with zeros.
  *
- * Return -1 on failure to reallocate, zero on success
+ * Return -1 on failure to reallocate, zero on success.
  */
-# define REALLOC_N(ptr, count)                                  \
-  safe_alloc_realloc_n (&(ptr), sizeof (*(ptr)), (count))
+#define REALLOC_N(ptr, count) \
+  safe_alloc_check ((ptr) = safe_alloc_realloc_n (ptr, count, sizeof *(ptr)))
 
 /**
  * FREE:
@@ -93,12 +106,8 @@ safe_alloc_realloc_n (void *ptrptr, size_t size, size_t count)
  * Free the memory stored in 'ptr' and update to point
  * to NULL.
  */
-# define FREE(ptr)                              \
-  do                                            \
-    {                                           \
-      free (ptr);                               \
-      (ptr) = NULL;                             \
-    }                                           \
-  while (0)
+#define FREE(ptr) ((void) (free (ptr), (ptr) = NULL))
+
+_GL_INLINE_HEADER_END
 
 #endif /* SAFE_ALLOC_H_ */
diff --git a/modules/safe-alloc b/modules/safe-alloc
index 9453b49ee..180aa8a2d 100644
--- a/modules/safe-alloc
+++ b/modules/safe-alloc
@@ -7,6 +7,7 @@ lib/safe-alloc.c
 m4/safe-alloc.m4
 
 Depends-on:
+calloc-gnu
 reallocarray
 
 configure.ac:
-- 
2.27.0

Re: [PATCH 4/8] xalloc: new function xreallocarray

[Bruno Haible]

Paul Eggert wrote:
> +	xalloc: new function xreallocarray
> +	This effectively replaces xnmalloc, which perhaps should be deprecated.
> +	The name xreallocarray should be easier to remember now that
> +	reallocarray is a standard GNU function.

I disagree that xnmalloc should be deprecated. In 90% of the cases where
I use xnmalloc() or its macro equivalent XNMALLOC, it's for arrays that
get allocated once and freed once.

xnmalloc and XNMALLOC take 2 arguments, whereas xreallocarray takes 3
arguments. It is often possible to express a function with a simple
interface as a special case of a more complex function. If, in many
use-cases, the simpler function is sufficient, users should not be
forced to understand the more complex function.

No one has ever proposed to deprecate malloc(), although it is a special
case of realloc(). Or to deprecate gettext(), on the grounds that it is
a special case of dcgettext().

Bruno

Re: [PATCH 1/8] safe-alloc: improve doc

[Eric Blake]

On 4/18/21 11:01 PM, Paul Eggert wrote:
> * doc/safe-alloc.texi: Clarify that reallocating an array appends
> uninitialized storage.  Say ‘sizeof *p’ rather than ‘sizeof(*p)’
> which would need a space before the paren to follow GNU style.

Something in you recent malloc work (I'm not yet sure if it was this
particular series) is breaking compilation on Fedora Rawhide:

  CC       regex.o
In file included from regexec.c:1368,
                 from regex.c:74:
./malloc/dynarray-skeleton.c:195:24: error: expected declaration
specifiers or '...' before '(' token
  195 | __attribute_nonnull__ ((1))
      |                        ^

Looks like the definition of macro  __attribute_nonnull__ from cdefs.h
is no longer implicitly picked up by the system headers used in that file.

I'm still poking around to see if I can fix it, but you're welcome to
beat me to it..

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Re: [PATCH 1/8] safe-alloc: improve doc

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

On 4/22/21 11:20 AM, Eric Blake wrote:

> Looks like the definition of macro  __attribute_nonnull__ from cdefs.h
> is no longer implicitly picked up by the system headers used in that file.

I installed the attached Gnulib patch to fix that; please give it a try.

If it works, we should sync Gnulib's cdefs.h back into glibc.

[-- Attachment #2: 0001-libc-config-port-better-to-Fedora-Rawhide.patch --]
[-- Type: text/x-patch, Size: 3950 bytes --]

From eb32c992c90617b529e2ce08ad6014d418dceaf9 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 22 Apr 2021 12:29:49 -0700
Subject: [PATCH] libc-config: port better to Fedora Rawhide
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem reported by Eric Blake in:
https://lists.gnu.org/r/bug-gnulib/2021-04/msg00181.html
* lib/cdefs.h: Make this closer to glibc, so that we can
merge Gnulib into glibc here.
(__attribute_maybe_unused__): Make identical to glibc’s
definition, though with an additional comment.
(__attribute_nonnull__): Add clarifying comment.
Make inclusion of bits/wordsize.h, bits/long-double.h
dependent on __GLIBC__, not on !__WORDSIZE.
* lib/libc-config.h: Use __attribute_nonnull__,
not __attribute_maybe_unused__, to detect whether
to include sys/cdefs.h.
---
 ChangeLog         | 16 ++++++++++++++++
 lib/cdefs.h       | 14 +++++++++-----
 lib/libc-config.h |  2 +-
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 579284336..eacc4a53f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2021-04-22  Paul Eggert  <eggert@cs.ucla.edu>
+
+	libc-config: port better to Fedora Rawhide
+	Problem reported by Eric Blake in:
+	https://lists.gnu.org/r/bug-gnulib/2021-04/msg00181.html
+	* lib/cdefs.h: Make this closer to glibc, so that we can
+	merge Gnulib into glibc here.
+	(__attribute_maybe_unused__): Make identical to glibc’s
+	definition, though with an additional comment.
+	(__attribute_nonnull__): Add clarifying comment.
+	Make inclusion of bits/wordsize.h, bits/long-double.h
+	dependent on __GLIBC__, not on !__WORDSIZE.
+	* lib/libc-config.h: Use __attribute_nonnull__,
+	not __attribute_maybe_unused__, to detect whether
+	to include sys/cdefs.h.
+
 2021-04-21  Paul Eggert  <eggert@cs.ucla.edu>
 
 	realloc: port to AIX 7.1
diff --git a/lib/cdefs.h b/lib/cdefs.h
index 90f97412a..9618152ab 100644
--- a/lib/cdefs.h
+++ b/lib/cdefs.h
@@ -259,10 +259,12 @@
 # define __attribute_const__ /* Ignore */
 #endif
 
-#if defined __STDC_VERSION__ && 201710L < __STDC_VERSION__
-# define __attribute_maybe_unused__ [[__maybe_unused__]]
-#elif __GNUC_PREREQ (2,7) || __glibc_has_attribute (__unused__)
+#if __GNUC_PREREQ (2,7) || __glibc_has_attribute (__unused__)
 # define __attribute_maybe_unused__ __attribute__ ((__unused__))
+/* Once the next version of the C standard comes out, we can
+   do something like the following here:
+   #elif defined __STDC_VERSION__ && 202???L <= __STDC_VERSION__
+   # define __attribute_maybe_unused__ [[__maybe_unused__]]   */
 #else
 # define __attribute_maybe_unused__ /* Ignore */
 #endif
@@ -320,7 +322,9 @@
 #endif
 
 /* The nonnull function attribute marks pointer parameters that
-   must not be NULL.  */
+   must not be NULL.  This has the name __nonnull in glibc,
+   and __attribute_nonnull__ in files shared with Gnulib to avoid
+   collision with a different __nonnull in DragonFlyBSD 5.9.  */
 #ifndef __attribute_nonnull__
 # if __GNUC_PREREQ (3,3) || __glibc_has_attribute (__nonnull__)
 #  define __attribute_nonnull__(params) __attribute__ ((__nonnull__ params))
@@ -487,7 +491,7 @@
 
 /* The #ifndef lets Gnulib avoid including these on non-glibc
    platforms, where the includes typically do not exist.  */
-#ifndef __WORDSIZE
+#ifdef __GLIBC__
 # include <bits/wordsize.h>
 # include <bits/long-double.h>
 #endif
diff --git a/lib/libc-config.h b/lib/libc-config.h
index f14013f7e..f2c86144b 100644
--- a/lib/libc-config.h
+++ b/lib/libc-config.h
@@ -71,7 +71,7 @@
 # endif
 #endif
 
-#ifndef __attribute_maybe_unused__
+#ifndef __attribute_nonnull__
 /* <sys/cdefs.h> either does not exist, or is too old for Gnulib.
    Prepare to include <cdefs.h>, which is Gnulib's version of a
    more-recent glibc <sys/cdefs.h>.  */
-- 
2.27.0

Re: [PATCH 4/8] xalloc: new function xreallocarray

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 215 bytes --]

On 4/21/21 5:18 PM, Bruno Haible wrote:
> I disagree that xnmalloc should be deprecated.

I agree. That was a thinko in my ChangeLog entry; I meant to write 
"xnrealloc". Sorry about that. I installed the attached.

[-- Attachment #2: 0001-ChangeLog-Fix-thinko.patch --]
[-- Type: text/x-patch, Size: 818 bytes --]

From ca883666cb34922d9ab1bd0ac0101970c7aa3910 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 22 Apr 2021 12:35:57 -0700
Subject: [PATCH] * ChangeLog: Fix thinko.

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index eacc4a53f..ec81fe4b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -116,7 +116,7 @@
 	When optimizing, simply use ptrdiff_t instead of xalloc_count_t.
 
 	xalloc: new function xreallocarray
-	This effectively replaces xnmalloc, which perhaps should be deprecated.
+	This is the same as xnrealloc, which perhaps should be deprecated.
 	The name xreallocarray should be easier to remember now that
 	reallocarray is a standard GNU function.
 	* lib/xalloc.h [GNULIB_XALLOC]: Do not include xalloc-oversized.h.
-- 
2.27.0

Re: [PATCH 1/8] safe-alloc: improve doc

[Eric Blake]

On 4/22/21 2:32 PM, Paul Eggert wrote:
> On 4/22/21 11:20 AM, Eric Blake wrote:
> 
>> Looks like the definition of macro  __attribute_nonnull__ from cdefs.h
>> is no longer implicitly picked up by the system headers used in that
>> file.
> 
> I installed the attached Gnulib patch to fix that; please give it a try.
> 
> If it works, we should sync Gnulib's cdefs.h back into glibc.

Yep, that got it. Thanks for a quick fix.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Re: [PATCH 1/8] safe-alloc: improve doc

[Eric Blake]

On 4/22/21 1:20 PM, Eric Blake wrote:
> On 4/18/21 11:01 PM, Paul Eggert wrote:
>> * doc/safe-alloc.texi: Clarify that reallocating an array appends
>> uninitialized storage.  Say ‘sizeof *p’ rather than ‘sizeof(*p)’
>> which would need a space before the paren to follow GNU style.
> 
> Something in you recent malloc work (I'm not yet sure if it was this
> particular series) is breaking compilation on Fedora Rawhide:
> 
>   CC       regex.o
> In file included from regexec.c:1368,
>                  from regex.c:74:
> ./malloc/dynarray-skeleton.c:195:24: error: expected declaration
> specifiers or '...' before '(' token
>   195 | __attribute_nonnull__ ((1))
>       |                        ^
> 

For closure on this thread, my git bisect finally ended at fc6d7d850
"libc-config: port to DragonFlyBSD 5.9" as the point the problem was
introduced; but since the fix is already in, this observation is now
just for archival purposes

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Re: [PATCH 4/8] xalloc: new function xreallocarray

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 1116 bytes --]

On 4/21/21 17:18, Bruno Haible wrote:
> xnmalloc and XNMALLOC take 2 arguments, whereas xreallocarray takes 3
> arguments. It is often possible to express a function with a simple
> interface as a special case of a more complex function. If, in many
> use-cases, the simpler function is sufficient, users should not be
> forced to understand the more complex function.

Good point. Also, xnmalloc enables better static checking, as it has 
__attribute__ ((__malloc__)), __attribute__ ((__malloc__ (free, 1))), 
and  __attribute__ ((__returns_nonnull__)), whereas xreallocarray 
doesn't have these.

I noticed this when converting GNU diffutils to use ximalloc etc, and 
this this convinced me to add xinmalloc, by installing the attached 
patch. I plan to use this in GNU diffutils and probably other apps.


Should we change xreallocarray to always return nonnull? We could then 
add __attribute__ ((__returns_nonnull__)) to its declaration. This might 
help performance and/or static checking a bit. The only downside I can 
see is that xreallocarray's semantics would differ a bit more from glibc 
reallocarray's.

[-- Attachment #2: 0001-xalloc-new-function-xinmalloc.patch --]
[-- Type: text/x-patch, Size: 1909 bytes --]

From de6894e291369f73dc343d544b29367493b312b4 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 19 Oct 2021 16:31:32 -0700
Subject: [PATCH] xalloc: new function xinmalloc

* lib/xmalloc.c (xinmalloc): New function, which is like
xnmalloc but for idx_t instead of size_t.
---
 ChangeLog     | 6 ++++++
 lib/xalloc.h  | 3 +++
 lib/xmalloc.c | 6 ++++++
 3 files changed, 15 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a017453dc..2f19e30a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2021-10-19  Paul Eggert  <eggert@cs.ucla.edu>
+
+	xalloc: new function xinmalloc
+	* lib/xmalloc.c (xinmalloc): New function, which is like
+	xnmalloc but for idx_t instead of size_t.
+
 2021-10-18  Paul Eggert  <eggert@cs.ucla.edu>
 
 	regex: fix buffer read overrrun
diff --git a/lib/xalloc.h b/lib/xalloc.h
index ee07113fe..7f2c3fb8a 100644
--- a/lib/xalloc.h
+++ b/lib/xalloc.h
@@ -60,6 +60,9 @@ void *xmalloc (size_t s)
 void *ximalloc (idx_t s)
   _GL_ATTRIBUTE_MALLOC _GL_ATTRIBUTE_DEALLOC_FREE
   _GL_ATTRIBUTE_ALLOC_SIZE ((1)) _GL_ATTRIBUTE_RETURNS_NONNULL;
+void *xinmalloc (idx_t n, idx_t s)
+  _GL_ATTRIBUTE_MALLOC _GL_ATTRIBUTE_DEALLOC_FREE
+  _GL_ATTRIBUTE_ALLOC_SIZE ((1, 2)) _GL_ATTRIBUTE_RETURNS_NONNULL;
 void *xzalloc (size_t s)
   _GL_ATTRIBUTE_MALLOC _GL_ATTRIBUTE_DEALLOC_FREE
   _GL_ATTRIBUTE_ALLOC_SIZE ((1)) _GL_ATTRIBUTE_RETURNS_NONNULL;
diff --git a/lib/xmalloc.c b/lib/xmalloc.c
index 51a0832de..d5def0bc7 100644
--- a/lib/xmalloc.c
+++ b/lib/xmalloc.c
@@ -101,6 +101,12 @@ xnmalloc (size_t n, size_t s)
   return xreallocarray (NULL, n, s);
 }
 
+void *
+xinmalloc (idx_t n, idx_t s)
+{
+  return xireallocarray (NULL, n, s);
+}
+
 /* If P is null, allocate a block of at least *PS bytes; otherwise,
    reallocate P so that it contains more than *PS bytes.  *PS must be
    nonzero unless P is null.  Set *PS to the new block's size, and
-- 
2.31.1