Many functions require the allocation of multiple resources. Failing and returning somewhere in the middle of this function without freeing all of the allocated resources could produce a memory leak. It is a common error to forget to free one (or all) of the resources in this manner, so a
goto chain is the simplest and cleanest way to organize exits while preserving the order of freed resources.
Noncompliant Code Example (POSIX)
In this noncompliant example, exit code is written for every instance in which the function can terminate prematurely. Notice how failing to close
fin2 produces a resource leak, leaving an open file descriptor.
Please note that these examples assume
NOERR to be defined, as recommended in DCL09-C. Declare functions that return errno with a return type of errno_t. An equivalent compatible example would define
errno_t as an
NOERR as zero.
These examples also assume that
errno is set if
malloc() fail. These are guaranteed by POSIX but not by C11. See ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure for more details.
This is just a small example; in much larger examples, errors like this are even harder to detect.
Compliant Solution (POSIX, Nested Ifs)
This compliant solution uses nested if statements to properly close files and free memory in the case that any error occurs. When the number of resources to manage is small (3 in this example), nested if statements will be simpler than a goto chain.
Compliant Solution (POSIX, Goto Chain)
Occasionally, the number of resources to manage in one function will be too large to permit using nested ifs to manage them.
In this revised version, a
goto chain replaces each individual return segment. If no error occurs, control flow falls through to the
SUCCESS label, releases all of the resources, and returns
NOERR. If an error occurs, the return value is set to
errno, control flow jumps to the proper failure label, and the appropriate resources are released before returning.
This method is beneficial because the code is cleaner, and the programmer does not need to rewrite similar code upon every function error.
Note that this guideline does not advocate more general uses of goto, which is still considered harmful. The use of goto in these cases is specifically to transfer control within a single function body.
Compliant Solution (
copy_process() from Linux kernel)
Some effective examples of
goto chains are quite large. This compliant solution is an excerpt from the Linux kernel. This is the
copy_process function from
kernel/fork.c from version 2.6.29 of the kernel.
The function uses 17
goto labels (not all displayed here) to perform cleanup code should any internal function yield an error code. If no errors occur, the program returns a pointer to the new process
p. If any error occurs, the program diverts control to a particular
goto label, which performs cleanup for sections of the function that have currently been successfully executed but not for sections that have not yet been executed. Consequently, only resources that were successfully opened are actually closed.
All comments in this excerpt were added to indicate additional code in the kernel not displayed here.
Failure to free allocated memory or close opened files results in a memory leak and possibly unexpected results.
|LDRA tool suite|
|50 D||Partially implemented|
Ensure resources are freed
|Polyspace Bug Finder|
Checks for memory leak and resource leak (rec. partially covered)
|Dijkstra, Edgar, "Go To Statement Considered Harmful.", 1968|
|Linux Kernel Sourcecode (v2.6.xx)||2.6.29, |
|[Seacord 2013]||Chapter 4, "Dynamic Memory Management"|