One can safely allocate x elements of size y in C by using calloc(x, y) and calloc() will take care of the multiplication x*y.
However realloc() for example only takes the new size as parameter and I was wondering how I could safely realloc x*y bytes using realloc().
What if x*y doesn't fit in size_t? How does calloc() handle this?
The size_t is an unsigned type, and the maximum value of size_t is the absolute maximum size of object that can be allocated with realloc or malloc; this is available in the macro SIZE_MAX. On 32-bit personal computers the size_t is often 32 bits; 64 bits on 64-bit computers. It should be enough.
To ensure that the calculation of item_size * n_items does not overflow, you can divide the SIZE_MAX by item_size and ensure that the resulting value is greater than or equal to n_items:
size_t max_items = SIZE_MAX / item_size;
if (max_items < n_items) {
// an overflow would occur
}
else {
// it is ok
}
calloc must return NULL if the allocation did not succeed, so calloc most probably has a check similar to one above.
The short answer is that you can't do it safely. The most you can do is limit the amount of memory you attempt to allocate so it does not exceed SIZE_MAX.
SIZE_MAX is the maximum value that can be produced by the sizeof operator.
Every data type in C must have a size that can be computed using sizeof, including arrays, and any contiguous block of memory allocated using malloc(), calloc(), or realloc().
If x*y is mathematically greater than SIZE_MAX, then it is not possible to allocate that amount of memory by any means. Even if the underlying system supports that, the C program will not be able to use that memory block entirely.
There is also a concern that computing x*y (assuming x and y are of type size_t) will use modulo arithmetic, so will actually give the result mathematically equivalent to (x*y)%(SIZE_MAX + 1).
What if x*y doesn't fit in size_t? How does
calloc()handle this?
realloc() and malloc() are limited in that the size argument passed to them is limited to SIZE_MAX. Not so with calloc()
A compliant C implementation is not required to limit calloc() to allocating memory of only SIZE_MAX. The following may work. An single type can have a maximum size of SIZE_MAX and an array size can be as large as SIZE_MAX SIZE_MAX-1 "bytes", yet iptr below is not an array, but a pointer.
// Assume sizeof(double) == 8
double *iptr = calloc(SIZE_MAX, sizeof *iptr);
Re-allocating such large pointers is problematic as it requires using another call to calloc()
How to avoid overflow in
realloc?
OP's problem is not so much of what realloc() can handle but of how code calculates the values passed to it may overflow.
To insure an unsigned type, like size_t, does not overflow multiplication:
if (b && a > SIZE_MAX/b) Handle_Overflow();
prod = a*b;
size_t is an unsigned type.
For unsigned types overflow behaviour is deterministic, as mentioned in C11
[....] because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type.
So, as long as you make sure the operation which produces the value to be stored in the variable type size_t does not overflow in the process, passing that variable to realloc() has no impact. At most, realloc() will fail to allocate that memory.
If x * y overflows size_t, realloc will try to allocate that value which was overflown:
bytes = (x * y) % 2^(sizeof(size_t) * 8)
So realloc will "see" bytes amount of bytes. It does not take care of anything.
