| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
 | /*
 * Copyright (C) 2012-2025 Robin Haberkorn
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#define USE_DL_PREFIX /* for dlmalloc */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef HAVE_MALLOC_H
#include <malloc.h>
#endif
#ifdef HAVE_MALLOC_NP_H
#include <malloc_np.h>
#endif
#ifdef HAVE_WINDOWS_H
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <psapi.h>
#endif
/*
 * For task_info() on OS X.
 */
#ifdef HAVE_MACH_MACH_H
#include <mach/mach.h>
#endif
#ifdef HAVE_MACH_MESSAGE_H
#include <mach/message.h>
#endif
#ifdef HAVE_MACH_KERN_RETURN_H
#include <mach/kern_return.h>
#endif
#ifdef HAVE_MACH_TASK_INFO_H
#include <mach/task_info.h>
#endif
/*
 * For sysctl() on FreeBSD.
 */
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_USER_H
#include <sys/user.h>
#endif
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
#endif
/*
 * For sysconf() on Linux.
 */
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#include <glib.h>
/*
 * For open() (currently only on Linux).
 */
#ifdef G_OS_UNIX
#include <sys/stat.h>
#include <fcntl.h>
#endif
#include "sciteco.h"
#include "error.h"
#include "undo.h"
#include "memory.h"
/**
 * @file
 * Memory measurement and limiting.
 *
 * A discussion of memory measurement techniques on Linux
 * and UNIXoid operating systems is in order, since this
 * problem turned out to be rather tricky.
 *
 * @par Size of the program break
 * There is also the old-school technique of calculating the size
 * of the program break, i.e. the effective size of the DATA segment.
 * This works under the assumption that all allocations are
 * performed by extending the program break, as is __traditionally__
 * done by malloc() and friends.
 *
 * - Unfortunately, modern malloc() implementations sometimes
 *   mmap() memory, especially for large allocations.
 *   SciTECO mostly allocates small chunks.
 *   Unfortunately, some malloc implementations like jemalloc
 *   only claim memory using mmap(), thus rendering sbrk(0)
 *   useless.
 * - Furthermore, some malloc-implementations like glibc will
 *   only shrink the program break when told so explicitly
 *   using malloc_trim(0).
 * - The sbrk(0) method thus depends on implementation details
 *   of the libc.
 * - However, this might be a suitable backend on old UNIX-platforms
 *   or a as a fallback for teco_memory_get_usage().
 *
 * @par Resource limits
 * UNIX has resource limits, which could be used to enforce
 * the memory limit, but in case they are hit, malloc()
 * will return NULL, so g_malloc() would abort().
 * Wrapping malloc() to work around that has the same
 * problems described below.
 *
 * @par Hooking malloc()
 * malloc_usable_size() could be used to count the memory
 * consumption by updating a counter after every malloc(),
 * realloc() and free().
 * malloc_usable_size() is libc-specific, but available at least in
 * glibc and jemalloc (FreeBSD). Windows (MSVCRT) has `_msize()`.
 * This would require overwriting or hooking all calls to
 * malloc() and friends, though.
 * For all other platforms, we'd have to rely on writing the
 * heap object size into every heap object, thus wasting
 * one word per heap object.
 *
 * - glibc has malloc hooks, but they are non-portable and
 *   deprecated.
 * - It is possible to effectively wrap malloc() by overriding
 *   the libc's implementation, which will even work when
 *   statically linking in libc since malloc() is usually
 *   declared `weak`.
 *   This however does probably not work on all platforms and
 *   means you need to know the original function (pointers).
 *   It should work sufficiently when linking everything statically.
 * - glibc exports symbols for the original malloc() implementation
 *   like `__libc_malloc()` that could be used for wrapping.
 *   This is undocumented and libc-specific, though.
 * - The GNU ld --wrap option allows us to intercept calls,
 *   but obviously won't work for shared libraries.
 * - The portable dlsym() could be used to look up the original
 *   library symbol, but it may and does call malloc functions,
 *   e.g. calloc() on glibc.
 *   Some people work around this using bootstrap makeshift allocators
 *   used only during dlsym().
 *   __In other words, there is no way to portably and reliably
 *   wrap malloc() and friends when linking dynamically.__
 * - Another difficulty is that, when free() is overridden, every
 *   function that can __independently__ allocate memory that
 *   can be passed to free() must also be overridden.
 *   This is impossible to know without making assumptions about the
 *   malloc implementation used.
 *   Otherwise the measurement is not precise and there can even
 *   be underruns. Thus we'd have to guard against underruns.
 * - Unfortunately, it is undefined whether the "usable" size of
 *   a heap object can change unwittingly, i.e. not by malloc() or
 *   realloc() on that same heap object, but for instance after a
 *   neighbouring heap object is freed.
 *   If this can happen, free() on that heap object might subtract
 *   more than was initially added for this heap object, resulting
 *   in measurement underruns.
 * - malloc() and friends are MT-safe, so any replacement function
 *   would have to be MT-safe as well to avoid memory corruption.
 *
 * Memory counting using malloc_usable_size() in overwritten/wrapped
 * malloc()/realloc()/free() calls has thus been deemed impractical.
 *
 * Overriding could only work if we store the allocated size
 * at the beginning of each heap object and would link in an external
 * malloc() implementation, so that the symbol names are known.
 *
 * Unfortunately, overwriting libc functions is also non-portable,
 * so replacing the libc malloc with an external allocator is tricky.
 * On Linux (and hopefully other UNIXes), you can simply link
 * in the malloc replacement statically which will even let the
 * dynamic linker pick the new implementation.
 * On Windows however, we would apparently need incredibly hacky code
 * to patch the symbol tables
 * (see https://github.com/ned14/nedmalloc/blob/master/winpatcher.c).
 * Alternatively, everything __including__ MSVCRT needs to be linked
 * in statically. This is not supported by MinGW and would have certain
 * disadvantages even if it worked.
 *
 * @par malloc() introspection
 * glibc and some other platforms have mallinfo().
 * But at least on glibc it can get unbearably slow on programs
 * with a lot of (virtual/resident) memory.
 * Besides, mallinfo's API is broken on 64-bit systems, effectively
 * limiting the enforcable memory limit to 4GB.
 * Other glibc-specific introspection functions like malloc_info()
 * can be even slower because of the syscalls required.
 *
 * - FreeBSD/jemalloc has mallctl("stats.allocated") which even when
 *   optimized is significantly slower than the current implementation
 *   but generally acceptable.
 * - dlmalloc has malloc_footprint() which is very fast.
 *   It was therefore considered to simply import dlmalloc as the default
 *   allocator on (almost) all platforms.
 *   Despite problems overwriting malloc() globally on some platforms,
 *   this turned out to be impractical since malloc_footprint() includes
 *   only the mmapped memory and memory is not always unmapped even when
 *   calling malloc_trim(), so we couldn't recover after hitting
 *   the memory limit.
 * - rpmalloc has a cheap rpmalloc_global_statistics() but enabling it
 *   comes with a memory overhead.
 * - There seems to be no other malloc() replacement with a constant-time
 *   function returning the footprint.
 *
 * @par Instrumenting all of SciTECO's and C++ allocations.
 * If we don't want to count each and every allocation in the system,
 * we could also use custom allocators/deallocators together with
 * malloc_usable_size().
 * For many objects, the size will also be known at free() time, so
 * malloc_usable_size() can be avoided.
 *
 * - To track Scintilla's memory usage, custom C++ allocators/deallocators
 *   can be defined.
 * - Beginning with C++14 (or earlier with -fsized-deallocation),
 *   it is possible to globally replace sized allocation/deallocation
 *   functions, which could be used to avoid the malloc_usable_size()
 *   workaround. Unfortunately, this may not be used for arrays,
 *   since the compiler may have to call non-sized variants if the
 *   original allocation size is unknown - and there is no way to detect
 *   that when the new[] call is made.
 *   What's worse is that at least G++ STL is broken seriously and
 *   some versions will call the non-sized delete() even when sized-deallocation
 *   is available. Again, this cannot be detected at new() time.
 *   Therefore, I had to remove the sized-deallocation based
 *   optimization.
 * - This approach has the same disadvantages as wrapping malloc() because
 *   of the unreliability of malloc_usable_size().
 *   Furthermore, all allocations by glib (e.g. g_strdup()) will be missed.
 *
 * @par Directly measuring the resident memory size
 * It is of course possible to query the program's RSS via OS APIs.
 * This has long been avoided because it is naturally platform-dependant and
 * some of the APIs have proven to be too slow for frequent polling.
 * Also, this will only reliably work if malloc_trim(0) does what it's
 * supposed to do.
 *
 * - Windows has GetProcessMemoryInfo() which is quite slow.
 *   When polled on a separate thread, the slow down is very acceptable.
 * - POSIX has getrusage().
 *   __Its performance on different OS is still untested!__
 *   It reports in different units on different systems, see
 *   mimalloc/src/prim/unix/prim.c.
 *   The maxrss field does not shrink even with a working malloc_trim().
 * - OS X has task_info().
 *   __Its performance is still untested!__
 * - FreeBSD has sysctl().
 * - Linux has no APIs but /proc/self/statm.
 *   Reading it is naturally very slow, but at least of constant time.
 *   When polled on a separate thread, the slow down is very acceptable.
 *   Also, use of malloc_trim() after hitting the memory limit is crucial
 *   since the RSS will otherwise not decrease.
 * - Haiku has no usable constant-time API.
 *
 * @par Conclusion
 * Every approach sucks and no platform supports everything.
 * We therefore now opted for a combined strategy:
 * Most platforms will by default try to replace malloc() with dlmalloc.
 * The dlmalloc functions are wrapped and the memory usage is counted via
 * malloc_usable_size() which in the case of dlmalloc should never change
 * for one heap object unless we realloc() it.
 * This should be fastest, the most precise and there is a guaranteed
 * malloc_trim().
 * Malloc overriding can be disabled at compile time to aid in memory
 * debugging.
 * On Windows and Mac OS, we never even try to link in dlmalloc.
 * If disabled, we try to directly measure memory consumption using
 * OS APIs.
 * Polling of the RSS takes place in a dedicated thread that is started
 * on demand and paused whenever the main thread is idle (e.g. waits for
 * user input), so we don't waste cycles.
 */
/**
 * Current memory usage.
 * Access must be synchronized using atomic operations.
 */
static guint teco_memory_usage = 0;
/*
 * NOTE: This implementation based on malloc_usable_size() might
 * also work with other malloc libraries, given that they provide
 * a malloc_usable_size() which does not change for a heap object
 * (unless it is reallocated of course).
 */
#ifdef REPLACE_MALLOC
#ifndef G_ATOMIC_LOCK_FREE
#warning "malloc() replacement will be very slow!"
#endif
void * __attribute__((used))
malloc(size_t size)
{
	void *ptr = dlmalloc(size);
	if (G_LIKELY(ptr != NULL))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(ptr));
	return ptr;
}
void __attribute__((used))
free(void *ptr)
{
	if (!ptr)
		return;
	g_atomic_int_add(&teco_memory_usage, -dlmalloc_usable_size(ptr));
	dlfree(ptr);
}
void * __attribute__((used))
calloc(size_t nmemb, size_t size)
{
	void *ptr = dlcalloc(nmemb, size);
	if (G_LIKELY(ptr != NULL))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(ptr));
	return ptr;
}
void * __attribute__((used))
realloc(void *ptr, size_t size)
{
	if (ptr)
		g_atomic_int_add(&teco_memory_usage, -dlmalloc_usable_size(ptr));
	ptr = dlrealloc(ptr, size);
	if (G_LIKELY(ptr != NULL))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(ptr));
	return ptr;
}
void * __attribute__((used))
memalign(size_t alignment, size_t size)
{
	void *ptr = dlmemalign(alignment, size);
	if (G_LIKELY(ptr != NULL))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(ptr));
	return ptr;
}
void * __attribute__((used))
aligned_alloc(size_t alignment, size_t size)
{
	return memalign(alignment, size);
}
int __attribute__((used))
posix_memalign(void **memptr, size_t alignment, size_t size)
{
	int ret = dlposix_memalign(memptr, alignment, size);
	if (G_LIKELY(!ret))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(*memptr));
	return ret;
}
void * __attribute__((used))
valloc(size_t size)
{
	void *ptr = dlvalloc(size);
	if (G_LIKELY(ptr != NULL))
		g_atomic_int_add(&teco_memory_usage, dlmalloc_usable_size(ptr));
	return ptr;
}
/*
 * The glibc manual claims we have to replace this function
 * but we'd need sysconf(_SC_PAGESIZE) to implement it.
 */
void * __attribute__((used))
pvalloc(size_t size)
{
	g_assert_not_reached();
	return NULL;
}
size_t __attribute__((used))
malloc_usable_size(void *ptr)
{
	return dlmalloc_usable_size(ptr);
}
int __attribute__((used))
malloc_trim(size_t pad)
{
	return dlmalloc_trim(pad);
}
/*
 * FIXME: Which platforms might need malloc_trim() to
 * recover from hitting the memory limit?
 * In other words, which platform's teco_memory_get_usage()
 * might return a large value even if most memory has already
 * been deallocated?
 */
#elif defined(G_OS_WIN32)
/*
 * On Windows, we never link in dlmalloc.
 *
 * NOTE: At least on Windows 2000, we run twice as fast than
 * when polling from a dedicated thread.
 *
 * NOTE: On Wine, we cannot recover from hitting the memory
 * limit, but this is probably because malloc() is actually
 * forwarded to the glibc which needs malloc_trim().
 * This should not be a problem on real Windows.
 */
static gsize
teco_memory_get_usage(void)
{
	PROCESS_MEMORY_COUNTERS info;
	/*
	 * This __should__ not fail since the current process has
	 * PROCESS_ALL_ACCESS, but who knows...
	 * Since memory limiting cannot be turned off when this
	 * happens, we can just as well terminate abnormally.
	 */
	if (G_UNLIKELY(!GetProcessMemoryInfo(GetCurrentProcess(),
	                                     &info, sizeof(info)))) {
		g_autofree gchar *msg = g_win32_error_message(GetLastError());
		g_error("Cannot get memory usage: %s", msg);
		return 0;
	}
	return info.WorkingSetSize;
}
#define NEED_POLL_THREAD
#elif defined(HAVE_TASK_INFO)
/*
 * Practically only for Mac OS X.
 *
 * NOTE: Running in a dedicated polling thread does indeed
 * improve our performance significantly.
 *
 * FIXME: We cannot simply overwrite weak malloc() functions
 * like on Linux since this does not affect shared libraries
 * unless $DYLD_FORCE_FLAT_NAMESPACE is set.
 * It should be possible to change the default malloc zone, though.
 * First experiments have been unsuccessful.
 * But see https://github.com/gperftools/gperftools/blob/master/src/libc_override_osx.h
 * https://chromium.googlesource.com/chromium/src/base/+/refs/heads/main/allocator/allocator_interception_mac.mm
 */
static gsize
teco_memory_get_usage(void)
{
	struct mach_task_basic_info info;
	mach_msg_type_number_t info_count = MACH_TASK_BASIC_INFO_COUNT;
	if (G_UNLIKELY(task_info(mach_task_self(), MACH_TASK_BASIC_INFO,
	                         (task_info_t)&info, &info_count) != KERN_SUCCESS))
		return 0;
	return info.resident_size;
}
#define NEED_POLL_THREAD
#elif defined(G_OS_UNIX) && defined(HAVE_SYSCONF) && defined(HAVE_SYSCTL)
/*
 * Practically only for FreeBSD.
 *
 * Since FreeBSD supports dlmalloc(), which is generally faster than
 * jemalloc with a poll thread, this is not usually required.
 */
static gsize
teco_memory_get_usage(void)
{
	static long page_size = 0;
	if (G_UNLIKELY(!page_size))
		page_size = sysconf(_SC_PAGESIZE);
	struct kinfo_proc procstk;
	size_t len = sizeof(procstk);
	int pidinfo[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()};
	if (G_UNLIKELY(sysctl(pidinfo, G_N_ELEMENTS(pidinfo),
	                      &procstk, &len, NULL, 0) < 0))
		return 0;
	return procstk.ki_rssize * page_size;
}
/**
 * Options passed to jemalloc.
 *
 * It's crucial to disable opt.retain, so that freeing memory after
 * recovering from memory limit hits actually decreases the RSS.
 * The reasons for activating the option, mentioned in jemalloc(3),
 * shouldn't be relevant on FreeBSD.
 */
const gchar *malloc_conf = "retain:false";
#define NEED_POLL_THREAD
#elif defined(G_OS_UNIX) && defined(HAVE_SYSCONF) && defined(HAVE_PROCFS)
#ifndef HAVE_MALLOC_TRIM
#warning malloc_trim() missing - Might not recover from hitting the memory limit!
#endif
/*
 * Mainly for Linux, but there might be other UNIXoids supporting procfs.
 * This would be ridiculously slow if polled from the main thread.
 *
 * Since Linux supports dlmalloc(), this will usually not be required
 * unless you disable it explicitly.
 *
 * NOTE: This is conciously avoiding glib and stdio APIs since we run in
 * a very tight loop and should avoid any unnecessary allocations which could
 * significantly slow down the main thread.
 */
static gsize
teco_memory_get_usage(void)
{
	static long page_size = 0;
	if (G_UNLIKELY(!page_size))
		page_size = sysconf(_SC_PAGESIZE);
	int fd = open("/proc/self/statm", O_RDONLY);
	if (fd < 0)
		/* procfs might not be mounted */
		return 0;
	gchar buf[256];
	ssize_t len = read(fd, buf, sizeof(buf)-1);
	close(fd);
	if (G_UNLIKELY(len < 0))
		return 0;
	buf[len] = '\0';
	gsize memory_usage = 0;
	sscanf(buf, "%*u %" G_GSIZE_FORMAT, &memory_usage);
	return memory_usage * page_size;
}
#define NEED_POLL_THREAD
#else
/*
 * We've got neither dlmalloc, nor any particular OS backend.
 */
#warning dlmalloc is disabled and there is no memory counting backend - memory limiting will be unavailable!
#endif
#ifdef NEED_POLL_THREAD
static GThread *teco_memory_thread = NULL;
static enum {
	TECO_MEMORY_STATE_ON,
	TECO_MEMORY_STATE_OFF,
	TECO_MEMORY_STATE_SHUTDOWN
} teco_memory_state = TECO_MEMORY_STATE_ON;
static GMutex teco_memory_mutex;
static GCond teco_memory_cond;
/*
 * FIXME: What if we activated the thread only whenever the
 * usage is queried in the main thread?
 * This would automatically "clock" the threaded polling at the same rate
 * as the main thread is polling.
 * On the downside, the value of teco_memory_usage would be more outdated,
 * so a memory overrun would be detected with even more delay.
 */
static gpointer
teco_memory_poll_thread_cb(gpointer data)
{
	g_mutex_lock(&teco_memory_mutex);
	for (;;) {
		while (teco_memory_state == TECO_MEMORY_STATE_ON) {
			g_mutex_unlock(&teco_memory_mutex);
			/*
			 * NOTE: teco_memory_mutex is not used for teco_memory_usage
			 * since it is locked most of the time which would extremely slow
			 * down the main thread.
			 */
			g_atomic_int_set(&teco_memory_usage, teco_memory_get_usage());
			g_thread_yield();
			g_mutex_lock(&teco_memory_mutex);
		}
		if (G_UNLIKELY(teco_memory_state == TECO_MEMORY_STATE_SHUTDOWN))
			break;
		g_cond_wait(&teco_memory_cond, &teco_memory_mutex);
		/* teco_memory_mutex is locked */
	}
	g_mutex_unlock(&teco_memory_mutex);
	return NULL;
}
void __attribute__((constructor))
teco_memory_start_limiting(void)
{
	if (!teco_memory_limit)
		return;
	/*
	 * FIXME: Setting a low thread priority would certainly help.
	 * This would be less important for platforms like Linux where
	 * we usually don't need a polling thread at all.
	 */
	if (G_UNLIKELY(!teco_memory_thread))
		teco_memory_thread = g_thread_new(NULL, teco_memory_poll_thread_cb, NULL);
	g_mutex_lock(&teco_memory_mutex);
	teco_memory_state = TECO_MEMORY_STATE_ON;
	g_cond_signal(&teco_memory_cond);
	g_mutex_unlock(&teco_memory_mutex);
}
void
teco_memory_stop_limiting(void)
{
	g_mutex_lock(&teco_memory_mutex);
	teco_memory_state = TECO_MEMORY_STATE_OFF;
	g_mutex_unlock(&teco_memory_mutex);
}
static void TECO_DEBUG_CLEANUP
teco_memory_cleanup(void)
{
	if (!teco_memory_thread)
		return;
	g_mutex_lock(&teco_memory_mutex);
	teco_memory_state = TECO_MEMORY_STATE_SHUTDOWN;
	g_cond_signal(&teco_memory_cond);
	g_mutex_unlock(&teco_memory_mutex);
	g_thread_join(teco_memory_thread);
}
#else /* !NEED_POLL_THREAD */
void teco_memory_start_limiting(void) {}
void teco_memory_stop_limiting(void) {}
#endif
/**
 * Memory limit in bytes (500mb by default, assuming SI units).
 * 0 means no limiting.
 */
gsize teco_memory_limit = 500*1000*1000;
gboolean
teco_memory_set_limit(gsize new_limit, GError **error)
{
	gsize memory_usage = (guint)g_atomic_int_get(&teco_memory_usage);
	if (G_UNLIKELY(new_limit && memory_usage > new_limit)) {
		g_autofree gchar *usage_str = g_format_size(memory_usage);
		g_autofree gchar *limit_str = g_format_size(new_limit);
		g_set_error(error, TECO_ERROR, TECO_ERROR_FAILED,
		            "Cannot set undo memory limit (%s): "
		            "Current usage too large (%s).",
		            limit_str, usage_str);
		return FALSE;
	}
	teco_undo_gsize(teco_memory_limit) = new_limit;
	if (teco_memory_limit)
		teco_memory_start_limiting();
	else
		teco_memory_stop_limiting();
	return TRUE;
}
/**
 * Check whether the memory limit is exceeded or would be
 * exceeded by an allocation.
 *
 * @param request Size of the requested allocation or 0 if
 *                you want to check the current memory usage.
 */
gboolean
teco_memory_check(gsize request, GError **error)
{
	gsize memory_usage = (guint)g_atomic_int_get(&teco_memory_usage);
	gsize requested_memory_usage = memory_usage+request;
	/*
	 * Check for overflows.
	 * NOTE: Glib 2.48 has g_size_checked_add().
	 */
	if (G_UNLIKELY(requested_memory_usage < memory_usage))
		/* guaranteed to fail if memory limiting is enabled */
		requested_memory_usage = G_MAXSIZE;
	if (G_UNLIKELY(teco_memory_limit && requested_memory_usage >= teco_memory_limit)) {
		g_autofree gchar *limit_str = g_format_size(requested_memory_usage);
		g_set_error(error, TECO_ERROR, TECO_ERROR_MEMLIMIT,
		            "Memory limit (%s) exceeded. See <EJ> command.",
		            limit_str);
		return FALSE;
	}
	return TRUE;
}
 |