In theory, some malloc calls with M_WAITOK can fail because the underlying Malloc() implementation in src/stand can fail. We should proactively detect this and fail in a helpful way, rather than waiting for the null pointer dereference.
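An added illustration of the proposed check, not code from src/stand: a wrapper that detects a NULL return from the underlying allocator and reports the size and call site instead of letting an M_WAITOK-style caller dereference NULL. The raw allocator (`tiny_heap_alloc`) and the recording failure handler standing in for a loader panic are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the loader's underlying allocator, which may return NULL. */
typedef void *(*raw_alloc_fn)(size_t);

/* Last diagnostic; kept so the failure path can be inspected rather than crashing. */
static char last_alloc_error[128];

/* In a real loader this would panic(); here it records and prints the message. */
static void alloc_fail(size_t size, const char *where)
{
    snprintf(last_alloc_error, sizeof last_alloc_error,
             "%s: allocation of %zu bytes failed", where, size);
    fprintf(stderr, "%s\n", last_alloc_error);
}

/* Checked allocation: callers that assumed M_WAITOK never fails get a
 * clear diagnostic instead of a later NULL dereference. */
void *checked_alloc(raw_alloc_fn raw, size_t size, const char *where)
{
    void *p = raw(size);
    if (p == NULL) {
        alloc_fail(size, where);
        return NULL;
    }
    return p;
}

/* Constructed allocator that refuses requests above 64 bytes,
 * emulating an exhausted loader heap. */
void *tiny_heap_alloc(size_t size)
{
    return size > 64 ? NULL : malloc(size);
}

const char *checked_alloc_last_error(void) { return last_alloc_error; }

int main(void)
{
    void *ok = checked_alloc(tiny_heap_alloc, 32, "main");
    void *bad = checked_alloc(tiny_heap_alloc, 4096, "main");
    printf("small request %s, large request %s\n",
           ok ? "succeeded" : "failed", bad ? "succeeded" : "failed");
    free(ok);
    free(bad);
    return bad == NULL ? 1 : 0;
}
```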
Note to bug busters: this is an enhancement request that may languish (though hopefully not), please check with me before starting any timeout process on it. Thanks!