nondeterministic failures due to incorrect malloc size?

Question

Do we have an example that demonstrates non-deterministic failures due to the incorrect malloc size in C?

For example, in my 'gzip' program in linux:

.
.
.
char* a = (char*)malloc(256) // correct version 
is changed to
char* a = (char*)malloc(206) //faulty version
.
.
.

Because of this, a test case tc that pass on the correct version becomes fail (i.e., segmentation fault) on the faulty version. However, the failure is non-deterministic. Sometimes, the failed test case tc on the faulty version does not cause segmentation fault (i.e., pass).

This may be due to the 'undefined' behavior of malloc, but I could not know how it happens exactly.

Does anyone can give me some concrete example? Thank you in advance.

[Please don't cast the return value of `malloc()` in C](http://stackoverflow.com/a/605858/28169). — unwind, Oct 03 '13 at 12:28

score 3 · Accepted Answer · answered Oct 03 '13 at 12:21

Imagine the memory as a sequence of pages. Some are available to your process, some are unavailable due to permissions and some are simply inaccessible, i.e. not mapped in. Consider this map (not to scale):

      +                        +   +
      |   Page, 4096 bytes     |   |
      +-----------------+------+   |
      |                 |      |   |
      |                 |      |   |
      |                 |      |   |
      +-----------------+------+-->v
           3890B          206B   X <-- Not mapped, can't touch!

If you allocate 206 bytes it all depends where in the page those 206 bytes will lie.

If they lie at the start (to the left) accessing more is OK as far as Linux is concerned (but still undefined behavior as far as C is concerned)
If however accessing more bytes spills into another page, with a different protection or into one that's not mapped in, Linux will not be amused and you'll get a segfault

So you're at the mercy of something you can't control: where malloc will allocate your data, i.e. where the additional 50 bytes will be.

@freddy Don't accept it just yet, maybe better stuff comes up. — cnicutar, Oct 03 '13 at 12:36

score 1 · Answer 2 · edited Jun 20 '20 at 09:12

1

It is not undefined behaviour of the malloc. It simply gives you the memory you asked for.

You probably access non-reserved memory later (something like a[208] = 'x';) which WILL cause the undefined behaviour.

C Standard says:

undefined behavior

behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements

Which means anything can happen. You cannot predict the result, and must always avoid such situations.

edited Jun 20 '20 at 09:12

Community

1
1

answered Oct 03 '13 at 12:17

user694733

15,208
2
42
68

Thank you, but what is the 'undefined behaviour'? How it can cause failure non-deterministically? – freddy Oct 03 '13 at 12:18
[Undefined Behaviour](http://stackoverflow.com/questions/2397984/undefined-unspecified-and-implementation-defined-behavior) Here you can read more about UB. – Arya Oct 03 '13 at 12:20

nondeterministic failures due to incorrect malloc size?

2 Answers2