0

If I run this code it will crash with a stack dump: 

int * a = (int *) malloc(sizeof(int) * 10);
a++;
free(a);

Why doesn't it work? Why does it need the pointer returned by malloc()? What records does the resource management system behind it keep? Is it the length of the array? Is it the last cell's address? And does it associate it with the starting pointer?

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
strings95
  • 661
  • 11
  • 26
  • is there any error coming ? if yes can you show – Omer Obaid Dec 18 '13 at 05:26
  • 1
    Why should it work? The behaviour of C has always been that the pointer handed to `free()` must have been returned by `malloc()`, `calloc()`, `realloc()` or any of their brethren (`posix_memalign()`, `aligned_alloc()`, etc). If you want to write your own memory allocation system, you may, but the standard version works as it does and there's no real benefit to asking why — that is the way it is defined to behave. – Jonathan Leffler Dec 18 '13 at 05:27
  • 2
    http://stackoverflow.com/questions/1518711/how-does-free-know-how-much-to-free?rq=1 Maybe Answer of this question can help you – Omer Obaid Dec 18 '13 at 05:32

4 Answers4

3

When memory is allocated, the size of allocated memory is stored in a block adjacent to the allocated block.

Why doesn't it work?
int * a = (int *) malloc(sizeof(int) * 10);
a++;
free(a);

This will not work because, free searchs for the adjacent block which has the size of allocated memory.

Why does it need the pointer returned by malloc?

The adjecent block of pointer returned by malloc, has the information about the size of allocated memory.

  • It isn't always adjacent. The current trend in memory allocator design is to not keep the accounting data next to the allocated data because it makes heap overflow attacks too dangerous. – Art Dec 18 '13 at 10:19
2

It doesn't work because you add one to the pointer that malloc returned to you.

free expects a pointer that malloc returned. Due to the a++ the pointer is no longer what malloc returned and thus free doesn't know what to do with it.

Scotty Bauer
  • 1,277
  • 9
  • 14
  • 2
    @user2603656: because that is the way it is designed and specified to behave. Why is the sky blue? – Jonathan Leffler Dec 18 '13 at 05:27
  • 1
    @user2603656 if you're studying for a test or something its because free() knows that the pointer you return to it, at some speecific offset from that pointer it an get header information for the allocated block. It will go off by that offset and modify the header to say the block is now free. It will then place it on the free list (depending on their implementation). – Scotty Bauer Dec 18 '13 at 05:31
1

The malloc function reserves a little bit more memory in the heap than what the user tells it. This is because a unique value before the allocated blocks is saved in order to know what size and chunks of memory the system is able to free. 

int * a = (int *) malloc(sizeof(int) * 10);

When you increment the pointer "a", the system will refer to the new location that a is pointing to and therefore it results in reading garbage data.

This leads to usually undefined behavior and usually causes crashing when running your program.

Cam
  • 21
  • 3
0

Malloc usually allocates more data than what we usually request. This additional space is used to house some of the important information such as the amount of memory(number of bytes) allocated when a malloc call is made. Sometimes additional information such as pointer to the next free location is also maintained. This information is stored at a specific location relative to the starting memory location that malloc return to us. If we return some other address to the free function, then it will look at the value in the address relative to what you passed to free and will end up freeing that number of bytes and "may" cause a crash.

user376507
  • 2,004
  • 1
  • 19
  • 31