I have a code like this :
void **array = (void**)malloc(sizeof(void*)*4);
array[0] = (void *)"Hello";
array[1] = (void *)"World";
array[2] = (void *)"My";
array[3] = (void *)"Example";
array = (void **)realloc(array,sizeof(void*)*3);
printf("%s\n",(char*)array[3]);
free(array);
Even though I reallocate the memory it is printing Example
Where am I wrong?
It works because sometimes undefined behaviour actually does work. That still doesn't make it a good idea because it's not guaranteed to work.
What's likely happening under the covers is that the realloc call is not changing anything at all because you've asked for a small reduction in a block that's already insignificantly small anyway.
Many memory allocation functions have a certain resolution which they allocate to, such as always a multiple of sixteen bytes. So, in that case, whether you asked for three four-byte pointers or four four-byte pointers, you'll always get a sixteen-byte chunk (plus overhead). It also means that, if you tell it to reduce your sixteen-byte chunk to a twelve-byte chunk, it's probably smart enough to just leave it alone.
You can check this by printing out the pointer just before and just after the realloc - it's likely to be exactly the same value.
So it just leaves the memory alone which is why, when you access the fourth element of the array, it's still set up as before.
But, as stated, this is an implementation detail that is not guaranteed, so you should not rely on it. Ever!
See this:
$ cat test.cpp
#include <stdlib.h>
#include <stdio.h>
int main() {
void **array = (void**)malloc(sizeof(void*)*4);
array[0] = (void *)"Hello";
array[1] = (void *)"World";
array[2] = (void *)"My";
array[3] = (void *)"Example";
array = (void **)realloc(array,sizeof(void*)*3);
printf("%s\n",(char*)array[3]);
free(array);
}
$ g++ test.cpp -o a -fsanitize=address
$ ./a
=================================================================
==11051== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000efc8 at pc 0x400a3f bp 0x7fffafc0bf40 sp 0x7fffafc0bf38
READ of size 8 at 0x60060000efc8 thread T0
#0 0x400a3e (/tmp/a+0x400a3e)
#1 0x7fe6d321aec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#2 0x400868 (/tmp/a+0x400868)
0x60060000efc8 is located 0 bytes to the right of 24-byte region [0x60060000efb0,0x60060000efc8)
allocated by thread T0 here:
#0 0x7fe6d35d355f (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1555f)
#1 0x400a12 (/tmp/a+0x400a12)
#2 0x7fe6d321aec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
Shadow bytes around the buggy address:
0x0c013fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c013fff9df0: fa fa fa fa fa fa 00 00 00[fa]fa fa fd fd fd fd
0x0c013fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c013fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==11051== ABORTING
So, actually these bytes of memory were freed, but you are just lucky (or not) that these bytes wasn't reused for anything else.
The realloc call changes size of an allocated memory. In your case you lowered a size, so the system just cut off the bytes in contiguous region that were allocated previously. I.e. your pointer to the text is still there, just the system didn't yet reused these bytes for another thing. In my example I compiled your code with debug option -fsanitize=address that checks for buffer overflow and an usage of a freed memory, and terminates an app with an error message if something alike happened — and it happens in your case.
Try this:
printf( "before: %p\n", array );
array = (void **)realloc(array,sizeof(void*)*3);
printf( "after: %p\n", array );
What's likely happening is the heap implementation you're using notices you're just dropping a few bytes from your allocation and doesn't do anything other than marking the current block a bit smaller before returning the same pointer.
I'd guessing you're running a 32-bit application on an x86 CPU. So your pointers are probably 4 bytes, but the x86 has some data types that have an 8-byte alignment restriction. That's important because 7.20.3 of the C standard says:
The order and contiguity of storage allocated by successive calls to the calloc, malloc, and realloc functions is unspecified. The pointer returned if the allocation succeeds is suitably aligned so that it may be assigned to a pointer to any type of object and then used to access such an object or an array of such objects in the space allocated...
That means in practice most malloc()/calloc()/realloc()/free() implementations on x86 machines return memory in 8-byte chunks. Since your chunk started at 16 bytes - or two eight-byte chunks - and you shortened it to 12 - which is still two eight-byte chunks - your realloc() call didn't move the memory.
In other words, undefined behavior. Don't expect that to work if you start with 2000 pointers in your array and you realloc() that down to two pointers.
