How can malloc take more number of bytes of data than assigned

Question

According to what I have understood about malloc() is it allows us to assign the memory dynamically during the runtime. Below is the code that I am looking into

#include<conio.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
void main() {
  char *description;
  clrscr();
  description = malloc(2*sizeof(char));
  strcpy(description,"Hello there!");
  printf("%s",description);
  free(description);
  printf("%s",description);
  getch();
}

My question is I am asking system to assign 2 bytes of memory in the malloc() function. So when I try to fill the string "Hello there!" and print the same I should get only the first 2 characters of the string as output but I am getting the whole string that I have given in strcpy() function in the output.

And also after I use free() function if I try to print description again I should not get any output if I am not wrong but I am still getting the same string again. May in know how this works. I am using turbo C++ compiler.

You are shooting yourself in the foot. It's a tradition and design decision that C language allows you to shoot yourself in the foot. — user3528438, Feb 13 '17 at 13:46
Well a systems language like C must allow you to shoot yourself in the foot. The solution is to not do it. — DeiDei, Feb 13 '17 at 13:49
To put the above comments a bit more bluntly, C requires you to know what the hell it is your are doing — StoryTeller - Unslander Monica, Feb 13 '17 at 13:51
Writing to, or reading from, memory you don't own is always **Undefined Behaviour**. It will sometimes appear to work. It will break just as often. Just don't do it. — sp2danny, Feb 13 '17 at 13:57
Programmer's rights #1: it's a fundamental right to be able to shoot yourself in the foot. — mfro, Feb 13 '17 at 14:13
[How dangerous is it to access an array out of bounds?](http://stackoverflow.com/questions/15646973/how-dangerous-is-it-to-access-an-array-out-of-bounds) — Lundin, Feb 13 '17 at 14:45
these pair of lines: `description = malloc(2*sizeof(char)); strcpy(description,"Hello there!");` are not correct. 1) the C standard defines `sizeof( char )` as 1 so the amount of bytes allocated is only 2 2) trying to copy a longer string into those 2 bytes overruns the allocated buffer, which a) corrupts the linked list in heap memory b) results in undefined behavior, which can lead to a seg fault event, especially when `free()` is called. — user3629249, Feb 14 '17 at 20:31

Richard Chambers · Answer 1 · 2017-02-14T14:00:46.813

The malloc() function allocates at least the amount of memory you request though it may be more. However the amount of memory that malloc() provides is not really the central issue here.

The C programming language is designed for speed and efficiency which means that many of the checks that other languages do are not done. So you can write a program that does something wrong and it will still work under some circumstances and in other circumstances not work.

In C a pointer is the address of a memory location. C does not check if the address is a valid address or not. C does not check that the amount of memory you are trying to use is the correct amount of memory.

So here is an annotated version of your program.

#include<conio.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
void main() {
  char *description;   // create a variable that will contain the address of a character
  clrscr();
  // allocate an array of characters. the number of characters is 2 so this
  // will allocate a minimum size memory area that will hold 2 characters.
  // malloc() may round up the size or it may not but all you can count on
  // is 2 characters in size.
  description = malloc(2*sizeof(char));
  // copy a constant string to the memory location pointed to by the variable
  // description. the strcpy() function does not check on the limits of the
  // memory. after the malloc() is done there is no size information available
  // to strcpy() or any other of the C runtime library functions in the C Standard Library
  // this is copying 11 characters plus the end of string for a total of 12 characters
  // so to be correct the memory area pointed to by description should be at least
  // 12 characters however we know from the malloc() above it is guaranteed to
  // be only 2 characters so we are going past the memory area with this strcpy().
  strcpy(description,"Hello there!");
  // however we get lucky and it works anyway.
  printf("%s",description);
  // tell the memory allocation library that you are done with the memory and it
  // can be used for something else now. the pointer will probably still be good
  // for a while because the memory allocation, which gets its memory from the
  // operating system, does not normally give any freed memory back to the OS.
  // instead it normally just keeps it until the application terminates.
  // as long as this freed memory is not used for something else, more than
  // likely whatever you put there will remain there as is. however the moment
  // the memory is given to something else, the values will change.
  free(description);
  printf("%s",description);
  getch();
}

You can get an idea as to what is happening if you try the following sample program which is a modification of yours that instead of using malloc() uses variables on the stack.

#include<conio.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
void main() {
    char array1[12] = { 0 };
    char array2[2] = { 0 };
    char array3[12] = { 0 };
    char *description;
    printf("Before\n  array1 %s\n", array1);
    printf("  array2 %s\n", array2);
    printf("  array3 %s\n", array3);

    description = &array2[0];
    strcpy(description, "Hello there!");
    printf("description %s\n", description);

    printf("\nAfter\n  array1 %s\n", array1);
    printf("  array2 %s\n", array2);
    printf("  array3 %s\n", array3);
}

Using Visual Studio 2013 and running in Debug mode I get a warning about memory being overwritten as the application terminates. When I do a release build and run it, there are no errors and I get the following output. As you can see the strcpy() function just copied the characters overwriting adjacent memory. It looks like the Visual Studio 2013 compiler is aligning memory on a double word boundary so that only the last few characters of the string are visible in the adjacent memory area. Visual Studio padded the variable array2[] so that the next variable allocated is on a double word boundary.

Before
  array1
  array2
  array3
description Hello there!

After
  array1
  array2 Hello there!
  array3 ere!

If we modify the above program to the following:

#include<conio.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
void main() {
    char array1[12] = { 0 };
    char array2[2] = { 0 };
    char array3[12] = { 0 };
    char *description;
    int  *values;
    printf("Before\n  array1 %s\n", array1);
    printf("  array2 %s\n", array2);
    printf("  array3 %s\n", array3);

    description = &array2[0];
    strcpy(description, "Hello there!");
    printf("description %s\n", description);

    printf("\nAfter\n  array1 %s\n", array1);
    printf("  array2 %s\n", array2);
    printf("  array3 %s\n", array3);

    description = malloc(8 * sizeof(char));
    strcpy(description, "this");
    printf("\n\nMalloc\n  first description %p %s\n", description, description);
    free(description);

    values = malloc(1 * sizeof(int));
    *values = 0;
    printf("  pointer %p and value %d\n", values, *values);
    printf("  second description %p %s\n", description, description);

}

Then we get the following output. In this case we got lucky and were given the same memory area on the malloc() of the int so when we modified the int we also modified the area pointed to by description because once it was freed then malloc() reused the area for the next allocation.

Before
  array1
  array2
  array3
description Hello there!

After
  array1
  array2 Hello there!
  array3 ere!


Malloc
  first description 00944B28 this
  pointer 00944B28 and value 0
  second description 00944B28

The Resource Ownership Principle

This example demonstrates two rules when using malloc() and free().

Allocate with malloc() the amount you need and never exceed the amount of memory you requested. If you need more then look at the realloc() function.

Once you free a memory area using free() never use that pointer value again. You no longer own the memory area once it is freed.

When you use malloc() you become the owner of the memory but only that memory that you requested. When you use free() you relinquish ownership of the memory and you should not use it any more because you no longer own it.

Shingala94 · Accepted Answer · 2017-02-13T14:11:13.907

3

Malloc allocates 2 bytes. This means from a starting point (the one returned by the malloc) give me 2 bytes. strcpy copies all bytes in the string "hello there!" starting at the address in description. This does not care about the allocation, it just copies the bytes. The %s in printf tells printf to look for a null terminated string.

free() is used to tell the memory manager that the bytes can be used for other purposes again. It does not erase the data already present.

As @Michael Foukarakis pointed out, writing bytes in unallocated memory may cause undefined behavior. If something else were to write on the not allocated memory between the statements things will break.

edited Feb 13 '17 at 14:11

answered Feb 13 '17 at 13:51

Shingala94

404
3
18

Thanks, Patrick! May I know how I can still print the data even after using the free() function for freeing the allocation from description. – Akshay Vasu Feb 13 '17 at 13:54
free() is used to tell the memory manager that the bytes can be used for other purposes again. It does not erase the data already present – Shingala94 Feb 13 '17 at 13:56
Thank you. that explains my queries :) – Akshay Vasu Feb 13 '17 at 13:57

score 1 · Answer 3 · answered Feb 13 '17 at 13:53

1

if you put more data then merory size beaviour'll be umpredictable.

Nothing will warning you about your bad action but a memory fault can happen anytime.

answered Feb 13 '17 at 13:53

St Chain

7
2

score 1 · Answer 4 · answered Feb 13 '17 at 14:01

description = malloc(2*sizeof(char));

You are requesting 2 bytes of storage. In case of success, that's all the memory description will point to that you can safely use.

strcpy(description,"Hello there!");

You are writing past the end of the memory allocated with malloc (proof: "Hello there!" has a length of more than 2), therefore your program invokes undefined behaviour.

printf("%s",description);
free(description);
printf("%s",description);

None of the above 3 lines have any meaning in a program which invokes undefined behaviour. Any expectations from them are baseless and wrong.

Additionally, attempting to print the string (assuming to be) pointed to by description after free(description); also invokes undefined behavior.

Thank you for explaining so well Michael. I was shooting myself in the foot indeed. — Akshay Vasu, Feb 13 '17 at 14:04

How can malloc take more number of bytes of data than assigned

4 Answers4