
What happens if you try to free memory which was not allocated using malloc/calloc?

Here is what I mean:

#include <stdlib.h>

int main(void)
{
    int temp = 0;
    int *ptr = &temp;   /* points at an automatic (stack) variable, not a heap block */
    free(ptr);          /* ptr was never returned by malloc/calloc/realloc */
    return 0;
}

I thought free() would return some error code, but free() does not have a return value.

Leo Messi
  • And you hoped C would be slow like Python or Java. If that's what you want, use one of those languages. Otherwise take the red pill and dive into a wonderful world where you actually have to take responsibility for honoring your side of the contract for interfaces you use. – R.. GitHub STOP HELPING ICE Nov 21 '11 at 16:10
  • "Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light." (http://en.wikipedia.org/wiki/Proton_packs#Crossing_the_Streams) – Fred Larson Nov 21 '11 at 16:14
  • @R..: I just asked a question. I am not complaining about C. – Leo Messi Nov 21 '11 at 16:14
  • Maybe you could take a look at http://stackoverflow.com/questions/1957099/how-do-free-and-malloc-work-in-c/1957125#1957125 or http://stackoverflow.com/questions/5121335/question-on-free-in-c-language/5121366#5121366 – Cédric Julien Nov 21 '11 at 16:16

5 Answers


If you call free() on a pointer which wasn't allocated before, it will trigger undefined behavior.

From Linux man pages:

The free() function frees the memory space pointed to by ptr, which must have been returned by a previous call to malloc(), calloc() or realloc(). Otherwise, or if free(ptr) has already been called before, undefined behavior occurs. If ptr is NULL, no operation is performed.

Malcolm
  • One can read this statement on lots of webpages, but is there any "official evidence" for this? – kol Nov 21 '11 at 16:12
  • @kol: For an authoritative reference please see also my answer (http://stackoverflow.com/questions/8214692/query-related-to-free-in-c/8214963#8214963). – undur_gongor Nov 21 '11 at 16:26

To add to Malcolm's answer: This is undefined behavior by ISO/IEC 9899:1999, 7.20.3.2:

Otherwise, if the argument does not match a pointer earlier returned by the calloc, malloc, or realloc function [...] the behavior is undefined.

See the draft standard here: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf.

undur_gongor

I extended the above code a bit:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
  int temp = 0;
  int *ptr = &temp;
  printf("Before: %p\n", (void *)ptr);   /* %p is the portable way to print a pointer */
  free(ptr);                              /* undefined behavior: ptr is a stack address */
  printf("After: %p\n", (void *)ptr);
  getchar();                              /* keep the console window open */
  return 0;
}

If this code is compiled by Visual Studio 2010, in Debug configuration, calling free initiates a "Debug Assertion failed" message. This error message comes from dbgheap.c:

/*
 * If this ASSERT fails, a bad pointer has been passed in. It may be
 * totally bogus, or it may have been allocated from another heap.
 * The pointer MUST come from the 'local' heap.
 */
_ASSERTE(_CrtIsValidHeapPointer(pUserData));

Compiling with MinGW-GCC, the resulting exe runs without error (the "After: ..." line shows the same value for ptr as the "Before: ..." line).

kol

All hell will break loose.

Which means:

  • If you are lucky, your program will error out and terminate.
  • If you are not lucky, some attacker will execute arbitrary code using your program (free() will usually try to insert your newly freed "chunk" of memory into some data structure, which usually involves some writes at locations determined by values at/near the pointer you passed).
  • Anything between these two extremes. Not terminating in error should be considered worse than terminating in error.
ninjalj
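Malcolm's answer states that free() on a pointer that never came from malloc/calloc/realloc is undefined behavior, and ninjalj's answer explains why that matters: the allocator trusts the bookkeeping it expects to find next to the pointer and writes through it. The following is an added example, not code from the question or from any of the answers. It wraps malloc/free in a small registry of outstanding blocks so that a stack address, an interior pointer, or a second free of the same block is reported and skipped instead of being handed to the real free(). The names tracked_malloc, tracked_free, tracked_is_live, the free_status codes and the MAX_LIVE limit are this example's own inventions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a registry of live heap blocks so that free() is only
 * ever called with a pointer this allocator actually handed out. */

#define MAX_LIVE 64

static void *live[MAX_LIVE];   /* pointers returned by tracked_malloc and not yet freed */
static size_t live_count = 0;

/* Result codes returned by tracked_free. */
enum free_status { FREE_OK = 0, FREE_NULL = 1, FREE_UNTRACKED = 2 };

/* Index of p in the registry, or -1 if it is not an outstanding block. */
static int find_live(const void *p) {
    for (size_t i = 0; i < live_count; i++)
        if (live[i] == p) return (int)i;
    return -1;
}

void *tracked_malloc(size_t n) {
    if (live_count == MAX_LIVE) return NULL;   /* registry full: refuse rather than lose track */
    void *p = malloc(n);
    if (p) live[live_count++] = p;
    return p;
}

/* Pass p to free() only if it is one of our outstanding blocks. */
enum free_status tracked_free(void *p) {
    if (p == NULL) return FREE_NULL;           /* free(NULL) is defined as a no-op */
    int i = find_live(p);
    if (i < 0) {
        /* Stack address, already freed, or interior pointer: leave the heap alone. */
        fprintf(stderr, "tracked_free: %p was not returned by tracked_malloc\n", p);
        return FREE_UNTRACKED;
    }
    live[i] = live[--live_count];             /* swap-remove; order does not matter */
    free(p);
    return FREE_OK;
}

/* Nonzero if p is currently an outstanding block. */
int tracked_is_live(const void *p) { return find_live(p) >= 0; }

int main(void) {
    int temp = 0;
    int *stack_ptr = &temp;                     /* the pointer from the question */
    int *heap_ptr = tracked_malloc(sizeof *heap_ptr);

    printf("stack pointer: %d\n", tracked_free(stack_ptr));  /* 2: rejected, heap untouched */
    printf("heap pointer:  %d\n", tracked_free(heap_ptr));   /* 0: freed */
    printf("double free:   %d\n", tracked_free(heap_ptr));   /* 2: rejected */
    return 0;
}
```

The registry is a linear scan, which is fine for a demonstration but not for a hot allocation path; the point is that the check happens before free() sees the pointer, not after. For the original program, a modern GCC or Clang build with -fsanitize=address gives the same kind of diagnosis without any wrapper: AddressSanitizer aborts the process and reports "attempting free on address which was not malloc()-ed".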

In addition to the answers by Malcolm and undur_gongor, C on Windows with Visual Studio is the same. The pertinent section from MSDN's description is found here:

The free function deallocates a memory block (memblock) that was previously allocated by a call to calloc, malloc, or realloc. The number of freed bytes is equivalent to the number of bytes requested when the block was allocated (or reallocated, in the case of realloc). If memblock is NULL, the pointer is ignored and free immediately returns. Attempting to free an invalid pointer (a pointer to a memory block that was not allocated by calloc, malloc, or realloc) may affect subsequent allocation requests and cause errors.

Taylor Price