Why exactly should I not call free() on variables not allocated by malloc()?

Up vote 5 down vote favorite 1 share g+ share fb share tw.

C memory memory-management free malloc link|improve this question edited Apr 22 '10 at 5:33sharptooth71k578247 asked Apr 22 '10 at 5:12ultrajohn870213 68% accept rate.

Just a minor semantic correction: There are no "objects" in C. Better would be "variable", or "structure". – Chris Cooper Apr 22 '10 at 5:14 6 @Chris The K&R book, it states (somewhere by the end) that object is any memory location that can be referenced by a name (or so I recall, I cant find my copy) – Tom Apr 22 '10 at 5:16 5 @Chris Cooper: Just because some people say that C isn't "object oriented" doesn't mean that there's no such thing as an object in that language.

From the C spec: "object: region of data storage in the execution environment, the contents of which can represent values. " There you have it. – Dietrich Epp Apr 22 '10 at 5:21 1 I am not talking of object here as it is in the OOP paradigm... – ultrajohn Apr 22 '10 at 5:21 1 Its not disasterous, its undefined, there is a big difference.

You are free to make any undefined behavior consistent and possibly even useful provided that you make the modifications yourself, without breaking any defined behavior. – Tim Post? Apr 22 '10 at 5:43.

That's undefined behavior - never try it. Let's see what happens when you try to free() an automatic variable. The heap manager will have to deduce how to take ownership of the memory block.

To do so it will either have to use some separate structure that lists all allocated blocks and that is very slow an rarely used or hope that the necessary data is located near the beginning of the block. The latter is used quite often and here's how I is supposed to work. When you call malloc() the heap manager allocates a slightly bigger block, stores service data at the beginning and returns an offset pointer.

Smth like: void* malloc( size_t size ) { void* block = tryAlloc( size + sizeof( size_t) ); if( block == 0 ) { return 0; } // the following is for illustration, more service data is usually written *((size_t*)block) = size; return (size_t*)block + 1; } then free() will try to access that data by offsetting the passed pointer but if the pointer is to an automatic variable whatever data will be located where it expects to find service data. Hence undefined behavior. Many times service data is modified by free() for heap manager to take ownership of the block - so if the pointer passed is to an automatic variable some unrelated memory will be modified and read from.

Implementations may vary but you should never make any specific assumptions. Only call free() on addresses returned by malloc() family functions.

More please...:) – ultrajohn Apr 22 '10 at 5:24 1 You'd have to tryAlloc(size + sizeof(size_t)) to have room for the size_t in front. – Chris Lutz Apr 22 '10 at 5:27 @Chris Lutz: Thank you, fixed that. – sharptooth Apr 22 '10 at 5:29 Usually there is a scheme followed to allocate memory (and more is allocated to store size, prevent seg-fault to some extent, etc).

Stackoverflow.com/questions/2650895/… – N 1. 1 Apr 22 '10 at 5:31 1 Fix #2: You cast block to the right type, but forget to dereference it afterwards. – Chris Lutz Apr 22 '10 at 5:40.

It is undefined behaviour. And logically, if behaviour is undefined, you cannot be sure what has happened, and if the program is still operating properly.

Because the standard says it does. How? I don't know.

If we knew how it happened, it wouldn't be undefined. – Chris Lutz Apr 22 '10 at 5:28 1 @peterchen - Because if undefined behavior involved world peace, I'd be all for it. – Chris Lutz Apr 22 '10 at 5:32 1 @peterchen: The Standard never says that UB can't be world peace.

It can be world peace or whatever else. – sharptooth Apr 22 '10 at 5:40.

By the standard, it's "undefined behavior" - i.e. "anything can happen". That's usually bad things, though.

In practice: free'ing a pointer means modifying the heap. C runtime does virtually never validate if the pointer passed comes from the heap - that would be to costly in either time or memory. Combine these two factoids, and you get "free(non-malloced-ptr) will write something somewhere" - the resutl may be some of "your" data modified behind your back, an access violation, or trashing vital runtime structures, such as a return address on the stack.

Example: A disastrous scenario: Your heap is implemented as a simple list of free blocks. Malloc means removing a suitable block from the list, free means adding it to the list again. (a typical if trivial implementation) You free() a pointer to a local variable on the stack.

You are "lucky" because the modification goes into irrelevant stack space. However, part of the stack is now on your free list. Because of the allocator design and your allocation patterns, malloc is unlikely to return this block.

Later, in an completely unrelated part of the program, you actually do get this block as malloc result, writing to it trashes some local variables up the stack, and when returning some vital pointer contains garbage and your app crashes. Symptoms, repro and location are completely unrelated to the actual cause. Debug that.

Some people have pointed out here that this is "undefined behavior". I'm going to go farther and say that on some implementations, this will either crash your program or cause data corruption. It has to do with how "malloc" and "free" are implemented.

One possible way to implement malloc/free is to put a small header before each allocated region. On a malloc'd region, that header would contain the size of the region. When the region is freed, that header is checked and the region is added to the appropriate freelist.

If this happens to you, this is bad news. For example, if you free an object allocated on the stack, suddenly part of the stack is in the freelist. Then malloc might return that region in response to a future call, and you'll scribble data all over your stack.

Another possibility is that you free a string constant. If that string constant is in read-only memory (it often is), this hypothetical implementation would cause a segfault and crash either after a later malloc or when free adds the object to its freelist. This is a hypothetical implementation I am talking about, but you can use your imagination to see how it could go very, very wrong.

Some implementations are very robust and are not vulnerable to this precise type of user error. Some implementations even allow you to set environment variables to diagnose these types of errors. Valgrind and other tools will also detect these errors.

Undefined behavior as officially defined - behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements. Since standard imposes no requirements, there are bound to be different implementations and the program may crash on some implementations. – N 1.

1 Apr 22 '10 at 5:43.

Strictly speaking, this is not true. Calloc() and realloc() are valid object sources for free(), too. ;).

Strictly speaking, you are correct. However, calloc() and realloc() are just convenient interfaces to malloc(). If given a platform with only malloc() and memcpy(), one could quickly implement calloc() and realloc() in just a few minutes.

– Tim Post? Apr 22 '10 at 6:02 1 Not exactly. To copy the data for realloc, you need to know the size of the old memory block.

– Secure Apr 22 '10 at 10:10.

It would certainly be possible for an implementation of malloc/free to keep a list of the memory blocks thats been allocated and in the case the user tries to free a block that isn't in this list do nothing. However since the standard says that this isn't a requirement most implementation will treat all pointers coming into free as valid.

Please have a look at what undefined behavior means. Malloc() and free() on a conforming hosted C implementation are built to standards. The standards say the behavior of calling free() on a heap block that was not returned by malloc() (or something wrapping it, e.g. Calloc()) is undefined.

This means, it can do whatever you want it to do, provided that you make the necessary modifications to free() on your own. You won't break the standard by making the behavior of free() on blocks not allocated by malloc() consistent and even possibly useful. In fact, there could be platforms that (themselves) define this behavior.

I don't know of any, but there could be some. There are several garbage collecting / logging malloc() implementations that might let it fail more gracefully while logging the event. But thats implementation , not standards defined behavior.

Undefined simply means don't count on any kind of consistent behavior unless you implement it yourself without breaking any defined behavior. Finally, implementation defined does not always mean defined by the host system. Many programs link against (and ship) uclibc.

In that case, the implementation is self contained, consistent and portable.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.