How do malloc() and free() work?

OK some answers about malloc were already posted.

The more interesting part is how free works (and in this direction, malloc too can be understood better).

In many malloc/free implementations, free does normally not return the memory to the operating system (or at least only in rare cases). The reason is that you will get gaps in your heap and thus it can happen, that you just finish off your 2 or 4 GB of virtual memory with gaps. This should be avoided, since as soon as the virtual memory is finished, you will be in really big trouble. The other reason is, that the OS can only handle memory chunks that are of a specific size and alignment. To be specific: Normally the OS can only handle blocks that the virtual memory manager can handle (most often multiples of 512 bytes e.g. 4KB).

So returning 40 Bytes to the OS will just not work. So what does free do?

Free will put the memory block in its own free block list. Normally it also tries to meld together adjacent blocks in the address space. The free block list is just a circular list of memory chunks which have some administrative data in the beginning. This is also the reason why managing very small memory elements with the standard malloc/free is not efficient. Every memory chunk needs additional data and with smaller sizes more fragmentation happens.

The free-list is also the first place that malloc looks at when a new chunk of memory is needed. It is scanned before it calls for new memory from the OS. When a chunk is found that is bigger than the needed memory, it is divided into two parts. One is returned to caller, the other is put back into the free list.

There are many different optimizations to this standard behaviour (for example for small chunks of memory). But since malloc and free must be so universal, the standard behaviour is always the fallback when alternatives are not usable. There are also optimizations in handling the free-list — for example storing the chunks in lists sorted by sizes. But all optimizations also have their own limitations.

Why does your code crash:

The reason is that by writing 9 chars (don’t forget the trailing null byte) into an area sized for 4 chars, you will probably overwrite the administrative-data stored for another chunk of memory that resides “behind” your chunk of data (since this data is most often stored “in front” of the memory chunks). When free then tries to put your chunk into the free list, it can touch this administrative-data and therefore stumble over an overwritten pointer. This will crash the system.

This is a rather graceful behaviour. I have also seen situations where a runaway pointer somewhere has overwritten data in the memory-free-list and the system did not immediately crash but some subroutines later. Even in a system of medium complexity such problems can be really, really hard to debug! In the one case I was involved, it took us (a larger group of developers) several days to find the reason of the crash — since it was in a totally different location than the one indicated by the memory dump. It is like a time-bomb. You know, your next “free” or “malloc” will crash, but you don’t know why!

Those are some of the worst C/C++ problems, and one reason why pointers can be so problematic.

Related Posts:

  1. How to track down a “double free or corruption” error
  2. How to track down a “double free or corruption” error
  3. Understanding “corrupted size vs. prev_size” glibc error
  4. How to run valgrind with basic c example?
  5. Is “delete this” allowed in C++?
  6. What is a segmentation fault?
  7. How many spaces for tab character(\t)?
  8. What does (~0L) mean?
  9. What is the difference between float and double?
  10. What is the effect of extern “C” in C++?
  11. Why are #ifndef and #define used in C++ header files?
  12. What exactly is the difference between “pass by reference” in C and in C++?
  13. When to use extern “C” in simple words? [duplicate]
  14. Floating point exception( core dump
  15. Mutex example / tutorial? [closed]
  16. What does “dereferencing” a pointer mean?
  17. What is an unsigned char?
  18. What does “dereferencing” a pointer mean?
  19. Convert char to int in C and C++
  20. Why use conio.h?
  21. What is the array form of ‘delete’?
  22. Convert an int to ASCII character
  23. Why unsigned int 0xFFFFFFFF is equal to int -1?
  24. What is the significance of return 0 in C and C++?
  25. How to go from fopen to fopen_s
  26. Difference between long double and double in C and C++ [duplicate]
  27. What is use of c_str function In c++
  28. What is the difference between const int*, const int * const, and int const *?
  29. What is the C version of RMI
  30. How to print pthread_t
  31. What is the difference between const int*, const int * const, and int const *?
  32. What is the printf format specifier for bool?
  33. Fastest way to check if a file exist using standard C++/C++11,14,17/C?
  34. Is there a function to copy an array in C/C++?
  35. Difference between using Makefile and CMake to compile the code
  36. What is the difference between a static and const variable?
  37. Should I learn C before learning C++?
  38. Eclipse C++ : “Program “g++” not found in PATH”
  39. unsigned int vs. size_t
  40. Fatal error: iostream: No such file or directory in compiling C program using GCC
  41. Convert Python program to C/C++ code?
  42. error: expected primary-expression before ‘)’ token (C)
  43. Is “argv[0] = name-of-executable” an accepted standard or just a common convention?
  44. Examples of good gotos in C or C++
  45. What is activation record in the context of C and C++?
  46. Fastest way to check if a file exist using standard C++/C++11,14,17/C?
  47. How to convert C++ Code to C
  48. How to make an array with a dynamic size? General usage of dynamic arrays (maybe pointers too)?
  49. Deleting a dynamically allocated 2D array
  50. Fatal error: ‘stdafx.h’ file not found
  51. warning: control reaches end of non-void function [-Wreturn-type]
  52. gcc/g++: “No such file or directory”
  53. What does ‘const static’ mean in C and C++?
  54. How to use glOrtho() in OpenGL?
  55. Best C/C++ Network Library
  56. Is the sizeof(some pointer) always equal to four?
  57. 2D array vs array of arrays
  58. Deleting an object in C++
  59. C++ array assign error: invalid array assignment
  60. Typedef function pointer?
  61. “…redeclared as different kind of symbol”?
  62. What is the use of intptr_t?
  63. Debug vs Release in CMake
  64. How can I get the list of files in a directory using C or C++?
  65. How can I get the list of files in a directory using C or C++?
  66. What does “Permission denied” “Id returned 1 exit status” mean?
  67. Multi-character constant warnings
  68. What is the C equivalent to the C++ cin statement?
  69. Static linking vs dynamic linking
  70. What are the different versions of exec used for in C and C++?
  71. What’s the difference between nexti and stepi in gdb?
  72. C++ – Too Many Initializers for Arrays
  73. Reading string by char till end of line C/C++
  74. Is there a replacement for unistd.h for Windows (Visual C)?
  75. C++ – include unistd.h: why not cunistd?
  76. How to project a point onto a plane in 3D?
  77. C: using strtol endptr is never NULL, cannot check if value is integer only?
  78. gcc: undefined reference to
  79. Why use pointers?
  80. What’s the difference between * and & in C?
  81. Valgrind Invalid free() / delete / delete[] / realloc() in C
  82. Difference between pic Vs pie
  83. Double pointer array in c++
  84. What’s the meaning of exception code “EXC_I386_GPFLT”?
  85. How to write log base(2) in c/c++
  86. gcc -g :what will happen
  87. What is the job of autogen.sh when building a c++ package on Linux
  88. What’s the Use of ‘\r’ escape sequence?
  89. Is there a standard sign function (signum, sgn) in C/C++?
  90. Using OpenMP with clang
  91. Why is this vector iterator not incrementable?
  92. Warning: comparison of distinct pointer types
  93. cc1.exe System Error – libwinpthread-1.dll missing – But it isn’t
  94. Two decimal places using printf( )
  95. Fatal error: iostream: No such file or directory in compiling C program using GCC
  96. Different ways to deallocate an array – c++
  97. Difference between the int * i and int** i
  98. Is there a way to compile C++ to C Code?
  99. Whats the difference between UInt8 and uint8_t
  100. The tilde operator in C

Leave a Comment