Let's consider the following program:
main.c:
#include <stdlib.h>
void f(void)
{
int* x = malloc(10 * sizeof(int));
x[10] = 0; // problem 1: heap block overrun
} // problem 2: memory leak -- x not freed
int main(void)
{
f();
return 0;
}
void f(void)
{
int* x = malloc(10 * sizeof(int));
x[10] = 0; // problem 1: heap block overrun
} // problem 2: memory leak -- x not freed
int main(void)
{
f();
return 0;
}
Once the program has been compiled (with debug info (-g) into ./main in unix-based systems), we can check for memory issues by running valgrind:
valgrind --leak-check=yes ./main
The output is the following (after the header):
==3938== Invalid write of size 4
==3938== at 0x40054B: f (main.c:6)
==3938== by 0x40055B: main (main.c:11)
==3938== Address 0x51fd068 is 0 bytes after a block of size 40 alloc'd
==3938== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3938== by 0x40053E: f (main.c:5)
==3938== by 0x40055B: main (main.c:11)
==3938==
==3938==
==3938== HEAP SUMMARY:
==3938== in use at exit: 40 bytes in 1 blocks
==3938== total heap usage: 1 allocs, 0 frees, 40 bytes allocated
==3938==
==3938== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==3938== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3938== by 0x40053E: f (main.c:5)
==3938== by 0x40055B: main (main.c:11)
==3938==
==3938== LEAK SUMMARY:
==3938== definitely lost: 40 bytes in 1 blocks
==3938== indirectly lost: 0 bytes in 0 blocks
==3938== possibly lost: 0 bytes in 0 blocks
==3938== still reachable: 0 bytes in 0 blocks
==3938== suppressed: 0 bytes in 0 blocks
The prefix "==3938== " represents the process id.
The first main issue is the invalid write: the first part of the output indicates where the write occurs, while the second part indicates where the memory incorrectly written has been allocated. From this information, we can see that the write within f() is invalid and observe that the problem is because x receives memory for 10 ints (i.e. the accessible indexes are between 0 and 9). Thus, the problem is trying to write to x[10].
The second issue is the memory lost indicated both in the sentence : "40 bytes in 1 blocks are definitely lost in loss record 1 of 1"
and in the LEAK SUMMARY. We can see here which malloc wasn't freed (then one in f (main.c:5)).
We can write now the following similar program:
#include <stdlib.h>
void f(void)
{
int* x = malloc(10 * sizeof(int));
x[9] = 0; // problem 1: we now write to a valid inded
free(x); // problem 2: solved, now x was freed
}
int main(void)
{
f();
return 0;
}
void f(void)
{
int* x = malloc(10 * sizeof(int));
x[9] = 0; // problem 1: we now write to a valid inded
free(x); // problem 2: solved, now x was freed
}
int main(void)
{
f();
return 0;
}
and running valgrind we obtain the following output (after the general header):
==4060== HEAP SUMMARY:
==4060== in use at exit: 0 bytes in 0 blocks
==4060== total heap usage: 1 allocs, 1 frees, 40 bytes allocated
==4060==
==4060== All heap blocks were freed -- no leaks are possible
The program has no memory issues!
[1] http://valgrind.org/ . The example is from the the tool's quick start guide.
