C链表valgrind读取的大小无效

Question

I have a problem with my Linked List and the valgrind output. Without further adieu here is my linked list:

typedef struct Map map;

struct Map
{
    void *address;
    double free_time;
    map* next;
}*map_list;

The list is created using a dummy head node. As you can see, the struct holds an address and a free time, which I try to associate them.

In the find_and_free function I search this list using a time and if this time is smaller than the one stored in the list, I deallocate the saved address. And then I deallocate the list node as well.

This is the function used to find any free time that is smaller than the one I am passing. If it is smaller, I free the address stored to the list, and then call the delete_map_node function to also deallocate the node of the list.

void find_and_free_address(map *root, double mtime)
{
    map *current = root->next;
    assert(current);
    while(current)
    {
        if(current->free_time < mtime)
        {

            printf("there is something to FREE now\n");
            printf("the time to check for free is %lf and the maps free time is %lf\n", mtime,current->free_time);
            printf("The map contains an address that is time to free\n");
            //free_allocated_address(&current->address);
            free(current->address);
            delete_map_node(map_list, current->free_time);
            //delete(map_list,current->free_time);
            //return next;
        }

        else
        {
            printf("there is nothing to free now\n");
        }

        current = current->next; //FIRST ERROR
    }
    printf("THE MAP SIZE AFTER REMOVALS IS %d\n", map_size(map_list));
}

And this is the delete_map_node function

map* delete_map_node(map *root,double ftime)
{
    if (root==NULL)
    {
        return NULL;
    }

    //map *temporary;

    if (root->free_time == ftime)
    {
        map *temporary = root->next;
        free(root); //SECOND ERROR
        root = temporary;
        return temporary;
    }

    root->next = delete_map_node(root->next, ftime);
    //free(root->address);
    return root;
}

I am aware that those two can be combined to only one function.

valgrind, reports no memory leaks or uninitialized values. However when I execute the following command:

valgrind --tool=memcheck --leak-check=full --track-origins=yes -v ./a.out

I get the following output :

==6807== Invalid read of size 4
==6807==    at 0x8049228: find_and_free_address (Map.c:123)
==6807==    by 0x8048DA6: second_iteration (List.c:150)
==6807==    by 0x8048C6B: first_iteration (List.c:113)
==6807==    by 0x8048908: main (Fscanf.c:63)
==6807==  Address 0x42005bc is 12 bytes inside a block of size 16 free'd
==6807==    at 0x402AF3D: free (vg_replace_malloc.c:468)
==6807==    by 0x804929F: delete_map_node (Map.c:142)
==6807==    by 0x80492C1: delete_map_node (Map.c:147)
==6807==    by 0x8049216: find_and_free_address (Map.c:113)
==6807==    by 0x8048DA6: second_iteration (List.c:150)
==6807==    by 0x8048C6B: first_iteration (List.c:113)
==6807==    by 0x8048908: main (Fscanf.c:63)

I can see that the error is that I access root->next and current->next after I have freed them, but I have not managed to do without it.

Can you suggest me a way, to get rid of this error?

Answer 1

One problem that I see is that in delete_map_node you free root (which might be map_list passed from find_and_free_address ), but you don't actually change map_list which means that when delete_map_node returns the map_list variable points to unallocated memory. Accessing map_list afterwards leads to undefined behavior .

The simple solution to this is to assign the return value of delete_map_node to map_list :

map_list = delete_map_node(map_list, current->free_time);

Also, what happens when delete_map_node frees the node in the list that is current in the find_and_free_address function? Then current = current->next will also lead to undefined behavior.