malloc() 和 realloc() 函数的奇怪行为导致分段错误

Question

I have a function named num_to_binary , which is used to convert a decimal number stored in the form of array. The prototype for this function num_to_binary is as below:

void num_to_binary(int *number_b, int size_of_number);

Here:

number_b is pointer to array which stores my number. For example, if I would like to convert the number 12345 to binary, then I will be storing 12345 in number_b as follows:

number_b[0] = 1
number_b[1] = 2
number_b[2] = 3
number_b[3] = 4
number_b[4] = 5

Also, size_of_number is the number of digits in the number (or it is the number of elements in the array number_b ). So for the number 12345, size_of_number has the value 5.

Below is the full declaration of the function num_to_binary :

void num_to_binary(int *number_b, int size_of_number)
{
    int *tmp_pointer = malloc(1 * sizeof(int));
    int curr_size = 1;
    int i = 0;
    while(!is_zero(number_b,size_of_number))
    {
        if(i != 0)
        {
            curr_size += 1;
            tmp_pointer = realloc(tmp_pointer, curr_size * sizeof(int));
        }
        if(number_b[size_of_number - 1] % 2 == 1)
        {
            tmp_pointer[i] = 1;
            divide_by_2(number_b,size_of_number);
            i = i + 1;
        }
        else
        {
            tmp_pointer[i] = 0;
            divide_by_2(number_b,size_of_number);
            i = i + 1;
        }
    }
    int *fin_ans;
    fin_ans = malloc(curr_size * sizeof(int));
    for(int j = 0 ; j < curr_size; j++)
    {
        fin_ans[curr_size-1-j] = tmp_pointer[j];
    }
}

In the above function:

tmp_pointer : It is initially allocated some memory using malloc() , and is used to store the reverse of the binary representation of the number stored in number_b

curr_size : It stores the current size of tmp_pointer . It is initially set to 1. i : It is used to keep track of the while loop. It is also used to reallocation purpose, which I have explained a bit later.

is_zero(number_b, size_of_number) : It is a function, which returns 1 if the number stored in number_b is 0, else it returns 1.

divide_by_2(number_b, size_of_number) : It divides the number stored in number_b by 2. It does NOT change the size of the array number_b .

fin_ans : It is an integer pointer. Since the binary representation stored in the array tmp_pointer will be the reverse of the actual binary representation of the number, so fin_ans will store the correct binary representation of number by reversing the content of tmp_pointer .

Below is the how this function works :

1. First of all, tmp_pointer is allocated a memory equal to the size of 1 int. So, now tmp_pointer can store an integer.
2. We now go into the while loop. The loop will terminate only when the number stored in number_b equals 0.
3. Now, we check if i is equal to 0 or not. If it is not equal to zero, then this means than the loops has been run atleast once, and in order to store the next binary digit, we resize the memory allocated to tmp_pointer so that it can store the next bit.
4. If the last digit of the number is odd, then that implies that the corresponding binary digit will be 1, else it will be 0. The if and else condition do this task. They also increment i each time one of them is executed, and also divide the number by 2.
5. Now, we are out of the loop. It's time to reverse the binary number stored in tmp_pointer to get the final answer.
6. For this, we create a new pointer called fin_ans , and allocate it the memory which will be used for storing the correct binary representation of the number.
7. The last for loop is used to reverse the binary representation and store the correct binary representation in fin_ans .

The problem:

The code runs for small numbers such as 123, but for large numbers such as 1234567891, it gives a segmentation fault error. This can be checked by trying to print the digits stored in fin_ans .

I tried using GDB Debugger, and got to know that the reason for Segmentation Fault lies in the while loop. I am sure that the functions divide_by_2 and is_zero are not the reason for Segmentation Fault, since I have tested them thoroughly.

I also used DrMemory, which indicated that I am trying to access (read or write) a memory location which has not been allocated. Unfortunately, I am not able to figure out where the error lies.

I suspect realloc() to be the cause of Segmentation Fault, but I am not sure.

Apologies for such a long question, however, I would highly appreciate any help provided to me for this code.

Thanks in advance for helping me out !

Answer 1

There are multiple problems in the code:

• you do not check for memory allocation failure
• you forget to free tmp_pointer before leaving the function.
• you allocate a new array fin_ans to reserve the array tmp_pointer and perform the reverse operation but you do not return this array to the caller, nor do you have a way to return its size. You should change the prototype to return this information.
• if the number of zero, the converted number should probably have 1 digit initialized as 0, but you use malloc which does not initialize the array it allocates so tmp_pointer[0] is uninitialized.
• you did not provide the code for is_zero() nor divide_by_two() . It is possible that bugs in these functions cause the segmentation fault, especially if the loop does not reach zero and memory is eventually exhausted during this infinite loop.

Here is a modified version:

int *num_to_binary(int *number_b, int size_of_number, int *binary_size) {
    int i, j, curr_size;
    int *p, *newp;

    curr_size = 1;
    p = malloc(1 * sizeof(int));
    if (p == NULL)
        return NULL;
    p[0] = 0;

    for (i = 0; !is_zero(number_b, size_of_number); i++) {
        if (i != 0) {
            curr_size += 1;
            newp = realloc(p, curr_size * sizeof(int));
            if (newp == NULL) {
                free(p);
                return NULL;
            }
            p = newp;
        }
        p[i] = number_b[size_of_number - 1] % 2;
        divide_by_2(number_b, size_of_number);
    }
    for (i = 0, j = curr_size; i < j; i++)
        int digit = p[--j];
        p[j] = p[i];
        p[i] = digit;
    }
    *binary_size = curr_size;
    return p;
}

Answer 2

There is no need for multiple memory reallocations. Result memory buffer size could be easily evaluated as binary logarithm of the decimal input value. Calculation of the number binary representation could also be simplified:

//Transform binary array to actual number
int arr2int(int* pIntArray, unsigned int nSizeIn) {
    if (!pIntArray || !nSizeIn)
        return 0;

    int nResult = 0;
    for (unsigned int i = 0; i < nSizeIn; ++i)
        nResult += pIntArray[i] * (int)pow(10, nSizeIn - i - 1);

    return nResult;
}

int* int2bin(int* pIntArray, unsigned int nSizeIn, unsigned int* nSizeOut){
    //0) Converting int array to the actual value
    int nVal = arr2int(pIntArray, nSizeIn);

    //1)Evaluating size of result array and allocating memory
    if(!nVal)
        *nSizeOut = 1;
    else
        *nSizeOut = (int)floor(log2(nVal)) + 1;

    //2)Allocate and init memory
    int* pResult = malloc(*nSizeOut);
    memset(pResult, 0, *nSizeOut * sizeof(int));

    //3) Evaluate binary representation
    for (unsigned int i = 0; i < *nSizeOut; ++i){
        int nBinDigit = (int)pow(2, i);
        if (nBinDigit == (nVal & nBinDigit))
            pResult[*nSizeOut - i - 1] = 1;
    }

    return pResult;
}

Testing:

#include <stdio.h>
#include <math.h>
#include <stdlib.h>
#include <string.h>
#define _DC 9

int main()
{
    int test[_DC];
    for (int i = 0; i < _DC; ++i)
        test[i] = i;

    unsigned int nRes = 0;
    int* pRes = int2bin(test, _DC, &nRes);

    for (unsigned int i = 0; i < nRes; ++i)
        printf("%d", pRes[i]);

    free(pRes);
    return 0;
}