代码崩溃，除非我在其中放入printf语句

Question

This is a snippet of code from an array library I'm using. This runs fine on windows, but when I compile with gcc on linux if crashes in this function. when trying to narrow down the problem, I added a printf statement to it, and the code stopped crashing.

void _arrayCreateSize( void ***array, int capacity )
{
    (*array) = malloc( (capacity * sizeof(int)) + sizeof(ArrayHeader) );
    ((ArrayHeader*)(*array))->size = 0;
    ((ArrayHeader*)(*array))->capacity = capacity;
    // printf("Test!\n");
    *(char**)array += sizeof(ArrayHeader);
}

As soon as that printf is taken out it starts crashing on me again. I'm completely baffled as to why it's happening.

Answer 1

The last line in the function is not doing what was intended. The code is obscure to the point of impenetrability.

It appears that the goal is to allocate an array of int , because of the sizeof(int) in the first memory allocation. At the very least, if you are meant to be allocating an array of structure pointers, you need to use sizeof(SomeType *) , the size of some pointer type ( sizeof(void *) would do). As written, this will fail horribly in a 64-bit environment.

The array is allocated with a structure header ( ArrayHeader ) followed by the array proper. The returned value is supposed to the start of the array proper; the ArrayHeader will presumably be found by subtraction from the pointer. This is ugly as sin, and unmaintainable to boot. It can be made to work, but it requires extreme care, and (as Brian Kernighan said) "if you're as clever as possible when you write the code, how are you ever going to debug it?".

Unfortunately, the last line is wrong:

void _arrayCreateSize( void ***array, int capacity )
{
    (*array) = malloc( (capacity * sizeof(int)) + sizeof(ArrayHeader) );
    ((ArrayHeader*)(*array))->size = 0;
    ((ArrayHeader*)(*array))->capacity = capacity;
    // printf("Test!\n");
    *(char**)array += sizeof(ArrayHeader);
}

It adds sizeof(ArrayHeader) * sizeof(char *) to the address, instead of the intended sizeof(ArrayHeader) * sizeof(char) . The last line should read, therefore:

*(char *)array += sizeof(ArrayHeader);

or, as noted in the comments and an alternative answer:

*(ArrayHeader *)array += 1;
*(ArrayHeader *)array++;

I note in passing that the function name should not really start with an underscore. External names starting with an underscore are reserved to the implementation (of the C compiler and library).

---

The question asks "why does the printf() statement 'fix' things". The answer is because it moves the problem around. You've got a Heisenbug because there is abuse of the allocated memory, and the presence of the printf() manages to alter the behaviour of the code slightly.

Recommendation

1. Run the program under valgrind . If you don't have it, get it.
2. Revise the code so that the function checks the return value from malloc() , and so it returns a pointer to a structure for the allocated array.
3. Use the clearer code outlined in Michael Burr 's answer.

Answer 2

Arbitrary random crashing when adding seemingly unrelated printf() statements often is a sign of a corrupted heap. The compiler sometimes stores information about allocated memory directly on the heap itself. Overwriting that metadata leads to surprising runtime behavior.

A few suggestions:

• are you sure that you need void *** ?
• try replacing your argument to malloc() with 10000 . Does it work now?

Moreover, if you just want arrays that store some metadata, your current code is a bad approach. A clean solution would probably use a structure like the following:

struct Array {
    size_t nmemb;    // size of an array element
    size_t size;     // current size of array
    size_t capacity; // maximum size of array
    void *data;      // the array itself
};

Now you can pass an object of type Array to functions that know about the Array type, and Array->data cast to the proper type to everything else. The memory layout might even be the same as in your current approach, but access to the metadata is significantly easier and especially more obvious.

Your main audience is the poor guy that has to maintain your code 5 years from now.

Answer 3

Now that Jonathan Leffler has pointed out what the bug was , might I suggest that the function be written in a manner that's a little less puzzling?:

void _arrayCreateSize( void ***array, int capacity )
{
    // aloocate a header followed by an appropriately sized array of pointers
    ArrayHeader* p = malloc( sizeof(ArrayHeader) + (capacity * sizeof(void*)));

    p->size = 0;
    p->capacity = capacity;

    *array = (void**)(p+1);   // return a pointer to just past the header 
                              //   (pointing at the array of pointers)
}

Mix in your own desired handling of malloc() failure.

I think this will probably help the next person who needs to look at it.