C code - malloc and free

Question

consider the below code:

int main()

{

int *a,address,size;

    a= (int *) malloc(10);
    address=(int*) a-1;
    size=(int ) *(a-1); // sorry there was a bug wrong casting, now its corrected.
    printf("address of malloc n:%d\n",address);
    printf("size of malloc block b:%d\n",size);
    printf("before%p",a);
    a=a+1;
    printf("\n after%p",a);    
    free(a);

    getch();

}

Address of the malloc "a" was incremented and then freed (a+1). It will lead to memory leak, but how will the free know the end point till it has to free so that it will not free the next chunk of memory by mistake? Is there any end marker like in Char Array - '\\0'?

I read in K&R chapter 8 section 8.7 that free maintains a list from which the free will know were to add back the free memory block to.

Is there any size from which table its declared by malloc? Then how will the above code work, i guess this is were the free list comes to picture right? Its just going to add the free linked list ie a+1 on words only. and forget about the other memory location which will lead to memory leak.

But when you do a malloc(), I read that it returns a pointer-1 and will give the Size of the malloc block that was allocated, am I right?

Can anyone explain this in detail?

Question is not related to Code. its how exactly the Malloc and free function work with each other. if i say free(a), how exactly will the free function know the end of the block?

Answer 1

All that can be said the free(a+1) call is that it leads to undefined behaviour, since a+1 has never been returned by malloc() et al.

Upon closer inspection, the size=(int *)*(a-1) line also leads to undefined behaviour, since you're dereferencing a pointer outside the allocated region.

The mechanics of memory allocation (ie things like free lists) are implementation-specific and should not be relied upon except in very specific and very rare circumstances.

edit If you curious to learn how a possible implementation might work, here is a description of one popular malloc() implementation: dlmalloc .

Answer 2

You are in the realm of undefined behavior .

Free must be passed a pointer returned by malloc as per the standard:

The free function causes the space pointed to by ptr to be deallocated, that is, made available for further allocation. If ptr is a null pointer, no action occurs. Otherwise, if the argument does not match a pointer earlier returned by the calloc , malloc , or realloc function , or if the space has been deallocated by a call to free or realloc , the behavior is undefined .

-- ANSI Standard 1988

Section 4.10.3.2 :The free function

Answer 3

You can't ask the sorts of questions you have about C implementations in general. You are making assumptions about the C implementation, some of which may be true, but they aren't guaranteed to be true by the C standard. Perhaps on some implementations, freeing an invalid pointer means you have a memory leak, and perhaps on some implementations, reading the 4 bytes prior to the pointer returned by malloc will give you the size of the allocated memory, but this is not standardised. The code you have written invokes undefined and implementation-defined behaviour in a number of places. Without knowing what C implementation you are talking about, it is impossible to tell you what the code will do. When a program invokes undefined behaviour, the implementation is free to do whatever it wants to do. A conforming C implementation can cause your computer to melt down into a steaming pile of silicon for freeing an invalid pointer. Will it? Don't know. The behaviour of your code is undefined.

How free and malloc are implemented depend on the implementation, not on the C standard. The C standard explains what the functions do and it is up to each individual C implementation to provide conforming versions of free and malloc based on the descriptions of these functions in the C standard.