為什么 valgrind 在重用分配的內存時會抱怨大小為 1 的無效讀寫？

Question

我編寫了一個函數來比較版本 c 字符串，如"1.2.3" 、 "1.123.9"等。

int compare_versions(char* first, char* second)
{
  size_t first_last_dot1 = 0;
  size_t first_last_dot2 = strcspn(first, ".");
  size_t second_last_dot1 = 0;
  size_t second_last_dot2 = strcspn(second, ".");

  while(first_last_dot2 || second_last_dot2)
  {
    if(first_last_dot2 && !second_last_dot2) return 1;
    if(!first_last_dot2 && second_last_dot2) return -1;

    char* first_c = (char*)calloc(first_last_dot2 + 1, sizeof(char));
    strncat(first_c, first + first_last_dot1, first_last_dot2);
    int first_n = atoi(first_c);
    first_last_dot1 += first_last_dot2 + 1;
    first_last_dot2 = strcspn(first + first_last_dot1, ".");
    free(first_c);

    char* second_c = (char*)calloc(second_last_dot2 + 1, sizeof(char));
    strncat(second_c, second + second_last_dot1, second_last_dot2);
    int second_n = atoi(second_c);
    second_last_dot1 += second_last_dot2 + 1;
    second_last_dot2 = strcspn(second + second_last_dot1, ".");
    free(second_c);

    if (first_n != second_n)
    {
      if(first_n < second_n) return -1;
      return 1;
    }
  }

  return 0;
}

並且 valgrind 根本不會抱怨我的“測試”：

assert(0 == compare_versions("1.12345678.2", "1.12345678.2"));

valgrind 輸出：

==24002== Memcheck, a memory error detector
==24002== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==24002== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==24002== Command: ./a.out
==24002== 
==24002== 
==24002== HEAP SUMMARY:
==24002==     in use at exit: 0 bytes in 0 blocks
==24002==   total heap usage: 10 allocs, 10 frees, 48 bytes allocated
==24002== 
==24002== All heap blocks were freed -- no leaks are possible
==24002== 
==24002== For counts of detected and suppressed errors, rerun with: -v
==24002== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)

現在我想重用分配的內存，即：當我分配一個大小為 4 的內存塊時，我可以將它重用於所有大小為 4 的 c 字符串（包括終止空字符）。

所以我寫了這個版本的完全相同的函數：

int compare_versions(char* first, char* second)
{
  size_t first_last_dot1 = 0;
  size_t first_last_dot2 = strcspn(first, ".");
  size_t second_last_dot1 = 0;
  size_t second_last_dot2 = strcspn(second, ".");

  char* first_c = (char*)calloc(first_last_dot2 + 1, sizeof(char));
  char* second_c = (char*)calloc(second_last_dot2 + 1, sizeof(char));
  int first_max = first_last_dot2;
  int second_max = second_last_dot2;

  while(first_last_dot2 || second_last_dot2)
  {
    // first longer than second ( different only by last segment )
    if(first_last_dot2 && !second_last_dot2) {
      free(first_c);
      free(second_c);
      return 1;
    }
    // second longer than first ( different only by last segment )
    if(!first_last_dot2 && second_last_dot2) {
      free(first_c);
      free(second_c);
      return -1;
    }

    if(first_last_dot2 > first_max) {
      first_max = first_last_dot2;
      first_c = (char*)realloc(first_c, first_last_dot2 + 1);
      memset(first_c, 0, first_last_dot2);
    }
    strncat(first_c, first + first_last_dot1, first_last_dot2);
    int first_n = atoi(first_c);
    first_last_dot1 += first_last_dot2 + 1;
    first_last_dot2 = strcspn(first + first_last_dot1, ".");

    if(second_last_dot2 > second_max) {
      second_max = second_last_dot2;
      second_c = (char*)realloc(second_c, second_last_dot2 + 1);
      memset(second_c, 0, second_last_dot2);
    }
    strncat(second_c, second + second_last_dot1, second_last_dot2);
    int second_n = atoi(second_c);
    second_last_dot1 += second_last_dot2 + 1;
    second_last_dot2 = strcspn(second + second_last_dot1, ".");

    if (first_n != second_n)
    {
      free(first_c);
      free(second_c);
      if(first_n < second_n) return -1;
      return 1;
    }
  }

  free(first_c);
  free(second_c);
  return 0;                                                                                                                                                                                                                                                                       
}

但隨后我將從 valgrind 獲得以下輸出：

==24039== Memcheck, a memory error detector
==24039== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==24039== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==24039== Command: ./a.out
==24039== 
==24039== Invalid write of size 1
==24039==    at 0x4A07E83: strncat (mc_replace_strmem.c:304)
==24039==    by 0x400828: compare_versions (main.c:46)
==24039==    by 0x400986: main (main.c:94)
==24039==  Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd
==24039==    at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==24039==    by 0x4007F1: compare_versions (main.c:43)
==24039==    by 0x400986: main (main.c:94)
==24039== 
==24039== Invalid read of size 1
==24039==    at 0x39AA436FF3: ____strtol_l_internal (strtol_l.c:438)
==24039==    by 0x39AA433C5F: atoi (atoi.c:28)
==24039==    by 0x400834: compare_versions (main.c:47)
==24039==    by 0x400986: main (main.c:94)
==24039==  Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd
==24039==    at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==24039==    by 0x4007F1: compare_versions (main.c:43)
==24039==    by 0x400986: main (main.c:94)
==24039== 
...
==24039== 
==24039== HEAP SUMMARY:
==24039==     in use at exit: 0 bytes in 0 blocks
==24039==   total heap usage: 4 allocs, 4 frees, 22 bytes allocated
==24039== 
==24039== All heap blocks were freed -- no leaks are possible
==24039== 
==24039== For counts of detected and suppressed errors, rerun with: -v
==24039== ERROR SUMMARY: 34 errors from 8 contexts (suppressed: 6 from 6)

這里有什么問題？

Answer 1

Valgrind 說明了一切 - 我只看初始錯誤：

==24039== Invalid write of size 1
==24039==    at 0x4A07E83: strncat (mc_replace_strmem.c:304)
==24039==    by 0x400828: compare_versions (main.c:46)
==24039==    by 0x400986: main (main.c:94)
==24039==  Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd
==24039==    at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==24039==    by 0x4007F1: compare_versions (main.c:43)
==24039==    by 0x400986: main (main.c:94)

行compare_versions (main.c:46)是：

    strncat(first_c, first + first_last_dot1, first_last_dot2);

行compare_versions (main.c:43)是：

      first_c = (char*)realloc(first_c, first_last_dot2 + 1);

錯誤發生在第三個循環周期。 first_last_dot2已first_last_dot2中的第二個循環循環中設置

    first_last_dot2 = strcspn(first + first_last_dot1, ".");

到值1 （版本字符串的最后一部分的長度，即2 ）； 之前first_last_dot2已在第二個循環周期中設置為值8 （版本字符串中間部分的長度，即12345678 ），因此realloc分配的大小為8 + 1 = 9 。 由於現在if條件(first_last_dot2 > first_max)不為真， realloc以及

      memset(first_c, 0, first_last_dot2);

被跳過； 由於沒有執行后者， first_c仍然包含12345678並且strncat將2附加到它，將終止空字節寫入first_c [9]，這是大小為 9 alloc'd 的塊之后的 0 個字節。
如果在if塊之后移動兩個memset （也是second_c的一個），則沒有錯誤。