[英]Why would valgrind complain about invalid read and writes of size 1 on reusing allocated memory?
我編寫了一個函數來比較版本 c 字符串,如"1.2.3"
、 "1.123.9"
等。
int compare_versions(char* first, char* second)
{
size_t first_last_dot1 = 0;
size_t first_last_dot2 = strcspn(first, ".");
size_t second_last_dot1 = 0;
size_t second_last_dot2 = strcspn(second, ".");
while(first_last_dot2 || second_last_dot2)
{
if(first_last_dot2 && !second_last_dot2) return 1;
if(!first_last_dot2 && second_last_dot2) return -1;
char* first_c = (char*)calloc(first_last_dot2 + 1, sizeof(char));
strncat(first_c, first + first_last_dot1, first_last_dot2);
int first_n = atoi(first_c);
first_last_dot1 += first_last_dot2 + 1;
first_last_dot2 = strcspn(first + first_last_dot1, ".");
free(first_c);
char* second_c = (char*)calloc(second_last_dot2 + 1, sizeof(char));
strncat(second_c, second + second_last_dot1, second_last_dot2);
int second_n = atoi(second_c);
second_last_dot1 += second_last_dot2 + 1;
second_last_dot2 = strcspn(second + second_last_dot1, ".");
free(second_c);
if (first_n != second_n)
{
if(first_n < second_n) return -1;
return 1;
}
}
return 0;
}
並且 valgrind 根本不會抱怨我的“測試”:
assert(0 == compare_versions("1.12345678.2", "1.12345678.2"));
valgrind 輸出:
==24002== Memcheck, a memory error detector
==24002== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==24002== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==24002== Command: ./a.out
==24002==
==24002==
==24002== HEAP SUMMARY:
==24002== in use at exit: 0 bytes in 0 blocks
==24002== total heap usage: 10 allocs, 10 frees, 48 bytes allocated
==24002==
==24002== All heap blocks were freed -- no leaks are possible
==24002==
==24002== For counts of detected and suppressed errors, rerun with: -v
==24002== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
現在我想重用分配的內存,即:當我分配一個大小為 4 的內存塊時,我可以將它重用於所有大小為 4 的 c 字符串(包括終止空字符)。
所以我寫了這個版本的完全相同的函數:
int compare_versions(char* first, char* second)
{
size_t first_last_dot1 = 0;
size_t first_last_dot2 = strcspn(first, ".");
size_t second_last_dot1 = 0;
size_t second_last_dot2 = strcspn(second, ".");
char* first_c = (char*)calloc(first_last_dot2 + 1, sizeof(char));
char* second_c = (char*)calloc(second_last_dot2 + 1, sizeof(char));
int first_max = first_last_dot2;
int second_max = second_last_dot2;
while(first_last_dot2 || second_last_dot2)
{
// first longer than second ( different only by last segment )
if(first_last_dot2 && !second_last_dot2) {
free(first_c);
free(second_c);
return 1;
}
// second longer than first ( different only by last segment )
if(!first_last_dot2 && second_last_dot2) {
free(first_c);
free(second_c);
return -1;
}
if(first_last_dot2 > first_max) {
first_max = first_last_dot2;
first_c = (char*)realloc(first_c, first_last_dot2 + 1);
memset(first_c, 0, first_last_dot2);
}
strncat(first_c, first + first_last_dot1, first_last_dot2);
int first_n = atoi(first_c);
first_last_dot1 += first_last_dot2 + 1;
first_last_dot2 = strcspn(first + first_last_dot1, ".");
if(second_last_dot2 > second_max) {
second_max = second_last_dot2;
second_c = (char*)realloc(second_c, second_last_dot2 + 1);
memset(second_c, 0, second_last_dot2);
}
strncat(second_c, second + second_last_dot1, second_last_dot2);
int second_n = atoi(second_c);
second_last_dot1 += second_last_dot2 + 1;
second_last_dot2 = strcspn(second + second_last_dot1, ".");
if (first_n != second_n)
{
free(first_c);
free(second_c);
if(first_n < second_n) return -1;
return 1;
}
}
free(first_c);
free(second_c);
return 0;
}
但隨后我將從 valgrind 獲得以下輸出:
==24039== Memcheck, a memory error detector
==24039== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==24039== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==24039== Command: ./a.out
==24039==
==24039== Invalid write of size 1
==24039== at 0x4A07E83: strncat (mc_replace_strmem.c:304)
==24039== by 0x400828: compare_versions (main.c:46)
==24039== by 0x400986: main (main.c:94)
==24039== Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd
==24039== at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==24039== by 0x4007F1: compare_versions (main.c:43)
==24039== by 0x400986: main (main.c:94)
==24039==
==24039== Invalid read of size 1
==24039== at 0x39AA436FF3: ____strtol_l_internal (strtol_l.c:438)
==24039== by 0x39AA433C5F: atoi (atoi.c:28)
==24039== by 0x400834: compare_versions (main.c:47)
==24039== by 0x400986: main (main.c:94)
==24039== Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd
==24039== at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==24039== by 0x4007F1: compare_versions (main.c:43)
==24039== by 0x400986: main (main.c:94)
==24039==
...
==24039==
==24039== HEAP SUMMARY:
==24039== in use at exit: 0 bytes in 0 blocks
==24039== total heap usage: 4 allocs, 4 frees, 22 bytes allocated
==24039==
==24039== All heap blocks were freed -- no leaks are possible
==24039==
==24039== For counts of detected and suppressed errors, rerun with: -v
==24039== ERROR SUMMARY: 34 errors from 8 contexts (suppressed: 6 from 6)
這里有什么問題?
Valgrind 說明了一切 - 我只看初始錯誤:
==24039== Invalid write of size 1 ==24039== at 0x4A07E83: strncat (mc_replace_strmem.c:304) ==24039== by 0x400828: compare_versions (main.c:46) ==24039== by 0x400986: main (main.c:94) ==24039== Address 0x4c330e9 is 0 bytes after a block of size 9 alloc'd ==24039== at 0x4A06C20: realloc (vg_replace_malloc.c:662) ==24039== by 0x4007F1: compare_versions (main.c:43) ==24039== by 0x400986: main (main.c:94)
行compare_versions (main.c:46)
是:
strncat(first_c, first + first_last_dot1, first_last_dot2);
行compare_versions (main.c:43)
是:
first_c = (char*)realloc(first_c, first_last_dot2 + 1);
錯誤發生在第三個循環周期。 first_last_dot2
已first_last_dot2
中的第二個循環循環中設置
first_last_dot2 = strcspn(first + first_last_dot1, ".");
到值1 (版本字符串的最后一部分的長度,即2
); 之前first_last_dot2
已在第二個循環周期中設置為值8 (版本字符串中間部分的長度,即12345678
),因此realloc
分配的大小為8 + 1 = 9 。 由於現在if
條件(first_last_dot2 > first_max)
不為真, realloc
以及
memset(first_c, 0, first_last_dot2);
被跳過; 由於沒有執行后者, first_c
仍然包含12345678
並且strncat
將2
附加到它,將終止空字節寫入first_c
[9],這是大小為 9 alloc'd 的塊之后的 0 個字節。
如果在if
塊之后移動兩個memset
(也是second_c
的一個),則沒有錯誤。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.