How do I understand Invalid read in Valgrind, where address is bigger than the alloc'd block size

Question

I am new to Valgrind. Got these Valgrind message:

==932767== Invalid read of size 16
==932767==    at 0x3D97D2B9AA: __strcasecmp_l_sse42 (in /lib64/libc-2.12.so)
...
==932767==  Address 0x8c3e170 is 9 bytes after a block of size 7 alloc'd
==932767==    at 0x6A73B4A: malloc (vg_replace_malloc.c:296)
==932767==    by 0x34E821195A: ??? 

Here I have two questions:

1. the allocated block is 7 bytes, then how come the address 0x8c3e170 is in 9 bytes? Normally the pointed size is smaller than the allocated size. So under what circumstance we will meet the above issue?

2. the Invalide read size is 16bytes. Does it include the 2 extra bytes from "Address 0x8c3e170 is 9 bytes after a block of size 7 alloc'd"

Answer 1

If it weren't for the ellipsis I would say the Address 0x8c3e170... msg is directly related to the Invalid read of size 16 because it's indented further.

It's possible to get false positives, so don't rule that out. For example, it's possible that strcasecmp is reading more than it needs to as an optimization.

I read the 2nd message as the address being read from starts 9 bytes after the end of a block of size 7.

I have two suggestions, either of which will probably help you track this down:

1) Run your application under valgrind such that you can attach in a separate terminal window with gdb:

~ valgrind --vgdb=yes --vgdb-error=0 your_program

in another window:

~ gdb your_program
(gdb) target remote | vgdb

This option makes it halt as though a breakpoint were set on every problem valgrind finds

2) Compile with the undefined and/or memory sanitizers either with clang or gcc (4.9 or higher). They catch the same sorts of issues, but I find the error messages more informative.