You are most likely seeing this question because your question has been closed as a duplicate of this. For a moderately complete list of related questions, please see A long list of possible duplicates — C memory allocation and overrunning bounds on Meta Stack Overflow.
From free char*: invalid next size (fast) asked by noobie on 2014-04-11.
I am freeing a char*
after a concatenation process, but I receive this error:
free(): invalid next size (fast): 0x0000000001b86170
This is my code:
void concat(stringList *list) {
char *res = (char*)malloc(sizeof(char*));
strcpy(res, list->head->string);
list->tmp = list->head->next;
while (list->tmp != NULL) {
strcat(res, ",");
strcat(res, list->tmp->string);
list->tmp = list->tmp->next;
}
printf("%s\n", res);
free(res);
}
When running my program, I see an error message like this:
*** glibc detected *** ./a.out: free(): corrupted unsorted chunks: 0x12345678 ***
The detailed information can contain any of the following after the *** glibc detected ***
and the program name, and the message is followed by a hexadecimal address (shown as 0x12345678) and another ***
:
free(): corrupted unsorted chunks: 0x12345678
free(): invalid next size (fast): 0x12345678
free(): invalid next size (normal): 0x12345678
free(): invalid pointer: 0x12345678
free(): invalid size: 0x12345678
malloc(): corrupted unsorted chunks: 0x12345678
malloc(): corrupted unsorted chunks 2: 0x12345678
malloc(): memory corruption: 0x12345678
malloc(): memory corruption (fast): 0x12345678
malloc(): smallbin double linked list corrupted: 0x12345678
munmap_chunk(): invalid pointer: 0x12345678
realloc(): invalid next size (fast): 0x12345678
realloc(): invalid old size (fast): 0x12345678
realloc(): invalid pointer: 0x12345678
corrupted double-linked list: 0x12345678
This happens while calling the frobnicate()
function; what is wrong with that function?
unwind gave the accepted answer to the example question:
Your code is wrong.
You are allocating space for a single pointer (
malloc(sizeof(char*))
), but no characters. You are overwriting your allocated space with all the strings, causing undefined behavior (in this particular case, corruptingmalloc()
's book-keeping data).You don't need to allocate space for the pointer (
res
); it's a local variable. You must allocate space for all the characters you wish to store at the address held by the pointer.Since you're going to be traversing a list to find strings to concatenate, you can't know the total size upfront. You're going to have to do two passes over the list: one to sum the
strlen()
of each string, then allocate that plus space for the separator and terminator, then another pass when you actually do the concatenation.
What you are seeing is the result of a corruption in the internal structures of the glibc allocator. When you are allocating or freeing dynamic memory, the allocator has to manage the memory it reserved from the OS and, depending on the action requested by you, find a new chunk to hand out, sort a freed chunk into the list of those that it can hand out later again, or give the memory back to the operating system. These error messages show that the data structures it uses to manage this functionality are corrupted.
These errors all mean that some of your code has modified memory that it was not given to use, invoking undefined behaviour. This is most likely the result of overwriting some memory quite a bit earlier in your program, and it is totally possible that the error does not lie in the frobnicate()
function.
Yes, this means that the error can be anywhere in your program or 3rd party libraries you use.
This is probably not a good question for Stack Overflow. Unless you have a good simple reproduction of your problem, this community may be unable to help you very much. The cause of the error can be anywhere in your code (and is very often not in the function where the error is spotted), and it may be in code that we cannot see. Stack Overflow is not a collaborative debugging site. Even when someone can find the flaw in your code, it is unlikely that your specific question will ever help any future visitor.
long *data = malloc(number * 4)
instead of long *data = malloc(number * sizeof(long));
or (better) long *data = malloc(number * sizeof(*data));
. There are many other ways to get the size calculation wrong. Another common one is to forget to account for the null terminator character at the end of a string: char *copy = malloc(strlen(str));
instead of char *copy = malloc(strlen(str)+1);
.What you need to do now is to roll up your sleeves and debug that problem
There is no simple answer what to look for, or what to fix. No single syntactical construct that you were using wrong. The cause of this bug can come in literally thousands of varieties.
exp-sgcheck
tool. If you are running multithreaded code, the cause might also be related to a race condition so you might want to try the included race condition checkers drd
and helgrind
for more insight. At the point of writing this, valgrind supports the following platforms:
If you can't solve your problem using one these tools, you should try to create an MCVE (How to create a Minimal, Complete, and Verifiable Example?) or, equivalently, an SSCCE (Short, Self Contained, Correct (Compilable), Example).
Remember to work on a copy of your code because creating an MCVE requires you to ruthlessly remove code that does not help reproduce the problem. Using a VCS (version control system) to assist is a good idea; you can record intermediate stages in reducing the problem to a minimum. It might be a new throw-away repository just for reducing your problem to a manageable size.
With a good modular design to your code, it should be relatively easy to create the MCVE. Maybe you also already have a unit test that is better suited to be fed into one of the above tools. You also might just want to create one that can later serve as a regression test for this bug.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With