From: "Shyamal Shukla" <shyamalshukla@gmail.com>
To: freebsd-questions@freebsd.org
Date: Tue, 5 Aug 2008 11:46:06 +0530
Subject: memory allocation with malloc
List-Id: User questions <freebsd-questions.freebsd.org>

Hi All,

I am trying to validate my understanding of how malloc works by means of the C program below, which tries to corrupt the essential information maintained by malloc for the free() operation.

The program allocates four 12-byte blocks (internally 16 bytes are allocated for each 12-byte block). Hence the total allocated space was 48 bytes. As malloc maintains (length of the allocated block + 1) in the 4 bytes before the pointer returned from malloc, I have manipulated this length for the first block and set it to 49, with the goal that a single free shall release all four blocks and a subsequent malloc of 15 bytes shall be served from the address of the first block. However, this does not happen.

Can someone please correct my understanding and provide me with a reference to the working of malloc() and free()?

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *ptr, *ptr1, *ptr2, *ptr3, *ptr4;
        int *i;

        /* First block: dump the 4 bytes before the pointer (assumed size word)
         * and the 12 payload bytes. */
        ptr1 = (char *)malloc(12);
        i = (int *)(ptr1 - 4);
        printf("\n ptr1 = %p,%d \n", (void *)ptr1, *i);
        printf("\n %d:%d:%d:%d\n", ptr1[-4], ptr1[-3], ptr1[-2], ptr1[-1]);
        printf("\n %d:%d:%d:%d\n", ptr1[0], ptr1[1], ptr1[2], ptr1[3]);
        printf("\n %d:%d:%d:%d\n", ptr1[4], ptr1[5], ptr1[6], ptr1[7]);
        printf("\n %d:%d:%d:%d\n", ptr1[8], ptr1[9], ptr1[10], ptr1[11]);

        /* Deliberate corruption: claim the first block spans all four
         * (48 bytes) plus the assumed in-use bit. */
        *i = 49;

        ptr2 = (char *)malloc(12);
        i = (int *)(ptr2 - 4);
        printf("\n ptr2 = %p,%d \n", (void *)ptr2, *i);
        printf("\n %d:%d:%d:%d\n", ptr2[-4], ptr2[-3], ptr2[-2], ptr2[-1]);

        ptr3 = (char *)malloc(12);
        i = (int *)(ptr3 - 4);
        printf("\n ptr3 = %p,%d \n", (void *)ptr3, *i);
        printf("\n %d:%d:%d:%d\n", ptr3[-4], ptr3[-3], ptr3[-2], ptr3[-1]);

        ptr4 = (char *)malloc(12);
        i = (int *)(ptr4 - 4);
        printf("\n ptr4 = %p,%d \n", (void *)ptr4, *i);
        printf("\n %d:%d:%d:%d\n", ptr4[-4], ptr4[-3], ptr4[-2], ptr4[-1]);

        /* Free the first block with its corrupted header, then look at what
         * the memory around ptr1 contains afterwards. */
        free(ptr1);
        printf("\n ------------ANALYZE-------------\n");
        printf("\n %d:%d:%d:%d\n", ptr1[-4], ptr1[-3], ptr1[-2], ptr1[-1]);
        printf("\n %d:%d:%d:%d\n", ptr1[0], ptr1[1], ptr1[2], ptr1[3]);
        printf("\n %d:%d:%d:%d\n", ptr1[4], ptr1[5], ptr1[6], ptr1[7]);
        printf("\n %d:%d:%d:%d\n", ptr1[8], ptr1[9], ptr1[10], ptr1[11]);

        /* Expectation: this comes back at ptr1's address. */
        ptr = (char *)malloc(15);
        i = (int *)(ptr - 4);
        printf("\n ptr = %p,%d \n", (void *)ptr, *i);

        return 0;
    }

Thanks and Regards,
Shyamal

--
Linux - because life is too short for reboots...
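The experiment above assumes an allocator that keeps a size word in the 4 bytes before the returned pointer and trusts it on free(). FreeBSD's libc malloc (phkmalloc on older releases, jemalloc from 7.0) keeps its size metadata out of line in page and run bookkeeping rather than in front of the user data, so there is no in-band header to corrupt and the overwrite lands in a neighbouring allocation instead. The following toy allocator is an added example, not code from the post or from FreeBSD: it implements the in-band-header model the post assumes (16-byte chunks, `size | in-use` header), replays the four-block experiment on it, and pairs the naive free() with a hardened one that cross-checks the header against an out-of-band record. All names (`toy_malloc`, `toy_free`, `toy_free_checked`, `replay_experiment`) and the 256-byte static arena are assumptions of this example.

```c
/* toy_heap.c: first-fit allocator with (chunk size | in-use) in the four bytes
 * before each returned pointer. Added example of the model the post assumes;
 * this is NOT FreeBSD's libc malloc. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define HDR 4                  /* size word in front of every chunk */
#define GRAIN 16               /* chunks are multiples of 16 bytes */

static union { unsigned char bytes[ARENA_SIZE]; uint32_t align; } heap;
#define arena heap.bytes
static size_t top;                               /* first byte never handed out */
static uint32_t oob_size[ARENA_SIZE / GRAIN];    /* out-of-band size record per chunk */

static uint32_t *hdr_at(size_t off) { return (uint32_t *)(arena + off); }

void toy_reset(void)
{
    memset(arena, 0, sizeof arena);
    memset(oob_size, 0, sizeof oob_size);
    top = 0;
}

/* Request plus header rounded up to the grain: 12 -> 16, 15 -> 32. */
static uint32_t chunk_size(size_t n)
{
    return (uint32_t)((n + HDR + GRAIN - 1) / GRAIN * GRAIN);
}

void *toy_malloc(size_t n)
{
    uint32_t need = chunk_size(n);
    size_t off = 0;
    while (off < top) {                           /* first fit over existing chunks */
        uint32_t h = *hdr_at(off), sz = h & ~1u;
        if (sz < GRAIN || sz % GRAIN || off + sz > top)
            break;                                /* header is garbage: stop walking */
        if (!(h & 1) && sz >= need) {             /* free and big enough: reuse whole */
            *hdr_at(off) = sz | 1;
            return arena + off + HDR;
        }
        off += sz;
    }
    if (top + need > ARENA_SIZE)
        return NULL;
    *hdr_at(top) = need | 1;                      /* in-band header, as the post assumes */
    oob_size[top / GRAIN] = need;                 /* out-of-band copy, away from user data */
    top += need;
    return arena + (top - need) + HDR;
}

/* Naive free: believes whatever the in-band header says. */
void toy_free(void *p)
{
    uint32_t *h = (uint32_t *)((unsigned char *)p - HDR);
    *h &= ~1u;
}

/* Hardened free: refuses unless the header agrees with the out-of-band
 * record. Returns 0 on success, -1 when the chunk is rejected. */
int toy_free_checked(void *p)
{
    size_t off = (size_t)((unsigned char *)p - HDR - arena);
    uint32_t *h;
    if (off % GRAIN || off >= top)
        return -1;
    h = hdr_at(off);
    if (!(*h & 1) || (*h & ~1u) != oob_size[off / GRAIN])
        return -1;
    *h &= ~1u;
    return 0;
}

/* Replays the post's experiment: four 12-byte blocks, overwrite the first
 * header so it claims all four (64 bytes plus the in-use bit), free it, then
 * malloc(15). Returns how many of the three still-live blocks the new
 * allocation overlaps: 3 with the naive free, 0 when the checked free rejects. */
int replay_experiment(int checked)
{
    char *p1, *p2, *p3, *p4, *q;
    uint32_t span;
    int overlaps = 0;

    toy_reset();
    p1 = toy_malloc(12);
    p2 = toy_malloc(12);
    p3 = toy_malloc(12);
    p4 = toy_malloc(12);
    *(uint32_t *)(p1 - HDR) = (4 * GRAIN) | 1;    /* the post wrote 49 for its 48-byte model */

    if (checked) {
        if (toy_free_checked(p1) != 0)
            printf("checked free rejected the corrupted header\n");
    } else {
        toy_free(p1);
    }

    q = toy_malloc(15);
    span = *(uint32_t *)(q - HDR) & ~1u;          /* bytes the new chunk believes it owns */
    overlaps += (p2 >= q - HDR && p2 < q - HDR + span);
    overlaps += (p3 >= q - HDR && p3 < q - HDR + span);
    overlaps += (p4 >= q - HDR && p4 < q - HDR + span);
    return overlaps;
}

int main(void)
{
    printf("naive free:   new block overlaps %d live blocks\n", replay_experiment(0));
    printf("checked free: new block overlaps %d live blocks\n", replay_experiment(1));
    return 0;
}
```

On the toy heap the naive path does exactly what the post expected: the corrupted header makes free() mark 64 bytes as available, and the next malloc(15) hands back ptr1's address with a chunk that covers the three blocks still in use. The checked path shows the property that real allocators get from keeping size information out of band: a header that user data can reach is not the only copy, so a mismatch is caught and nothing is freed.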