c: 将 malloc 的数组元素设置为 NULL(无效写入)
c: set malloc'd array element to NULL (invalid write)
我正在使用并行进程,在我的代码的一部分中,我想分叉一个新进程,该进程使用略有不同的参数调用同一程序。例如,如果用户最初调用“./prog arg1 arg2 arg3”,我想分叉一个执行“./prog -n 1 arg2 arg3”的新进程,然后该程序将分叉并执行“./prog - n 2 arg3。”我能想到的唯一方法是使用 execv(),但我 运行 遇到了问题,因为 execv 要求传递给它的 argv[] 数组中的最后一个元素为 NULL。下面是我的代码,我将 post 下面的 valgrind 输出。
//fork an additional process: ./prog -n (i+1) args...
// could accomplish by execv("./prog", paramlist), where paramlist is
// the same as -n (i+1) and then argv, skipping argv[1]
//create new paramlist
char **params = malloc(sizeof(char*) * argc + 2 );
sprintf(numbuf, "%d", i+1);
//./prog -n (i+1) argv[2:argc-1]
params[0] = argv[0];
params[1] = "-n";
params[2] = numbuf;
for(int i = 2; i<argc; i++){ //skip argv[0] bc we already assigned it
params[i+1] = argv[i]; //skip argv[1] because we just worked on it
}
params[argc+1] = NULL; //list must be null terminated
pid3 = fork();
if(0 == pid3){
execv("./prog", params);
exit(-1);
} //no waitpid here, because we'd like this process to continue on its own
params[argc+1] = ""; //avoid invalid free
free(params);
当我运行这个代码正常时,我得到以下错误:
*** Error in `./prog': free(): invalid next size (fast): 0x0000000001ac3830 ***
Valgrind 告诉我这个:
==28067== Memcheck, a memory error detector
==28067== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28067== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28067== Command: ./prog ./photos/photo1.jpg
==28067==
=====Displaying photo 0 (be patient.. XQuartz sucks)
Enter degrees to rotate image(0,90,180,270): 90
Enter a caption > thumb
==28067== Invalid write of size 8
==28067== at 0x400C58: main (in /usr/prog)
==28067== Address 0x51fa8d0 is 16 bytes inside a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28067== Invalid write of size 8
==28067== at 0x400CC3: main (in /usr/prog)
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28067== Invalid write of size 8
==28067== at 0x400D0E: main (in /usr/prog)
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28071== Syscall param execve(argv) points to unaddressable byte(s)
==28071== at 0x4F00CF7: execve (in /usr/lib64/libc-2.23.so)
==28071== by 0x400CE8: main (in /usr/prog)
==28071== Address 0x51fa8d2 is 0 bytes after a block of size 18 alloc'd
==28071== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28071== by 0x400C05: main (in /usr/prog)
==28071==
==28067==
==28067== HEAP SUMMARY:
==28067== in use at exit: 0 bytes in 0 blocks
==28067== total heap usage: 5 allocs, 5 frees, 1,051,194 bytes allocated
==28067==
==28067== All heap blocks were freed -- no leaks are possible
==28067==
==28067== For counts of detected and suppressed errors, rerun with: -v
==28067== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
有趣的是,如果我注释掉 'free(params)' 行,则会出现分段错误,发生在它之前的行 'params[argc+1] = "";' 上。为什么会这样?
char **params = malloc(sizeof(char*) * argc + 2 );
应该是
char **params = malloc(sizeof(char*) * (argc + 2) );
我正在使用并行进程,在我的代码的一部分中,我想分叉一个新进程,该进程使用略有不同的参数调用同一程序。例如,如果用户最初调用“./prog arg1 arg2 arg3”,我想分叉一个执行“./prog -n 1 arg2 arg3”的新进程,然后该程序将分叉并执行“./prog - n 2 arg3。”我能想到的唯一方法是使用 execv(),但我 运行 遇到了问题,因为 execv 要求传递给它的 argv[] 数组中的最后一个元素为 NULL。下面是我的代码,我将 post 下面的 valgrind 输出。
//fork an additional process: ./prog -n (i+1) args...
// could accomplish by execv("./prog", paramlist), where paramlist is
// the same as -n (i+1) and then argv, skipping argv[1]
//create new paramlist
char **params = malloc(sizeof(char*) * argc + 2 );
sprintf(numbuf, "%d", i+1);
//./prog -n (i+1) argv[2:argc-1]
params[0] = argv[0];
params[1] = "-n";
params[2] = numbuf;
for(int i = 2; i<argc; i++){ //skip argv[0] bc we already assigned it
params[i+1] = argv[i]; //skip argv[1] because we just worked on it
}
params[argc+1] = NULL; //list must be null terminated
pid3 = fork();
if(0 == pid3){
execv("./prog", params);
exit(-1);
} //no waitpid here, because we'd like this process to continue on its own
params[argc+1] = ""; //avoid invalid free
free(params);
当我运行这个代码正常时,我得到以下错误:
*** Error in `./prog': free(): invalid next size (fast): 0x0000000001ac3830 ***
Valgrind 告诉我这个:
==28067== Memcheck, a memory error detector
==28067== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28067== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28067== Command: ./prog ./photos/photo1.jpg
==28067==
=====Displaying photo 0 (be patient.. XQuartz sucks)
Enter degrees to rotate image(0,90,180,270): 90
Enter a caption > thumb
==28067== Invalid write of size 8
==28067== at 0x400C58: main (in /usr/prog)
==28067== Address 0x51fa8d0 is 16 bytes inside a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28067== Invalid write of size 8
==28067== at 0x400CC3: main (in /usr/prog)
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28067== Invalid write of size 8
==28067== at 0x400D0E: main (in /usr/prog)
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28067== by 0x400C05: main (in /usr/prog)
==28067==
==28071== Syscall param execve(argv) points to unaddressable byte(s)
==28071== at 0x4F00CF7: execve (in /usr/lib64/libc-2.23.so)
==28071== by 0x400CE8: main (in /usr/prog)
==28071== Address 0x51fa8d2 is 0 bytes after a block of size 18 alloc'd
==28071== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==28071== by 0x400C05: main (in /usr/prog)
==28071==
==28067==
==28067== HEAP SUMMARY:
==28067== in use at exit: 0 bytes in 0 blocks
==28067== total heap usage: 5 allocs, 5 frees, 1,051,194 bytes allocated
==28067==
==28067== All heap blocks were freed -- no leaks are possible
==28067==
==28067== For counts of detected and suppressed errors, rerun with: -v
==28067== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
有趣的是,如果我注释掉 'free(params)' 行,则会出现分段错误,发生在它之前的行 'params[argc+1] = "";' 上。为什么会这样?
char **params = malloc(sizeof(char*) * argc + 2 );
应该是
char **params = malloc(sizeof(char*) * (argc + 2) );