We Keep Coding

Heap corruption when using delete

I have a MultiString class that has some methods in it.
I am strugling with deleting my array of strings in the destructor, I get heap corruption.
Here is my class (some methods are cut)
class MultiString {
public:
//constructor destructor
MultiString(int);
~MultiString();
//methods
void Setat(int nindex, const char* str);
//attributes
char** buf;//pointer to vector
int str_nmb;//strings number
};
Constructor code:
MultiString::MultiString(int number)
{
str_nmb = number;
buf = new char* [number];
for (int i = 0; i < number; i++) buf[i] = NULL;
}
Setat code (used to set strings in array):
void MultiString::Setat(int nindex, const char* str)
{
if (nindex<0 || nindex>str_nmb || str == NULL) {
std::cout << "gg";
return;
}
char* tmp = new char[strlen(str)+1];
if (tmp == NULL) return;
if (buf[nindex] != NULL) delete buf[nindex]; //here delete works fine
buf[nindex] = tmp;
strcpy_s(buf[nindex], strlen(buf[nindex]), str);
std::cout << buf[nindex]<< std::endl;
}
Destructor code:
MultiString::~MultiString()
{
for (int i = 0; i < str_nmb; i++)
delete buf[i]; // heap corruption here
delete buf;
}
And my main():
int main()
{
MultiString* ms = new MultiString(3);
ms->etat(0, "qwerty");
ms->Setat(1, "asdfgh");
ms->Setat(2, "zxcvbn");
delete ms;
return 0;
}

char* tmp = new char[strlen(str)+1];
// ...
buf[nindex] = tmp;
strcpy_s(buf[nindex], strlen(buf[nindex]), str);
buf[nindex] points to the freshly allocated, but uninitialized memory area. Calling strlen on that is undefined behavior and likely what corrupts your heap. You probably want to call strlen(str) instead.
Apart from that you're making a few other mistakes:
Rule of 0/3/5 broken.
delete where delete[] would be necessary
Wrong bounds check (nindex>str_nmb)
What about Multistring(-5) ?
if (tmp == NULL) return; ... no, you shouldn't mute errors. Throw an exception or something.
Also .. why strcpy_s ? Use std::strncpy ... that's at least guaranteed to be available! Make sure the copied C string is null terminated!

Exception thrown: write access violation. this was nullptr

So I am trying to make a buffer class. This buffer class contains a huge buffer of size 384*4. The plan was for every UDP datagram received, size(384), the buffer class is called and return a pointer to where the datagram should be written.
And there will be another listener pointer to which RtAudio playback will memcpy from. [The listening part is not entirely relevant yet as I still have a problem writing into the buffer]
When I try to call server_->getPointer() (shown below), the "Exception thrown: write access violation. this was nullptr." is thrown. Please help me!! and tell me if there is anything else that I should provide.
Buffer.h
#pragma once
#ifndef BUFFER_H
#define BUFFER_H
class Buffer {
private:
int bufferSize = 192 * 2; // one frame takes 2 Byte [int16]
int nBuffers = 4;
int *buffer_ = nullptr;
int* writerPointer = nullptr;
int* listenerPointer = nullptr;
int writerCounter = 0;
int listenerCounter = 0;
int* tempW = nullptr;
int* tempL = nullptr;
public:
Buffer();
~Buffer();
int* getWriterPointer();
int* getlistenerPointer();
int * getPointer();
};
#endif // !BUFFER_H
Buffer.cpp
#include"Buffer.h"
#include <iostream>
Buffer::Buffer() {
buffer_ = reinterpret_cast<int*>(malloc(bufferSize*nBuffers));
memset(buffer_, (int)5, bufferSize*nBuffers);
std::cout << "new Buffer" << bufferSize * nBuffers << std::endl;
listenerPointer = buffer_;
writerPointer = buffer_;
std::cout << "HERE " << *buffer_ << std::endl;
std::cout << "new Buffer" << bufferSize * nBuffers << " pointer a " << listenerPointer << " pointer b " << writerPointer << std::endl;
}
Buffer::~Buffer() {
delete buffer_;
}
...
//For teting purposes
int* Buffer::getPointer(){
bufferSize = 192 * 2;
std::cout << "get pointer asdfasdf::" << writerCounter << std::endl;
std::cout << "pointer's position offset: " << writerCounter - 1 << std::endl;
if (writerCounter == nBuffers - 1) {
writerCounter = 0;
return writerPointer + (bufferSize*(nBuffers - 1));
}
else {
writerCounter += 1;
return writerPointer + (bufferSize*(writerCounter - 1));
}
}
main.cpp
#include <iostream>
#include "Buffer.h"
int main()
{
std::cout << "Hello World!\n";
Buffer *buffer_ = new Buffer();
buffer_->getPointer();
}

Look up "zero copying" for the protocol part.
The problem you have is that your pointer is actually a nullptr at the time you are trying to use it. You need to check the return from malloc:
Buffer::Buffer() :
buffer_(reinterpret_cast<int*>(malloc(bufferSize*nBuffers)))
{
if(buffer_ == nullptr) throw std::bad_alloc();
}
But, you should use new instead which would do this check and throw bad_alloc automatically if it fails:
Buffer::Buffer() :
buffer_(new int[bufferSize*nBuffers])
{
// no need to check here
}
For every malloc you need one free, and for every new you need one delete - and you should never mix them.
Also, malloc allocates bytes, but an int is usually 4 or 8 bytes so you'd need to multiply the number of ints you want to allocate space for with sizeof(int)*CHAR_BIT/8 to get the correct size.
Just forget about malloc and free and use new and delete in their place.
This is how you delete your array allocated with new int[...]:
Buffer::~Buffer() {
delete[] buffer_; // delete array
}
An even better option is to use a std::unique_ptr which will do the delete[] for you when it goes out of scope:
class Buffer {
private:
std::unique_ptr<int[]> buffer_;
public:
Buffer() :
buffer_(std::make_unique<int[]>(bufferSize * nBuffers))
{}
// ~Buffer() no need to implement a destructor unless you manually handle resources
};

Char* data changes when accessed

I am working on a c++ application that has a function
//ControllerCore.cpp
Report ControllerCore::GetReport() {
unsigned char buf[256];
int res = 0;
while (res == 0) {
res = get_unsigned_char*(buf, sizeof(buf));
if (res < 0)
printf("Unable to read()\n");
#ifdef WIN32
Sleep(50);
#else
usleep(50 * 1000);
#endif
}
Report report = Report();
report.data = buf;
report.dataLength = res;
return report;
}
Report is defined as
//Report.h
struct Report
{
public:
unsigned char* data;
int dataLength;
};
When ContollerCore::GetReport() returns it assigns report.data to the pointer to an array of unsigned characters that I can work with fine. But when the caller tries to print report.data the values of the array change.
//Main.cpp
int RequestReport() {
Report report = core.GetReport();
for (int i = 0; i < report.dataLength; i++) {
std::cout << "0x" << std::hex << (int)report.data[i] << ", ";
}
std::cout << std::endl;
return 1;
}

You're returning a pointer to a local array. As soon as ControlerCore::GetReport returns, buf goes out of scope and is destroyed. Any attempt to access it after that leads to undefined behavior.
You need make Report actually hold the data directly. The easiest way would be to use a std::vector:
struct Report
{
std::vector<unsigned char> data;
// don't need dataLength anymore since std::vector knows its size
};
Report ControllerCore::GetReport() {
Report report;
report.data.resize(256);
int res = 0;
while (res == 0) {
res = get_data(report.data.data(), report.data.size());
}
report.data.resize(res);
return report;
}
Now that Report has only one member it probably isn't needed anymore, and you could just return std::vector<unsigned char> directly instead.
If you want to avoid the dynamic allocation used by std::vector, you could use std::array (or a raw array) instead:
struct Report
{
std::array<unsigned char, 256> data;
size_t dataLength; // back now, since the length of the data won't match the size of the contianer
};
Report ControllerCore::GetReport() {
Report report;
int res = 0;
while (res == 0) {
res = get_data(report.data.data(), report.data.size());
}
report.dataLength = res;
return report;
}
This avoids the dynamic allocation, but does incur an extra copy of the data since std::array can't be efficiently moved like std::vector can. That means that unless dynamic allocation is especially slow on your platform, the std::vector version is probably going to be faster.

You can try using report.data itself instead of buf.
Report ControllerCore::GetReport() {
Report report;
report.data=new char[256];
int res = 0;
while (res == 0) {
res = get_unsigned_char*(report.data, sizeof(char)*256);
if (res < 0)
printf("Unable to read()\n");
#ifdef WIN32
Sleep(50);
#else
usleep(50 * 1000);
#endif
}
report.dataLength = res;
return report;
}

Memory leak error?

For a simple assignment to do with dynamic memory and copy constructors, my prof has assigned us a simple assignment, but I get an error during the second time my delete [] happens.
header file:
class Stream {
int len;
char *hold;
char* newmem(int);
public:
Stream ();
Stream (int);
Stream(const char *);
~Stream ( );
void operator=(const Stream &);
Stream(const Stream &);
friend void show(Stream);
void operator<<(const char*);
};
it should be fairly simple. here is my code:
#include <iostream>
#include <new>
#include <cstring>
using namespace std;
#include "stream.h"
char* Stream::newmem(int x) {
char * tmp;
try {
tmp = new char[x];
}
catch(std::bad_alloc) {
tmp = NULL;
}
if(tmp)
cout << "newmem: " << (void *) tmp << endl;
return tmp;
}
Stream::Stream ( ) {
len = 1000;
hold = newmem(len);
if (hold)
strcpy (hold, "");
}
Stream::Stream(int n) {
len = n;
hold = newmem(len);
if (hold)
strcpy (hold,"");
}
Stream::Stream(const char * dat) {
len = strlen(dat) +1;
hold = newmem(len);
if (hold)
strcpy(hold,dat);
}
Stream::Stream(const Stream &from) {
cout << "in the copy constructor, allocating new memory..." << endl;
cout << "original pointer address is: " << (void *) from.hold << endl;
cin.get( );
len=from.len;
hold=newmem(len +1);
cout << "new pointer address is: " << (void *) hold << endl;
cin.get( );
if(hold)
strcpy (hold,from.hold);
}
Stream::~Stream ( ) {
cout << "destruct: " << (void *) hold << endl;
cin.get( );
if (hold)
delete [] hold;
}
void Stream::operator= (const Stream &from) {
if(hold)
delete [ ] hold;
len = from.len;
hold=newmem(len +1);
if (hold)
strcpy(hold,from.hold);
}
void show (Stream prt) {
cout << "String is: " << prt.hold << endl << "Length is: " << prt.len << endl;
}
void Stream::operator<< (const char *data) {
int dlen = strlen(data);
for (int i=0 ; i<=len && i<=dlen ; i++) {
hold[i] = data[i];
}
}
int main( ) {
char data[ ] = "Growing up it all seems so one-sided;"
"Opinions all provided;"
"The future pre-decided;"
"Detached and subdivided;"
"In the mass production zone!"
"-Neil Peart- \"Subdivisions\"";
Stream x1, x2(25), x3;
x1 << data;
x2 << data;
show(x1);
show(x2);
x3 = x2;
show(x3);
return 0;
}
and my output / error:
in the copy constructor, allocating new memory...
original pointer address is: 0x804c008
new pointer address is: 0x804c808
String is: Growing up it all seems so one-sided;Opinions all provided;The future pre-decided;Detached and subdivided;In the mass production zone!-Neil Peart-Subdivisions"
Length is: 1000
destruct: 0x804c808
in the copy constructor, allocating new memory...
original pointer address is: 0x804c3f8
new pointer address is: 0x804c808
String is: Growing up it all seems so
Length is: 25
destruct: 0x804c808
*** glibc detected *** a.out: free(): invalid pointer: 0x0804c808 ***

The for loop in the operator<< has two off-by-one errors:
for (int i=0 ; i<=len
allows i==len, but the only valid indices of hold are 0..(len-1). So, you can write one off the end.
Secondly, as thiton pointed out, it doesn't copy the \0 terminator even if there is space.
A correct implementation might look like:
void Stream::operator<< (const char *data) {
int source_len = strlen(data);
int copy_len = min(source_len, len-1); // allow for terminator
for (int i=0; i<copy_len; i++) {
hold[i] = data[i];
}
hold[copy_len] = '\0';
}
although it'd be better practise to simply use strncpy.
Note that the idiom of using half-open (or one-past-the-end) ranges is standard not only in direct array indexing, but also with C++ iterators. So, you should always expect to see
for (i=0; i<n; ++i) {
or
for (i = begin; i != end; ++i) {
and should generally treat closed-range loops like yours as a smell that warrants further investigation.

First a little self-help advice: The most important tool for catching memory access errors is valgrind. Run it on your program, and you'll get a warning every time you try to access unallocated or uninitialized memory. It's no substitute for knowledge, but the next best thing.
While I get different output than you get, errors seem to interact here:
The operator<< has an off-by-one error in the range check. It writes one byte too much (hold[len]).
operator<< does never write the terminating null byte. Both errors are invoked by x2 << data.
When the copy constructor tries to copy the string from x2, strcpy finds no terminating null byte and both reads right off the end of x2.hold and writes past the end of x3.hold. The latter has the potential for unbounded corruption and probably caused your error.
Whenever you deal with C strings, make very, very sure to get termination right. The fixed version is:
void Stream::operator<< (const char *data) {
int dlen = strlen(data);
hold[len-1] = 0;
for (int i=0 ; i < len-1 && i <= dlen ; i++) {
hold[i] = data[i];
}
}
Or, using the std library:
void Stream::operator<< (const char *data) {
strncpy(hold, data, len);
hold[len-1] = 0;
}

Critique my non-intrusive heap debugger

This is a follow-up to Critique my heap debugger from yesterday. As suggested by bitc, I now keep metadata about the allocated blocks in a separate handwritten hashtable.
The heap debugger now detects the following kinds of errors:
memory leaks (now with more verbose debugging output)
illegal pointers passed to delete (that also takes care of double deletes)
wrong form of delete (array vs. non-array)
buffer overflows
buffer underflows
Feel free to discuss and thanks in advance!
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>
namespace
{
// I don't want to #include <algorithm> for a single function template :)
template <typename T>
void my_swap(T& x, T& y)
{
T z(x);
x = y;
y = z;
}
typedef unsigned char byte;
const byte CANARY[] = {0x5A, 0xFE, 0x6A, 0x8D,
0x5A, 0xFE, 0x6A, 0x8D,
0x5A, 0xFE, 0x6A, 0x8D,
0x5A, 0xFE, 0x6A, 0x8D};
bool canary_dead(const byte* cage)
{
bool dead = memcmp(cage, CANARY, sizeof CANARY);
if (dead)
{
for (size_t i = 0; i < sizeof CANARY; ++i)
{
byte b = cage[i];
printf(b == CANARY[i] ? "__ " : "%2X ", b);
}
putchar('\n');
}
return dead;
}
enum kind_of_memory {AVAILABLE, TOMBSTONE, NON_ARRAY_MEMORY, ARRAY_MEMORY};
const char* kind_string[] = {0, 0, "non-array memory", " array memory"};
struct metadata
{
byte* address;
size_t size;
kind_of_memory kind;
bool in_use() const
{
return kind & 2;
}
void print() const
{
printf("%s at %p (%d bytes)\n", kind_string[kind], address, size);
}
bool must_keep_searching_for(void* address)
{
return kind == TOMBSTONE || (in_use() && address != this->address);
}
bool canaries_alive() const
{
bool alive = true;
if (canary_dead(address - sizeof CANARY))
{
printf("ERROR: buffer underflow at %p\n", address);
alive = false;
}
if (canary_dead(address + size))
{
printf("ERROR: buffer overflow at %p\n", address);
alive = false;
}
return alive;
}
};
const size_t MINIMUM_CAPACITY = 11;
class hashtable
{
metadata* data;
size_t used;
size_t capacity;
size_t tombstones;
public:
size_t size() const
{
return used - tombstones;
}
void print() const
{
for (size_t i = 0; i < capacity; ++i)
{
if (data[i].in_use())
{
printf(":( leaked ");
data[i].print();
}
}
}
hashtable()
{
used = 0;
capacity = MINIMUM_CAPACITY;
data = static_cast<metadata*>(calloc(capacity, sizeof(metadata)));
tombstones = 0;
}
~hashtable()
{
free(data);
}
hashtable(const hashtable& that)
{
used = 0;
capacity = 3 * that.size() | 1;
if (capacity < MINIMUM_CAPACITY) capacity = MINIMUM_CAPACITY;
data = static_cast<metadata*>(calloc(capacity, sizeof(metadata)));
tombstones = 0;
for (size_t i = 0; i < that.capacity; ++i)
{
if (that.data[i].in_use())
{
insert_unsafe(that.data[i]);
}
}
}
hashtable& operator=(hashtable copy)
{
swap(copy);
return *this;
}
void swap(hashtable& that)
{
my_swap(data, that.data);
my_swap(used, that.used);
my_swap(capacity, that.capacity);
my_swap(tombstones, that.tombstones);
}
void insert_unsafe(const metadata& x)
{
*find(x.address) = x;
++used;
}
void insert(const metadata& x)
{
if (2 * used >= capacity)
{
hashtable copy(*this);
swap(copy);
}
insert_unsafe(x);
}
metadata* find(void* address)
{
size_t index = reinterpret_cast<size_t>(address) % capacity;
while (data[index].must_keep_searching_for(address))
{
++index;
if (index == capacity) index = 0;
}
return &data[index];
}
void erase(metadata* it)
{
it->kind = TOMBSTONE;
++tombstones;
}
} the_hashset;
struct heap_debugger
{
heap_debugger()
{
puts("heap debugger started");
}
~heap_debugger()
{
the_hashset.print();
puts("heap debugger shutting down");
}
} the_heap_debugger;
void* allocate(size_t size, kind_of_memory kind) throw (std::bad_alloc)
{
byte* raw = static_cast<byte*>(malloc(size + 2 * sizeof CANARY));
if (raw == 0) throw std::bad_alloc();
memcpy(raw, CANARY, sizeof CANARY);
byte* payload = raw + sizeof CANARY;
memcpy(payload + size, CANARY, sizeof CANARY);
metadata md = {payload, size, kind};
the_hashset.insert(md);
printf("allocated ");
md.print();
return payload;
}
void release(void* payload, kind_of_memory kind) throw ()
{
if (payload == 0) return;
metadata* p = the_hashset.find(payload);
if (!p->in_use())
{
printf("ERROR: no dynamic memory at %p\n", payload);
}
else if (p->kind != kind)
{
printf("ERROR:wrong form of delete at %p\n", payload);
}
else if (p->canaries_alive())
{
printf("releasing ");
p->print();
free(static_cast<byte*>(payload) - sizeof CANARY);
the_hashset.erase(p);
}
}
}
void* operator new(size_t size) throw (std::bad_alloc)
{
return allocate(size, NON_ARRAY_MEMORY);
}
void* operator new[](size_t size) throw (std::bad_alloc)
{
return allocate(size, ARRAY_MEMORY);
}
void operator delete(void* payload) throw ()
{
release(payload, NON_ARRAY_MEMORY);
}
void operator delete[](void* payload) throw ()
{
release(payload, ARRAY_MEMORY);
}
int main()
{
int* p = new int[1];
delete p; // wrong form of delete
delete[] p; // ok
delete p; // no dynamic memory (double delete)
p = new int[1];
p[-1] = 0xcafebabe;
p[+1] = 0x12345678;
delete[] p; // underflow and overflow prevent release
// p is not released, hence leak
}

Very nice, indeed. Your canaries could actually reveal some real cases of overflow/underflow (though not all of them as Matthieu pointed out).
What more. You might run into some problems with a multi-threaded application. Perhaps protect the hashtable from concurrent access?
Now that you log every allocation and deallocation, you can (if you like) provide more information about the program being tested. It might be interesting to know the total and average number of allocations at any given time? The total, max, min and average bytes allocated, and the average lifespan of allocations.
If you want to compare different threads, at least with Pthreads you can identify them with pthread_self(). This heap debugger could become a quite useful analysis tool.

Are you using a very weak malloc that doesn't already have this sort of stuff built into it? Because if it's there, you are doubling the overhead for little gain. Also, this kind of system really hurts when doing small object allocation or is ineffective with them as people do 1 alloc and manage the memory themselves.
As far as the code is concerned, it looks like it will do what you say it will do and it looks well designed and is easy to read. But, if you are going to go through the trouble of doing this though, why not catch your buffer over/under flows at the source by using managed containers/pointers/operator[] thingies. That way, you can debug on the spot of the failure instead of finding out at free that something evil has occured.
There are efficiencies to be had that I'm sure others will find, but these are just some thoughts off the top of my head after looking over your code for a few minutes.

I wonder about the detection of underflows / overflows.
I mean, if I have a 10 elements arrays, then it seems you'll detect if I write at -1 and 10, but what if I write at 20 ? Underflow or Overflow are not necessarily done as part of a buffer overrun (contiguous).
Furthermore, what's the point of preventing release of the block ? This block is (relatively) fine, it's the neighbors you've (unfortunately) corrupted.
Anyway, it seems pretty fine to me, though I would probably have more than one return per function because there's no point in Single Exit. You seem more of a C programmer than a C++ one :)