Presentation is loading. Please wait.

Presentation is loading. Please wait.

Memory-Related Perils and Pitfalls in C

Published byCecil York Modified over 7 years ago

Similar presentations

Presentation on theme: "Memory-Related Perils and Pitfalls in C"— Presentation transcript:

1 Memory-Related Perils and Pitfalls in C
!!! Memory-Related Perils and Pitfalls in C Dereferencing bad pointers Reading uninitialized memory Overwriting memory Referencing nonexistent variables Freeing blocks multiple times Referencing freed blocks Failing to free blocks

2 Dereferencing Bad Pointers
The classic scanf bug int val; ... scanf(“%d”, val); Fix: should be &val, not val.

3 Dereferencing Bad Pointers
The classic scanf bug Will cause scanf to interpret contents of val as an address! Best case: program terminates immediately due to segmentation fault Worst case: contents of val correspond to some valid read/write area of virtual memory, causing scanf to overwrite that memory, with disastrous and baffling consequences much later in program execution int val; ... scanf(“%d”, val); Fix: should be &val, not val.

4 Reading Uninitialized Memory
Assuming that heap data is initialized to zero /* return y = Ax */ int *matvec(int **A, int *x) { int *y = (int *)malloc( N * sizeof(int) ); int i, j; for (i=0; i<N; i++) { for (j=0; j<N; j++) { y[i] += A[i][j] * x[j]; } return y; Fix: explicitly zero y[i], or use calloc().

5 Overwriting Memory Allocating the (possibly) wrong sized object
int **p; p = (int **)malloc( N * sizeof(int) ); for (i=0; i<N; i++) { p[i] = (int *)malloc( M * sizeof(int) ); } Fix: p = malloc(N * sizeof(int *)).

6 Overwriting Memory Off-by-one error int **p;
p = (int **)malloc( N * sizeof(int *) ); for (i=0; i<=N; i++) { p[i] = (int *)malloc( M * sizeof(int) ); } Fix: i < N, rather than i <= N.

7 Overwriting Memory Not checking the max string size
Basis for classic buffer overflow attacks Your lab assignment #3 char s[8]; int i; gets(s); /* reads “ ” from stdin */ Fix: use fgets().

8 Overwriting Memory Misunderstanding pointer arithmetic
int *search(int *p, int val) { while (p && *p != val) p += sizeof(int); return p; } Fix: should be p++.

9 Overwriting Memory Referencing a pointer instead of the object it points to ‘--’ and ‘*’ operators have same precedence and associate from right-to-left, so -- happens first! int *getPacket(int **packets, int *size) { int *packet; packet = packets[0]; packets[0] = packets[*size - 1]; *size--; // what is happening here? reorderPackets(packets, *size); return(packet); } Fix: should be (*size)--. gcc will raise a warning for this line of code only if -Wall is used: gcc -Wall lecture22.c lecture22.c: In function ‘getPacket’: lecture22.c:5:2: warning: value computed is not used [-Wunused-value]

10 Referencing Nonexistent Variables
Forgetting that local variables disappear when a function returns int *foo () { int val; return &val; } Fix: allocate val dynamically, rather than as a local variable.

11 Freeing Blocks Multiple Times
Nasty! x = (int *)malloc( N * sizeof(int) ); <manipulate x> free(x); ... y = (int *)malloc( M * sizeof(int) ); <manipulate y> Fix: free(x) just once. Difficult to diagnose / resolve because free() itself doesn’t (can’t) return any errors – errors are only encountered later on!

12 Freeing Blocks Multiple Times
Nasty! What does the free list look like? x = (int *)malloc( N * sizeof(int) ); <manipulate x> free(x); ... y = (int *)malloc( M * sizeof(int) ); <manipulate y> Fix: free(x) just once. Difficult to diagnose / resolve because free() itself doesn’t (can’t) return any errors – errors are only encountered later on! x = (int *)malloc( N * sizeof(int) ); <manipulate x> free(x);

13 Referencing Freed Blocks
Evil! x = (int *)malloc( N * sizeof(int) ); <manipulate x> free(x); ... y = (int *)malloc( M * sizeof(int) ); for (i=0; i<M; i++) y[i] = x[i]++; Fix: free(x) after the for loop…

14 Failing to Free Blocks (Memory Leaks)
Slow, silent, long-term killer! foo() { int *x = (int *)malloc(N*sizeof(int)); ... return; } Fix: free(x) before returning.

15 Failing to Free Blocks (Memory Leaks)
Freeing only part of a data structure struct list { int val; struct list *next; }; foo() { struct list *head = (struct list *)malloc( sizeof(struct list) ); head->val = 0; head->next = NULL; <create and manipulate the rest of the list> ... free(head); return; } Fix: save next = head->next before free(head), then free next (and all other nodes following it) too…

16 Dealing With Memory Bugs
Conventional debugger (gdb) Good for finding bad pointer dereferences Hard to detect the other memory bugs Debugging malloc (UToronto CSRI malloc) Wrapper around conventional malloc Detects memory bugs at malloc and free boundaries Memory overwrites that corrupt heap structures Some instances of freeing blocks multiple times Memory leaks Cannot detect all memory bugs Overwrites into the middle of allocated blocks Freeing block twice that has been reallocated in the interim Referencing freed blocks

17 Dealing With Memory Bugs (cont.)
Some malloc implementations contain checking code Linux glibc malloc: setenv MALLOC_CHECK_ 2 FreeBSD: setenv MALLOC_OPTIONS AJR Binary translator: valgrind (Linux), Purify Powerful debugging and analysis technique Rewrites text section of executable object file Can detect all errors as debugging malloc Can also check each individual reference at runtime Bad pointers Overwriting Referencing outside of allocated block

18 What about Java or ML or Python or …?
In memory-safe languages, most of these bugs are impossible. Cannot perform arbitrary pointer manipulation Cannot get around the type system Array bounds checking, null pointer checking Automatic memory management But one of the bugs we saw earlier is possible. Which one?

19 Memory Leaks with GC not because of forgotten free() -- we have GC!
unneeded “leftover” roots keep objects reachable Sometimes nullifying a variable is not needed for correctness but is for performance. Bigger issue with reference counting GC. Root nodes Heap nodes reachable Not-reachable (garbage)

Download ppt "Memory-Related Perils and Pitfalls in C"

Similar presentations

Instructors: Seth Copen Goldstein, Franz Franchetti, Greg Kesden

Instructors: Seth Copen Goldstein, Franz Franchetti, Greg Kesden
CSCI 171 Presentation 11 Pointers. Pointer Basics.

CSCI 171 Presentation 11 Pointers. Pointer Basics.
Some topics in Memory Management

Some topics in Memory Management
1 Dynamic Memory Allocation: Advanced Concepts Andrew Case Slides adapted from Jinyang Li, Randy Bryant and Dave O’Hallaron Joke of the day: Why did the.

1 Dynamic Memory Allocation: Advanced Concepts Andrew Case Slides adapted from Jinyang Li, Randy Bryant and Dave O’Hallaron Joke of the day: Why did the.
Mark and Sweep Algorithm Reference Counting Memory Related PitFalls

Mark and Sweep Algorithm Reference Counting Memory Related PitFalls
Carnegie Mellon 1 Dynamic Memory Allocation: Advanced Concepts 15-213: Introduction to Computer Systems 18 th Lecture, Oct. 26, 2010 Instructors: Randy.

Carnegie Mellon 1 Dynamic Memory Allocation: Advanced Concepts : Introduction to Computer Systems 18 th Lecture, Oct. 26, 2010 Instructors: Randy.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Today More on memory bugs Java vs C, the battle..

Today More on memory bugs Java vs C, the battle..
Dynamic Memory Allocation II Nov 7, 2002 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Memory-related perils and pitfalls.

Dynamic Memory Allocation II Nov 7, 2002 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Memory-related perils and pitfalls.
– 1 – Dynamic Memory Allocation – beyond the stack and globals Stack Easy to allocate (decrement esp) Easy to deallocate (increment esp) Automatic allocation.

– 1 – Dynamic Memory Allocation – beyond the stack and globals Stack Easy to allocate (decrement esp) Easy to deallocate (increment esp) Automatic allocation.
Dynamic Memory Allocation I May 21, 2008 Topics Simple explicit allocators Data structures Mechanisms Policies.

Dynamic Memory Allocation I May 21, 2008 Topics Simple explicit allocators Data structures Mechanisms Policies.
Pointers and Memory Allocation – part 2 -L. Grewe.

Pointers and Memory Allocation – part 2 -L. Grewe.
Dynamic Memory Allocation II November 7, 2007 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.

Dynamic Memory Allocation II November 7, 2007 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.
Dynamic Memory Allocation II March 27, 2008 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.

Dynamic Memory Allocation II March 27, 2008 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.
University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.
Debugger Presented by 李明璋 2012/05/08. The Definition of Bug –Part of the code which would result in an error, fault or malfunctioning of the program.

Debugger Presented by 李明璋 2012/05/08. The Definition of Bug –Part of the code which would result in an error, fault or malfunctioning of the program.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.

University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.
SPL – Practical Session 2 Topics: – C++ Memory Management – Pointers.

SPL – Practical Session 2 Topics: – C++ Memory Management – Pointers.

Similar presentations

Ads by Google