tags:

views:

254

answers:

3
+4  Q: 

delete[] supplied a modified new-ed pointer. Undefined Behaviour?

I saw some code as below during a peer-code-review session:

   char *s = new char[3];
   *s++ = 'a';
   *s++ = 'b';
   *s++='\0';
   delete []s; // this may or may not crash on some or any day !!

Firstly, I know that in Standard C++, pointing to one-past the array-size is O.K. though accessing it results in undefined behaviour. So I believe the last line *s++='\0' is fine. But if I recall correctly, the C++ standard mandates that delete should be supplied the same pointer that new returned. This I believe means that the returned pointer must not be tampered-with. I guess it is because new might keep some housekeeping info before the returned address that delete might use. Moving the new'd pointer might make this inaccessible.

Is it undefined behaviour or implementation-defined or unspecified? Can anyone confirm this please? Preferably by pointing to the correct place in the C++ Standard.

Thanks in advance,

EDIT-1: In the freely available draft version of the draft C++ Standard ( Draft_SC22-N-4411.pdf ) has the details in section 5.3.5. I got it from Bjarne's homepage.

+4  A: 

Yes, you must delete[] the original pointer you were given by new; in this case, that would be a pointer to the head of the array, rather than the tail. The code here is deleting some other unspecified random object.

Crashworks  2009-04-25 07:54:12
Thnx, but do you know the right place where in the C++ Standard the same is mentioned? We can then include this in our coding guidelines.
Abhay  2009-04-25 07:59:19
+15  A: 

From the C++ Standard, section 5.3.5/2:

the value of the operand of delete shall be the pointer value which resulted from a previous array new-expression. If not, the behaviour is undefined

anon  2009-04-25 07:59:03
+3  A: 

Yeah, recall how this is often implemented: new really calls malloc, which gives back a pointer to (void*)(&(((int*)p)[1])), where p is the actual start of the memory allocated, and the first int is the size of the actual memory we got back.

The pointer we get back is one sizeof(int) (or whatever alignment requires) further along in the actual memory allocated. We lay down our object there, leaving the actual size undisturbed.

Then when that pointer passed to delete, which passes it to free, free looks one int before the passed pointer, to find the size that's being given back.

Passing back something other than what we got is going to mean that free thinks an arbitrary amount of actual memory is being passed back, and it'll screw up the free list accordingly.

Again, this is how it's often implemented, not how new, delete, malloc, or free are required to be implemented.

tpdi  2009-05-01 03:21:08

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS