tags:

views:

349

answers:

4
+2  Q: 

Deleting a heap then dereferencing a pointer to that memory

This is code from an exercise:

#include <iostream>
using namespace std;

int main() {
    int n = 13;
    int* ip = new int(n + 3);
    int* ip2 = ip;
    cout << *ip << endl;
    delete ip;
    cout << *ip2 << endl;
    cout << ip << tab << ip2 << endl;
}

When the space allocated to the int on the heap is deleted, I thought that dereferencing the pointer would give some sort of memory error. Instead, it returns 0.

Why is this?

+13  A: 

Dereferencing an invalid pointer leads to undefined results per spec. It's not guaranteed to fail.

Usually (CPU/OS/compiler/... dependent), the compiler doesn't really care about it at all. It just gives what's currently at that memory address. For example, in x86 architecture, you just see an error only when the address is in a memory page that's not mapped to your process (or your process doesn't have permission to access that), thus an exception will be thrown by the CPU (protection fault) which the OS would handle appropriately (and probably, making your process fail). A trick is sometimes used to make accessing the address 0 always cause an access violation: The OS sets the read/write bits of the first page of the address space in the page table to 0 so that any access to that page will always generate an exception.

Mehrdad Afshari  2009-05-29 20:22:33
Thanks. But I think I'm missing something since no page fault is generated, BUT the dereferencing produces zero. Now if it was still pointing to the same area of memory, then you'd expect the old value to be there (assuming not over-written). I've run the program several times and pointer is not null so there's something else going on. This is gcc compiler on IA-32 arch.
bugmenot77  2009-05-29 20:48:31
bugmenot77: That's just a side note. I meant to say most C/C++ implementations don't really care and the error that you sometimes see is from OS/CPU, not the compiler. About your question, when you delete a pointer, the pointer itself is not set to zero automatically. The value of that memory location might be overwritten (you can't assume anything). Anyhow, NOTHING is guaranteed about this. You should not rely on an invalid pointer at all.
Mehrdad Afshari  2009-05-29 20:53:34
Also, it's common for debug builds to deliberately fill the memory with some values to aid debugging.
Mehrdad Afshari  2009-05-29 20:59:15
Thanks. It is the zero filling that is confusing me. I ran several iterations to see if it was ever non-zero to eliminate the overwriting scenario (didn't expect over-writes given this is a single user desktop machine with nothing else happening). What you said re: debug build makes sense. This isn't debug which is why it surprised me as if delete was overwriting with zeros, it would suggest performance implications. Anyway, it seems a mystery and perhaps only someone with knowledge of gcc, linux and x86 would know.
bugmenot77  2009-05-29 21:05:35
+4  A: 

This behaviour is undefined, and so what will happen is implementation and system dependent.

Nathaniel Flath  2009-05-29 20:23:29
+4  A: 

Dereferencing the ip pointer will return what happens to be at that memory location at that time.

It's returning 0 because that's what the four bytes at ip happen to encode to when cast as an integer.

dereferencing a pointer after it's been deleted is unpredictable. It might be zero, it might be something else if that memory has been reallocated elsewhere.

You're just lucky that it's 0 when you run your program.

Randolpho  2009-05-29 20:25:12
Or unlucky, depending on how you look at it...
Nick Presta  2009-05-29 20:26:13
@Nick Presta: True.dat
Randolpho  2009-05-29 20:28:35
A: 

Further to Mehrdads answer, In gcc with glibc, the data structures representing the memory heap are stored in the block of memory returned, to save memory (i.e. its an intrusive list). So, when a block of memory is freed, it is added to the free list. My guess is that the 0 being written following the free indicates that this is the last element of the the free block list (the first pointer sized word of deallocated memory will contain the lists next pointer).

If you were to allocate and free more memory before dereferencing this block again, the value would change when a new item is added to the end of the free list. This is one way that library implementation decisions affect what happens during 'undefined' behaviour. In this case, the glibc developers have taken advantage of the fact that this behaviour is undefined to make their memory allocator more space efficient.

If you run your program under valgrind, it will catch these errors for you. In any case, always stay away from undefined behaviour, since it is very likely to be different on various platforms and even different builds on the same platform (e.g. debug vs release).

Jon  2009-05-30 19:43:03

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS