Program crashing on free() with an invalid pointer message

Hello all,

This is my first post...I'm just starting to learn C and going through some of the beginner tutorials at cprogramming.com. The following code is giving me an error at run time

Code:

#include <stdio.h>
#include <stdlib.h>

int main() {

        int x,z;
        int *p; /* initialize a pointer to an integer */
        int *p2 = malloc(sizeof(*p2)); /* dynamic allocation of memory */

        x = 12;
        z = 29;
        p = &x;
        p2 = &z;

        printf("The value from pointer p at memory address %p is %d\n\n", p, *p);
        printf("The value from pointer p2 at memory address %p is %d\n\n", p2, *p2);

        /* release dynamic memory allocation and set pointers to 0 */
        free(p2); 
        p = 0;
        p2 = 0;

        getchar();

        return 0;
}

I don't receive any error messages when compiling with the command "gcc -Wall -o ex2 ex2.c" but when attempting to run, I get the following error message:

Code:

*** glibc detected *** ./ex2: free(): invalid pointer: 0x00007fffaa879b38 ***
======= Backtrace: =========
/lib64/libc.so.6[0x31b8877ec8]
/lib64/libc.so.6(cfree+0x76)[0x31b887a486]
./ex2[0x40061b]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x31b881e576]
./ex2[0x4004e9]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:00 5865751                            /Develop/c/practice/ex2
00600000-00601000 rw-p 00000000 fd:00 5865751                            /Develop/c/practice/ex2
00857000-00878000 rw-p 00857000 00:00 0                                  [heap]
31b8400000-31b8420000 r-xp 00000000 fd:00 8511798                        /lib64/ld-2.9.so
31b861f000-31b8620000 r--p 0001f000 fd:00 8511798                        /lib64/ld-2.9.so
31b8620000-31b8621000 rw-p 00020000 fd:00 8511798                        /lib64/ld-2.9.so
31b8800000-31b8968000 r-xp 00000000 fd:00 8511800                        /lib64/libc-2.9.so
31b8968000-31b8b68000 ---p 00168000 fd:00 8511800                        /lib64/libc-2.9.so
31b8b68000-31b8b6c000 r--p 00168000 fd:00 8511800                        /lib64/libc-2.9.so
31b8b6c000-31b8b6d000 rw-p 0016c000 fd:00 8511800                        /lib64/libc-2.9.so
31b8b6d000-31b8b72000 rw-p 31b8b6d000 00:00 0 
31c3a00000-31c3a16000 r-xp 00000000 fd:00 8511828                        /lib64/libgcc_s-4.3.2-20081105.so.1
31c3a16000-31c3c16000 ---p 00016000 fd:00 8511828                        /lib64/libgcc_s-4.3.2-20081105.so.1
31c3c16000-31c3c17000 rw-p 00016000 fd:00 8511828                        /lib64/libgcc_s-4.3.2-20081105.so.1
7f3d9c000000-7f3d9c021000 rw-p 7f3d9c000000 00:00 0 
7f3d9c021000-7f3da0000000 ---p 7f3d9c021000 00:00 0 
7f3da2860000-7f3da2862000 rw-p 7f3da2860000 00:00 0 
7f3da287a000-7f3da287d000 rw-p 7f3da287a000 00:00 0 
7fffaa867000-7fffaa87c000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffaa9fe000-7fffaa9ff000 r-xp 7fffaa9fe000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Any ideas where I'm going wrong? Once I comment out the free() function and re-compile, the program will run fine. I'm running on Fedora 10, 64 bit.

Thanks in advance for your time!

Let's concentrate on those statements that involve p2:

Code:

int *p2 = malloc(sizeof(*p2));
p2 = &z;
printf("The value from pointer p2 at memory address %p is %d\n\n", p2, *p2);
free(p2);

It is clear that you assign the address of z to p2. This means that p2 no longer points to dynamically allocated memory, hence it is incorrect to call free() with it. The error is the assignment of the address of z to p2 since it causes the dynamically allocated memory to be "orphaned". What you probably want to do is assign the value of z to the object pointed to by p2:

Code:

*p2 = z;

By the way, the comment on this line is misleading:

Code:

int *p; /* initialize a pointer to an integer */

It is more of an instruction than a comment of what the line does, but in the first place the comment is unnecessary since in the place where it would make sense (p = &x; ) it would be redundant.

Classic case of "trying to free something that didn't come from malloc"

Code:

        p2 = &z;

overwrites the value of p2 that you got back from malloc. Since free expects to see some data before the pointer you pass in, that holds a bit of data to so that free can do it's job, this is not the case when the memory didn't come from malloc, and that is what is causing your crash.

As a consequence of overwriting your p2 value, you also have a memory leak, because you have lost your pointer from malloc, and can't free it.

--
Mats

Thank you laserlight and matsp!

Right, I was trying to get p2 to be a pointer to z and get in some practice with malloc. With my misunderstanding of pointers though, I thought I needed to point to z's address to p2 to accomplish this. Thanks to your explanation, I realize I lost the memory address that malloc allocated for me and replaced it with z's address. Makes total sense now. Wow, only a couple simple programs in and I've already created a memory leak!

Thank you both for the thorough explanation; I now understand pointers and malloc much better than about a half hour ago. I changed the statement p2 = &z; to *p2 = z; as laserlight suggested in order to maintain the memory address malloc provided and it works now.

Thanks again, I appreciate your feedback!

Note that there is a big difference between p2 pointing at z (and you do not need malloc in that case) and the value p2 points at being the same as z. If we make two examples:

Code:

int *p2;
int z = 7;
p2 = malloc(sizeof(*p2));
*p2 = z;
z = 8;
printf("*p2 = %d, z = %d\n", *p2, z);

and
int *p2;
int z = 7;
p2 = &z;
z = 8;
printf("*p2 = %d, z = %d\n", *p2, z);
*p2 = 9;
printf("*p2 = %d, z = %d\n", *p2, z);
[/code]

Note how the value of z changes independently of the value of *p2 in the first case, and in the second case, changes to z or *p2 will change both *p2 and z in one case.

--
Mats

Thanks Mats!

Point well noted...I think I'm starting to get it.

The way I am understanding this is that in the first code example, p2 is storing the the value of z in its own memory address that was allocated by malloc(). z has a different memory address from p2. When the value of z changes from 7 to 8, p2 remains at 7 because it was only assigned the value of z at the time of assignment and does not reflect the current value of z when changed because they are not using the same memory address.

The second example has p2 and z using the same memory address, therefore a change in value using either variable name affects both since they both have the same address.

Thanks again for the noting that difference...

*applaud*
Well done. Many people have trouble with pointers.
Now, if you want extra exercise, you can try out pointer to pointers! That part confuses yet more people.