1.\" 2.\" Copyright (c) 1980, 1991, 1993 3.\" The Regents of the University of California. All rights reserved. 4.\" 5.\" This code is derived from software contributed to Berkeley by 6.\" the American National Standards Committee X3, on Information 7.\" Processing Systems. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. Neither the name of the University nor the names of its contributors 18.\" may be used to endorse or promote products derived from this software 19.\" without specific prior written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" $OpenBSD: malloc.3,v 1.62 2009/02/13 23:36:17 jmc Exp $ 34.\" 35.Dd $Mdocdate: February 13 2009 $ 36.Dt MALLOC 3 37.Os 38.Sh NAME 39.Nm malloc , 40.Nm calloc , 41.Nm realloc , 42.Nm free , 43.Nm cfree 44.Nd memory allocation and deallocation 45.Sh SYNOPSIS 46.Fd #include <stdlib.h> 47.Ft void * 48.Fn malloc "size_t size" 49.Ft void * 50.Fn calloc "size_t nmemb" "size_t size" 51.Ft void * 52.Fn realloc "void *ptr" "size_t size" 53.Ft void 54.Fn free "void *ptr" 55.Ft void 56.Fn cfree "void *ptr" 57.Ft char * 58.Va malloc_options ; 59.Sh DESCRIPTION 60The 61.Fn malloc 62function allocates uninitialized space for an object whose 63size is specified by 64.Fa size . 65The 66.Fn malloc 67function maintains multiple lists of free blocks according to size, allocating 68space from the appropriate list. 69.Pp 70The allocated space is 71suitably aligned (after possible pointer 72coercion) for storage of any type of object. 73If the space is of 74.Em pagesize 75or larger, the memory returned will be page-aligned. 76.Pp 77Allocation of a zero size object returns a pointer to a zero size object. 78This zero size object is access protected, so any access to it will 79generate an exception (SIGSEGV). 80Many zero-sized objects can be placed consecutively in shared 81protected pages. 82The minimum size of the protection on each object is suitably aligned and 83sized as previously stated, but the protection may extend further depending 84on where in a protected zone the object lands. 85.Pp 86When using 87.Fn malloc 88be careful to avoid the following idiom: 89.Bd -literal -offset indent 90if ((p = malloc(num * size)) == NULL) 91 err(1, "malloc"); 92.Ed 93.Pp 94The multiplication may lead to an integer overflow. 95To avoid this, 96.Fn calloc 97is recommended. 98.Pp 99If 100.Fn malloc 101must be used, be sure to test for overflow: 102.Bd -literal -offset indent 103if (size && num > SIZE_MAX / size) { 104 errno = ENOMEM; 105 err(1, "overflow"); 106} 107.Ed 108.Pp 109The 110.Fn calloc 111function allocates space for an array of 112.Fa nmemb 113objects, each of whose size is 114.Fa size . 115The space is initialized to zero. 116The use of 117.Fn calloc 118is strongly encouraged when allocating multiple sized objects 119in order to avoid possible integer overflows. 120.Pp 121The 122.Fn free 123function causes the space pointed to by 124.Fa ptr 125to be either placed on a list of free pages to make it available for future 126allocation or, if required, to be returned to the kernel using 127.Xr munmap 2 . 128If 129.Fa ptr 130is a null pointer, no action occurs. 131.Pp 132A 133.Fn cfree 134function is also provided for compatibility with old systems and other 135.Nm malloc 136libraries; it is simply an alias for 137.Fn free . 138.Pp 139The 140.Fn realloc 141function changes the size of the object pointed to by 142.Fa ptr 143to 144.Fa size 145bytes and returns a pointer to the (possibly moved) object. 146The contents of the object are unchanged up to the lesser 147of the new and old sizes. 148If the new size is larger, the value of the newly allocated portion 149of the object is indeterminate and uninitialized. 150If 151.Fa ptr 152is a null pointer, the 153.Fn realloc 154function behaves like the 155.Fn malloc 156function for the specified size. 157If the space cannot be allocated, the object 158pointed to by 159.Fa ptr 160is unchanged. 161If 162.Fa size 163is zero and 164.Fa ptr 165is not a null pointer, the object it points to is freed and a new zero size 166object is returned. 167.Pp 168When using 169.Fn realloc 170be careful to avoid the following idiom: 171.Bd -literal -offset indent 172size += 50; 173if ((p = realloc(p, size)) == NULL) 174 return (NULL); 175.Ed 176.Pp 177Do not adjust the variable describing how much memory has been allocated 178until the allocation has been successful. 179This can cause aberrant program behavior if the incorrect size value is used. 180In most cases, the above sample will also result in a leak of memory. 181As stated earlier, a return value of 182.Dv NULL 183indicates that the old object still remains allocated. 184Better code looks like this: 185.Bd -literal -offset indent 186newsize = size + 50; 187if ((newp = realloc(p, newsize)) == NULL) { 188 free(p); 189 p = NULL; 190 size = 0; 191 return (NULL); 192} 193p = newp; 194size = newsize; 195.Ed 196.Pp 197As with 198.Fn malloc 199it is important to ensure the new size value will not overflow; 200i.e. avoid allocations like the following: 201.Bd -literal -offset indent 202if ((newp = realloc(p, num * size)) == NULL) { 203 ... 204.Ed 205.Pp 206Malloc will first look for a symbolic link called 207.Pa /etc/malloc.conf 208and next check the environment for a variable called 209.Ev MALLOC_OPTIONS 210and finally for the global variable 211.Va malloc_options 212and scan them for flags in that order. 213Flags are single letters, uppercase means on, lowercase means off. 214.Bl -tag -width indent 215.It Cm A 216.Dq Abort . 217.Fn malloc 218will coredump the process, rather than tolerate internal 219inconsistencies or incorrect usage. 220This is the default and a very handy debugging aid, 221since the core file represents the time of failure, 222rather than when the bogus pointer was used. 223.It Cm D 224.Dq Dump . 225.Fn malloc 226will dump statistics in a file called 227.Pa malloc.out 228at exit. 229This option requires the library to have been compiled with -DMALLOC_STATS in 230order to have any effect. 231.It Cm F 232.Dq Freeguard . 233Enable use after free protection. 234Unused pages on the freelist are read and write protected to 235cause a segmentation fault upon access. 236This will also switch off the delayed freeing of chunks, 237reducing random behaviour but detecting double 238.Fn free 239calls as early as possible. 240.It Cm G 241.Dq Guard . 242Enable guard pages. 243Each page size or larger allocation is followed by a guard page that will 244cause a segmentation fault upon any access. 245.It Cm H 246.Dq Hint . 247Pass a hint to the kernel about pages we don't use. 248If the machine is paging a lot this may help a bit. 249.It Cm J 250.Dq Junk . 251Fill some junk into the area allocated. 252Currently junk is bytes of 0xd0 when allocating; this is pronounced 253.Dq Duh . 254\&:-) 255Freed chunks are filled with 0xdf. 256.It Cm P 257.Dq Move allocations within a page. 258Allocations larger than half a page but smaller than a page 259are aligned to the end of a page to catch buffer overruns in more 260cases. 261This is the default. 262.It Cm R 263.Dq realloc . 264Always reallocate when 265.Fn realloc 266is called, even if the initial allocation was big enough. 267This can substantially aid in compacting memory. 268.\".Pp 269.\".It Cm U 270.\".Dq utrace . 271.\"Generate entries for 272.\".Xr ktrace 1 273.\"for all operations. 274.\"Consult the source for this one. 275.It Cm X 276.Dq xmalloc . 277Rather than return failure, 278.Xr abort 3 279the program with a diagnostic message on stderr. 280It is the intention that this option be set at compile time by 281including in the source: 282.Bd -literal -offset indent 283extern char *malloc_options; 284malloc_options = "X"; 285.Ed 286.Pp 287Note that this will cause code that is supposed to handle 288out-of-memory conditions gracefully to abort instead. 289.It Cm Z 290.Dq Zero . 291Fill some junk into the area allocated (see 292.Cm J ) , 293except for the exact length the user asked for, which is zeroed. 294.It Cm < 295.Dq Half the cache size . 296Decrease the size of the free page cache by a factor of two. 297.It Cm > 298.Dq Double the cache size . 299Increase the size of the free page cache by a factor of two. 300.El 301.Pp 302So to set a systemwide reduction of cache size and use guard pages: 303.Dl # ln -s 'G\*(Lt' /etc/malloc.conf 304.Pp 305The flags are mostly for testing and debugging. 306If a program changes behavior if any of these options (except 307.Cm X ) 308are used, 309it is buggy. 310.Pp 311The default number of free pages cached is 64. 312.Sh RETURN VALUES 313The 314.Fn malloc 315and 316.Fn calloc 317functions return a pointer to the allocated space if successful; otherwise, 318a null pointer is returned and 319.Va errno 320is set to 321.Er ENOMEM . 322.Pp 323The 324.Fn free 325and 326.Fn cfree 327functions return no value. 328.Pp 329The 330.Fn realloc 331function returns a pointer to the (possibly moved) allocated space 332if successful; otherwise, a null pointer is returned and 333.Va errno 334is set to 335.Er ENOMEM . 336.Sh ENVIRONMENT 337.Bl -tag -width Ev 338.It Ev MALLOC_OPTIONS 339See above. 340.El 341.Sh FILES 342.Bl -tag -width "/etc/malloc.conf" 343.It Pa /etc/malloc.conf 344symbolic link to filename containing option flags 345.El 346.Sh DIAGNOSTICS 347If 348.Fn malloc , 349.Fn calloc , 350.Fn realloc , 351or 352.Fn free 353detect an error condition, 354a message will be printed to file descriptor 3552 (not using stdio). 356Errors will result in the process being aborted, 357unless the 358.Cm a 359option has been specified. 360.Pp 361Here is a brief description of the error messages and what they mean: 362.Bl -tag -width Ds 363.It Dq out of memory 364If the 365.Cm X 366option is specified it is an error for 367.Fn malloc , 368.Fn calloc , 369or 370.Fn realloc 371to return 372.Dv NULL . 373.It Dq malloc init mmap failed 374This is a rather weird condition that is most likely to indicate a 375seriously overloaded system or a ulimit restriction. 376.It Dq bogus pointer (double free?) 377An attempt to 378.Fn free 379or 380.Fn realloc 381an unallocated pointer was made. 382.It Dq chunk is already free 383There was an attempt to free a chunk that had already been freed. 384.It Dq modified chunk-pointer 385The pointer passed to 386.Fn free 387or 388.Fn realloc 389has been modified. 390.It Dq recursive call 391An attempt was made to call recursively into these functions, i.e., from a 392signal handler. 393This behavior is not supported. 394In particular, signal handlers should 395.Em not 396use any of the 397.Fn malloc 398functions nor utilize any other functions which may call 399.Fn malloc 400(e.g., 401.Xr stdio 3 402routines). 403.It Dq unknown char in MALLOC_OPTIONS 404We found something we didn't understand. 405.It Dq malloc cache overflow/underflow 406The internal malloc page cache has been corrupted. 407.It Dq malloc free slot lost 408The internal malloc page cache has been corrupted. 409.It Dq guard size 410An inconsistent guard size was detected. 411.It any other error 412.Fn malloc 413detected an internal error; 414consult sources and/or wizards. 415.El 416.Sh SEE ALSO 417.Xr brk 2 , 418.Xr mmap 2 , 419.Xr munmap 2 , 420.Xr alloca 3 , 421.Xr getpagesize 3 422.Sh STANDARDS 423The 424.Fn malloc 425function conforms to 426.St -ansiC . 427.Sh HISTORY 428The present implementation of 429.Fn malloc 430started out as a filesystem on a drum 431attached to a 20-bit binary challenged computer built with discrete germanium 432transistors, and it has since graduated to handle primary storage rather than 433secondary. 434.Pp 435The main difference from other 436.Fn malloc 437implementations are believed to be that 438the free pages are not accessed until allocated. 439Most 440.Fn malloc 441implementations will store a data structure containing a, 442possibly double-, linked list in the free chunks of memory, used to tie 443all the free memory together. 444That is a quite suboptimal thing to do. 445Every time the free-list is traversed, all the otherwise unused, and very 446likely paged out, pages get faulted into primary memory, just to see what 447lies after them in the list. 448.Pp 449On systems which are paging, this can increase the page-faults 450of a process by a factor of five. 451