1.\" 2.\" Copyright (c) 1980, 1991, 1993 3.\" The Regents of the University of California. All rights reserved. 4.\" 5.\" This code is derived from software contributed to Berkeley by 6.\" the American National Standards Committee X3, on Information 7.\" Processing Systems. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. Neither the name of the University nor the names of its contributors 18.\" may be used to endorse or promote products derived from this software 19.\" without specific prior written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" $OpenBSD: malloc.3,v 1.54 2008/08/07 18:41:47 otto Exp $ 34.\" 35.Dd $Mdocdate: August 7 2008 $ 36.Dt MALLOC 3 37.Os 38.Sh NAME 39.Nm malloc , 40.Nm calloc , 41.Nm realloc , 42.Nm free , 43.Nm cfree 44.Nd memory allocation and deallocation 45.Sh SYNOPSIS 46.Fd #include <stdlib.h> 47.Ft void * 48.Fn malloc "size_t size" 49.Ft void * 50.Fn calloc "size_t nmemb" "size_t size" 51.Ft void * 52.Fn realloc "void *ptr" "size_t size" 53.Ft void 54.Fn free "void *ptr" 55.Ft void 56.Fn cfree "void *ptr" 57.Ft char * 58.Va malloc_options ; 59.Sh DESCRIPTION 60The 61.Fn malloc 62function allocates uninitialized space for an object whose 63size is specified by 64.Fa size . 65The 66.Fn malloc 67function maintains multiple lists of free blocks according to size, allocating 68space from the appropriate list. 69.Pp 70The allocated space is 71suitably aligned (after possible pointer 72coercion) for storage of any type of object. 73If the space is of 74.Em pagesize 75or larger, the memory returned will be page-aligned. 76.Pp 77Allocation of a zero size object returns a pointer to a zero size object. 78This zero size object is access protected, so any access to it will 79generate an exception (SIGSEGV). 80Many zero-sized objects can be placed consecutively in shared 81protected pages. 82The minimum size of the protection on each object is suitably aligned and 83sized as previously stated, but the protection may extend further depending 84on where in a protected zone the object lands. 85.Pp 86When using 87.Fn malloc 88be careful to avoid the following idiom: 89.Bd -literal -offset indent 90if ((p = malloc(num * size)) == NULL) 91 err(1, "malloc"); 92.Ed 93.Pp 94The multiplication may lead to an integer overflow. 95To avoid this, 96.Fn calloc 97is recommended. 98.Pp 99If 100.Fn malloc 101must be used, be sure to test for overflow: 102.Bd -literal -offset indent 103if (size && num > SIZE_MAX / size) { 104 errno = ENOMEM; 105 err(1, "overflow"); 106} 107.Ed 108.Pp 109The 110.Fn calloc 111function allocates space for an array of 112.Fa nmemb 113objects, each of whose size is 114.Fa size . 115The space is initialized to zero. 116The use of 117.Fn calloc 118is strongly encouraged when allocating multiple sized objects 119in order to avoid possible integer overflows. 120.Pp 121The 122.Fn free 123function causes the space pointed to by 124.Fa ptr 125to be either placed on a list of free pages to make it available for future 126allocation or, if required, to be returned to the kernel using 127.Xr munmap 2 . 128If 129.Fa ptr 130is a null pointer, no action occurs. 131.Pp 132A 133.Fn cfree 134function is also provided for compatibility with old systems and other 135.Nm malloc 136libraries; it is simply an alias for 137.Fn free . 138.Pp 139The 140.Fn realloc 141function changes the size of the object pointed to by 142.Fa ptr 143to 144.Fa size 145bytes and returns a pointer to the (possibly moved) object. 146The contents of the object are unchanged up to the lesser 147of the new and old sizes. 148If the new size is larger, the value of the newly allocated portion 149of the object is indeterminate and uninitialized. 150If 151.Fa ptr 152is a null pointer, the 153.Fn realloc 154function behaves like the 155.Fn malloc 156function for the specified size. 157If the space cannot be allocated, the object 158pointed to by 159.Fa ptr 160is unchanged. 161If 162.Fa size 163is zero and 164.Fa ptr 165is not a null pointer, the object it points to is freed and a new zero size 166object is returned. 167.Pp 168When using 169.Fn realloc 170be careful to avoid the following idiom: 171.Bd -literal -offset indent 172size += 50; 173if ((p = realloc(p, size)) == NULL) 174 return (NULL); 175.Ed 176.Pp 177Do not adjust the variable describing how much memory has been allocated 178until the allocation has been successful. 179This can cause aberrant program behavior if the incorrect size value is used. 180In most cases, the above sample will also result in a leak of memory. 181As stated earlier, a return value of 182.Dv NULL 183indicates that the old object still remains allocated. 184Better code looks like this: 185.Bd -literal -offset indent 186newsize = size + 50; 187if ((newp = realloc(p, newsize)) == NULL) { 188 free(p); 189 p = NULL; 190 size = 0; 191 return (NULL); 192} 193p = newp; 194size = newsize; 195.Ed 196.Pp 197As with 198.Fn malloc 199it is important to ensure the new size value will not overflow; 200i.e. avoid allocations like the following: 201.Bd -literal -offset indent 202if ((newp = realloc(p, num * size)) == NULL) { 203 ... 204.Ed 205.Pp 206Malloc will first look for a symbolic link called 207.Pa /etc/malloc.conf 208and next check the environment for a variable called 209.Ev MALLOC_OPTIONS 210and finally for the global variable 211.Va malloc_options 212and scan them for flags in that order. 213Flags are single letters, uppercase means on, lowercase means off. 214.Bl -tag -width indent 215.It Cm A 216.Dq Abort . 217.Fn malloc 218will coredump the process, rather than tolerate failure. 219This is a very handy debugging aid, since the core file will represent the 220time of failure, rather than when the null pointer was accessed. 221.It Cm D 222.Dq Dump . 223.Fn malloc 224will dump statistics in a file called 225.Pa malloc.out 226at exit. 227This option requires the library to have been compiled with -DMALLOC_STATS in 228order to have any effect. 229.It Cm F 230.Dq Freeguard . 231Enable use after free protection. 232Unused pages on the freelist are read and write protected to 233cause a segmentation fault upon access. 234.It Cm G 235.Dq Guard . 236Enable guard pages and chunk randomization. 237Each page size or larger allocation is followed by a guard page that will 238cause a segmentation fault upon any access. 239Smaller than page size chunks are returned in a random order. 240.It Cm H 241.Dq Hint . 242Pass a hint to the kernel about pages we don't use. 243If the machine is paging a lot this may help a bit. 244.It Cm J 245.Dq Junk . 246Fill some junk into the area allocated. 247Currently junk is bytes of 0xd0 when allocating; this is pronounced 248.Dq Duh . 249\&:-) 250Freed chunks are filled with 0xdf. 251.It Cm N 252Do not output warning messages when encountering possible corruption 253or bad pointers. 254.It Cm P 255.Dq Move allocations within a page. 256Allocations larger than half a page but smaller that a page 257are aligned to the end of a page to catch buffer overruns in more 258cases. 259.It Cm R 260.Dq realloc . 261Always reallocate when 262.Fn realloc 263is called, even if the initial allocation was big enough. 264This can substantially aid in compacting memory. 265.\".Pp 266.\".It Cm U 267.\".Dq utrace . 268.\"Generate entries for 269.\".Xr ktrace 1 270.\"for all operations. 271.\"Consult the source for this one. 272.It Cm X 273.Dq xmalloc . 274Rather than return failure, 275.Xr abort 3 276the program with a diagnostic message on stderr. 277It is the intention that this option be set at compile time by 278including in the source: 279.Bd -literal -offset indent 280extern char *malloc_options; 281malloc_options = "X"; 282.Ed 283.Pp 284Note that this will cause code that is supposed to handle 285out-of-memory conditions gracefully to abort instead. 286.It Cm Z 287.Dq Zero . 288Fill some junk into the area allocated (see 289.Cm J ) , 290except for the exact length the user asked for, which is zeroed. 291.It Cm < 292.Dq Half the cache size . 293Decrease the size of the free page cache by a factor of two. 294.It Cm > 295.Dq Double the cache size . 296Increase the size of the free page cache by a factor of two. 297.El 298.Pp 299So to set a systemwide reduction of cache size and coredumps on problems: 300.Li ln -s 'A<' /etc/malloc.conf 301.Pp 302The 303.Cm J 304and 305.Cm Z 306flags are mostly for testing and debugging. 307If a program changes behavior if either of these options are used, 308it is buggy. 309.Pp 310The default number of free pages cached is 64. 311.Sh RETURN VALUES 312The 313.Fn malloc 314and 315.Fn calloc 316functions return a pointer to the allocated space if successful; otherwise, 317a null pointer is returned and 318.Va errno 319is set to 320.Er ENOMEM . 321.Pp 322The 323.Fn free 324and 325.Fn cfree 326functions return no value. 327.Pp 328The 329.Fn realloc 330function returns a pointer to the (possibly moved) allocated space 331if successful; otherwise, a null pointer is returned and 332.Va errno 333is set to 334.Er ENOMEM . 335.Sh ENVIRONMENT 336.Bl -tag -width Ev 337.It Ev MALLOC_OPTIONS 338See above. 339.El 340.Sh FILES 341.Bl -tag -width "/etc/malloc.conf" 342.It Pa /etc/malloc.conf 343symbolic link to filename containing option flags 344.El 345.Sh DIAGNOSTICS 346If 347.Fn malloc , 348.Fn calloc , 349.Fn realloc , 350or 351.Fn free 352detect an error or warning condition, 353a message will be printed to file descriptor 3542 (not using stdio). 355Errors will always result in the process being 356.Xr abort 3 'ed. 357If the 358.Cm A 359option has been specified, warnings will also 360.Xr abort 3 361the process. 362.Pp 363Here is a brief description of the error messages and what they mean: 364.Bl -tag -width Ds 365.It Dq out of memory 366If the 367.Cm A 368option is specified it is an error for 369.Fn malloc , 370.Fn calloc , 371or 372.Fn realloc 373to return 374.Dv NULL . 375.It Dq malloc init mmap failed 376This is a rather weird condition that is most likely to indicate a 377seriously overloaded system or a ulimit restriction. 378.It any other error 379.Fn malloc 380detected an internal error; 381consult sources and/or wizards. 382.El 383.Pp 384Here is a brief description of the warning messages and what they mean: 385.Bl -tag -width Ds 386.It Dq bogus pointer (double free?) 387An attempt to 388.Fn free 389or 390.Fn realloc 391an unallocated pointer was made. 392.It Dq chunk is already free 393There was an attempt to free a chunk that had already been freed. 394.It Dq modified chunk-pointer 395The pointer passed to 396.Fn free 397or 398.Fn realloc 399has been modified. 400.It Dq recursive call 401An attempt was made to call recursively into these functions, i.e., from a 402signal handler. 403This behavior is not supported. 404In particular, signal handlers should 405.Em not 406use any of the 407.Fn malloc 408functions nor utilize any other functions which may call 409.Fn malloc 410(e.g., 411.Xr stdio 3 412routines). 413.It Dq unknown char in MALLOC_OPTIONS 414We found something we didn't understand. 415.It Dq malloc cache overflow/underflow 416The internal malloc page cache has been corrupted. 417.It Dq malloc free slot lost 418The internal malloc page cache has been corrupted. 419.It Dq guard size 420An inconsistent guard size was detected. 421.El 422.Sh SEE ALSO 423.Xr brk 2 , 424.Xr mmap 2 , 425.Xr munmap 2 , 426.Xr alloca 3 , 427.Xr getpagesize 3 428.Sh STANDARDS 429The 430.Fn malloc 431function conforms to 432.St -ansiC . 433.Sh HISTORY 434The present implementation of 435.Fn malloc 436started out as a filesystem on a drum 437attached to a 20-bit binary challenged computer built with discrete germanium 438transistors, and it has since graduated to handle primary storage rather than 439secondary. 440.Pp 441The main difference from other 442.Fn malloc 443implementations are believed to be that 444the free pages are not accessed until allocated. 445Most 446.Fn malloc 447implementations will store a data structure containing a, 448possibly double-, linked list in the free chunks of memory, used to tie 449all the free memory together. 450That is a quite suboptimal thing to do. 451Every time the free-list is traversed, all the otherwise unused, and very 452likely paged out, pages get faulted into primary memory, just to see what 453lies after them in the list. 454.Pp 455On systems which are paging, this can increase the page-faults 456of a process by a factor of five. 457