1.\" 2.\" Copyright (c) 1980, 1991, 1993 3.\" The Regents of the University of California. All rights reserved. 4.\" 5.\" This code is derived from software contributed to Berkeley by 6.\" the American National Standards Committee X3, on Information 7.\" Processing Systems. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. Neither the name of the University nor the names of its contributors 18.\" may be used to endorse or promote products derived from this software 19.\" without specific prior written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" $OpenBSD: malloc.3,v 1.45 2006/06/06 14:49:26 pedro Exp $ 34.\" 35.Dd August 27, 1996 36.Dt MALLOC 3 37.Os 38.Sh NAME 39.Nm malloc , 40.Nm calloc , 41.Nm realloc , 42.Nm free , 43.Nm cfree 44.Nd memory allocation and deallocation 45.Sh SYNOPSIS 46.Fd #include <stdlib.h> 47.Ft void * 48.Fn malloc "size_t size" 49.Ft void * 50.Fn calloc "size_t nmemb" "size_t size" 51.Ft void * 52.Fn realloc "void *ptr" "size_t size" 53.Ft void 54.Fn free "void *ptr" 55.Ft void 56.Fn cfree "void *ptr" 57.Ft char * 58.Va malloc_options ; 59.Sh DESCRIPTION 60The 61.Fn malloc 62function allocates uninitialized space for an object whose 63size is specified by 64.Fa size . 65The 66.Fn malloc 67function maintains multiple lists of free blocks according to size, allocating 68space from the appropriate list. 69.Pp 70The allocated space is 71suitably aligned (after possible pointer 72coercion) for storage of any type of object. 73If the space is of 74.Em pagesize 75or larger, the memory returned will be page-aligned. 76.Pp 77Allocation of a zero size object returns a pointer to a zero size object. 78This zero size object is access protected, so any access to it will 79generate an exception (SIGSEGV). 80Many zero-sized objects can be placed consecutively in shared 81protected pages. 82The minimum size of the protection on each object is suitably aligned and 83sized as previously stated, but the protection may extend further depending 84on where in a protected zone the object lands. 85.Pp 86When using 87.Fn malloc 88be careful to avoid the following idiom: 89.Bd -literal -offset indent 90if ((p = malloc(num * size)) == NULL) 91 err(1, "malloc"); 92.Ed 93.Pp 94The multiplication may lead to an integer overflow. 95To avoid this, 96.Fn calloc 97is recommended. 98.Pp 99If 100.Fn malloc 101must be used, be sure to test for overflow: 102.Bd -literal -offset indent 103if (num && SIZE_MAX / num < size) { 104 errno = ENOMEM; 105 err(1, "overflow"); 106} 107.Ed 108.Pp 109The 110.Fn calloc 111function allocates space for an array of 112.Fa nmemb 113objects, each of whose size is 114.Fa size . 115The space is initialized to all bits zero. 116The use of 117.Fn calloc 118is strongly encouraged when allocating multiple sized objects 119in order to avoid possible integer overflows. 120.Pp 121The 122.Fn free 123function causes the space pointed to by 124.Fa ptr 125to be deallocated, that is, at least made available for further allocation, 126but if possible, it will be passed back to the kernel with 127.Xr sbrk 2 . 128If 129.Fa ptr 130is a null pointer, no action occurs. 131.Pp 132A 133.Fn cfree 134function is also provided for compatibility with old systems and other 135.Nm malloc 136libraries; it is simply an alias for 137.Fn free . 138.Pp 139The 140.Fn realloc 141function changes the size of the object pointed to by 142.Fa ptr 143to 144.Fa size 145bytes and returns a pointer to the (possibly moved) object. 146The contents of the object are unchanged up to the lesser 147of the new and old sizes. 148If the new size is larger, the value of the newly allocated portion 149of the object is indeterminate and uninitialized. 150If 151.Fa ptr 152is a null pointer, the 153.Fn realloc 154function behaves like the 155.Fn malloc 156function for the specified size. 157If the space cannot be allocated, the object 158pointed to by 159.Fa ptr 160is unchanged. 161If 162.Fa size 163is zero and 164.Fa ptr 165is not a null pointer, the object it points to is freed and a new zero size 166object is returned. 167.Pp 168When using 169.Fn realloc 170be careful to avoid the following idiom: 171.Bd -literal -offset indent 172size += 50; 173if ((p = realloc(p, size)) == NULL) 174 return (NULL); 175.Ed 176.Pp 177Do not adjust the variable describing how much memory has been allocated 178until the allocation has been successful. 179This can cause aberrant program behavior if the incorrect size value is used. 180In most cases, the above sample will also result in a leak of memory. 181As stated earlier, a return value of 182.Dv NULL 183indicates that the old object still remains allocated. 184Better code looks like this: 185.Bd -literal -offset indent 186newsize = size + 50; 187if ((newp = realloc(p, newsize)) == NULL) { 188 free(p); 189 p = NULL; 190 size = 0; 191 return (NULL); 192} 193p = newp; 194size = newsize; 195.Ed 196.Pp 197As with 198.Fn malloc 199it is important to ensure the new size value will not overflow; 200i.e. avoid allocations like the following: 201.Bd -literal -offset indent 202if ((newp = realloc(p, num * size)) == NULL) { 203 ... 204.Ed 205.Pp 206Malloc will first look for a symbolic link called 207.Pa /etc/malloc.conf 208and next check the environment for a variable called 209.Ev MALLOC_OPTIONS 210and finally for the global variable 211.Va malloc_options 212and scan them for flags in that order. 213Flags are single letters, uppercase means on, lowercase means off. 214.Bl -tag -width indent 215.It Cm A 216.Dq Abort . 217.Fn malloc 218will coredump the process, rather than tolerate failure. 219This is a very handy debugging aid, since the core file will represent the 220time of failure, rather than when the null pointer was accessed. 221.It Cm D 222.Dq Dump . 223.Fn malloc 224will dump statistics in a file called 225.Pa malloc.out 226at exit. 227This option requires the library to have been compiled with -DMALLOC_STATS in 228order to have any effect. 229.It Cm F 230.Dq Freeguard . 231Enable use after free protection. 232Unused pages on the freelist are read and write protected to 233cause a segmentation fault upon access. 234.It Cm G 235.Dq Guard . 236Enable guard pages and chunk randomization. 237Each page size or larger allocation is followed by a guard page that will 238cause a segmentation fault upon any access. 239Smaller than page size chunks are returned in a random order. 240.It Cm H 241.Dq Hint . 242Pass a hint to the kernel about pages we don't use. 243If the machine is paging a lot this may help a bit. 244.It Cm J 245.Dq Junk . 246Fill some junk into the area allocated. 247Currently junk is bytes of 0xd0; this is pronounced 248.Dq Duh . 249\&:-) 250.It Cm N 251Do not output warning messages when encountering possible corruption 252or bad pointers. 253.It Cm P 254.Dq Pointer Protection . 255Pointer sized allocations are aligned to the end of a page to catch 256sizeof(ptr) errors where sizeof(*ptr) is meant. 257.It Cm R 258.Dq realloc . 259Always reallocate when 260.Fn realloc 261is called, even if the initial allocation was big enough. 262This can substantially aid in compacting memory. 263.\".Pp 264.\".It Cm U 265.\".Dq utrace . 266.\"Generate entries for 267.\".Xr ktrace 1 268.\"for all operations. 269.\"Consult the source for this one. 270.It Cm X 271.Dq xmalloc . 272Rather than return failure, 273.Xr abort 3 274the program with a diagnostic message on stderr. 275It is the intention that this option be set at compile time by 276including in the source: 277.Bd -literal -offset indent 278extern char *malloc_options; 279malloc_options = "X"; 280.Ed 281.It Cm Z 282.Dq Zero . 283Fill some junk into the area allocated (see 284.Cm J ) , 285except for the exact length the user asked for, which is zeroed. 286.It Cm < 287.Dq Half the cache size . 288Decrease the size of the free page cache by a factor of two. 289.It Cm > 290.Dq Double the cache size . 291Increase the size of the free page cache by a factor of two. 292.El 293.Pp 294So to set a systemwide reduction of cache size and coredumps on problems: 295.Li ln -s 'A<' /etc/malloc.conf 296.Pp 297The 298.Cm J 299and 300.Cm Z 301flags are mostly for testing and debugging. 302If a program changes behavior if either of these options are used, 303it is buggy. 304.Pp 305The default number of free pages cached is 16. 306.Sh RETURN VALUES 307The 308.Fn malloc 309and 310.Fn calloc 311functions return a pointer to the allocated space if successful; otherwise, 312a null pointer is returned and 313.Va errno 314is set to 315.Er ENOMEM . 316.Pp 317The 318.Fn free 319and 320.Fn cfree 321functions return no value. 322.Pp 323The 324.Fn realloc 325function returns a pointer to the (possibly moved) allocated space 326if successful; otherwise, a null pointer is returned and 327.Va errno 328is set to 329.Er ENOMEM . 330.Sh ENVIRONMENT 331.Bl -tag -width Ev 332.It Ev MALLOC_OPTIONS 333See above. 334.El 335.Sh FILES 336.Bl -tag -width "/etc/malloc.conf" 337.It Pa /etc/malloc.conf 338symbolic link to filename containing option flags 339.El 340.Sh DIAGNOSTICS 341If 342.Fn malloc , 343.Fn calloc , 344.Fn realloc , 345or 346.Fn free 347detect an error or warning condition, 348a message will be printed to file descriptor 3492 (not using stdio). 350Errors will always result in the process being 351.Xr abort 3 'ed. 352If the 353.Cm A 354option has been specified, warnings will also 355.Xr abort 3 356the process. 357.Pp 358Here is a brief description of the error messages and what they mean: 359.Bl -tag -width Ds 360.It Dq (ES): mumble mumble mumble 361.Fn malloc 362has been compiled with 363.Dv \&-DEXTRA_SANITY 364and something looks fishy in there. 365Consult sources and/or wizards. 366.It Dq allocation failed 367If the 368.Cm A 369option is specified it is an error for 370.Fn malloc , 371.Fn calloc , 372or 373.Fn realloc 374to return 375.Dv NULL . 376.It Dq mmap(2) failed, check limits. 377This is a rather weird condition that is most likely to indicate a 378seriously overloaded system or a 379.Xr ulimit 1 380restriction. 381.It Dq freelist is destroyed. 382.Fn malloc Ns 's 383internal freelist has been stomped on. 384.El 385.Pp 386Here is a brief description of the warning messages and what they mean: 387.Bl -tag -width Ds 388.It Dq chunk/page is already free. 389There was an attempt to free a chunk that had already been freed. 390.It Dq junk pointer, too high to make sense. 391The pointer doesn't make sense. 392It's above the area of memory that 393.Fn malloc 394knows something about. 395This could be a pointer from some 396.Xr mmap 2 'ed 397memory. 398.It Dq junk pointer, too low to make sense. 399The pointer doesn't make sense. 400It's below the area of memory that 401.Fn malloc 402knows something about. 403This pointer probably came from your data or bss segments. 404.It Dq malloc() has never been called. 405Nothing has ever been allocated, yet something is being freed or 406realloc'ed. 407.It Dq modified (chunk-/page-) pointer. 408The pointer passed to 409.Fn free 410or 411.Fn realloc 412has been modified. 413.It Dq pointer to wrong page. 414The pointer that 415.Fn malloc 416is trying to free is not pointing to 417a sensible page. 418.It Dq recursive call. 419An attempt was made to call recursively into these functions, i.e., from a 420signal handler. 421This behavior is not supported. 422In particular, signal handlers should 423.Em not 424use any of the 425.Fn malloc 426functions nor utilize any other functions which may call 427.Fn malloc 428(e.g., 429.Xr stdio 3 430routines). 431.It Dq unknown char in MALLOC_OPTIONS 432We found something we didn't understand. 433.El 434.Sh SEE ALSO 435.Xr brk 2 , 436.Xr alloca 3 , 437.Xr getpagesize 3 438.Sh STANDARDS 439The 440.Fn malloc 441function conforms to 442.St -ansiC . 443.Sh HISTORY 444The present implementation of 445.Fn malloc 446started out as a filesystem on a drum 447attached to a 20-bit binary challenged computer built with discrete germanium 448transistors, and it has since graduated to handle primary storage rather than 449secondary. 450.Pp 451The main difference from other 452.Fn malloc 453implementations are believed to be that 454the free pages are not accessed until allocated. 455Most 456.Fn malloc 457implementations will store a data structure containing a, 458possibly double-, linked list in the free chunks of memory, used to tie 459all the free memory together. 460That is a quite suboptimal thing to do. 461Every time the free-list is traversed, all the otherwise unused, and very 462likely paged out, pages get faulted into primary memory, just to see what 463lies after them in the list. 464.Pp 465On systems which are paging, this can increase the page-faults 466of a process by a factor of five. 467