←back to thread

Some bits on malloc(0) in C being allowed to return NULL

(utcc.utoronto.ca)
50 points ingve | 3 comments | 25 Jun 25 06:15 UTC | HN request time: 0.606s | source
Show context
bobmcnamara ◴[26 Jun 25 17:01 UTC] No.44389188[source]
Ages ago I worked with a system where malloc(0) incremented a counter and returned -1.

free(-1) decremented the counter.

This way you could check for leaks :p

replies(3): >>44389317 #>>44389346 #>>44389977 #
o11c ◴[26 Jun 25 17:17 UTC] No.44389317[source]
Noncompliant, since `malloc(0)` is specified to return a unique pointer if it's not `NULL`.

On most platforms an implementation could just return adjacent addresses from the top half of the address space. On 32-bit platforms it doesn't take long to run out of such address space however, and you don't want to waste the space for a bitmap allocator. I suppose you could just use a counter for each 64K region or something, so you can reuse it if the right number of elements has been freed ...

replies(3): >>44389517 #>>44389553 #>>44395128 #
LPisGood ◴[26 Jun 25 17:38 UTC] No.44389517[source]
Noncompliant, but what could this reasonably impact?
replies(2): >>44389559 #>>44389605 #
bobmcnamara ◴[26 Jun 25 17:41 UTC] No.44389559[source]
> Noncompliant, since `malloc(0)` is specified to return a unique pointer if it's not `NULL`.

I know I've seen that somewhere, but may I ask what standard you're referring to?

replies(1): >>44389694 #
masfuerte ◴[26 Jun 25 17:55 UTC] No.44389694[source]
It's POSIX.

> Each [...] allocation shall yield a pointer to an object disjoint from any other object. The pointer returned points to the start (lowest byte address) of the allocated space. If the space cannot be allocated, a null pointer shall be returned. If the size of the space requested is 0, the behavior is implementation-defined: either a null pointer shall be returned, or the behavior shall be as if the size were some non-zero value, except that the behavior is undefined if the returned pointer is used to access an object.

https://pubs.opengroup.org/onlinepubs/9799919799/functions/m...

replies(1): >>44390087 #
MaxBarraclough ◴[26 Jun 25 18:40 UTC] No.44390087[source]
Not just POSIX, also the ISO C standard itself. https://en.cppreference.com/w/c/memory/malloc
replies(2): >>44390145 #>>44390234 #
masfuerte ◴[26 Jun 25 18:45 UTC] No.44390145[source]
That doesn't say the pointer has to be unique.
replies(2): >>44390258 #>>44390287 #
jcranmer ◴[26 Jun 25 18:58 UTC] No.44390258[source]
cppreference isn't the standard, and while the text they write looks like it's the same verbiage that would be authoritative, it's not. (And there's some criticism of it from standards committee members in that regard).

The current C standard text says:

> The order and contiguity of storage allocated by successive calls to the aligned_alloc, calloc, malloc, and realloc functions is unspecified. The pointer returned if the allocation succeeds is suitably aligned so that it can be assigned to a pointer to any type of object with a fundamental alignment requirement and size less than or equal to the size requested. It can then be used to access such an object or an array of such objects in the space allocated (until the space is explicitly deallocated). The lifetime of an allocated object extends from the allocation until the deallocation. Each such allocation shall yield a pointer to an object disjoint from any other object. The pointer returned points to the start (lowest byte address) of the allocated space. If the space cannot be allocated, a null pointer is returned. If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned to indicate an error, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.

So yeah, the allocations are required to be unique (at least until it's free'd).

replies(1): >>44392253 #
bobmcnamara ◴[26 Jun 25 22:55 UTC] No.44392253[source]
> Each such allocation shall yield a pointer to an object disjoint from any other object.

Phrasing could be slightly more clear to prevent someone from making the argument that -1 is disjoint from all objects as it does not point to an object

replies(1): >>44395792 #
1. Joker_vD ◴[27 Jun 25 11:08 UTC] No.44395792[source]
And if you use 0 as the value of NULL pointer, then -1 can't ever point to an object (because adding 1 to it should generate a non-NULL pointer, so that pointer comparisons are not UB).

So yeah, C implementations have to reserve at least two addresses, not just one. By the way, the standard to this day allows NULL, when cast to a pointer type, to be something else than all-bits-zero pattern (and some implementations indeed took this opportunity).

replies(1): >>44396796 #
2. ynik ◴[27 Jun 25 13:48 UTC] No.44396796[source]
But adding 1 to a pointer will add sizeof(T) to the underlying value, so you actually need to reserve more than two addresses if you want to distinguish the "past-the-end" pointer for every object from NULL.

--

While it's rare to find a platform nowadays that uses something other than a zero bit pattern for NULL as normal pointer type; it's extremely common in C++ for pointer-to-member types: 0 is the first field at the start of a struct (offset 0); and NULL is instead represented with -1.

replies(1): >>44397276 #
3. Joker_vD ◴[27 Jun 25 14:58 UTC] No.44397276[source]
> so you actually need to reserve more than two addresses if you want to distinguish the "past-the-end" pointer for every object from NULL.

Well, yes and no. A 4-byte int can not reside at -4, but a char could be; but no object can reside at -1. So implementations need to take care that one-past-the-end addresses never equal to whatever happens to serve as nullptr but this requirement only makes address -1 completely unavailable for the C-native objects.