c - 无效的写入/读取 valgrind 错误，在其他问题中未找到解决方案

Question

我正在为家庭作业编写 C 代码，该作业通过内存段的动态数组复制主内存。

这些内存段来自不同的接口，它本身只是一个 uint32_ts 的静态数组。

我的主内存接口称为 heapmem（如堆内存），自从切换以来，我一直收到奇怪的 valgrind 读/写错误。在咀嚼我之前，我已经查看和研究，并且作为最后的手段来SO。

这是错误

==30352== Invalid write of size 8
==30352==    at 0x401661: HeapMem_map (heapmem.c:84)
==30352==    by 0x400E74: map (um.c:109)
==30352==    by 0x4010FD: runOpcode (um.c:182)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)
==30352==  Address 0x4c53b00 is 0 bytes after a block of size 16 alloc'd
==30352==    at 0x4A0610C: malloc (vg_replace_malloc.c:195)
==30352==    by 0x401425: HeapMem_new (heapmem.c:32)
==30352==    by 0x400ABE: UM_new (um.c:31)
==30352==    by 0x400A64: main (main.c:8)
==30352== 
==30352== Invalid read of size 8
==30352==    at 0x401787: HeapMem_put (heapmem.c:114)
==30352==    by 0x400D38: sstore (um.c:90)
==30352==    by 0x401090: runOpcode (um.c:167)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)
==30352==  Address 0x4c53b00 is 0 bytes after a block of size 16 alloc'd
==30352==    at 0x4A0610C: malloc (vg_replace_malloc.c:195)
==30352==    by 0x401425: HeapMem_new (heapmem.c:32)
==30352==    by 0x400ABE: UM_new (um.c:31)
==30352==    by 0x400A64: main (main.c:8)
==30352== 
==30352== Invalid read of size 8
==30352==    at 0x401956: car_double (heapmem.c:151)
==30352==    by 0x401640: HeapMem_map (heapmem.c:82)
==30352==    by 0x400E74: map (um.c:109)
==30352==    by 0x4010FD: runOpcode (um.c:182)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)
==30352==  Address 0x4c53b00 is 0 bytes after a block of size 16 alloc'd
==30352==    at 0x4A0610C: malloc (vg_replace_malloc.c:195)
==30352==    by 0x401425: HeapMem_new (heapmem.c:32)
==30352==    by 0x400ABE: UM_new (um.c:31)
==30352==    by 0x400A64: main (main.c:8)
==30352== 
==30352== Invalid read of size 8
==30352==    at 0x40174A: HeapMem_get (heapmem.c:108)
==30352==    by 0x400CD9: sload (um.c:86)
==30352==    by 0x401079: runOpcode (um.c:164)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)
==30352==  Address 0x4c7e0f0 is 0 bytes after a block of size 4,096 alloc'd
==30352==    at 0x4A0610C: malloc (vg_replace_malloc.c:195)
==30352==    by 0x401923: car_double (heapmem.c:148)
==30352==    by 0x401640: HeapMem_map (heapmem.c:82)
==30352==    by 0x400E74: map (um.c:109)
==30352==    by 0x4010FD: runOpcode (um.c:182)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)

以下是代码中的函数给我错误：

//  Heap Memory Structure
struct T {
   Stack_T SegID_stack;
   MemSeg_T* HeapMem_car;
   int length, highest;
};

//  Create a new heap memory structure
T HeapMem_new (MemSeg_T program) {
    assert (program);
    T retHeap = malloc(sizeof(*retHeap));
    Stack_T structStack = Stack_new ();
    retHeap->length = INIT_SIZE;
    retHeap->highest = 0;
    MemSeg_T* structCar = malloc(INIT_SIZE * sizeof(*structCar));
    //  Fill the array with NULL ptrs
    for (int i = 0; i < INIT_SIZE; i++) {
        structCar[i] = NULL;
    }
    retHeap->HeapMem_car = structCar;
    retHeap->SegID_stack = structStack;
    //  We'll be using the map function to initialize
    //  the heap with a program at the 0th segment.
    HeapMem_map (retHeap, MemSeg_length (program));
    retHeap->HeapMem_car[PROGRAM_LOC] = program;
    return retHeap;
}

//  Line 84
heapmem->HeapMem_car[toMap] = segment;
//  Line 114
MemSeg_T segToPut = heapmem->HeapMem_car[toPut];
//  Line 151
newCar[i] = heapmem->HeapMem_car[i];
//  Line 108
MemSeg_T wordSeg = heapmem->HeapMem_car[toGet];

其余代码可在此处获得。

Answer 1

首先对您的一个错误进行小剖析：

==30352== Invalid write of size 8
==30352==    at 0x401661: HeapMem_map (heapmem.c:84)
==30352==    by 0x400E74: map (um.c:109)
==30352==    by 0x4010FD: runOpcode (um.c:182)
==30352==    by 0x4011A1: UM_run (um.c:209)
==30352==    by 0x400A71: main (main.c:10)
==30352==  Address 0x4c53b00 is 0 bytes after a block of size 16 alloc'd
==30352==    at 0x4A0610C: malloc (vg_replace_malloc.c:195)
==30352==    by 0x401425: HeapMem_new (heapmem.c:32)
==30352==    by 0x400ABE: UM_new (um.c:31)
==30352==    by 0x400A64: main (main.c:8)

请注意，此列表的底部告诉您分配发生的位置。顶部告诉你它是如何被滥用的。在这种情况下，您正好经过请求分配的末尾 8 个字节。

您会注意到其中的所有超限，并且剩余的违规以完全相同的偏移量（8 个字节）超出了他们的能力范围。对引用代码的进一步检查表明它似乎总是相同的数组。这实际上是一件好事，因为它很可能只是错误地计算数据项的存在方式并达到超出允许空间的一个或两个的问题

在这种情况下，被破坏的项目似乎是一个动态分配的指针列表（heapmem->HeapMem_car[]）。在具有 64 位指针的机器上运行会使每个指针都有 8 字节宽，因此您很可能在此分配的最后一个可访问元素中简单地一个接一个，而在 C 中，这通常意味着在某些点你分配的N项目，然后访问array[N]忘记限制是N-1。所有上述访问违规似乎都集中在相信该数组的索引没有越界，但 valgrind 报告它们是。我建议您将一些 assert() 插入这些访问点并在违规时中断以查看您是如何到达那里的。哦等等.. valgrind 已经为你提供了这些信息。看看那个可爱的调用堆栈。嗯……

那么，为什么即使有这些违规行为它似乎也能奏效呢？多种可能性。如果您没有远远超出分配的内存 - 并且这里的所有地址都是 0 字节之后 - （这些毕竟是指针，所以祈祷它们是 NULL）很有可能不会覆盖重要数据和程序似乎工作。直到分配突然降落在其他地方并且您跨过页面边界。过冲和kerboom。

感谢Daniel Fischer对这个答案的第二部分的贡献（为什么它似乎有效）。