Question

我创建了以下代码，一个用于可打印ascii的简单强力程序。用户传入用于启动密码短语长度和结束密码短语长度的参数。当我的程序运行时，我收到以下错误：

输入：

~$ Enter START length & END length ex:(8 10): 2 3

输出：

... (more output above)
~|
~}
~~

*** glibc detected *** ./wordgen: double free or corruption (out): 0x0916e008 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6cbe1)[0x874be1]
/lib/i386-linux-gnu/libc.so.6(+0x6e50b)[0x87650b]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x87969d]
./wordgen[0x80486f4]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x81ee37]
./wordgen[0x8048471]
======= Memory map: ========
00110000-0012a000 r-xp 00000000 08:06 3408733    /lib/i386-linux-gnu/libgcc_s.so.1Aborted

Valgrind输出：

==11050== Invalid read of size 1
==11050==    at 0x804866F: main (wordgen.c:37)
==11050==  Address 0x41a2027 is 1 bytes before a block of size 3 alloc'd
==11050==    at 0x4026864: malloc (vg_replace_malloc.c:236)
==11050==    by 0x8048600: main (wordgen.c:28)
==11050== 
==11050== Invalid write of size 1
==11050==    at 0x8048675: main (wordgen.c:37)
==11050==  Address 0x41a2027 is 1 bytes before a block of size 3 alloc'd
==11050==    at 0x4026864: malloc (vg_replace_malloc.c:236)
==11050==    by 0x8048600: main (wordgen.c:28)
==11050== 
==11050== Invalid read of size 1
==11050==    at 0x8048689: main (wordgen.c:38)
==11050==  Address 0x41a2027 is 1 bytes before a block of size 3 alloc'd
==11050==    at 0x4026864: malloc (vg_replace_malloc.c:236)
==11050==    by 0x8048600: main (wordgen.c:28)
==11050==

C代码：

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
  int  sLen = 1;
  int  eLen = 0;

  printf("Enter START length & END length ex:(8 10): ");
  scanf("%d %d", &sLen, &eLen);
  int cLen = sLen;
  while (cLen <= eLen) {

    /* Allocate Memory for String  & Initialize */
    char *outStr = malloc(cLen + 1);
    memset(outStr, ' ', cLen);
    outStr[cLen] = 0;

    int outerControl = 1;
    while (outerControl == 1) {
      int cMod = 1;
      int innerControl = 1;
      while(innerControl == 1) {
        outStr[cLen-cMod] += 1;
        if((int)outStr[cLen-cMod] == 127) {
          //Exit Condition Where The Error Occurred
          if(cLen - cMod == 0) { outerControl = 0;  } 
          outStr[cLen-cMod] = 32;
          cMod += 1;
        }
        else { innerControl = 0; }
      }
      printf("%s\n",outStr);
    }
    free(outStr); // Possible source of Error?
    cLen += 1;
  }

  return 0;
}

我是C编程新手，对此错误感到非常困惑。这是什么意思？我是如何错误地创建程序的？我假设它与内存管理有关...

Answer 1

你的问题是：

while(innerControl == 1) {
  printf("%d %d\n", cLen, cMod);
  outStr[cLen-cMod] += 1;                       // <-- this here
  if((int)outStr[cLen-cMod] == 127) {
    //Exit Condition Where The Error Occurred
    if(cLen - cMod == 0) { outerControl = 0;  }
    outStr[cLen-cMod] = 32;
    cMod += 1;
  }
  else { innerControl = 0; }
}

在某些时候，cMod增长到大于cLen，因此您从其范围内访问outStr（即：outStr[-1]）。此行为未定义。

这个条件：

if(cLen - cMod == 0) { outerControl = 0;  }

...似乎是为了防止这种情况，但只会在(int)outStr[cLen-cMod] == 127时执行。您可能应该添加以下内容：

if (cMod > cLen)
    break;

outStr[cLen-cMod] += 1;

Answer 2

您在while (cLen <= eLen)循环的每次传递中释放outStr，因此仅当eLen - cLen＆lt; 1;）

更新：对不起，我错了 - 你在每次通过时都会把它搞好。

我尝试了你的程序，它在我的mac上没有任何错误。尝试使用valgrind来了解发生了什么。

C中的内存分配运行时错误

2 个答案: