Question

我和这个问题几乎相同： Getting data from pointer in struct "Invalid read/write"

但是当我尝试遵循这些建议时，我仍然有相同的无效读取大小。

我的结构看起来像这样：

DAY$NUMBER  DAY$NAME    DAY$DATE
--------------------------------------
1   MARTES  12/01/2010
2   MIERCOLES   13/01/2010
3   JUEVES  14/01/2010
4   VIERNES 15/01/2010

我的循环缓冲区代码：

typedef struct{
   int lenght;
   int max_lenght;
   int extract;
   int inserting;
   void** structure;
} queue_t;

当我尝试调用pop_from_queue时，我仍在从数组之外获取消息。例如：

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#include "queue.h"

 /* creates a new queue with a given size */
queue_t* create_queue(int capacity){

    queue_t* queue = malloc (sizeof(queue_t));

    queue->lenght = 0;
    queue -> max_lenght = capacity;
    queue -> extract = 0;
    queue -> inserting = 0;
    queue -> structure = malloc(sizeof(void*) * capacity);
    return queue;
}
/* deletes the queue and all allocated memory */
void delete_queue(queue_t *queue){
    free(queue->structure);
    free(queue);
}

/*
 * inserts a reference to the element into the queue
 * returns: true on success; false otherwise
 */
bool push_to_queue(queue_t* queue, void* data){
    bool succes;
    if ((queue -> max_lenght) <= (queue -> lenght)){
        succes = false;
    }
    else{
        if (queue -> inserting == queue->max_lenght){
            queue -> inserting = 0;
        }
        queue -> structure[queue -> inserting] = data;
        queue -> inserting += 1;
        queue -> lenght += 1;
        succes = true;
    }
    return succes;
}

/*
 * gets the first element from the queue and removes it from the queue
 * returns: the first element on success; NULL otherwise
 */
void* pop_from_queue(queue_t *queue){
    void* element;
    if ((queue->lenght) <= 0){
        element = NULL;
    }
    else{
        element = queue -> structure[queue-> extract];
        queue -> extract += 1;
        queue -> lenght -= 1;
        if(queue -> extract == queue -> max_lenght){
            queue -> extract = 0;
        }
    }
    return element;
}

/*
 * gets idx-th element from the queue
 * returns: the idx-th element on success; NULL otherwise
 */
void* get_from_queue(queue_t *queue, int idx){
    void* element;
    if(idx >= queue -> lenght){
        element = NULL;
    }
    else{
        if (queue -> extract + idx >= queue->max_lenght){
            element = &queue -> structure[queue->extract+idx - queue->         max_lenght];
        }
        else{
            element = &queue -> structure[queue-> extract+idx];
        }
    }
    return element;
}

/* gets number of stored elements */
int get_queue_size(queue_t *q){
    return q -> lenght;
}

我是结构的初学者所以我欢迎任何帮助。

修改这些错误在线：

==236== Invalid read of size 4
==236==    at 0x4009C8: pop_from_queue (queue.c:53)
==236==    by 0x400721: pop (main.c:33)
==236==    by 0x400817: main (main.c:78)
==236==  Address 0x51fc040 is 0 bytes inside a block of size 24 free'd
==236==    at 0x4C2BD57: free (vg_replace_malloc.c:530)
==236==    by 0x40073D: pop (main.c:35)
==236==    by 0x400817: main (main.c:78)
==236==  Block was alloc'd at
==236==    at 0x4C2AC3D: malloc (vg_replace_malloc.c:299)
==236==    by 0x4008B8: create_queue (queue.c:10)
==236==    by 0x400798: main (main.c:57)
==236==
==236== Invalid read of size 8
==236==    at 0x4009DC: pop_from_queue (queue.c:57)
==236==    by 0x400721: pop (main.c:33)
==236==    by 0x400817: main (main.c:78)
==236==  Address 0x51fc050 is 16 bytes inside a block of size 24 free'd
==236==    at 0x4C2BD57: free (vg_replace_malloc.c:530)
==236==    by 0x40073D: pop (main.c:35)
==236==    by 0x400817: main (main.c:78)
==236==  Block was alloc'd at
==236==    at 0x4C2AC3D: malloc (vg_replace_malloc.c:299)
==236==    by 0x4008B8: create_queue (queue.c:10)
==236==    by 0x400798: main (main.c:57)
==236==
==236== Invalid read of size 4
==236==    at 0x4009E4: pop_from_queue (queue.c:57)
==236==    by 0x400721: pop (main.c:33)
==236==    by 0x400817: main (main.c:78)
==236==  Address 0x51fc048 is 8 bytes inside a block of size 24 free'd
==236==    at 0x4C2BD57: free (vg_replace_malloc.c:530)
==236==    by 0x40073D: pop (main.c:35)
==236==    by 0x400817: main (main.c:78)
==236==  Block was alloc'd at
==236==    at 0x4C2AC3D: malloc (vg_replace_malloc.c:299)
==236==    by 0x4008B8: create_queue (queue.c:10)
==236==    by 0x400798: main (main.c:57)
==236==
==236== Invalid read of size 4
==236==    at 0x4009FB: pop_from_queue (queue.c:58)
==236==    by 0x400721: pop (main.c:33)
==236==    by 0x400817: main (main.c:78)
==236==  Address 0x51fc048 is 8 bytes inside a block of size 24 free'd
==236==    at 0x4C2BD57: free (vg_replace_malloc.c:530)
==236==    by 0x40073D: pop (main.c:35)
==236==    by 0x400817: main (main.c:78)
==236==  Block was alloc'd at
==236==    at 0x4C2AC3D: malloc (vg_replace_malloc.c:299)
==236==    by 0x4008B8: create_queue (queue.c:10)
==236==    by 0x400798: main (main.c:57)
==236==
etc.

我的主要方案方法：

53 if ((queue->lenght) <= 0){
57 element = queue -> structure[queue-> extract];
58 queue -> extract += 1;
59 queue -> lenght -= 1;
60 if(queue -> extract == queue -> max_lenght){
89 return q -> lenght;

Answer 1

仔细阅读代码，我发现了一些直接的问题。

/* pop from the queue, print and free the element */
void pop(queue_t *queue)
{
    void *p = pop_from_queue(queue);
    print_int(p);
    free(queue);
}

我认为你不想在这里释放整个queue，而是p。

void delete_queue(queue_t *queue){
    free(queue->structure);
    free(queue);
}

由于queue->structure是一个指针列表，因此只释放列表的内存。它指向的内存仍然需要被释放。这可以是调用者的责任，但也可以卸载到队列中。

使用这样的通用结构，您通常会为结构提供一个知道如何释放队列中内存的函数指针。举个好例子，看看the initializer of GLib's pointer arrays take a destroy function。

bool push_to_queue(queue_t* queue, void* data){
    bool succes;
    if ((queue -> max_lenght) <= (queue -> lenght)){
        succes = false;
    }
    else{
        if (queue -> inserting == queue->max_lenght){
            queue -> inserting = 0;
        }
        queue -> structure[queue -> inserting] = data;
        queue -> inserting += 1;
        queue -> lenght += 1;
        succes = true;
    }
    return succes;
}

if ((queue -> max_lenght) <= (queue -> lenght))包含无效状态，其中queue -> max_lenght 小于 queue->lenght。这绝不应该发生。

最好使用assert检查所有内容是否有效。这是一个调试语句，用于声明必须为真assert( queue->length <= queue->max_length )的内容。如果不是，程序将崩溃并通知您断言失败。否则，您的代码会尝试插入太多元素并且已经包含太多元素。

在push_to_queue开始时使用该断言，您可以查看if( queue->max_length == queue->length )。

我建议您在尝试在更大的程序中使用它之前对您的队列库进行单元测试。使用普通和边缘情况测试每种方法。例如......

void test_delete_queue() {
    queue_t *q = create_queue(3);

    int nums[3] = {4,5,6};
    for( int i = 0; i < 3; i++ ) {
        push_to_queue(q, &num);
    }

    delete_queue(q);
}

虽然这似乎不包含任何测试，但它会让您知道delete_queue没有段错误并且使用valgrind运行它会检测到任何泄漏。

另一个例子，在阅读代码时，我对queue->inserting和queue->extracting非常怀疑。在我看来，如果你推动和弹出足够的话他们会失去同步。所以我测试了它。令我惊讶的是，它有效！现在我们确定这不是问题。

void test_push_pop() {
    queue_t *q = create_queue(3);

    int nums[4] = {10, 20, 30, 40};

    /* Push twice then pop once */
    assert( push_to_queue(q, &nums[0]) );
    assert( push_to_queue(q, &nums[1]) );
    assert( (int*)pop_from_queue(q) == &nums[0] );

    /* Push and pop again */
    assert( push_to_queue(q, &nums[2]) );
    assert( (int*)pop_from_queue(q) == &nums[1] );

    /* Push one more than the max length. This should be ok
       as we've already popped twice */
    assert( push_to_queue(q, &nums[3] ) );
    assert( (int*)pop_from_queue(q) == &nums[2] );
    assert( (int*)pop_from_queue(q) == &nums[3] );

    assert( get_queue_size(q) == 0 );

    delete_queue(q);
}

但pop的类似测试不起作用，因为它会释放整个队列。

结构中的大小读取无效

1 个答案: