Use freed memory could really crash ?

Question

The following code access to memory that is no more allocated.

#include <stdio.h>
int main()
{
        int * ptr = new int(5);
        delete ptr;
        return *ptr;
}

The pointer access to memory that is no more allocated but till the memory is accessible it will just return a value. I wonder if, practically, it is possible that the program ends crashing with a segmentation violation signal.

EDIT: I run in a loop the program more than 100000 times without crash, that does not means it will never crash, just that it has not crashed during theses 100000 times. Perhaps it is not possible with a so simple program ?

Answer 1

Yes, it could really crash ;)

Your example is actually too simple to crash though. For your example to crash, your process (the standard C library) would have to return the memory to the Operating System in the delete command. Since the memory on most systems today is organized in pages, you would have to allocate memory big enough so that when its freed, the whole page is freed and returned to the OS. The segmentation fault occurs when you access memory that is not mapped - this is the case of the memory that was returned to the OS. But, you are allocating too small amount of memory for that to happen.

If you want a crash, give the system more chance :)

#include <stdio.h>
#include <string.h>

// number of megabytes you will allocate
#define N 100
 
int main()
{
        char *ptr[N];
        int i;

        for (i = 0; i < N; i++) {
                ptr[i] = new char[1*1024*1024];
        }
        // if you remove the following loop, it won't crash
        for (i = 0; i < N; i++) {
                delete ptr[i];
        }
        return ptr[0][2000];
}

This crashes every time on my system. Even in your case it could crash if your int would be just the last thing on that page (well not surely, depends on the implementation of the standard C library), but a lot of chance would be needed for that, and its implementation dependent.

I just created more likely crash-case for you to actually believe it could happen :-)

Answer 2

A case that crash with a segmentation violation (based on the example of Thomas) could be :

#include <stdio.h>
#include <string.h>

int main()
{
        size_t size = 1024*1024;
        char *ptr = new char[size];
        memset(ptr,255,size);
        delete [] ptr;
        return ptr[0];
}

Answer 3

The C standard only says that deferencing a freed pointer is undefined behaviour. It does not say it has to crash. It says nothing about what should happen really.

You would have to understand what "delete" actually does. Probably memory is just lazyly deleted by the operating system, and marked as free for available use, but since no other process has taken ownership of this memory between the 'delete ptr' and the 'return ptr', it does not surprise me that you do not segfault here.

But again, your question cannot be answered anymore than by saying it's undefined behaviour. What the baheviour is can depend on the implementation and the operating system, and be random and unpredictable (such as dependant on another process having had time to appropriate this memory between the delete and the return).

Answer 4

ptr still contains a memory address. Whether or not accessing this particular address in the context of your process depends on the state of the operating system's memory management and whether the heap management of your system's C++ compiler might return memory freed due to delete to the OS memory management. If it's gone, you'll see a segment violation.

But chances are that accessing the address is still possible and your program won't be terminated due to trespassing. But even if this is certain, you won't have any guarantee that the value returned from main is still the value the variable held before the delete. Heap memory management is a very intricate piece of software and there's no telling what happens to the chunk of memory while it is returned.

Finally, if your program uses threads, another thread may have requested memory and received and changed what was returned a few nanoseconds ago.

So: don't, never, ever!

Answer 5

Yes, you should never work on freed memory.

The use of heap allocated memory after it has been freed or deleted leads to undefined system behavior.

Sometimes it could appears to work, sometimes it does not work, depending if your freed memory is reused.

Answer 6

I wonder if it is possible that this makes crash the program with a segmentation violation signal or such kind of thing.

Yes. De-referencing a deleted pointer is undefined behaviour. One of the things could happen is a crash. Another is that the program could silently exit without any problems.