C Error: free(): invalid next size (fast):, different behaviour of C program on OSX, Linux

Question

This question has been asked several times, but since I think my situation is I think more specific:

I have a C program, which works perfectly on my OSX system (too huge to copy). I already tested it with Valgrind, and I am not missing any frees /mallocs /or writes, all problems are solved 100%.

When I now run the program over ssh on an external sever, when I run with not that many data (see code below, my_length < 1000), it works without any problem. But with a larger dataset, using the Linux terminal I get this error:

 *** Error in `./a.out': free(): invalid next size (fast): 0x00000000016b9ed0 ***
 ======= Backtrace: =========
 /lib64/libc.so.6[0x3e50475cff]
 /lib64/libc.so.6[0x3e5047cff8]
 ./a.out[0x41083c]
 ./a.out[0x402374]
 /lib64/libc.so.6(__libc_start_main+0xf5)[0x3e50421d65]
 ./a.out[0x400e79]
 ======= Memory map: ========
  00400000-00418000 r-xp 00000000 00:4d 89038   

[...]

and when I run it on Solaris it complains :

malloc failed

at a line where I allocate a three dimensional array:

 int ***A, ***B, ***C;
 A = malloc(sizeof(int**)*2); B = malloc(sizeof(int**)*2); C = malloc(sizeof(int**)*2);
 int i;
 for (i = 0; i < 2; i++) {
    A[i] = malloc(sizeof(int*)* my_length);
    B[i] = malloc(sizeof(int*)* my_length);
    C[i] = malloc(sizeof(int*)* my_length);
    for (j = 0; j <= my_length2; j++) {
        A[i][j] = malloc(sizeof(int)* my_length2);
        B[i][j] = malloc(sizeof(int)* my_length2);
        C[i][j] = malloc(sizeof(int)* my_length2);<== malloc failed here??
    }   
}

where my_length and my_length2 get really really huge!

I am getting desperate! Does someone have any clue what my problem could be?

Answer 1

Ok I found one possible solution, I was increasing my values step by step, and now valgrind reports following:

==3954== Invalid write of size 8
==3954==    at 0x344C1B: _platform_memmove$VARIANT$Unknown (in       /usr/lib/system/libsystem_platform.dylib)
==3954==    by 0x1C4D74: __memcpy_chk (in /usr/lib/system/libsystem_c.dylib)
==3954==    by 0x10000B2E4: my_method (delete.c:1461)
==3954==    by 0x1000025B3: main (delete.c:365)
==3954==  Address 0x1020611a0 is 16 bytes after a block of size 2,096 alloc'd
==3954==    at 0x56AA: realloc (vg_replace_malloc.c:698)
==3954==    by 0x10000B21E: my_method (delete.c:1458)
==3954==    by 0x1000025B3: main (delete.c:365)

And this is the code, because I have no idea why this appears:S

if (temp_length + strlen(new_substring)
                > max_seq_lens[i]) {

            max_len[i] *= 2;
            my_array[i].name = realloc(sizeof(char)* max_seq_lens[i]); <=== 
        }
 temp_length += (some_num);

SO here temp_length is saving the current length of my my_array[i].name, I am trying to concatenate a new string (new_substring) and before I concatenate them, I tried to check if the memory is enough, I really don't see my mistake here :S

Answer 2

There are so many duplicates found for this question that annoyingly, I cannot find the right one for you.

The basic problem is that your program has most definitely written over the memory block tracking information that the malloc/free library uses.

Somewhere in your program is a memory write that is out of bounds.