19

This question is meant to be used as a canonical duplicate for this FAQ:

I am allocating data dynamically inside a function and everything works well, but only inside the function where the allocation takes place. When I attempt to use the same data outside the function, I get crashes or other unexpected program behavior.

Here is a MCVE:

#include <stdlib.h>
#include <stdio.h>

void create_array (int* data, int size)
{
  data = malloc(sizeof(*data) * size);
  for(int i=0; i<size; i++)
  {
    data[i] = i;
  }

  print_array(data, size);
}

void print_array (int* data, int size)
{
  for(int i=0; i<size; i++)
  {
    printf("%d ", data[i]);
  }
  printf("\n");
}

int main (void)
{
  int* data;
  const int size = 5;

  create_array(data, size);
  print_array(data, size);  // crash here

  free(data);
}

Whenever print_array is called from inside the create_array function, I get the expected output 0 1 2 3 4, but when I call it from main, I get a program crash.

What is the reason for this?

Lundin
  • 155,020
  • 33
  • 213
  • 341
  • 5
    I almost downvoted you for making such a stupid mistake :) – Jean-François Fabre Sep 14 '16 at 09:25
  • 1
    @Jean-FrançoisFabre Unfortunately I haven't found a way to make the question a community wiki, only the answer. I've poked the mods, so hopefully it will get converted to community wiki soon. – Lundin Sep 14 '16 at 09:27
  • 2
    I think can be better hosted on Documentation Beta. – LPs Sep 14 '16 at 09:27
  • @LPs By all means, feel free to copy/pasta it over there. You can't use a Documentation page for close-as-duplicate though. Nor will it pop up when people post a new question nor search for the answer themselves. – Lundin Sep 14 '16 at 09:30
  • @RestlessC0bra No, there's nothing wrong with this code. Don't use broken compilers/static analysers. The particular error you describe is a typical, well-known "false positive", it is a common bug found in many tools. – Lundin Mar 17 '17 at 11:57
  • 2
    @RestlessC0bra False positives = tool bugs = broken tool. VS2015 is a C++ compiler. In C mode, it is very much broken and everyone knows it. It does not conform to the C standard, nor does it conform to the previous C standard from 1999, nor does it conform to the ancient C90/ANSI standard. It is also well-known to whine about perfectly fine C code, since Microsoft think they alone should have the authority to dictate which language features that are good and bad, rather than the C standard committee. – Lundin Mar 17 '17 at 12:06
  • 1
    @Lundin I would give you bounty for your comment if I could! – Matthieu May 17 '19 at 23:12

1 Answers1

17

The reason for this bug is that the data used by the create_array function is a local variable that only exists inside that function. The assigned memory address obtained from malloc is only stored in this local variable and never returned to the caller.

Consider this simple example:

void func (int x)
{
  x = 1;
  printf("%d", x);
}

...
int a;
func(a);
printf("%d", a); // bad, undefined behavior - the program might crash or print garbage

Here, a copy of the variable a is stored locally inside the function, as the parameter x. This is known as pass-by-value.

When x is modified, only that local variable gets changed. The variable a in the caller remains unchanged, and since a is not initialized, it will contain "garbage" and cannot be reliably used.

Pointers are no exception to this pass-by-value rule. In your example, the pointer variable data is passed by value to the function. The data pointer inside the function is a local copy and the assigned address from malloc is never passed back to the caller.

So the pointer variable in the caller remains uninitialized and therefore the program crashes. In addition, the create_array function has also created a memory leak, since after that function execution, there is no longer any pointer in the program keeping track of that chunk of allocated memory.

There are two ways you can modify the function to work as expected. Either by returning a copy of the local variable back to the caller:

int* create_array (int size)
{
  int* data = malloc(sizeof(*data) * size);
  for(int i=0; i<size; i++)
  {
    data[i] = i;
  }

  print_array(data, size);

  return data;
}

int main (void)
{
  int* data;
  const int size = 5;

  data = create_array(size);
  print_array(data, size);
}

or by passing the address to the caller's pointer variable and write directly to the caller variable:

void create_array (int** data, int size)
{
  int* tmp = malloc(sizeof(*tmp) * size);
  for(int i=0; i<size; i++)
  {
    tmp[i] = i;
  }

  *data = tmp;      
  print_array(*data, size);
}

int main (void)
{
  int* data;
  const int size = 5;

  create_array(&data, size);
  print_array(data, size);
}

Either form is fine.

CiaPan
  • 8,142
  • 2
  • 18
  • 32
Lundin
  • 155,020
  • 33
  • 213
  • 341
  • @RestlessC0bra Thanks, it's been fixed. Though this is a community wiki so you are free to edit it too. – Lundin Mar 17 '17 at 12:50