C - Accessing data AFTER memory has been free()ed?

Question

I\'m reading a lot about malloc() and free() in Standard C. As I understand it, you malloc() for some memory exactly once and then you free() that

Answer 1

The crash in your code is due to double free. Appendix J.2 of C11 says that behaviour is undefined for example when:

The pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc (7.22.3.3, 7.22.3.5).

However it is possible to write code that will crash on Linux just by reading a value from memory that was just freed.

In glibc + Linux there are two different mechanisms of memory allocations. One uses the brk/sbrk to resize the data segment, and the other uses the mmap system call to ask the operating system to give large chunks of memory. The former is used for small allocations, like your 10 characters above, and mmap for large chunks. So you might get a crash by even accessing the memory just after free:

#include 
#include 

int main(){
    char* p = malloc(1024 * 1024);
    printf("%d\n", *p);
    free(p);
    printf("%d\n", *p);
}

And finally, the C11 standard says that the behaviour is undefined even when

The value of a pointer that refers to space deallocated by a call to the free or realloc function is used (7.22.3).

This means that after not only that dereferencing the pointer (*p) has undefined behaviour, but also that it is not safe to use the pointer in any other way, even doing p == NULL has UB. This follows from C11 6.2.4p2 that says:

The value of a pointer becomes indeterminate when the object it points to (or just past) reaches the end of its lifetime.