mallocis a subroutine provided in the C and C++ programming language's standard libraries for performing dynamic memory allocation.
allocafunction, which allows run-time allocation of variable-sized automatic variables on the stack. C99 supports variable-length arrays of block scope having sizes determined at runtime.
The lifetime of allocated memory is also a concern. Neither static- nor automatic-duration memory is adequate for all situations. Automatic-allocated data cannot persist across multiple function calls, while static data persists for the life of the program whether it is needed or not. In many situations the programmer requires greater flexibility in managing the lifetime of allocated memory.
These limitations are avoided by using dynamic memory allocation in which memory is more explicitly but more flexibly managed, typically by allocating it from a heap, an area of memory structured for this purpose. In C, one uses the library function
malloc to allocate a block of memory on the heap. The program accesses this block of memory via a pointer which
malloc returns. When the memory is no longer needed, the pointer is passed to
free which deallocates the memory so that it can be used for other purposes.
mallocfunction is one of the functions in standard C to allocate memory. Its function prototype is which allocates
sizebytes of memory. If the allocation succeeds, a pointer to the block of memory is returned, else a null pointer is returned.
malloc returns a void pointer (
void *), which indicates that it is a pointer to a region of unknown data type. Note that because
malloc returns a void pointer, it needn't be explicitly cast to a more specific pointer type: ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because
malloc originally returned a
char *, but this cast is unnecessary in standard C code. However, omitting the cast creates an incompatibility with C++, which requires it.
Memory allocated via
malloc is persistent: it will continue to exist until the program terminates or the memory is explicitly deallocated by the programmer (that is, the block is said to be "freed"). This is achieved by use of the
free function. Its prototype is
which releases the block of memory pointed to by
pointer must have been previously returned by
realloc and must only be passed to
Another problem is when The heap method suffers from a few inherent flaws, stemming entirely from fragmentation. Like any method of memory allocation, the heap will become fragmented; that is, there will be sections of used and unused memory in the allocated space on the heap. A good allocator will attempt to find an unused area of already allocated memory to use before resorting to expanding the heap. The major problem with this method is that the heap has only two significant attributes: base, or the beginning of the heap in virtual memory space; and length, or its size. The heap requires enough system memory to fill its entire length, and its base can never change. Thus, any large areas of unused memory are wasted. The heap can get "stuck" in this position if a small used segment exists at the end of the heap, which could waste any magnitude of address space, from a few megabytes to a few hundred.
returns a null pointer to indicate that no memory is available, or that some other error occurred which prevented memory being allocated.
malloc returns a block of memory that is allocated for the programmer to use, but is uninitialized. The memory is usually initialized by hand if necessary—either via the
memset function, or by one or more assignment statements that dereference the pointer. An alternative is to use the
calloc function, which allocates memory and then initializes it. Its prototype is
which allocates a region of memory large enough to hold
nelements of size
bytes each. The allocated region is initialized to zero.
It is often useful to be able to grow or shrink a block of memory. This can be done using
realloc which returns a pointer to a memory region of the specified size, which contains the same data as the old region pointed to by
pointer (truncated to the minimum of the old and new sizes). If
realloc is unable to resize the memory region in place, it allocates new storage, copies the required data, and frees the old pointer. If this allocation fails,
realloc maintains the original pointer unaltered, and returns the null pointer value. The newly allocated region of memory is uninitialized (its contents are not predictable). The function prototype is
realloc behaves like
malloc if the first argument is NULL:
The improper use of
malloc and related functions can frequently be a source of bugs.
malloc is not guaranteed to succeed — if there is no memory available, or if the program has exceeded the amount of memory it is allowed to reference,
malloc will return a null pointer. Many programs do not check for
malloc failure. Such a program would attempt to use the null pointer returned by
malloc as if it pointed to allocated memory, and the program would crash.
When a call to
realloc succeeds, the return value of the call should eventually be passed to the
free function. This releases the allocated memory, allowing it to be reused to satisfy other memory allocation requests. If this is not done, the allocated memory will not be released until the process exits — in other words, a memory leak will occur. Typically, memory leaks are caused by losing track of pointers, for example not using a temporary pointer for the return value of
realloc, which may lead to the original pointer being overwritten with a null pointer, for example:
Use after free
After a pointer has been passed to
free, it becomes a dangling pointer: it references a region of memory with undefined content, which may not be available for use. The pointer's value cannot be accessed. For example:
Code like this has undefined behavior: its effect may vary. Even attempting to print the variable with printf is undefined behavior (assuming
malloc did not return a null pointer); for example:
Commonly, the system may have reused freed memory for other purposes. Therefore, writing through a pointer to a deallocated region of memory may result in overwriting another piece of data somewhere else in the program. Depending on what data is overwritten, this may result in data corruption or cause the program to crash at a later time. A particularly bad example of this problem is if the same pointer is passed to
free twice, known as a double free. To avoid this, some programmers set pointers to
NULL after passing them to
free(NULL) is safe (it does nothing). However, this will not protect other aliases to the same pointer from being doubly freed.
Freeing unallocated memory
free is passed an address that wasn't allocated by
calloc. This can be caused when a pointer to a literal string or the name of a declared array is passed to
free, for example:
Passing either of the above pointers to
free will result in undefined behaviour.
The implementation of memory management depends greatly upon operating system and architecture. Some operating systems supply an allocator for malloc, while others supply functions to control certain regions of data. The same dynamic memory allocator is often used to implement both malloc and
operator new in C++. Hence, it is referred to below as the allocator rather than
Implementation of the allocator on IA-32 architectures is commonly done using the heap, or data segment. The allocator will usually expand and contract the heap to fulfill allocation requests.
The glibc allocator
The GNU C library (glibc) uses both
mmap on the Linux operating system. The
brk system call will change the size of the heap to be larger or smaller as needed, while the
mmap system call will be used when extremely large segments are allocated. The heap method suffers the same flaws as any other, while the mmap method may avert problems with huge buffers trapping a small allocation at the end after their expiration.
mmap method has its own flaws: it always allocates a segment by mapping entire pages. Mapping even a single byte will use an entire page which is usually 4096 bytes. Although this is usually quite acceptable, many architectures provide large page support (up to four megabytes). The combination of this method with large pages can potentially waste vast amounts of memory. The advantage to the
mmap method is that when the segment is freed, the memory is returned to the system immediately.
OpenBSD's implementation of the
malloc function makes use of
mmap. For requests greater in size than one page, the entire allocation is retrieved using
mmap; smaller sizes are assigned from memory pools maintained by
malloc within a number of "bucket pages," also allocated with
mmap. On a call to
free, memory is released and unmapped from the process address space using
munmap. This system is designed to improve security by taking advantage of the address space layout randomization and gap page features implemented as part of OpenBSD's
mmap system call, and to detect use-after-free bugs—as a large memory allocation is completely unmapped after it is freed, further use causes a segmentation fault and termination of the program.
The Hoard memory allocator is an allocator whose goal is scalable memory allocation performance. Like OpenBSD's allocator, Hoard uses
mmap exclusively, but manages memory in chunks of 64 kilobytes called superblocks. Hoard's heap is logically divided into a single global heap and a number of per-processor heaps. In addition, there is a thread-local cache that can hold a limited number of superblocks. By allocating only from superblocks on the local per-thread or per-processor heap, and moving mostly-empty superblocks to the global heap so they can be reused by other processors, Hoard keeps fragmentation low while achieving near linear scalability with the number of threads.
Operating system kernels need to allocate memory just as application programs do. The implementation of
malloc within a kernel often differs significantly from the implementations used by C libraries, however. For example, memory buffers might need to conform to special restrictions imposed by DMA, or the memory allocation function might be called from interrupt context This necessitates a
malloc implementation tightly integrated with the virtual memory subsystem of the operating system kernel.
Allocation size limits
The largest possible memory block
malloc can allocate depends on the host system, particularly the size of physical memory and the operating system implementation. Theoretically, the largest number should be the maximum value that can be held in a size_t type, which is an implementation-dependent unsigned integer representing the size of an area of memory. The maximum value is
(size_t) −1, or the constant
SIZE_MAX in the C99 standard.
Another problem is when
The heap method suffers from a few inherent flaws, stemming entirely from fragmentation. Like any method of memory allocation, the heap will become fragmented; that is, there will be sections of used and unused memory in the allocated space on the heap. A good allocator will attempt to find an unused area of already allocated memory to use before resorting to expanding the heap. The major problem with this method is that the heap has only two significant attributes: base, or the beginning of the heap in virtual memory space; and length, or its size. The heap requires enough system memory to fill its entire length, and its base can never change. Thus, any large areas of unused memory are wasted. The heap can get "stuck" in this position if a small used segment exists at the end of the heap, which could waste any magnitude of address space, from a few megabytes to a few hundred.