* better

[mascara-docs.git] / lang / C / the.ansi.c.programming.language / c.programming.notes.int / sx7.html

<!DOCTYPE HTML PUBLIC "-//W3O//DTD W3 HTML 2.0//EN">
<!-- This collection of hypertext pages is Copyright 1995-7 by Steve Summit. -->
<!-- This material may be freely redistributed and used -->
<!-- but may not be republished or sold without permission. -->
<html>
<head>
<link rev="owner" href="mailto:scs@eskimo.com">
<link rev="made" href="mailto:scs@eskimo.com">
<title>Chapter 21: Pointer Allocation Strategies</title>
<link href="sx6b.html" rev=precedes>
<link href="sx8.html" rel=precedes>
<link href="top.html" rev=subdocument>
</head>
<body>
<H1>Chapter 21: Pointer Allocation Strategies</H1>

<p>Pointers are viewed by many as the bane of C programming,
because out-of-control pointers can do a lot of damage,
and can be hard to track down.
But real programs tend to make heavy use of pointers.
How can we keep pointers under control?
</p><p>The big problem with pointers, of course,
is that they can point anywhere,
including to places they're not supposed to.
When a pointer points to the wrong place
(perhaps because it was never initialized properly,
such that it essentially points to a random place),
a fetch of the data it ``points'' to will result in
garbage
(or may cause the program to crash with a memory access
violation),
and a <em>write</em> of some new data to the location it
``points'' to will damage some other part of your
program, or of some other program, or of the operating system
(or may cause the program to crash).
Crashes, in fact, though they're frustrating and annoying,
may be preferable to the alternatives,
namely performing quiet but meaningless computations
or damaging other code,
both of which can be even more annoying and even harder to track down.
</p><p>Our goal, then, is to make sure that our pointers are always
<dfn>valid</dfn>,
or when they are not,
to make sure that
we can
know that they are not.
First, then, let's discuss what we mean by a ``valid pointer.''
</p><p>A valid pointer
(more precisely, a valid pointer value)
is one that does in fact point to an object of the
type that the pointer is declared to point to.
Furthermore, if the pointer will be used to store new values,
the old value must be sitting in writable memory

(that is, it must not be a variable that was declared <TT>const</TT>,
or a string that results from a string literal).
In contrast to valid pointers,
we may distinguish among several kinds of invalid pointers:
null pointers,
uninitialized pointers,
pointers to memory that used to exist but has disappeared,
pointers to memory that once came from <TT>malloc</TT> but has
since been freed.
</p><p>The tricky thing about valid and invalid pointers
is that there's no simple way in C to ask ``is this pointer
valid?'' or ``is this pointer invalid?''.
The only questions we can ask about pointers are
``is this pointer equal to this other pointer?'',
``is this pointer unequal to this other pointer?'',
and, for pointers into the same array,
``is this pointer greater or less than this other pointer?''.
</p><p>Part one of our strategy for managing pointers,
then,
will be to arrange that all or most invalid pointers are null pointers.
Whenever we do anything which would cause a pointer to be invalid,
that is,
whenever we declare one
(such that it would otherwise have a garbage initial value),
or whenever we do something that causes the memory which one of
our pointers used to point to to disappear,
we'll set the pointer to <TT>NULL</TT>.
Having done so, we can test whether the pointer is currently
valid by checking if it's not equal to the null pointer,
or contrariwise,
we can test whether it's invalid by checking if it's equal to the
null pointer.
</p><p>Remember that C doesn't generally do any of this
automatically.
It does not guarantee that all newly-allocated pointers are
initialized to null pointers,
and it does not insert automatic validity checks before you try
to use a pointer.
If you want to be sure that a pointer is initialized to a null
pointer,
<em>you</em> must generally set it to <TT>NULL</TT>.
If you have a pointer which you're thinking of using but which
might or might not be valid
(and if it's a pointer which you believe you'd have set to
<TT>NULL</TT> if it was invalid),
<em>you</em> must precede your use of the pointer with a test of
the form
<pre>
        if(p != NULL)
</pre>
</p><p>Furthermore,
if you write the test
<TT>if(p != NULL)</TT>,
it does not in the general case mean
``is <TT>p</TT> valid?''.
The test
<TT>if(p != NULL)
</TT>can only be used to mean
``is <TT>p</TT> valid?''
<em>if</em> you have taken care
to make sure that
all non-valid pointers
have been set to null.
</p><p>(There is one condition under which C does guarantee that a
pointer variable will be initialized to a null pointer,
and that is when the pointer variable is a global variable or a
member of a global structure,
or more precisely,
when it is part of a variable, array, or structure which has
static duration.)
</p><p>Remember, too,
that the shorthand form
<pre>
        if(p)
</pre>
is precisely equivalent to
<TT>if(p != NULL)</TT>.
So you may be able to read
<TT>if(p)
</TT>as
``if <TT>p</TT> is valid'',
but again,
only if
you've ensured that
whenever <TT>p</TT> is not valid,
it is set to null.
</p><p>The degree of care with which you have to implement a pointer
management strategy may be different for
different pointer variables
you use.
If a pointer variable is immediately set to a valid pointer
value,
and if nothing ever happens which could make it become invalid,
then there's no need to check it before each time you use it.
Similarly, if a pointer is set to point to different locations
from time to time,
but it can be shown that it will always be valid,
there's again no reason to test it all the time.
However, if a particular pointer is valid some of the time and
invalid
other

of the time,
or in particular,
if it records some optional data which might or might not be
present,
then you'll want to be very careful to set the pointer to
<TT>NULL</TT> whenever it's not valid
(or whenever the optional data is not present),
and to test the pointer before using it (that is, before fetching
or writing to the location that it points to).
</p><p>Everything we've just said about ``pointer variables''
is equally true,
and perhaps more important,
for pointer fields within structures.
When you define a structure, you will typically be allocating
many instances of that structure,
so you will have many instances of that pointer.
You will typically have central pieces of code which operate on
instances of that structure,
meaning that each time the
piece of
code runs,
it may be operating on a different instance of the structure,
so if the pointer field is one that isn't always valid
(that is,
isn't valid in all instances of the structure),
the code had better test it before using it.
Similarly, the code had better set the pointer field to
<TT>NULL</TT> if it ever invalidates it.
</p><p>For example, one of the first features we added to the adventure game
was a long description for objects and rooms.
But the long description is optional;
not all objects and rooms have one.
Suppose
we chose to use a <TT>char *</TT>
within <TT>struct object</TT> and <TT>struct room</TT>
to point at a dynamically-allocated string containing the long description.
(This choice would be preferable to a fixed-size array of <TT>char</TT>
because it may be the case that some long descriptions will be elaborately long,
and we'd neither want to limit the potential length of descriptions
by having a too-small array
nor waste space for objects with short or empty descriptions
by always using a too-large array.)
For each
instance of an
object or room structure,
we'd initialize
the description field to contain a null pointer.
For each
room or object
with a long description,
we'd set the description field to contain a pointer to the appropriate
(and appropriately-allocated)
string.
Finally, when it came time to print the descrition,
we'd use code like
<pre>
        if(objp-&gt;desc != NULL)
                printf("%s\n", objp-&gt;desc);
        else    printf("You see nothing special about the %s.\n", objp-&gt;name);
</pre>
</p><p>Particular care is needed when pointers point to
dynamically-allocated memory,
managed with the standard library functions <TT>malloc</TT>,
<TT>free</TT>,
and <TT>realloc</TT>.
Somehow,
it's easier to make mistakes here,
and their consequences tend to be more damaging and harder to
track down.
</p><p>First of all,
of course,
you must always ensure that the allocation functions
<TT>malloc</TT> and <TT>realloc</TT> succeed.
These functions return null pointers
when they are unable to allocate the requested memory,
so you must <em>always</em> check the return value
to see that it is not a null pointer,
before using it.
(If the return value is a null pointer,
you will generally print some kind of error message
and abort
at least
the particular function that needed the allocated memory,
or perhaps abort the entire program.)
</p><p>Don't get in the habit of assuming that
a single, simple call to <TT>malloc</TT> will ``always'' succeed.
Don't make excuses like
``this program doesn't use much memory to begin with,
and I'm only allocating 10 bytes here,
so how can it possibly fail?''
For one thing, there are more reasons for <TT>malloc</TT>
to fail--and return a null pointer--than
that there was no more memory.
Typically, <TT>malloc</TT> will also return a null pointer
if it is able to detect that you have misused
some of the memory that you have previously allocated,
perhaps by writing to more of it than you asked for.
In this case, <TT>malloc</TT> is trying to tell you something,
something you need to know,
and although its voice is small
(and although tracking down the problem that it's complaining about
may be difficult),
you will only have more problems,
and more difficult to track down,
if <TT>malloc</TT> returns a null pointer
but you then use that pointer as if it were valid.
(As an example of how it can be alarmingly easy
to misuse the memory that <TT>malloc</TT> gives you,
consider this hypothetical scrap of code
for making a dynamically-allocated copy of a string:
<pre>
        char *copystring = malloc(strlen(originalstring))       /* Beware... */
        if(copystring != NULL)
                strcpy(copystring, originalstring);
</pre>
Hint:
what about the <TT>\0</TT> that terminates the string?)
</p><p>In a program that allocates a lot of different pieces of memory
for a lot of different things,

it can be a real nuisance to have to check
each pointer returned
from each call to <TT>malloc</TT>
to make sure it's not null.
One popular shortcut is to define
a ``wrapper'' function around malloc,
which calls <TT>malloc</TT>
and checks the return value
in one central place.
For example,
the adventure game uses the function
<pre>
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include "chkmalloc.h"

void *
chkmalloc(size_t sz)
{
void *ret = malloc(sz);
if(ret == NULL)
        {
        fprintf(stderr, "Out of memory\n");
        exit(EXIT_FAILURE);
        }
return ret;
}
</pre>
One way to think about <TT>chkmalloc</TT>
is that it centralizes the test on
<TT>malloc</TT>'s return value.
Another way of thinking about it
is that it is a special, alternate version of <TT>malloc</TT>
that never returns <TT>NULL</TT>.
(The fact that it never returns <TT>NULL</TT>
does not mean that it never fails,
but just that if/when it does fail,
it signifies this
by calling <TT>exit</TT>
instead of
returning <TT>NULL</TT>.)
Aborting the entire program
when a call to <TT>malloc</TT> fails
may seem draconian,
and there are programs
(e.g. text editors)
for which it would be a completely unacceptable strategy,
but it's fine for our purposes,
especially if it doesn't happen very often.
(In any case, aborting the program cleanly
with a message like ``Out of memory''
is still vastly preferable to crashing horribly and mysteriously,
which is what programs that don't check
<TT>malloc</TT>'s return value
eventually
do.)
</p><p>Another
area of concern
is that
when you're calling <TT>free</TT> and <TT>realloc</TT>,
there are more ways for pointers to become invalid.
For example,
consider the code
<pre>
        /* p is known to have come from malloc() */
        free(p);
</pre>
After calling <TT>free</TT>, is <TT>p</TT> valid or invalid?
C uses pass-by-value, so <TT>p</TT>'s value hasn't changed.
(The <TT>free</TT> function couldn't change it if it tried.)
But <TT>p</TT> is most definitely now <em>invalid</em>;
it no longer points to memory which the program can use.
However, it does still point just where it used to,
so if the program accidentally uses it,
there will still seem to be data there,
except that the data will be sitting in memory which may now
have been allocated to ``someone else''!
Therefore, if the variable <TT>p</TT> persists
(that is, if it's something other than a local variable that's
about to disappear when its function returns,
or a pointer field within a structure which is all about to
disappear),
it would probably be a good idea to set <TT>p</TT> to <TT>NULL</TT>:
<pre>
        free(p);
        p = NULL;
</pre>
(Of course, setting <TT>p</TT> to <TT>NULL</TT> only accomplishes
something if later uses
of <TT>p</TT> check it before using it.)
</p><p>Finally, let's think about <TT>realloc</TT>.
<TT>realloc</TT>, remember,
attempts to enlarge a chunk of memory which we originally
obtained from <TT>malloc</TT>.
(It lets us change our mind about how much memory we had asked for.)
But <TT>realloc</TT> is not always able to enlarge a chunk of memory in-place;
sometimes it must go elsewhere in memory to find a contiguous
piece of memory big enough to satisfy the enlargement request.
So what
about this code?
<pre>
        newp = realloc(oldp, newsize);
</pre>
Is <TT>oldp</TT> valid or invalid after this call?
It depends on whether <TT>realloc</TT> returned the old pointer
value or not
(that is, on whether it was able to enlarge the memory block
in-place or had to go elsewhere).
Most of the time,
you will use <TT>realloc</TT> something like this:
<pre>
        newp = realloc(p, newsize);
        if(newp != NULL)
                {
                /* success; got newsize */
                p = newp;
                }
        else    {
                /* failure; p still points to block of old size */
                }
</pre>
With a setup like this,
<TT>p</TT> remains valid,
and <TT>newp</TT> is a temporary variable which we don't use further
after testing it and perhaps assigning it to <TT>p</TT>.
</p><p>A final issue concerns pointer <dfn>aliases</dfn>.
If several pointers point into the same block of memory,
and if that block of memory moves or disappears,
<em>all</em> the old pointers become invalid.
If you have a sequence of code which amounts to
<pre>
        p2 = p;
        ...
        free(p);
        p = NULL;
</pre>
then setting <TT>p</TT> to <TT>NULL</TT> may not have been sufficient,
because <TT>p2</TT> just became invalid, too, and may also need
setting to <TT>NULL</TT>.
The situation is particularly tricky with <TT>realloc</TT>:
suppose that you have a pointer to a chunk of memory:
<pre>
        char *p = malloc(10);
</pre>
and another pointer which points within that chunk:
<pre>
        char *p2 = p + 5;
</pre>
Now, if you reallocate <TT>p</TT>,
and if <TT>realloc</TT>
has to go elsewhere
and so
returns a different pointer value
which you assign to <TT>p</TT>,
you've also got to fix up <TT>p2</TT>,
because it just had the rug yanked out from under it,
and is now invalid.
To keep <TT>p2</TT> up-to-date,
you might use code like this:
<pre>
        int p2offset = p2 - p;
        newp = realloc(p, newsize);
        if(newp != NULL)
                {
                /* success; got newsize */
                p = newp;
                p2 = p + p2offset;
                }
        else    {
                /* failure; p and p2 still point to block of old size */
                }
</pre>
Before calling <TT>realloc</TT>,
we record (in the <TT>int</TT> variable <TT>p2offset</TT>)
how far beyond <TT>p</TT>
the secondary pointer
<TT>p2</TT> used to point,
so that we can generate a corresponding new value of <TT>p2</TT>
if <TT>p</TT> moves.
</p><hr>
<p>
Read sequentially:
<a href="sx6b.html" rev=precedes>prev</a>
<a href="sx8.html" rel=precedes>next</a>
<a href="top.html" rev=subdocument>up</a>
<a href="top.html">top</a>
</p>
<p>
This page by <a href="http://www.eskimo.com/~scs/">Steve Summit</a>
// <a href="copyright.html">Copyright</a> 1996-1999
// <a href="mailto:scs@eskimo.com">mail feedback</a>
</p>
</body>
</html>