1

I use Pin to analyze my simple program.

It has 4 malloc functions; however, when I use Pin with the pintool named malloctrace, it shows more than 4 mallocs.

What are these malloc functions?

My OS is Ubuntu 12.04 64-bit. Below are the code I wrote and the result of the pintool.

#include <stdio.h>
#define SIZE 100

int main()
{
    int *test1 = (int*)malloc(SIZE* sizeof(int));
    int *test2 = (int*)malloc(SIZE* sizeof(int));
    int i, j;
    int *test3 = (int*)malloc(16*sizeof(int));
    int *test4 = (char*)malloc(SIZE* sizeof(int));

    test1[0] = 2;
    test1[2] = 3;
    test2[0] = 5;

    printf("test1's addr : %p , test1's val = %d    \n", test1, test1[0]);
    printf("test1's addr : %p , test1's val = %d    \n", &test1[1], test1[1]);
    printf("test2's addr : %p , test2's val = %d    \n", &test1[9], test1[9]);


    return 0;
}

       name           size          start_addr           malloc_IP          access_cnt
     malloc          0x589                   0      0x7ffff7de557e                   0
     malloc          0x489                   0      0x7ffff7de557e                   0
     malloc            0xf                   0      0x7ffff7ddd29e                   0
     malloc           0x4b                   0      0x7ffff7df01b2                   0
     malloc           0x28                   0      0x7ffff7de1fe7                   0
     malloc         0x14a0                   0      0x7ffff7de202c                   0
     malloc           0x28                   0      0x7ffff7de22ad                   0
     malloc           0x48                   0      0x7ffff7ddf9d3                   0
     malloc           0x5c                   0      0x7ffff7ddf9d3                   0
     malloc           0x5c                   0      0x7ffff7ddf9d3                   0
     malloc           0x39                   0      0x7ffff7ddf9d3                   0
     malloc           0x20                   0      0x7ffff7de294e                   0
     malloc          0x492                   0      0x7ffff7de557e                   0
     malloc           0x20                   0      0x7ffff7de57ed                   0
     malloc           0x28                   0      0x7ffff7de776f                   0
     malloc           0x38                   0      0x7ffff7de7900                   0
     malloc           0x48                   0      0x7ffff7deab5a                   0
     malloc           0x48                   0      0x7ffff7deab5a                   0
     malloc          0x228                   0      0x7ffff7deab5a                   0
     malloc           0x90                   0      0x7ffff7deab5a                   0
     malloc          0x410                   0      0x7ffff7ddaf22                   0
     malloc          0x110                   0      0x7ffff7debd52                   0
     malloc          0x190                   0            0x4013d2                   0
     malloc          0x190            0x603010            0x4013d2                   0
     malloc          0x190            0x6031b0            0x4013e0                   0
     malloc           0x40            0x603350            0x4013ee                   0
     malloc          0x190            0x6033a0            0x4013fc                   0
       free              0                   0            0x401688                   0
       free              0                   0            0x401688                   0
       free              0                   0            0x401688                   0
       free              0                   0            0x401688                   0
       free              0                   0            0x4016b0                   0
       free              0                   0            0x4016b0                   0
       free              0                   0            0x4016d7                   0
       free              0                   0            0x4016d7                   0
       free              0                   0            0x4016d7                   0
       free              0                   0            0x4016d7                   0
       free              1                   0            0x4016e8                   0
       free              0                   0            0x4016e8                   0
       free              0                   0            0x401718                   0
       free              0                   0            0x401718                   0
Jason Aller

3 Answers

1

It's quite possible that other stuff may be calling malloc under the covers, including the C runtime code (as an example, for thread-specific data used by things such as strtok) or even your analysis tool itself.

If you examine the start address of all those memory blocks, you'll notice that all but the ones you do are 0 (100 4-byte int variables take up 400 or 0x190 bytes, 16 of them take up 64 or 0x40 bytes).

That may be relevant here, although it may also be that you're the only one not cleaning up after yourself :-)


By the way, you shouldn't cast the return value of malloc in C since it can hide certain subtle errors, such as when your int and pointer sizes are different widths and you forget to include stdlib.h, both of which may be possible here given you're running in a 64-bit environment.

C is perfectly capable of implicitly casting the void * returned from malloc into any other pointer type.

paxdiablo
1

You can use gdb to find out what is going on and who calls malloc(). In your case you will see a lot of breaks in ld-linux.so:

Breakpoint 3, malloc (n=n@entry=136) at dl-minimal.c:93
93  in dl-minimal.c
(gdb) where
#0  malloc (n=n@entry=136) at dl-minimal.c:93
#1  0xb7ff3baa in calloc (nmemb=nmemb@entry=17, size=size@entry=8) at dl-minimal.c:113
#2  0xb7fef628 in allocate_dtv (result=result@entry=0xb7e00900) at dl-tls.c:296
#3  0xb7fefaf8 in _dl_allocate_tls_storage () at dl-tls.c:364
#4  0xb7fdecc7 in init_tls () at rtld.c:771
#5  0xb7fe0fcd in dl_main (phdr=0x8048034, phnum=9, user_entry=0xbfffedbc, auxv=0xbfffef5c) at rtld.c:1819
#6  0xb7ff33b6 in _dl_sysdep_start (start_argptr=start_argptr@entry=0xbfffee50, dl_main=dl_main@entry=0xb7fdf720 <dl_main>) at ../elf/dl-sysdep.c:241
#7  0xb7fe2dd4 in _dl_start_final (arg=0xbfffee50) at rtld.c:337
#8  _dl_start (arg=0xbfffee50) at rtld.c:563
#9  0xb7fdf197 in _start () from /lib/ld-linux.so.2

The _start function is the entry point to a program and it is called before the main() function. So it is not visible in the program text, but it exists and it makes calls to different functions at startup time.
Also, there is the ldd utility, which shows all the dynamic libraries used by an executable:

ldd main
    linux-gate.so.1 =>  (0xb7724000)
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7547000)
    /lib/ld-linux.so.2 (0xb7725000)

So any of the libraries linked to the executable can use malloc().

Michael
1

The malloc calls which are important for you are these:

 malloc          0x190            0x603010            0x4013d2                   0
 malloc          0x190            0x6031b0            0x4013e0                   0
 malloc           0x40            0x603350            0x4013ee                   0
 malloc          0x190            0x6033a0            0x4013fc    

The rest are being called internally by some system calls.

Srikanth
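An added example (not part of any answer above, and not Pin's or the posters' code): attributing malloctrace rows to the module that made the call, using the malloc_IP caller address and whether a start address was recorded. The load ranges in MODULES and the names owner_of and count_calls are assumptions made for this illustration; the trace rows are copied from the question.

```c
#include <stdio.h>
#include <string.h>

/* Assumed load ranges, constructed for this example; read /proc/<pid>/maps for real ones. */
static const struct module { const char *name; unsigned long long lo, hi; } MODULES[] = {
    { "main",  0x400000ULL,       0x402000ULL },
    { "ld.so", 0x7ffff7dda000ULL, 0x7ffff7dfd000ULL },
};

/* Rows copied from the question's malloctrace output (spacing condensed). */
static const char TRACE[] =
    "name size start_addr malloc_IP access_cnt\n"
    "malloc 0x410 0 0x7ffff7ddaf22 0\n"
    "malloc 0x190 0 0x4013d2 0\n"
    "malloc 0x190 0x603010 0x4013d2 0\n"
    "malloc 0x190 0x6031b0 0x4013e0 0\n"
    "malloc 0x40 0x603350 0x4013ee 0\n"
    "malloc 0x190 0x6033a0 0x4013fc 0\n";

/* Name of the module whose range contains the caller address. */
const char *owner_of(unsigned long long ip)
{
    for (size_t i = 0; i < sizeof MODULES / sizeof *MODULES; i++)
        if (ip >= MODULES[i].lo && ip < MODULES[i].hi)
            return MODULES[i].name;
    return "unknown";
}

/* Count `fn` rows called from `module`; with_addr keeps only rows with a start address. */
int count_calls(const char *trace, const char *fn, const char *module, int with_addr)
{
    int n = 0;
    while (*trace) {
        char line[128] = "", name[16];
        unsigned long long size, start, ip;
        size_t len = strcspn(trace, "\n");
        if (len < sizeof line) memcpy(line, trace, len);  /* zero-filled, stays terminated */
        if (sscanf(line, "%15s %llx %llx %llx", name, &size, &start, &ip) == 4 &&
            !strcmp(name, fn) && !strcmp(owner_of(ip), module) && (start || !with_addr))
            n++;  /* the header row fails the hex conversions and is skipped */
        trace += len + (trace[len] == '\n');
    }
    return n;
}

int main(void)
{
    printf("%d malloc rows from main\n", count_calls(TRACE, "malloc", "main", 1));
    return 0;
}
```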