Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!spool.mu.edu!agate!lima.berkeley.edu!bks
From: bks@lima.berkeley.edu (Bradley K. Sherman)
Newsgroups: comp.lang.c
Subject: Re: Failure INSIDE malloc() ??
Keywords: nasty bugs
Message-ID: <1991Jun21.215939.25484@agate.berkeley.edu>
Date: 21 Jun 91 21:59:39 GMT
References: <1991Jun19.131709.13260@risky.ecs.umass.edu> <2170006@hpldsla.sid.hp.com>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: University of California at Berkeley
Lines: 29

C programs that do a lot of mapping between 1-based entities (screen
positions, page layouts, etc.) and internal 0-based arrays often have
code that looks something like:

    Yarra = malloc( MAXCOLS );
    ...
    foo( row, col, otherstuff )
    {
        ...
        Yarra[col - 1] = something;
        ...
    }

Now, exactly where to do the 1-to-0 mapping is not always clear and
sometimes, especially early in program development, it is done twice!
If "col" started out as 1 in this example and had already been
converted to 0 earlier in the program, then the statement above will
access Yarra[-1].

The result of accessing the minus-first element of a malloc'ed array
is implementation dependent, but if it doesn't core-dump immediately
you are in for one hell of a search for this bug when it does make its
presence known. Doing this using the MSC compiler on MessyDos can
produce some real consciousness raising effects.

---------------------------------
Brad Sherman (bks@alfa.berkeley.edu)
myjob( bug ){ fix(bug); done() ? fired() : myjob(getbug()); }
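The write to Yarra[-1] described above lands in whatever the allocator keeps immediately in front of the block, which is why the damage typically surfaces later, inside malloc() or free(), rather than at the offending store. The following is an added example, not code from the original post: it puts the 1-to-0 mapping in a single helper that refuses a column outside 1..MAXCOLS, so a value that has already been converted once (and therefore arrives as 0) is rejected instead of becoming index -1. The names col_to_index, set_col and simulate_double_conversion are assumptions made for this example; only Yarra and MAXCOLS come from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXCOLS 80   /* screen width, as in the original post */

/* Translate a 1-based screen column into a 0-based array index.
 * Returns 0 on success and -1 if col is outside 1..MAXCOLS.
 * A col of 0 is the signature of a column that was already converted
 * once by the caller, so it is refused rather than turned into -1.
 * (Hypothetical helper written for this example.) */
int col_to_index(int col, size_t *idx)
{
    if (col < 1 || col > MAXCOLS)
        return -1;
    *idx = (size_t)(col - 1);
    return 0;
}

/* Store one byte at a 1-based column. Returns 0 on success, -1 when the
 * mapping was refused. No store happens on the failure path, so the
 * allocator's bookkeeping in front of arr is never touched. */
int set_col(char *arr, int col, char value)
{
    size_t idx;
    if (col_to_index(col, &idx) != 0)
        return -1;
    arr[idx] = value;
    return 0;
}

/* Reproduce the double-conversion mistake from the post: the caller
 * converts col once, then hands the result to a function that would
 * convert it again. Returns how many writes were refused (expected: 1). */
int simulate_double_conversion(char *arr)
{
    int refused = 0;
    int col = 1;                       /* screen column 1 */
    col = col - 1;                     /* first conversion, done by the caller */
    if (set_col(arr, col, 'X') != 0)   /* second conversion would hit arr[-1] */
        refused++;
    return refused;
}

int main(void)
{
    char *Yarra = malloc(MAXCOLS);
    if (Yarra == NULL)
        return 1;
    memset(Yarra, '.', MAXCOLS);

    printf("refused writes: %d\n", simulate_double_conversion(Yarra));
    printf("set_col(1) -> %d, Yarra[0] = '%c'\n",
           set_col(Yarra, 1, 'A'), Yarra[0]);

    free(Yarra);
    return 0;
}
```

The check costs one comparison per store and turns a silent heap corruption into an error return at the exact call site that did the conversion twice, which is where you want to be looking when the bug is fresh rather than after the allocator falls over.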