#`free` crashes

I want to parse a file from argv into a LIST of TOKENs. The only problem is, whenever I try to free the value of the existing token inside of LEXER so I can write a new value to it, the program will abruptly crash. I have shortened the code to around 150 relevant lines (including helpful comments and debug prints and excluding error checking to reduce line count). I am compiling with gcc on windows 10 using gcc -m32 -O2 test.c -pedantic -Wall -o test.exe and running using .\test.exe test.
Expected output (excluding debug stuff):

id      2

id      2

16      3

16      3

69      3

Actual output (excluding debug stuff):

id      2

id      2

16      3

Any tips or hints will be greatly appreciated.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000074 (pc 0x7ff06dccb42d bp 0x000000000000 sp 0x7ffdac5ed8c0 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x7ff06dccb42d in fgetc (/lib/x86_64-linux-gnu/libc.so.6+0x8b42d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #1 0x402f73 in main /app/example.c:145
    #2 0x7ff06dc64082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #3 0x4011cd in _start (/app/output.s+0x4011cd) (BuildId: 7c94ee8eee41f3f6fc9391b0710d6e6d3d40447c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8b42d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in fgetc
==1==ABORTING

I'd suggest the additional compile options (for debugging only!):

-g3 -Og -fsanitize=address,undefined

Ah, and the error arises at my end because I can't open the file right now

But if you have memory related issues, then sanitizers are always your way to go

*As a first step

thank you for your help I'm using these option now, but the last compile option -fsanitize=address gives an error:

collect2.exe: error: ld returned 1 exit status```

!wiki How to Use Sanitizers

Ah, it's because of MinGW

Idk, never used that compiler (or C under Windows in general)

I see, I'll look for alternatives in the meantime, thanks

I can also quickly boot to Linux and check it out there

@marsh jackal Has your question been resolved? If so, run !solved :)

Once as a message, once as an image so the coloring is preserved

So this is the line in question:

list->items[list->count++] = item;

so youre getting a heap-buffer-overflow?

yup

This is the output I get up until that point:

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id    2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id    2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value

is that the entire output?

because this is what I'm getting

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id      2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id      2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
16      3

[dbg] `tokenWrite` called

and this is how i was able to trace the error back to that call to free

That's the entire output, at least with sanitizer enabled (which aborts upon the first memory issue, whereas C isn't so strict and just lets you have undefined behaviour until everything kinda crashes eventually)

Yeah, without the sanitizer I get

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id    2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
id    2

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
16    3

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
16    3

[dbg] `tokenWrite` called
[dbg] Freed old token value
[dbg] Wrote new token value
realloc(): invalid next size
Aborted (core dumped)

So actually a bit more than you

But yeah, as I said it's undefined behaviour, so anything can happen, which is why it's completely normal that our codes have a different output (because different operating system and compiler)

I see, i guess i should try working on linux from now on until i can figure out where the UB is coming from

It's also UB on Linux. The OS isn't the issue, the code is

Just because mine shows more in this case doesn't mean it's generally better

(Although arguably Linux is much better for C)

Oh, I found the bug I think

It's actually in the listPush function

right, thats whats causing the heap overflow on your end right?

list->items = realloc(list->items, sizeof(list->items) + sizeof(item));
```This is the same as doing
```c
... sizeof(void **) + sizeof(void *) ...
```which then probably evaluates to:

... 8 + 8 ...

ohhhh thats absolutely right

so the correct way should be to reallocate it to a block of memory with (n items * sizeof each item) + (sizeof new item) right?

Also the listInit function can be shortened to this:

LIST* listInit(void){
     LIST* list = calloc(1, sizeof(LIST));
     return list;
 }
```Since it makes no sense to `calloc(1, sizeof(void*));` as you can just leave it `NULL` for now.

Then in `listPush` you should change it to this:
```c
LIST* listPush(LIST* list, void* item){
     // reallocate `list->items` to the appropriate size
     list->items = realloc(list->items, (list->count + 1) * sizeof item);
     // append the item and then increment `list->count`
     list->items[list->count++] = item;
     return list;
 }

thats brilliant thank you so much

!solved