c：mallocの配列要素をNULLに設定する（無効な書き込み）

Question

私は並列処理を行っています。私のコードの一部では、わずかに異なる引数で同じプログラムを呼び出す新しいプロセスをforkします。たとえば、ユーザーが最初に "./prog arg1 arg2 arg3"を呼び出した場合、私は "./prog -n 1 arg2 arg3"というexecの新しいプロセスをforkして、そのプログラムがforkしexec "./prog - n 2 arg3。私が考えることができる唯一の方法はexecv（）ですが、execvはNULLに渡されたargv []配列の最後の要素を必要とするため、問題が発生しています。以下は私のコードですが、その下にvalgrindの出力を掲載します。私は「自由（のparamsをコメントアウトした場合、

==28067== Memcheck, a memory error detector 
==28067== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. 
==28067== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info 
==28067== Command: ./prog ./photos/photo1.jpg 
==28067== 
=====Displaying photo 0 (be patient.. XQuartz sucks) 
Enter degrees to rotate image(0,90,180,270): 90 
Enter a caption > thumb 
==28067== Invalid write of size 8 
==28067== at 0x400C58: main (in /usr/prog) 
==28067== Address 0x51fa8d0 is 16 bytes inside a block of size 18 alloc'd 
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299) 
==28067== by 0x400C05: main (in /usr/prog) 
==28067== 
==28067== Invalid write of size 8 
==28067== at 0x400CC3: main (in /usr/prog) 
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd 
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299) 
==28067== by 0x400C05: main (in /usr/prog) 
==28067== 
==28067== Invalid write of size 8 
==28067== at 0x400D0E: main (in /usr/prog) 
==28067== Address 0x51fa8d8 is 6 bytes after a block of size 18 alloc'd 
==28067== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299) 
==28067== by 0x400C05: main (in /usr/prog) 
==28067== 
==28071== Syscall param execve(argv) points to unaddressable byte(s) 
==28071== at 0x4F00CF7: execve (in /usr/lib64/libc-2.23.so) 
==28071== by 0x400CE8: main (in /usr/prog) 
==28071== Address 0x51fa8d2 is 0 bytes after a block of size 18 alloc'd 
==28071== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299) 
==28071== by 0x400C05: main (in /usr/prog) 
==28071== 
==28067== 
==28067== HEAP SUMMARY: 
==28067==  in use at exit: 0 bytes in 0 blocks 
==28067== total heap usage: 5 allocs, 5 frees, 1,051,194 bytes allocated 
==28067== 
==28067== All heap blocks were freed -- no leaks are possible 
==28067== 
==28067== For counts of detected and suppressed errors, rerun with: -v 
==28067== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0) 

興味深いことに：この

*** Error in `./prog': free(): invalid next size (fast): 0x0000000001ac3830 *** 

Valgrindのは、私に語った：私は正常にこのコードを実行すると

 //fork an additional process: ./prog -n (i+1) args... 
     // could accomplish by execv("./prog", paramlist), where paramlist is 
     //  the same as -n (i+1) and then argv, skipping argv[1] 

     //create new paramlist 
     char **params = malloc(sizeof(char*) * argc + 2); 

     sprintf(numbuf, "%d", i+1); 

     //./prog -n (i+1) argv[2:argc-1] 
     params[0] = argv[0]; 
     params[1] = "-n"; 
     params[2] = numbuf; 
     for(int i = 2; i<argc; i++){ //skip argv[0] bc we already assigned it 
      params[i+1] = argv[i];  //skip argv[1] because we just worked on it 

     } 
     params[argc+1] = NULL;   //list must be null terminated 

     pid3 = fork(); 
     if(0 == pid3){ 
      execv("./prog", params); 
      exit(-1); 
     } //no waitpid here, because we'd like this process to continue on its own 

     params[argc+1] = "";   //avoid invalid free 
     free(params); 

は、私は次のエラーを取得します） '行の場合、前の行にあるセグメンテーション違反が発生します。' params [argc + 1] = ""; 。なぜそれができますか？

Answer 1

char **params = malloc(sizeof(char*) * argc + 2); 

はい、

char **params = malloc(sizeof(char*) * (argc + 2));