Invalid deletion of pointer

Pointer deallocation using delete without corresponding allocation using new

expand all in page

Description

This defect occurs when:

  • You release a block of memory with the delete operator but the memory was previously not allocated with the new operator.

  • You release a block of memory with the delete operator using the single-object notation but the memory was previously allocated as an array with the new operator.

This defect applies only to C++ source files.

Risk

The risk depends on the cause of the issue:

  • The delete operator releases a block of memory allocated on the heap. If you try to access a location on the heap that you did not allocate previously, a segmentation fault can occur.

  • If you use the single-object notation for delete on a pointer that is previously allocated with the array notation for new, the behavior is undefined.

The issue can also highlight other coding errors. For instance, you perhaps wanted to use the delete operator or a previous new operator on a different pointer.

Fix

The fix depends on the cause of the issue:

  • In most cases, you can fix the issue by removing the delete statement. If the pointer is not allocated memory from the heap with the new operator, you do not need to release the pointer with delete. You can simply reuse the pointer as required or let the object be destroyed at the end of its scope.

  • In case of mismatched notation for new and delete, correct the mismatch. For instance, to allocate and deallocate a single object, use this notation:

    classType* ptr = new classType;
delete ptr;

    To allocate and deallocate an array objects, use this notation:

    classType* p2 = new classType[10];
delete[] p2;

If the issue highlights a coding error such as use of delete or new on the wrong pointer, correct the error.

Examples

expand all

void assign_ones(void)
{
    int ptr[10];

    for(int i=0;i<10;i++)
        *(ptr+i)=1;  

    delete[] ptr;   
}

The pointer ptr is released using the delete operator. However, ptr points to a memory location that was not dynamically allocated.

Correction: Remove Pointer Deallocation

If the number of elements of the array ptr is known at compile time, one possible correction is to remove the deallocation of the pointer ptr.

void assign_ones(void) 
{
    int ptr[10];

    for(int i=0;i<10;i++)
        *(ptr+i)=1;  
}
Correction — Add Pointer Allocation

If the number of array elements is not known at compile time, one possible correction is to dynamically allocate memory to the array ptr using the new operator.

void assign_ones(int num) 
{
    int *ptr = new int[num]; 

    for(int i=0; i < num; i++)
        *(ptr+i) = 1;

    delete[] ptr;
   }

int main (void)
{
    int *p_scale = new int[5];

    //more code using scal

    delete p_scale;
}

In this example, p_scale is initialized to an array of size 5 using new int[5]. However, p_scale is deleted with delete instead of delete[]. The new-delete pair does not match. Do not use delete without the brackets when deleting arrays.

Correction — Match delete to new

One possible correction is to add brackets so the delete matches the new [] declaration.

int main (void)
{
    int *p_scale = new int[5];

    //more code using p_scale

    delete[] p_scale;
}
Correction — Match new to delete

Another possible correction is to change the declaration of p_scale. If you meant to initialize p_scale as 5 itself instead of an array of size 5, you must use different syntax. For this correction, change the square brackets in the initialization to parentheses. Leave the delete statement as it is.

int main (void)
{
    int *p_scale = new int(5);

    //more code using p_scale

    delete p_scale;
}

Result Information

Group: Dynamic memory
Language: C++
Default: On for handwritten code, off for generated code
Command-Line Syntax: BAD_DELETE
Impact: High
CWE ID: 404

See Also

| |

Topics

Introduced in R2013b

Polyspace Bug Finder Documentation

Support