Return value of malloc(0)

Andre Albsmeier Andre.Albsmeier at
Sun Jul 2 14:59:38 UTC 2006

On Fri, 30-Jun-2006 at 12:15:21 -0400, Pat Lashley wrote:
> >I went wandering through the C Working Group archives for the heck of
> >it, and apparently a lot of people were confused over this, thinking
> >either as you did or that "unique" meant it would a value unique to
> >the usage of malloc(0).  It's been clarified recently (and will be in
> >the next revision of the standard) to the meaning you understood.
> ...
> >This is wandering into -standards territory, though.  In any case, the
> >answer to thread's original question is "mozilla should fix its code
> >to not assume malloc(0)==NULL".
> Agreed.  (With the usual observation that they, too, are a mainly 
> volunteer-based project; and would probably appreciate the inclusion of a patch 

Well, I was unsure of the correct behaviour. That's why I came here:-).
>From all what I've read so far, I can summarize:

- Returning a non-NULL value from malloc(0) is completely legal.

- We return a non-NULL value which, when dereferenced, always make
  the application crash (as a warning). See the commit message of
  rev. 1.60 of malloc.c:

-------------------------------- snip --------------------------


If zero bytes are allocated, return pointer to the middle of page-zero
(which is protected) so that the programme will crash if it dereferences
this illgotten pointer.

Inspired & Urged by:	Theo de Raadt <deraadt at>

-------------------------------- snap --------------------------

- What we do isn't 100% perfect since we always return the
  same value for each malloc(0).

- It was firefox' fault to crash.

- The manpage is heavily misleading.

Firefox must be fixed but some stuff can be done in FreeBSD as well:

- If we keep our current behaviour we have to change the manpage.
  (As I said before, I could do that if someone will commit it later.)

- We could reverse the meaning of the V-flag (or, introduce a new
  flag to avoid confusion). This would mean that by default a
  malloc(0) will return NULL in future. The new flag can be used
  to change this behaviour to the way it was done before: We hand
  out the value which, when dereferenced, make the programme crash
  as a warning to the author. We note in the manpage that it is
  not 100% legal since we always use the same value.

> with the bug report.  And, of course, that the original poster of this thread 
> should file a bug report with the Mozilla project.)

Please see:

It wasn't me who created this PR but the author of the extension
which actually revealed the bug.


UNIX is an operating system, OS/2 is half an operating system,
Windows is a shell, and DOS is a bootsector virus.

More information about the freebsd-hackers mailing list