malloc(0) returns 0x800 on FreeBSD 6.2 ?

Dan Nelson dnelson at
Mon Dec 11 10:47:43 PST 2006

In the last episode (Dec 11), Luigi Rizzo said:
> I was debugging a program on FreeBSD 6, and much to my surprise, I
> noticed that malloc(0) returns 0x800, as shown by this program:
> 	> more a.c
> 	#include <stdio.h>
> 	#include <stdlib.h>	/* needed for the malloc() prototype */
> 	int main(int argc, char *argv[])
> 	{
> 		char *p = malloc(0);
> 		printf(" malloc 0 returns %p\n", p);
> 		return 0;
> 	}
> 	> cc -o a a.c
> 	> ./a
> 	 malloc 0 returns 0x800
> if you look at the source this is indeed clear - internally the 0x800
> is ZEROSIZEPTR and is set when a zero length is passed to malloc()
> unless you have malloc_sysv set.

Right, it passed you a pointer to which you may write 0 bytes;
exactly what the program asked for :)

The FreeBSD 6.x behaviour is slightly against POSIX rules that state
all successful malloc calls must return unique pointers, so the 7.x
malloc silently rounds zero-size mallocs to 1.  Ideally malloc would
return unique pointers to blocks of memory set to MPROT_NONE via
mprotect() (you could fit 8192 of these pointers in an 8k page), to
prevent applications from using that byte of memory.

	Dan Nelson
	dnelson at
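The scheme Dan sketches in his last paragraph, written out as an added C example (not code from this thread or from FreeBSD's malloc): zero-byte requests are served as distinct addresses inside a page that is mapped inaccessible, so every successful call returns a unique pointer as POSIX requires, while any read or write through that pointer faults instead of silently touching a real byte. The names `zmalloc`, `zfree` and `zero_page` are this example's own, and it maps the page with `mmap(..., PROT_NONE, ...)` directly rather than calling `mprotect()` afterwards as Dan suggests; the effect is the same.

```c
#define _DEFAULT_SOURCE          /* MAP_ANONYMOUS and sysconf() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* One page mapped PROT_NONE; zero-size requests hand out distinct bytes of it. */
static unsigned char *zero_page = NULL;
static size_t zero_page_len = 0;
static size_t zero_next = 0;     /* next unused byte offset in zero_page */

/* Lazily map the inaccessible page. Returns 0 on success, -1 on failure. */
static int zero_page_init(void)
{
    if (zero_page != NULL)
        return 0;
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0)
        return -1;
    void *m = mmap(NULL, (size_t)ps, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    zero_page = m;
    zero_page_len = (size_t)ps;
    return 0;
}

/* True if p points into the sentinel page. */
static int in_zero_page(const void *p)
{
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)zero_page;
    return zero_page != NULL && a >= base && a < base + zero_page_len;
}

/* Like malloc(), except that zmalloc(0) yields a unique, non-NULL pointer
 * to memory that cannot be read or written. */
void *zmalloc(size_t n)
{
    if (n != 0)
        return malloc(n);
    if (zero_page_init() != 0)
        return NULL;
    if (zero_next >= zero_page_len)
        return NULL;             /* sentinel page exhausted; a real allocator would map another */
    return zero_page + zero_next++;
}

/* Sentinel pointers must never reach free(); everything else is passed through. */
void zfree(void *p)
{
    if (in_zero_page(p))
        return;
    free(p);
}

/* Returns 1 if two zero-size allocations are non-NULL and distinct. */
int zero_size_pointers_are_unique(void)
{
    void *a = zmalloc(0);
    void *b = zmalloc(0);
    int ok = (a != NULL && b != NULL && a != b);
    zfree(a);
    zfree(b);
    return ok;
}

/* Returns 1 if a zero-size allocation lands in the inaccessible page. */
int zero_size_pointer_is_inaccessible(void)
{
    void *p = zmalloc(0);
    int ok = (p != NULL && in_zero_page(p));
    zfree(p);
    return ok;
}

int main(void)
{
    void *p = zmalloc(0);
    printf(" zmalloc 0 returns %p\n", p);
    printf(" unique: %d, inaccessible: %d\n",
           zero_size_pointers_are_unique(), zero_size_pointer_is_inaccessible());
    /* *(char *)p = 0;  would raise SIGSEGV here, which is the point. */
    zfree(p);
    return 0;
}
```

With a 4 KiB page this gives 4096 distinct zero-size pointers before `zmalloc(0)` starts returning NULL; Dan's figure of 8192 per 8 KiB page is the same arithmetic. The cost of the scheme is that `free()` must recognise sentinel pointers, which is why `zfree` is needed alongside `zmalloc`.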
