C Dangling Pointers

In computer programming, memory is allocated for holding data object. After the work is done the memory is deallocated so that this memory can be used to store any other data object.

A dangling pointer is that pointer which has been allocated but does not point to any entity. While programming, pointers are used that contain memory addresses of data objects. Dangling pointer is a pointer that points to the memory location even after its deallocation. Or we can say that it is pointer that does not point to a valid data object of the appropriate type. The memory location pointed by dangling pointer is known as dangling reference.

Now if we access the data stored at that memory location using the dangling pointer then it will result in program crash or an unpredictable behaviour.

Consider the blow example

void function(){
	int *ptr = (int *)malloc(SIZE);
	. . . . . .
	. . . . . . 
	free(ptr);	//ptr now becomes dangling pointer which is pointing to dangling reference
}

In above example we first allocated a memory and stored its address in ptr. After executing few statements we deallocated the memory. Now still ptr is pointing to same memory address so it becomes dangling pointer.

Other examples below.

In the above figure, Pointer 3 is a dangling pointer as it is pointing to to the de-allocated object. Pointer 1 and Pointer 2 are the pointers that point to the allocated objects, i.e., Object 1 and Object 2, respectively.

Let's understand the dangling pointer through some C programs.

When de-allocate the memory

Using free() function to de-allocate the memory.

#include <stdio.h>
int main()
{
   int *ptr=(int *)malloc(sizeof(int));
   int a=560;
   ptr=&a;
   free(ptr);
   return 0;
}

In the above code, we have created two variables, i.e., *ptr and a where 'ptr' is a pointer and 'a' is a integer variable. The *ptr is a pointer variable which is created with the help of malloc() function. As we know that malloc() function returns void, so we use int * to convert void pointer into int pointer.

The statement int *ptr=(int *)malloc(sizeof(int)); will allocate the memory with 4 bytes shown in the below image:

The statement free(ptr) de-allocates the memory as shown in the below image with a cross sign, and 'ptr' pointer becomes dangling as it is pointing to the de-allocated memory.

If we assign the NULL value to the 'ptr', then 'ptr' will not point to the deleted memory. Therefore, we can say that ptr is not a dangling pointer, as shown in the below image:

When variable goes out of the scope

When the variable goes out of the scope then the pointer pointing to the variable becomes a dangling pointer.

#include<stdio.h>
int main()
{
    char *str;
    {
        char a = ?A?;
        str = &a;
    }
    // a falls out of scope 
    // str is now a dangling pointer 
    printf("%s", *str);
}

In the above code, we did the following steps.

• First, we declare the pointer variable named 'str'.
• In the inner scope, we declare a character variable. The str pointer contains the address of the variable 'a'.
• When the control comes out of the inner scope, 'a' variable will no longer be available, so str points to the de-allocated memory. It means that the str pointer becomes the dangling pointer.

When calling the Function

Now, we will see how the pointer becomes dangling when we call the function.

Let's understand through an example.

#include <stdio.h>
    int *fun(){
    int y=10;
    return &y;
  }
int main()
{
int *p=fun();
printf("%d", *p);
return 0;
}

In the above code, we did the following steps

• First, we create the main() function in which we have declared 'p' pointer that contains the return value of the fun().
• When the fun() is called, then the control moves to the context of the int *fun(), the fun() returns the address of the 'y' variable.
• When control comes back to the context of the main() function, it means the variable 'y' is no longer available. Therefore, we can say that the 'p' pointer is a dangling pointer as it points to the de-allocated memory.

>Let's represent the working of the above code diagrammatically.

Let's consider another example of a dangling pointer.

#include <stdio.h>
int *fun()
{
    static int y=10;
    return &y;
}
int main()
{
   int *p=fun();
   printf("%d", *p);
    return 0;
}

The above code is similar to the previous one but the only difference is that the variable 'y' is static. We know that static variable stores in the global memory.

Now, we represent the working of the above code diagrammatically.

The above diagram shows the stack memory. First, the fun() function is called, then the control moves to the context of the int *fun(). As 'y' is a static variable, so it stores in the global memory; Its scope is available throughout the program. When the address value is returned, then the control comes back to the context of the main(). The pointer 'p' contains the address of 'y', i.e., 100. When we print the value of '*p', then it prints the value of 'y', i.e., 10. Therefore, we can say that the pointer 'p' is not a dangling pointer as it contains the address of the variable which is stored in the global memory.

The dangling pointer errors can be avoided by initializing the pointer to the NULL value. If we assign the NULL value to the pointer, then the pointer will not point to the de-allocated memory. Just assign NULL to the pointer after the deallocation of memory that it was pointing. It means now pointer is not pointing to any memory address.

void function(){
	int *ptr = (int *)malloc(SIZE);
	. . . . . .
	. . . . . . 
	free(ptr);	//ptr now becomes dangling pointer which is pointing to dangling reference
	ptr=NULL;	//now ptr is not dangling pointer
}