2025-12-28

typical runtime failures from memory management mistakes

  • many memory bugs manifest far from the original mistake: the error is a symptom at the point where corrupted state is first observed
  • messages vary by kernel, libc, allocator, hardening options, and build flags

part of c memory management

segmentation fault (SIGSEGV)

  • common messages:
Segmentation fault (core dumped)
Program received signal SIGSEGV, Segmentation fault.

  • what it usually means:

    • a load or store used an address that is not mapped in the process address space
    • or an address is mapped but violates permissions (for example write to read-only page)

  • likely causes in memory-management terms:

    • dereference of a zero pointer

    • use-after-free: freed chunk later reused, pointer retained, dereferenced after allocator repurposed or unmapped it

    • out-of-bounds write: overwrote a pointer or vtable-like function pointer, later control/data flow jumps to garbage address

    • returning or storing the address of a stack object past its lifetime, then dereferencing it later

    • calling free on a non-heap pointer: allocator metadata corrupted, later allocator activity dereferences junk and crashes

bus error (SIGBUS)

  • common messages:
Bus error (core dumped)

  • what it usually means:

    • the address is mapped, but the access is invalid at the hardware or kernel level

  • likely causes:

    • misaligned access on architectures that fault on alignment (less common on x86_64, more common elsewhere)

    • mmapped file truncation: accessing a page past the new end of file triggers SIGBUS

    • wild pointer that happens to point into a mapped region with constraints (alignment or device mapping)

illegal instruction (SIGILL) after corruption

  • common messages:
Illegal instruction (core dumped)

  • what it usually means:

    • CPU tried to execute bytes that are not a valid instruction stream for the current mode

  • likely causes:

    • heap/stack corruption overwrote a return address or function pointer, control flow jumps into non-code bytes

    • use-after-free jumped through a function pointer inside an object whose storage was recycled

abort (SIGABRT) from allocator self-checks

  • common messages (glibc-like):
double free or corruption (!prev)
Aborted (core dumped)
free(): invalid pointer
Aborted (core dumped)
munmap_chunk(): invalid pointer
Aborted (core dumped)
malloc(): corrupted top size
Aborted (core dumped)
free(): invalid next size (fast)
Aborted (core dumped)
corrupted size vs. prev_size
Aborted (core dumped)

  • what it usually means:

    • the allocator detected internal invariants were violated and deliberately terminated

  • likely causes by message class:

    • "double free":

      • freeing the same heap pointer twice
      • freeing two distinct pointers that alias the same allocation (for example interior-pointer free after pointer arithmetic)

    • "invalid pointer" / "munmap_chunk(): invalid pointer":

      • free of a pointer not returned by malloc/calloc/realloc
      • free of an interior pointer (not the allocation base)
      • free of stack, static, or mmapped memory using free

    • "corrupted top size" / "invalid next size" / "corrupted size vs prev_size":

      • out-of-bounds write that hit allocator metadata adjacent to the user region
      • write-after-free into a freed chunk that is now on a free list
      • buffer overflow in one allocation corrupting the header of the next allocation

  • diagnostic trap:

    • the abort often occurs in a later malloc/free, not at the original overwrite

stack protector termination (stack smashing)

  • common messages:
*** stack smashing detected ***: terminated
Aborted (core dumped)

  • what it usually means:

    • a compiler-inserted canary near a stack frame was modified before function return

  • likely causes:

    • out-of-bounds write on a stack array

    • copying attacker-controlled or unchecked length into a local buffer

    • overwriting beyon a local struct that contains the canary-adjacent region

fortify source termination (checked libc wrappers)

  • common messages:
*** buffer overflow detected ***: terminated
Aborted (core dumped)
*** invalid size (unsorted) ***: terminated
Aborted (core dumped)

  • what it usually means:

    • libc detected a size or bounds condition it can prove is unsafe (often via compile-time and runtime checks)

  • likely causes:

    • passing a length larger than the destination object to memcpy/memmove/strcpy/strncpy/sprintf variants

    • using strlen on non-terminated memory then copying based on it

"malloc(): memory corruption" with delayed symptoms

  • common symptom patterns:

    • crash in unrelated code (for example inside printf, strcmp, or malloc)
    • nondeterminism: bug disappears under debugger or with different optimization levels
    • crash shifts when adding logging

  • likely causes:

    • small overflows that only damage adjacent heap metadata under certain layouts
    • use-after-free where the freed region is sometimes reused quickly, sometimes not
    • uninitialized pointer or length used in memcpy/free, corrupting heap in a data-dependent way