# typical runtime failures from memory management mistakes
* many memory bugs manifest far from the original mistake: the error is a symptom at the point where corrupted state is first observed
* messages vary by kernel, libc, allocator, hardening options, and build flags

part of [c memory management](../memory.html)

### segmentation fault (SIGSEGV)
* common messages:
```text
Segmentation fault (core dumped)
```
```text
Program received signal SIGSEGV, Segmentation fault.
```
* what it usually means:
  * a load or store used an address that is not mapped in the process address space
  * or an address is mapped but violates permissions (for example write to read-only page)
* likely causes in memory-management terms:
  * dereference of a zero pointer
  * use-after-free: freed chunk later reused, pointer retained, dereferenced after allocator repurposed or unmapped it
  * out-of-bounds write: overwrote a pointer or vtable-like function pointer, later control/data flow jumps to garbage address
  * returning or storing the address of a stack object past its lifetime, then dereferencing it later
  * calling free on a non-heap pointer: allocator metadata corrupted, later allocator activity dereferences junk and crashes

### bus error (SIGBUS)
* common messages:
```text
Bus error (core dumped)
```
* what it usually means:
  * the address is mapped, but the access is invalid at the hardware or kernel level
* likely causes:
  * misaligned access on architectures that fault on alignment (less common on x86\_64, more common elsewhere)
  * mmapped file truncation: accessing a page past the new end of file triggers SIGBUS
  * wild pointer that happens to point into a mapped region with constraints (alignment or device mapping)

### illegal instruction (SIGILL) after corruption
* common messages:
```text
Illegal instruction (core dumped)
```
* what it usually means:
  * CPU tried to execute bytes that are not a valid instruction stream for the current mode
* likely causes:
  * heap/stack corruption overwrote a return address or function pointer, control flow jumps into non-code bytes
  * use-after-free jumped through a function pointer inside an object whose storage was recycled

### abort (SIGABRT) from allocator self-checks
* common messages (glibc-like):
```text
double free or corruption (!prev)
Aborted (core dumped)
```
```text
free(): invalid pointer
Aborted (core dumped)
```
```text
munmap_chunk(): invalid pointer
Aborted (core dumped)
```
```text
malloc(): corrupted top size
Aborted (core dumped)
```
```text
free(): invalid next size (fast)
Aborted (core dumped)
```
```text
corrupted size vs. prev_size
Aborted (core dumped)
```
* what it usually means:
  * the allocator detected internal invariants were violated and deliberately terminated
* likely causes by message class:
  * "double free":
    * freeing the same heap pointer twice
    * freeing two distinct pointers that alias the same allocation (for example interior-pointer free after pointer arithmetic)
  * "invalid pointer" / "munmap\_chunk(): invalid pointer":
    * free of a pointer not returned by malloc/calloc/realloc
    * free of an interior pointer (not the allocation base)
    * free of stack, static, or mmapped memory using free
  * "corrupted top size" / "invalid next size" / "corrupted size vs prev\_size":
    * out-of-bounds write that hit allocator metadata adjacent to the user region
    * write-after-free into a freed chunk that is now on a free list
    * buffer overflow in one allocation corrupting the header of the next allocation
* diagnostic trap:
  * the abort often occurs in a later malloc/free, not at the original overwrite

### stack protector termination (stack smashing)
* common messages:
```text
*** stack smashing detected ***: terminated
Aborted (core dumped)
```
* what it usually means:
  * a compiler-inserted canary near a stack frame was modified before function return
* likely causes:
  * out-of-bounds write on a stack array
  * copying attacker-controlled or unchecked length into a local buffer
  * overwriting beyon a local struct that contains the canary-adjacent region

### fortify source termination (checked libc wrappers)
* common messages:
```text
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```
```text
*** invalid size (unsorted) ***: terminated
Aborted (core dumped)
```
* what it usually means:
  * libc detected a size or bounds condition it can prove is unsafe (often via compile-time and runtime checks)
* likely causes:
  * passing a length larger than the destination object to memcpy/memmove/strcpy/strncpy/sprintf variants
  * using strlen on non-terminated memory then copying based on it

### "malloc(): memory corruption" with delayed symptoms
* common symptom patterns:
  * crash in unrelated code (for example inside printf, strcmp, or malloc)
  * nondeterminism: bug disappears under debugger or with different optimization levels
  * crash shifts when adding logging
* likely causes:
  * small overflows that only damage adjacent heap metadata under certain layouts
  * use-after-free where the freed region is sometimes reused quickly, sometimes not
  * uninitialized pointer or length used in memcpy/free, corrupting heap in a data-dependent way