Glibc 分析 on RatherHard の Bloghttps://blog.ratherhard.com/categories/glibc-analyse/Recent content in Glibc 分析 on RatherHard の BlogHugo -- gohugo.iozh-CNglibc-2.39 ret2gets 分析https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.39-ret2gets/Sun, 01 Mar 2026 15:07:00 +0000https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.39-ret2gets/<img src="https://blog.ratherhard.com/" alt="Featured image of post glibc-2.39 ret2gets 分析" /><h2 id="重要结构">重要结构 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">lock</span><span class="p">;</span> <span class="kt">int</span> <span class="n">cnt</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">owner</span><span class="p">;</span> <span class="p">}</span> <span class="n">_IO_lock_t</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="源码分析">源码分析 </h2><h3 id="gets">gets </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">_IO_gets</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">ch</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">retval</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_acquire_lock</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">ch</span> <span class="o">=</span> <span class="nf">_IO_getc_unlocked</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ch</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">unlock_return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ch</span> <span class="o">==</span> <span class="sc">&#39;\n&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* This is very tricky since a file descriptor may be in the </span></span></span><span class="line"><span class="cl"><span class="cm"> non-blocking mode. The error flag doesn&#39;t mean much in this </span></span></span><span class="line"><span class="cl"><span class="cm"> case. We return an error only when there is a new error. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">old_error</span> <span class="o">=</span> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_ERR_SEEN</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">_IO_ERR_SEEN</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">buf</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span> <span class="n">ch</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="nf">_IO_getline</span> <span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="n">buf</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">INT_MAX</span><span class="p">,</span> <span class="sc">&#39;\n&#39;</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_ERR_SEEN</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">unlock_return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">|=</span> <span class="n">old_error</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">buf</span><span class="p">[</span><span class="n">count</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="n">buf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nl">unlock_return</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_release_lock</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">retval</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>_IO_gets 是 gets 的本体</p> <p>这里重点关注 _IO_acquire_lock 和 _IO_release_lock</p> <h3 id="_io_acquire_lock-和-_io_release_lock">_IO_acquire_lock 和 _IO_release_lock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define _IO_acquire_lock(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> do { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> FILE *_IO_acquire_lock_file \ </span></span></span><span class="line"><span class="cl"><span class="cp"> __attribute__((cleanup (_IO_acquire_lock_fct))) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> = (_fp); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> _IO_flockfile (_IO_acquire_lock_file); </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp"># define _IO_release_lock(_fp) ; } while (0) </span></span></span></code></pre></td></tr></table> </div> </div><p>注意 cleanup 属性</p> <h3 id="_io_flockfile-和-_io_funlockfile">_IO_flockfile 和 _IO_funlockfile </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define _IO_flockfile(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (((_fp)-&gt;_flags &amp; _IO_USER_LOCK) == 0) _IO_lock_lock (*(_fp)-&gt;_lock) </span></span></span><span class="line"><span class="cl"><span class="cp"># define _IO_funlockfile(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (((_fp)-&gt;_flags &amp; _IO_USER_LOCK) == 0) _IO_lock_unlock (*(_fp)-&gt;_lock) </span></span></span></code></pre></td></tr></table> </div> </div><p>此处 _lock 为 _IO_lock_t 的结构体指针</p> <h3 id="_io_lock_lock-和-_io_lock_unlock">_IO_lock_lock 和 _IO_lock_unlock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define _IO_lock_lock(_name) \ </span></span></span><span class="line"><span class="cl"><span class="cp">do { \ </span></span></span><span class="line"><span class="cl"><span class="cp">void *__self = THREAD_SELF; \ </span></span></span><span class="line"><span class="cl"><span class="cp">if (SINGLE_THREAD_P &amp;&amp; (_name).owner == NULL) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).lock = LLL_LOCK_INITIALIZER_LOCKED; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = __self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else if ((_name).owner != __self) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> lll_lock ((_name).lock, LLL_PRIVATE); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = __self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ++(_name).cnt; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } while (0) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define _IO_lock_unlock(_name) \ </span></span></span><span class="line"><span class="cl"><span class="cp">do { \ </span></span></span><span class="line"><span class="cl"><span class="cp">if (SINGLE_THREAD_P &amp;&amp; (_name).cnt == 0) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = NULL; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).lock = 0; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else if ((_name).cnt == 0) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = NULL; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> lll_unlock ((_name).lock, LLL_PRIVATE); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else \ </span></span></span><span class="line"><span class="cl"><span class="cp"> --(_name).cnt; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } while (0) </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="_io_acquire_lock_fct">_IO_acquire_lock_fct </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="kr">inline</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">__attribute__</span> <span class="p">((</span><span class="n">__always_inline__</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="nf">_IO_acquire_lock_fct</span> <span class="p">(</span><span class="n">FILE</span> <span class="o">**</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">fp</span> <span class="o">=</span> <span class="o">*</span><span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_USER_LOCK</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_funlockfile</span> <span class="p">(</span><span class="n">fp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>由于 cleanup 属性, gets 执行完成后会调用这个</p> <h3 id="_io_stdfile_0_lock">_IO_stdfile_0_lock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="n">_IO_lock_t</span> <span class="n">_IO_stdfile_</span><span class="err">##</span><span class="n">FD</span><span class="err">##</span><span class="n">_lock</span> <span class="o">=</span> <span class="n">_IO_lock_initializer</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define _IO_lock_initializer { LLL_LOCK_INITIALIZER, 0, NULL } </span></span></span></code></pre></td></tr></table> </div> </div><p>gets 执行完成后, rdi 为 _IO_stdfile_0_lock 的地址,指向一个 _IO_lock_t 结构体</p> <h3 id="thread_self">THREAD_SELF </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define THREAD_SELF \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ({ struct pthread *__self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> asm (&#34;mov %%fs:%c1,%0&#34; : &#34;=r&#34; (__self) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> : &#34;i&#34; (offsetof (struct pthread, header.self))); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> __self;}) </span></span></span></code></pre></td></tr></table> </div> </div><p>极其高效地获取“当前线程”的线程控制块(TCB,即 struct pthread 结构体)的内存基地址</p> <h2 id="利用思路">利用思路 </h2><p>目标是通过 gets 后 rdi 的残留值传入 puts 以 leak tls</p> <p>在 _IO_gets 中,获取输入之前会先用 _IO_lock_lock 处理 _IO_stdfile_0_lock ,这使得 <code>(_name).owner = __self = THREAD_SELF</code></p> <p>所以只要我们能覆盖前 _IO_stdfile_0_lock 的前 8 字节就可以通过 (_name).owner 去 leak tls</p> <p>但是要注意 _IO_acquire_lock_fct 即 _IO_funlockfile 即 _IO_lock_unlock 会在 gets 结束时执行,这意味着 (_name).cnt 会被减去 1 ,然后若此时 (_name).cnt 为 0 ,那么 (_name).owner 会被清空,无法 leak tls</p> <p>由于 puts 的输出截断于 \x00 ,而 gets 会将末尾设置为 \x00 ,我们需要利用上面 cnt 被减去 1 的机制绕过输出截断</p> <p>若构造 <code>'AAAA\x00\x00\x00'</code> 的 payload ,由于 cnt 只有不为 0 时才会被减去 1 ,而且 cnt 为 0 owner 会被清空,该构造无效</p> <p>因此我们考虑分两次布置:第一次布置 <code>b'A' * 8 + b'\x00' * 6</code> ,目的是触发 <code>(_name).owner == NULL</code> ,第二次布置 <code>b'B' * 4</code> 后即可绕过截断</p> <p>但是在不同 linux 版本的情况下 leak 出的地址与 libc 的偏移会不同,甚至可能 leak 出的是与 ld 相关的部分,这就导致可能需要尝试利用 ld 中的 gadget 再去 leak libc</p>glibc-2.31 ret2dlresolve 分析https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.31-ret2dlresolve/Sun, 08 Feb 2026 01:00:00 +0000https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.31-ret2dlresolve/<img src="https://blog.ratherhard.com/" alt="Featured image of post glibc-2.31 ret2dlresolve 分析" /><h2 id="重要结构">重要结构 </h2><h3 id="link_map">link_map </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">link_map</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* These first few members are part of the protocol with the debugger. </span></span></span><span class="line"><span class="cl"><span class="cm"> This is the same format used in SVR4. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Addr</span><span class="p">)</span> <span class="n">l_addr</span><span class="p">;</span> <span class="cm">/* Difference between the address in the ELF </span></span></span><span class="line"><span class="cl"><span class="cm"> file and the addresses in memory. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">l_name</span><span class="p">;</span> <span class="cm">/* Absolute file name object was found in. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Dyn</span><span class="p">)</span> <span class="o">*</span><span class="n">l_ld</span><span class="p">;</span> <span class="cm">/* Dynamic section of the shared object. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l_next</span><span class="p">,</span> <span class="o">*</span><span class="n">l_prev</span><span class="p">;</span> <span class="cm">/* Chain of loaded objects. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* All following members are internal to the dynamic linker. </span></span></span><span class="line"><span class="cl"><span class="cm"> They may change without notice. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* This is an element which is only ever different from a pointer to </span></span></span><span class="line"><span class="cl"><span class="cm"> the very same copy of this type for ld.so when it is used in more </span></span></span><span class="line"><span class="cl"><span class="cm"> than one namespace. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l_real</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Number of the namespace this link map belongs to. */</span> </span></span><span class="line"><span class="cl"> <span class="n">Lmid_t</span> <span class="n">l_ns</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">libname_list</span> <span class="o">*</span><span class="n">l_libname</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Indexed pointers to dynamic section. </span></span></span><span class="line"><span class="cl"><span class="cm"> [0,DT_NUM) are indexed by the processor-independent tags. </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM,DT_NUM+DT_THISPROCNUM) are indexed by the tag minus DT_LOPROC. </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM,DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM) are </span></span></span><span class="line"><span class="cl"><span class="cm"> indexed by DT_VERSIONTAGIDX(tagvalue). </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM) are indexed by </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_EXTRATAGIDX(tagvalue). </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM) are </span></span></span><span class="line"><span class="cl"><span class="cm"> indexed by DT_VALTAGIDX(tagvalue) and </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM+DT_ADDRNUM) </span></span></span><span class="line"><span class="cl"><span class="cm"> are indexed by DT_ADDRTAGIDX(tagvalue), see &lt;elf.h&gt;. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Dyn</span><span class="p">)</span> <span class="o">*</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_NUM</span> <span class="o">+</span> <span class="n">DT_THISPROCNUM</span> <span class="o">+</span> <span class="n">DT_VERSIONTAGNUM</span> </span></span><span class="line"><span class="cl"> <span class="o">+</span> <span class="n">DT_EXTRANUM</span> <span class="o">+</span> <span class="n">DT_VALNUM</span> <span class="o">+</span> <span class="n">DT_ADDRNUM</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 后略 </span></span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>l_addr (uint64_t)</strong> : ELF 文件中定义的地址与内存中实际地址之间的差值 <blockquote> <p>这就是该模块的【基地址 (Base Address)】 对于开启了 PIE 的程序或 .so 库,这里存的是随机化后的基址 对于未开启 PIE (No-PIE) 的主程序,这里通常是 0</p> </blockquote> </li> <li><strong>l_name</strong> : 找到该对象的绝对文件名 <blockquote> <p>这是一个指针,指向存储库文件路径的字符串(例如 &ldquo;/lib/x86_64-linux-gnu/libc.so.6&rdquo;) 对于主程序,这里通常是空字符串</p> </blockquote> </li> <li><strong>l_ld (Elf64_Dyn)</strong> : 该共享对象的动态段(.dynamic section)的地址 <blockquote> <p>指向内存中 .dynamic 段的指针。这个段里存着 DT_STRTAB, DT_SYMTAB 等标签 _dl_fixup 实际上并不直接用这个 l_ld,而是用后面定义的 l_info 数组(它是由 l_ld 解析生成的)</p> </blockquote> </li> <li><strong>l_next, l_prev</strong> : 已加载对象的链表 <blockquote> <p>双向链表指针 l_next 指向下一个加载的库,l_prev 指向上一个 攻击时通常不需要伪造这两个指针,除非你的攻击链涉及遍历这个链表</p> </blockquote> </li> <li><strong>l_real</strong> : 这是一个通常指向它自己的指针 <blockquote> <p>只有当动态链接器(ld.so)在多个命名空间(namespace)中被使用时,这个指针才会指向不同的副本</p> </blockquote> </li> <li><strong>l_ns (8 bytes)</strong> : 该 link map 所属的命名空间编号 <blockquote> <p>Linux 支持多个链接器命名空间(比如 dlmopen 可以加载一个隔离的库) LM_ID_BASE (通常是 0) 表示主程序所在的默认命名空间</p> </blockquote> </li> <li><strong>l_libname</strong> : 指向一个链表,存储了该共享对象的名称(可能有别名,比如 libc.so.6 和 libc-2.31.so)</li> <li><strong>l_info (Elf64_Dyn)</strong> : 指向动态段(dynamic section)条目的指针数组。 <blockquote> <p>[0, DT_NUM) 范围内的元素:使用**处理器无关的标签(Tag)**直接作为下标索引。 [DT_NUM, &hellip;) 范围内的元素:使用 标签值减去 DT_LOPROC 作为下标索引。 [&hellip;] 范围内的元素:使用 DT_VERSIONTAGIDX(tagvalue) 计算出的值作为下标索引。 &hellip;(后面是关于 Extra, Val, Addr 等特殊标签的索引计算方式)。</p> </blockquote> </li> </ul> <h3 id="elf64_dyn">Elf64_Dyn </h3><p>ELF 64位 动态段条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Sxword</span> <span class="n">d_tag</span><span class="p">;</span> <span class="cm">/* Dynamic entry type */</span> </span></span><span class="line"><span class="cl"> <span class="k">union</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">d_val</span><span class="p">;</span> <span class="cm">/* Integer value */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">d_ptr</span><span class="p">;</span> <span class="cm">/* Address value */</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="n">d_un</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Dyn</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>d_tag (int64_t)</strong> : 这是“类型标签”,用来告诉链接器后面那个 d_un 存的是什么东西 <blockquote> <p>DT_NULL (0): 标记动态段的结束 DT_STRTAB (5): 字符串表(String Table)的地址 DT_SYMTAB (6): 符号表(Symbol Table)的地址 DT_JMPREL (23): 重定位表(Relocation Table,即 .rela.plt)的地址</p> </blockquote> </li> <li><strong>d_un.d_val (uint64_t)</strong> : 当标签表示大小或数量时使用(例如 DT_SYMENT 表示符号表每项的大小)</li> <li><strong>d_un.d_ptr (uint64_t)</strong> : 当标签表示地址时使用</li> </ul> <h3 id="elf64_sym">Elf64_Sym </h3><p>ELF 64位 符号表条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Word</span> <span class="n">st_name</span><span class="p">;</span> <span class="cm">/* Symbol name (string tbl index) */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_info</span><span class="p">;</span> <span class="cm">/* Symbol type and binding */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_other</span><span class="p">;</span> <span class="cm">/* Symbol visibility */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Section</span> <span class="n">st_shndx</span><span class="p">;</span> <span class="cm">/* Section index */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">st_value</span><span class="p">;</span> <span class="cm">/* Symbol value */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">st_size</span><span class="p">;</span> <span class="cm">/* Symbol size */</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Sym</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>st_name (uint32_t)</strong> : 指向字符串表(String Table, DT_STRTAB)的相对偏移 <blockquote> <p>函数名地址 = DT_STRTAB 基址 + st_name</p> </blockquote> </li> <li><strong>st_info</strong> : 这 1 个字节包含了两个信息 <blockquote> <p>高 4 位 (Bind): 绑定属性(Global, Local, Weak) 低 4 位 (Type): 符号类型(Object, Func, None) 常见值:0x12:即 STB_GLOBAL (1) &laquo; 4 | STT_FUNC (2) ,表示这是一个全局函数</p> </blockquote> </li> <li><strong>st_other</strong> : 符号的可见性 <blockquote> <p>STV_DEFAULT (0): 默认可见性(通常是公开的,可被外部链接) STV_INTERNAL (1): 处理器特定的隐藏类型(很少用) STV_HIDDEN (2): 符号在模块内可见,外部不可见(即使是全局符号) STV_PROTECTED (3): 符号可见,但不能被抢占(Preempted)</p> </blockquote> </li> <li><strong>st_shndx (uint16_t)</strong> : 该符号定义在哪个节(Section)里,它是一个索引值,指向 Section Header Table <blockquote> <p>几个特殊的保留索引值: SHN_UNDEF (0): 未定义符号,表示该符号在本模块中被引用,但定义在其他模块(如 libc.so)中 SHN_ABS (0xfff1): 绝对符号,该符号的值是绝对地址,不随重定位改变 SHN_COMMON (0xfff2): 通用块符号(通常用于未初始化的全局变量)</p> </blockquote> </li> <li><strong>st_value (uint64_t)</strong> : 符号的值(通常是地址) <blockquote> <p>在可重定位文件 (.o) 中:它是相对于所在节(Section)的偏移量 在可执行文件或共享库 (.so) 中: 如果符号已定义(st_shndx != 0):它是符号的虚拟地址(Virtual Address) 如果符号未定义(st_shndx == 0):通常为 0 ,但如果是对齐的 Common 符号,它表示对齐约束</p> </blockquote> </li> <li><strong>st_size (uint64_t)</strong> : 函数或变量的大小</li> </ul> <h3 id="elf64_rela">Elf64_Rela </h3><p>ELF 64位 重定位条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">r_offset</span><span class="p">;</span> <span class="cm">/* Address */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">r_info</span><span class="p">;</span> <span class="cm">/* Relocation type and symbol index */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Sxword</span> <span class="n">r_addend</span><span class="p">;</span> <span class="cm">/* Addend */</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Rela</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>r_offset</strong> : 修正地址,即动态链接器解析出函数的真实地址后,应该把这个地址写到哪里去 <blockquote> <p>指向 GOT 表(Global Offset Table)中的某个条目</p> </blockquote> </li> <li><strong>r_info</strong> : 这是一个复合字段,高 32 位和低 32 位分别代表不同含义 <blockquote> <p>r_info = (Symbol Index &laquo; 32) + Relocation Type 高 32 位:Symbol Index (符号表索引) 告诉链接器:“去符号表(Symbol Table)的第几个条目找这个函数的信息” 低 32 位:Relocation Type (重定位类型) 告诉链接器如何进行重定位 7 即 R_X86_64_JUMP_SLOT</p> </blockquote> </li> <li><strong>r_addend</strong> : 加数,用于计算最终值的常数偏移 <blockquote> <p>最终值 = Symbol Value + Addend</p> </blockquote> </li> </ul> <h2 id="_dl_fixup-源码分析">_dl_fixup 源码分析 </h2><h3 id="_dl_fixup-源码">_dl_fixup 源码 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span><span class="lnt">93 </span><span class="lnt">94 </span><span class="lnt">95 </span><span class="lnt">96 </span><span class="lnt">97 </span><span class="lnt">98 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* This function is called through a special trampoline from the PLT the </span></span></span><span class="line"><span class="cl"><span class="cm"> first time each PLT entry is called. We must perform the relocation </span></span></span><span class="line"><span class="cl"><span class="cm"> specified in the PLT of the given shared object, and return the resolved </span></span></span><span class="line"><span class="cl"><span class="cm"> function address to the trampoline, which will restart the original call </span></span></span><span class="line"><span class="cl"><span class="cm"> to that address. Future calls will bounce directly from the PLT to the </span></span></span><span class="line"><span class="cl"><span class="cm"> function. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">DL_FIXUP_VALUE_TYPE</span> </span></span><span class="line"><span class="cl"><span class="n">attribute_hidden</span> <span class="nf">__attribute</span> <span class="p">((</span><span class="n">noinline</span><span class="p">))</span> <span class="n">ARCH_FIXUP_ATTRIBUTE</span> </span></span><span class="line"><span class="cl"><span class="nf">_dl_fixup</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"><span class="cp"># ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS </span></span></span><span class="line"><span class="cl"> <span class="n">ELF_MACHINE_RUNTIME_FIXUP_ARGS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp"># endif </span></span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l</span><span class="p">,</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Word</span><span class="p">)</span> <span class="n">reloc_arg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="k">const</span> <span class="n">symtab</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">PLTREL</span> <span class="o">*</span><span class="k">const</span> <span class="n">reloc</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">])</span> <span class="o">+</span> <span class="n">reloc_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="k">const</span> <span class="n">rel_addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">lookup_t</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">DL_FIXUP_VALUE_TYPE</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Sanity check that we&#39;re really looking at a PLT relocation. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_TYPE</span><span class="p">)(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">ELF_MACHINE_JMP_SLOT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Look up the target symbol. If the normal lookup rules are not </span></span></span><span class="line"><span class="cl"><span class="cm"> used don&#39;t look in the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_VISIBILITY</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_other</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="k">struct</span> <span class="n">r_found_version</span> <span class="o">*</span><span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="o">*</span><span class="n">vernum</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]);</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="n">ndx</span> <span class="o">=</span> <span class="n">vernum</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)]</span> <span class="o">&amp;</span> <span class="mh">0x7fff</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_versions</span><span class="p">[</span><span class="n">ndx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">version</span><span class="o">-&gt;</span><span class="n">hash</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We need to keep the scope around so do some locking. This is </span></span></span><span class="line"><span class="cl"><span class="cm"> not necessary for objects which cannot be unloaded or when </span></span></span><span class="line"><span class="cl"><span class="cm"> we are not using any threads (yet). */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">DL_LOOKUP_ADD_DEPENDENCY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_SET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span> <span class="o">|=</span> <span class="n">DL_LOOKUP_GSCOPE_LOCK</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#ifdef RTLD_ENABLE_FOREIGN_CALL </span></span></span><span class="line"><span class="cl"> <span class="n">RTLD_ENABLE_FOREIGN_CALL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nf">_dl_lookup_symbol_x</span> <span class="p">(</span><span class="n">strtab</span> <span class="o">+</span> <span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_name</span><span class="p">,</span> <span class="n">l</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sym</span><span class="p">,</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_scope</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span><span class="p">,</span> <span class="n">ELF_RTYPE_CLASS_PLT</span><span class="p">,</span> <span class="n">flags</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We are done with the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_RESET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#ifdef RTLD_FINALIZE_FOREIGN_CALL </span></span></span><span class="line"><span class="cl"> <span class="n">RTLD_FINALIZE_FOREIGN_CALL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Currently result contains the base load address (or link map) </span></span></span><span class="line"><span class="cl"><span class="cm"> of the object that defines sym. Now add in the symbol </span></span></span><span class="line"><span class="cl"><span class="cm"> offset. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">false</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* And now perhaps the relocation addend. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_machine_plt_value</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sym</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_TYPE</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">STT_GNU_IFUNC</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_ifunc_invoke</span> <span class="p">(</span><span class="nf">DL_FIXUP_VALUE_ADDR</span> <span class="p">(</span><span class="n">value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Finally, fix up the plt itself. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">GLRO</span><span class="p">(</span><span class="n">dl_bind_not</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">elf_machine_fixup_plt</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">result</span><span class="p">,</span> <span class="n">refsym</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">rel_addr</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="前置声明">前置声明 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* This function is called through a special trampoline from the PLT the </span></span></span><span class="line"><span class="cl"><span class="cm"> first time each PLT entry is called. We must perform the relocation </span></span></span><span class="line"><span class="cl"><span class="cm"> specified in the PLT of the given shared object, and return the resolved </span></span></span><span class="line"><span class="cl"><span class="cm"> function address to the trampoline, which will restart the original call </span></span></span><span class="line"><span class="cl"><span class="cm"> to that address. Future calls will bounce directly from the PLT to the </span></span></span><span class="line"><span class="cl"><span class="cm"> function. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">DL_FIXUP_VALUE_TYPE</span> </span></span><span class="line"><span class="cl"><span class="n">attribute_hidden</span> <span class="nf">__attribute</span> <span class="p">((</span><span class="n">noinline</span><span class="p">))</span> <span class="n">ARCH_FIXUP_ATTRIBUTE</span> </span></span><span class="line"><span class="cl"><span class="nf">_dl_fixup</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"><span class="cp"># ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS </span></span></span><span class="line"><span class="cl"> <span class="n">ELF_MACHINE_RUNTIME_FIXUP_ARGS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp"># endif </span></span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l</span><span class="p">,</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Word</span><span class="p">)</span> <span class="n">reloc_arg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="k">const</span> <span class="n">symtab</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">PLTREL</span> <span class="o">*</span><span class="k">const</span> <span class="n">reloc</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">])</span> <span class="o">+</span> <span class="n">reloc_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="k">const</span> <span class="n">rel_addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">lookup_t</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">DL_FIXUP_VALUE_TYPE</span> <span class="n">value</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>翻译:</strong> 这个函数是通过一个特殊的跳板(trampoline)从 PLT(过程链接表)中调用的,时机是每个 PLT 条目第一次被调用的时候。 我们必须按照给定共享对象(shared object)的 PLT 中指定的要求,执行重定位操作(relocation),并将解析出来的函数地址返回给那个跳板。 随后,跳板会重新向该地址发起原始的函数调用。 未来的调用将直接从 PLT 跳转到该函数(而不再经过这里)。</p> <p><code>ElfW(Word)</code> 为 <code>uint32_t</code> <code>PLTREL</code> 为 <code>Elf64_Rela</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define D_PTR(map, i) (map)-&gt;i-&gt;d_un.d_ptr </span></span></span></code></pre></td></tr></table> </div> </div><p>整理一下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="o">*</span><span class="n">rel_addr</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span> </span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">result</span> </span></span><span class="line"><span class="cl"><span class="kt">uint64_t</span> <span class="n">value</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="版本校验">版本校验 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Sanity check that we&#39;re really looking at a PLT relocation. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_TYPE</span><span class="p">)(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">ELF_MACHINE_JMP_SLOT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Look up the target symbol. If the normal lookup rules are not </span></span></span><span class="line"><span class="cl"><span class="cm"> used don&#39;t look in the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_VISIBILITY</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_other</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="k">struct</span> <span class="n">r_found_version</span> <span class="o">*</span><span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="o">*</span><span class="n">vernum</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]);</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="n">ndx</span> <span class="o">=</span> <span class="n">vernum</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)]</span> <span class="o">&amp;</span> <span class="mh">0x7fff</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_versions</span><span class="p">[</span><span class="n">ndx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">version</span><span class="o">-&gt;</span><span class="n">hash</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We need to keep the scope around so do some locking. This is </span></span></span><span class="line"><span class="cl"><span class="cm"> not necessary for objects which cannot be unloaded or when </span></span></span><span class="line"><span class="cl"><span class="cm"> we are not using any threads (yet). */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">DL_LOOKUP_ADD_DEPENDENCY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_SET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span> <span class="o">|=</span> <span class="n">DL_LOOKUP_GSCOPE_LOCK</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>首先要求 <code>reloc-&gt;r_info</code> 的低 4 字节为 7 ,不然报错</p> <p>若 <code>sym-&gt;st_other</code> 为 0 ,则进入 if 内部</p> <p>然后是一层检测,决定是否要进行<strong>版本校验(Version Check)</strong>,检查 <code>l_info[50]</code> 是否为 NULL ,正常情况下不为 NULL ,执行后面 if 内部代码</p> <p>但是进入 if 内部后在 64 位下会报错,因为在 <code>vernum[ELFW(R_SYM) (reloc-&gt;r_info)] &amp; 0x7fff</code> 的过程中,由于我们一般伪造的 symtab 位于 bss 段,导致在 64 位下 <code>reloc-&gt;r_info</code> 较大,发生段错误</p> <p>然后是锁相关操作</p> <h3 id="符号查找">符号查找 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nf">_dl_lookup_symbol_x</span> <span class="p">(</span><span class="n">strtab</span> <span class="o">+</span> <span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_name</span><span class="p">,</span> <span class="cm">/* 参数1: 符号名 */</span> </span></span><span class="line"><span class="cl"> <span class="n">l</span><span class="p">,</span> <span class="cm">/* 参数2: 搜索起始 link_map */</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;</span><span class="n">sym</span><span class="p">,</span> <span class="cm">/* 参数3: 符号结构体指针 (输入/输出) */</span> </span></span><span class="line"><span class="cl"> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_scope</span><span class="p">,</span> <span class="cm">/* 参数4: 搜索范围 (Scope) */</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span><span class="p">,</span> <span class="cm">/* 参数5: 版本信息 */</span> </span></span><span class="line"><span class="cl"> <span class="nf">elf_machine_type_class</span> <span class="p">(</span><span class="n">type</span><span class="p">),</span> <span class="cm">/* 参数6: 类型分类 */</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span><span class="p">,</span> <span class="cm">/* 参数7: 标志位 */</span> </span></span><span class="line"><span class="cl"> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We are done with the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_RESET_FLAG</span> <span class="p">();</span> </span></span></code></pre></td></tr></table> </div> </div><p>进入 _dl_lookup_symbol_x</p> <p>出来后是锁操作</p> <h3 id="收尾处理">收尾处理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Currently result contains the base load address (or link map) </span></span></span><span class="line"><span class="cl"><span class="cm"> of the object that defines sym. Now add in the symbol </span></span></span><span class="line"><span class="cl"><span class="cm"> offset. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">false</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* And now perhaps the relocation addend. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_machine_plt_value</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sym</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_TYPE</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">STT_GNU_IFUNC</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_ifunc_invoke</span> <span class="p">(</span><span class="nf">DL_FIXUP_VALUE_ADDR</span> <span class="p">(</span><span class="n">value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Finally, fix up the plt itself. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">GLRO</span><span class="p">(</span><span class="n">dl_bind_not</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">elf_machine_fixup_plt</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">result</span><span class="p">,</span> <span class="n">refsym</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">rel_addr</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>if 分支:</strong> 当前 result 变量包含了定义该符号的对象的基加载地址(或者 link_map 指针),现在加上符号的偏移量 即 <code>value = result-&gt;l_addr + sym-&gt;st_value</code></p> <p><strong>else 分支:</strong> 我们已经找到了符号,模块(因此也包括它的加载地址)也是已知的 即 <code>value = l-&gt;l_addr + sym-&gt;st_value</code></p> <p>接下来处理 GNU Indirect Function (IFUNC)</p> <p>最后把 value 写入相应的 GOT 表条目中</p> <p>要求 <code>rel_addr = (void *)(l-&gt;l_addr + reloc-&gt;r_offset)</code> 可写</p> <hr> <h2 id="_dl_runtime_resolve-部分分析">_dl_runtime_resolve 部分分析 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-asm" data-lang="asm"><span class="line"><span class="cl"> <span class="c1"># Copy args pushed by PLT in register. </span></span></span><span class="line"><span class="cl"> <span class="c1"># %rdi: link_map, %rsi: reloc_index </span></span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="p">(</span><span class="no">LOCAL_STORAGE_AREA</span> <span class="err">+</span> <span class="mi">8</span><span class="p">)(</span><span class="nv">%BASE</span><span class="p">),</span> <span class="nv">%RSI_LP</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="no">LOCAL_STORAGE_AREA</span><span class="p">(</span><span class="nv">%BASE</span><span class="p">),</span> <span class="nv">%RDI_LP</span> </span></span><span class="line"><span class="cl"> <span class="nf">call</span> <span class="no">_dl_fixup</span> <span class="c1"># Call resolver. </span></span></span></code></pre></td></tr></table> </div> </div><p><code>LOCAL_STORAGE_AREA(%BASE)</code> 为进入 _dl_runtime_resolve 时 rsp 位置上的值,将传入 rdi ,作为 link_map 指针 <code>(LOCAL_STORAGE_AREA + 8)(%BASE)</code> 为进入 _dl_runtime_resolve 时 rsp + 8 位置上的值,将传入 rsi ,作为 reloc_arg (uint32_t)</p> <hr> <h2 id="64-位下利用">64 位下利用 </h2><p>为了避免段错误,我们引导函数执行至以下片段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这要求 <code>sym-&gt;st_other</code> 不为 0</p> <p>然后通过 <code>value = l-&gt;l_addr + sym-&gt;st_value</code> 计算出我们希望写入 got 表中的那个地址</p> <p>我们需要:</p> <ul> <li>伪造 <code>link_map-&gt;l_addr</code> 为 libc 中已解析函数与想要执行的目标函数的偏移值,如 <code>addr_system - addr_xxx</code></li> <li>伪造 <code>sym-&gt;st_value</code> 为已经解析过的某个函数的 got 表的位置,这需要布置 sym 的位置</li> <li>也就是相当于 <code>value = l_addr + st_value = addr_system - addr_xxx + real_xxx = real_system</code></li> </ul> <p>又</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>即</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">sym</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="p">(((</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>再放一遍</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="o">*</span><span class="n">rel_addr</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span> </span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">result</span> </span></span><span class="line"><span class="cl"><span class="kt">uint64_t</span> <span class="n">value</span> </span></span></code></pre></td></tr></table> </div> </div><p>综上,所有需要伪造的数据为:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#stack: </span></span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">l</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">link_map</span> </span></span><span class="line"><span class="cl"><span class="n">reloc_arg</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#rw: </span></span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">link_map</span> <span class="nl">structure</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">l_addr</span> <span class="o">=</span> <span class="n">addr_system</span> <span class="o">-</span> <span class="n">addr_xxx</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_STRTAB</span> <span class="p">(</span><span class="mi">5</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">Null</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_SYMTAB</span> <span class="p">(</span><span class="mi">6</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="n">to</span> <span class="n">fake</span> <span class="n">Elf64_Sym</span> <span class="nf">structure</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_JMPREL</span> <span class="p">(</span><span class="mi">23</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="n">to</span> <span class="n">fake</span> <span class="n">Elf64_Rela</span> <span class="n">structure</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nl">Elf64_Sym</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nf">Elf64_Sym</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nl">Elf64_Rela</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Rela</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Rela</span> <span class="nl">structure</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">r_offset</span> <span class="o">=</span> <span class="n">rwable_addr</span> <span class="o">-</span> <span class="n">l_addr</span> </span></span><span class="line"><span class="cl"> <span class="n">r_info</span> <span class="n">lower</span> <span class="mi">4</span> <span class="n">bytes</span> <span class="o">=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="n">r_info</span> <span class="n">higher</span> <span class="mi">4</span> <span class="n">bytes</span> <span class="o">=</span> <span class="mi">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>根据偏移对 link_map 进行压缩布局:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="mh">0x00</span><span class="o">--</span><span class="mh">0x08</span> <span class="n">l_addr</span> <span class="o">=</span> <span class="n">addr_system</span> <span class="o">-</span> <span class="n">addr_xxx</span> </span></span><span class="line"><span class="cl"><span class="mh">0x08</span><span class="o">--</span><span class="mh">0x10</span> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nf">Elf64_Sym</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mh">0x10</span><span class="o">--</span><span class="mh">0x18</span> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="mh">0x18</span> </span></span><span class="line"><span class="cl"><span class="mh">0x18</span><span class="o">--</span><span class="mh">0x20</span> <span class="n">r_offset</span> <span class="o">=</span> <span class="n">rwable_addr</span> <span class="o">-</span> <span class="n">l_addr</span> </span></span><span class="line"><span class="cl"><span class="mh">0x18</span><span class="o">--</span><span class="mh">0x20</span> <span class="n">r_info</span> <span class="o">=</span> <span class="mh">0x00000007</span> </span></span><span class="line"><span class="cl"><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="mh">0x38</span><span class="o">--</span><span class="mi">0</span><span class="n">x</span><span class="o">??</span> <span class="n">l_info</span> </span></span><span class="line"><span class="cl"><span class="mh">0x68</span><span class="o">--</span><span class="mh">0x70</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_STRTAB</span> <span class="p">(</span><span class="mi">5</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x00</span> </span></span><span class="line"><span class="cl"><span class="mh">0x70</span><span class="o">--</span><span class="mh">0x78</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_SYMTAB</span> <span class="p">(</span><span class="mi">6</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x00</span> </span></span><span class="line"><span class="cl"><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="mh">0xF8</span><span class="o">--</span><span class="mh">0x100</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_JMPREL</span> <span class="p">(</span><span class="mi">23</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x08</span> </span></span></code></pre></td></tr></table> </div> </div><p>stack 布局:</p> <p>注意 _dl_runtime_resolve 有点像 srop 会还原寄存器</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">0 高地址 </span></span><span class="line"><span class="cl">fake_link_map_base_addr </span></span><span class="line"><span class="cl">ret2plt0 </span></span><span class="line"><span class="cl">寄存器操作 rop 链 低地址 </span></span></code></pre></td></tr></table> </div> </div>glibc-2.35 ptmalloc2 分析https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.35-ptmalloc2/Mon, 08 Dec 2025 19:07:00 +0000https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.35-ptmalloc2/<img src="https://blog.ratherhard.com/" alt="Featured image of post glibc-2.35 ptmalloc2 分析" /><h1 id="重要结构">重要结构 </h1><h2 id="常数速查">常数速查 </h2><p>以 64 位为准</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">SIZE_SZ</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="n">MALLOC_ALIGNMENT</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"><span class="n">MALLOC_ALIGN_MASK</span> <span class="mi">0</span><span class="n">b1111</span> </span></span><span class="line"><span class="cl"><span class="n">MINSIZE</span> <span class="mi">32</span> </span></span><span class="line"><span class="cl"><span class="n">TCACHE_MAX_BINS</span> <span class="mi">64</span> </span></span><span class="line"><span class="cl"><span class="n">TCACHE_FILL_COUNT</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="n">CHUNK_HDR_SZ</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"><span class="n">SMALLBIN_WIDTH</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"><span class="n">SMALLBIN_CORRECTION</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">MIN_LARGE_SIZE</span> <span class="mi">1024</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="chunk">chunk </h2><p><strong>chunk</strong> 是内存分配的基本单位,它其实是一个内存块。chunk 被分配 (malloc) 后能够存储用户数据,空闲时 (free) 能够插入 bin 中,随时做好被分配的准备。</p> <p>程序向操作系统申请一块连续的堆区域后,该块区域整体初始化为一个 <strong>top chunk</strong> ,第一次 malloc 的操作可以理解为从 top chunk 中分割出一块内存供程序使用。</p> <p>我们把 chunk 划分为两个部分: <strong>chunk_header</strong> 和 <strong>chunk_content</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">+--------------------+ 低地址 </span></span><span class="line"><span class="cl">| chunk_header | </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| chunk_content | </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">| | </span></span><span class="line"><span class="cl">+--------------------+ 高地址 </span></span></code></pre></td></tr></table> </div> </div><p>下面的 malloc_chunk 中的 mchunk_prev_size 和 mchunk_size 即 chunk_header</p> <h3 id="malloc_chunk-结构体">malloc_chunk 结构体 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">malloc_chunk</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">mchunk_prev_size</span><span class="p">;</span> <span class="cm">/* Size of previous chunk (if free). */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">mchunk_size</span><span class="p">;</span> <span class="cm">/* Size in bytes, including overhead. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_chunk</span><span class="o">*</span> <span class="n">fd</span><span class="p">;</span> <span class="cm">/* double links -- used only if free. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_chunk</span><span class="o">*</span> <span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Only used for large blocks: pointer to next larger size. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_chunk</span><span class="o">*</span> <span class="n">fd_nextsize</span><span class="p">;</span> <span class="cm">/* double links -- used only if free. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_chunk</span><span class="o">*</span> <span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>主要字段说明如下:</p> <ul> <li><strong>mchunk_prev_size</strong> :8 字节,简称 <strong>prev_size</strong>,表示前一个 chunk 的大小。</li> <li><strong>mchunk_size</strong> :8 字节,简称 <strong>size</strong> ,表示当前 chunk 的大小。size 的低 3 位是标志位,3 个标志说明如下: <ul> <li><strong>PREV_INUSE</strong> ( P 位):最低位,表示前一个 chunk 是否在某个 bin 中,0 表示前一个 chunk 在某个 bin 中,1 表示前一个 chunk 不在任何 bin 中。</li> <li><strong>IS_MMAPPED</strong> ( M 位):第二低位,表示当前 chunk 是否通过 mmap 分配, 1 是 0 否。若 M 位为 1 ,则忽略 A 位和 P 位。</li> <li><strong>NON_MAIN_ARENA</strong> ( A 位):第三低位,表示当前 chunk 是否属于主线程的分配区( malloc_state ), 0 是 1 否。</li> </ul> </li> <li><strong>fd</strong> :8 字节,指向下一个(先进入链表)空闲 chunk 的指针。这个字段仅在当前 chunk 是空闲时有效。如果当前 chunk 已分配,那么fd字段被复用为可用内存( 8 字节)。</li> <li><strong>bk</strong> :指向前一个(后进入链表)空闲 chunk 的指针。该字段和fd功能类似。</li> <li><strong>fd_nextsize</strong> :8 字节,largebins 中指向下一个(先进入链表)比当前 chunk 小的空闲 chunk 。用于 largebins 快速查找不同大小的空闲 chunk ,提高分配效率,如果当前 chunk 是已分配的,那么 fd_nextsize 字段被复用为可用内存( 8 字节)。</li> <li><strong>bk_nextsize</strong> :8 字节,largebins 中指向前一个(后进入链表)比当前 chunk 大的空闲 chunk ,和 fd_nextsize 功能类似。</li> </ul> <h2 id="malloc_state-结构体">malloc_state 结构体 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">malloc_state</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Serialize access. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_define</span> <span class="p">(,</span> <span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Flags (formerly in max_fast). */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">flags</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Set if the fastbin chunks contain recently inserted free blocks. */</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Note this is a bool but not all targets support atomics on booleans. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">have_fastchunks</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Fastbins */</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="n">fastbinsY</span><span class="p">[</span><span class="n">NFASTBINS</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Base of the topmost chunk -- not otherwise kept in a bin */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* The remainder from the most recent split of a small request */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">last_remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Normal bins packed as described above */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bins</span><span class="p">[</span><span class="n">NBINS</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">-</span> <span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Bitmap of bins */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">binmap</span><span class="p">[</span><span class="n">BINMAPSIZE</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Linked list */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_state</span> <span class="o">*</span><span class="n">next</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Linked list for free arenas. Access to this field is serialized </span></span></span><span class="line"><span class="cl"><span class="cm"> by free_list_lock in arena.c. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">malloc_state</span> <span class="o">*</span><span class="n">next_free</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Number of threads attached to this arena. 0 if the arena is on </span></span></span><span class="line"><span class="cl"><span class="cm"> the free list. Access to this field is serialized by </span></span></span><span class="line"><span class="cl"><span class="cm"> free_list_lock in arena.c. */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">attached_threads</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Memory allocated from the system in this arena. */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">system_mem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">max_system_mem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>struct malloc_state 是 glibc 内存分配器的核心数据结构,通常被称为 <strong>Arena</strong> 。它保存了一个分配区的所有元数据、空闲链表状态以及统计信息。</p> <p>以下是对其所有成员的深度解析:</p> <p><strong>1. 并发控制与标志</strong></p> <ul> <li> <p><strong><code>__libc_lock_define (, mutex);</code></strong></p> <ul> <li><strong>用途</strong>:互斥锁。</li> <li><strong>解析</strong>:由于多个线程可能共享同一个 Arena,在进行分配或释放操作(修改 Bins 链表等)之前,线程必须先获取这把锁。主分配区和线程分配区都靠它实现线程安全。</li> </ul> </li> <li> <p><strong><code>int flags;</code></strong></p> <ul> <li><strong>用途</strong>:分配区状态标志。</li> <li><strong>解析</strong>:存储一些底层状态。最重要的是 CONTIGUOUS_BIT (0x2) ,用于标记该 Arena 管理的内存空间是否是连续的(主分配区通常是连续的,通过 brk 扩展;非主分配区由多个 mmap 堆组成,可能不连续)。</li> </ul> </li> <li> <p><strong><code>int have_fastchunks;</code></strong></p> <ul> <li><strong>用途</strong>:快速标记 fastbins 是否为空。</li> <li><strong>解析</strong>:这是一个布尔优化的标志。当有块进入 fastbin 时设为 1。在 malloc 的某些路径(如 malloc_consolidate )中,它会先检查这个位,如果是 0 就直接跳过,从而节省扫描整个 fastbinsY 数组的时间。</li> </ul> </li> </ul> <p><strong>2. 核心堆块容器 (Bins)</strong></p> <ul> <li> <p><strong><code>mfastbinptr fastbinsY[NFASTBINS];</code></strong></p> <ul> <li><strong>用途</strong>:<strong>Fastbins</strong> 链表数组。</li> <li><strong>解析</strong>:专门处理小内存块(默认 64 位下 16~128 字节)的<strong>单向链表</strong>。Fastbin 中的块不会被合并(除非触发 consolidate),因此分配速度极快。NFASTBINS 通常为 10。</li> </ul> </li> <li> <p><strong><code>mchunkptr top;</code></strong></p> <ul> <li><strong>用途</strong>:<strong>Top Chunk</strong> 指针。</li> <li><strong>解析</strong>:指向当前 Arena 中位置最高、也是最后一块待分配的大内存区域。当所有的 Bins(Fast, Small, Large, Unsorted)都无法满足分配需求时,malloc 会从 Top Chunk 中“切”出一块内存。如果 Top Chunk 也不够,则会调用 sbrk 或 mmap 向系统申请。</li> </ul> </li> <li> <p><strong><code>mchunkptr last_remainder;</code></strong></p> <ul> <li><strong>用途</strong>:<strong>Last Remainder Chunk</strong>。</li> <li><strong>解析</strong>:这是一种特殊优化。当分配一个 Small Chunk,而 Unsorted Bin 中只有一块较大的空闲块时,大块会被分割,剩下的部分就存放在 last_remainder。这样可以提高<strong>局部性</strong>,即连续的小分配请求更有可能来自同一物理区域。</li> </ul> </li> <li> <p><strong><code>mchunkptr bins[NBINS * 2 - 2];</code></strong></p> <ul> <li><strong>用途</strong>:<strong>普通 Bins</strong> 数组(Unsorted, Small, Large)。</li> <li><strong>解析</strong>:这是 malloc 的主要仓库。 <ul> <li>它是双向链表。</li> <li><code>bins[0]</code> 不使用,<code>bins[1]</code> 是 <strong>Unsorted Bin</strong>(最近释放且未分类的块)。</li> <li>后续是 <strong>Small Bins</strong>(固定大小)和 <strong>Large Bins</strong>(范围大小)。</li> <li>为什么是 <code>* 2</code>?因为每个 bin 需要一对 fd(前驱)和 bk(后继)指针来表示链表头。</li> </ul> </li> </ul> </li> </ul> <p><strong>3. 查询优化</strong></p> <ul> <li><strong><code>unsigned int binmap[BINMAPSIZE];</code></strong> <ul> <li><strong>用途</strong>:<strong>Bins 位图</strong>。</li> <li><strong>解析</strong>:为了快速定位哪个 bin 里有空闲内存。位图中的每一位对应 bins 数组中的一个 bin。malloc 使用位运算指令(如 ffs )快速找到非空的 bin,而不需要遍历 126 个 bin。</li> </ul> </li> </ul> <p><strong>4. 链表结构与统计</strong></p> <ul> <li> <p><strong><code>struct malloc_state *next;</code></strong></p> <ul> <li><strong>用途</strong>:全局 Arena 链表。</li> <li><strong>解析</strong>:所有的 Arena 都通过这个指针连成一串。main_arena 位于链表首部。当线程找不到可用 Arena 时,会沿着这个指针寻找。</li> </ul> </li> <li> <p><strong><code>struct malloc_state *next_free;</code></strong></p> <ul> <li><strong>用途</strong>:空闲 Arena 链表。</li> <li><strong>解析</strong>:当一个线程退出时,它绑定的 Arena 会被放入这个“空闲链表”,以便下一个新创建的线程复用。</li> </ul> </li> <li> <p><strong><code>INTERNAL_SIZE_T attached_threads;</code></strong></p> <ul> <li><strong>用途</strong>:引用计数。</li> <li><strong>解析</strong>:统计当前有多少个线程正在使用(绑定)这个 Arena。这有助于 glibc 决定是否需要创建新的 Arena 来降低竞争。</li> </ul> </li> <li> <p><strong><code>INTERNAL_SIZE_T system_mem;</code></strong></p> <ul> <li><strong>用途</strong>:当前分配区占用的系统内存总量。</li> <li><strong>解析</strong>:记录了从操作系统(brk/mmap)拿到的总字节数。</li> </ul> </li> <li> <p><strong><code>INTERNAL_SIZE_T max_system_mem;</code></strong></p> <ul> <li><strong>用途</strong>:历史峰值内存。</li> <li><strong>解析</strong>:记录 system_mem 曾达到的最大值。</li> </ul> </li> </ul> <h2 id="malloc_par-结构体">malloc_par 结构体 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">malloc_par</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Tunable parameters */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">trim_threshold</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">top_pad</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">mmap_threshold</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">arena_test</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">arena_max</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if HAVE_TUNABLES </span></span></span><span class="line"><span class="cl"> <span class="cm">/* Transparent Large Page support. */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">thp_pagesize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* A value different than 0 means to align mmap allocation to hp_pagesize </span></span></span><span class="line"><span class="cl"><span class="cm"> add hp_flags on flags. */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">hp_pagesize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">hp_flags</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Memory map support */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">n_mmaps</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">n_mmaps_max</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">max_n_mmaps</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* the mmap_threshold is dynamic, until the user sets </span></span></span><span class="line"><span class="cl"><span class="cm"> it manually, at which point we need to disable any </span></span></span><span class="line"><span class="cl"><span class="cm"> dynamic behavior. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">no_dyn_threshold</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Statistics */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">mmapped_mem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">max_mmapped_mem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* First address handed out by MORECORE/sbrk. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">sbrk_base</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* Maximum number of buckets to use. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_bins</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_max_bytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Maximum number of chunks in each bucket. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Maximum number of chunks to remove from the unsorted list, which </span></span></span><span class="line"><span class="cl"><span class="cm"> aren&#39;t used to prefill the cache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_unsorted_limit</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>struct malloc_par(通常在源码中以全局变量 mp_ 形式存在)是 glibc 内存分配器的<strong>全局配置参数表</strong>。</p> <p>与 malloc_state(管理具体的内存块)不同,malloc_par 负责控制<strong>分配器的整体行为策略</strong>(如:什么时候用 mmap 而不是 sbrk ? Tcache 的限制是多少?)。</p> <p>以下是所有成员的分块解析:</p> <p><strong>1. 核心可调参数 (Tunables)</strong> 这些参数直接影响分配器的性能和内存碎片控制:</p> <ul> <li><strong><code>unsigned long trim_threshold;</code></strong> <ul> <li><strong>用途</strong>:收缩阈值。</li> <li><strong>解析</strong>:当 top chunk 的大小超过这个值时,malloc 会尝试调用 malloc_trim 将空闲内存归还给操作系统。默认通常为 128KB。</li> </ul> </li> <li><strong><code>INTERNAL_SIZE_T top_pad;</code></strong> <ul> <li><strong>用途</strong>:堆顶填充。</li> <li><strong>解析</strong>:每次通过 sbrk 扩展堆时,会额外申请这么多的空间,以减少未来频繁调用系统调用的次数。</li> </ul> </li> <li><strong><code>INTERNAL_SIZE_T mmap_threshold;</code></strong> <ul> <li><strong>用途</strong>:<strong>mmap 阈值</strong>(非常关键)。</li> <li><strong>解析</strong>:当申请的字节数大于此值时,malloc 不从堆分配,而是直接调用 mmap。这有助于防止大块内存产生的空洞阻塞堆的收缩。</li> </ul> </li> <li><strong><code>INTERNAL_SIZE_T arena_test;</code></strong> <ul> <li><strong>用途</strong>:Arena 冲突检测阈值。</li> <li><strong>解析</strong>:用于决定何时创建新 Arena。在 64 位系统上,通常在 CPU 核心数较多时,以此为参考动态增加 Arena 数量。</li> </ul> </li> <li><strong><code>INTERNAL_SIZE_T arena_max;</code></strong> <ul> <li><strong>用途</strong>:<strong>Arena 最大数量限制</strong>。</li> <li><strong>解析</strong>:限制进程可以创建的 Arena 总数(通常 64 位下为 8 * 核心数 )。防止 Arena 过多导致内存浪费。</li> </ul> </li> </ul> <p><strong>2. 大页内存支持 (Large Pages)</strong></p> <ul> <li><strong><code>INTERNAL_SIZE_T thp_pagesize;</code></strong>:透明大页(Transparent Large Pages)的大小。</li> <li><strong><code>INTERNAL_SIZE_T hp_pagesize;</code></strong>:显式大页(Huge Pages)的大小。</li> <li><strong><code>int hp_flags;</code></strong>:调用 mmap 时传递给内核的大页标志位(如 MAP_HUGETLB )。</li> </ul> <p><strong>3. Mmap 状态与动态阈值</strong></p> <ul> <li><strong><code>int n_mmaps;</code></strong>:当前正在使用的通过 mmap 分配的块的数量。</li> <li><strong><code>int n_mmaps_max;</code></strong>:历史上同时存在的 mmap 块的最大数量。</li> <li><strong><code>int max_n_mmaps;</code></strong>:允许的 mmap 块的最大数量限制。</li> <li><strong><code>int no_dyn_threshold;</code></strong> <ul> <li><strong>解析</strong>:glibc 默认会<strong>动态调整</strong> mmap_threshold(根据已释放的块大小自动调优)。如果用户通过 mallopt 手动设置了阈值,该变量会置 1,关闭自动调整逻辑。</li> </ul> </li> </ul> <p><strong>4. 统计信息</strong></p> <ul> <li><strong><code>INTERNAL_SIZE_T mmapped_mem;</code></strong>:当前通过 mmap 分配的内存总字节数。</li> <li><strong><code>INTERNAL_SIZE_T max_mmapped_mem;</code></strong>:历史上 mmapped_mem 达到的峰值。</li> </ul> <p><strong>5. 堆基址</strong></p> <ul> <li><strong><code>char *sbrk_base;</code></strong> <ul> <li><strong>解析</strong>:程序第一次调用 sbrk 时返回的地址。它标记了主堆区域的起始位置,用于判断某个指针是否属于主堆。</li> </ul> </li> </ul> <p><strong>6. Tcache 机制参数</strong></p> <ul> <li><strong><code>size_t tcache_bins;</code></strong> <ul> <li><strong>解析</strong>:Tcache 链表的数量。默认是 <strong>64</strong>。</li> </ul> </li> <li><strong><code>size_t tcache_max_bytes;</code></strong> <ul> <li><strong>解析</strong>:Tcache 能够容纳的最大块大小。默认通常是 <strong>1032 字节</strong>(64位)。超过此大小的 free 块不会进入 Tcache。</li> </ul> </li> <li><strong><code>size_t tcache_count;</code></strong> <ul> <li><strong>解析</strong>:<strong>每个 Tcache Bin 存放块的数量限制</strong>。默认是 <strong>7</strong>。如果某个 size 的 Tcache 已经有 7 个块了,再 free 的块就会进入 Fastbin 或 Unsorted Bin。</li> </ul> </li> <li><strong><code>size_t tcache_unsorted_limit;</code></strong> <ul> <li><strong>解析</strong>:当从 Unsorted Bin 批量取块填补 Tcache 时的数量限制。防止单次分配在整理链表上耗时过长。</li> </ul> </li> </ul> <h2 id="main_arena-配置">main_arena 配置 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* There are several instances of this struct (&#34;arenas&#34;) in this </span></span></span><span class="line"><span class="cl"><span class="cm"> malloc. If you are adapting this malloc in a way that does NOT use </span></span></span><span class="line"><span class="cl"><span class="cm"> a static or mmapped malloc_state, you MUST explicitly zero-fill it </span></span></span><span class="line"><span class="cl"><span class="cm"> before using. This malloc relies on the property that malloc_state </span></span></span><span class="line"><span class="cl"><span class="cm"> is initialized to all zeroes (as is true of C statics). */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">struct</span> <span class="n">malloc_state</span> <span class="n">main_arena</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">mutex</span> <span class="o">=</span> <span class="n">_LIBC_LOCK_INITIALIZER</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">next</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">attached_threads</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>main_arena 存在于 libc.so 的数据段,地址是固定的;而 Thread Arena 是动态 mmap 出来的,它是唯一一个在 main() 函数执行前就已经存在的分配区,且它是整个分配区循环链表的头结点。</p> <h2 id="mp_-配置">mp_ 配置 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* There is only one instance of the malloc parameters. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">struct</span> <span class="n">malloc_par</span> <span class="n">mp_</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">top_pad</span> <span class="o">=</span> <span class="n">DEFAULT_TOP_PAD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">n_mmaps_max</span> <span class="o">=</span> <span class="n">DEFAULT_MMAP_MAX</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">mmap_threshold</span> <span class="o">=</span> <span class="n">DEFAULT_MMAP_THRESHOLD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">trim_threshold</span> <span class="o">=</span> <span class="n">DEFAULT_TRIM_THRESHOLD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp">#define NARENAS_FROM_NCORES(n) ((n) * (sizeof (long) == 4 ? 2 : 8)) </span></span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">arena_test</span> <span class="o">=</span> <span class="nf">NARENAS_FROM_NCORES</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_count</span> <span class="o">=</span> <span class="n">TCACHE_FILL_COUNT</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_bins</span> <span class="o">=</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_max_bytes</span> <span class="o">=</span> <span class="nf">tidx2usize</span> <span class="p">(</span><span class="n">TCACHE_MAX_BINS</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_unsorted_limit</span> <span class="o">=</span> <span class="mi">0</span> <span class="cm">/* No limit. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><p>如果说 main_arena 是堆管理的“执行者”,那么 mp_ 就是“策略制定者”。它定义了分配器在全局范围内如何与操作系统交互。</p> <p><strong>1. 堆扩展与收缩策略</strong></p> <ul> <li><strong><code>.top_pad = DEFAULT_TOP_PAD</code></strong> <ul> <li><strong>默认值</strong>:通常为 0。</li> <li><strong>作用</strong>:当 malloc 通过 sbrk 增加堆空间时,额外申请的“填充”大小。虽然默认为 0,但在实际运行中,分配器可能会为了减少系统调用次数而申请比需求更多的空间。</li> </ul> </li> <li><strong><code>.trim_threshold = DEFAULT_TRIM_THRESHOLD</code></strong> <ul> <li><strong>默认值</strong>:128 KB。</li> <li><strong>作用</strong>:收缩阈值。当 top chunk的空闲空间超过这个值时,free 会自动调用 sbrk(-size) 将内存归还给内核。</li> </ul> </li> <li><strong><code>.mmap_threshold = DEFAULT_MMAP_THRESHOLD</code></strong> <ul> <li><strong>默认值</strong>:128 KB。</li> <li><strong>作用</strong>:<strong>核心决策点</strong>。如果用户申请的内存大于此值,free 将放弃从堆分配,转而使用 mmap 直接向内核申请一块独立的匿名映射区域。</li> <li><strong>动态特性</strong>:在现代 glibc 中,如果没有手动设置此值,它会根据已释放块的大小<strong>动态增长</strong>,以减少频繁 mmap/munmap 带来的性能抖动。</li> </ul> </li> </ul> <p><strong>2. Mmap 限制</strong></p> <ul> <li><strong><code>.n_mmaps_max = DEFAULT_MMAP_MAX</code></strong> <ul> <li><strong>默认值</strong>:通常是 65536。</li> <li><strong>作用</strong>:限制进程同时拥有的 mmap 分配块的总数。这是为了防止大量零碎的 mmap 耗尽操作系统的虚拟内存区域资源。</li> </ul> </li> </ul> <p><strong>3. Arena 创建逻辑</strong></p> <ul> <li><strong><code>.arena_test = NARENAS_FROM_NCORES (1)</code></strong></li> <li><strong>宏定义解析</strong>:<code>#define NARENAS_FROM_NCORES(n) ((n) * (sizeof (long) == 4 ? 2 : 8))</code> <ul> <li><strong>32位系统 (long=4)</strong>:每个核心对应 2 个 Arena。</li> <li><strong>64位系统 (long=8)</strong>:每个核心对应 8 个 Arena。</li> <li><strong>逻辑说明</strong>:这里初始化传入参数为 1。意味着在单核配置参考下,64位系统默认“预设”了 8 个 Arena 的探测阈值。</li> <li><strong>设计目的</strong>:这是为了在性能(减少锁竞争)和内存( Arena 结构体本身占空间)之间取得平衡。64位系统内存大,所以允许创建更多的 Arena(最高可达 8 * 核心数 )。</li> </ul> </li> </ul> <p><strong>4. Tcache (Thread Local Cache) 配置</strong> 这是 glibc 2.26+ 性能大幅提升的关键,它在 malloc_state 之外为每个线程提供了一层极速缓存。</p> <ul> <li><strong><code>.tcache_count = TCACHE_FILL_COUNT</code></strong> <ul> <li><strong>默认值</strong>:<strong>7</strong>。</li> <li><strong>作用</strong>:每个 Tcache bin 最多存放多少个空闲块。如果一个线程连续释放 10 个 0x20 的块,前 7 个进 Tcache,后 3 个才会进全局的 Fastbin。</li> </ul> </li> <li><strong><code>.tcache_bins = TCACHE_MAX_BINS</code></strong> <ul> <li><strong>默认值</strong>:<strong>64</strong>。</li> <li><strong>作用</strong>:Tcache 覆盖的大小范围数量。</li> </ul> </li> <li><strong><code>.tcache_max_bytes = tidx2usize (TCACHE_MAX_BINS-1)</code></strong> <ul> <li><strong>默认值</strong>:通常是 <strong>1032 字节</strong> (64位系统)。</li> <li><strong>作用</strong>:Tcache 管理的最大块尺寸。在这个尺寸以下的内存申请,都会优先检查线程本地缓存,<strong>不需要加锁</strong>,速度极快。</li> </ul> </li> <li><strong><code>.tcache_unsorted_limit = 0</code></strong> <ul> <li><strong>作用</strong>:限制从 <code>unsorted bin</code> 搬运块到 Tcache 的数量。设置为 <code>0</code> 表示<strong>不限制</strong>,即尽可能填满 Tcache 桶。</li> </ul> </li> </ul> <hr> <h1 id="__libc_malloc-源码分析">__libc_malloc 源码分析 </h1><h2 id="__libc_malloc-源码">__libc_malloc 源码 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">void</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">__libc_malloc</span> <span class="p">(</span><span class="kt">size_t</span> <span class="n">bytes</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mstate</span> <span class="n">ar_ptr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">_Static_assert</span> <span class="p">(</span><span class="n">PTRDIFF_MAX</span> <span class="o">&lt;=</span> <span class="n">SIZE_MAX</span> <span class="o">/</span> <span class="mi">2</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;PTRDIFF_MAX is not more than half of SIZE_MAX&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">__malloc_initialized</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">ptmalloc_init</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* int_free also calls request2size, be careful to not pad twice. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tbytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">checked_request2size</span> <span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">tbytes</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__set_errno</span> <span class="p">(</span><span class="n">ENOMEM</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">tbytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">MAYBE_INIT_TCACHE</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">DIAG_PUSH_NEEDS_COMMENT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">DIAG_POP_NEEDS_COMMENT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="nf">_int_malloc</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">main_arena</span><span class="p">,</span> <span class="n">bytes</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">||</span> <span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">||</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">==</span> <span class="nf">arena_for_chunk</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">arena_get</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Retry with another arena only if we were able to find a usable arena </span></span></span><span class="line"><span class="cl"><span class="cm"> before. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">&amp;&amp;</span> <span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_malloc_retry</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="nf">arena_get_retry</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">||</span> <span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">||</span> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">==</span> <span class="nf">arena_for_chunk</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nf">libc_hidden_def</span> <span class="p">(</span><span class="n">__libc_malloc</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="tcache-相关">Tcache 相关 </h2><h3 id="调用-checked_request2size">调用 checked_request2size </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* int_free also calls request2size, be careful to not pad twice. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tbytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">checked_request2size</span> <span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">tbytes</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__set_errno</span> <span class="p">(</span><span class="n">ENOMEM</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>checked_request2size 负责检查 bytes 是否会导致溢出,并根据申请的 bytes 计算实际应分配的内存大小,用 tbytes 记录,这块内存大小即 chunk 的实际大小</p> <p>request2size 宏中 SIZE_SZ 为 size_t 类型的大小, MALLOC_ALIGN_MASK 为 MALLOC_ALIGNMENT - 1 ,其中 MALLOC_ALIGNMENT 是内存对齐的字节数, MINSIZE 为堆分配的最小字节数</p> <p>64 位下, SIZE_SZ 为 8 , MALLOC_ALIGNMENT 为 16 , MALLOC_ALIGN_MASK 为 0b1111 , MINSIZE 为 32 32 位下, SIZE_SZ 为 4 , MALLOC_ALIGNMENT 为 8 , MALLOC_ALIGN_MASK 为 0b111 , MINSIZE 为 16</p> <p>64 位 下 request2size 满足 0x8 舍 0x9 入: 0x28 -&gt; 0x30 , 0x29 -&gt; 0x40 ,其结果是对齐 16 位的</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* pad request bytes into a usable size -- internal version */</span> </span></span><span class="line"><span class="cl"><span class="cm">/* Note: This must be a macro that evaluates to a compile time constant </span></span></span><span class="line"><span class="cl"><span class="cm"> if passed a literal constant. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define request2size(req) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (((req) + SIZE_SZ + MALLOC_ALIGN_MASK &lt; MINSIZE) ? \ </span></span></span><span class="line"><span class="cl"><span class="cp"> MINSIZE : \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) &amp; ~MALLOC_ALIGN_MASK) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* Check if REQ overflows when padded and aligned and if the resulting value </span></span></span><span class="line"><span class="cl"><span class="cm"> is less than PTRDIFF_T. Returns TRUE and the requested size or MINSIZE in </span></span></span><span class="line"><span class="cl"><span class="cm"> case the value is less than MINSIZE on SZ or false if any of the previous </span></span></span><span class="line"><span class="cl"><span class="cm"> check fail. */</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kr">inline</span> <span class="kt">bool</span> </span></span><span class="line"><span class="cl"><span class="nf">checked_request2size</span> <span class="p">(</span><span class="kt">size_t</span> <span class="n">req</span><span class="p">,</span> <span class="kt">size_t</span> <span class="o">*</span><span class="n">sz</span><span class="p">)</span> <span class="nf">__nonnull</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">req</span> <span class="o">&gt;</span> <span class="n">PTRDIFF_MAX</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* When using tagged memory, we cannot share the end of the user </span></span></span><span class="line"><span class="cl"><span class="cm"> block with the header for the next chunk, so ensure that we </span></span></span><span class="line"><span class="cl"><span class="cm"> allocate blocks that are rounded up to the granule size. Take </span></span></span><span class="line"><span class="cl"><span class="cm"> care not to overflow from close to MAX_SIZE_T to a small </span></span></span><span class="line"><span class="cl"><span class="cm"> number. Ideally, this would be part of request2size(), but that </span></span></span><span class="line"><span class="cl"><span class="cm"> must be a macro that produces a compile time constant if passed </span></span></span><span class="line"><span class="cl"><span class="cm"> a constant literal. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">mtag_enabled</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Ensure this is not evaluated if !mtag_enabled, see gcc PR 99551. */</span> </span></span><span class="line"><span class="cl"> <span class="k">asm</span> <span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">req</span> <span class="o">=</span> <span class="p">(</span><span class="n">req</span> <span class="o">+</span> <span class="p">(</span><span class="n">__MTAG_GRANULE_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">&amp;</span> </span></span><span class="line"><span class="cl"> <span class="o">~</span><span class="p">(</span><span class="kt">size_t</span><span class="p">)(</span><span class="n">__MTAG_GRANULE_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">sz</span> <span class="o">=</span> <span class="nf">request2size</span> <span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="调用-csize2tidx">调用 csize2tidx </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">tbytes</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>回到 __libc_malloc ,csize2tidx 负责将分配的字节数 nb 线性映射为对应 num_slots 和 entries 的下标 tc_idx,即 0x20 -&gt; 0 , 0x30 -&gt; 1 &hellip; 0x410 -&gt; 63</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* When &#34;x&#34; is from chunksize(). */</span> </span></span><span class="line"><span class="cl"><span class="cp"># define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT) </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* The smallest size we can malloc is an aligned minimal chunk */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define MINSIZE \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) &amp; ~MALLOC_ALIGN_MASK)) </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="初始化-tcache">初始化 Tcache </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="nf">MAYBE_INIT_TCACHE</span> <span class="p">();</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="tcache_init-源码">tcache_init 源码 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define MAYBE_INIT_TCACHE() \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (__glibc_unlikely (tcache == NULL)) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> tcache_init(); </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">tcache_init</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mstate</span> <span class="n">ar_ptr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">victim</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">size_t</span> <span class="n">bytes</span> <span class="o">=</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache_shutting_down</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">arena_get</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">&amp;&amp;</span> <span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="nf">arena_get_retry</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* In a low memory situation, we may not be able to allocate memory </span></span></span><span class="line"><span class="cl"><span class="cm"> - in which case, we just keep trying later. However, we </span></span></span><span class="line"><span class="cl"><span class="cm"> typically do this very early, so either there is sufficient </span></span></span><span class="line"><span class="cl"><span class="cm"> memory, or there isn&#39;t enough memory to do non-trivial </span></span></span><span class="line"><span class="cl"><span class="cm"> allocations anyway. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span> <span class="o">*</span><span class="p">)</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span> <span class="p">(</span><span class="n">tcache</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>tcache_init 展示了 malloc 是如何“自举”的。为了实现无锁的 Tcache 分配,它必须先通过有锁的 _int_malloc 分配出 Tcache 结构。这意味着每个线程的第一次 malloc 总是比较慢的,因为要进 tcache_init 走加锁路径</p> <h3 id="分配-tcache">分配 Tcache </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">DIAG_PUSH_NEEDS_COMMENT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">DIAG_POP_NEEDS_COMMENT</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>当 tc_idx 未超界且 tcache 中存在 free chunk 时使用 tcache_get (tc_idx) 获取一个 chunk 并将该 chunk 标记为 usable</p> <h4 id="mp_-结构体">mp_ 结构体 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* There is only one instance of the malloc parameters. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">struct</span> <span class="n">malloc_par</span> <span class="n">mp_</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">top_pad</span> <span class="o">=</span> <span class="n">DEFAULT_TOP_PAD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">n_mmaps_max</span> <span class="o">=</span> <span class="n">DEFAULT_MMAP_MAX</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">mmap_threshold</span> <span class="o">=</span> <span class="n">DEFAULT_MMAP_THRESHOLD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">trim_threshold</span> <span class="o">=</span> <span class="n">DEFAULT_TRIM_THRESHOLD</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp">#define NARENAS_FROM_NCORES(n) ((n) * (sizeof (long) == 4 ? 2 : 8)) </span></span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">arena_test</span> <span class="o">=</span> <span class="nf">NARENAS_FROM_NCORES</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_count</span> <span class="o">=</span> <span class="n">TCACHE_FILL_COUNT</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_bins</span> <span class="o">=</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_max_bytes</span> <span class="o">=</span> <span class="nf">tidx2usize</span> <span class="p">(</span><span class="n">TCACHE_MAX_BINS</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="n">tcache_unsorted_limit</span> <span class="o">=</span> <span class="mi">0</span> <span class="cm">/* No limit. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> <span class="o">=</span> <span class="n">TCACHE_FILL_COUNT</span> <span class="o">=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> <span class="o">=</span> <span class="n">TCACHE_MAX_BINS</span> <span class="o">=</span> <span class="mi">64</span> </span></span><span class="line"><span class="cl"><span class="n">mp_</span><span class="p">.</span><span class="n">tcache_max_bytes</span> <span class="o">=</span> <span class="nf">tidx2usize</span> <span class="p">(</span><span class="n">TCACHE_MAX_BINS</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="mh">0x408</span> </span></span></code></pre></td></tr></table> </div> </div><p>由此可知,tc_idx 上限为 63,仅 0x20 , 0x30 &hellip; 0x410 大小的 chunk 会被 Tcache 管辖</p> <h4 id="tcache-结构体">Tcache 结构体 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* We overlay this structure on the user-data portion of a chunk when </span></span></span><span class="line"><span class="cl"><span class="cm"> the chunk is stored in the per-thread cache. */</span> </span></span><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">tcache_entry</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">next</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* This field exists to detect double frees. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">uintptr_t</span> <span class="n">key</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">tcache_entry</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* There is one of these for each thread, which contains the </span></span></span><span class="line"><span class="cl"><span class="cm"> per-thread cache (hence &#34;tcache_perthread_struct&#34;). Keeping </span></span></span><span class="line"><span class="cl"><span class="cm"> overall size low is mildly important. Note that COUNTS and ENTRIES </span></span></span><span class="line"><span class="cl"><span class="cm"> are redundant (we could have just counted the linked list each </span></span></span><span class="line"><span class="cl"><span class="cm"> time), this is for performance reasons. */</span> </span></span><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">tcache_perthread_struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint16_t</span> <span class="n">counts</span><span class="p">[</span><span class="n">TCACHE_MAX_BINS</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">entries</span><span class="p">[</span><span class="n">TCACHE_MAX_BINS</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">tcache_perthread_struct</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="n">__thread</span> <span class="kt">bool</span> <span class="n">tcache_shutting_down</span> <span class="o">=</span> <span class="nb">false</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="n">__thread</span> <span class="n">tcache_perthread_struct</span> <span class="o">*</span><span class="n">tcache</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* Process-wide key to try and catch a double-free in the same thread. */</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">uintptr_t</span> <span class="n">tcache_key</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>tcache 是单向链表, LIFO</p> <p>tcache_entry 结构体起始于 chunk + 0x10 字节处,这正是原本返回给用户的指针地址 next 字段 占用了原本 fd 的位置 key 字段 占用了原本 bk 的位置</p> <p>counts 用于统计每个类别的 BIN 中有多少 free chunk , entries 是属于该 BIN 的 free chunk 的链表头</p> <p>tcache_perthread_struct 本身也是堆内存。如果你在 GDB 中查看一个线程,你会发现它的 tcache 指针通常指向该线程申请的第一个大块内存</p> <p>tcache_key 和 tcache_entry 中的 key 针对 Double Free 进行防护,暂略</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[ 线程 A 的 TLS 区域 ] </span></span><span class="line"><span class="cl"> | </span></span><span class="line"><span class="cl"> +-- tcache 指针 ----+ </span></span><span class="line"><span class="cl"> | </span></span><span class="line"><span class="cl">[ 堆内存 (Heap / Arena) ] &lt;---+ </span></span><span class="line"><span class="cl"> | | </span></span><span class="line"><span class="cl"> +--&gt; [ tcache_perthread_struct ] (管理结构) </span></span><span class="line"><span class="cl"> | </span></span><span class="line"><span class="cl"> +-- entries[0] --&gt; [ 空闲块 1 ] --&gt; [ 空闲块 2 ] </span></span><span class="line"><span class="cl"> | </span></span><span class="line"><span class="cl"> +-- entries[1] --&gt; [ 空闲块 A ] --&gt; [ 空闲块 B ] </span></span></code></pre></td></tr></table> </div> </div><h4 id="tcache_get-源码">tcache_get 源码 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* Caller must ensure that we know tc_idx is valid and there&#39;s </span></span></span><span class="line"><span class="cl"><span class="cm"> available chunks to remove. */</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">tcache_get</span> <span class="p">(</span><span class="kt">size_t</span> <span class="n">tc_idx</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">aligned_OK</span> <span class="p">(</span><span class="n">e</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned tcache chunk detected&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">e</span><span class="o">-&gt;</span><span class="n">next</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">--</span><span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">e</span><span class="o">-&gt;</span><span class="n">key</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="n">e</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="protect_ptr-宏">PROTECT_PTR 宏 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* Safe-Linking: </span></span></span><span class="line"><span class="cl"><span class="cm"> Use randomness from ASLR (mmap_base) to protect single-linked lists </span></span></span><span class="line"><span class="cl"><span class="cm"> of Fast-Bins and TCache. That is, mask the &#34;next&#34; pointers of the </span></span></span><span class="line"><span class="cl"><span class="cm"> lists&#39; chunks, and also perform allocation alignment checks on them. </span></span></span><span class="line"><span class="cl"><span class="cm"> This mechanism reduces the risk of pointer hijacking, as was done with </span></span></span><span class="line"><span class="cl"><span class="cm"> Safe-Unlinking in the double-linked lists of Small-Bins. </span></span></span><span class="line"><span class="cl"><span class="cm"> It assumes a minimum page size of 4096 bytes (12 bits). Systems with </span></span></span><span class="line"><span class="cl"><span class="cm"> larger pages provide less entropy, although the pointer mangling </span></span></span><span class="line"><span class="cl"><span class="cm"> still works. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define PROTECT_PTR(pos, ptr) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((__typeof (ptr)) ((((size_t) pos) &gt;&gt; 12) ^ ((size_t) ptr))) </span></span></span><span class="line"><span class="cl"><span class="cp">#define REVEAL_PTR(ptr) PROTECT_PTR (&amp;ptr, ptr) </span></span></span></code></pre></td></tr></table> </div> </div><p>tcache_get 获取 <code>tcache-&gt;entries[tc_idx]</code> 中存放的指针,并让 <code>tcache-&gt;entries[tc_idx]-&gt;next</code> 解密后取代 <code>tcache-&gt;entries[tc_idx]</code> ,然后减少 BIN 的计数,并将取出的 tcache_entry 的 key 标记清空</p> <p>可以注意到,<code>tcache-&gt;entries[tc_idx]</code> 存的指针并没有被加密,而 tcache_entry 的 next 指针均会被加密,加密方式为指针与右移 12 位的指针在堆上的地址进行异或</p> <h4 id="tag_new_usable-源码">tag_new_usable 源码 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* If memory tagging is enabled the layout changes to accommodate the granule </span></span></span><span class="line"><span class="cl"><span class="cm"> size, this is wasteful for small allocations so not done by default. </span></span></span><span class="line"><span class="cl"><span class="cm"> Both the chunk header and user data has to be granule aligned. */</span> </span></span><span class="line"><span class="cl"><span class="nf">_Static_assert</span> <span class="p">(</span><span class="n">__MTAG_GRANULE_SIZE</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;memory tagging is not supported with large granule.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">tag_new_usable</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">ptr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">mtag_enabled</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">ptr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">cp</span> <span class="o">=</span> <span class="nf">mem2chunk</span><span class="p">(</span><span class="n">ptr</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">ptr</span> <span class="o">=</span> <span class="nf">__libc_mtag_tag_region</span> <span class="p">(</span><span class="nf">__libc_mtag_new_tag</span> <span class="p">(</span><span class="n">ptr</span><span class="p">),</span> <span class="nf">memsize</span> <span class="p">(</span><span class="n">cp</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ptr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* Convert a user mem pointer to a chunk address and extract the right tag. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define mem2chunk(mem) ((mchunkptr)tag_at (((char*)(mem) - CHUNK_HDR_SZ))) </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define CHUNK_HDR_SZ (2 * SIZE_SZ) </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* This is the size of the real usable data in the chunk. Not valid for </span></span></span><span class="line"><span class="cl"><span class="cm"> dumped heap chunks. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define memsize(p) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (__MTAG_GRANULE_SIZE &gt; SIZE_SZ &amp;&amp; __glibc_unlikely (mtag_enabled) ? \ </span></span></span><span class="line"><span class="cl"><span class="cp"> chunksize (p) - CHUNK_HDR_SZ : \ </span></span></span><span class="line"><span class="cl"><span class="cp"> chunksize (p) - CHUNK_HDR_SZ + (chunk_is_mmapped (p) ? 0 : SIZE_SZ)) </span></span></span></code></pre></td></tr></table> </div> </div><p>mem2chunk 将原本指向 chunk 数据区的指针转换至 chunk header 区域</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">ptr</span> <span class="o">=</span> <span class="nf">__libc_mtag_tag_region</span> <span class="p">(</span><span class="nf">__libc_mtag_new_tag</span> <span class="p">(</span><span class="n">ptr</span><span class="p">),</span> <span class="nf">memsize</span> <span class="p">(</span><span class="n">cp</span><span class="p">));</span> </span></span></code></pre></td></tr></table> </div> </div><p>主要用于对新分配的内存进行标签初始化</p> <h2 id="有锁分配相关">有锁分配相关 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="nf">_int_malloc</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">main_arena</span><span class="p">,</span> <span class="n">bytes</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">||</span> <span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">||</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">==</span> <span class="nf">arena_for_chunk</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">arena_get</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Retry with another arena only if we were able to find a usable arena </span></span></span><span class="line"><span class="cl"><span class="cm"> before. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">&amp;&amp;</span> <span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_malloc_retry</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="nf">arena_get_retry</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">tag_new_usable</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">||</span> <span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">||</span> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">==</span> <span class="nf">arena_for_chunk</span> <span class="p">(</span><span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">victim</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>arena 相关暂略,剩下的部分交给了 _int_malloc</p> <hr> <h1 id="_int_malloc-源码分析">_int_malloc 源码分析 </h1><h2 id="_int_malloc-源码">_int_malloc 源码 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span><span class="lnt">268 </span><span class="lnt">269 </span><span class="lnt">270 </span><span class="lnt">271 </span><span class="lnt">272 </span><span class="lnt">273 </span><span class="lnt">274 </span><span class="lnt">275 </span><span class="lnt">276 </span><span class="lnt">277 </span><span class="lnt">278 </span><span class="lnt">279 </span><span class="lnt">280 </span><span class="lnt">281 </span><span class="lnt">282 </span><span class="lnt">283 </span><span class="lnt">284 </span><span class="lnt">285 </span><span class="lnt">286 </span><span class="lnt">287 </span><span class="lnt">288 </span><span class="lnt">289 </span><span class="lnt">290 </span><span class="lnt">291 </span><span class="lnt">292 </span><span class="lnt">293 </span><span class="lnt">294 </span><span class="lnt">295 </span><span class="lnt">296 </span><span class="lnt">297 </span><span class="lnt">298 </span><span class="lnt">299 </span><span class="lnt">300 </span><span class="lnt">301 </span><span class="lnt">302 </span><span class="lnt">303 </span><span class="lnt">304 </span><span class="lnt">305 </span><span class="lnt">306 </span><span class="lnt">307 </span><span class="lnt">308 </span><span class="lnt">309 </span><span class="lnt">310 </span><span class="lnt">311 </span><span class="lnt">312 </span><span class="lnt">313 </span><span class="lnt">314 </span><span class="lnt">315 </span><span class="lnt">316 </span><span class="lnt">317 </span><span class="lnt">318 </span><span class="lnt">319 </span><span class="lnt">320 </span><span class="lnt">321 </span><span class="lnt">322 </span><span class="lnt">323 </span><span class="lnt">324 </span><span class="lnt">325 </span><span class="lnt">326 </span><span class="lnt">327 </span><span class="lnt">328 </span><span class="lnt">329 </span><span class="lnt">330 </span><span class="lnt">331 </span><span class="lnt">332 </span><span class="lnt">333 </span><span class="lnt">334 </span><span class="lnt">335 </span><span class="lnt">336 </span><span class="lnt">337 </span><span class="lnt">338 </span><span class="lnt">339 </span><span class="lnt">340 </span><span class="lnt">341 </span><span class="lnt">342 </span><span class="lnt">343 </span><span class="lnt">344 </span><span class="lnt">345 </span><span class="lnt">346 </span><span class="lnt">347 </span><span class="lnt">348 </span><span class="lnt">349 </span><span class="lnt">350 </span><span class="lnt">351 </span><span class="lnt">352 </span><span class="lnt">353 </span><span class="lnt">354 </span><span class="lnt">355 </span><span class="lnt">356 </span><span class="lnt">357 </span><span class="lnt">358 </span><span class="lnt">359 </span><span class="lnt">360 </span><span class="lnt">361 </span><span class="lnt">362 </span><span class="lnt">363 </span><span class="lnt">364 </span><span class="lnt">365 </span><span class="lnt">366 </span><span class="lnt">367 </span><span class="lnt">368 </span><span class="lnt">369 </span><span class="lnt">370 </span><span class="lnt">371 </span><span class="lnt">372 </span><span class="lnt">373 </span><span class="lnt">374 </span><span class="lnt">375 </span><span class="lnt">376 </span><span class="lnt">377 </span><span class="lnt">378 </span><span class="lnt">379 </span><span class="lnt">380 </span><span class="lnt">381 </span><span class="lnt">382 </span><span class="lnt">383 </span><span class="lnt">384 </span><span class="lnt">385 </span><span class="lnt">386 </span><span class="lnt">387 </span><span class="lnt">388 </span><span class="lnt">389 </span><span class="lnt">390 </span><span class="lnt">391 </span><span class="lnt">392 </span><span class="lnt">393 </span><span class="lnt">394 </span><span class="lnt">395 </span><span class="lnt">396 </span><span class="lnt">397 </span><span class="lnt">398 </span><span class="lnt">399 </span><span class="lnt">400 </span><span class="lnt">401 </span><span class="lnt">402 </span><span class="lnt">403 </span><span class="lnt">404 </span><span class="lnt">405 </span><span class="lnt">406 </span><span class="lnt">407 </span><span class="lnt">408 </span><span class="lnt">409 </span><span class="lnt">410 </span><span class="lnt">411 </span><span class="lnt">412 </span><span class="lnt">413 </span><span class="lnt">414 </span><span class="lnt">415 </span><span class="lnt">416 </span><span class="lnt">417 </span><span class="lnt">418 </span><span class="lnt">419 </span><span class="lnt">420 </span><span class="lnt">421 </span><span class="lnt">422 </span><span class="lnt">423 </span><span class="lnt">424 </span><span class="lnt">425 </span><span class="lnt">426 </span><span class="lnt">427 </span><span class="lnt">428 </span><span class="lnt">429 </span><span class="lnt">430 </span><span class="lnt">431 </span><span class="lnt">432 </span><span class="lnt">433 </span><span class="lnt">434 </span><span class="lnt">435 </span><span class="lnt">436 </span><span class="lnt">437 </span><span class="lnt">438 </span><span class="lnt">439 </span><span class="lnt">440 </span><span class="lnt">441 </span><span class="lnt">442 </span><span class="lnt">443 </span><span class="lnt">444 </span><span class="lnt">445 </span><span class="lnt">446 </span><span class="lnt">447 </span><span class="lnt">448 </span><span class="lnt">449 </span><span class="lnt">450 </span><span class="lnt">451 </span><span class="lnt">452 </span><span class="lnt">453 </span><span class="lnt">454 </span><span class="lnt">455 </span><span class="lnt">456 </span><span class="lnt">457 </span><span class="lnt">458 </span><span class="lnt">459 </span><span class="lnt">460 </span><span class="lnt">461 </span><span class="lnt">462 </span><span class="lnt">463 </span><span class="lnt">464 </span><span class="lnt">465 </span><span class="lnt">466 </span><span class="lnt">467 </span><span class="lnt">468 </span><span class="lnt">469 </span><span class="lnt">470 </span><span class="lnt">471 </span><span class="lnt">472 </span><span class="lnt">473 </span><span class="lnt">474 </span><span class="lnt">475 </span><span class="lnt">476 </span><span class="lnt">477 </span><span class="lnt">478 </span><span class="lnt">479 </span><span class="lnt">480 </span><span class="lnt">481 </span><span class="lnt">482 </span><span class="lnt">483 </span><span class="lnt">484 </span><span class="lnt">485 </span><span class="lnt">486 </span><span class="lnt">487 </span><span class="lnt">488 </span><span class="lnt">489 </span><span class="lnt">490 </span><span class="lnt">491 </span><span class="lnt">492 </span><span class="lnt">493 </span><span class="lnt">494 </span><span class="lnt">495 </span><span class="lnt">496 </span><span class="lnt">497 </span><span class="lnt">498 </span><span class="lnt">499 </span><span class="lnt">500 </span><span class="lnt">501 </span><span class="lnt">502 </span><span class="lnt">503 </span><span class="lnt">504 </span><span class="lnt">505 </span><span class="lnt">506 </span><span class="lnt">507 </span><span class="lnt">508 </span><span class="lnt">509 </span><span class="lnt">510 </span><span class="lnt">511 </span><span class="lnt">512 </span><span class="lnt">513 </span><span class="lnt">514 </span><span class="lnt">515 </span><span class="lnt">516 </span><span class="lnt">517 </span><span class="lnt">518 </span><span class="lnt">519 </span><span class="lnt">520 </span><span class="lnt">521 </span><span class="lnt">522 </span><span class="lnt">523 </span><span class="lnt">524 </span><span class="lnt">525 </span><span class="lnt">526 </span><span class="lnt">527 </span><span class="lnt">528 </span><span class="lnt">529 </span><span class="lnt">530 </span><span class="lnt">531 </span><span class="lnt">532 </span><span class="lnt">533 </span><span class="lnt">534 </span><span class="lnt">535 </span><span class="lnt">536 </span><span class="lnt">537 </span><span class="lnt">538 </span><span class="lnt">539 </span><span class="lnt">540 </span><span class="lnt">541 </span><span class="lnt">542 </span><span class="lnt">543 </span><span class="lnt">544 </span><span class="lnt">545 </span><span class="lnt">546 </span><span class="lnt">547 </span><span class="lnt">548 </span><span class="lnt">549 </span><span class="lnt">550 </span><span class="lnt">551 </span><span class="lnt">552 </span><span class="lnt">553 </span><span class="lnt">554 </span><span class="lnt">555 </span><span class="lnt">556 </span><span class="lnt">557 </span><span class="lnt">558 </span><span class="lnt">559 </span><span class="lnt">560 </span><span class="lnt">561 </span><span class="lnt">562 </span><span class="lnt">563 </span><span class="lnt">564 </span><span class="lnt">565 </span><span class="lnt">566 </span><span class="lnt">567 </span><span class="lnt">568 </span><span class="lnt">569 </span><span class="lnt">570 </span><span class="lnt">571 </span><span class="lnt">572 </span><span class="lnt">573 </span><span class="lnt">574 </span><span class="lnt">575 </span><span class="lnt">576 </span><span class="lnt">577 </span><span class="lnt">578 </span><span class="lnt">579 </span><span class="lnt">580 </span><span class="lnt">581 </span><span class="lnt">582 </span><span class="lnt">583 </span><span class="lnt">584 </span><span class="lnt">585 </span><span class="lnt">586 </span><span class="lnt">587 </span><span class="lnt">588 </span><span class="lnt">589 </span><span class="lnt">590 </span><span class="lnt">591 </span><span class="lnt">592 </span><span class="lnt">593 </span><span class="lnt">594 </span><span class="lnt">595 </span><span class="lnt">596 </span><span class="lnt">597 </span><span class="lnt">598 </span><span class="lnt">599 </span><span class="lnt">600 </span><span class="lnt">601 </span><span class="lnt">602 </span><span class="lnt">603 </span><span class="lnt">604 </span><span class="lnt">605 </span><span class="lnt">606 </span><span class="lnt">607 </span><span class="lnt">608 </span><span class="lnt">609 </span><span class="lnt">610 </span><span class="lnt">611 </span><span class="lnt">612 </span><span class="lnt">613 </span><span class="lnt">614 </span><span class="lnt">615 </span><span class="lnt">616 </span><span class="lnt">617 </span><span class="lnt">618 </span><span class="lnt">619 </span><span class="lnt">620 </span><span class="lnt">621 </span><span class="lnt">622 </span><span class="lnt">623 </span><span class="lnt">624 </span><span class="lnt">625 </span><span class="lnt">626 </span><span class="lnt">627 </span><span class="lnt">628 </span><span class="lnt">629 </span><span class="lnt">630 </span><span class="lnt">631 </span><span class="lnt">632 </span><span class="lnt">633 </span><span class="lnt">634 </span><span class="lnt">635 </span><span class="lnt">636 </span><span class="lnt">637 </span><span class="lnt">638 </span><span class="lnt">639 </span><span class="lnt">640 </span><span class="lnt">641 </span><span class="lnt">642 </span><span class="lnt">643 </span><span class="lnt">644 </span><span class="lnt">645 </span><span class="lnt">646 </span><span class="lnt">647 </span><span class="lnt">648 </span><span class="lnt">649 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> ------------------------------ malloc ------------------------------ </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">_int_malloc</span> <span class="p">(</span><span class="n">mstate</span> <span class="n">av</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">bytes</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nb</span><span class="p">;</span> <span class="cm">/* normalized request size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="cm">/* associated bin index */</span> </span></span><span class="line"><span class="cl"> <span class="n">mbinptr</span> <span class="n">bin</span><span class="p">;</span> <span class="cm">/* associated bin */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">victim</span><span class="p">;</span> <span class="cm">/* inspected/selected chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">victim_index</span><span class="p">;</span> <span class="cm">/* its bin index */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">remainder</span><span class="p">;</span> <span class="cm">/* remainder from a split */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">remainder_size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">block</span><span class="p">;</span> <span class="cm">/* bit map traverser */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">bit</span><span class="p">;</span> <span class="cm">/* bit map traverser */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">map</span><span class="p">;</span> <span class="cm">/* current word of binmap */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fwd</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bck</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_unsorted_count</span><span class="p">;</span> <span class="cm">/* count of unsorted chunks processed */</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Convert request size to internal form by adding SIZE_SZ bytes </span></span></span><span class="line"><span class="cl"><span class="cm"> overhead plus possibly more to obtain necessary alignment and/or </span></span></span><span class="line"><span class="cl"><span class="cm"> to obtain a size of at least MINSIZE, the smallest allocatable </span></span></span><span class="line"><span class="cl"><span class="cm"> size. Also, checked_request2size returns false for request sizes </span></span></span><span class="line"><span class="cl"><span class="cm"> that are so large that they wrap around zero when padded and </span></span></span><span class="line"><span class="cl"><span class="cm"> aligned. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">checked_request2size</span> <span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__set_errno</span> <span class="p">(</span><span class="n">ENOMEM</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* There are no usable arenas. Fall back to sysmalloc to get a chunk from </span></span></span><span class="line"><span class="cl"><span class="cm"> mmap. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">av</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">sysmalloc</span> <span class="p">(</span><span class="n">nb</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the size qualifies as a fastbin, first check corresponding bin. </span></span></span><span class="line"><span class="cl"><span class="cm"> This code is safe to execute even if av is not yet initialized, so we </span></span></span><span class="line"><span class="cl"><span class="cm"> can try it without checking, which saves some time on this fast path. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define REMOVE_FB(fb, victim, pp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> do \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> victim = pp; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (victim == NULL) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> break; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> pp = REVEAL_PTR (victim-&gt;fd); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (__glibc_unlikely (pp != NULL &amp;&amp; misaligned_chunk (pp))) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> malloc_printerr (&#34;malloc(): unaligned fastbin chunk detected&#34;); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp"> while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> != victim); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="nf">get_max_fast</span> <span class="p">()))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">pp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_likely</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">victim_idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">victim_idx</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): memory corruption (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_remalloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">)</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 3&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a small request, check regular bin. Since these &#34;smallbins&#34; </span></span></span><span class="line"><span class="cl"><span class="cm"> hold one size each, no searching within bins is necessary. </span></span></span><span class="line"><span class="cl"><span class="cm"> (For a large request, we need to wait until unsorted chunks are </span></span></span><span class="line"><span class="cl"><span class="cm"> processed to find best fit. But for small ones, fits are exact </span></span></span><span class="line"><span class="cl"><span class="cm"> anyway, so we can check now, which is faster.) </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): smallbin double linked list corrupted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks over. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If this is a large request, consolidate fastbins before continuing. </span></span></span><span class="line"><span class="cl"><span class="cm"> While it might look excessive to kill all fastbins before </span></span></span><span class="line"><span class="cl"><span class="cm"> even seeing if there is space available, this avoids </span></span></span><span class="line"><span class="cl"><span class="cm"> fragmentation problems normally associated with fastbins. </span></span></span><span class="line"><span class="cl"><span class="cm"> Also, in practice, programs tend to have runs of either small or </span></span></span><span class="line"><span class="cl"><span class="cm"> large requests, but less often mixtures, so consolidation is not </span></span></span><span class="line"><span class="cl"><span class="cm"> invoked all that often in most programs. And the programs that </span></span></span><span class="line"><span class="cl"><span class="cm"> it is called frequently in otherwise tend to fragment. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Process recently freed or remaindered chunks, taking one only if </span></span></span><span class="line"><span class="cl"><span class="cm"> it is exact fit, or, if this a small request, the chunk is remainder from </span></span></span><span class="line"><span class="cl"><span class="cm"> the most recent non-exact fit. Place other traversed chunks in </span></span></span><span class="line"><span class="cl"><span class="cm"> bins. Note that this step is the only place in any routine where </span></span></span><span class="line"><span class="cl"><span class="cm"> chunks are placed in bins. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The outer loop here is needed because we might not realize until </span></span></span><span class="line"><span class="cl"><span class="cm"> near the end of malloc that we should have consolidated, so must </span></span></span><span class="line"><span class="cl"><span class="cm"> do so and retry. This happens at most once, and only when we would </span></span></span><span class="line"><span class="cl"><span class="cm"> otherwise need to expand memory to service a &#34;small&#34; request. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">tcache_nb</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_nb</span> <span class="o">=</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">return_cached</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">tcache_unsorted_count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(;;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">iters</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">)</span> <span class="o">!=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">next</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid next size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">((</span><span class="nf">prev_size</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&amp;</span> <span class="o">~</span><span class="p">(</span><span class="n">SIZE_BITS</span><span class="p">))</span> <span class="o">!=</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): mismatching next-&gt;prev_size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unsorted double linked list corrupted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">prev_inuse</span> <span class="p">(</span><span class="n">next</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid next-&gt;prev_inuse (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a small request, try to use last remainder if it is the </span></span></span><span class="line"><span class="cl"><span class="cm"> only chunk in unsorted bin. This helps promote locality for </span></span></span><span class="line"><span class="cl"><span class="cm"> runs of consecutive small requests. This is the only </span></span></span><span class="line"><span class="cl"><span class="cm"> exception to best-fit, and applies only when there is </span></span></span><span class="line"><span class="cl"><span class="cm"> no exact fit for a small chunk. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">==</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">==</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span> <span class="o">+</span> <span class="n">MINSIZE</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* split and reattach remainder */</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* remove from unsorted list */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks 3&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Take now instead of binning if exact fit */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">size</span> <span class="o">==</span> <span class="n">nb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* Fill cache first, return to user only if cache fills. </span></span></span><span class="line"><span class="cl"><span class="cm"> We may return one of these chunks later. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache_nb</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">return_cached</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* place chunk in bin */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim_index</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim_index</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* maintain large bins in sorted order */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fwd</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or with inuse bit to speed comparisons */</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">|=</span> <span class="n">PREV_INUSE</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* if smaller than smallest, bypass loop below */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">fwd</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="n">size</span> <span class="o">&lt;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">fwd</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="n">size</span> </span></span><span class="line"><span class="cl"> <span class="o">==</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Always insert in the second position. */</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): largebin double linked list corrupted (nextsize)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">fwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): largebin double linked list corrupted (bk)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">mark_bin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* If we&#39;ve processed as many chunks as we&#39;re allowed while </span></span></span><span class="line"><span class="cl"><span class="cm"> filling the cache, return one of the cached ones. */</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">tcache_unsorted_count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">return_cached</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_unsorted_limit</span> <span class="o">&gt;</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache_unsorted_count</span> <span class="o">&gt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_unsorted_limit</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define MAX_ITERS 10000 </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">++</span><span class="n">iters</span> <span class="o">&gt;=</span> <span class="n">MAX_ITERS</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* If all the small chunks we found ended up cached, return one now. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">return_cached</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a large request, scan through the chunks of current bin in </span></span></span><span class="line"><span class="cl"><span class="cm"> sorted order to find smallest that fits. Use the skip list for this. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* skip scan if empty or largest chunk is too small */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">first</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">&lt;</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Avoid removing the first entry for a size so that the skip </span></span></span><span class="line"><span class="cl"><span class="cm"> list does not have to be rerouted. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">==</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Exhaust */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">remainder_size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Split */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We cannot assume the unsorted list is empty and therefore </span></span></span><span class="line"><span class="cl"><span class="cm"> have to perform a complete insert here. */</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Search for a chunk by scanning bins, starting with next largest </span></span></span><span class="line"><span class="cl"><span class="cm"> bin. This search is strictly by best-fit; i.e., the smallest </span></span></span><span class="line"><span class="cl"><span class="cm"> (with ties going to approximately the least recently used) chunk </span></span></span><span class="line"><span class="cl"><span class="cm"> that fits is selected. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The bitmap avoids needing to check that most blocks are nonempty. </span></span></span><span class="line"><span class="cl"><span class="cm"> The particular case of skipping all bins during warm-up phases </span></span></span><span class="line"><span class="cl"><span class="cm"> when no chunks have been returned yet is faster than it might look. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">idx</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">block</span> <span class="o">=</span> <span class="nf">idx2block</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="nf">idx2bit</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(;;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Skip rest of block if there are no more set bits in this block. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">bit</span> <span class="o">&gt;</span> <span class="n">map</span> <span class="o">||</span> <span class="n">bit</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">++</span><span class="n">block</span> <span class="o">&gt;=</span> <span class="n">BINMAPSIZE</span><span class="p">)</span> <span class="cm">/* out of bins */</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">use_top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">])</span> <span class="o">==</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="p">(</span><span class="n">block</span> <span class="o">&lt;&lt;</span> <span class="n">BINMAPSHIFT</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Advance to bin with set bit. There must be one. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">bit</span> <span class="o">&amp;</span> <span class="n">map</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="n">bit</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Inspect the bin. It is likely to be non-empty */</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If a false alarm (empty bin), clear the bit. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">==</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">]</span> <span class="o">=</span> <span class="n">map</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">bit</span><span class="p">;</span> <span class="cm">/* Write through */</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We know the first chunk in this bin is big enough to use. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* unlink */</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Exhaust */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">remainder_size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Split */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We cannot assume the unsorted list is empty and therefore </span></span></span><span class="line"><span class="cl"><span class="cm"> have to perform a complete insert here. */</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* advertise as last remainder */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nl">use_top</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If large enough, split off the chunk bordering the end of memory </span></span></span><span class="line"><span class="cl"><span class="cm"> (held in av-&gt;top). Note that this is in accord with the best-fit </span></span></span><span class="line"><span class="cl"><span class="cm"> search rule. In effect, av-&gt;top is treated as larger (and thus </span></span></span><span class="line"><span class="cl"><span class="cm"> less well fitting) than any other available chunk since it can </span></span></span><span class="line"><span class="cl"><span class="cm"> be extended to be as large as necessary (up to system </span></span></span><span class="line"><span class="cl"><span class="cm"> limitations). </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> We require that av-&gt;top always exists (i.e., has size &gt;= </span></span></span><span class="line"><span class="cl"><span class="cm"> MINSIZE) after initialization, so if it would otherwise be </span></span></span><span class="line"><span class="cl"><span class="cm"> exhausted by current request, it is replenished. (The main </span></span></span><span class="line"><span class="cl"><span class="cm"> reason for ensuring it exists is that we may need MINSIZE space </span></span></span><span class="line"><span class="cl"><span class="cm"> to put in fenceposts in sysmalloc.) </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted top size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span> <span class="o">+</span> <span class="n">MINSIZE</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* When we are using atomic ops to free fast chunks we can get </span></span></span><span class="line"><span class="cl"><span class="cm"> here for all block sizes. */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* restore original bin index */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Otherwise, relay to handle system-dependent cases </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">sysmalloc</span> <span class="p">(</span><span class="n">nb</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="前置处理">前置处理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nb</span><span class="p">;</span> <span class="cm">/* normalized request size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="cm">/* associated bin index */</span> </span></span><span class="line"><span class="cl"> <span class="n">mbinptr</span> <span class="n">bin</span><span class="p">;</span> <span class="cm">/* associated bin */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">victim</span><span class="p">;</span> <span class="cm">/* inspected/selected chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">victim_index</span><span class="p">;</span> <span class="cm">/* its bin index */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">remainder</span><span class="p">;</span> <span class="cm">/* remainder from a split */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">remainder_size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">block</span><span class="p">;</span> <span class="cm">/* bit map traverser */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">bit</span><span class="p">;</span> <span class="cm">/* bit map traverser */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">map</span><span class="p">;</span> <span class="cm">/* current word of binmap */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fwd</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bck</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tcache_unsorted_count</span><span class="p">;</span> <span class="cm">/* count of unsorted chunks processed */</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Convert request size to internal form by adding SIZE_SZ bytes </span></span></span><span class="line"><span class="cl"><span class="cm"> overhead plus possibly more to obtain necessary alignment and/or </span></span></span><span class="line"><span class="cl"><span class="cm"> to obtain a size of at least MINSIZE, the smallest allocatable </span></span></span><span class="line"><span class="cl"><span class="cm"> size. Also, checked_request2size returns false for request sizes </span></span></span><span class="line"><span class="cl"><span class="cm"> that are so large that they wrap around zero when padded and </span></span></span><span class="line"><span class="cl"><span class="cm"> aligned. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">checked_request2size</span> <span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__set_errno</span> <span class="p">(</span><span class="n">ENOMEM</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* There are no usable arenas. Fall back to sysmalloc to get a chunk from </span></span></span><span class="line"><span class="cl"><span class="cm"> mmap. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">av</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">sysmalloc</span> <span class="p">(</span><span class="n">nb</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>nb 为实际应分配的内存大小, sysmalloc 部分暂略</p> <h2 id="fastbin-相关">fastbin 相关 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the size qualifies as a fastbin, first check corresponding bin. </span></span></span><span class="line"><span class="cl"><span class="cm"> This code is safe to execute even if av is not yet initialized, so we </span></span></span><span class="line"><span class="cl"><span class="cm"> can try it without checking, which saves some time on this fast path. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define REMOVE_FB(fb, victim, pp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> do \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> victim = pp; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (victim == NULL) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> break; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> pp = REVEAL_PTR (victim-&gt;fd); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (__glibc_unlikely (pp != NULL &amp;&amp; misaligned_chunk (pp))) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> malloc_printerr (&#34;malloc(): unaligned fastbin chunk detected&#34;); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp"> while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> != victim); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="nf">get_max_fast</span> <span class="p">()))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">pp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_likely</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">victim_idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">victim_idx</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): memory corruption (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_remalloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">)</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 3&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>fastbin 是单向链表, LIFO</p> <h3 id="remove_fb-宏">REMOVE_FB 宏 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define REMOVE_FB(fb, victim, pp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> do \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> victim = pp; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (victim == NULL) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> break; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> pp = REVEAL_PTR (victim-&gt;fd); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (__glibc_unlikely (pp != NULL &amp;&amp; misaligned_chunk (pp))) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> malloc_printerr (&#34;malloc(): unaligned fastbin chunk detected&#34;); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp"> while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> != victim); \ </span></span></span></code></pre></td></tr></table> </div> </div><p>宏参数含义</p> <ul> <li>fb: 指向 fastbin 链表头的指针(即 <code>&amp;main_arena.fastbinsY[i]</code> )。</li> <li>victim: 输出参数,成功时指向被取出的内存块。</li> <li>pp: 临时变量,最初存放旧的链表头,成功后作为新链表头。</li> </ul> <p>无锁原子操作 (CAS) 是该宏最核心的部分。为了避免在分配内存时频繁加锁带来的性能损耗,glibc 使用了 catomic_compare_and_exchange_val_acq:</p> <ul> <li>语义:这是一个 CAS ( Compare-And-Swap )操作。它会检查 *fb (当前的 fastbin 链表头)是否仍然等于 victim。</li> <li>如果相等:说明没有其他线程修改链表头,它会将 *fb 更新为 pp(即 victim-&gt;fd ),成功弹出 victim 。</li> <li>如果不相等:说明在执行逻辑期间,有其他线程抢先分配或插入了块, CAS 失败。此时 pp 会被更新为当前的 *fb (新的链表头),循环再次尝试,直到成功。</li> </ul> <p>过程要求 pp 的地址对齐 16 位</p> <h3 id="获取-index">获取 index </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="nf">get_max_fast</span> <span class="p">()))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">pp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>追溯得到 get_max_fast () 返回 DEFAULT_MXFAST ,为 <code>64 * SIZE_SZ / 4</code> ,即 0x80 字节</p> <p>首先判断应分配内存大小 nb 是否在 fastbin 的管辖范围内,然后根据 nb 的大小计算在 fastbin 中的 index</p> <p>fb 为对应 fastbin 的头指针</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* offset 2 to use otherwise unindexable first 2 bins */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define fastbin_index(sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((((unsigned int) (sz)) &gt;&gt; (SIZE_SZ == 8 ? 4 : 3)) - 2) </span></span></span></code></pre></td></tr></table> </div> </div><p>由此, 0x20 -&gt; 0 , 0x30 -&gt; 1 &hellip; 0x80 -&gt; 7</p> <h3 id="取出-chunk-并检验">取出 chunk 并检验 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_likely</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">victim_idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">victim_idx</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): memory corruption (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_remalloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>要求 victim 的地址对齐 16 位</p> <p>SINGLE_THREAD_P 宏判断当前进程是否只有一个线程,若是,则直接更新 fb 为 next ,否则用 REMOVE_FB 宏更新,并维护 fb , pp , victim 的正确性</p> <p>victim_idx 为被取出 chunk 的 size 字段对应的 fastbin index</p> <p>比对 victim_idx 和 idx ,要求同一个 size 字段与 fastbin 应该存放的大小相符</p> <p>check_remalloced_chunk 正常情况下为空,不用管</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Bits to mask off when extracting size </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> Note: IS_MMAPPED is intentionally not masked off from size field in </span></span></span><span class="line"><span class="cl"><span class="cm"> macros for which mmapped chunks should never be seen. This should </span></span></span><span class="line"><span class="cl"><span class="cm"> cause helpful core dumps to occur if it is tried by accident by </span></span></span><span class="line"><span class="cl"><span class="cm"> people extending or adapting this malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* Get size, ignoring use bits */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define chunksize(p) (chunksize_nomask (p) &amp; ~(SIZE_BITS)) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* Like chunksize, but do not mask SIZE_BITS. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define chunksize_nomask(p) ((p)-&gt;mchunk_size) </span></span></span></code></pre></td></tr></table> </div> </div><p>chunksize 会去除标志位</p> <h3 id="向-tcache-中转移-fastbin">向 Tcache 中转移 fastbin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">)</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unaligned fastbin chunk detected 3&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">REMOVE_FB</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">pp</span><span class="p">,</span> <span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span></code></pre></td></tr></table> </div> </div><p>过程要求 tc_victim 的地址对齐 16 位</p> <h3 id="分配成功">分配成功 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="smallbin-相关">smallbin 相关 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a small request, check regular bin. Since these &#34;smallbins&#34; </span></span></span><span class="line"><span class="cl"><span class="cm"> hold one size each, no searching within bins is necessary. </span></span></span><span class="line"><span class="cl"><span class="cm"> (For a large request, we need to wait until unsorted chunks are </span></span></span><span class="line"><span class="cl"><span class="cm"> processed to find best fit. But for small ones, fits are exact </span></span></span><span class="line"><span class="cl"><span class="cm"> anyway, so we can check now, which is faster.) </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): smallbin double linked list corrupted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks over. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>smallbin 是双向循环链表, FIFO</p> <h3 id="索引">索引 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Indexing </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> Bins for sizes &lt; 512 bytes contain chunks of all the same size, spaced </span></span></span><span class="line"><span class="cl"><span class="cm"> 8 bytes apart. Larger bins are approximately logarithmically spaced: </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> 64 bins of size 8 </span></span></span><span class="line"><span class="cl"><span class="cm"> 32 bins of size 64 </span></span></span><span class="line"><span class="cl"><span class="cm"> 16 bins of size 512 </span></span></span><span class="line"><span class="cl"><span class="cm"> 8 bins of size 4096 </span></span></span><span class="line"><span class="cl"><span class="cm"> 4 bins of size 32768 </span></span></span><span class="line"><span class="cl"><span class="cm"> 2 bins of size 262144 </span></span></span><span class="line"><span class="cl"><span class="cm"> 1 bin of size what&#39;s left </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> There is actually a little bit of slop in the numbers in bin_index </span></span></span><span class="line"><span class="cl"><span class="cm"> for the sake of speed. This makes no difference elsewhere. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The bins top out around 1MB because we expect to service large </span></span></span><span class="line"><span class="cl"><span class="cm"> requests via mmap. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> Bin 0 does not exist. Bin 1 is the unordered list; if that would be </span></span></span><span class="line"><span class="cl"><span class="cm"> a valid chunk size the small bins are bumped up one. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define NBINS 128 </span></span></span><span class="line"><span class="cl"><span class="cp">#define NSMALLBINS 64 </span></span></span><span class="line"><span class="cl"><span class="cp">#define SMALLBIN_WIDTH MALLOC_ALIGNMENT </span></span></span><span class="line"><span class="cl"><span class="cp">#define SMALLBIN_CORRECTION (MALLOC_ALIGNMENT &gt; CHUNK_HDR_SZ) </span></span></span><span class="line"><span class="cl"><span class="cp">#define MIN_LARGE_SIZE ((NSMALLBINS - SMALLBIN_CORRECTION) * SMALLBIN_WIDTH) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define in_smallbin_range(sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((unsigned long) (sz) &lt; (unsigned long) MIN_LARGE_SIZE) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define smallbin_index(sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((SMALLBIN_WIDTH == 16 ? (((unsigned) (sz)) &gt;&gt; 4) : (((unsigned) (sz)) &gt;&gt; 3))\ </span></span></span><span class="line"><span class="cl"><span class="cp"> + SMALLBIN_CORRECTION) </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">malloc_chunk</span> <span class="o">*</span><span class="n">mbinptr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* addressing -- note that bin_at(0) does not exist */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define bin_at(m, i) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (mbinptr) (((char *) &amp;((m)-&gt;bins[((i) - 1) * 2])) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> - offsetof (struct malloc_chunk, fd)) </span></span></span></code></pre></td></tr></table> </div> </div><p>根据应分配的 chunk 大小计算 smallbin 的索引,并注意到从 smallbin_idx 到 bins 的索引还有换算</p> <p>0x20 -&gt; 2 -&gt; 2 , 0x30 -&gt; 3 -&gt; 4 &hellip; 0x400 -&gt; 40 -&gt; 78</p> <p>然后取出对应 bin 的链表头</p> <h3 id="脱链">脱链 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): smallbin double linked list corrupted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>last (bin)</code> 即 bin-&gt;bk</p> <p><code>if ((victim = last (bin)) != bin)</code> 判断条件:如果 <code>victim == bin</code> ,说明链表为空(只有一个头节点),代码将跳过此段</p> <p><code>if (__glibc_unlikely (bck-&gt;fd != victim))</code> 要求在双向链表中,victim 的前驱节点的后继指针``victim-&gt;bk-&gt;fd` 必须指向 victim 自己,若满足要求,则设置与它物理相邻下一个高地址的 chunk 的 prev_inuse 位为 1 并脱链</p> <p>注意到,我们要取出的 victim 为 bin-&gt;bk ,事实上, bin 本身是一个哨兵,不代表任何 chunk</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define set_inuse_bit_at_offset(p, s) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (((mchunkptr) (((char *) (p)) + (s)))-&gt;mchunk_size |= PREV_INUSE) </span></span></span></code></pre></td></tr></table> </div> </div><p>该宏设置与它物理相邻下一个高地址的 chunk 的 prev_inuse 位为 1</p> <h3 id="向-tcache-中转移-smallbin">向 Tcache 中转移 smallbin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* While we&#39;re here, if we see other chunks of the same size, </span></span></span><span class="line"><span class="cl"><span class="cm"> stash them in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">tc_victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* While bin not empty and tcache not full, copy chunks over. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tc_victim</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">tc_victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">tc_victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span></code></pre></td></tr></table> </div> </div><p>由于重新取出 tcache 时不会操作 prev_inuse ,所以这里会提前处理</p> <h3 id="分配成功-1">分配成功 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="largebin-相关">largebin 相关 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If this is a large request, consolidate fastbins before continuing. </span></span></span><span class="line"><span class="cl"><span class="cm"> While it might look excessive to kill all fastbins before </span></span></span><span class="line"><span class="cl"><span class="cm"> even seeing if there is space available, this avoids </span></span></span><span class="line"><span class="cl"><span class="cm"> fragmentation problems normally associated with fastbins. </span></span></span><span class="line"><span class="cl"><span class="cm"> Also, in practice, programs tend to have runs of either small or </span></span></span><span class="line"><span class="cl"><span class="cm"> large requests, but less often mixtures, so consolidation is not </span></span></span><span class="line"><span class="cl"><span class="cm"> invoked all that often in most programs. And the programs that </span></span></span><span class="line"><span class="cl"><span class="cm"> it is called frequently in otherwise tend to fragment. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>largebin 是双向循环且沿 fb 时 size 单调递减的链表,在同一 Size 组内部表现为 FIFO</p> <h3 id="largebin_index-宏分析">largebin_index 宏分析 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// XXX It remains to be seen whether it is good to keep the widths of </span></span></span><span class="line"><span class="cl"><span class="c1">// XXX the buckets the same or whether it should be scaled by a factor </span></span></span><span class="line"><span class="cl"><span class="c1">// XXX of two as well. </span></span></span><span class="line"><span class="cl"><span class="cp">#define largebin_index_64(sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (((((unsigned long) (sz)) &gt;&gt; 6) &lt;= 48) ? 48 + (((unsigned long) (sz)) &gt;&gt; 6) :\ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((((unsigned long) (sz)) &gt;&gt; 9) &lt;= 20) ? 91 + (((unsigned long) (sz)) &gt;&gt; 9) :\ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((((unsigned long) (sz)) &gt;&gt; 12) &lt;= 10) ? 110 + (((unsigned long) (sz)) &gt;&gt; 12) :\ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((((unsigned long) (sz)) &gt;&gt; 15) &lt;= 4) ? 119 + (((unsigned long) (sz)) &gt;&gt; 15) :\ </span></span></span><span class="line"><span class="cl"><span class="cp"> ((((unsigned long) (sz)) &gt;&gt; 18) &lt;= 2) ? 124 + (((unsigned long) (sz)) &gt;&gt; 18) :\ </span></span></span><span class="line"><span class="cl"><span class="cp"> 126) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define largebin_index(sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (SIZE_SZ == 8 ? largebin_index_64 (sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> : MALLOC_ALIGNMENT == 16 ? largebin_index_32_big (sz) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> : largebin_index_32 (sz)) </span></span></span></code></pre></td></tr></table> </div> </div><p>这个宏是 <code>ptmalloc</code> 用于将内存块的大小(size)映射到对应的 <strong>Large Bin 索引</strong> 的核心逻辑。</p> <p>它的设计思路非常巧妙,采用的是<strong>分段线性映射</strong>(Piecewise Linear Mapping)。简单来说:<strong>随着内存块越来越大,Bin 所覆盖的范围也越来越广,但分辨率(精确度)越来越低。</strong></p> <p>以下是该映射逻辑的深度拆解:</p> <p><strong>1. 核心设计原则:对数级增长</strong> Small Bins 是等差数列(每 16 字节一个 Bin),而 Large Bins 是分组的。为了平衡查找效率和空间碎片,<code>ptmalloc</code> 将 Large Bins 分成了 <strong>6 个组(Intervals)</strong>,每组的步长(Step)呈指数级增长。</p> <p><strong>2. 六个组的详细映射分析</strong></p> <p>我们将 <code>sz &gt;&gt; n</code> 理解为按 $2^n$ 的步长进行划分:</p> <table> <thead> <tr> <th style="text-align: left">组别</th> <th style="text-align: left">大小范围 (64位系统)</th> <th style="text-align: left">步长 (Step)</th> <th style="text-align: left">索引计算公式</th> <th style="text-align: left">对应 Bin 数量</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><strong>第 1 组</strong></td> <td style="text-align: left">1024B ~ 3072B</td> <td style="text-align: left"><strong>64 B</strong> (<code>&gt;&gt;6</code>)</td> <td style="text-align: left">$48 + (sz &raquo; 6)$</td> <td style="text-align: left">32 个 (Bin 64-95)</td> </tr> <tr> <td style="text-align: left"><strong>第 2 组</strong></td> <td style="text-align: left">3072B ~ 10KB</td> <td style="text-align: left"><strong>512 B</strong> (<code>&gt;&gt;9</code>)</td> <td style="text-align: left">$91 + (sz &raquo; 9)$</td> <td style="text-align: left">16 个 (Bin 96-111)</td> </tr> <tr> <td style="text-align: left"><strong>第 3 组</strong></td> <td style="text-align: left">10KB ~ 40KB</td> <td style="text-align: left"><strong>4KB</strong> (<code>&gt;&gt;12</code>)</td> <td style="text-align: left">$110 + (sz &raquo; 12)$</td> <td style="text-align: left">8 个 (Bin 112-119)</td> </tr> <tr> <td style="text-align: left"><strong>第 4 组</strong></td> <td style="text-align: left">40KB ~ 128KB</td> <td style="text-align: left"><strong>32KB</strong> (<code>&gt;&gt;15</code>)</td> <td style="text-align: left">$119 + (sz &raquo; 15)$</td> <td style="text-align: left">4 个 (Bin 120-123)</td> </tr> <tr> <td style="text-align: left"><strong>第 5 组</strong></td> <td style="text-align: left">128KB ~ 512KB</td> <td style="text-align: left"><strong>256KB</strong> (<code>&gt;&gt;18</code>)</td> <td style="text-align: left">$124 + (sz &raquo; 18)$</td> <td style="text-align: left">2 个 (Bin 124-125)</td> </tr> <tr> <td style="text-align: left"><strong>第 6 组</strong></td> <td style="text-align: left">&gt; 512KB</td> <td style="text-align: left"><strong>无</strong></td> <td style="text-align: left"><strong>固定为 126</strong></td> <td style="text-align: left">1 个 (Bin 126)</td> </tr> </tbody> </table> <p><code>if (atomic_load_relaxed (&amp;av-&gt;have_fastchunks))</code> 检查 fastbin 中是否有空闲块,若有,则进入 malloc_consolidate</p> <h3 id="largebin-结构">Largebin 结构 </h3><p>我们可以将 Largebin 的结构总结为一种 <strong>“双层嵌套式跳跃循环双向链表”</strong> 。</p> <p>它不仅管理着大量的堆块,还通过精妙的索引机制保证了在处理不同大小堆块时的搜索效率。以下是 Largebin 结构的完整解构:</p> <hr> <h4 id="1-核心分层设计-the-dual-layer-system">1. 核心分层设计 (The Dual-Layer System) </h4><p>Largebin 的最独特之处在于它同时维护了两套逻辑链表,这两套链表物理上共存于同一组 Chunk 之中:</p> <h5 id="第一层主链表-the-main-fdbk-loop">第一层:主链表 (The Main <code>fd</code>/<code>bk</code> Loop) </h5><ul> <li><strong>成员</strong>:包含该 Bin 范围内<strong>所有</strong>被释放的 Chunk。</li> <li><strong>排序</strong>:按 <strong>Size 从大到小</strong> 严格排序。</li> <li><strong>哨兵参与</strong>:main_arena 中的 Bin 头部(哨兵)参与此链表。 <ul> <li><code>bin-&gt;fd</code> 指向该 Bin 中<strong>最大</strong>的 Chunk。</li> <li><code>bin-&gt;bk</code> 指向该 Bin 中<strong>最小</strong>的 Chunk。</li> </ul> </li> <li><strong>作用</strong>:维护所有可用堆块的物理地址索引,是 unlink 操作的基础。</li> </ul> <h5 id="第二层快车道-the-nextsize-index-loop">第二层:快车道 (The <code>nextsize</code> Index Loop) </h5><ul> <li><strong>成员</strong>:仅包含每个 Size 组中的<strong>第一个 Chunk(即“组长”)</strong>。</li> <li><strong>排序</strong>:同样按 Size 递减排序。</li> <li><strong>哨兵避让</strong>:哨兵不具备 nextsize 指针,因此<strong>不参与</strong>此链表。</li> <li><strong>闭环方式</strong>:最小组长的 fd_nextsize 直接指向最大组长,形成自闭环。</li> <li><strong>作用</strong>:实现“跳表”机制,搜索时直接跳过成百上千个相同大小的堆块。</li> </ul> <hr> <h4 id="2-组长-跟随者模型-leader-follower-model">2. “组长-跟随者”模型 (Leader-Follower Model) </h4><p>这是 Largebin 维持秩序的核心逻辑:</p> <ul> <li><strong>组长 (Leader)</strong>: <ul> <li>身份标识:<code>p-&gt;fd_nextsize != NULL</code>。</li> <li>物理位置:它是该 Size 组中<strong>离哨兵最近</strong>(在 fd 方向最靠前)的块。</li> <li>责任:持有 <code>nextsize</code> 指针,负责与其他尺寸的组长通信。</li> </ul> </li> <li><strong>跟随者 (Follower)</strong>: <ul> <li>身份标识:<code>p-&gt;fd_nextsize == NULL</code>。</li> <li>物理位置:紧跟在组长之后。</li> <li>责任:只通过 fd/bk 维持在主链表中的位置。被 unlink 时操作极快,不影响索引结构。</li> </ul> </li> </ul> <hr> <h4 id="3-关键字段及其指向总结">3. 关键字段及其指向总结 </h4><table> <thead> <tr> <th style="text-align: left">字段</th> <th style="text-align: left">含义</th> <th style="text-align: left">指向特性</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><strong>mchunk_prev_size</strong></td> <td style="text-align: left">物理相邻低地址块大小</td> <td style="text-align: left">永远指向物理上的“前一家”,用于 free 时的向后合并。</td> </tr> <tr> <td style="text-align: left"><strong>fd</strong></td> <td style="text-align: left">逻辑后继</td> <td style="text-align: left">指向主链表中的下一个 Chunk(Size $\le$ 当前块)。</td> </tr> <tr> <td style="text-align: left"><strong>bk</strong></td> <td style="text-align: left">逻辑前驱</td> <td style="text-align: left">指向主链表中的上一个 Chunk(Size $\ge$ 当前块)。</td> </tr> <tr> <td style="text-align: left"><strong>fd_nextsize</strong></td> <td style="text-align: left">跨组后继</td> <td style="text-align: left"><strong>仅组长持有</strong>。指向下一个<strong>更小尺寸</strong>的组长。最小组长指回最大组长。</td> </tr> <tr> <td style="text-align: left"><strong>bk_nextsize</strong></td> <td style="text-align: left">跨组前驱</td> <td style="text-align: left"><strong>仅组长持有</strong>。指向上一个<strong>更大尺寸</strong>的组长。最大组长指回最小组长。</td> </tr> </tbody> </table> <hr> <h4 id="4-操作行为准则-operational-dynamics">4. 操作行为准则 (Operational Dynamics) </h4><ol> <li><strong>搜索 (Search)</strong>:malloc 申请内存时,先看 <code>bin-&gt;fd</code> 的 fd_nextsize。如果请求 4500B,它会通过 nextsize 链表跳过整个 6000B 组和 5000B 组,直接定位到第一个可能满足条件的组。</li> <li><strong>插入 (Insertion)</strong>:新块从 Unsorted Bin 归位时,如果发现已有同尺寸组,总是插入到<strong>组长之后</strong>作为跟随者。这样无需改动 nextsize 链表,效率为 $O(1)$。</li> <li><strong>脱链 (Unlink)</strong>: <ul> <li>如果是<strong>跟随者</strong>:直接修改 fd/bk 闭合。</li> <li>如果是<strong>组长</strong>:将 fd_nextsize/bk_nextsize 的所有权移交给它的 fd(二把手),然后二把手晋升为新组长。</li> </ul> </li> </ol> <h2 id="malloc_consolidate-源码分析">malloc_consolidate 源码分析 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> ------------------------- malloc_consolidate ------------------------- </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> malloc_consolidate is a specialized version of free() that tears </span></span></span><span class="line"><span class="cl"><span class="cm"> down chunks held in fastbins. Free itself cannot be used for this </span></span></span><span class="line"><span class="cl"><span class="cm"> purpose since, among other things, it might place chunks back onto </span></span></span><span class="line"><span class="cl"><span class="cm"> fastbins. So, instead, we need to use a minor variant of the same </span></span></span><span class="line"><span class="cl"><span class="cm"> code. </span></span></span><span class="line"><span class="cl"><span class="cm">*/</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> <span class="nf">malloc_consolidate</span><span class="p">(</span><span class="n">mstate</span> <span class="n">av</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span><span class="o">*</span> <span class="n">fb</span><span class="p">;</span> <span class="cm">/* current fastbin being consolidated */</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span><span class="o">*</span> <span class="n">maxfb</span><span class="p">;</span> <span class="cm">/* last fastbin (for loop control) */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">;</span> <span class="cm">/* current chunk being consolidated */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextp</span><span class="p">;</span> <span class="cm">/* next chunk to consolidate */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">unsorted_bin</span><span class="p">;</span> <span class="cm">/* bin header */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">first_unsorted</span><span class="p">;</span> <span class="cm">/* chunk to link to */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* These have same use as in free() */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextchunk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">nextinuse</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_store_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">,</span> <span class="nb">false</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">unsorted_bin</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Remove each chunk from fast bin and consolidate it, placing it </span></span></span><span class="line"><span class="cl"><span class="cm"> then in unsorted bin. Among other reasons for doing this, </span></span></span><span class="line"><span class="cl"><span class="cm"> placing in unsorted bin avoids needing to calculate actual bins </span></span></span><span class="line"><span class="cl"><span class="cm"> until malloc is sure that chunks aren&#39;t immediately going to be </span></span></span><span class="line"><span class="cl"><span class="cm"> reused anyway. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">maxfb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">NFASTBINS</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">atomic_exchange_acq</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc_consolidate(): &#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;unaligned fastbin chunk detected&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">))</span> <span class="o">!=</span> <span class="n">fb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc_consolidate(): invalid chunk size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_inuse_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextp</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Slightly streamlined version of consolidation code in free() */</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextchunk</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextsize</span> <span class="o">=</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">prevsize</span> <span class="o">=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="o">-</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span> <span class="n">prevsize</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="n">prevsize</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size in fastbins&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">nextchunk</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nextinuse</span> <span class="o">=</span> <span class="nf">inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="n">nextsize</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">nextinuse</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">clear_inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">first_unsorted</span> <span class="o">=</span> <span class="n">unsorted_bin</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">unsorted_bin</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">first_unsorted</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">unsorted_bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">first_unsorted</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">while</span> <span class="p">(</span> <span class="p">(</span><span class="n">p</span> <span class="o">=</span> <span class="n">nextp</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">while</span> <span class="p">(</span><span class="n">fb</span><span class="o">++</span> <span class="o">!=</span> <span class="n">maxfb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>malloc_consolidate 是 free() 函数的一个专门化版本,用于清理(拆解)存放在 fastbins 中的堆块。free() 函数本身不能用于此目的,主要原因之一是它可能会将堆块重新放回 fastbins 中。因此,我们需要使用一套基于相同逻辑但略有不同的变体代码。</p> <h4 id="前置处理-1">前置处理 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">mfastbinptr</span><span class="o">*</span> <span class="n">fb</span><span class="p">;</span> <span class="cm">/* current fastbin being consolidated */</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span><span class="o">*</span> <span class="n">maxfb</span><span class="p">;</span> <span class="cm">/* last fastbin (for loop control) */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">;</span> <span class="cm">/* current chunk being consolidated */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextp</span><span class="p">;</span> <span class="cm">/* next chunk to consolidate */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">unsorted_bin</span><span class="p">;</span> <span class="cm">/* bin header */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">first_unsorted</span><span class="p">;</span> <span class="cm">/* chunk to link to */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* These have same use as in free() */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextchunk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">nextinuse</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_store_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">,</span> <span class="nb">false</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">unsorted_bin</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>atomic_store_relaxed (&amp;av-&gt;have_fastchunks, false);</code> 将“是否存在 Fastbin 块”的标志位重置为 false</p> <p>然后获取 unsorted_bin 链表头</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Unsorted chunks </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> All remainders from chunk splits, as well as all returned chunks, </span></span></span><span class="line"><span class="cl"><span class="cm"> are first placed in the &#34;unsorted&#34; bin. They are then placed </span></span></span><span class="line"><span class="cl"><span class="cm"> in regular bins after malloc gives them ONE chance to be used before </span></span></span><span class="line"><span class="cl"><span class="cm"> binning. So, basically, the unsorted_chunks list acts as a queue, </span></span></span><span class="line"><span class="cl"><span class="cm"> with chunks being placed on it in free (and malloc_consolidate), </span></span></span><span class="line"><span class="cl"><span class="cm"> and taken off (to be either used or placed in bins) in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The NON_MAIN_ARENA flag is never set for unsorted chunks, so it </span></span></span><span class="line"><span class="cl"><span class="cm"> does not have to be taken into account in size comparisons. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* The otherwise unindexable 1-bin is used to hold unsorted chunks. */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define unsorted_chunks(M) (bin_at (M, 1)) </span></span></span></code></pre></td></tr></table> </div> </div><p>翻译: 所有由内存块分割产生的余块(remainders),以及所有归还的内存块(被释放的 chunks),都会首先被放入“unsorted” bin。在将它们移入常规 bin(small/large bins)之前,malloc 会给予它们仅有一次被直接使用的机会。 因此,从本质上讲,unsorted_chunks 列表充当了一个队列的角色:内存块在执行 free(以及 malloc_consolidate)时被放入该队列,并在执行 malloc 时被移出该队列(移出后要么直接用于满足当前的分配请求,要么被分拣到对应的常规 bin 中)。 此外,对于 unsorted 块,NON_MAIN_ARENA 标志位永远不会被设置,因此在进行内存块大小的比较时,无需考虑该标志位的影响。</p> <p>unsortedbin 在 bins 中的索引为 0</p> <h3 id="取出-fastbin-链表">取出 fastbin 链表 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Remove each chunk from fast bin and consolidate it, placing it </span></span></span><span class="line"><span class="cl"><span class="cm"> then in unsorted bin. Among other reasons for doing this, </span></span></span><span class="line"><span class="cl"><span class="cm"> placing in unsorted bin avoids needing to calculate actual bins </span></span></span><span class="line"><span class="cl"><span class="cm"> until malloc is sure that chunks aren&#39;t immediately going to be </span></span></span><span class="line"><span class="cl"><span class="cm"> reused anyway. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">maxfb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">NFASTBINS</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">atomic_exchange_acq</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc_consolidate(): &#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;unaligned fastbin chunk detected&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">))</span> <span class="o">!=</span> <span class="n">fb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc_consolidate(): invalid chunk size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_inuse_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextp</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>p = atomic_exchange_acq (fb, NULL);</code> 以原子方式,一次性拎走(提取)整条 Fastbin 链表,并同时将该 Bin 清空。</p> <p>要求 p 的地址对齐 16 位</p> <p>然后获取 p 中 size 的对应 index ,要求与 fastbin 索引一致</p> <p>然后解码 p-&gt;fd 赋予 nextp</p> <h3 id="合并操作">合并操作 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Slightly streamlined version of consolidation code in free() */</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextchunk</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nextsize</span> <span class="o">=</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">prevsize</span> <span class="o">=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="o">-</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span> <span class="n">prevsize</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="n">prevsize</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size in fastbins&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>当物理上前一个 chunk 是 free 状态时,若 chunksize(p) != prevsize 检查通过,即当前 chunk 的 prevsize 与前一个 chunk 的 size 匹配,则触发 unlink_chunk</p> <h3 id="unlink_chunk-源码分析">unlink_chunk 源码分析 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* Take a chunk off a bin list. */</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">mstate</span> <span class="n">av</span><span class="p">,</span> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="nf">next_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">p</span> <span class="o">||</span> <span class="n">bk</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted double-linked list&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bk</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">!=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted double-linked list (not small)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">==</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="校验与脱链">校验与脱链 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="nf">next_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">p</span> <span class="o">||</span> <span class="n">bk</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted double-linked list&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bk</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>chunksize (p) != prev_size (next_chunk (p))</code> 检测要求被取出块 p 的 size 与其物理相邻的高地址块的 prevsize 匹配</p> <p><code>__builtin_expect (fd-&gt;bk != p || bk-&gt;fd != p, 0)</code> 检测要求当前块前驱的后继和后继的前驱均为自己</p> <p>校验完成,脱链</p> <h4 id="nextsize-链表维护">Nextsize 链表维护 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">!=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted double-linked list (not small)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">==</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>!in_smallbin_range (chunksize_nomask (p)) &amp;&amp; p-&gt;fd_nextsize != NULL</code> 检测要求块 p 的 size 不属于 smallbin 的管辖范围,即 p 属于 largebin 的管辖范围,且 p-&gt;fd_nextsize 不为空,即 p 是该 Size 组的组长,即距离哨兵最近的那个。这确保 p 一定在 largebin 或 unsortedbin 中</p> <p>而接下来的 double-link 检测则排除了 p 位于 unsortedbin 的情况,由此 p 一定在 largebin 中</p> <p>fd_nextsize 和 bk_nextsize 参与构建了一个按 Size 排序的沿 bk 单调递增的不包含哨兵的双向循环链表,该链表是 largebin 链表的一个子链表,而这段代码正是维护了这个链表</p> <h3 id="合并策略">合并策略 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">nextchunk</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nextinuse</span> <span class="o">=</span> <span class="nf">inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="n">nextsize</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">nextinuse</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">clear_inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">first_unsorted</span> <span class="o">=</span> <span class="n">unsorted_bin</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">unsorted_bin</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">first_unsorted</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">unsorted_bin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">first_unsorted</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">while</span> <span class="p">(</span> <span class="p">(</span><span class="n">p</span> <span class="o">=</span> <span class="n">nextp</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">while</span> <span class="p">(</span><span class="n">fb</span><span class="o">++</span> <span class="o">!=</span> <span class="n">maxfb</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>set_head 和 set_foot 分别设置 size 和对应的 prev_size</p> <p>综合该段代码和前面的分析, malloc_consolidate 的作用是:</p> <ol> <li><strong>合并策略</strong>: <ul> <li><strong>向后看(低地址)</strong>:在进入这段代码前, p 已经和低地址块合并过了。</li> <li><strong>向前看(高地址)</strong>:这段代码检查 nextchunk 是否空闲,能合就合。</li> </ul> </li> <li><strong>结果去向</strong>: <ul> <li>如果碰到了 <strong>Top Chunk</strong> $\rightarrow$ 合并进去,壮大荒野。</li> <li>如果没碰到 <strong>Top Chunk</strong> $\rightarrow$ 塞进 <strong>Unsorted Bin</strong>,等下次 malloc 时再重新分配或归类。</li> </ul> </li> </ol> <h3 id="总结">总结 </h3><p>malloc_consolidate 会将 fastbin 中的块合并后,放入以下两个地方之一:</p> <ol> <li><strong>Unsorted Bin</strong>(绝大多数情况)</li> <li><strong>Top Chunk</strong>(如果合并后的块在物理地址上紧邻 Top Chunk)</li> </ol> <h4 id="详细的过程拆解">详细的过程拆解 </h4><p>你可以把 malloc_consolidate 想象成一个“粉碎机”+“焊机”,它处理 fastbin 块的逻辑如下:</p> <h5 id="第一步取样与合并">第一步:取样与合并 </h5><p>它会遍历所有的 fastbins,把里面的每一个 chunk 拿出来。拿出来之后,它<strong>不会</strong>立即给这个 chunk 找新家,而是先看它的“邻居”:</p> <ul> <li><strong>向后合并(低地址)</strong>:检查物理相邻的低地址块是否空闲。如果是,利用 prev_size 找到它,把它从它所在的 bin 中 unlink 掉,和当前块合并。</li> <li><strong>向前合并(高地址)</strong>:检查物理相邻的高地址块是否空闲。如果是,把它从所在的 bin 中 unlink 掉,和当前块合并。</li> </ul> <h5 id="第二步根据位置决定去向">第二步:根据位置决定去向 </h5><p>经过第一步,这个 chunk 可能已经从小碎片变成了大块。现在它面临两个选择:</p> <ol> <li> <p><strong>并入 Top Chunk</strong>:</p> <ul> <li>如果合并后的块,其高地址方向紧挨着 <strong>Top Chunk</strong>。</li> <li><strong>结果</strong>:它不会进入任何 bin,而是直接被“吸入” Top Chunk,增加 Top Chunk 的大小,并更新 <code>av-&gt;top</code> 的指针。</li> </ul> </li> <li> <p><strong>放入 Unsorted Bin</strong>:</p> <ul> <li>如果合并后的块,其高地址方向<strong>不是</strong> Top Chunk。</li> <li><strong>结果</strong>:它会被放入 <strong>Unsorted Bin</strong>。</li> <li><strong>注意</strong>:此时它<strong>还没有</strong>进入 Smallbin 或 Largebin。只有在接下来的 _int_malloc 循环遍历 Unsorted Bin 时,才会根据它的最终大小,把它分拣(Place)到对应的 Smallbin 或 Largebin 中。</li> </ul> </li> </ol> <h4 id="效应">效应 </h4><p>在 malloc_consolidate 运行结束后:</p> <ul> <li><strong>Fastbins</strong>:变为空(Empty)。</li> <li><strong>Unsorted Bin</strong>:多了很多合并后的中大型堆块。</li> <li><strong>Top Chunk</strong>:可能变得更大。</li> <li><strong>Small/Large Bins</strong>:<strong>此时没有任何变化</strong>(它们的变化发生在随后的 _int_malloc 流程中)。</li> </ul> <h2 id="unsortedbin-相关处理">unsortedbin 相关处理 </h2><h3 id="转移准备">转移准备 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Process recently freed or remaindered chunks, taking one only if </span></span></span><span class="line"><span class="cl"><span class="cm"> it is exact fit, or, if this a small request, the chunk is remainder from </span></span></span><span class="line"><span class="cl"><span class="cm"> the most recent non-exact fit. Place other traversed chunks in </span></span></span><span class="line"><span class="cl"><span class="cm"> bins. Note that this step is the only place in any routine where </span></span></span><span class="line"><span class="cl"><span class="cm"> chunks are placed in bins. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The outer loop here is needed because we might not realize until </span></span></span><span class="line"><span class="cl"><span class="cm"> near the end of malloc that we should have consolidated, so must </span></span></span><span class="line"><span class="cl"><span class="cm"> do so and retry. This happens at most once, and only when we would </span></span></span><span class="line"><span class="cl"><span class="cm"> otherwise need to expand memory to service a &#34;small&#34; request. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">tcache_nb</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_nb</span> <span class="o">=</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">return_cached</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">tcache_unsorted_count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span></code></pre></td></tr></table> </div> </div><p>翻译: 处理最近释放的(recently freed)或切分剩余的(remaindered)堆块。只有在以下两种情况时才直接取用堆块:一是大小完全匹配(exact fit);二是对于小尺寸(small request)申请,该块是最近一次非精确匹配后切剩下的余料。 将其余遍历到的堆块放入对应的 bin 中(即 Smallbin 或 Largebin)。请注意,这一步是整个分配程序中唯一一处将堆块放入(归类到)对应 bin 的地方。 此处需要一个外层循环,是因为直到分配过程接近尾声时,我们才可能意识到应当进行内存合并(consolidation),此时必须执行合并并重试分配。这种情况最多只会发生一次,且仅当在不合并就必须扩展内存(即调用 sbrk/mmap)来满足“小尺寸”申请时才会触发。</p> <p>同时准备把 unsortedbin 转移至 tcache</p> <h3 id="各种检查">各种检查 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(;;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">iters</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">)</span> <span class="o">!=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">next</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid next size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">((</span><span class="nf">prev_size</span> <span class="p">(</span><span class="n">next</span><span class="p">)</span> <span class="o">&amp;</span> <span class="o">~</span><span class="p">(</span><span class="n">SIZE_BITS</span><span class="p">))</span> <span class="o">!=</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): mismatching next-&gt;prev_size (unsorted)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): unsorted double linked list corrupted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">prev_inuse</span> <span class="p">(</span><span class="n">next</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): invalid next-&gt;prev_inuse (unsorted)&#34;</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>外层 for 循环作用如翻译所言:</p> <blockquote> <p>此处需要一个外层循环,是因为直到分配过程接近尾声时,我们才可能意识到应当进行内存合并(consolidation),此时必须执行合并并重试分配。这种情况最多只会发生一次,且仅当在不合并就必须扩展内存(即调用 sbrk/mmap)来满足“小尺寸”申请时才会触发。</p> </blockquote> <p>内层 while 对 unsorted_chunks 作遍历,直到 unsortedbin 为空</p> <p>此处针对 unsorted_chunks 的检查有:</p> <ol> <li>当前 Chunk 尺寸合法性检查</li> <li>下一个 Chunk 尺寸合法性检查</li> <li>size 与 prev_size 的一致性检查</li> <li>double linked 检查</li> <li>PREV_INUSE (P) 标志位一致性检查</li> </ol> <h3 id="切割余料">切割余料 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a small request, try to use last remainder if it is the </span></span></span><span class="line"><span class="cl"><span class="cm"> only chunk in unsorted bin. This helps promote locality for </span></span></span><span class="line"><span class="cl"><span class="cm"> runs of consecutive small requests. This is the only </span></span></span><span class="line"><span class="cl"><span class="cm"> exception to best-fit, and applies only when there is </span></span></span><span class="line"><span class="cl"><span class="cm"> no exact fit for a small chunk. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">==</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">==</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span> <span class="o">+</span> <span class="n">MINSIZE</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* split and reattach remainder */</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="翻译">翻译: </h4><p>如果是小尺寸请求(small request),且 Unsorted Bin 中只有一个堆块,则尝试使用‘最近一次切分剩下的余料’(last remainder)。这有助于提升连续小尺寸请求序列的局部性(locality)。这是对‘最佳适配’(best-fit)原则的唯一例外,且仅在没有找到大小完全精确匹配(exact fit)的小堆块时才会生效</p> <h4 id="触发条件">触发条件: </h4><p>为了不让这种例外导致严重的内存碎片,它必须满足: 是 Small Request:申请的大小在 Smallbin 范围内。 Unsorted Bin 只有这一个块:如果还有别的块,说明还没分拣完,必须按规矩办事。 没有 Exact Fit:如果你申请 0x20,而 Unsorted Bin 里正好有一个 0x20 的块,那肯定优先用那个,不需要切余料。</p> <h3 id="脱链以及大小匹配情形">脱链,以及大小匹配情形 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* remove from unsorted list */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">victim</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks 3&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Take now instead of binning if exact fit */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">size</span> <span class="o">==</span> <span class="n">nb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* Fill cache first, return to user only if cache fills. </span></span></span><span class="line"><span class="cl"><span class="cm"> We may return one of these chunks later. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache_nb</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">return_cached</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>把 chunk 从 unsortedbin 脱链</p> <p>若发现该 chunk 符合申请的 size ,考虑:</p> <ol> <li>可以放进 tcache 则放进 tcache ,然后 continue 回去读下一个 chunk</li> <li>否则直接返回该 chunk</li> </ol> <h3 id="放进-smallbin">放进 smallbin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* place chunk in bin */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim_index</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>该 chunk 不符合申请的 size ,但符合 in_smallbin_range ,那就先放进 smallbin</p> <h3 id="放进-largebin">放进 largebin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim_index</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* maintain large bins in sorted order */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fwd</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or with inuse bit to speed comparisons */</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">|=</span> <span class="n">PREV_INUSE</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* if smaller than smallest, bypass loop below */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">fwd</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="n">size</span> <span class="o">&lt;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_main_arena</span> <span class="p">(</span><span class="n">fwd</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="n">size</span> </span></span><span class="line"><span class="cl"> <span class="o">==</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Always insert in the second position. */</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">!=</span> <span class="n">fwd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): largebin double linked list corrupted (nextsize)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">!=</span> <span class="n">fwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): largebin double linked list corrupted (bk)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>否则考虑将 chunk 放入 largebin 中,并维护单调性,过程中有 double linked 审查</p> <p>注意,这时候只更新了 fwd 和 bck ,还没插入 victim</p> <h3 id="while-循环收尾">while 循环收尾 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="nf">mark_bin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim_index</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* If we&#39;ve processed as many chunks as we&#39;re allowed while </span></span></span><span class="line"><span class="cl"><span class="cm"> filling the cache, return one of the cached ones. */</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">tcache_unsorted_count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">return_cached</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_unsorted_limit</span> <span class="o">&gt;</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">tcache_unsorted_count</span> <span class="o">&gt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_unsorted_limit</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define MAX_ITERS 10000 </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">++</span><span class="n">iters</span> <span class="o">&gt;=</span> <span class="n">MAX_ITERS</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="cm">/* If all the small chunks we found ended up cached, return one now. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">return_cached</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span></code></pre></td></tr></table> </div> </div><p>正式插入 victim ,并在 binmap 中打上标记</p> <p>如果 return_cached 满足且 tcache 对从 unsortedbin 的转移做了限制且目前已超出限制,则返回之前记录的转移至 tcache 中的 chunk</p> <p>设定内层 while 循环的最大迭代次数</p> <p>内层 while 循环边界在此</p> <p>如果我们找到的所有小块(small chunks)最终都存入了 tcache,那么现在就返回其中一个。</p> <h4 id="binmap-相关">Binmap 相关 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Binmap </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> To help compensate for the large number of bins, a one-level index </span></span></span><span class="line"><span class="cl"><span class="cm"> structure is used for bin-by-bin searching. `binmap&#39; is a </span></span></span><span class="line"><span class="cl"><span class="cm"> bitvector recording whether bins are definitely empty so they can </span></span></span><span class="line"><span class="cl"><span class="cm"> be skipped over during during traversals. The bits are NOT always </span></span></span><span class="line"><span class="cl"><span class="cm"> cleared as soon as bins are empty, but instead only </span></span></span><span class="line"><span class="cl"><span class="cm"> when they are noticed to be empty during traversal in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cm">/* Conservatively use 32 bits per map word, even if on 64bit system */</span> </span></span><span class="line"><span class="cl"><span class="cp">#define BINMAPSHIFT 5 </span></span></span><span class="line"><span class="cl"><span class="cp">#define BITSPERMAP (1U &lt;&lt; BINMAPSHIFT) </span></span></span><span class="line"><span class="cl"><span class="cp">#define BINMAPSIZE (NBINS / BITSPERMAP) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define idx2block(i) ((i) &gt;&gt; BINMAPSHIFT) </span></span></span><span class="line"><span class="cl"><span class="cp">#define idx2bit(i) ((1U &lt;&lt; ((i) &amp; ((1U &lt;&lt; BINMAPSHIFT) - 1)))) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define mark_bin(m, i) ((m)-&gt;binmap[idx2block (i)] |= idx2bit (i)) </span></span></span><span class="line"><span class="cl"><span class="cp">#define unmark_bin(m, i) ((m)-&gt;binmap[idx2block (i)] &amp;= ~(idx2bit (i))) </span></span></span><span class="line"><span class="cl"><span class="cp">#define get_binmap(m, i) ((m)-&gt;binmap[idx2block (i)] &amp; idx2bit (i)) </span></span></span></code></pre></td></tr></table> </div> </div><p>Binmap 是 malloc 中的一个<strong>极其高效的性能优化机制</strong>。</p> <p>简单来说,它的作用是:<strong>在“箱子索引图”(binmap)中打个勾,标记第 i 号 bin 现在已经不是空的了。</strong></p> <p>在 malloc 的分配过程中,当 Unsorted Bin 里的块被分拣完后,系统需要去 Smallbins 或 Largebins 里寻找合适的块。</p> <ul> <li><strong>笨办法</strong>:从目标的 bin 开始,一个一个往后检查每个 bin 是否为空。如果连续 50 个 bin 都是空的,这种遍历会非常浪费 CPU 时间。</li> <li><strong>聪明办法(glibc 的做法)</strong>:维护一个<strong>位图(Bitmap)</strong>。每个 bit 代表一个 bin: <ul> <li>如果 bit 是 1,表示这个 bin <strong>可能</strong>有空闲块。</li> <li>如果 bit 是 0,表示这个 bin <strong>一定</strong>是空的。</li> </ul> </li> <li><strong>加速效果</strong>:通过检查位图(利用 CPU 的位运算指令,如 ffs 或 bsf),malloc 可以瞬间跳过几十个空的 bin,直接定位到最近的非空 bin</li> </ul> <h2 id="扫描-largebin">扫描 largebin </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If a large request, scan through the chunks of current bin in </span></span></span><span class="line"><span class="cl"><span class="cm"> sorted order to find smallest that fits. Use the skip list for this. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* skip scan if empty or largest chunk is too small */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">victim</span> <span class="o">=</span> <span class="nf">first</span> <span class="p">(</span><span class="n">bin</span><span class="p">))</span> <span class="o">!=</span> <span class="n">bin</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">&lt;</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Avoid removing the first entry for a size so that the skip </span></span></span><span class="line"><span class="cl"><span class="cm"> list does not have to be rerouted. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">!=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">==</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Exhaust */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">remainder_size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Split */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We cannot assume the unsorted list is empty and therefore </span></span></span><span class="line"><span class="cl"><span class="cm"> have to perform a complete insert here. */</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>如果是大尺寸请求,按排序顺序遍历当前 bin 中的堆块,以寻找满足要求的最小堆块(即最佳适配)。为此利用跳表(skip list,指 nextsize 指针链表)来实现。</p> <p>如果 bin 为空,或者最大的堆块也太小(无法满足请求尺寸),则跳过扫描。</p> <p>避免移除同尺寸堆块中的第一个条目(组长),这样就不必重新调整跳表(nextsize 链表)的指针指向。</p> <p>如果剩余部分的大小不足以作为一个独立堆块,则将整个堆块全部分配给用户)。</p> <p>如果剩余部分足够大,可以作为一个独立的堆块存在。</p> <p>我们不能假设 Unsorted 链表是空的,因此必须在后续执行完整的插入操作(将切分出的余料放入 Unsorted Bin),同时记得清空 nextsize 指针。</p> <h2 id="检索-binmap">检索 binmap </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Search for a chunk by scanning bins, starting with next largest </span></span></span><span class="line"><span class="cl"><span class="cm"> bin. This search is strictly by best-fit; i.e., the smallest </span></span></span><span class="line"><span class="cl"><span class="cm"> (with ties going to approximately the least recently used) chunk </span></span></span><span class="line"><span class="cl"><span class="cm"> that fits is selected. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The bitmap avoids needing to check that most blocks are nonempty. </span></span></span><span class="line"><span class="cl"><span class="cm"> The particular case of skipping all bins during warm-up phases </span></span></span><span class="line"><span class="cl"><span class="cm"> when no chunks have been returned yet is faster than it might look. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">idx</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">block</span> <span class="o">=</span> <span class="nf">idx2block</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="nf">idx2bit</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(;;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Skip rest of block if there are no more set bits in this block. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">bit</span> <span class="o">&gt;</span> <span class="n">map</span> <span class="o">||</span> <span class="n">bit</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">++</span><span class="n">block</span> <span class="o">&gt;=</span> <span class="n">BINMAPSIZE</span><span class="p">)</span> <span class="cm">/* out of bins */</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">use_top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">])</span> <span class="o">==</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="p">(</span><span class="n">block</span> <span class="o">&lt;&lt;</span> <span class="n">BINMAPSHIFT</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Advance to bin with set bit. There must be one. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">bit</span> <span class="o">&amp;</span> <span class="n">map</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="n">bit</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Inspect the bin. It is likely to be non-empty */</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If a false alarm (empty bin), clear the bit. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">==</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">]</span> <span class="o">=</span> <span class="n">map</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">bit</span><span class="p">;</span> <span class="cm">/* Write through */</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We know the first chunk in this bin is big enough to use. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* unlink */</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Exhaust */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">remainder_size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Split */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We cannot assume the unsorted list is empty and therefore </span></span></span><span class="line"><span class="cl"><span class="cm"> have to perform a complete insert here. */</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* advertise as last remainder */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="初始化">初始化 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Search for a chunk by scanning bins, starting with next largest </span></span></span><span class="line"><span class="cl"><span class="cm"> bin. This search is strictly by best-fit; i.e., the smallest </span></span></span><span class="line"><span class="cl"><span class="cm"> (with ties going to approximately the least recently used) chunk </span></span></span><span class="line"><span class="cl"><span class="cm"> that fits is selected. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> The bitmap avoids needing to check that most blocks are nonempty. </span></span></span><span class="line"><span class="cl"><span class="cm"> The particular case of skipping all bins during warm-up phases </span></span></span><span class="line"><span class="cl"><span class="cm"> when no chunks have been returned yet is faster than it might look. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">idx</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">block</span> <span class="o">=</span> <span class="nf">idx2block</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="nf">idx2bit</span> <span class="p">(</span><span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(;;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span></code></pre></td></tr></table> </div> </div><p>通过扫描 bins 来寻找堆块,从紧邻的下一个较大的 bin 开始。这种搜索严格遵循“最佳适配”(best-fit)原则;也就是说,会选择满足要求的最小堆块(如果大小相同,则大致选择最久未使用的那个)。</p> <p>位图(bitmap)机制避免了检查大多数(为空的)bin 块的需要。在程序刚启动(预热阶段)、尚无堆块被释放回 bin 时,跳过所有 bin 的这种特定情况,其执行速度比看起来还要快。</p> <p>找到对应的 binmap ,初始化相关要素</p> <p>进入内层 for 循环</p> <h3 id="定位-bin">定位 bin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Skip rest of block if there are no more set bits in this block. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">bit</span> <span class="o">&gt;</span> <span class="n">map</span> <span class="o">||</span> <span class="n">bit</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">++</span><span class="n">block</span> <span class="o">&gt;=</span> <span class="n">BINMAPSIZE</span><span class="p">)</span> <span class="cm">/* out of bins */</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">use_top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">map</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">])</span> <span class="o">==</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">bin_at</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="p">(</span><span class="n">block</span> <span class="o">&lt;&lt;</span> <span class="n">BINMAPSHIFT</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Advance to bin with set bit. There must be one. */</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">bit</span> <span class="o">&amp;</span> <span class="n">map</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="n">bit</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Inspect the bin. It is likely to be non-empty */</span> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="nf">last</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If a false alarm (empty bin), clear the bit. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span> <span class="o">==</span> <span class="n">bin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">binmap</span><span class="p">[</span><span class="n">block</span><span class="p">]</span> <span class="o">=</span> <span class="n">map</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">bit</span><span class="p">;</span> <span class="cm">/* Write through */</span> </span></span><span class="line"><span class="cl"> <span class="n">bin</span> <span class="o">=</span> <span class="nf">next_bin</span> <span class="p">(</span><span class="n">bin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">bit</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>如果当前 block 中没有多余的标记,那么去找后边的 block,找不到就用 top_chunk</p> <p>推进到对应比特位已置位的那个 bin。此时一定能找到一个。</p> <p>检查该 bin。它很可能不是空的。</p> <p>如果是误报(即 bin 实际上是空的),则清除该位图比特位,然后再次迭代检索 binmap。</p> <h3 id="取出这个-chunk">取出这个 chunk </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We know the first chunk in this bin is big enough to use. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* unlink */</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Exhaust */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">remainder_size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_inuse_bit_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_non_main_arena</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Split */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We cannot assume the unsorted list is empty and therefore </span></span></span><span class="line"><span class="cl"><span class="cm"> have to perform a complete insert here. */</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted unsorted chunks 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* advertise as last remainder */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">last_remainder</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">remainder_size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>使 chunk 脱链</p> <p>如果剩余部分的大小不足以作为一个独立堆块,则将整个堆块全部分配给用户)。</p> <p>如果剩余部分足够大,可以作为一个独立的堆块存在。</p> <p>我们不能假设 Unsorted 链表是空的,因此必须在后续执行完整的插入操作(将切分出的余料放入 Unsorted Bin),同时记得清空 nextsize 指针。</p> <p>然后返回这个 chunk</p> <h2 id="使用-top_chunk">使用 top_chunk </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="nl">use_top</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If large enough, split off the chunk bordering the end of memory </span></span></span><span class="line"><span class="cl"><span class="cm"> (held in av-&gt;top). Note that this is in accord with the best-fit </span></span></span><span class="line"><span class="cl"><span class="cm"> search rule. In effect, av-&gt;top is treated as larger (and thus </span></span></span><span class="line"><span class="cl"><span class="cm"> less well fitting) than any other available chunk since it can </span></span></span><span class="line"><span class="cl"><span class="cm"> be extended to be as large as necessary (up to system </span></span></span><span class="line"><span class="cl"><span class="cm"> limitations). </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> We require that av-&gt;top always exists (i.e., has size &gt;= </span></span></span><span class="line"><span class="cl"><span class="cm"> MINSIZE) after initialization, so if it would otherwise be </span></span></span><span class="line"><span class="cl"><span class="cm"> exhausted by current request, it is replenished. (The main </span></span></span><span class="line"><span class="cl"><span class="cm"> reason for ensuring it exists is that we may need MINSIZE space </span></span></span><span class="line"><span class="cl"><span class="cm"> to put in fenceposts in sysmalloc.) </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">victim</span> <span class="o">=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;malloc(): corrupted top size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span> <span class="o">+</span> <span class="n">MINSIZE</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder_size</span> <span class="o">=</span> <span class="n">size</span> <span class="o">-</span> <span class="n">nb</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">remainder</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">remainder</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">victim</span><span class="p">,</span> <span class="n">nb</span> <span class="o">|</span> <span class="n">PREV_INUSE</span> <span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">av</span> <span class="o">!=</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">?</span> <span class="nl">NON_MAIN_ARENA</span> <span class="p">:</span> <span class="mi">0</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span> <span class="p">(</span><span class="n">remainder</span><span class="p">,</span> <span class="n">remainder_size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_malloced_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">victim</span><span class="p">,</span> <span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">victim</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* When we are using atomic ops to free fast chunks we can get </span></span></span><span class="line"><span class="cl"><span class="cm"> here for all block sizes. */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* restore original bin index */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">in_smallbin_range</span> <span class="p">(</span><span class="n">nb</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">smallbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">idx</span> <span class="o">=</span> <span class="nf">largebin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Otherwise, relay to handle system-dependent cases </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="nf">sysmalloc</span> <span class="p">(</span><span class="n">nb</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">p</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">alloc_perturb</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>如果(Top Chunk)足够大,就切分出紧邻内存末尾的那个堆块(由 av-&gt;top 持有)。注意,这符合“最佳适配”(best-fit)搜索规则。实际上,av-&gt;top 被视为比任何其他可用堆块都大(因此匹配度较低),因为它可以在必要时进行扩展(直至系统限制)。</p> <p>我们要求 av-&gt;top 在初始化后始终存在(即大小大于 MINSIZE),因此如果它将被当前请求耗尽,则必须对其进行补充。(确保其存在的主要原因是,在 sysmalloc 中,我们可能需要 MINSIZE 的空间来放置“栅栏桩”。)</p> <p><code>if ((unsigned long) (size) &gt;= (unsigned long) (nb + MINSIZE))</code> 如果切割后的剩余空间大于最小应分配内存,则直接切割分配</p> <p><code>else if (atomic_load_relaxed (&amp;av-&gt;have_fastchunks))</code> 否则考虑从 fastbin 中拿出可能存在块合并,放入 unsortedbin 或 top_chunk 中,同时更新 idx ,以外层 for 为基准再迭代一轮</p> <p>如果还是没有空间,那就只好用 sysmalloc 了</p> <p>外层 for 循环边界在此</p> <p>_int_malloc 函数边界在此,分析完成</p> <h2 id="small_request-处理总结">small_request 处理总结 </h2><p>在 glibc 2.35 中,处理一个 small_request(通常指 64 位系统下,不含头部大小在 1016 字节以下的请求,即最终 size &lt;= 1024 字节)是一个多层级的搜索过程。</p> <p>为了提升性能,glibc 采用了从“最快且私有”到“最慢且全局”的搜索策略。以下是 small_request 在 _int_malloc 中可能经过的一切流程:</p> <h3 id="1-尺寸计算与对齐-checked_request2size">1. 尺寸计算与对齐 (checked_request2size) </h3><p>首先,malloc 会将你申请的 bytes 加上 CHUNK_HDR_SZ(16 字节),并向上对齐到 16 字节。</p> <ul> <li>例如 malloc(0x20) -&gt; 实际 size 为 0x30。</li> <li>如果符合 smallbin 范围,进入后续逻辑。</li> </ul> <h3 id="2-第一关tcache-thread-local-cache--最快路径">2. 第一关:Tcache (Thread Local Cache) —— 最快路径 </h3><p>这是 glibc 2.26 之后引入的线程私有缓存,<strong>不需要加锁</strong>。</p> <ul> <li><strong>搜索</strong>:根据计算出的 size 找到对应的 tcache 索引。</li> <li><strong>命中</strong>:如果 <code>tcache-&gt;entries[idx]</code> 有块,直接弹出一个返回。</li> <li><strong>安全检查</strong>:2.35 版本会检查 tcache 的 key 字段(防止 double free)以及指针的对齐性。</li> </ul> <h3 id="3-第二关fastbins--快速路径">3. 第二关:Fastbins —— 快速路径 </h3><p>如果 Tcache 没命中,且 size 属于 Fastbin 范围(通常 &lt;= 0x80):</p> <ul> <li><strong>加锁</strong>:获取当前 Arena 的互斥锁。</li> <li><strong>搜索</strong>:在 <code>av-&gt;fastbinsY</code> 中查找。</li> <li><strong>命中</strong>: <ol> <li>从栈顶取出一个块。</li> <li><strong>Tcache 填充</strong>:这是 2.35 的特性。如果发现了命中,它会尝试把该 fastbin 链表里剩下的块全都“挪”到当前线程的 Tcache 中,直到 Tcache 填满(默认 7 个)。</li> <li>返回该块。</li> </ol> </li> </ul> <h3 id="4-第三关smallbins--确定性路径">4. 第三关:Smallbins —— 确定性路径 </h3><p>如果不是 Fastbin 尺寸,或者 Fastbin 为空:</p> <ul> <li><strong>搜索</strong>:直接在 <code>av-&gt;bins</code> 的对应 Smallbin 索引处查看。</li> <li><strong>命中</strong>: <ol> <li>从链表末尾(BK 方向)取出一个块(FIFO 机制)。</li> <li><strong>安全检查</strong>:执行 Safe Unlink 检查(即 <code>victim-&gt;bk-&gt;fd == victim</code>)。</li> <li><strong>标志位</strong>:设置该块的 PREV_INUSE。</li> <li><strong>Tcache 填充</strong>:同样,如果对应 Smallbin 还有剩余块,会批量存入 Tcache,然后返回其中一个。</li> </ol> </li> </ul> <h3 id="5-第四关unsorted-bin-遍历--整理与中转">5. 第四关:Unsorted Bin 遍历 —— 整理与中转 </h3><p>如果 Smallbins 也没命中,说明目前没有大小正好合适的空闲块。此时 malloc 必须开始“干苦活”:遍历 Unsorted Bin。</p> <p>在此过程中,malloc 会处理之前被 free 掉但还没归类的块:</p> <ul> <li><strong>Last Remainder 优化</strong>:如果申请的是 small request,且 Unsorted Bin 中只有一个块且它是 last_remainder,且大小足够切分,则直接切分: <ul> <li>切出一块给用户,剩下的作为新的 last_remainder 留在 Unsorted Bin 中。</li> </ul> </li> <li><strong>分拣与精确匹配</strong>:如果上述不成立,开始循环遍历 Unsorted Bin: <ol> <li>把块从 Unsorted Bin 移除(执行前面讨论过的各种安全检查)。</li> <li>如果大小<strong>完全一致</strong>(Exact Fit):停止分拣,直接给用户(或者放入 Tcache 备用)。</li> <li>如果大小不一致:根据大小把这个块扔进对应的 <strong>Smallbin</strong> 或 <strong>Largebin</strong>,并更新 binmap。</li> </ol> </li> </ul> <h3 id="6-第五关binmap-搜索--寻找大块切分">6. 第五关:Binmap 搜索 —— 寻找大块切分 </h3><p>如果 Unsorted Bin 遍历完了还没找到正好相等的块(且 Tcache 也没填满):</p> <ul> <li><strong>搜索比目标大的 Bin</strong>:通过 binmap 快速定位比当前 size 大的最小非空 Smallbin 或 Largebin。</li> <li><strong>切分(Splitting)</strong>: <ol> <li>找到一个比需求大的块。</li> <li>切开它:前半部分给用户,后半部分作为 <strong>Remainder</strong> 放入 Unsorted Bin。</li> </ol> </li> </ul> <h3 id="7-第六关top-chunk--最后的荒野">7. 第六关:Top Chunk —— 最后的荒野 </h3><p>如果连大块都没有了:</p> <ul> <li><strong>检查 Top Chunk</strong>:看 <code>av-&gt;top</code> 的剩余空间是否足够。</li> <li><strong>切分</strong>:如果够,从 Top Chunk 切出一块。Top Chunk 的起始地址增加,剩余 size 减少。</li> </ul> <h3 id="8-第七关绝望的挣扎--consolidation">8. 第七关:绝望的挣扎 —— Consolidation </h3><p>如果 Top Chunk 也不够大:</p> <ul> <li><strong>检查 Fastbins</strong>:看 fastbins 里是不是还有没合并的碎片。</li> <li><strong>调用 malloc_consolidate</strong>:清空 fastbins,把它们合并后扔进 Unsorted Bin。</li> <li><strong>重试</strong>:回到步骤 5(Unsorted Bin 遍历),再给一次机会。这种情况在整个分配逻辑中<strong>只允许发生一次</strong>。</li> </ul> <h3 id="9-第八关向操作系统要钱--sysmalloc">9. 第八关:向操作系统要钱 —— sysmalloc </h3><p>如果上述所有招数都用完了,还没内存:</p> <ul> <li><strong>sbrk / mmap</strong>:调用内核接口增加堆空间(brk 扩展)或申请新的内存映射(mmap)。</li> <li>如果系统也没内存了,返回 NULL 并设置 errno 为 ENOMEM。</li> </ul> <h3 id="总结-1">总结: </h3><ol> <li><strong>Tcache 优先级极高</strong>:几乎所有的命中(Fastbin, Smallbin, Unsorted Bin Exact Fit)都会伴随一个“填满 Tcache”的动作。</li> <li><strong>安全检查增强</strong>:2.35 引入了更严格的指针保护和双向链表校验。</li> <li><strong>局部性优先</strong>:通过 Last Remainder 和 Tcache 填充极力保证连续申请的小块在物理地址上靠近,提升缓存命中率。</li> </ol> <p>这个流程体现了从<strong>私有缓存 -&gt; 快速链表 -&gt; 整理分拣 -&gt; 物理切分 -&gt; 系统申请</strong>的严密逻辑</p> <h2 id="large_request-处理总结">large_request 处理总结 </h2><p>在 glibc 2.35 中,large_request 指的是申请的内存大小(计算对齐和头部后)超过了 Smallbin 的上限(通常在 64 位系统上 <strong>&gt; 1024 字节</strong>)。</p> <p>处理 Large Request 的过程比 Small Request 更加复杂,因为它涉及 <strong>Best-fit(最佳适配)</strong> 算法和特殊的 <strong>Nextsize 双向跳表</strong> 结构。以下是 large_request 在 _int_malloc 中可能经过的一切流程:</p> <h3 id="1-尺寸计算与-tcache-检查入口点">1. 尺寸计算与 Tcache 检查(入口点) </h3><p>首先,malloc 会计算最终的 nb(request size + 16 字节对齐)。</p> <ul> <li><strong>Tcache 命中(即便很大)</strong>: <ul> <li>注意:Tcache 默认的最大尺寸是 <strong>1032 字节</strong>(TCACHE_MAX_SZ)。</li> <li>如果你的请求正好在这个边界内(例如请求 1000 字节,nb 为 1024),它仍会先查 Tcache。如果命中,直接返回。</li> </ul> </li> <li><strong>进入主分配器</strong>: <ul> <li>如果超过 Tcache 范围,或者 Tcache 未命中,则获取 Arena 锁并进入 _int_malloc。</li> </ul> </li> </ul> <h3 id="2-预处理fastbin-合并特殊触发">2. 预处理:Fastbin 合并(特殊触发) </h3><p>对于 Large Request,glibc 有一个“激进合并”策略:</p> <ul> <li><strong>触发条件</strong>:如果申请的尺寸非常大(大于 FASTBIN_CONSOLIDATION_THRESHOLD,通常 64KB),或者在后续流程中发现 Bins 和 Top Chunk 都不够用。</li> <li><strong>动作</strong>:调用 malloc_consolidate。这会把 Fastbins 中的所有零碎小块合并并扔进 Unsorted Bin。</li> <li><strong>目的</strong>:大内存申请往往意味着内存压力大,提前整理碎片可以防止因碎片化导致的分配失败。</li> </ul> <h3 id="3-跨过-fastbin-和-smallbin-路径">3. 跨过 Fastbin 和 Smallbin 路径 </h3><p>由于 nb 属于 Large 范围:</p> <ul> <li>代码会直接跳过 Fastbin 查找逻辑。</li> <li>代码会直接跳过 Smallbin 查找逻辑(<code>in_smallbin_range(nb)</code> 为假)。</li> </ul> <h3 id="4-遍历-unsorted-bin整理与分拣">4. 遍历 Unsorted Bin(整理与分拣) </h3><p>这是 Large Request 分配中最关键的一步。malloc 并不直接去 Largebins 找,而是先清理 Unsorted Bin。</p> <ul> <li><strong>遍历链表</strong>:从 Unsorted Bin 的末尾(bk)向前遍历。</li> <li><strong>Exact Fit(精确匹配)</strong>: <ul> <li>如果遍历到一个块,大小正好等于 nb。</li> <li><strong>动作</strong>:将此块直接返回。</li> <li><em>注意</em>:Large Request <strong>不使用</strong> Small Request 那种“Last Remainder”切分优化。</li> </ul> </li> <li><strong>分拣入 Bin</strong>: <ul> <li>如果大小不匹配,将该块从 Unsorted Bin 移除,放入它该去的 Smallbin 或 Largebin。</li> <li><strong>Largebin 特有维护</strong>:如果要放入 Largebin,系统必须维护 fd_nextsize 链表,确保 Largebin 内部依然是<strong>按 Size 降序排序</strong>的。</li> <li><strong>限制</strong>:为了防止遍历时间过长,glibc 通常限制每次遍历 Unsorted Bin 的块数(最多 10000 块,防止拒绝服务攻击)。</li> </ul> </li> </ul> <h3 id="5-扫描目标的-largebin寻找最佳适配">5. 扫描目标的 Largebin(寻找最佳适配) </h3><p>如果在 Unsorted Bin 中没找到精确匹配,现在才开始正式搜索对应的 Largebin。</p> <ul> <li><strong>确定索引</strong>:计算 nb 属于哪一个 Largebin(Largebin 是按范围划分的,例如 1024-1088 字节是一个 bin)。</li> <li><strong>利用 Nextsize 链表(跳表)搜索</strong>: <ol> <li>找到该 Largebin 的第一个块(最大块 <code>victim = first(bin)</code>)。</li> <li>如果最大块都比 nb 小,直接跳过此 bin。</li> <li>如果够大,利用 <strong>bk_nextsize</strong> 从“大”往“小”跳。</li> <li><strong>寻找最小的符合条件的块</strong>:跳到第一个 <strong>Size &lt; nb</strong> 的组,然后回退一步,找到那个 <strong>Size &gt;= nb 的最小组</strong>。</li> </ol> </li> <li><strong>组内优化</strong>: <ul> <li>找到合适的 Size 组后,为了避免修改 fd_nextsize 链表(减少脱链成本),malloc 会优先取该组的<strong>第二个块</strong>(Follower),而不是组长(Leader)。</li> </ul> </li> <li><strong>切分(Splitting)</strong>: <ul> <li>找到 victim 后,计算 <code>remainder_size = size - nb</code>。</li> <li><strong>余料处理</strong>:如果剩下的部分 $&gt;=$ MINSIZE(32字节),将余料切下来,放入 <strong>Unsorted Bin</strong>。</li> <li><strong>耗尽处理</strong>:如果余料太小,直接把整个块给用户。</li> </ul> </li> </ul> <h3 id="6-搜索更高级别的-bins">6. 搜索更高级别的 Bins </h3><p>如果在目标 Largebin 里没找到:</p> <ul> <li><strong>Binmap 加速</strong>:检查 binmap,寻找比当前 bin 索引更大的、非空的 bin。</li> <li><strong>Best-fit 逻辑</strong>:一旦找到一个非空的更大的 bin,逻辑同上:从该 bin 里的最小块开始切分(因为大 bin 里的任何块都一定满足申请要求)。</li> </ul> <h3 id="7-切分-top-chunk">7. 切分 Top Chunk </h3><p>如果所有的 Bins(Unsorted, Small, Large)都翻遍了还没找到:</p> <ul> <li><strong>检查 Top Chunk</strong>:看 <code>av-&gt;top</code> 的空间是否足够。</li> <li><strong>动作</strong>:如果足够,切出 nb,更新 Top Chunk 的位置。</li> </ul> <h3 id="8-终极尝试sysmalloc">8. 终极尝试:Sysmalloc </h3><p>如果 Top Chunk 也不够了:</p> <ul> <li><strong>第二次合并</strong>:如果之前没做过 malloc_consolidate,现在会做一次,然后重试一遍搜索逻辑。</li> <li><strong>系统申请</strong>:调用 sysmalloc。 <ul> <li><strong>mmap 路径</strong>:如果申请的尺寸非常巨大(超过 mmap_threshold,默认 128KB),sysmalloc 会直接调用 mmap 向内核要一块独立的匿名映射内存,不从堆里出。</li> <li><strong>brk 路径</strong>:否则,调用 brk 扩展堆顶。</li> </ul> </li> </ul> <h3 id="9-核心防御检查安全">9. 核心防御检查(安全) </h3><p>在 Large Request 流程中,glibc 2.35 强化的检查包括:</p> <ol> <li><strong>Unsorted Bin 损坏检查</strong>:检查双向链表的 fd/bk 是否被非法篡改。</li> <li><strong>Largebin 下一跳校验</strong>:在利用 fd_nextsize 遍历时,校验 <code>p-&gt;fd_nextsize-&gt;bk_nextsize == p</code>。</li> <li><strong>Size vs Prev_size 校验</strong>:在切分或脱链时,验证相邻块的元数据一致性。</li> </ol> <h3 id="总结-2">总结 </h3><p>对于一个 Large Request,它的旅程通常是:</p> <ol> <li><strong>跳过小快灵的 Fast/Small bin 逻辑。</strong></li> <li><strong>在 Unsorted Bin 里被迫充当“分拣工”,把路上的块都归位。</strong></li> <li><strong>在 Largebin 里通过 nextsize 指针进行跳跃式搜索,寻找那个既能装下它、又最不浪费空间的“最佳座位”。</strong></li> <li><strong>如果实在没位子,就去切 Top Chunk 或找操作系统“买地” (mmap)。</strong></li> </ol> <hr> <h1 id="__libc_free-源码分析">__libc_free 源码分析 </h1><h2 id="__libc_free-源码">__libc_free 源码 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">__libc_free</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">mem</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mstate</span> <span class="n">ar_ptr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">;</span> <span class="cm">/* chunk corresponding to mem */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">mem</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="cm">/* free(0) has no effect */</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Quickly check that the freed pointer matches the tag for the memory. </span></span></span><span class="line"><span class="cl"><span class="cm"> This gives a useful double-free detection. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">mtag_enabled</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="k">volatile</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">mem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">err</span> <span class="o">=</span> <span class="n">errno</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">mem2chunk</span> <span class="p">(</span><span class="n">mem</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="cm">/* release mmapped memory. */</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* See if the dynamic brk/mmap threshold needs adjusting. </span></span></span><span class="line"><span class="cl"><span class="cm"> Dumped fake mmapped chunks do not affect the threshold. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">mp_</span><span class="p">.</span><span class="n">no_dyn_threshold</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="n">DEFAULT_MMAP_THRESHOLD_MAX</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_mallopt_free_dyn_thresholds</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span><span class="p">,</span> <span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">munmap_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">MAYBE_INIT_TCACHE</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Mark the chunk as belonging to the library again. */</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">tag_region</span> <span class="p">(</span><span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="nf">memsize</span> <span class="p">(</span><span class="n">p</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="nf">arena_for_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">_int_free</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">__set_errno</span> <span class="p">(</span><span class="n">err</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nf">libc_hidden_def</span> <span class="p">(</span><span class="n">__libc_free</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="chunk_is_mmapped-处理">chunk_is_mmapped 处理 </h2><h3 id="动态阈值调整-dynamic-threshold-adjustment">动态阈值调整 (Dynamic Threshold Adjustment) </h3><p>这是 glibc 的一种优化机制。为了提高性能,它会根据程序的分配习惯动态调整 mmap_threshold。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">mp_</span><span class="p">.</span><span class="n">no_dyn_threshold</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="n">DEFAULT_MMAP_THRESHOLD_MAX</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong><code>!mp_.no_dyn_threshold</code></strong>:检查是否启用了动态阈值调整(默认开启,除非用户通过 mallopt 禁用了它)。</li> <li><strong><code>chunksize_nomask (p) &gt; mp_.mmap_threshold</code></strong>:如果当前释放的 chunk 大小比当前的 mmap_threshold 还要大。</li> <li><strong><code>chunksize_nomask (p) &lt;= DEFAULT_MMAP_THRESHOLD_MAX</code></strong>:当前大小没有超过硬上限(通常是 32MB 或 64MB)。</li> </ul> <p><strong>调整逻辑:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_mallopt_free_dyn_thresholds</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">mp_</span><span class="p">.</span><span class="n">mmap_threshold</span><span class="p">,</span> <span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>更新阈值</strong>:如果程序频繁释放很大的内存块,glibc 会调高 mmap_threshold。这意味着之后申请类似大小的内存时,可能会改用 brk(堆)而不是 mmap。</li> <li><strong>目的</strong>:减少 mmap/munmap 系统调用的次数。mmap 涉及页表操作和内核交互,开销比移动堆指针(sbrk)大。</li> <li><strong>联动调整</strong>:同时调高 trim_threshold(堆收缩阈值),确保堆不会过于频繁地缩减。</li> </ul> <h3 id="2-执行内存归还">2. 执行内存归还 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="nf">munmap_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>这是真正的释放操作。对于 heap chunk,free 后会将其放入各种 bins(如 fastbins, smallbins)中以便复用,<strong>不会立即还给系统</strong>。</p> <p>但对于 <strong>mmap chunk</strong>:</p> <ul> <li>它直接调用 munmap 系统调用。</li> <li>内核会将这块虚拟内存从进程的地址空间中移除。</li> <li><strong>物理内存释放</strong>:对应的物理页帧会被内核回收。</li> <li><strong>特点</strong>: <ul> <li><strong>彻底释放</strong>:内存立刻还给 OS。</li> <li><strong>无碎片</strong>:因为它不在堆里,不会造成堆碎片。</li> <li><strong>性能开销</strong>:由于涉及系统调用和页表刷新(TLB shootdown),在大规模频繁操作时比堆操作慢。</li> </ul> </li> </ul> <h2 id="munmap_chunk-源码">munmap_chunk 源码 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">munmap_chunk</span> <span class="p">(</span><span class="n">mchunkptr</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">pagesize</span> <span class="o">=</span> <span class="nf">GLRO</span> <span class="p">(</span><span class="n">dl_pagesize</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">chunk_is_mmapped</span> <span class="p">(</span><span class="n">p</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">uintptr_t</span> <span class="n">mem</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">uintptr_t</span> <span class="n">block</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="n">p</span> <span class="o">-</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">total_size</span> <span class="o">=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">+</span> <span class="n">size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Unfortunately we have to do the compilers job by hand here. Normally </span></span></span><span class="line"><span class="cl"><span class="cm"> we would test BLOCK and TOTAL-SIZE separately for compliance with the </span></span></span><span class="line"><span class="cl"><span class="cm"> page size. But gcc does not recognize the optimization possibility </span></span></span><span class="line"><span class="cl"><span class="cm"> (in the moment at least) so we combine the two values into one before </span></span></span><span class="line"><span class="cl"><span class="cm"> the bit test. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">((</span><span class="n">block</span> <span class="o">|</span> <span class="n">total_size</span><span class="p">)</span> <span class="o">&amp;</span> <span class="p">(</span><span class="n">pagesize</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">!=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">powerof2</span> <span class="p">(</span><span class="n">mem</span> <span class="o">&amp;</span> <span class="p">(</span><span class="n">pagesize</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;munmap_chunk(): invalid pointer&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_decrement</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">mp_</span><span class="p">.</span><span class="n">n_mmaps</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_add</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">mp_</span><span class="p">.</span><span class="n">mmapped_mem</span><span class="p">,</span> <span class="o">-</span><span class="n">total_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If munmap failed the process virtual memory address space is in a </span></span></span><span class="line"><span class="cl"><span class="cm"> bad shape. Just leave the block hanging around, the process will </span></span></span><span class="line"><span class="cl"><span class="cm"> terminate shortly anyway since not much can be done. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">__munmap</span> <span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">block</span><span class="p">,</span> <span class="n">total_size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这段代码来自于 <code>glibc</code> 的 <code>malloc.c</code>,位于 <code>munmap_chunk</code> 函数中。该函数专门负责销毁那些通过 <code>mmap</code> 分配的内存块。</p> <h3 id="1-注释翻译">1. 注释翻译 </h3> <blockquote> <p>“不幸的是,我们在这里必须手动完成编译器应该做的工作。通常情况下,我们会分别测试 <code>BLOCK</code>(内存块地址)和 <code>TOTAL-SIZE</code>(总大小)是否符合页大小(对齐要求)。但 GCC(至少目前)还无法识别这种优化可能性,因此我们在进行位运算测试之前,先将这两个值合并为一个。”</p> </blockquote> <h3 id="2-代码逻辑分析">2. 代码逻辑分析 </h3><p>这段代码的核心任务是:<strong>在调用内核接口释放内存前,进行严格的安全检查和统计数据更新。</strong></p> <h4 id="a-核心安全检查对齐校验">A. 核心安全检查:对齐校验 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">((</span><span class="n">block</span> <span class="o">|</span> <span class="n">total_size</span><span class="p">)</span> <span class="o">&amp;</span> <span class="p">(</span><span class="n">pagesize</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">!=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">powerof2</span> <span class="p">(</span><span class="n">mem</span> <span class="o">&amp;</span> <span class="p">(</span><span class="n">pagesize</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;munmap_chunk(): invalid pointer&#34;</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><ol> <li> <p><strong>为什么需要页对齐?</strong> <code>mmap</code> 和 <code>munmap</code> 是系统调用,它们操作的单位是<strong>页</strong>(Page,通常是 4KB)。内核要求传递给 <code>munmap</code> 的起始地址和长度必须是 <code>pagesize</code> 的整数倍。如果不对齐,内核会返回错误,甚至可能导致程序非预期行为。</p> </li> <li> <p><strong>注释中的优化手段 (<code>block | total_size</code>):</strong></p> <ul> <li><code>pagesize - 1</code> 生成一个掩码(例如页大小是 4096 (0x1000),掩码就是 0xFFF)。</li> <li>按位与 <code>&amp; (pagesize - 1)</code> 如果不等于 0,说明低位有值,即没有对齐。</li> <li><strong>手动优化点</strong>:开发者没有写成 <code>(block &amp; mask) || (total_size &amp; mask)</code>,而是写成 <code>(block | total_size) &amp; mask</code>。通过一次“按位或”运算,只要其中任何一个值没对齐,最终结果都会反映出来。这样减少了一次分支判断。</li> </ul> </li> <li> <p><strong><code>mem &amp; (pagesize - 1)</code> 检查:</strong></p> <ul> <li>mem 通常是用户可见的内存地址。</li> <li>这里进一步确认该指针在页内的偏移是否符合预期(通常 mmap 返回的地址页内偏移应该是固定的)。如果地址完全乱了,直接触发 malloc_printerr 报错。</li> </ul> </li> </ol> <h4 id="b-统计数据更新">B. 统计数据更新 </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="nf">atomic_decrement</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">mp_</span><span class="p">.</span><span class="n">n_mmaps</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="nf">atomic_add</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">mp_</span><span class="p">.</span><span class="n">mmapped_mem</span><span class="p">,</span> <span class="o">-</span><span class="n">total_size</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>当一个 mmap 块被释放时,glibc 需要更新全局的内存状态:</p> <ul> <li><strong><code>mp_.n_mmaps</code></strong>:记录当前进程通过 mmap 分配的内存块<strong>数量</strong>。这里执行原子减 1。</li> <li><strong><code>mp_.mmapped_mem</code></strong>:记录当前进程通过 mmap 分配的内存<strong>总字节数</strong>。这里减去当前块的大小。</li> <li><strong>atomic_ 前缀</strong>:保证了多线程环境下这些全局变量更新的原子性,防止出现竞态条件导致统计数据错误。</li> </ul> <h2 id="非-mmap-处理">非 mmap 处理 </h2><p>如果 p 不是 mmap 分配的,则通过 _int_free 处理</p> <h1 id="_int_free-源码分析">_int_free 源码分析 </h1><h2 id="_int_free-源码">_int_free 源码 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span><span class="lnt">268 </span><span class="lnt">269 </span><span class="lnt">270 </span><span class="lnt">271 </span><span class="lnt">272 </span><span class="lnt">273 </span><span class="lnt">274 </span><span class="lnt">275 </span><span class="lnt">276 </span><span class="lnt">277 </span><span class="lnt">278 </span><span class="lnt">279 </span><span class="lnt">280 </span><span class="lnt">281 </span><span class="lnt">282 </span><span class="lnt">283 </span><span class="lnt">284 </span><span class="lnt">285 </span><span class="lnt">286 </span><span class="lnt">287 </span><span class="lnt">288 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> ------------------------------ free ------------------------------ </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">_int_free</span> <span class="p">(</span><span class="n">mstate</span> <span class="n">av</span><span class="p">,</span> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">,</span> <span class="kt">int</span> <span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> <span class="cm">/* associated fastbin */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextchunk</span><span class="p">;</span> <span class="cm">/* next contiguous chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nextsize</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">nextinuse</span><span class="p">;</span> <span class="cm">/* true if nextchunk is used */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">prevsize</span><span class="p">;</span> <span class="cm">/* size of previous contiguous chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bck</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fwd</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Little security check which won&#39;t hurt performance: the </span></span></span><span class="line"><span class="cl"><span class="cm"> allocator never wrapps around at the end of the address space. </span></span></span><span class="line"><span class="cl"><span class="cm"> Therefore we can exclude some size values which might appear </span></span></span><span class="line"><span class="cl"><span class="cm"> here by accident or by &#34;design&#34; from some intruder. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">((</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="n">p</span> <span class="o">&gt;</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="o">-</span><span class="n">size</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid pointer&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We know that each chunk is at least MINSIZE bytes in size or a </span></span></span><span class="line"><span class="cl"><span class="cm"> multiple of MALLOC_ALIGNMENT. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span> <span class="o">||</span> <span class="o">!</span><span class="nf">aligned_OK</span> <span class="p">(</span><span class="n">size</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_inuse_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">!=</span> <span class="nb">NULL</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check to see if it&#39;s already in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_entry</span> <span class="o">*</span><span class="p">)</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* This test succeeds on double free. However, we don&#39;t 100% </span></span></span><span class="line"><span class="cl"><span class="cm"> trust it (it also matches random payload data at a 1 in </span></span></span><span class="line"><span class="cl"><span class="cm"> 2^&lt;size_t&gt; chance), so verify it&#39;s not an unlikely </span></span></span><span class="line"><span class="cl"><span class="cm"> coincidence before aborting. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">e</span><span class="o">-&gt;</span><span class="n">key</span> <span class="o">==</span> <span class="n">tcache_key</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">tmp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">cnt</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_tcache_double_free</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">e</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">tmp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">tmp</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">tmp</span><span class="o">-&gt;</span><span class="n">next</span><span class="p">),</span> <span class="o">++</span><span class="n">cnt</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">cnt</span> <span class="o">&gt;=</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): too many chunks detected in tcache&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">aligned_OK</span> <span class="p">(</span><span class="n">tmp</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): unaligned chunk detected in tcache 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tmp</span> <span class="o">==</span> <span class="n">e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): double free detected in tcache 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* If we get here, it was a coincidence. We&#39;ve wasted a </span></span></span><span class="line"><span class="cl"><span class="cm"> few cycles, but don&#39;t abort. */</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If eligible, place chunk on a fastbin so it can be found </span></span></span><span class="line"><span class="cl"><span class="cm"> and used quickly in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">size</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="nf">get_max_fast</span> <span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if TRIM_FASTBINS </span></span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If TRIM_FASTBINS set, don&#39;t place chunks </span></span></span><span class="line"><span class="cl"><span class="cm"> bordering top into fastbins </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">bool</span> <span class="n">fail</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We might not have a lock at this point and concurrent modifications </span></span></span><span class="line"><span class="cl"><span class="cm"> of system_mem might result in a false positive. Redo the test after </span></span></span><span class="line"><span class="cl"><span class="cm"> getting the lock. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_lock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fail</span> <span class="o">=</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fail</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid next size (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">free_perturb</span> <span class="p">(</span><span class="nf">chunk2mem</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="n">size</span> <span class="o">-</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_store_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">,</span> <span class="nb">true</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span><span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Atomically link P to its fastbin: P-&gt;FD = *FB; *FB = P; */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">old</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">,</span> <span class="n">old2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">old2</span> <span class="o">=</span> <span class="n">old</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">old</span> <span class="o">=</span> <span class="nf">catomic_compare_and_exchange_val_rel</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">old2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">!=</span> <span class="n">old2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that size of fastbin chunk at the top is the same as </span></span></span><span class="line"><span class="cl"><span class="cm"> size of the chunk that we are adding. We can dereference OLD </span></span></span><span class="line"><span class="cl"><span class="cm"> only if we have the lock, otherwise it might have already been </span></span></span><span class="line"><span class="cl"><span class="cm"> allocated again. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">have_lock</span> <span class="o">&amp;&amp;</span> <span class="n">old</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">old</span><span class="p">))</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;invalid fastbin entry (free)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Consolidate other non-mmapped chunks as they arrive. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">chunk_is_mmapped</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If we&#39;re single-threaded, don&#39;t lock the arena. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">have_lock</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_lock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">nextchunk</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Lightweight tests: check whether the block is already the </span></span></span><span class="line"><span class="cl"><span class="cm"> top block. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">p</span> <span class="o">==</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (top)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or whether the next chunk is beyond the boundaries of the arena. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">contiguous</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">nextchunk</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">+</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)),</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (out)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or whether the block is actually not marked used. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (!prev)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">nextsize</span> <span class="o">=</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">nextchunk</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">nextsize</span> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid next size (normal)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">free_perturb</span> <span class="p">(</span><span class="nf">chunk2mem</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="n">size</span> <span class="o">-</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* consolidate backward */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">prevsize</span> <span class="o">=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="o">-</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span> <span class="n">prevsize</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="n">prevsize</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size while consolidating&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">nextchunk</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* get and clear inuse bit */</span> </span></span><span class="line"><span class="cl"> <span class="n">nextinuse</span> <span class="o">=</span> <span class="nf">inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="n">nextsize</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* consolidate forward */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">nextinuse</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">clear_inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Place the chunk in unsorted chunk list. Chunks are </span></span></span><span class="line"><span class="cl"><span class="cm"> not placed into regular bins until after they have </span></span></span><span class="line"><span class="cl"><span class="cm"> been given one chance to be used in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): corrupted unsorted chunks&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_free_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the chunk borders the current high end of memory, </span></span></span><span class="line"><span class="cl"><span class="cm"> consolidate into top </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If freeing a large space, consolidate possibly-surrounding </span></span></span><span class="line"><span class="cl"><span class="cm"> chunks. Then, if the total unused topmost memory exceeds trim </span></span></span><span class="line"><span class="cl"><span class="cm"> threshold, ask malloc_trim to reduce top. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> Unless max_fast is 0, we don&#39;t know if there are fastbins </span></span></span><span class="line"><span class="cl"><span class="cm"> bordering top, so we cannot tell for sure whether threshold </span></span></span><span class="line"><span class="cl"><span class="cm"> has been reached unless fastbins are consolidated. But we </span></span></span><span class="line"><span class="cl"><span class="cm"> don&#39;t want to consolidate on each free. As a compromise, </span></span></span><span class="line"><span class="cl"><span class="cm"> consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD </span></span></span><span class="line"><span class="cl"><span class="cm"> is reached. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">FASTBIN_CONSOLIDATION_THRESHOLD</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">==</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="cp">#ifndef MORECORE_CANNOT_TRIM </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">))</span> <span class="o">&gt;=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">systrim</span><span class="p">(</span><span class="n">mp_</span><span class="p">.</span><span class="n">top_pad</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Always try heap_trim(), even if the top chunk is not </span></span></span><span class="line"><span class="cl"><span class="cm"> large, because the corresponding heap might go away. */</span> </span></span><span class="line"><span class="cl"> <span class="n">heap_info</span> <span class="o">*</span><span class="n">heap</span> <span class="o">=</span> <span class="nf">heap_for_ptr</span><span class="p">(</span><span class="nf">top</span><span class="p">(</span><span class="n">av</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span><span class="p">(</span><span class="n">heap</span><span class="o">-&gt;</span><span class="n">ar_ptr</span> <span class="o">==</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">heap_trim</span><span class="p">(</span><span class="n">heap</span><span class="p">,</span> <span class="n">mp_</span><span class="p">.</span><span class="n">top_pad</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the chunk was allocated via mmap, release via munmap(). </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">munmap_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="前置处理-2">前置处理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">size</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> <span class="cm">/* associated fastbin */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">nextchunk</span><span class="p">;</span> <span class="cm">/* next contiguous chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">nextsize</span><span class="p">;</span> <span class="cm">/* its size */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">nextinuse</span><span class="p">;</span> <span class="cm">/* true if nextchunk is used */</span> </span></span><span class="line"><span class="cl"> <span class="n">INTERNAL_SIZE_T</span> <span class="n">prevsize</span><span class="p">;</span> <span class="cm">/* size of previous contiguous chunk */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">bck</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">fwd</span><span class="p">;</span> <span class="cm">/* misc temp for linking */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Little security check which won&#39;t hurt performance: the </span></span></span><span class="line"><span class="cl"><span class="cm"> allocator never wrapps around at the end of the address space. </span></span></span><span class="line"><span class="cl"><span class="cm"> Therefore we can exclude some size values which might appear </span></span></span><span class="line"><span class="cl"><span class="cm"> here by accident or by &#34;design&#34; from some intruder. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">((</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="n">p</span> <span class="o">&gt;</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)</span> <span class="o">-</span><span class="n">size</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">misaligned_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid pointer&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We know that each chunk is at least MINSIZE bytes in size or a </span></span></span><span class="line"><span class="cl"><span class="cm"> multiple of MALLOC_ALIGNMENT. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&lt;</span> <span class="n">MINSIZE</span> <span class="o">||</span> <span class="o">!</span><span class="nf">aligned_OK</span> <span class="p">(</span><span class="n">size</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid size&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_inuse_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>检查 p + size 是否超过了地址空间的上限(即是否发生了整数溢出),以及地址对齐</p> <p>进行尺寸堆块检查和尺寸对齐检查</p> <h2 id="放入-tcache">放入 Tcache </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#if USE_TCACHE </span></span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="nf">csize2tidx</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">!=</span> <span class="nb">NULL</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check to see if it&#39;s already in the tcache. */</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_entry</span> <span class="o">*</span><span class="p">)</span> <span class="nf">chunk2mem</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* This test succeeds on double free. However, we don&#39;t 100% </span></span></span><span class="line"><span class="cl"><span class="cm"> trust it (it also matches random payload data at a 1 in </span></span></span><span class="line"><span class="cl"><span class="cm"> 2^&lt;size_t&gt; chance), so verify it&#39;s not an unlikely </span></span></span><span class="line"><span class="cl"><span class="cm"> coincidence before aborting. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">e</span><span class="o">-&gt;</span><span class="n">key</span> <span class="o">==</span> <span class="n">tcache_key</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">tmp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">cnt</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">LIBC_PROBE</span> <span class="p">(</span><span class="n">memory_tcache_double_free</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">e</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">tmp</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">tmp</span> <span class="o">=</span> <span class="nf">REVEAL_PTR</span> <span class="p">(</span><span class="n">tmp</span><span class="o">-&gt;</span><span class="n">next</span><span class="p">),</span> <span class="o">++</span><span class="n">cnt</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">cnt</span> <span class="o">&gt;=</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): too many chunks detected in tcache&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">aligned_OK</span> <span class="p">(</span><span class="n">tmp</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): unaligned chunk detected in tcache 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tmp</span> <span class="o">==</span> <span class="n">e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): double free detected in tcache 2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* If we get here, it was a coincidence. We&#39;ve wasted a </span></span></span><span class="line"><span class="cl"><span class="cm"> few cycles, but don&#39;t abort. */</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span></code></pre></td></tr></table> </div> </div><p>有 double free 检测,若发现 <code>e-&gt;key == tcache_key</code> ,则扫描整条链表,若出现 tcache 数量过大、地址不对齐或回环,则报错,否则当作偶然处理</p> <p>正常放入 Tcache</p> <h2 id="放入-fastbin">放入 fastbin </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If eligible, place chunk on a fastbin so it can be found </span></span></span><span class="line"><span class="cl"><span class="cm"> and used quickly in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">size</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="nf">get_max_fast</span> <span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#if TRIM_FASTBINS </span></span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If TRIM_FASTBINS set, don&#39;t place chunks </span></span></span><span class="line"><span class="cl"><span class="cm"> bordering top into fastbins </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">bool</span> <span class="n">fail</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We might not have a lock at this point and concurrent modifications </span></span></span><span class="line"><span class="cl"><span class="cm"> of system_mem might result in a false positive. Redo the test after </span></span></span><span class="line"><span class="cl"><span class="cm"> getting the lock. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_lock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fail</span> <span class="o">=</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fail</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid next size (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">free_perturb</span> <span class="p">(</span><span class="nf">chunk2mem</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="n">size</span> <span class="o">-</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_store_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">,</span> <span class="nb">true</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span><span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Atomically link P to its fastbin: P-&gt;FD = *FB; *FB = P; */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">old</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">,</span> <span class="n">old2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">old2</span> <span class="o">=</span> <span class="n">old</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">old</span> <span class="o">=</span> <span class="nf">catomic_compare_and_exchange_val_rel</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">old2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">!=</span> <span class="n">old2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that size of fastbin chunk at the top is the same as </span></span></span><span class="line"><span class="cl"><span class="cm"> size of the chunk that we are adding. We can dereference OLD </span></span></span><span class="line"><span class="cl"><span class="cm"> only if we have the lock, otherwise it might have already been </span></span></span><span class="line"><span class="cl"><span class="cm"> allocated again. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">have_lock</span> <span class="o">&amp;&amp;</span> <span class="n">old</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">old</span><span class="p">))</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;invalid fastbin entry (free)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="检验">检验 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">bool</span> <span class="n">fail</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We might not have a lock at this point and concurrent modifications </span></span></span><span class="line"><span class="cl"><span class="cm"> of system_mem might result in a false positive. Redo the test after </span></span></span><span class="line"><span class="cl"><span class="cm"> getting the lock. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_lock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fail</span> <span class="o">=</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">chunksize</span> <span class="p">(</span><span class="nf">chunk_at_offset</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fail</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid next size (fast)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>检验相邻下一个 chunk 的 size 的合规性</p> <h3 id="插入-fastbin">插入 fastbin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="nf">free_perturb</span> <span class="p">(</span><span class="nf">chunk2mem</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="n">size</span> <span class="o">-</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">atomic_store_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">,</span> <span class="nb">true</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">fastbin_index</span><span class="p">(</span><span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="nf">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Atomically link P to its fastbin: P-&gt;FD = *FB; *FB = P; */</span> </span></span><span class="line"><span class="cl"> <span class="n">mchunkptr</span> <span class="n">old</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">,</span> <span class="n">old2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that the top of the bin is not the record we are going to </span></span></span><span class="line"><span class="cl"><span class="cm"> add (i.e., double free). */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">old</span> <span class="o">==</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (fasttop)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">old2</span> <span class="o">=</span> <span class="n">old</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="nf">PROTECT_PTR</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">,</span> <span class="n">old</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">old</span> <span class="o">=</span> <span class="nf">catomic_compare_and_exchange_val_rel</span> <span class="p">(</span><span class="n">fb</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">old2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="o">!=</span> <span class="n">old2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Check that size of fastbin chunk at the top is the same as </span></span></span><span class="line"><span class="cl"><span class="cm"> size of the chunk that we are adding. We can dereference OLD </span></span></span><span class="line"><span class="cl"><span class="cm"> only if we have the lock, otherwise it might have already been </span></span></span><span class="line"><span class="cl"><span class="cm"> allocated again. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">have_lock</span> <span class="o">&amp;&amp;</span> <span class="n">old</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">fastbin_index</span> <span class="p">(</span><span class="nf">chunksize</span> <span class="p">(</span><span class="n">old</span><span class="p">))</span> <span class="o">!=</span> <span class="n">idx</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;invalid fastbin entry (free)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>有简单的防 double free 逻辑,只校验 fastbin 的 top</p> <h2 id="放入-bin">放入 bin </h2><h3 id="前置处理-3">前置处理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Consolidate other non-mmapped chunks as they arrive. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="nf">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">chunk_is_mmapped</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* If we&#39;re single-threaded, don&#39;t lock the arena. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">have_lock</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_lock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">nextchunk</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Lightweight tests: check whether the block is already the </span></span></span><span class="line"><span class="cl"><span class="cm"> top block. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">p</span> <span class="o">==</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (top)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or whether the next chunk is beyond the boundaries of the arena. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">contiguous</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">nextchunk</span> </span></span><span class="line"><span class="cl"> <span class="o">&gt;=</span> <span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">+</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)),</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (out)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Or whether the block is actually not marked used. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;double free or corruption (!prev)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">nextsize</span> <span class="o">=</span> <span class="nf">chunksize</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">chunksize_nomask</span> <span class="p">(</span><span class="n">nextchunk</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="n">nextsize</span> <span class="o">&gt;=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): invalid next size (normal)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">free_perturb</span> <span class="p">(</span><span class="nf">chunk2mem</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="n">size</span> <span class="o">-</span> <span class="n">CHUNK_HDR_SZ</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>上锁,校验</p> <p>禁止 free 掉 top chunk</p> <p>禁止下一个 chunk 地址越界</p> <p>禁止下一个 chunk 的 prev_inuse 位为 0 (防止 double free)</p> <p>检验相邻下一个 chunk 的 size 的合规性</p> <h3 id="合并-chunk">合并 chunk </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* consolidate backward */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">prev_inuse</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">prevsize</span> <span class="o">=</span> <span class="nf">prev_size</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">prevsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="nf">chunk_at_offset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="o">-</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span> <span class="n">prevsize</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="o">!=</span> <span class="n">prevsize</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;corrupted size vs. prev_size while consolidating&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">nextchunk</span> <span class="o">!=</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* get and clear inuse bit */</span> </span></span><span class="line"><span class="cl"> <span class="n">nextinuse</span> <span class="o">=</span> <span class="nf">inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="n">nextsize</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* consolidate forward */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">nextinuse</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">unlink_chunk</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">nextchunk</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">clear_inuse_bit_at_offset</span><span class="p">(</span><span class="n">nextchunk</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> Place the chunk in unsorted chunk list. Chunks are </span></span></span><span class="line"><span class="cl"><span class="cm"> not placed into regular bins until after they have </span></span></span><span class="line"><span class="cl"><span class="cm"> been given one chance to be used in malloc. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bck</span> <span class="o">=</span> <span class="nf">unsorted_chunks</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span> <span class="o">=</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">!=</span> <span class="n">bck</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_printerr</span> <span class="p">(</span><span class="s">&#34;free(): corrupted unsorted chunks&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">fwd</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">in_smallbin_range</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">fd_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">-&gt;</span><span class="n">bk_nextsize</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fwd</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_foot</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">check_free_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>向后合并时要求 prevsize 与 size 匹配</p> <p>放入 unsortedbin 时校验了双向链表的完整性</p> <h3 id="并入-top-chunk">并入 top chunk </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the chunk borders the current high end of memory, </span></span></span><span class="line"><span class="cl"><span class="cm"> consolidate into top </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">+=</span> <span class="n">nextsize</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">set_head</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">size</span> <span class="o">|</span> <span class="n">PREV_INUSE</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span> <span class="o">=</span> <span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_chunk</span><span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="归还空间">归还空间 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If freeing a large space, consolidate possibly-surrounding </span></span></span><span class="line"><span class="cl"><span class="cm"> chunks. Then, if the total unused topmost memory exceeds trim </span></span></span><span class="line"><span class="cl"><span class="cm"> threshold, ask malloc_trim to reduce top. </span></span></span><span class="line"><span class="cl"><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> Unless max_fast is 0, we don&#39;t know if there are fastbins </span></span></span><span class="line"><span class="cl"><span class="cm"> bordering top, so we cannot tell for sure whether threshold </span></span></span><span class="line"><span class="cl"><span class="cm"> has been reached unless fastbins are consolidated. But we </span></span></span><span class="line"><span class="cl"><span class="cm"> don&#39;t want to consolidate on each free. As a compromise, </span></span></span><span class="line"><span class="cl"><span class="cm"> consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD </span></span></span><span class="line"><span class="cl"><span class="cm"> is reached. </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">size</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">FASTBIN_CONSOLIDATION_THRESHOLD</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">have_fastchunks</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc_consolidate</span><span class="p">(</span><span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">av</span> <span class="o">==</span> <span class="o">&amp;</span><span class="n">main_arena</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="cp">#ifndef MORECORE_CANNOT_TRIM </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="nf">chunksize</span><span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">top</span><span class="p">))</span> <span class="o">&gt;=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="n">mp_</span><span class="p">.</span><span class="n">trim_threshold</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nf">systrim</span><span class="p">(</span><span class="n">mp_</span><span class="p">.</span><span class="n">top_pad</span><span class="p">,</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Always try heap_trim(), even if the top chunk is not </span></span></span><span class="line"><span class="cl"><span class="cm"> large, because the corresponding heap might go away. */</span> </span></span><span class="line"><span class="cl"> <span class="n">heap_info</span> <span class="o">*</span><span class="n">heap</span> <span class="o">=</span> <span class="nf">heap_for_ptr</span><span class="p">(</span><span class="nf">top</span><span class="p">(</span><span class="n">av</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span><span class="p">(</span><span class="n">heap</span><span class="o">-&gt;</span><span class="n">ar_ptr</span> <span class="o">==</span> <span class="n">av</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">heap_trim</span><span class="p">(</span><span class="n">heap</span><span class="p">,</span> <span class="n">mp_</span><span class="p">.</span><span class="n">top_pad</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>如果 free 掉的空间比较大,那么在把 top chunk 的多余空间归还给操作系统前,先 malloc_consolidate 处理下 fastbin 中的碎片化内存</p> <h3 id="结算">结算 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">have_lock</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">__libc_lock_unlock</span> <span class="p">(</span><span class="n">av</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> If the chunk was allocated via mmap, release via munmap(). </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">munmap_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div>