Linux 堆结构和 malloc() 和 free() 的行为 [英] Linux heap structure and the behaviour with malloc() and free()
问题描述
我有一个带有 Linux 2.6 内核的 Debian,我尝试了解堆如何使用 malloc()
和 free()
工作/表现.我试图搜索 malloc()
和 free()
算法和堆结构,但找不到任何有用的东西.不幸的是,我对 Linux 和内存如何工作的了解太少,无法理解 free()
和 malloc()
的源代码.
I have a Debian with a Linux 2.6 Kernel, and I try to understand how the heap works/behaves with malloc()
and free()
. I tried to search for malloc()
and free()
algorithm and heap structure, but I couldn't find anything helpful. And unfortunately, I know too less about Linux and how memory works, to understand the source code of free()
and malloc()
.
这是一个示例代码:
int main(int argc, char **argv)
{
char *a, *b, *c;
a = malloc(32);
b = malloc(32);
c = malloc(32);
strcpy(a, argv[1]);
strcpy(b, argv[2]);
strcpy(c, argv[3]);
free(c);
free(b);
free(a);
}
使用 gdb
和 run AAAA BBBB CCCC
我可以检查堆.这是 strcpys
之后 frees
之前的状态:
With gdb
and run AAAA BBBB CCCC
I can examine the heap. This is the state after the strcpys
but before the frees
:
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x00000000
0x804c010: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c020: 0x00000000 0x00000000 0x00000000 0x00000029
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
您可以很好地看到 char 数组.然后我试图弄清楚为什么会有 0x29(12 月 41 日).我希望像 0x20(12 月 32 日)或 0x24(12 月 36 日)这样的东西.
You can see the char arrays very good. Then I tried to figure out why there are 0x29 (dec 41). I would expect something like 0x20 (dec 32) or 0x24 (dec 36).
- 为什么 malloc 算法会浪费这个空间?
- 怎么判断是0x29?
- 最后的 0xf89 代表什么?
- 程序如何跟踪分配的内容和免费的内容?
- Why does the malloc algorithm wastes this space?
- How is it decided that it is 0x29?
- And what does the 0xf89 at the end stands for?
- How does the program keep track on what's allocated and what is free?
特别想了解 free()
是如何工作的.三个释放后,堆看起来像这样:
Especially I want to understand how free()
works. After the three frees, the heap looks like this:
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x0804c028 0x00000000
0x804c010: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c020: 0x00000000 0x00000000 0x00000000 0x00000029
0x804c030: 0x0804c050 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x00000000 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
- 为什么用这个特定的地址替换 char 数组?
- free 的伪代码是什么?
看这个例子:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC
...
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x41414141
0x804c010: 0x41414141 0x41414141 0x41414141 0x41414141
0x804c020: 0x41414141 0x41414141 0x44444444 0x00000044
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
...
(gdb) c
Program exited with code 021.
我已经覆盖了 0x29,但程序正常退出.但是当我添加另一个字节时,我遇到了分段错误:
I have overwritten the 0x29, but the program exits normally. But when I add another byte, I run into a Segmentation Fault:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC
...
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x41414141
0x804c010: 0x41414141 0x41414141 0x41414141 0x41414141
0x804c020: 0x41414141 0x41414141 0x44444444 0x00004444
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
...
(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0x080498b9 in free (mem=0x804c030) at common/malloc.c:3631
对我来说最重要的问题是:
The most important question for me is:
- 当您覆盖更多字节时,为什么会在
free()
中出现分段错误? free()
算法是如何工作的?- malloc 和 free 如何跟踪地址?
- Why do you get a Segmentation fault in
free()
when you overwrite more bytes? - and how does the
free()
algorithm work? - and how do malloc and free keep track on the adresses?
非常感谢您的阅读,亲切的问候
Thank you very much for reading, kind regards
推荐答案
大多数 malloc()
实现通过跟踪堆本身的状态来工作,就在分配之前和/或之后内存块.超出分配的块会导致此数据损坏——其中一些数据可能包括指针或长度,损坏这些数据会导致实现尝试访问无效的内存位置.
Most malloc()
implementations work by tracking the status of the heap within the heap itself, right before and/or after the allocated blocks of memory. Overrunning an allocated block causes this data to be corrupted -- some of this data may include pointers or lengths, and corrupting those causes the implementation to attempt to access invalid memory locations.
malloc()
实现如何工作的细节取决于您使用的系统和 libc.如果您使用的是 glibc(如果您使用的是 Linux,则很可能),这里有一个很好的解释它的工作原理:
The details of how the malloc()
implementation works are dependent on what system and libc you're using. If you're using glibc (which is likely if you're on Linux), there's a pretty good explanation of how it works here:
http://gee.cs.oswego.edu/dl/html/malloc.html
假设是这种情况,您看到的 0x29
可能是块大小 (32 = 0x20
) 和一些标志的按位或.这是可能的,因为所有堆分配都四舍五入到最接近的 16 个字节(或更多!),因此始终可以假定大小的低 8 位为零.
Assuming this is the case, the 0x29
you're seeing is probably a bitwise OR of the block size (32 = 0x20
) and some flags. This is possible because all heap allocations are rounded to the nearest 16 bytes (or more!), so the lower eight bits of the size can always be assumed to be zero.
这篇关于Linux 堆结构和 malloc() 和 free() 的行为的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!