Linux的堆结构和malloc()和自由()的行为 [英] Linux heap structure and the behaviour with malloc() and free()
问题描述
我有一个Linux 2.6内核Debian的,我试着去理解与如何堆工程/行为的malloc()和免费( )。我试图寻找的malloc()和免费()算法和堆结构,但我无法找到任何东西很有帮助。不幸的是,我知道得少Linux和记忆是如何工作的,了解的免费()和的malloc()<源$ C $ C / code>。
I have a Debian with a Linux 2.6 Kernel, and I try to understand how the heap works/behaves with malloc() and free(). I tried to search for malloc() and free() algorithm and heap structure, but I couldn't find anything helpful. And unfortunately, I know too less about Linux and how memory works, to understand the source code of free() and malloc().
这是一个例子code:
This is an example code:
int main(int argc, char **argv)
{
char *a, *b, *c;
a = malloc(32);
b = malloc(32);
c = malloc(32);
strcpy(a, argv[1]);
strcpy(b, argv[2]);
strcpy(c, argv[3]);
free(c);
free(b);
free(a);
}
使用 GDB 和运行AAAA BBBB CCCC 我可以检查堆。这是继该州 strcpys 但之前的FreeS :
With gdb and run AAAA BBBB CCCC I can examine the heap. This is the state after the strcpys but before the frees:
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x00000000
0x804c010: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c020: 0x00000000 0x00000000 0x00000000 0x00000029
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
您可以看到字符数组非常好。然后我试图找出为什么有 0x29 (十进制41)。我希望是这样的 0x20的(十进制32)或 0X24 (十进制36)。
You can see the char arrays very good. Then I tried to figure out why there are 0x29 (dec 41). I would expect something like 0x20 (dec 32) or 0x24 (dec 36).
- 为什么malloc的算法的废物的这个空间?
- 它是如何决定,这是0x29?
- 又是什么在 0xf89 结尾代表什么吗?
- 程序如何保持什么分配的轨道,什么是免费的吗?
- Why does the malloc algorithm wastes this space?
- How is it decided that it is 0x29?
- And what does the 0xf89 at the end stands for?
- How does the program keep track on what's allocated and what is free?
尤其我希望了解如何免费()的作品。三的FreeS后,堆看起来是这样的:
Especially I want to understand how free() works. After the three frees, the heap looks like this:
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x0804c028 0x00000000
0x804c010: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c020: 0x00000000 0x00000000 0x00000000 0x00000029
0x804c030: 0x0804c050 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x00000000 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
- 为什么被替换的字符数组与此特定ADRESS?
- 什么是伪code做什么自由?
看看下面这个例子:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC
...
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x41414141
0x804c010: 0x41414141 0x41414141 0x41414141 0x41414141
0x804c020: 0x41414141 0x41414141 0x44444444 0x00000044
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
...
(gdb) c
Program exited with code 021.
我已覆盖0x29,但程序正常退出。
但是,当我添加其他字节,我遇到分段错误:
I have overwritten the 0x29, but the program exits normally. But when I add another byte, I run into a Segmentation Fault:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC
...
(gdb) x/32x 0x804c000
0x804c000: 0x00000000 0x00000029 0x41414141 0x41414141
0x804c010: 0x41414141 0x41414141 0x41414141 0x41414141
0x804c020: 0x41414141 0x41414141 0x44444444 0x00004444
0x804c030: 0x42424242 0x00000000 0x00000000 0x00000000
0x804c040: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c050: 0x00000000 0x00000029 0x43434343 0x00000000
0x804c060: 0x00000000 0x00000000 0x00000000 0x00000000
0x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
...
(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0x080498b9 in free (mem=0x804c030) at common/malloc.c:3631
对我来说最重要的问题是:
The most important question for me is:
- 为什么你在
分段故障免费()当您覆盖多个字节? - 以及如何做的
免费()算法的工作? - 和 怎么就不会忽略做malloc和free跟踪
- Why do you get a Segmentation fault in
free()when you overwrite more bytes? - and how does the
free()algorithm work? - and how do malloc and free keep track on the adresses?
非常感谢您的阅读,
亲切的问候
Thank you very much for reading, kind regards
推荐答案
最的malloc()实现由堆本身的跟踪堆的状态工作,对前和/或之后的存储器的分配的块。超越分配块导致此数据被破坏 - 某些数据可能包括指针或长度,并破坏这些原因的实施,试图访问无效的内存位置
Most malloc() implementations work by tracking the status of the heap within the heap itself, right before and/or after the allocated blocks of memory. Overrunning an allocated block causes this data to be corrupted -- some of this data may include pointers or lengths, and corrupting those causes the implementation to attempt to access invalid memory locations.
的的malloc()实施工作原理是依赖什么系统上,并在libc您正在使用的详细信息。如果您使用的glibc(如果你在Linux上这是有可能的),还有它是如何工作这里pretty很好的解释:
The details of how the malloc() implementation works are dependent on what system and libc you're using. If you're using glibc (which is likely if you're on Linux), there's a pretty good explanation of how it works here:
<一个href=\"http://gee.cs.oswego.edu/dl/html/malloc.html\">http://gee.cs.oswego.edu/dl/html/malloc.html
假设这是的情况下,你看到的 0x29 大概是按位块大小的OR(32 = 0x20的)和一些标志。这是可能的,因为所有的堆分配被四舍五入到最近的16个字节(或更多的),所以尺寸的低8位总是可以假定为零。
Assuming this is the case, the 0x29 you're seeing is probably a bitwise OR of the block size (32 = 0x20) and some flags. This is possible because all heap allocations are rounded to the nearest 16 bytes (or more!), so the lower eight bits of the size can always be assumed to be zero.
这篇关于Linux的堆结构和malloc()和自由()的行为的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
