malloc与free机制探索
来源:互联网 发布:五笔练习软件 编辑:程序博客网 时间:2024/05/16 02:52
I have a Debian with a Linux 2.6 Kernel, and I try to understand how the heap works/behaves with malloc()
and free()
. I tried to search for malloc()
and free()
algorithm and heap structure, but I couldn't find anything helpful. And unfortunately, I know too less about Linux and how memory works, to understand the source code of free()
and malloc()
.
This is an example code:
int main(int argc, char **argv){ char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32); strcpy(a, argv[1]); strcpy(b, argv[2]); strcpy(c, argv[3]); free(c); free(b); free(a);}
With gdb
and run AAAA BBBB CCCC
I can examine the heap. This is the state after the strcpys
but before the frees
:
(gdb) x/32x 0x804c0000x804c000: 0x00000000 0x00000029 0x41414141 0x000000000x804c010: 0x00000000 0x00000000 0x00000000 0x000000000x804c020: 0x00000000 0x00000000 0x00000000 0x000000290x804c030: 0x42424242 0x00000000 0x00000000 0x000000000x804c040: 0x00000000 0x00000000 0x00000000 0x000000000x804c050: 0x00000000 0x00000029 0x43434343 0x000000000x804c060: 0x00000000 0x00000000 0x00000000 0x000000000x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
You can see the char arrays very good. Then I tried to figure out why there are 0x29 (dec 41). I would expect something like 0x20 (dec 32) or 0x24 (dec 36).
- Why does the malloc algorithm wastes this space?
- How is it decided that it is 0x29?
- And what does the 0xf89 at the end stands for?
- How does the program keep track on what's allocated and what is free?
Especially I want to understand how free()
works. After the three frees, the heap looks like this:
(gdb) x/32x 0x804c0000x804c000: 0x00000000 0x00000029 0x0804c028 0x000000000x804c010: 0x00000000 0x00000000 0x00000000 0x000000000x804c020: 0x00000000 0x00000000 0x00000000 0x000000290x804c030: 0x0804c050 0x00000000 0x00000000 0x000000000x804c040: 0x00000000 0x00000000 0x00000000 0x000000000x804c050: 0x00000000 0x00000029 0x00000000 0x000000000x804c060: 0x00000000 0x00000000 0x00000000 0x000000000x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89
- Why is the char array replaced with this specific adress?
- What is the pseudo code what free does?
Look at this example:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC...(gdb) x/32x 0x804c0000x804c000: 0x00000000 0x00000029 0x41414141 0x414141410x804c010: 0x41414141 0x41414141 0x41414141 0x414141410x804c020: 0x41414141 0x41414141 0x44444444 0x000000440x804c030: 0x42424242 0x00000000 0x00000000 0x000000000x804c040: 0x00000000 0x00000000 0x00000000 0x000000000x804c050: 0x00000000 0x00000029 0x43434343 0x000000000x804c060: 0x00000000 0x00000000 0x00000000 0x000000000x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89...(gdb) cProgram exited with code 021.
I have overwritten the 0x29, but the program exits normally. But when I add another byte, I run into a Segmentation Fault:
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDDD BBBB CCCC...(gdb) x/32x 0x804c0000x804c000: 0x00000000 0x00000029 0x41414141 0x414141410x804c010: 0x41414141 0x41414141 0x41414141 0x414141410x804c020: 0x41414141 0x41414141 0x44444444 0x000044440x804c030: 0x42424242 0x00000000 0x00000000 0x000000000x804c040: 0x00000000 0x00000000 0x00000000 0x000000000x804c050: 0x00000000 0x00000029 0x43434343 0x000000000x804c060: 0x00000000 0x00000000 0x00000000 0x000000000x804c070: 0x00000000 0x00000000 0x00000000 0x00000f89...(gdb) cProgram received signal SIGSEGV, Segmentation fault.0x080498b9 in free (mem=0x804c030) at common/malloc.c:3631
The most important question for me is:
- Why do you get a Segmentation fault in
free()
when you overwrite more bytes? - and how does the
free()
algorithm work? - and how do malloc and free keep track on the adresses?
Thank you very much for reading, kind regards
- malloc与free机制探索
- 关于malloc与free的一些探索
- malloc、free机制初探
- malloc/free 与 new/free
- free与malloc
- malloc与free
- malloc与free 01
- malloc与free 02
- malloc 与 free
- malloc与free
- malloc 与free
- malloc与free详解
- 浅谈malloc()与free()
- malloc与free
- malloc 与Free
- malloc与free
- malloc(),free()与realloc()
- malloc()以及free()的机制
- Android应用程序窗口设计框架三
- LS,MMSE,LMMSE,ML,MAP,LMS,AR,MSE误差介绍
- Oracle 获取某个日期为星期几的方法(不积跬步,无以至千里)
- 被管理员和谐了的最高票答案“知乎数据抓取程序”(.net、c#数据挖掘)
- 母牛生娃
- malloc与free机制探索
- java中实现指定位数“0000”,缺失部分用0补充
- C#进程注入
- Android应用程序窗口设计框架四
- A Stack or A Queue?
- oracle监控自动发邮件预警
- android源码中的c c++库( android中动态和静态版本都有的库)
- android 制作.9.png图片
- 滚动条事件,当页面滚动到距顶部一定高度时某DIV自动隐藏和显示