/* Initialize a malloc_state struct. This is called only from within __malloc_consolidate, which needs be called in the same contexts anyway. It is never called directly outside of __malloc_consolidate because some optimizing compilers try to inline it at all call points, which turns out not to be an optimization at all. (Inlining it in __malloc_consolidate is fine though.) */ static void malloc_init_state(mstate av) { int i; mbinptr bin; /* Establish circular links for normal bins */ for (i = 1; i < NBINS; ++i) { bin = bin_at(av,i); bin->fd = bin->bk = bin; } av->top_pad = DEFAULT_TOP_PAD; av->n_mmaps_max = DEFAULT_MMAP_MAX; av->mmap_threshold = DEFAULT_MMAP_THRESHOLD; av->trim_threshold = DEFAULT_TRIM_THRESHOLD; #if MORECORE_CONTIGUOUS set_contiguous(av); #else set_noncontiguous(av); #endif set_max_fast(av, DEFAULT_MXFAST); av->top = initial_top(av); av->pagesize = malloc_getpagesize; }
/* Initialize a malloc_state struct. This is called only from within __malloc_consolidate, which needs be called in the same contexts anyway. It is never called directly outside of __malloc_consolidate because some optimizing compilers try to inline it at all call points, which turns out not to be an optimization at all. (Inlining it in __malloc_consolidate is fine though.) */ static void malloc_init_state(mstate av) { int i; mbinptr bin; /* Establish circular links for normal bins */ for (i = 1; i < NBINS; ++i) { bin = bin_at(av,i); bin->fd = bin->bk = bin; } av->top_pad = DEFAULT_TOP_PAD; av->n_mmaps_max = DEFAULT_MMAP_MAX; av->mmap_threshold = DEFAULT_MMAP_THRESHOLD; av->trim_threshold = DEFAULT_TRIM_THRESHOLD; #if MORECORE_CONTIGUOUS set_contiguous(av); #else set_noncontiguous(av); #endif set_max_fast(av, DEFAULT_MXFAST); //av->top = initial_top(av); init_linked_list(&(av->ustate_list)); //init ustate list av->pagesize = malloc_getpagesize; // add new mstate to the mstate list list_insert_tail(&(get_abstate()->mstate_list), (void *)av); }
/* libc_hidden_proto(mallinfo) */ struct mallinfo mallinfo(void) { mstate av; struct mallinfo mi; unsigned int i; mbinptr b; mchunkptr p; size_t avail; size_t fastavail; int nblocks; int nfastblocks; __MALLOC_LOCK; av = get_malloc_state(); /* Ensure initialization */ if (av->top == 0) { __malloc_consolidate(av); } check_malloc_state(); /* Account for top */ avail = chunksize(av->top); nblocks = 1; /* top always exists */ /* traverse fastbins */ nfastblocks = 0; fastavail = 0; for (i = 0; i < NFASTBINS; ++i) { for (p = av->fastbins[i]; p != 0; p = p->fd) { ++nfastblocks; fastavail += chunksize(p); } } avail += fastavail; /* traverse regular bins */ for (i = 1; i < NBINS; ++i) { b = bin_at(av, i); for (p = last(b); p != b; p = p->bk) { ++nblocks; avail += chunksize(p); } } mi.smblks = nfastblocks; mi.ordblks = nblocks; mi.fordblks = avail; mi.uordblks = av->sbrked_mem - avail; mi.arena = av->sbrked_mem; mi.hblks = av->n_mmaps; mi.hblkhd = av->mmapped_mem; mi.fsmblks = fastavail; mi.keepcost = chunksize(av->top); mi.usmblks = av->max_total_mem; __MALLOC_UNLOCK; return mi; }
void malloc_init_state(struct malloc_state *av) { int i; mchunkptr bin; for (i = 1; i < 128; ++i) { bin = bin_at(av,i); bin->fd = bin->bk = bin; } }
void * __malloc_get_state (void) { struct malloc_save_state *ms; int i; mbinptr b; ms = (struct malloc_save_state *) __libc_malloc (sizeof (*ms)); if (!ms) return 0; (void) mutex_lock (&main_arena.mutex); malloc_consolidate (&main_arena); ms->magic = MALLOC_STATE_MAGIC; ms->version = MALLOC_STATE_VERSION; ms->av[0] = 0; ms->av[1] = 0; /* used to be binblocks, now no longer used */ ms->av[2] = top (&main_arena); ms->av[3] = 0; /* used to be undefined */ for (i = 1; i < NBINS; i++) { b = bin_at (&main_arena, i); if (first (b) == b) ms->av[2 * i + 2] = ms->av[2 * i + 3] = 0; /* empty bin */ else { ms->av[2 * i + 2] = first (b); ms->av[2 * i + 3] = last (b); } } ms->sbrk_base = mp_.sbrk_base; ms->sbrked_mem_bytes = main_arena.system_mem; ms->trim_threshold = mp_.trim_threshold; ms->top_pad = mp_.top_pad; ms->n_mmaps_max = mp_.n_mmaps_max; ms->mmap_threshold = mp_.mmap_threshold; ms->check_action = check_action; ms->max_sbrked_mem = main_arena.max_system_mem; ms->max_total_mem = 0; ms->n_mmaps = mp_.n_mmaps; ms->max_n_mmaps = mp_.max_n_mmaps; ms->mmapped_mem = mp_.mmapped_mem; ms->max_mmapped_mem = mp_.max_mmapped_mem; ms->using_malloc_checking = using_malloc_checking; ms->max_fast = get_max_fast (); ms->arena_test = mp_.arena_test; ms->arena_max = mp_.arena_max; ms->narenas = narenas; (void) mutex_unlock (&main_arena.mutex); return (void *) ms; }
/* ------------------------------ pos_test_function ------------------------------ */ void pos_print_free_chunks(char *name) { struct malloc_state * av; mbinptr bin; mchunkptr p; int i; av = (struct malloc_state *)pos_lookup_mstate(name); if (av == NULL || !have_init_key(av)) { printf("\n Can't print free chunks.\n"); return; } printf("\n ******************** Free chunks of `%s` ************************\n", name); printf(" * 1. Fast bins(0~7)\n"); for (i=0; i< NFASTBINS ; i++) { p = (mchunkptr)fastbin(av, i); while (p!=0) { printf(" * [%3d] addr=0x%lX, size=%lu", i, (unsigned long int)p, (unsigned long int)chunksize(p)); if (chunk_is_first(p)) printf("(F)\n"); else if (chunk_is_last(p)) printf("(L)\n"); else printf("(M)\n"); p = p->fd; } } printf(" * 2. Unsorted(1) / Small(2~63) / Large(64~128) bins\n"); for (i=1; i < NBINS; i++) { bin = bin_at(av,i); p = bin->fd; while (p != bin) { printf(" * [%3d] addr=0x%lX, size=%lu", i, (unsigned long int)p, (unsigned long int)chunksize(p)); if (chunk_is_first(p)) printf("(F)\n"); else if (chunk_is_last(p)) printf("(L)\n"); else printf("(M)\n"); p = p->fd; } } printf(" ***********************************************************************\n"); }
//static void void pos_malloc_init_state(char *name, mstate av) { mchunkptr first_chunk; unsigned long first_size; mchunkptr last_chunk; unsigned long last_size; mchunkptr bck; mchunkptr fwd; int i; mbinptr bin; // init mutex key pthread_mutex_init( &av->mutex,NULL ) ; // initialize malloc_state #if CONSISTENCY == 1 set_init_key_log(name, av); #else set_init_key(av); #endif // Below codes don't need logging. for (i=1; i < NBINS; i++) { bin = bin_at(av,i); bin->fd = bin->bk = bin; } //set_max_fast(DEFAULT_MXFAST); clear_fastchunks(av); for (i=0; i< NFASTBINS ; i++) { av->fastbinsY[i] = 0; } // first chunk first_chunk = chunk_at_offset(av, sizeof(struct malloc_state)); first_size = (PAGESIZE - sizeof(struct malloc_state) - 2*SIZE_SZ)/2; // 956 //#if CONSISTENCY == 1 //first_size = (128*1024-1)*4096 + 960; //536867776 //first_size = request2size(first_size); // 536867792 //#else first_size = 960; //#endif //insert_to_unsorted(av, first_chunk, bck, fwd, first_size); set_head(first_chunk, first_size | FIRST_CHUNK | PREV_INUSE); set_foot(first_chunk, first_size); clear_inuse_bit_at_offset(first_chunk, first_size); // last_chunk last_chunk = chunk_at_offset(first_chunk, first_size); //last_size = first_size; //#if CONSISTENCY == 1 ////last_size = (128*1024)*4096 + 944; // 536867760 //last_size = (256*1024)*4096 - first_size - 2*SIZE_SZ; //last_size = request2size(last_size); // 536874032 //#else // last_size = 988; last_size = 1800; //#endif insert_to_unsorted(av, last_chunk, bck, fwd, last_size); set_head(last_chunk, last_size | LAST_CHUNK | PREV_INUSE); set_foot(last_chunk, last_size); clear_inuse_bit_at_offset(last_chunk, last_size); av->last_remainder = 0; for (i=0; i<BINMAPSIZE; i++) { av->binmap[i] = 0; } av->system_mem = PAGESIZE; av -> prime_obj = NULL; }
static Void_t* pos_int_malloc(char *name, mstate av, size_t bytes) { INTERNAL_SIZE_T nb; unsigned int idx; mbinptr bin; mchunkptr victim; INTERNAL_SIZE_T size; int victim_index; mchunkptr remainder; unsigned long remainder_size; unsigned int block; unsigned int bit; unsigned int map; mchunkptr fwd; mchunkptr bck; //const char *errstr = NULL; size_t pagemask = PAGESIZE - 1; //16바이트 단위로 정렬 checked_request2size(bytes, nb); #if MALLOC_DEBUG == 1 printf("before fastbin\n") ; #endif // 1. fast bin (<=144) // 1. fast bin (<=144) /* if ((unsigned long)(nb) <= (unsigned long)(get_max_fast())) { idx = fastbin_index(nb); // printf("idx = %d\n" , idx) ; mfastbinptr* fb = &fastbin(av, idx); victim = *fb; if (victim != 0) { if (fastbin_index (chunksize (victim)) != idx) { errstr = "malloc(): memory corruption (fast)"; errout: malloc_printerr (check_action, errstr, chunk2mem (victim)); } #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)fb, (unsigned long)victim->fd); #else *fb = victim->fd; #endif void *p = chunk2mem(victim); return p; } } */ // 2. small bin (<=1008) if (in_smallbin_range(nb)) { #if MALLOC_DEBUG == 1 printf("inside smallbin if\n") ; #endif idx = smallbin_index(nb); bin = bin_at(av,idx); victim = last(bin); if ( victim != bin && victim != NULL ) { bck = victim->bk; /* if (bck->fd != victim) { errstr = "malloc(): smallbin double linked list corrupted"; goto errout; }*/ #if CONSISTENCY == 1 set_inuse_bit_at_offset_log(name, victim, nb); POS_WRITE_VAUE(name, (unsigned long *)&bin->bk, (unsigned long)bck); POS_WRITE_VAUE(name, (unsigned long *)&bin->fd, (unsigned long)bin); #else set_inuse_bit_at_offset(victim, nb); bin->bk = bck; bck->fd = bin; #endif void *p = chunk2mem(victim); return p; } } else { idx = largebin_index(nb); if (have_fastchunks(av)) { pos_malloc_consolidate(name, av); } } #if MALLOC_DEBUG==1 printf("before unsorted bin\n") ; #endif for(;;) { int iters = 0; // 3. unsorted bin while ((victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) { bck = victim->bk; /*if (victim->size <= 2 * SIZE_SZ || victim->size > av->system_mem) malloc_printerr (check_action, "malloc(): memory corruption", chunk2mem (victim));*/ size = chunksize(victim); if (in_smallbin_range(nb) && bck == unsorted_chunks(av) && victim == av->last_remainder && (unsigned long)(size) > (unsigned long)(nb + MINSIZE)) { remainder_size = size - nb; remainder = chunk_at_offset(victim, nb); #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->bk, (unsigned long)remainder); POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->fd, (unsigned long)remainder); POS_WRITE_VAUE(name, (unsigned long *)&av->last_remainder, (unsigned long)remainder); #else unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder; av->last_remainder = remainder; #endif remainder->bk = remainder->fd = unsorted_chunks(av); if (!in_smallbin_range(remainder_size)) { remainder->fd_nextsize = NULL; remainder->bk_nextsize = NULL; } // Remainder dosen't need logging... if (chunk_is_last(victim)) set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE); else set_head(remainder, remainder_size | PREV_INUSE); // set PREV_INUSE flag.. #if CONSISTENCY == 1 if (chunk_is_first(victim)) { set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE); } else { set_head_log(name, victim, nb | PREV_INUSE); } set_foot_log(name, remainder, remainder_size); #else if (chunk_is_first(victim)) set_head(victim, nb | FIRST_CHUNK | PREV_INUSE); else set_head(victim, nb | PREV_INUSE); set_foot(remainder, remainder_size); #endif void *p = chunk2mem(victim); return p; } #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->bk, (unsigned long)bck); POS_WRITE_VAUE(name, (unsigned long *)&bck->fd, (unsigned long)unsorted_chunks(av)); #else unsorted_chunks(av)->bk = bck; bck->fd = unsorted_chunks(av); #endif if (size == nb) { #if CONSISTENCY == 1 set_inuse_bit_at_offset_log(name, victim, size); #else set_inuse_bit_at_offset(victim, size); #endif void *p = chunk2mem(victim); return p; } if (in_smallbin_range(size)) { victim_index = smallbin_index(size); bck = bin_at(av, victim_index); fwd = bck->fd; } else { victim_index = largebin_index(size); bck = bin_at(av, victim_index); fwd = bck->fd; if (fwd != bck) { size |= PREV_INUSE; //In order not to use chunksize() if ((unsigned long)(size) < (unsigned long)(bck->bk->size)) { fwd = bck; bck = bck->bk; // Current victim was in the unsorted bin that fd_nextsize dosen't need.. so, we don't leave log.. (We don't leave log for fd_nextsize below..) victim->fd_nextsize = fwd->fd; victim->bk_nextsize = fwd->fd->bk_nextsize; #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&fwd->fd->bk_nextsize, (unsigned long)victim); POS_WRITE_VAUE(name, (unsigned long *)&victim->bk_nextsize->fd_nextsize, (unsigned long)victim); #else fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; #endif } else { while ((unsigned long) size < fwd->size) { fwd = fwd->fd_nextsize; } if ((unsigned long) size == (unsigned long) fwd->size) fwd = fwd->fd; else { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&fwd->bk_nextsize, (unsigned long)victim); POS_WRITE_VAUE(name, (unsigned long *)&victim->bk_nextsize->fd_nextsize, (unsigned long)victim); #else fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; #endif } bck = fwd->bk; } } else victim->fd_nextsize = victim->bk_nextsize = victim; } #if CONSISTENCY == 1 mark_bin_log(name, av, victim_index); POS_WRITE_VAUE(name, (unsigned long *)&victim->bk, (unsigned long)bck); POS_WRITE_VAUE(name, (unsigned long *)&victim->fd, (unsigned long)fwd); POS_WRITE_VAUE(name, (unsigned long *)&fwd->bk, (unsigned long)victim); POS_WRITE_VAUE(name, (unsigned long *)&bck->fd, (unsigned long)victim); #else mark_bin(av, victim_index); victim->bk = bck; victim->fd = fwd; fwd->bk = victim; bck->fd = victim; #endif #define MAX_ITERS 10000 if (++iters >= MAX_ITERS) break; } #if MALLOC_DEBUG == 1 printf("before large bin\n") ; #endif // 4. large bin (1024<=) if (!in_smallbin_range(nb)) { bin = bin_at(av, idx); #if MALLOC_DEBUG printf(" bin = [%p]\n " ,bin ) ; #endif if ((victim = first(bin)) != bin && (unsigned long)(victim->size) >= (unsigned long)(nb)) { victim = victim->bk_nextsize; while (((unsigned long)(size = chunksize(victim)) < (unsigned long)(nb))) victim = victim->bk_nextsize; //if (victim != last(bin) && victim->size == victim->fd->size) if (victim != last(bin) && chunksize(victim) == chunksize(victim->fd)) victim = victim->fd; remainder_size = size - nb; #if CONSISTENCY == 1 unlink_log(name, victim, bck, fwd); #else unlink(victim, bck, fwd); #endif if (remainder_size < MINSIZE) { #if CONSISTENCY == 1 set_inuse_bit_at_offset_log(name, victim, size); #else set_inuse_bit_at_offset(victim, size); #endif } else { remainder = chunk_at_offset(victim, nb); #if CONSISTENCY == 1 insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size); #else insert_to_unsorted(av, remainder, bck, fwd, remainder_size); #endif // Remainder dosen't need logging... if (chunk_is_last(victim)) set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE); else set_head(remainder, remainder_size | PREV_INUSE); // set PREV_INUSE flag.. #if CONSISTENCY == 1 if (chunk_is_first(victim)) { set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE); } else { set_head_log(name, victim, nb | PREV_INUSE); } set_foot_log(name, remainder, remainder_size); #else if (chunk_is_first(victim)) set_head(victim, nb | FIRST_CHUNK | PREV_INUSE); else set_head(victim, nb | PREV_INUSE); set_foot(remainder, remainder_size); #endif } void *p = chunk2mem(victim); return p; } } ++idx; bin = bin_at(av,idx); block = idx2block(idx); map = av->binmap[block]; bit = idx2bit(idx); #if MALLOC_DEBUG == 1 printf("DDD\n") ; #endif for (;;) { if (bit > map || bit == 0) { do { if (++block >= BINMAPSIZE){ goto new_alloc; } } while ( (map = av->binmap[block]) == 0); bin = bin_at(av, (block << BINMAPSHIFT)); bit = 1; } while ((bit & map) == 0) { bin = next_bin(bin); bit <<= 1; } #if MALLOC_DEBUG == 1 printf("before victim\n") ; #endif victim = last(bin); if (victim == bin) { #if MALLOC_DEBUG == 1 printf("victim == bin\n") ; #endif #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&av->binmap[block], (unsigned long)(map &~bit)); #else av->binmap[block] = map &= ~bit; #endif bin = next_bin(bin); bit <<= 1; } else { #if MALLOC_DEBUG == 1 printf("victim != bin\n") ; #endif size = chunksize(victim); remainder_size = size - nb; #if CONSISTENCY == 1 unlink_log(name, victim, bck, fwd); #else unlink(victim, bck, fwd); #endif #if MALLOC_DEBUG == 1 printf("unlink\n") ; #endif if (remainder_size < MINSIZE) { #if CONSISTENCY == 1 set_inuse_bit_at_offset_log(name, victim, size); #else #if MALLOC_DEBUG == 1 printf("D\n") ; printf("victim : %p\n", victim) ; printf("size: %d\n" ,size) ; #endif set_inuse_bit_at_offset(victim, size); #endif } else { #if MALLOC_DEBUG == 1 printf("remainder\n") ; #endif remainder = chunk_at_offset(victim, nb); #if CONSISTENCY == 1 insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size); #else #if MALLOC_DEBUG == 1 printf("av=%p\n",av) ; printf("%p %p %p\n", remainder , bck , fwd); printf("%d\n" , remainder_size) ; #endif insert_to_unsorted(av, remainder, bck, fwd, remainder_size); #endif #if MALLOC_DEBUG == 1 printf("%p %p %p\n", remainder , bck , fwd); printf("s\n") ; #endif if (in_smallbin_range(nb)) { #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&av->last_remainder, (unsigned long)remainder); #else av->last_remainder = remainder; #endif } #if MALLOC_DEBUG == 1 printf("s\n") ; #endif if (chunk_is_last(victim)) set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE); else set_head(remainder, remainder_size | PREV_INUSE); // set PREV_INUSE flag.. #if CONSISTENCY == 1 if (chunk_is_first(victim)) { set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE); } else { set_head_log(name, victim, nb | PREV_INUSE); } #if MALLOC_DEBUG == 1 printf("s\n") ; #endif set_foot_log(name, remainder, remainder_size); #else if (chunk_is_first(victim)) set_head(victim, nb | FIRST_CHUNK | PREV_INUSE); else set_head(victim, nb | PREV_INUSE); set_foot(remainder, remainder_size); #endif } #if MALLOC_DEBUG == 1 printf("s\n") ; #endif void *p = chunk2mem(victim); return p; } } new_alloc: #if MALLOC_DEBUG == 1 printf("before newallocation\n"); #endif // 6. new allocation size = (nb + MINSIZE +2*SIZE_SZ + pagemask) & ~pagemask; size += DEFAULT_PAD; //char* mm = (char*)(SEG_ALLOC(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE)); char *mm = (char *)pos_seg_alloc(name, size); memset(mm , 0 , size); #if MALLOC_DEBUG == 1 printf(" mm = %p\n" , mm) ; #endif #if CONSISTENCY == 1 pos_log_insert_malloc_free(name, (unsigned long)mm, size); #endif //if (mm != MAP_FAILED) { if (mm != (char *)0) { #if CONSISTENCY == 1 POS_WRITE_VAUE(name, (unsigned long *)&av->system_mem, (unsigned long)(av->system_mem+size)); #else av->system_mem += size; #endif // printf("D!\n") ; mchunkptr p; p = (mchunkptr)mm; remainder_size = size - nb - 2*SIZE_SZ; remainder = chunk_at_offset(p, nb); #if CONSISTENCY == 1 insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size); #else insert_to_unsorted(av, remainder, bck, fwd, remainder_size); #endif /*if (in_smallbin_range(nb)) av->last_remainder = remainder;*/ // set PREV_INUSE flag.. //#if CONSISTENCY == 1 //#elseif set_head(p, nb | FIRST_CHUNK | PREV_INUSE); set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE); set_foot(remainder, remainder_size); clear_inuse_bit_at_offset(remainder, remainder_size); //#endif //return p; return chunk2mem(p); } else return 0; } }
/* The Shellcoder's Handbook: Discovering and Exploiting Security Holes Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, Riley Hassell Publisher: John Wiley & Sons ISBN: 0764544683 Chapter 5: Heap Overflows Code Snippet #1 Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com */ bin = bin_at(av, idx); for (victim = last(bin); victim != bin; victim = victim->bk) { size = chunksize(victim); if ((unsigned long)(size) >= (unsigned long)(nb)) { remainder_size = size - nb; unlink(victim, bck, fwd); /* Exhaust */ if (remainder_size < MINSIZE) { set_inuse_bit_at_offset(victim, size); if (av != &main_arena) victim->size |= NON_MAIN_ARENA; check_malloced_chunk(av, victim, nb);
int __malloc_set_state(void* msptr) { struct malloc_save_state* ms = (struct malloc_save_state*)msptr; size_t i; mbinptr b; disallow_malloc_check = 1; ptmalloc_init(); if(ms->magic != MALLOC_STATE_MAGIC) return -1; /* Must fail if the major version is too high. */ if((ms->version & ~0xffl) > (MALLOC_STATE_VERSION & ~0xffl)) return -2; (void)mutex_lock(&main_arena.mutex); /* There are no fastchunks. */ clear_fastchunks(&main_arena); if (ms->version >= 4) set_max_fast(ms->max_fast); else set_max_fast(64); /* 64 used to be the value we always used. */ for (i=0; i<NFASTBINS; ++i) fastbin (&main_arena, i) = 0; for (i=0; i<BINMAPSIZE; ++i) main_arena.binmap[i] = 0; top(&main_arena) = ms->av[2]; main_arena.last_remainder = 0; for(i=1; i<NBINS; i++) { b = bin_at(&main_arena, i); if(ms->av[2*i+2] == 0) { assert(ms->av[2*i+3] == 0); first(b) = last(b) = b; } else { if(ms->version >= 3 && (i<NSMALLBINS || (largebin_index(chunksize(ms->av[2*i+2]))==i && largebin_index(chunksize(ms->av[2*i+3]))==i))) { first(b) = ms->av[2*i+2]; last(b) = ms->av[2*i+3]; /* Make sure the links to the bins within the heap are correct. */ first(b)->bk = b; last(b)->fd = b; /* Set bit in binblocks. */ mark_bin(&main_arena, i); } else { /* Oops, index computation from chunksize must have changed. Link the whole list into unsorted_chunks. */ first(b) = last(b) = b; b = unsorted_chunks(&main_arena); ms->av[2*i+2]->bk = b; ms->av[2*i+3]->fd = b->fd; b->fd->bk = ms->av[2*i+3]; b->fd = ms->av[2*i+2]; } } } if (ms->version < 3) { /* Clear fd_nextsize and bk_nextsize fields. */ b = unsorted_chunks(&main_arena)->fd; while (b != unsorted_chunks(&main_arena)) { if (!in_smallbin_range(chunksize(b))) { b->fd_nextsize = NULL; b->bk_nextsize = NULL; } b = b->fd; } } mp_.sbrk_base = ms->sbrk_base; main_arena.system_mem = ms->sbrked_mem_bytes; mp_.trim_threshold = ms->trim_threshold; mp_.top_pad = ms->top_pad; mp_.n_mmaps_max = ms->n_mmaps_max; mp_.mmap_threshold = ms->mmap_threshold; check_action = ms->check_action; main_arena.max_system_mem = ms->max_sbrked_mem; mp_.n_mmaps = ms->n_mmaps; mp_.max_n_mmaps = ms->max_n_mmaps; mp_.mmapped_mem = ms->mmapped_mem; mp_.max_mmapped_mem = ms->max_mmapped_mem; /* add version-dependent code here */ if (ms->version >= 1) { /* Check whether it is safe to enable malloc checking, or whether it is necessary to disable it. */ if (ms->using_malloc_checking && !using_malloc_checking && !disallow_malloc_check) __malloc_check_init (); else if (!ms->using_malloc_checking && using_malloc_checking) { __malloc_hook = NULL; __free_hook = NULL; __realloc_hook = NULL; __memalign_hook = NULL; using_malloc_checking = 0; } } if (ms->version >= 4) { #ifdef PER_THREAD mp_.arena_test = ms->arena_test; mp_.arena_max = ms->arena_max; narenas = ms->narenas; #endif } check_malloc_state(&main_arena); (void)mutex_unlock(&main_arena.mutex); return 0; }