/*
Initialize a malloc_state struct.
This is called only from within __malloc_consolidate, which needs
be called in the same contexts anyway. It is never called directly
outside of __malloc_consolidate because some optimizing compilers try
to inline it at all call points, which turns out not to be an
optimization at all. (Inlining it in __malloc_consolidate is fine though.)
*/
static void malloc_init_state(mstate av)
{
int i;
mbinptr bin;
/* Establish circular links for normal bins */
for (i = 1; i < NBINS; ++i) {
bin = bin_at(av,i);
bin->fd = bin->bk = bin;
}
av->top_pad = DEFAULT_TOP_PAD;
av->n_mmaps_max = DEFAULT_MMAP_MAX;
av->mmap_threshold = DEFAULT_MMAP_THRESHOLD;
av->trim_threshold = DEFAULT_TRIM_THRESHOLD;
#if MORECORE_CONTIGUOUS
set_contiguous(av);
#else
set_noncontiguous(av);
#endif
set_max_fast(av, DEFAULT_MXFAST);
av->top = initial_top(av);
av->pagesize = malloc_getpagesize;
}
/*
Initialize a malloc_state struct.
This is called only from within __malloc_consolidate, which needs
be called in the same contexts anyway. It is never called directly
outside of __malloc_consolidate because some optimizing compilers try
to inline it at all call points, which turns out not to be an
optimization at all. (Inlining it in __malloc_consolidate is fine though.)
*/
static void malloc_init_state(mstate av)
{
int i;
mbinptr bin;
/* Establish circular links for normal bins */
for (i = 1; i < NBINS; ++i) {
bin = bin_at(av,i);
bin->fd = bin->bk = bin;
}
av->top_pad = DEFAULT_TOP_PAD;
av->n_mmaps_max = DEFAULT_MMAP_MAX;
av->mmap_threshold = DEFAULT_MMAP_THRESHOLD;
av->trim_threshold = DEFAULT_TRIM_THRESHOLD;
#if MORECORE_CONTIGUOUS
set_contiguous(av);
#else
set_noncontiguous(av);
#endif
set_max_fast(av, DEFAULT_MXFAST);
//av->top = initial_top(av);
init_linked_list(&(av->ustate_list)); //init ustate list
av->pagesize = malloc_getpagesize;
// add new mstate to the mstate list
list_insert_tail(&(get_abstate()->mstate_list), (void *)av);
}
/* libc_hidden_proto(mallinfo) */
struct mallinfo mallinfo(void)
{
mstate av;
struct mallinfo mi;
unsigned int i;
mbinptr b;
mchunkptr p;
size_t avail;
size_t fastavail;
int nblocks;
int nfastblocks;
__MALLOC_LOCK;
av = get_malloc_state();
/* Ensure initialization */
if (av->top == 0) {
__malloc_consolidate(av);
}
check_malloc_state();
/* Account for top */
avail = chunksize(av->top);
nblocks = 1; /* top always exists */
/* traverse fastbins */
nfastblocks = 0;
fastavail = 0;
for (i = 0; i < NFASTBINS; ++i) {
for (p = av->fastbins[i]; p != 0; p = p->fd) {
++nfastblocks;
fastavail += chunksize(p);
}
}
avail += fastavail;
/* traverse regular bins */
for (i = 1; i < NBINS; ++i) {
b = bin_at(av, i);
for (p = last(b); p != b; p = p->bk) {
++nblocks;
avail += chunksize(p);
}
}
mi.smblks = nfastblocks;
mi.ordblks = nblocks;
mi.fordblks = avail;
mi.uordblks = av->sbrked_mem - avail;
mi.arena = av->sbrked_mem;
mi.hblks = av->n_mmaps;
mi.hblkhd = av->mmapped_mem;
mi.fsmblks = fastavail;
mi.keepcost = chunksize(av->top);
mi.usmblks = av->max_total_mem;
__MALLOC_UNLOCK;
return mi;
}
void malloc_init_state(struct malloc_state *av)
{
int i;
mchunkptr bin;
for (i = 1; i < 128; ++i) {
bin = bin_at(av,i);
bin->fd = bin->bk = bin;
}
}
void *
__malloc_get_state (void)
{
struct malloc_save_state *ms;
int i;
mbinptr b;
ms = (struct malloc_save_state *) __libc_malloc (sizeof (*ms));
if (!ms)
return 0;
(void) mutex_lock (&main_arena.mutex);
malloc_consolidate (&main_arena);
ms->magic = MALLOC_STATE_MAGIC;
ms->version = MALLOC_STATE_VERSION;
ms->av[0] = 0;
ms->av[1] = 0; /* used to be binblocks, now no longer used */
ms->av[2] = top (&main_arena);
ms->av[3] = 0; /* used to be undefined */
for (i = 1; i < NBINS; i++)
{
b = bin_at (&main_arena, i);
if (first (b) == b)
ms->av[2 * i + 2] = ms->av[2 * i + 3] = 0; /* empty bin */
else
{
ms->av[2 * i + 2] = first (b);
ms->av[2 * i + 3] = last (b);
}
}
ms->sbrk_base = mp_.sbrk_base;
ms->sbrked_mem_bytes = main_arena.system_mem;
ms->trim_threshold = mp_.trim_threshold;
ms->top_pad = mp_.top_pad;
ms->n_mmaps_max = mp_.n_mmaps_max;
ms->mmap_threshold = mp_.mmap_threshold;
ms->check_action = check_action;
ms->max_sbrked_mem = main_arena.max_system_mem;
ms->max_total_mem = 0;
ms->n_mmaps = mp_.n_mmaps;
ms->max_n_mmaps = mp_.max_n_mmaps;
ms->mmapped_mem = mp_.mmapped_mem;
ms->max_mmapped_mem = mp_.max_mmapped_mem;
ms->using_malloc_checking = using_malloc_checking;
ms->max_fast = get_max_fast ();
ms->arena_test = mp_.arena_test;
ms->arena_max = mp_.arena_max;
ms->narenas = narenas;
(void) mutex_unlock (&main_arena.mutex);
return (void *) ms;
}
/*
------------------------------ pos_test_function ------------------------------
*/
void
pos_print_free_chunks(char *name)
{
struct malloc_state * av;
mbinptr bin;
mchunkptr p;
int i;
av = (struct malloc_state *)pos_lookup_mstate(name);
if (av == NULL || !have_init_key(av)) {
printf("\n Can't print free chunks.\n");
return;
}
printf("\n ******************** Free chunks of `%s` ************************\n", name);
printf(" * 1. Fast bins(0~7)\n");
for (i=0; i< NFASTBINS ; i++) {
p = (mchunkptr)fastbin(av, i);
while (p!=0) {
printf(" * [%3d] addr=0x%lX, size=%lu", i, (unsigned long int)p, (unsigned long int)chunksize(p));
if (chunk_is_first(p)) printf("(F)\n");
else if (chunk_is_last(p)) printf("(L)\n");
else printf("(M)\n");
p = p->fd;
}
}
printf(" * 2. Unsorted(1) / Small(2~63) / Large(64~128) bins\n");
for (i=1; i < NBINS; i++) {
bin = bin_at(av,i);
p = bin->fd;
while (p != bin) {
printf(" * [%3d] addr=0x%lX, size=%lu", i, (unsigned long int)p, (unsigned long int)chunksize(p));
if (chunk_is_first(p)) printf("(F)\n");
else if (chunk_is_last(p)) printf("(L)\n");
else printf("(M)\n");
p = p->fd;
}
}
printf(" ***********************************************************************\n");
}
//static void
void
pos_malloc_init_state(char *name, mstate av)
{
mchunkptr first_chunk;
unsigned long first_size;
mchunkptr last_chunk;
unsigned long last_size;
mchunkptr bck;
mchunkptr fwd;
int i;
mbinptr bin;
// init mutex key
pthread_mutex_init( &av->mutex,NULL ) ;
// initialize malloc_state
#if CONSISTENCY == 1
set_init_key_log(name, av);
#else
set_init_key(av);
#endif
// Below codes don't need logging.
for (i=1; i < NBINS; i++) {
bin = bin_at(av,i);
bin->fd = bin->bk = bin;
}
//set_max_fast(DEFAULT_MXFAST);
clear_fastchunks(av);
for (i=0; i< NFASTBINS ; i++) {
av->fastbinsY[i] = 0;
}
// first chunk
first_chunk = chunk_at_offset(av, sizeof(struct malloc_state));
first_size = (PAGESIZE - sizeof(struct malloc_state) - 2*SIZE_SZ)/2; // 956
//#if CONSISTENCY == 1
//first_size = (128*1024-1)*4096 + 960; //536867776
//first_size = request2size(first_size); // 536867792
//#else
first_size = 960;
//#endif
//insert_to_unsorted(av, first_chunk, bck, fwd, first_size);
set_head(first_chunk, first_size | FIRST_CHUNK | PREV_INUSE);
set_foot(first_chunk, first_size);
clear_inuse_bit_at_offset(first_chunk, first_size);
// last_chunk
last_chunk = chunk_at_offset(first_chunk, first_size);
//last_size = first_size;
//#if CONSISTENCY == 1
////last_size = (128*1024)*4096 + 944; // 536867760
//last_size = (256*1024)*4096 - first_size - 2*SIZE_SZ;
//last_size = request2size(last_size); // 536874032
//#else
// last_size = 988;
last_size = 1800;
//#endif
insert_to_unsorted(av, last_chunk, bck, fwd, last_size);
set_head(last_chunk, last_size | LAST_CHUNK | PREV_INUSE);
set_foot(last_chunk, last_size);
clear_inuse_bit_at_offset(last_chunk, last_size);
av->last_remainder = 0;
for (i=0; i<BINMAPSIZE; i++) {
av->binmap[i] = 0;
}
av->system_mem = PAGESIZE;
av -> prime_obj = NULL;
}
static Void_t*
pos_int_malloc(char *name, mstate av, size_t bytes)
{
INTERNAL_SIZE_T nb;
unsigned int idx;
mbinptr bin;
mchunkptr victim;
INTERNAL_SIZE_T size;
int victim_index;
mchunkptr remainder;
unsigned long remainder_size;
unsigned int block;
unsigned int bit;
unsigned int map;
mchunkptr fwd;
mchunkptr bck;
//const char *errstr = NULL;
size_t pagemask = PAGESIZE - 1;
//16바이트 단위로 정렬
checked_request2size(bytes, nb);
#if MALLOC_DEBUG == 1
printf("before fastbin\n") ;
#endif
// 1. fast bin (<=144)
// 1. fast bin (<=144)
/* if ((unsigned long)(nb) <= (unsigned long)(get_max_fast())) {
idx = fastbin_index(nb);
// printf("idx = %d\n" , idx) ;
mfastbinptr* fb = &fastbin(av, idx);
victim = *fb;
if (victim != 0) {
if (fastbin_index (chunksize (victim)) != idx) {
errstr = "malloc(): memory corruption (fast)";
errout:
malloc_printerr (check_action, errstr, chunk2mem (victim));
}
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)fb, (unsigned long)victim->fd);
#else
*fb = victim->fd;
#endif
void *p = chunk2mem(victim);
return p;
}
}
*/
// 2. small bin (<=1008)
if (in_smallbin_range(nb)) {
#if MALLOC_DEBUG == 1
printf("inside smallbin if\n") ;
#endif
idx = smallbin_index(nb);
bin = bin_at(av,idx);
victim = last(bin);
if ( victim != bin && victim != NULL ) {
bck = victim->bk;
/* if (bck->fd != victim) {
errstr = "malloc(): smallbin double linked list corrupted";
goto errout;
}*/
#if CONSISTENCY == 1
set_inuse_bit_at_offset_log(name, victim, nb);
POS_WRITE_VAUE(name, (unsigned long *)&bin->bk, (unsigned long)bck);
POS_WRITE_VAUE(name, (unsigned long *)&bin->fd, (unsigned long)bin);
#else
set_inuse_bit_at_offset(victim, nb);
bin->bk = bck;
bck->fd = bin;
#endif
void *p = chunk2mem(victim);
return p;
}
}
else {
idx = largebin_index(nb);
if (have_fastchunks(av)) {
pos_malloc_consolidate(name, av);
}
}
#if MALLOC_DEBUG==1
printf("before unsorted bin\n") ;
#endif
for(;;) {
int iters = 0;
// 3. unsorted bin
while ((victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) {
bck = victim->bk;
/*if (victim->size <= 2 * SIZE_SZ || victim->size > av->system_mem)
malloc_printerr (check_action, "malloc(): memory corruption", chunk2mem (victim));*/
size = chunksize(victim);
if (in_smallbin_range(nb) &&
bck == unsorted_chunks(av) &&
victim == av->last_remainder &&
(unsigned long)(size) > (unsigned long)(nb + MINSIZE)) {
remainder_size = size - nb;
remainder = chunk_at_offset(victim, nb);
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->bk, (unsigned long)remainder);
POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->fd, (unsigned long)remainder);
POS_WRITE_VAUE(name, (unsigned long *)&av->last_remainder, (unsigned long)remainder);
#else
unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder;
av->last_remainder = remainder;
#endif
remainder->bk = remainder->fd = unsorted_chunks(av);
if (!in_smallbin_range(remainder_size)) {
remainder->fd_nextsize = NULL;
remainder->bk_nextsize = NULL;
}
// Remainder dosen't need logging...
if (chunk_is_last(victim))
set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE);
else
set_head(remainder, remainder_size | PREV_INUSE);
// set PREV_INUSE flag..
#if CONSISTENCY == 1
if (chunk_is_first(victim)) {
set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE);
} else {
set_head_log(name, victim, nb | PREV_INUSE);
}
set_foot_log(name, remainder, remainder_size);
#else
if (chunk_is_first(victim))
set_head(victim, nb | FIRST_CHUNK | PREV_INUSE);
else
set_head(victim, nb | PREV_INUSE);
set_foot(remainder, remainder_size);
#endif
void *p = chunk2mem(victim);
return p;
}
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&unsorted_chunks(av)->bk, (unsigned long)bck);
POS_WRITE_VAUE(name, (unsigned long *)&bck->fd, (unsigned long)unsorted_chunks(av));
#else
unsorted_chunks(av)->bk = bck;
bck->fd = unsorted_chunks(av);
#endif
if (size == nb) {
#if CONSISTENCY == 1
set_inuse_bit_at_offset_log(name, victim, size);
#else
set_inuse_bit_at_offset(victim, size);
#endif
void *p = chunk2mem(victim);
return p;
}
if (in_smallbin_range(size)) {
victim_index = smallbin_index(size);
bck = bin_at(av, victim_index);
fwd = bck->fd;
}
else {
victim_index = largebin_index(size);
bck = bin_at(av, victim_index);
fwd = bck->fd;
if (fwd != bck) {
size |= PREV_INUSE; //In order not to use chunksize()
if ((unsigned long)(size) < (unsigned long)(bck->bk->size)) {
fwd = bck;
bck = bck->bk;
// Current victim was in the unsorted bin that fd_nextsize dosen't need.. so, we don't leave log.. (We don't leave log for fd_nextsize below..)
victim->fd_nextsize = fwd->fd;
victim->bk_nextsize = fwd->fd->bk_nextsize;
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&fwd->fd->bk_nextsize, (unsigned long)victim);
POS_WRITE_VAUE(name, (unsigned long *)&victim->bk_nextsize->fd_nextsize, (unsigned long)victim);
#else
fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
#endif
}
else {
while ((unsigned long) size < fwd->size) {
fwd = fwd->fd_nextsize;
}
if ((unsigned long) size == (unsigned long) fwd->size)
fwd = fwd->fd;
else {
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&fwd->bk_nextsize, (unsigned long)victim);
POS_WRITE_VAUE(name, (unsigned long *)&victim->bk_nextsize->fd_nextsize, (unsigned long)victim);
#else
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
#endif
}
bck = fwd->bk;
}
}
else
victim->fd_nextsize = victim->bk_nextsize = victim;
}
#if CONSISTENCY == 1
mark_bin_log(name, av, victim_index);
POS_WRITE_VAUE(name, (unsigned long *)&victim->bk, (unsigned long)bck);
POS_WRITE_VAUE(name, (unsigned long *)&victim->fd, (unsigned long)fwd);
POS_WRITE_VAUE(name, (unsigned long *)&fwd->bk, (unsigned long)victim);
POS_WRITE_VAUE(name, (unsigned long *)&bck->fd, (unsigned long)victim);
#else
mark_bin(av, victim_index);
victim->bk = bck;
victim->fd = fwd;
fwd->bk = victim;
bck->fd = victim;
#endif
#define MAX_ITERS 10000
if (++iters >= MAX_ITERS)
break;
}
#if MALLOC_DEBUG == 1
printf("before large bin\n") ;
#endif
// 4. large bin (1024<=)
if (!in_smallbin_range(nb)) {
bin = bin_at(av, idx);
#if MALLOC_DEBUG
printf(" bin = [%p]\n " ,bin ) ;
#endif
if ((victim = first(bin)) != bin &&
(unsigned long)(victim->size) >= (unsigned long)(nb)) {
victim = victim->bk_nextsize;
while (((unsigned long)(size = chunksize(victim)) < (unsigned long)(nb)))
victim = victim->bk_nextsize;
//if (victim != last(bin) && victim->size == victim->fd->size)
if (victim != last(bin) && chunksize(victim) == chunksize(victim->fd))
victim = victim->fd;
remainder_size = size - nb;
#if CONSISTENCY == 1
unlink_log(name, victim, bck, fwd);
#else
unlink(victim, bck, fwd);
#endif
if (remainder_size < MINSIZE) {
#if CONSISTENCY == 1
set_inuse_bit_at_offset_log(name, victim, size);
#else
set_inuse_bit_at_offset(victim, size);
#endif
}
else {
remainder = chunk_at_offset(victim, nb);
#if CONSISTENCY == 1
insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size);
#else
insert_to_unsorted(av, remainder, bck, fwd, remainder_size);
#endif
// Remainder dosen't need logging...
if (chunk_is_last(victim))
set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE);
else
set_head(remainder, remainder_size | PREV_INUSE);
// set PREV_INUSE flag..
#if CONSISTENCY == 1
if (chunk_is_first(victim)) {
set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE);
} else {
set_head_log(name, victim, nb | PREV_INUSE);
}
set_foot_log(name, remainder, remainder_size);
#else
if (chunk_is_first(victim))
set_head(victim, nb | FIRST_CHUNK | PREV_INUSE);
else
set_head(victim, nb | PREV_INUSE);
set_foot(remainder, remainder_size);
#endif
}
void *p = chunk2mem(victim);
return p;
}
}
++idx;
bin = bin_at(av,idx);
block = idx2block(idx);
map = av->binmap[block];
bit = idx2bit(idx);
#if MALLOC_DEBUG == 1
printf("DDD\n") ;
#endif
for (;;) {
if (bit > map || bit == 0) {
do {
if (++block >= BINMAPSIZE){
goto new_alloc;
}
} while ( (map = av->binmap[block]) == 0);
bin = bin_at(av, (block << BINMAPSHIFT));
bit = 1;
}
while ((bit & map) == 0) {
bin = next_bin(bin);
bit <<= 1;
}
#if MALLOC_DEBUG == 1
printf("before victim\n") ;
#endif
victim = last(bin);
if (victim == bin) {
#if MALLOC_DEBUG == 1
printf("victim == bin\n") ;
#endif
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&av->binmap[block], (unsigned long)(map &~bit));
#else
av->binmap[block] = map &= ~bit;
#endif
bin = next_bin(bin);
bit <<= 1;
}
else {
#if MALLOC_DEBUG == 1
printf("victim != bin\n") ;
#endif
size = chunksize(victim);
remainder_size = size - nb;
#if CONSISTENCY == 1
unlink_log(name, victim, bck, fwd);
#else
unlink(victim, bck, fwd);
#endif
#if MALLOC_DEBUG == 1
printf("unlink\n") ;
#endif
if (remainder_size < MINSIZE) {
#if CONSISTENCY == 1
set_inuse_bit_at_offset_log(name, victim, size);
#else
#if MALLOC_DEBUG == 1
printf("D\n") ;
printf("victim : %p\n", victim) ;
printf("size: %d\n" ,size) ;
#endif
set_inuse_bit_at_offset(victim, size);
#endif
}
else {
#if MALLOC_DEBUG == 1
printf("remainder\n") ;
#endif
remainder = chunk_at_offset(victim, nb);
#if CONSISTENCY == 1
insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size);
#else
#if MALLOC_DEBUG == 1
printf("av=%p\n",av) ;
printf("%p %p %p\n", remainder , bck , fwd);
printf("%d\n" , remainder_size) ;
#endif
insert_to_unsorted(av, remainder, bck, fwd, remainder_size);
#endif
#if MALLOC_DEBUG == 1
printf("%p %p %p\n", remainder , bck , fwd);
printf("s\n") ;
#endif
if (in_smallbin_range(nb)) {
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&av->last_remainder, (unsigned long)remainder);
#else
av->last_remainder = remainder;
#endif
}
#if MALLOC_DEBUG == 1
printf("s\n") ;
#endif
if (chunk_is_last(victim))
set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE);
else
set_head(remainder, remainder_size | PREV_INUSE);
// set PREV_INUSE flag..
#if CONSISTENCY == 1
if (chunk_is_first(victim)) {
set_head_log(name, victim, nb | FIRST_CHUNK | PREV_INUSE);
} else {
set_head_log(name, victim, nb | PREV_INUSE);
}
#if MALLOC_DEBUG == 1
printf("s\n") ;
#endif
set_foot_log(name, remainder, remainder_size);
#else
if (chunk_is_first(victim))
set_head(victim, nb | FIRST_CHUNK | PREV_INUSE);
else
set_head(victim, nb | PREV_INUSE);
set_foot(remainder, remainder_size);
#endif
}
#if MALLOC_DEBUG == 1
printf("s\n") ;
#endif
void *p = chunk2mem(victim);
return p;
}
}
new_alloc:
#if MALLOC_DEBUG == 1
printf("before newallocation\n");
#endif
// 6. new allocation
size = (nb + MINSIZE +2*SIZE_SZ + pagemask) & ~pagemask;
size += DEFAULT_PAD;
//char* mm = (char*)(SEG_ALLOC(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE));
char *mm = (char *)pos_seg_alloc(name, size);
memset(mm , 0 , size);
#if MALLOC_DEBUG == 1
printf(" mm = %p\n" , mm) ;
#endif
#if CONSISTENCY == 1
pos_log_insert_malloc_free(name, (unsigned long)mm, size);
#endif
//if (mm != MAP_FAILED) {
if (mm != (char *)0) {
#if CONSISTENCY == 1
POS_WRITE_VAUE(name, (unsigned long *)&av->system_mem, (unsigned long)(av->system_mem+size));
#else
av->system_mem += size;
#endif
// printf("D!\n") ;
mchunkptr p;
p = (mchunkptr)mm;
remainder_size = size - nb - 2*SIZE_SZ;
remainder = chunk_at_offset(p, nb);
#if CONSISTENCY == 1
insert_to_unsorted_log(name, av, remainder, bck, fwd, remainder_size);
#else
insert_to_unsorted(av, remainder, bck, fwd, remainder_size);
#endif
/*if (in_smallbin_range(nb))
av->last_remainder = remainder;*/
// set PREV_INUSE flag..
//#if CONSISTENCY == 1
//#elseif
set_head(p, nb | FIRST_CHUNK | PREV_INUSE);
set_head(remainder, remainder_size | LAST_CHUNK | PREV_INUSE);
set_foot(remainder, remainder_size);
clear_inuse_bit_at_offset(remainder, remainder_size);
//#endif
//return p;
return chunk2mem(p);
}
else
return 0;
}
}
/* The Shellcoder's Handbook: Discovering and Exploiting Security Holes Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, Riley Hassell Publisher: John Wiley & Sons ISBN: 0764544683 Chapter 5: Heap Overflows Code Snippet #1 Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com */ bin = bin_at(av, idx); for (victim = last(bin); victim != bin; victim = victim->bk) { size = chunksize(victim); if ((unsigned long)(size) >= (unsigned long)(nb)) { remainder_size = size - nb; unlink(victim, bck, fwd); /* Exhaust */ if (remainder_size < MINSIZE) { set_inuse_bit_at_offset(victim, size); if (av != &main_arena) victim->size |= NON_MAIN_ARENA; check_malloced_chunk(av, victim, nb);
int
__malloc_set_state(void* msptr)
{
struct malloc_save_state* ms = (struct malloc_save_state*)msptr;
size_t i;
mbinptr b;
disallow_malloc_check = 1;
ptmalloc_init();
if(ms->magic != MALLOC_STATE_MAGIC) return -1;
/* Must fail if the major version is too high. */
if((ms->version & ~0xffl) > (MALLOC_STATE_VERSION & ~0xffl)) return -2;
(void)mutex_lock(&main_arena.mutex);
/* There are no fastchunks. */
clear_fastchunks(&main_arena);
if (ms->version >= 4)
set_max_fast(ms->max_fast);
else
set_max_fast(64); /* 64 used to be the value we always used. */
for (i=0; i<NFASTBINS; ++i)
fastbin (&main_arena, i) = 0;
for (i=0; i<BINMAPSIZE; ++i)
main_arena.binmap[i] = 0;
top(&main_arena) = ms->av[2];
main_arena.last_remainder = 0;
for(i=1; i<NBINS; i++) {
b = bin_at(&main_arena, i);
if(ms->av[2*i+2] == 0) {
assert(ms->av[2*i+3] == 0);
first(b) = last(b) = b;
} else {
if(ms->version >= 3 &&
(i<NSMALLBINS || (largebin_index(chunksize(ms->av[2*i+2]))==i &&
largebin_index(chunksize(ms->av[2*i+3]))==i))) {
first(b) = ms->av[2*i+2];
last(b) = ms->av[2*i+3];
/* Make sure the links to the bins within the heap are correct. */
first(b)->bk = b;
last(b)->fd = b;
/* Set bit in binblocks. */
mark_bin(&main_arena, i);
} else {
/* Oops, index computation from chunksize must have changed.
Link the whole list into unsorted_chunks. */
first(b) = last(b) = b;
b = unsorted_chunks(&main_arena);
ms->av[2*i+2]->bk = b;
ms->av[2*i+3]->fd = b->fd;
b->fd->bk = ms->av[2*i+3];
b->fd = ms->av[2*i+2];
}
}
}
if (ms->version < 3) {
/* Clear fd_nextsize and bk_nextsize fields. */
b = unsorted_chunks(&main_arena)->fd;
while (b != unsorted_chunks(&main_arena)) {
if (!in_smallbin_range(chunksize(b))) {
b->fd_nextsize = NULL;
b->bk_nextsize = NULL;
}
b = b->fd;
}
}
mp_.sbrk_base = ms->sbrk_base;
main_arena.system_mem = ms->sbrked_mem_bytes;
mp_.trim_threshold = ms->trim_threshold;
mp_.top_pad = ms->top_pad;
mp_.n_mmaps_max = ms->n_mmaps_max;
mp_.mmap_threshold = ms->mmap_threshold;
check_action = ms->check_action;
main_arena.max_system_mem = ms->max_sbrked_mem;
mp_.n_mmaps = ms->n_mmaps;
mp_.max_n_mmaps = ms->max_n_mmaps;
mp_.mmapped_mem = ms->mmapped_mem;
mp_.max_mmapped_mem = ms->max_mmapped_mem;
/* add version-dependent code here */
if (ms->version >= 1) {
/* Check whether it is safe to enable malloc checking, or whether
it is necessary to disable it. */
if (ms->using_malloc_checking && !using_malloc_checking &&
!disallow_malloc_check)
__malloc_check_init ();
else if (!ms->using_malloc_checking && using_malloc_checking) {
__malloc_hook = NULL;
__free_hook = NULL;
__realloc_hook = NULL;
__memalign_hook = NULL;
using_malloc_checking = 0;
}
}
if (ms->version >= 4) {
#ifdef PER_THREAD
mp_.arena_test = ms->arena_test;
mp_.arena_max = ms->arena_max;
narenas = ms->narenas;
#endif
}
check_malloc_state(&main_arena);
(void)mutex_unlock(&main_arena.mutex);
return 0;
}
