calloc

原型__libc_calloc (size_t n, size_t elem_size)

开始声明了一堆变量

mstate av;
mchunkptr oldtop, p;
INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
void *mem;
unsigned long clearsize;
unsigned long nclears;
INTERNAL_SIZE_T *d;

得到申请大小

1	bytes = n * elem_size;

大小检测??

#define HALF_INTERNAL_SIZE_T \
  (((INTERNAL_SIZE_T) 1) << (8 * sizeof (INTERNAL_SIZE_T) / 2))
  if (__builtin_expect ((n | elem_size) >= HALF_INTERNAL_SIZE_T, 0))
    {
      if (elem_size != 0 && bytes / elem_size != n)
        {
          __set_errno (ENOMEM);
          return 0;
        }
    }

hook,定义一个函数指针,值来自__malloc_hook,不为空则调用

void *(*hook) (size_t, const void *) =
  atomic_forced_read (__malloc_hook);
if (__builtin_expect (hook != NULL, 0))
  {
    sz = bytes;
    mem = (*hook)(sz, RETURN_ADDRESS (0));
    if (mem == 0)
      return 0;

    return memset (mem, 0, sz);
  }

一些准备工作

  sz = bytes;

  MAYBE_INIT_TCACHE ();

  if (SINGLE_THREAD_P)
    av = &main_arena;
  else
    arena_get (av, sz);

  if (av)
    {
      /* Check if we hand out the top chunk, in which case there may be no
	 need to clear. */
#if MORECORE_CLEARS
      oldtop = top (av);
      oldtopsize = chunksize (top (av));
# if MORECORE_CLEARS < 2
      /* Only newly allocated memory is guaranteed to be cleared.  */
      if (av == &main_arena &&
	  oldtopsize < mp_.sbrk_base + av->max_system_mem - (char *) oldtop)
	oldtopsize = (mp_.sbrk_base + av->max_system_mem - (char *) oldtop);
# endif
      if (av != &main_arena)
	{
	  heap_info *heap = heap_for_ptr (oldtop);
	  if (oldtopsize < (char *) heap + heap->mprotect_size - (char *) oldtop)
	    oldtopsize = (char *) heap + heap->mprotect_size - (char *) oldtop;
	}
#endif
    }
  else
    {
      /* No usable arenas.  */
      oldtop = 0;
      oldtopsize = 0;
    }

核心依然是__int_malloc

mem = _int_malloc (av, sz);

assert (!mem || chunk_is_mmapped (mem2chunk (mem)) ||
        av == arena_for_chunk (mem2chunk (mem)));

非单线程情况

 if (!SINGLE_THREAD_P)
   {
     if (mem == 0 && av != NULL)
{
  LIBC_PROBE (memory_calloc_retry, 1, sz);
  av = arena_get_retry (av, sz);
  mem = _int_malloc (av, sz);
}

     if (av != NULL)
__libc_lock_unlock (av->mutex);
   }

分配失败

1
2
3

/* Allocation failed even after a retry.  */
 if (mem == 0)
   return 0;

成功之后,如果是mmap

p = mem2chunk (mem);

/* Two optional cases in which clearing not necessary */
if (chunk_is_mmapped (p))
  {
    if (__builtin_expect (perturb_byte, 0))
      return memset (mem, 0, sz);

    return mem;
  }

不然,chunk置零并返回

  csz = chunksize (p);

#if MORECORE_CLEARS
  if (perturb_byte == 0 && (p == oldtop && csz > oldtopsize))
    {
      /* clear only the bytes from non-freshly-sbrked memory */
      csz = oldtopsize;
    }
#endif

  /* Unroll clear of <= 36 bytes (72 if 8byte sizes).  We know that
     contents have an odd number of INTERNAL_SIZE_T-sized words;
     minimally 3.  */
  d = (INTERNAL_SIZE_T *) mem;
  clearsize = csz - SIZE_SZ;
  nclears = clearsize / sizeof (INTERNAL_SIZE_T);
  assert (nclears >= 3);

  if (nclears > 9)
    return memset (d, 0, clearsize);

  else
    {
      *(d + 0) = 0;
      *(d + 1) = 0;
      *(d + 2) = 0;
      if (nclears > 4)
        {
          *(d + 3) = 0;
          *(d + 4) = 0;
          if (nclears > 6)
            {
              *(d + 5) = 0;
              *(d + 6) = 0;
              if (nclears > 8)
                {
                  *(d + 7) = 0;
                  *(d + 8) = 0;
                }
            }
        }
    }

  return mem;
}

注意

calloc与malloc的核心都是__int_malloc

而这其实并没有什么太大的差别

比较大的不同两点:

calloc会将返回的chunk的mem全部置零
__libc_calloc函数并不使用tcache

realloc

原型为void __libc_realloc (void oldmem, size_t bytes)

#if REALLOC_ZERO_BYTES_FREES
  if (bytes == 0 && oldmem != NULL)
    {
      __libc_free (oldmem); return 0;
    }
#endif

首先如果bytes为0,且oldmem存在,将其free并返回

1 2	if (oldmem == 0) return __libc_malloc (bytes);

如果oldmem为null,那么改为调用__libc_malloc

 if (bytes <= usable)
   {
     size_t difference = usable - bytes;
     if ((unsigned long) difference < 2 * sizeof (INTERNAL_SIZE_T)
  || (chunk_is_mmapped (oldp) && difference <= GLRO (dl_pagesize)))
return oldmem;
   }

如果申请大小小于已使用大小,且差距小于2*size_t直接返回旧oldmem

#if HAVE_MREMAP
      newp = mremap_chunk (oldp, nb);
      if (newp)
	{
	  void *newmem = chunk2mem_tag (newp);
	  /* Give the new block a different tag.  This helps to ensure
	     that stale handles to the previous mapping are not
	     reused.  There's a performance hit for both us and the
	     caller for doing this, so we might want to
	     reconsider.  */
	  return tag_new_usable (newmem);
	}
#endif
      /* Note the extra SIZE_SZ overhead. */
      if (oldsize - SIZE_SZ >= nb)
        return oldmem;                         /* do nothing */

      /* Must alloc, copy, free. */
      newmem = __libc_malloc (bytes);
      if (newmem == 0)
        return 0;              /* propagate failure */

      memcpy (newmem, oldmem, oldsize - CHUNK_HDR_SZ);
      munmap_chunk (oldp);
      return newmem;
    }

原先的chunk是mmap分配的

newmem使用__libc_malloc分配,并使用memcpy函数将oldmem中的数据转移到newmem

并munmap原先的chunk

if (SINGLE_THREAD_P)
  {
    newp = _int_realloc (ar_ptr, oldp, oldsize, nb);
    assert (!newp || chunk_is_mmapped (mem2chunk (newp)) ||
     ar_ptr == arena_for_chunk (mem2chunk (newp)));

    return newp;
  }

__libc_lock_lock (ar_ptr->mutex);

newp = _int_realloc (ar_ptr, oldp, oldsize, nb);

__libc_lock_unlock (ar_ptr->mutex);
assert (!newp || chunk_is_mmapped (mem2chunk (newp)) ||
        ar_ptr == arena_for_chunk (mem2chunk (newp)));

if (newp == NULL)
  {
    /* Try harder to allocate memory in other arenas.  */
    LIBC_PROBE (memory_realloc_retry, 2, bytes, oldmem);
    newp = __libc_malloc (bytes);
    if (newp != NULL)
      {
 size_t sz = memsize (oldp);
 memcpy (newp, oldmem, sz);
 (void) tag_region (chunk2mem (oldp), sz);
        _int_free (ar_ptr, oldp, 0);
      }
  }

return newp;

如果以上条件都不满足

则调用_int_realloc函数进行分配

至于_int_realloc的函数暂时不做分析

注意

realloc在ctf中出现较少