ptmalloc内存分配器详解<\/h1>

1. ptmalloc基础概念<\/h2>
ptmalloc是glibc中使用的内存分配器，基于dlmalloc实现并进行了优化。它负责管理进程堆内存的分配和释放。<\/p>

1.1 基本分配单位：malloc_chunk<\/h3>

ptmalloc中最基本的分配单位是malloc_chunk<\/code>结构体，包含6个元数据域：<\/p>

struct<\/span> malloc_chunk {
<\/span><\/span>    INTERNAL_SIZE_T mchunk_prev_size;  \/\/ 前一块大小(如果前一块空闲)
<\/span><\/span><\/span><\/span>    INTERNAL_SIZE_T mchunk_size;       \/\/ 当前块大小(包括元数据)
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 以下字段只在块空闲时使用
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_chunk*<\/span> fd;          \/\/ 前向指针(指向链表下一个块)
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_chunk*<\/span> bk;          \/\/ 后向指针(指向链表前一个块)
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 以下字段只在large块空闲时使用
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_chunk*<\/span> fd_nextsize;  \/\/ 指向下一个不同大小的块
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_chunk*<\/span> bk_nextsize;  \/\/ 指向上一个不同大小的块
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>1.2 块类型<\/h3>
ptmalloc中有三种基本类型的块：<\/p>


已分配块(allocated chunk)<\/strong>：<\/p>

前一块大小字段可能被应用程序数据覆盖<\/li>
下一个邻接块的P位会被设置<\/li>
<\/ul>
<\/li>

释放块(freed chunk)<\/strong>：<\/p>

包含完整的元数据<\/li>
下一个邻接块的P位会被清除<\/li>
根据块大小放入不同的bin中<\/li>
<\/ul>
<\/li>

top块(top chunk)<\/strong>：<\/p>

表示arena当前剩余的可用空间<\/li>
当空间不足时会通过brk()或mmap()扩展<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 块状态标志<\/h3>
mchunk_size<\/code>的最后三位用于表示块的状态：<\/p>

A (NON_MAIN_ARENA, 0x4)<\/strong>: 当块来自非主arena时设置<\/li>
M (IS_MMAPPED, 0x2)<\/strong>: 当块通过mmap获取时设置<\/li>
P (PREV_INUSE, 0x1)<\/strong>: 当前一个邻接块在使用中时设置<\/li>
<\/ul>
2. 关键数据结构<\/h2>
2.1 malloc_state<\/h3>
malloc_state<\/code>结构体用于管理堆内存：<\/p>
struct<\/span> malloc_state {
<\/span><\/span>    __libc_lock_define(, mutex);      \/\/ 访问锁
<\/span><\/span><\/span><\/span>    int<\/span> flags;                       \/\/ 标志位
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Fast bins
<\/span><\/span><\/span><\/span>    mfastbinptr fastbinsY[NFASTBINS]; \/\/ 快速bin数组
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Base of the topmost chunk
<\/span><\/span><\/span><\/span>    mchunkptr top;                   \/\/ top chunk指针
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ The remainder from the most recent split
<\/span><\/span><\/span><\/span>    mchunkptr last_remainder;        \/\/ 最近分割的剩余部分
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Normal bins
<\/span><\/span><\/span><\/span>    mchunkptr bins[NBINS *<\/span> 2<\/span> -<\/span> 2<\/span>];   \/\/ 普通bin数组
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Bitmap of bins
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> binmap[BINMAPSIZE]; \/\/ bin位图
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Linked list
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_state *<\/span>next;       \/\/ 下一个arena
<\/span><\/span><\/span><\/span>    struct<\/span> malloc_state *<\/span>next_free;  \/\/ 空闲arena链表
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Thread count
<\/span><\/span><\/span><\/span>    INTERNAL_SIZE_T attached_threads; \/\/ 附加线程数
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Memory statistics
<\/span><\/span><\/span><\/span>    INTERNAL_SIZE_T system_mem;      \/\/ 系统分配的内存
<\/span><\/span><\/span><\/span>    INTERNAL_SIZE_T max_system_mem;  \/\/ 最大系统内存
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.2 重要宏定义<\/h3>



宏定义<\/th>
x86值<\/th>
x86-64值<\/th>
描述<\/th>
<\/tr>
<\/thead>


SIZE_SZ<\/td>
4<\/td>
8<\/td>
size_t的大小<\/td>
<\/tr>

MIN_CHUNK_SIZE<\/td>
16<\/td>
32<\/td>
最小块大小<\/td>
<\/tr>

MALLOC_ALIGNMENT<\/td>
8<\/td>
16<\/td>
内存对齐大小<\/td>
<\/tr>

NBINS<\/td>
128<\/td>
128<\/td>
bin总数<\/td>
<\/tr>

NFASTBINS<\/td>
10<\/td>
10<\/td>
fast bin数量<\/td>
<\/tr>

NSMALLBINS<\/td>
64<\/td>
64<\/td>
small bin数量<\/td>
<\/tr>

SMALLBIN_WIDTH<\/td>
8<\/td>
16<\/td>
small bin宽度<\/td>
<\/tr>

DEFAULT_MXFAST<\/td>
64<\/td>
128<\/td>
默认fast bin最大大小<\/td>
<\/tr>

MAX_FAST_SIZE<\/td>
80<\/td>
160<\/td>
fast bin最大大小<\/td>
<\/tr>

MIN_LARGE_SIZE<\/td>
512<\/td>
1024<\/td>
large bin最小大小<\/td>
<\/tr>
<\/tbody>
<\/table>
3. bin类型与管理<\/h2>
ptmalloc使用四种类型的bin来管理释放的块：<\/p>
3.1 Fast bin<\/h3>


特点<\/strong>：<\/p>

单链表管理<\/li>
块大小 < 0x40 (x86) \/ < 0x80 (x86-64)<\/li>
不合并相邻空闲块(P位不清除)<\/li>
先进后出(FILO)分配策略<\/li>
<\/ul>
<\/li>

示例<\/strong>：<\/p>
<\/li>
<\/ul>
char<\/span> *<\/span>p1 =<\/span> malloc(0x20<\/span>);
<\/span><\/span>char<\/span> *<\/span>p2 =<\/span> malloc(0x20<\/span>);
<\/span><\/span>char<\/span> *<\/span>p3 =<\/span> malloc(0x20<\/span>);
<\/span><\/span>free(p1); free(p2); free(p3);
<\/span><\/span>\/\/ 释放顺序: p1 → p2 → p3
<\/span><\/span><\/span>\/\/ 分配顺序: p3 → p2 → p1
<\/span><\/span><\/span><\/code><\/pre>3.2 Unsorted bin<\/h3>


特点<\/strong>：<\/p>

双链表管理<\/li>
块大小 ≥ 0x40 (x86) \/ ≥ 0x80 (x86-64)<\/li>
是释放大块的第一站<\/li>
分配时会遍历查找合适块<\/li>
<\/ul>
<\/li>

分配策略<\/strong>：<\/p>

如果找到精确匹配的块，直接返回<\/li>
否则将块放入small bin或large bin<\/li>
<\/ol>
<\/li>
<\/ul>
3.3 Small bin<\/h3>


特点<\/strong>：<\/p>

双链表管理<\/li>
块大小 < 0x200 (x86) \/ < 0x400 (x86-64)<\/li>
每个bin管理固定大小的块<\/li>
先进先出(FIFO)分配策略<\/li>
<\/ul>
<\/li>

示例<\/strong>：<\/p>
<\/li>
<\/ul>
char<\/span> *<\/span>p1 =<\/span> malloc(0xa0<\/span>);
<\/span><\/span>char<\/span> *<\/span>p2 =<\/span> malloc(0x30<\/span>);
<\/span><\/span>char<\/span> *<\/span>p3 =<\/span> malloc(0xa0<\/span>);
<\/span><\/span>free(p1); free(p3);
<\/span><\/span>\/\/ 释放顺序: p1 → p3
<\/span><\/span><\/span>\/\/ 分配顺序: p1 → p3
<\/span><\/span><\/span><\/code><\/pre>3.4 Large bin<\/h3>


特点<\/strong>：<\/p>

双链表管理<\/li>
块大小 ≥ 0x200 (x86) \/ ≥ 0x400 (x86-64)<\/li>
每个bin管理一个大小范围的块<\/li>
使用fd_nextsize和bk_nextsize维护大小排序<\/li>
最佳适配分配策略<\/li>
<\/ul>
<\/li>

分配策略<\/strong>：

查找比请求大小大的最小块进行分配<\/p>
<\/li>
<\/ul>
4. 分配流程<\/h2>
ptmalloc的分配流程如下：<\/p>

大小转换<\/strong>：将请求大小转换为实际分配大小<\/li>
fast bin查找<\/strong>：如果大小≤global_max_fast，尝试fast bin<\/li>
small bin查找<\/strong>：如果大小在small bin范围内，尝试small bin<\/li>
malloc_consolidate<\/strong>：如果small bin未找到，合并fast bin到unsorted bin<\/li>
unsorted bin遍历<\/strong>：

查找精确匹配的块<\/li>
否则将块放入small\/large bin<\/li>
<\/ul>
<\/li>
large bin查找<\/strong>：使用最佳适配算法查找合适块<\/li>
top chunk分割<\/strong>：如果以上都失败，分割top chunk<\/li>
系统调用<\/strong>：如果top chunk不足，调用brk\/mmap扩展堆<\/li>
<\/ol>
4.1 malloc_consolidate<\/h3>
malloc_consolidate<\/code>函数用于合并fast bin中的块：<\/p>

检查前一个邻接块是否空闲：

如果空闲，合并到前一个块<\/li>
<\/ul>
<\/li>
检查下一个邻接块是否是top chunk：

如果是，合并到top chunk<\/li>
否则检查下一个邻接块是否空闲：

如果空闲，合并到当前块<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
将合并后的块放入unsorted bin<\/li>
<\/ol>
4.2 关键分配函数<\/h3>
void<\/span>*<\/span> __libc_malloc<\/span>(size_t bytes) {
<\/span><\/span>    \/\/ 1. 大小转换
<\/span><\/span><\/span><\/span>    checked_request2size(bytes, nb);
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. fast bin尝试
<\/span><\/span><\/span><\/span>    if<\/span> (nb <=<\/span> get_max_fast()) {
<\/span><\/span>        idx =<\/span> fastbin_index(nb);
<\/span><\/span>        victim =<\/span> fastbin(av, idx);
<\/span><\/span>        if<\/span> (victim !=<\/span> NULL) {
<\/span><\/span>            \/\/ 检查fast bin是否损坏
<\/span><\/span><\/span><\/span>            if<\/span> (__builtin_expect(fastbin_index(chunksize(victim)) !=<\/span> idx, 0<\/span>))
<\/span><\/span>                malloc_printerr("malloc(): memory corruption (fast)"<\/span>);
<\/span><\/span>            \/\/ 返回分配的内存
<\/span><\/span><\/span><\/span>            return<\/span> chunk2mem(victim);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. small bin尝试
<\/span><\/span><\/span><\/span>    if<\/span> (in_smallbin_range(nb)) {
<\/span><\/span>        idx =<\/span> smallbin_index(nb);
<\/span><\/span>        bin =<\/span> bin_at(av, idx);
<\/span><\/span>        if<\/span> ((victim =<\/span> last(bin)) !=<\/span> bin) {
<\/span><\/span>            \/\/ 检查small bin链表是否损坏
<\/span><\/span><\/span><\/span>            if<\/span> (victim ==<\/span> 0<\/span>) malloc_consolidate(av);
<\/span><\/span>            else<\/span> if<\/span> (__glibc_unlikely(bck-><\/span>fd !=<\/span> victim))
<\/span><\/span>                malloc_printerr("malloc(): smallbin double linked list corrupted"<\/span>);
<\/span><\/span>            \/\/ 返回分配的内存
<\/span><\/span><\/span><\/span>            return<\/span> chunk2mem(victim);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. unsorted bin遍历
<\/span><\/span><\/span><\/span>    while<\/span> ((victim =<\/span> unsorted_chunks(av)-><\/span>bk) !=<\/span> unsorted_chunks(av)) {
<\/span><\/span>        \/\/ 检查大小是否合法
<\/span><\/span><\/span><\/span>        if<\/span> (__builtin_expect(chunksize_nomask(victim) <=<\/span> 2<\/span> *<\/span> SIZE_SZ, 0<\/span>) ||<\/span>
<\/span><\/span>            __builtin_expect(chunksize_nomask(victim) ><\/span> av-><\/span>system_mem, 0<\/span>))
<\/span><\/span>            malloc_printerr("malloc(): memory corruption"<\/span>);
<\/span><\/span>        
<\/span><\/span>        size =<\/span> chunksize(victim);
<\/span><\/span>        
<\/span><\/span>        \/\/ 精确匹配检查
<\/span><\/span><\/span><\/span>        if<\/span> (size ==<\/span> nb) {
<\/span><\/span>            \/\/ 返回精确匹配的块
<\/span><\/span><\/span><\/span>            return<\/span> chunk2mem(victim);
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 放入small\/large bin
<\/span><\/span><\/span><\/span>        if<\/span> (in_smallbin_range(size)) {
<\/span><\/span>            \/\/ 放入small bin
<\/span><\/span><\/span><\/span>        } else<\/span> {
<\/span><\/span>            \/\/ 放入large bin
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 5. large bin查找
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>in_smallbin_range(nb)) {
<\/span><\/span>        \/\/ 最佳适配算法查找
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. top chunk分割
<\/span><\/span><\/span><\/span>    victim =<\/span> av-><\/span>top;
<\/span><\/span>    size =<\/span> chunksize(victim);
<\/span><\/span>    if<\/span> ((unsigned<\/span> long<\/span>)(size) >=<\/span> (unsigned<\/span> long<\/span>)(nb +<\/span> MINSIZE)) {
<\/span><\/span>        \/\/ 分割top chunk
<\/span><\/span><\/span><\/span>        remainder_size =<\/span> size -<\/span> nb;
<\/span><\/span>        remainder =<\/span> chunk_at_offset(victim, nb);
<\/span><\/span>        av-><\/span>top =<\/span> remainder;
<\/span><\/span>        \/\/ 返回分配的内存
<\/span><\/span><\/span><\/span>        return<\/span> chunk2mem(victim);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 7. 系统调用扩展堆
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>p =<\/span> sysmalloc(nb, av);
<\/span><\/span>    return<\/span> p;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 安全机制<\/h2>
ptmalloc包含多种安全检查：<\/p>

fast bin检查<\/strong>：验证fast bin中的块大小是否正确<\/li>
small bin检查<\/strong>：验证small bin的双向链表是否损坏<\/li>
unsorted bin检查<\/strong>：验证块大小是否合法<\/li>
large bin检查<\/strong>：验证large bin的排序是否正确<\/li>
top chunk检查<\/strong>：验证top chunk大小是否合法<\/li>
<\/ol>
当检测到错误时，会调用malloc_printerr<\/code>输出错误信息并终止程序。<\/p>
6. 总结<\/h2>
ptmalloc是一个复杂的内存分配器，其核心特点包括：<\/p>

使用chunk作为基本管理单位，包含丰富的元数据<\/li>
通过四种bin管理空闲内存，针对不同大小优化分配效率<\/li>
采用多阶段分配策略，平衡速度和内存利用率<\/li>
包含严格的安全检查，防止内存破坏<\/li>
支持多线程环境，每个线程有自己的arena<\/li>
<\/ol>
理解ptmalloc的内部机制对于分析堆相关漏洞和进行堆利用至关重要。<\/p>

宏定义<\/th>	x86值<\/th>	x86-64值<\/th>	描述<\/th> <\/tr> <\/thead>
SIZE_SZ<\/td>	4<\/td>	8<\/td>	size_t的大小<\/td> <\/tr>
MIN_CHUNK_SIZE<\/td>	16<\/td>	32<\/td>	最小块大小<\/td> <\/tr>
MALLOC_ALIGNMENT<\/td>	8<\/td>	16<\/td>	内存对齐大小<\/td> <\/tr>
NBINS<\/td>	128<\/td>	128<\/td>	bin总数<\/td> <\/tr>
NFASTBINS<\/td>	10<\/td>	10<\/td>	fast bin数量<\/td> <\/tr>
NSMALLBINS<\/td>	64<\/td>	64<\/td>	small bin数量<\/td> <\/tr>
SMALLBIN_WIDTH<\/td>	8<\/td>	16<\/td>	small bin宽度<\/td> <\/tr>
DEFAULT_MXFAST<\/td>	64<\/td>	128<\/td>	默认fast bin最大大小<\/td> <\/tr>
MAX_FAST_SIZE<\/td>	80<\/td>	160<\/td>	fast bin最大大小<\/td> <\/tr>
MIN_LARGE_SIZE<\/td>	512<\/td>	1024<\/td>	large bin最小大小<\/td> <\/tr> <\/tbody> <\/table> 3. bin类型与管理<\/h2> ptmalloc使用四种类型的bin来管理释放的块：<\/p> 3.1 Fast bin<\/h3> 特点<\/strong>：<\/p> 单链表管理<\/li> 块大小 < 0x40 (x86) \/ < 0x80 (x86-64)<\/li> 不合并相邻空闲块(P位不清除)<\/li> 先进后出(FILO)分配策略<\/li> <\/ul> <\/li> 示例<\/strong>：<\/p> <\/li> <\/ul> char<\/span> <\/span>p1 =<\/span> malloc(0x20<\/span>); <\/span><\/span>char<\/span> <\/span>p2 =<\/span> malloc(0x20<\/span>); <\/span><\/span>char<\/span> <\/span>p3 =<\/span> malloc(0x20<\/span>); <\/span><\/span>free(p1); free(p2); free(p3); <\/span><\/span>\/\/ 释放顺序: p1 → p2 → p3 <\/span><\/span><\/span>\/\/ 分配顺序: p3 → p2 → p1 <\/span><\/span><\/span><\/code><\/pre>3.2 Unsorted bin<\/h3> 特点<\/strong>：<\/p> 双链表管理<\/li> 块大小 ≥ 0x40 (x86) \/ ≥ 0x80 (x86-64)<\/li> 是释放大块的第一站<\/li> 分配时会遍历查找合适块<\/li> <\/ul> <\/li> 分配策略<\/strong>：<\/p> 如果找到精确匹配的块，直接返回<\/li> 否则将块放入small bin或large bin<\/li> <\/ol> <\/li> <\/ul> 3.3 Small bin<\/h3> 特点<\/strong>：<\/p> 双链表管理<\/li> 块大小 < 0x200 (x86) \/ < 0x400 (x86-64)<\/li> 每个bin管理固定大小的块<\/li> 先进先出(FIFO)分配策略<\/li> <\/ul> <\/li> 示例<\/strong>：<\/p> <\/li> <\/ul> char<\/span> <\/span>p1 =<\/span> malloc(0xa0<\/span>); <\/span><\/span>char<\/span> <\/span>p2 =<\/span> malloc(0x30<\/span>); <\/span><\/span>char<\/span> <\/span>p3 =<\/span> malloc(0xa0<\/span>); <\/span><\/span>free(p1); free(p3); <\/span><\/span>\/\/ 释放顺序: p1 → p3 <\/span><\/span><\/span>\/\/ 分配顺序: p1 → p3 <\/span><\/span><\/span><\/code><\/pre>3.4 Large bin<\/h3> 特点<\/strong>：<\/p> 双链表管理<\/li> 块大小 ≥ 0x200 (x86) \/ ≥ 0x400 (x86-64)<\/li> 每个bin管理一个大小范围的块<\/li> 使用fd_nextsize和bk_nextsize维护大小排序<\/li> 最佳适配分配策略<\/li> <\/ul> <\/li> 分配策略<\/strong>：查找比请求大小大的最小块进行分配<\/p> <\/li> <\/ul> 4. 分配流程<\/h2> ptmalloc的分配流程如下：<\/p> 大小转换<\/strong>：将请求大小转换为实际分配大小<\/li> fast bin查找<\/strong>：如果大小≤global_max_fast，尝试fast bin<\/li> small bin查找<\/strong>：如果大小在small bin范围内，尝试small bin<\/li> malloc_consolidate<\/strong>：如果small bin未找到，合并fast bin到unsorted bin<\/li> unsorted bin遍历<\/strong>：查找精确匹配的块<\/li> 否则将块放入small\/large bin<\/li> <\/ul> <\/li> large bin查找<\/strong>：使用最佳适配算法查找合适块<\/li> top chunk分割<\/strong>：如果以上都失败，分割top chunk<\/li> 系统调用<\/strong>：如果top chunk不足，调用brk\/mmap扩展堆<\/li> <\/ol> 4.1 malloc_consolidate<\/h3> malloc_consolidate<\/code>函数用于合并fast bin中的块：<\/p> 检查前一个邻接块是否空闲：如果空闲，合并到前一个块<\/li> <\/ul> <\/li> 检查下一个邻接块是否是top chunk：如果是，合并到top chunk<\/li> 否则检查下一个邻接块是否空闲：如果空闲，合并到当前块<\/li> <\/ul> <\/li> <\/ul> <\/li> 将合并后的块放入unsorted bin<\/li> <\/ol> 4.2 关键分配函数<\/h3> void<\/span><\/span> __libc_malloc<\/span>(size_t bytes) { <\/span><\/span> \/\/ 1. 大小转换 <\/span><\/span><\/span><\/span> checked_request2size(bytes, nb); <\/span><\/span> <\/span><\/span> \/\/ 2. fast bin尝试 <\/span><\/span><\/span><\/span> if<\/span> (nb <=<\/span> get_max_fast()) { <\/span><\/span> idx =<\/span> fastbin_index(nb); <\/span><\/span> victim =<\/span> fastbin(av, idx); <\/span><\/span> if<\/span> (victim !=<\/span> NULL) { <\/span><\/span> \/\/ 检查fast bin是否损坏 <\/span><\/span><\/span><\/span> if<\/span> (__builtin_expect(fastbin_index(chunksize(victim)) !=<\/span> idx, 0<\/span>)) <\/span><\/span> malloc_printerr("malloc(): memory corruption (fast)"<\/span>); <\/span><\/span> \/\/ 返回分配的内存 <\/span><\/span><\/span><\/span> return<\/span> chunk2mem(victim); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 3. small bin尝试 <\/span><\/span><\/span><\/span> if<\/span> (in_smallbin_range(nb)) { <\/span><\/span> idx =<\/span> smallbin_index(nb); <\/span><\/span> bin =<\/span> bin_at(av, idx); <\/span><\/span> if<\/span> ((victim =<\/span> last(bin)) !=<\/span> bin) { <\/span><\/span> \/\/ 检查small bin链表是否损坏 <\/span><\/span><\/span><\/span> if<\/span> (victim ==<\/span> 0<\/span>) malloc_consolidate(av); <\/span><\/span> else<\/span> if<\/span> (__glibc_unlikely(bck-><\/span>fd !=<\/span> victim)) <\/span><\/span> malloc_printerr("malloc(): smallbin double linked list corrupted"<\/span>); <\/span><\/span> \/\/ 返回分配的内存 <\/span><\/span><\/span><\/span> return<\/span> chunk2mem(victim); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 4. unsorted bin遍历 <\/span><\/span><\/span><\/span> while<\/span> ((victim =<\/span> unsorted_chunks(av)-><\/span>bk) !=<\/span> unsorted_chunks(av)) { <\/span><\/span> \/\/ 检查大小是否合法 <\/span><\/span><\/span><\/span> if<\/span> (__builtin_expect(chunksize_nomask(victim) <=<\/span> 2<\/span> <\/span> SIZE_SZ, 0<\/span>) \|\|<\/span> <\/span><\/span> __builtin_expect(chunksize_nomask(victim) ><\/span> av-><\/span>system_mem, 0<\/span>)) <\/span><\/span> malloc_printerr("malloc(): memory corruption"<\/span>); <\/span><\/span> <\/span><\/span> size =<\/span> chunksize(victim); <\/span><\/span> <\/span><\/span> \/\/ 精确匹配检查 <\/span><\/span><\/span><\/span> if<\/span> (size ==<\/span> nb) { <\/span><\/span> \/\/ 返回精确匹配的块 <\/span><\/span><\/span><\/span> return<\/span> chunk2mem(victim); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 放入small\/large bin <\/span><\/span><\/span><\/span> if<\/span> (in_smallbin_range(size)) { <\/span><\/span> \/\/ 放入small bin <\/span><\/span><\/span><\/span> } else<\/span> { <\/span><\/span> \/\/ 放入large bin <\/span><\/span><\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 5. large bin查找 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>in_smallbin_range(nb)) { <\/span><\/span> \/\/ 最佳适配算法查找 <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 6. top chunk分割 <\/span><\/span><\/span><\/span> victim =<\/span> av-><\/span>top; <\/span><\/span> size =<\/span> chunksize(victim); <\/span><\/span> if<\/span> ((unsigned<\/span> long<\/span>)(size) >=<\/span> (unsigned<\/span> long<\/span>)(nb +<\/span> MINSIZE)) { <\/span><\/span> \/\/ 分割top chunk <\/span><\/span><\/span><\/span> remainder_size =<\/span> size -<\/span> nb; <\/span><\/span> remainder =<\/span> chunk_at_offset(victim, nb); <\/span><\/span> av-><\/span>top =<\/span> remainder; <\/span><\/span> \/\/ 返回分配的内存 <\/span><\/span><\/span><\/span> return<\/span> chunk2mem(victim); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 7. 系统调用扩展堆 <\/span><\/span><\/span><\/span> void<\/span> *<\/span>p =<\/span> sysmalloc(nb, av); <\/span><\/span> return<\/span> p; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 安全机制<\/h2> ptmalloc包含多种安全检查：<\/p> fast bin检查<\/strong>：验证fast bin中的块大小是否正确<\/li> small bin检查<\/strong>：验证small bin的双向链表是否损坏<\/li> unsorted bin检查<\/strong>：验证块大小是否合法<\/li> large bin检查<\/strong>：验证large bin的排序是否正确<\/li> top chunk检查<\/strong>：验证top chunk大小是否合法<\/li> <\/ol> 当检测到错误时，会调用malloc_printerr<\/code>输出错误信息并终止程序。<\/p> 6. 总结<\/h2> ptmalloc是一个复杂的内存分配器，其核心特点包括：<\/p> 使用chunk作为基本管理单位，包含丰富的元数据<\/li> 通过四种bin管理空闲内存，针对不同大小优化分配效率<\/li> 采用多阶段分配策略，平衡速度和内存利用率<\/li> 包含严格的安全检查，防止内存破坏<\/li> 支持多线程环境，每个线程有自己的arena<\/li> <\/ol> 理解ptmalloc的内部机制对于分析堆相关漏洞和进行堆利用至关重要。<\/p>

ptmalloc内存分配器详解<\/h1>

1. ptmalloc基础概念<\/h2> ptmalloc是glibc中使用的内存分配器，基于dlmalloc实现并进行了优化。它负责管理进程堆内存的分配和释放。<\/p>

2. 关键数据结构<\/h2>

3. bin类型与管理<\/h2> ptmalloc使用四种类型的bin来管理释放的块：<\/p>

1. ptmalloc基础概念<\/h2>
ptmalloc是glibc中使用的内存分配器，基于dlmalloc实现并进行了优化。它负责管理进程堆内存的分配和释放。<\/p>

3. bin类型与管理<\/h2>
ptmalloc使用四种类型的bin来管理释放的块：<\/p>