
Heap memory exploration with malloc

I've written a program that takes 3 numbers as input:

    1. The size of memory to allocate in the heap with malloc()
    2. Two int values

If q is an unsigned char pointer it gives q[i]=b from q[min] to q[max].

I thought that the heap was divided in pages and that the first call to malloc() would have given a pointer to the first byte of the page of my process. So why, if I try to get q[-1], is my process not killed?

Then I've tried with another pointer p and I noticed that between the two pointers there is a distance of 32 bytes; why are they not adjacent?

The last thing I notice is that both in p[-8]=q[-40] (-32-8) and q[-8] there is the number 33 (00100001) (all the other bytes are set to 0); does it mean anything?

Thank you!

I thought that the heap was divided in pages and that the first call to malloc would have given a pointer to the first byte of the page of my process. So why, if I try to get q[-1], is my process not killed?

Most likely because your malloc implementation stores something there. Possibly the size of the block.

Then I've tried with another pointer p and I noticed that between the two pointers there is a distance of 32 bytes; why are they not adjacent?

Same reason. Your implementation probably stores the size of the block in the block just before the address it returns.

The last thing I notice is that both in p[-8]=q[-40] (-32-8) and q[-8] there is the number 33 (00100001); does it mean anything?

It probably means something to your malloc implementation. But you can't really tell what without looking at the implementation.

The standard library uses the heap before calling main, so anything you do won't be on a clean heap.
The heap implementation usually uses about two pointers at the start of an allocation, and the total size is usually aligned to two pointers.
The heap implementation usually uses a lot of bytes at the start of each system allocation; it can sometimes be close to page size.
The heap is allocated in chunks much bigger than a page; on Windows it is at least 16 pages.
The heap can be adjacent to other allocations; on Linux it appears right after the main executable, so underflowing it won't crash.
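Both answers say the bytes before the returned pointer are allocator metadata. The following is an added example, written for this page rather than taken from either answer or from the asker's program, that makes that concrete under one explicit assumption: glibc's ptmalloc on 64-bit Linux, where every chunk carries an 8-byte prev_size word and an 8-byte size word directly before the user pointer, and the low three bits of the size word are flags (bit 0 is PREV_INUSE). Under that assumption a small request gets the minimum 32-byte chunk, whose size word is 32 | PREV_INUSE = 0x21 = 33; the next chunk therefore begins 32 bytes later, and q[-8] reads 33 with q[-7]..q[-1] zero because the word is stored little-endian. That matches the 32-byte distance and the value 33 the question reports, but the numbers are specific to glibc; other allocators lay their headers out differently. The names (read_size_word, chunk_size, prev_inuse, ptr_distance, small_blocks_are_16_aligned) are this example's own. Reading memory before an allocation is undefined behaviour in ISO C; it is done here deliberately, to look at the metadata, and nothing is written to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed layout (glibc ptmalloc on 64-bit Linux; not verified on other
 * allocators): each chunk is
 *     [prev_size: 8 bytes][size | flags: 8 bytes][user data ...]
 * malloc() returns a pointer to "user data", so the size word occupies
 * the 8 bytes immediately before it, i.e. q[-8] .. q[-1] as unsigned chars.
 * The low three bits of the size word are flags; bit 0 is PREV_INUSE.
 */
#define SIZE_FLAG_MASK 0x7ULL
#define PREV_INUSE     0x1ULL

/* Peek at the 8-byte size word stored just before a malloc'd block.
 * This reads outside the allocation (undefined in ISO C); it is a
 * deliberate look at allocator metadata for exploration only. */
static uint64_t read_size_word(const void *user_ptr)
{
    uint64_t word;
    memcpy(&word, (const unsigned char *)user_ptr - 8, sizeof word);
    return word;
}

/* Chunk size in bytes: the size word with its flag bits stripped. */
static uint64_t chunk_size(uint64_t size_word)
{
    return size_word & ~SIZE_FLAG_MASK;
}

/* 1 if the chunk immediately before this one is in use, else 0. */
static int prev_inuse(uint64_t size_word)
{
    return (int)(size_word & PREV_INUSE);
}

/* Byte distance from q to p, measured the way the question did. */
static ptrdiff_t ptr_distance(const void *q, const void *p)
{
    return (const unsigned char *)p - (const unsigned char *)q;
}

/* Allocate two small blocks back to back and check a property that holds
 * on every 64-bit libc, not only glibc: both pointers are 16-byte aligned,
 * so their distance is a multiple of 16. Returns 1 if so, 0 otherwise. */
static int small_blocks_are_16_aligned(void)
{
    unsigned char *q = malloc(16);
    unsigned char *p = malloc(16);
    int ok = q && p
          && ((uintptr_t)q % 16 == 0)
          && ((uintptr_t)p % 16 == 0)
          && (ptr_distance(q, p) % 16 == 0);
    free(p);
    free(q);
    return ok;
}

int main(void)
{
    unsigned char *q = malloc(16);   /* fits in the minimum 32-byte chunk */
    unsigned char *p = malloc(16);
    if (!q || !p)
        return 1;

    uint64_t qword = read_size_word(q);
    uint64_t pword = read_size_word(p);

    printf("q = %p, p = %p, p - q = %td bytes\n",
           (void *)q, (void *)p, ptr_distance(q, p));
    printf("q[-8] = %u, size word = 0x%llx -> chunk size %llu, PREV_INUSE = %d\n",
           q[-8], (unsigned long long)qword,
           (unsigned long long)chunk_size(qword), prev_inuse(qword));
    printf("p[-8] = %u, size word = 0x%llx -> chunk size %llu, PREV_INUSE = %d\n",
           p[-8], (unsigned long long)pword,
           (unsigned long long)chunk_size(pword), prev_inuse(pword));

    free(p);
    free(q);
    return 0;
}
```

On glibc this prints a 32-byte distance and 0x21 for both size words; the decode helpers show why the raw value is 33 rather than 32. If the two pointers are not 32 bytes apart on your system, the allocator either carved the second block from a different bin or is not ptmalloc, and the header interpretation above does not apply.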
