10 张图 22 段代码，万字长文带你搞懂虚拟内存模型和 malloc 内部原理

's memory through open(2), read(2), and lseek(2).

/proc/[pid]/maps

A  file containing the currently mapped memory regions and their access permissions.

See mmap(2) for some further information about memory mappings.

The format of the file is:

address           perms offset  dev   inode       pathname

00400000-00452000 r-xp 00000000 08:02 173521      /usr/bin/dbus-daemon

00651000-00652000 r--p 00051000 08:02 173521      /usr/bin/dbus-daemon

00652000-00655000 rw-p 00052000 08:02 173521      /usr/bin/dbus-daemon

00e03000-00e24000 rw-p 00000000 00:00 0           [heap]

00e24000-011f7000 rw-p 00000000 00:00 0           [heap]

...

35b1800000-35b1820000 r-xp 00000000 08:02 135522  /usr/lib64/ld-2.15.so

35b1a1f000-35b1a20000 r--p 0001f000 08:02 135522  /usr/lib64/ld-2.15.so

35b1a20000-35b1a21000 rw-p 00020000 08:02 135522  /usr/lib64/ld-2.15.so

35b1a21000-35b1a22000 rw-p 00000000 00:00 0

35b1c00000-35b1dac000 r-xp 00000000 08:02 135870  /usr/lib64/libc-2.15.so

35b1dac000-35b1fac000 ---p 001ac000 08:02 135870  /usr/lib64/libc-2.15.so

35b1fac000-35b1fb0000 r--p 001ac000 08:02 135870  /usr/lib64/libc-2.15.so

35b1fb0000-35b1fb2000 rw-p 001b0000 08:02 135870  /usr/lib64/libc-2.15.so

...

f2c6ff8c000-7f2c7078c000 rw-p 00000000 00:00 0    [stack:986]

...

7fffb2c0d000-7fffb2c2e000 rw-p 00000000 00:00 0   [stack]

7fffb2d48000-7fffb2d49000 r-xp 00000000 00:00 0   [vdso]

The address field is the address space in the process that the mapping occupies.

The perms field is a set of permissions:

r = read

w = write

x = execute

s = shared

p = private (copy on write)

The offset field is the offset into the file/whatever;

dev is the device (major:minor); inode is the inode on that device.   0  indicates

that no inode is associated with the memory region,

as would be the case with BSS (uninitialized data).

The  pathname field will usually be the file that is backing the mapping.

For ELF files, you can easily coordinate with the offset field

by looking at the Offset field in the ELF program headers (readelf -l).

There are additional helpful pseudo-paths:

[stack]

The initial process'

's) stack.

[stack:<tid>] (since Linux 3.4)

A thread'

's heap.

If the pathname field is blank, this is an anonymous mapping as obtained via the mmap(2) function.

There is no easy  way  to  coordinate

this back to a process'

'''

Locates and replaces the first occurrence of a string in the heap

of a process

Usage: ./read_write_heap.py PID search_string replace_by_string

Where:

- PID is the pid of the target process

- search_string is the ASCII string you are looking to overwrite

- replace_by_string is the ASCII string you want to replace

search_string with

'''

'.

obase=16

ibase=16

58+7ffd5ebae118

(standard_in) 3: syntax error

58+7FFD5EBAE118

7FFD5EBAE170

quit

's find out which syscall malloc is using

*

* Return: EXIT_FAILURE if something failed. Otherwise EXIT_SUCCESS

*/

int main(void)

{

void *p;

write(1, "BEFORE MALLOC\n", 14);

p = malloc(1);

write(1, "AFTER MALLOC\n", 13);

printf("%p\n", p);

getchar();

return (EXIT_SUCCESS);

}

编译运行：gcc test.c -o 4

zjucad@zjucad-ONDA-H110-MINI-V3-01:~/wangzhiqiang$ strace ./4

execve("./4", ["./4"], [/* 34 vars */]) = 0

brk(NULL)                               = 0x781000

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=111450, ...}) = 0

mmap(NULL, 111450, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f37720fa000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f37720f9000

mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3771b27000

mprotect(0x7f3771ce7000, 2097152, PROT_NONE) = 0

mmap(0x7f3771ee7000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f3771ee7000

mmap(0x7f3771eed000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3771eed000

close(3)                                = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f37720f8000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f37720f7000

arch_prctl(ARCH_SET_FS, 0x7f37720f8700) = 0

mprotect(0x7f3771ee7000, 16384, PROT_READ) = 0

mprotect(0x600000, 4096, PROT_READ)     = 0

mprotect(0x7f3772116000, 4096, PROT_READ) = 0

munmap(0x7f37720fa000, 111450)          = 0

write(1, "BEFORE MALLOC\n", 14BEFORE MALLOC

)         = 14

brk(NULL)                               = 0x781000

brk(0x7a2000)                           = 0x7a2000

write(1, "AFTER MALLOC\n", 13AFTER MALLOC

)          = 13

fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0

write(1, "0x781010\n", 90x781010

)               = 9

fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0

's data segment (i.e., the program break is the first

location after the end of the uninitialized data segment).  Increasing  the

program  break has the effect of allocating memory to the process; decreas‐

ing the break deallocates memory.

brk() sets the end of the data segment to the value specified by addr, when

that  value  is  reasonable,  the system has enough memory, and the process

does not exceed its maximum data size (see setrlimit(2)).

sbrk() increments the program'

' method as

1061        described in e.g., Knuth or Standish.  (See the paper by Paul

1062        Wilson ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a

1063        survey of such techniques.)  Sizes of free chunks are stored both

1064        in the front of each chunk and at the end.  This makes

1065        consolidating fragmented chunks into bigger chunks very fast.  The

1066        size fields also hold bits representing whether chunks are free or

1067        in use.

1068

1069        An allocated chunk looks like this:

1070

1071

1072        chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1073                |             Size of previous chunk, if unallocated (P clear)  |

1074                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1075                |             Size of chunk, in bytes                     |A|M|P|

1076          mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1077                |             User data starts here...                          .

1078                .                                                               .

1079                .             (malloc_usable_size() bytes)                      .

1080                .                                                               |

1081    nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1082                |             (size of chunk, but used for application data)    |

1083                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1084                |             Size of next chunk, in bytes                |A|0|1|

1085                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1086

1087        Where "chunk" is the front of the chunk for the purpose of most of

1088        the malloc code, but "mem" is the pointer that is returned to the

1089        user.  "Nextchunk" is the beginning of the next contiguous chunk.