Excuse the ads! We need some help to keep our site up.
애플리케이션이 fastbin에 포함되는 메모리들을 중복으로 해제를 요청할 경우 할당자는 해당 chunk들을 list에 중복으로 배치됩니다.
중복으로 등록된 chunk와 동일한 크기의 메모리 할당을 여러번 요청하면, 할당자는 해당 chunk의 포인터를 중복으로 리턴합니다.
#include <stdio.h> #include <stdlib.h> int main() { int *buf1 = malloc(112); int *buf2 = malloc(112); int *buf3 = malloc(112); free(buf1); free(buf2); free(buf1); int *buf4 = malloc(112); int *buf5 = malloc(112); int *buf6 = malloc(112); } |
0x4005b7에서 fastbin에 배치된 메모리가 또 배치되는 것을 확인합니다.
0x4005c6, 0x4005d4, 0x4005e2에서는 malloc()에서 반환된 pointer를 확인합니다.
lazenca0x0@ubuntu:~/Book/2.fast_dup$ gcc -o fast_dup fast_dup.c lazenca0x0@ubuntu:~/Book/2.fast_dup$ gdb -q ./fast_dup Reading symbols from ./fast_dup...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x0000000000400566 <+0>: push rbp 0x0000000000400567 <+1>: mov rbp,rsp 0x000000000040056a <+4>: sub rsp,0x30 0x000000000040056e <+8>: mov edi,0x70 0x0000000000400573 <+13>: call 0x400450 <malloc@plt> 0x0000000000400578 <+18>: mov QWORD PTR [rbp-0x30],rax 0x000000000040057c <+22>: mov edi,0x70 0x0000000000400581 <+27>: call 0x400450 <malloc@plt> 0x0000000000400586 <+32>: mov QWORD PTR [rbp-0x28],rax 0x000000000040058a <+36>: mov edi,0x70 0x000000000040058f <+41>: call 0x400450 <malloc@plt> 0x0000000000400594 <+46>: mov QWORD PTR [rbp-0x20],rax 0x0000000000400598 <+50>: mov rax,QWORD PTR [rbp-0x30] 0x000000000040059c <+54>: mov rdi,rax 0x000000000040059f <+57>: call 0x400430 <free@plt> 0x00000000004005a4 <+62>: mov rax,QWORD PTR [rbp-0x28] 0x00000000004005a8 <+66>: mov rdi,rax 0x00000000004005ab <+69>: call 0x400430 <free@plt> 0x00000000004005b0 <+74>: mov rax,QWORD PTR [rbp-0x30] 0x00000000004005b4 <+78>: mov rdi,rax 0x00000000004005b7 <+81>: call 0x400430 <free@plt> 0x00000000004005bc <+86>: mov edi,0x70 0x00000000004005c1 <+91>: call 0x400450 <malloc@plt> 0x00000000004005c6 <+96>: mov QWORD PTR [rbp-0x18],rax 0x00000000004005ca <+100>: mov edi,0x70 0x00000000004005cf <+105>: call 0x400450 <malloc@plt> 0x00000000004005d4 <+110>: mov QWORD PTR [rbp-0x10],rax 0x00000000004005d8 <+114>: mov edi,0x70 0x00000000004005dd <+119>: call 0x400450 <malloc@plt> 0x00000000004005e2 <+124>: mov QWORD PTR [rbp-0x8],rax 0x00000000004005e6 <+128>: mov eax,0x0 0x00000000004005eb <+133>: leave 0x00000000004005ec <+134>: ret End of assembler dump. gdb-peda$ b *0x00000000004005b7 Breakpoint 1 at 0x4005b7 gdb-peda$ b *0x00000000004005c6 Breakpoint 2 at 0x4005c6 gdb-peda$ b *0x4005d4 Breakpoint 3 at 0x4005d4 gdb-peda$ b *0x00000000004005e2 Breakpoint 4 at 0x4005e2 gdb-peda$ |
gdb-peda$ r Starting program: /home/lazenca0x0/Book/2.fast_dup/fast_dup Breakpoint 1, 0x00000000004005b7 in main () gdb-peda$ p main_arena.fastbinsY[6] $1 = (mfastbinptr) 0x602080 gdb-peda$ x/4gx 0x602080 0x602080: 0x0000000000000000 0x0000000000000081 0x602090: 0x0000000000602000 0x0000000000000000 gdb-peda$ x/4gx 0x0000000000602000 0x602000: 0x0000000000000000 0x0000000000000081 0x602010: 0x0000000000000000 0x0000000000000000 gdb-peda$ ni 0x00000000004005bc in main () gdb-peda$ x/4gx 0x0000000000602000 0x602000: 0x0000000000000000 0x0000000000000081 0x602010: 0x0000000000602080 0x0000000000000000 gdb-peda$ p main_arena.fastbinsY[6] $2 = (mfastbinptr) 0x602000 gdb-peda$ |
malloc()에 112byte를 요청하면 fastbinsY[6]의 상단에 있는 메모리(0x602010)가 재할당됩니다.
fastbinsY[6]의 상단에는 다음 메모리(0x602080)가 배치됩니다.
마지막 요청에서는 첫 재할당된 메모리(0x602010)와 같은 메모리(0x602010)가 재할당됩니다.
gdb-peda$ c Continuing. Breakpoint 2, 0x00000000004005c6 in main () gdb-peda$ i r rax rax 0x602010 0x602010 gdb-peda$ p main_arena.fastbinsY[6] $3 = (mfastbinptr) 0x602080 gdb-peda$ c Continuing. Breakpoint 3, 0x00000000004005d4 in main () gdb-peda$ p main_arena.fastbinsY[6] $5 = (mfastbinptr) 0x602000 gdb-peda$ i r rax rax 0x602090 0x602090 gdb-peda$ Breakpoint 4, 0x00000000004005e2 in main () gdb-peda$ i r rax rax 0x602010 0x602010 gdb-peda$ p main_arena.fastbinsY[6] $4 = (mfastbinptr) 0x602080 gdb-peda$ |