Heap Techniques - Coggle Diagram
Heap Techniques
Heap Chunk
Inline metadata: the smallest chunk on 64-bit glibc is 0x20 = 32 bytes, made of an 8-byte size field followed by 24 bytes of user data (the 8-byte prev_size field of the following chunk is usable while this chunk is allocated, which is why malloc(24) still fits in a 0x20 chunk). Its size field reads 0x21 = 33 because the least-significant bit is not part of the size: it is the PREV_INUSE flag, set when the chunk before it is allocated. The next two bits are IS_MMAPPED and NON_MAIN_ARENA, so the real size is recovered by masking off the low three bits
The top chunk sits at the highest address of the heap and is unused. Before glibc 2.29 the top chunk's size field was not sanity-checked when a request was carved from it, so a corrupted top size was accepted as-is; glibc 2.29 added a check that the top size does not exceed the arena's system_mem and aborts with "malloc(): corrupted top size" otherwise
Chunk sizes increase in increments of 16 bytes on 64-bit, so the next size up from a 0x20 chunk is a 0x30 chunk, then a 0x40 chunk etc
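The layout above, as an added example (not part of the original diagram): request2size() below re-implements glibc's request-to-chunk-size rounding for a 64-bit build, and the live functions read the size field that glibc stores in the quadword before each user pointer so the predicted and real chunk sizes can be compared. The constants are glibc's for x86-64; reading memory before a malloc() pointer is allocator-specific and assumes glibc's malloc, so the live checks will not hold under another allocator or under a sanitizer.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <malloc.h>   /* malloc_usable_size(), a glibc extension */

#define SIZE_SZ           8     /* sizeof(INTERNAL_SIZE_T) on 64-bit glibc */
#define MALLOC_ALIGNMENT  16
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MIN_CHUNK_SIZE    0x20
#define PREV_INUSE        0x1   /* low three bits of the size field are flags */
#define IS_MMAPPED        0x2
#define NON_MAIN_ARENA    0x4

/* glibc's request2size(): add the 8-byte size field, round up to 16,
   never go below the 0x20 minimum chunk. */
size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

/* The size field lives in the quadword immediately before the user pointer. */
size_t chunk_size_field(const void *user_ptr) {
    return ((const size_t *)user_ptr)[-1];
}

/* Mask off PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA to get the chunk size. */
size_t chunksize(size_t size_field) { return size_field & ~(size_t)7; }

/* malloc(req), read the live size field, release the chunk, return the field. */
size_t live_size_field(size_t req) {
    void *p = malloc(req);
    if (!p) return 0;
    size_t field = chunk_size_field(p);
    free(p);
    return field;
}

int main(void) {
    size_t reqs[] = {1, 24, 25, 40, 41, 100};
    for (size_t i = 0; i < sizeof reqs / sizeof *reqs; i++) {
        void *p = malloc(reqs[i]);
        size_t field = chunk_size_field(p);
        printf("malloc(%3zu): size field 0x%zx -> chunksize 0x%zx (predicted 0x%zx), "
               "PREV_INUSE=%zu, usable %zu bytes\n",
               reqs[i], field, chunksize(field), request2size(reqs[i]),
               field & PREV_INUSE, malloc_usable_size(p));
        free(p);
    }
    return 0;
}
```

malloc(24) and malloc(25) straddle the boundary: the first still fits the 0x20 minimum chunk (size field 0x21 with PREV_INUSE set), the second needs the next 16-byte step and lands in a 0x30 chunk.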
Arenas
Fastbins
There are 10 fastbins per arena, each responsible for holding free chunks with sizes 0x20 through 0xb0. a 0x20 fastbin only holds free chunks with size 0x20, etc.
By default only the first 7 of these fastbins are used: global_max_fast is 0x80, so only chunks of 0x20 through 0x80 are treated as fast. mallopt(M_MXFAST, n) changes that cutoff by rewriting global_max_fast, and mallopt(M_MXFAST, 0) lowers it so far that no chunk qualifies, disabling fastbins entirely
The head of each fastbin resides in its arena (the fastbinsY array of malloc_state), although the links between subsequent chunks in that bin are stored inline. The first quadword of a chunk's user data is repurposed as a forward pointer (fd) when it is linked into a fastbin. A null fd indicates the last chunk in a fastbin. Since glibc 2.32 (safe-linking) the stored value is not the raw pointer: it is the next chunk's address XORed with the address of the fd field itself shifted right by 12, so a leaked fd must be demangled with the chunk's own address, and the tail of a bin holds (addr >> 12) rather than 0
Fastbins are last-in, first-out (LIFO) structures: freeing a chunk into a fastbin links it in at the head of that fastbin, and requesting a size that matches a non-empty fastbin returns the chunk at the head of that fastbin. On glibc 2.26 and later the per-thread tcache (7 entries per size) is consulted before the fastbins on both free and malloc, so the first seven frees of a given fast size land in tcache and only the eighth onwards reach the fastbin
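The bin structure described in the three nodes above, as an added example written for this page rather than taken from glibc: a small model of the fastbin array with the bin heads in the arena, fd stored inline in the first quadword of user data, the index formula (size >> 4) - 2 used on 64-bit, and the global_max_fast cutoff that makes only 7 of the 10 bins reachable by default. The toy heap, toy_carve(), toy_free() and toy_malloc_fast() are constructed for the example; set_global_max_fast() is a simplified stand-in for mallopt(M_MXFAST, ...) that takes a chunk size rather than a request size and does not model tcache or safe-linking.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants as on 64-bit glibc (SIZE_SZ == 8, MALLOC_ALIGNMENT == 16). */
#define NFASTBINS        10     /* bins for chunk sizes 0x20, 0x30, ..., 0xb0 */
#define MAX_FAST_SIZE    0xb0   /* largest chunk size any fastbin can hold */
#define DEFAULT_MAX_FAST 0x80   /* default global_max_fast: 0x20..0x80 are fast */

/* Chunk header as malloc sees it. `fd` overlaps the first quadword of user
   data and is only meaningful while the chunk sits in a fastbin. */
typedef struct chunk {
    size_t prev_size;
    size_t size;            /* chunk size | flags (low 3 bits) */
    struct chunk *fd;       /* inline singly-linked list pointer, NULL = tail */
} chunk_t;

/* Arena state: the bin heads live here, not on the heap. */
static size_t   global_max_fast = DEFAULT_MAX_FAST;
static chunk_t *fastbinsY[NFASTBINS];

/* A toy heap to carve chunks from (constructed for the example). */
static _Alignas(16) unsigned char toy_heap[1024];
static size_t toy_heap_off;

size_t chunksize(const chunk_t *c) { return c->size & ~(size_t)7; }

/* 0x20 -> bin 0, 0x30 -> bin 1, ..., 0xb0 -> bin 9 */
int fastbin_index(size_t sz) { return (int)((sz >> 4) - 2); }

/* A chunk is "fast" when its size does not exceed the cutoff. */
int is_fast_size(size_t sz, size_t max_fast) { return sz >= 0x20 && sz <= max_fast; }

/* Simplified mallopt(M_MXFAST): move the cutoff, capped at MAX_FAST_SIZE. */
int set_global_max_fast(size_t chunk_size) {
    if (chunk_size > MAX_FAST_SIZE || (chunk_size & 0xf)) return 0;
    global_max_fast = chunk_size;
    return 1;
}

/* How many of the 10 bins can actually receive chunks under a given cutoff. */
int usable_fastbins(size_t max_fast) {
    int n = 0;
    for (size_t sz = 0x20; sz <= MAX_FAST_SIZE; sz += 0x10)
        if (is_fast_size(sz, max_fast)) n++;
    return n;
}

/* Bump-allocate a chunk with PREV_INUSE set, like a split from top. */
chunk_t *toy_carve(size_t sz) {
    if (toy_heap_off + sz > sizeof toy_heap) return NULL;
    chunk_t *c = (chunk_t *)(toy_heap + toy_heap_off);
    c->prev_size = 0;
    c->size = sz | 1;
    toy_heap_off += sz;
    return c;
}

/* free(): link the chunk at the head of its fastbin, fd stored inline. */
int toy_free(chunk_t *c) {
    size_t sz = chunksize(c);
    if (!is_fast_size(sz, global_max_fast)) return 0;  /* not a fast chunk: other bins */
    int idx = fastbin_index(sz);
    c->fd = fastbinsY[idx];      /* old head becomes our successor */
    fastbinsY[idx] = c;          /* we become the new head: LIFO */
    return 1;
}

/* malloc(): pop the head of the matching fastbin, if any. */
chunk_t *toy_malloc_fast(size_t sz) {
    if (!is_fast_size(sz, global_max_fast)) return NULL;
    int idx = fastbin_index(sz);
    chunk_t *victim = fastbinsY[idx];
    if (victim) fastbinsY[idx] = victim->fd;   /* unlink by following inline fd */
    return victim;
}

/* Free A, B, C (all 0x20), check the chain C -> B -> A -> NULL, then check
   that allocation hands them back in reverse order. Returns 1 on success. */
int demo_fastbin_lifo(void) {
    memset(fastbinsY, 0, sizeof fastbinsY);
    toy_heap_off = 0;
    chunk_t *a = toy_carve(0x20), *b = toy_carve(0x20), *c = toy_carve(0x20);
    if (!a || !b || !c) return 0;
    toy_free(a); toy_free(b); toy_free(c);
    if (fastbinsY[0] != c || c->fd != b || b->fd != a || a->fd != NULL) return 0;
    if (toy_malloc_fast(0x20) != c) return 0;
    if (toy_malloc_fast(0x20) != b) return 0;
    if (toy_malloc_fast(0x20) != a) return 0;
    return toy_malloc_fast(0x20) == NULL;   /* bin is empty again */
}
```

The model makes the attack surface visible: the only thing malloc follows to find the next chunk is the fd quadword inside a freed chunk, so overwriting it (a use-after-free or overflow into a free fast chunk) redirects the allocator, which is why glibc now mangles that pointer with safe-linking.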
Top
From malloc.c: a top chunk is “the topmost available chunk, i.e. the one bordering the end of available memory”. After a new arena is initialised a top chunk always exists and there is only ever one per arena. Requests are only serviced from a top chunk when they can’t be serviced from any other bins in the same arena
When the top chunk is too small to satisfy a request that is below the mmap threshold, malloc calls sysmalloc(), which grows the heap the top chunk resides on (via brk for the main arena, via a new or extended mmap'd heap for other arenas) and then extends the top chunk into the new memory. Requests at or above the mmap threshold bypass the top chunk entirely and are served from a dedicated mmap mapping, flagged with IS_MMAPPED in the chunk's size field
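The two top-chunk nodes above, as an added example that is not part of the original diagram: find_top() walks the main-arena heap chunk by chunk from any live allocation until it reaches the chunk bordering the program break, which by the malloc.c definition is the top chunk, and grow_heap_through_top() exhausts top with requests below the default 128 KiB mmap threshold so that sysmalloc() has to extend the heap. The walk assumes glibc's main arena on Linux (contiguous chunks, heap grown with brk) and the 64-bit header layout; it is not portable to other allocators.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>

#define SIZE_SZ    8
#define PREV_INUSE 0x1

/* Just the header; user data (or bin pointers) follow these two words. */
typedef struct { size_t prev_size; size_t size; } chunk_hdr;

static size_t chunksize(const chunk_hdr *c) { return c->size & ~(size_t)7; }
static chunk_hdr *mem2chunk(void *p) { return (chunk_hdr *)((char *)p - 2 * SIZE_SZ); }
static chunk_hdr *next_chunk(chunk_hdr *c) { return (chunk_hdr *)((char *)c + chunksize(c)); }

/* Walk forward from a chunk until the next header would lie at or beyond the
   program break; the last chunk before it is top. Main-arena chunks are laid
   out back to back, so every size field on the way is a valid hop. */
chunk_hdr *find_top(void *any_heap_ptr) {
    char *brk = sbrk(0);
    chunk_hdr *c = mem2chunk(any_heap_ptr);
    for (;;) {
        size_t sz = chunksize(c);
        if (sz == 0) return NULL;                  /* corrupted header, stop */
        if ((char *)c + sz >= brk) return c;       /* this chunk reaches the break */
        c = next_chunk(c);
    }
}

/* 1 if top ends exactly at the program break and carries PREV_INUSE
   (top is never preceded by a free chunk: free neighbours merge into it). */
int top_borders_brk(void) {
    void *p = malloc(24);
    if (!p) return 0;
    chunk_hdr *top = find_top(p);
    int ok = top && (char *)top + chunksize(top) == (char *)sbrk(0)
                 && (top->size & PREV_INUSE);
    free(p);
    return ok;
}

/* Exhaust top with requests below the mmap threshold and return how many
   bytes the break moved: sysmalloc() must have extended the heap via brk. */
long grow_heap_through_top(void) {
    char *before = sbrk(0);
    void *keep[8];
    /* 8 x ~100 KB exceeds the initial 132 KB heap, each one under the 128 KiB
       mmap threshold, so none of them can be served by a private mapping. */
    for (int i = 0; i < 8; i++) keep[i] = malloc(100000);
    char *after = sbrk(0);
    for (int i = 0; i < 8; i++) free(keep[i]);
    return after - before;
}

int main(void) {
    void *p = malloc(24);
    chunk_hdr *top = find_top(p);
    printf("top chunk at %p, size field 0x%zx, ends at break %p: %s\n",
           (void *)top, top ? top->size : 0, sbrk(0),
           top_borders_brk() ? "yes" : "no");
    printf("break moved by %ld bytes after exhausting top\n", grow_heap_through_top());
    free(p);
    return 0;
}
```

Reading the top size field this way is also the quickest way to see what the glibc 2.29 check protects: any value larger than the arena's system_mem cannot be a real top size, because top never extends past the memory the arena has obtained.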