heap - 9 - _int_free 源码及其部分分析

字数统计: 1.4k   |   阅读时长≈ 7 分钟

__int_free —— 核心内存释放函数

所有的分析都以注释的形式添加进源代码中,方便阅读

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

static void
_int_free (mstate av, mchunkptr p, int have_lock)
{
  INTERNAL_SIZE_T size;        /* its size */
  mfastbinptr *fb;             /* associated fastbin */
  mchunkptr nextchunk;         /* next contiguous chunk */
  INTERNAL_SIZE_T nextsize;    /* its size */
  int nextinuse;               /* true if nextchunk is used */
  INTERNAL_SIZE_T prevsize;    /* size of previous contiguous chunk */
  mchunkptr bck;               /* misc temp for linking */
  mchunkptr fwd;               /* misc temp for linking */

  const char *errstr = NULL;
  int locked = 0;

  size = chunksize (p);

  /* Little security check which won't hurt performance: the
     allocator never wrapps around at the end of the address space.
     Therefore we can exclude some size values which might appear
     here by accident or by "design" from some intruder.  */

  // 如果当前chunk的大小异常大,或者地址不是按 2SIZE_SZ 对齐,则报错退出
  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
      || __builtin_expect (misaligned_chunk (p), 0))
  {
    errstr = "free(): invalid pointer";
  errout:
    if (!have_lock && locked)
      (void) mutex_unlock (&av->mutex);
    malloc_printerr (check_action, errstr, chunk2mem (p), av);
    return;
  }
  /* We know that each chunk is at least MINSIZE bytes in size or a
     multiple of MALLOC_ALIGNMENT.  */

  // 检查一下chunk size是否比最小chunk size还要小,或者是否没有对齐内存
  if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))
  {
    errstr = "free(): invalid size";
    goto errout;
  }

  // 进行一系列的检查
  check_inuse_chunk(av, p);

  /*
    If eligible, place chunk on a fastbin so it can be found
    and used quickly in malloc.
  */

  // 如果当前chunk的大小满足fastbin的要求,则放入fastbin
  if ((unsigned long)(size) <= (unsigned long)(get_max_fast ())

#if TRIM_FASTBINS
        /*
        If TRIM_FASTBINS set, don't place chunks
        bordering top into fastbins
        */
        // 如果TRIM_FASTBINS设置了,就不能把与top chunk相邻的chunk放入fastbin里
      && (chunk_at_offset(p, size) != av->top)
#endif
      )
  {

    // 判断下一个chunk的大小是否异常小或者异常大
    if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)
      || __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0))
    {
      /* We might not have a lock at this point and concurrent modifications
        of system_mem might have let to a false positive.  Redo the test
        after getting the lock.  */
      if (have_lock
        || ({ assert (locked == 0);
        mutex_lock(&av->mutex);
        locked = 1;
        chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
          || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
          }))
      {
        errstr = "free(): invalid next size (fast)";
        goto errout;
      }
      if (! have_lock)
      {
        (void)mutex_unlock(&av->mutex);
        locked = 0;
      }
    }

    // 如果相关标志设置了,则初始化当前chunk的内存
    free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);

    set_fastchunks(av);
    unsigned int idx = fastbin_index(size);
    fb = &fastbin (av, idx);

    /* Atomically link P to its fastbin: P->FD = *FB; *FB = P;  */
    // 将当前fast free chunk放入fast bin里
    mchunkptr old = *fb, old2;
    unsigned int old_idx = ~0u;
    do
    {
      /* Check that the top of the bin is not the record we are going to add
          (i.e., double free).  */

      // 判断fastbin的头chunk是否就是我们将要free的chunk,以防止正常用户的double free(hacker另说)
      if (__builtin_expect (old == p, 0))
      {
        errstr = "double free or corruption (fasttop)";
        goto errout;
      }
      /* Check that size of fastbin chunk at the top is the same as
          size of the chunk that we are adding.  We can dereference OLD
          only if we have the lock, otherwise it might have already been
          deallocated.  See use of OLD_IDX below for the actual check.  */
      if (have_lock && old != NULL)
        old_idx = fastbin_index(chunksize(old));
      p->fd = old2 = old;
    }
    while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2)) != old2);

    // 如果实际放入的fastbin index与预期的不同,则error
    if (have_lock && old != NULL && __builtin_expect (old_idx != idx, 0))
    {
      errstr = "invalid fastbin entry (free)";
      goto errout;
    }
  }

  /*
    Consolidate other non-mmapped chunks as they arrive.
  */
  // 如果当前chunk不是fast bin,并且也不是mmap来的
  else if (!chunk_is_mmapped(p))
  {
    if (! have_lock)
    {
      (void)mutex_lock(&av->mutex);
      locked = 1;
    }

    nextchunk = chunk_at_offset(p, size);

    /* Lightweight tests: check whether the block is already the
       top block.  */
    // 判断当前chunk是否top chunk
    if (__glibc_unlikely (p == av->top))
    {
      errstr = "double free or corruption (top)";
      goto errout;
    }
    /* Or whether the next chunk is beyond the boundaries of the arena.  */
    // 判断下一个chunk的地址是否超出top chunk
    if (__builtin_expect (contiguous (av)
      && (char *) nextchunk
      >= ((char *) av->top + chunksize(av->top)), 0))
    {
      errstr = "double free or corruption (out)";
      goto errout;
    }
    /* Or whether the block is actually not marked used.  */
    // 判断当前chunk是否是inuse的
    if (__glibc_unlikely (!prev_inuse(nextchunk)))
    {
      errstr = "double free or corruption (!prev)";
      goto errout;
    }

    // 判断下一个chunk的大小是否异常大或者异常小
    nextsize = chunksize(nextchunk);
    if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0)
      || __builtin_expect (nextsize >= av->system_mem, 0))
    {
      errstr = "free(): invalid next size (normal)";
      goto errout;
    }

    free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);

    /* consolidate backward */
    // 如果上一个内存相邻的chunk是free chunk,则于其合并
    // 注意:由于fast chunk的prev_inuse始终为1,所以fast_chunk不会被合并
    if (!prev_inuse(p)) {
      prevsize = p->prev_size;
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
      unlink(av, p, bck, fwd);
    }

    // 如果下一个chunk不为top chunk,则清除下一个chunk的prev_inuse位
    if (nextchunk != av->top) {
      /* get and clear inuse bit */
      nextinuse = inuse_bit_at_offset(nextchunk, nextsize);
      // 如果下一个内存相邻的chunk为free chunk,则与其合并
      /* consolidate forward */
      if (!nextinuse)
      {
        unlink(av, nextchunk, bck, fwd);
        size += nextsize;
      } else
      clear_inuse_bit_at_offset(nextchunk, 0);

      /*
      Place the chunk in unsorted chunk list. Chunks are
      not placed into regular bins until after they have
      been given one chance to be used in malloc.
      */
      // 把当前chunk 无论大小,全部放进unsorted bin里
      bck = unsorted_chunks(av);
      fwd = bck->fd;
      if (__glibc_unlikely (fwd->bk != bck))
      {
        errstr = "free(): corrupted unsorted chunks";
        goto errout;
      }
      p->fd = fwd;
      p->bk = bck;
      if (!in_smallbin_range(size))
      {
        p->fd_nextsize = NULL;
        p->bk_nextsize = NULL;
      }
      bck->fd = p;
      fwd->bk = p;

      set_head(p, size | PREV_INUSE);
      set_foot(p, size);

      check_free_chunk(av, p);
    }

    /*
      If the chunk borders the current high end of memory,
      consolidate into top
    */
    // 如果下一个chunk是top chunk,则直接与top chunk合并,不再放入unsorted bin里
    else
    {
      size += nextsize;
      set_head(p, size | PREV_INUSE);
      av->top = p;
      check_chunk(av, p);
    }

    /*
      If freeing a large space, consolidate possibly-surrounding
      chunks. Then, if the total unused topmost memory exceeds trim
      threshold, ask malloc_trim to reduce top.

      Unless max_fast is 0, we don't know if there are fastbins
      bordering top, so we cannot tell for sure whether threshold
      has been reached unless fastbins are consolidated.  But we
      don't want to consolidate on each free.  As a compromise,
      consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD
      is reached.
    */

    // 在完成之前的chunk合并后,如果当前chunk的size非常大,那就来一次(可能有的)内存整合,并返还多余的内存给操作系统
    if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD)
    {
      if (have_fastchunks(av))
        malloc_consolidate(av);

      if (av == &main_arena)
      {
  #ifndef MORECORE_CANNOT_TRIM
        if ((unsigned long)(chunksize(av->top)) >=
            (unsigned long)(mp_.trim_threshold))
          systrim(mp_.top_pad, av);
  #endif
      }
      else
      {
        /* Always try heap_trim(), even if the top chunk is not
          large, because the corresponding heap might go away.  */
        heap_info *heap = heap_for_ptr(top(av));

        assert(heap->ar_ptr == av);
        heap_trim(heap, mp_.top_pad);
      }
    }

    if (! have_lock)
    {
      assert (locked);
      (void)mutex_unlock(&av->mutex);
    }
  }
  /*
    If the chunk was allocated via mmap, release via munmap().
  */

  // 如果当前chunk是通过mmap来的,则munmap
  else {
    munmap_chunk (p);
  }
}
  • 版权声明: 本博客所有文章除特别声明外,著作权归作者所有。转载请注明出处!
  • Copyrights © 2020-2024 Kiprey
  • 访问人数: | 浏览次数:

请我喝杯咖啡吧~