brk sbrk malloc关系

glibc 的 malloc 是通过 brk 系统调用(经由 glibc 的 sbrk 封装)来实现的。

#include <stdio.h>
#include <stdlib.h>
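/*
 * Smallest possible malloc user: one 10-byte allocation, so that the heap
 * growth malloc performs can be observed from outside the process.
 */
int main(void)
{
    /* malloc is declared in <stdlib.h>. Without that header the call is an
       implicit declaration returning int, which truncates the pointer on
       64-bit targets. */
    int *a = malloc(10);

    /* malloc reports failure by returning NULL. */
    if (a == NULL)
        return 1;

    free(a);
    return 0;
}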
~

__brk 是 glibc 对 brk 系统调用的封装,sbrk 是 glibc 对 __brk 的封装,最终还是调用了 brk 系统调用。

下面先是 glibc/misc/sbrk.c 的源码,然后是 glibc/sysdeps/unix/sysv/linux/x86_64/brk.c 的源码:

#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <libc-internal.h>

/* Defined in brk.c.  __curbrk caches the break address most recently
   returned by the brk system call; __brk returns 0 on success and -1
   (with errno set to ENOMEM) when the kernel did not move the break
   as far as requested.  */
extern void *__curbrk;
extern int __brk (void *addr);

/* Extend the process's data space by INCREMENT.
   If INCREMENT is negative, shrink data space by - INCREMENT.
   Return start of new space allocated, or -1 for errors.

   The value returned on success is the break as it was before the
   move (OLDBRK).  An INCREMENT of 0 returns the current break without
   moving it.  The -1 is returned as (void *) -1, so callers must
   compare against that value rather than against NULL.  */


void *
__sbrk (intptr_t increment)
{
  void *oldbrk;

  /* If this is not part of the dynamic library or the library is used
     via dynamic loading in a statically linked program update
     __curbrk from the kernel's brk value.  That way two separate
     instances of __brk and __sbrk can share the heap, returning
     interleaved pieces of it.  */
  if (__curbrk == NULL || __libc_multiple_libcs)
    if (__brk (0) < 0)      /* Initialize the break.  */
      return (void *) -1;

  /* Query only: report the cached break, nothing is moved.  */
  if (increment == 0)
    return __curbrk;

  /* Reject requests whose address arithmetic would wrap around: when
     growing, OLDBRK + INCREMENT must not overflow uintptr_t; when
     shrinking, the amount given back must not exceed OLDBRK itself.
     Without this check a wrapped address would be handed to __brk.
     NOTE(review): -increment is negated as intptr_t before the cast,
     so the most negative INCREMENT depends on how the build treats
     signed overflow -- confirm.  */
  oldbrk = __curbrk;
  if (increment > 0
      ? ((uintptr_t) oldbrk + (uintptr_t) increment < (uintptr_t) oldbrk)
      : ((uintptr_t) oldbrk < (uintptr_t) -increment))
    {
      __set_errno (ENOMEM);
      return (void *) -1;
    }
  /* sbrk is a wrapper around __brk, which in the end issues the brk
     system call.  */
  if (__brk (oldbrk + increment) < 0)
    return (void *) -1;

  return oldbrk;
}
/* The public name sbrk is provided as a weak alias of __sbrk.  */
libc_hidden_def (__sbrk)
weak_alias (__sbrk, sbrk)
#include <errno.h>
#include <unistd.h>
#include <sysdep.h>

/* This must be initialized data because commons can't have aliases.  */
void *__curbrk = 0;

/* Ask the kernel to move the program break to ADDR.
   Returns 0 on success.  Returns -1 with errno set to ENOMEM when the
   address the kernel reports back is lower than ADDR.  */
int
__brk (void *addr)
{
  /* Invoke the brk system call; its return value is an address.  */
  void *kernel_break = (void *) INLINE_SYSCALL (brk, 1, addr);

  /* Cache whatever the kernel reported, whether or not the request
     was honoured, so __curbrk always mirrors the kernel's value.  */
  __curbrk = kernel_break;

  if (kernel_break >= addr)
    return 0;

  __set_errno (ENOMEM);
  return -1;
}
weak_alias (__brk, brk)

 brk系统调用的实现 linux/mm/mmap.c

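/*
 * brk system call: try to move the end of the calling process's heap
 * to @brk.
 *
 * Returns @brk when the request was honoured. When the request is refused
 * (below the minimum break, over RLIMIT_DATA, colliding with another
 * mapping, or the map/unmap step failed) it returns the break that was in
 * effect on entry rather than a negative errno, so a caller has to compare
 * the returned address with the one it asked for. The only negative return
 * visible here is -EINTR, when taking the mmap lock fails.
 */
SYSCALL_DEFINE1(brk, unsigned long, brk)
{
	unsigned long retval;
	unsigned long newbrk, oldbrk, origbrk;
	struct mm_struct *mm = current->mm;
	struct vm_area_struct *next;
	unsigned long min_brk;
	bool populate;
	bool downgraded = false;
	LIST_HEAD(uf);

	/* Everything below reads and writes mm->brk under the write lock. */
	if (mmap_write_lock_killable(mm))
		return -EINTR;

	/*
	 * Remember the break on entry: it is restored if the unmap below
	 * fails, and it is the value returned on every failure path.
	 */
	origbrk = mm->brk;

#ifdef CONFIG_COMPAT_BRK
	/*
	 * CONFIG_COMPAT_BRK can still be overridden by setting
	 * randomize_va_space to 2, which will still cause mm->start_brk
	 * to be arbitrarily shifted
	 */
	if (current->brk_randomized)
		min_brk = mm->start_brk;
	else
		min_brk = mm->end_data;
#else
	min_brk = mm->start_brk;	/* start address of the heap */
#endif
	/* Never let the break be moved below the lowest allowed address. */
	if (brk < min_brk)
		goto out;

	/*
	 * Check against rlimit here. If this check is done later after the test
	 * of oldbrk with newbrk then it can escape the test and let the data
	 * segment grow beyond its set limit in the case where the limit is
	 * not page aligned -Ram Gupta
	 */
	if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
			      mm->end_data, mm->start_data))
		goto out;

	/*
	 * newbrk is the requested break and oldbrk the current one, both
	 * rounded up to a page boundary. If they land on the same page no
	 * mapping has to change; only the recorded break is updated.
	 */
	newbrk = PAGE_ALIGN(brk);
	oldbrk = PAGE_ALIGN(mm->brk);
	if (oldbrk == newbrk) {
		mm->brk = brk;
		goto success;
	}

	/*
	 * Always allow shrinking brk.
	 * __do_munmap() may downgrade mmap_lock to read.
	 */
	/* brk <= mm->brk: the heap is shrinking, so this branch releases memory. */
	if (brk <= mm->brk) {
		int ret;

		/*
		 * mm->brk must be protected by write mmap_lock so update it
		 * before downgrading mmap_lock. When __do_munmap() fails,
		 * mm->brk will be restored from origbrk.
		 */
		mm->brk = brk;
		ret = __do_munmap(mm, newbrk, oldbrk-newbrk, &uf, true);
		if (ret < 0) {
			mm->brk = origbrk;
			goto out;
		} else if (ret == 1) {
			/* The lock is now held for read; unlock accordingly below. */
			downgraded = true;
		}
		goto success;
	}

	/*
	 * Check against existing mmap mappings.
	 * NOTE(review): the extra PAGE_SIZE together with vm_start_gap()
	 * looks like it keeps the heap from growing right up against the
	 * next mapping -- confirm against vm_start_gap().
	 */
	next = find_vma(mm, oldbrk);
	if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
		goto out;

	/* Ok, looks good - let it rip. */
	if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
		goto out;
	mm->brk = brk;

success:
	/* Only populate when the heap grew and the mm defaults to VM_LOCKED. */
	populate = newbrk > oldbrk && (mm->def_flags & VM_LOCKED) != 0;
	/* Release the lock in whichever mode it is currently held. */
	if (downgraded)
		mmap_read_unlock(mm);
	else
		mmap_write_unlock(mm);
	userfaultfd_unmap_complete(mm, &uf);
	if (populate)
		mm_populate(oldbrk, newbrk - oldbrk);
	return brk;

out:
	/* Failure: report the unchanged break instead of an error code. */
	retval = origbrk;
	mmap_write_unlock(mm);
	return retval;
}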

尝试用brk sbrk申请内存

#include <stdio.h>
#include <unistd.h>

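/*
 * Move the program break by hand with sbrk() and print where it ends up.
 *
 * sbrk() returns the break as it was before the move, or (void *) -1 on
 * failure. The addresses are printed in hex without a prefix.
 */
int main(void) {
    /* Three 4-byte requests; p4 is where the third one starts. */
    int *p2 = sbrk(4);
    int *p3 = sbrk(4);
    int *p4 = sbrk(4);
    if (p2 == (void *) -1 || p3 == (void *) -1 || p4 == (void *) -1) {
        perror("sbrk");
        return 1;
    }

    /* A pointer passed for %x is undefined behaviour and loses the upper
       half of the address on 64-bit targets, so print it as unsigned long.
       Note that printf may allocate its own stdio buffer through malloc,
       which can move the break between this line and sbrk(0) below. */
    printf("p4====%lx\n", (unsigned long) p4);

//  sbrk(-12); // give the 12 bytes back

    int *cur = sbrk(0); // current position of the break

    /* A failed sbrk() shows up in the output as an all-ones address. */
    printf("====%lx\n", (unsigned long) cur);
    cur = sbrk(4092 + 1);
    printf("====%lx\n", (unsigned long) cur);
    cur = sbrk(333);
    printf("====%lx\n", (unsigned long) cur);

    /* Keep the process alive (presumably so its memory map can be
       inspected) by sleeping until a signal arrives instead of spinning. */
    for (;;)
        pause();
}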

 运行

 tyrion_shi@silead:~/work/test/test_code/c$ ./a.out
p4====1f43008
====1f65000
====1f65000
====1f65ffd

 为什么 1f43008 和 1f65000 中间差了这么多?按理应该只差 12 个字节才对。去掉 printf debug 一下。

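怀疑是 printf 引起的问题:printf 第一次输出时,stdio 很可能会通过 malloc 为 stdout 分配缓冲区,而 malloc 自己也会调用 brk 移动堆顶,所以 p4 和 sbrk(0) 之间多出来的空间并不是本程序用 sbrk 申请的。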


#include<stdio.h>
/* Minimal program whose only library call is a single printf. */
int main(void)
{
    /* The one stdio call under suspicion; its return value is not used. */
    (void) printf("haha\n");

    return 0;
}

怀疑是这块导致
