glibc 的 malloc 是通过 sbrk（glibc 的封装函数，最终落到 brk 系统调用）来扩展堆的。
#include <stdio.h>
#include <stdlib.h>
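/* Smallest possible malloc user, presumably kept this small so the system
   calls glibc's allocator issues on its behalf can be observed in isolation.
   Returns 0, or 1 if the allocation fails. */
int main(void)
{
	/* malloc returns void * and is declared in <stdlib.h>; without that header
	   the call is an implicit declaration whose int result is mis-converted
	   to a pointer (an error since C99). */
	int *a = malloc(10);
	if (a == NULL)
		return 1;
	/* Hand the block back so the program has no leak to confuse a trace. */
	free(a);
	return 0;
}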
__brk 是 glibc 对 brk 系统调用的封装；sbrk 是 glibc 对 __brk 的封装，最终还是调用了 brk 系统调用。
glibc/misc/sbrk.c
glibc/sysdeps/unix/sysv/linux/x86_64/brk.c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <libc-internal.h>
/* Defined in brk.c. */
/* Cached program break: brk.c stores whatever the kernel returned from the
   last brk system call here, so __sbrk can hand out addresses without
   asking the kernel again.  NULL until __brk has run once. */
extern void *__curbrk;
/* Move the break to ADDR; returns 0 on success, -1 (errno = ENOMEM) if the
   kernel would not move the break up to ADDR. */
extern int __brk (void *addr);
/* Extend the process's data space by INCREMENT.
   If INCREMENT is negative, shrink data space by - INCREMENT.
   Return start of new space allocated, or -1 for errors.  */
void *
__sbrk (intptr_t increment)
{
  /* If this is not part of the dynamic library or the library is used
     via dynamic loading in a statically linked program update
     __curbrk from the kernel's brk value.  That way two separate
     instances of __brk and __sbrk can share the heap, returning
     interleaved pieces of it.  */
  if (__curbrk == NULL || __libc_multiple_libcs)
    {
      /* brk (0) never moves the break (the kernel rejects anything below
         the heap start and returns the current value), so this only
         refreshes the cache.  */
      if (__brk (0) < 0)
        return (void *) -1;
    }

  /* A zero increment is a pure query: report the cached break.  */
  if (increment == 0)
    return __curbrk;

  void *old_break = __curbrk;
  uintptr_t old_addr = (uintptr_t) old_break;

  /* Refuse an increment that would wrap the break address around the top
     or the bottom of the address space; the kernel would otherwise see a
     bogus, possibly tiny, request.  */
  int overflows;
  if (increment > 0)
    overflows = old_addr + (uintptr_t) increment < old_addr;
  else
    overflows = old_addr < (uintptr_t) -increment;
  if (overflows)
    {
      __set_errno (ENOMEM);
      return (void *) -1;
    }

  /* Everything funnels into the brk system call through __brk.  */
  if (__brk ((char *) old_break + increment) < 0)
    return (void *) -1;

  /* The newly added space starts where the old break was.  */
  return old_break;
}
/* glibc-internal hidden definition of __sbrk, plus the public name sbrk
   as a weak alias of it -- which is why user code calling sbrk() ends up
   in __sbrk above. */
libc_hidden_def (__sbrk)
weak_alias (__sbrk, sbrk)
#include <errno.h>
#include <unistd.h>
#include <sysdep.h>
/* This must be initialized data because commons can't have aliases. */
/* Cached program break, overwritten on every __brk() call with the value
   the kernel returned.  Stays 0 (NULL) until the first call. */
void *__curbrk = 0;
/* Set the program break to ADDR via the brk system call and cache the
   break the kernel actually left in effect in __curbrk.
   Returns 0 on success, -1 with errno = ENOMEM if the kernel did not move
   the break up to ADDR.  */
int
__brk (void *addr)
{
  /* The system call answers with an address, not an errno-style status:
     on failure the kernel simply hands back the old break unchanged.  */
  void *result = (void *) INLINE_SYSCALL (brk, 1, addr);
  __curbrk = result;

  /* Break still below what was asked for: the kernel refused to grow.  */
  if (result < addr)
    {
      __set_errno (ENOMEM);
      return -1;
    }

  return 0;
}
/* Public name brk as a weak alias of __brk. */
weak_alias (__brk, brk)
brk 系统调用的实现：linux/mm/mmap.c
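/*
 * brk(2): move the end of the data segment (the "program break") to @brk.
 * Returns the new break on success.  On every failure path the break is
 * left untouched and its previous value (origbrk) is returned, which is why
 * the libc wrapper treats "result < requested" as ENOMEM.
 */
SYSCALL_DEFINE1(brk, unsigned long, brk)
{
	unsigned long retval;
	unsigned long newbrk, oldbrk, origbrk;
	struct mm_struct *mm = current->mm;
	struct vm_area_struct *next;
	unsigned long min_brk;
	bool populate;
	bool downgraded = false;
	LIST_HEAD(uf);

	/* Every mm->brk update below happens under the write side of mmap_lock. */
	if (mmap_write_lock_killable(mm))
		return -EINTR;

	/* Break in effect before this call; restored and returned on failure. */
	origbrk = mm->brk;

#ifdef CONFIG_COMPAT_BRK
	/*
	 * CONFIG_COMPAT_BRK can still be overridden by setting
	 * randomize_va_space to 2, which will still cause mm->start_brk
	 * to be arbitrarily shifted
	 */
	if (current->brk_randomized)
		min_brk = mm->start_brk;
	else
		min_brk = mm->end_data;
#else
	min_brk = mm->start_brk;	/* start of the heap: the break may never go below it */
#endif
	/* Untrusted user value: reject anything below the heap start outright. */
	if (brk < min_brk)
		goto out;

	/*
	 * Check against rlimit here. If this check is done later after the test
	 * of oldbrk with newbrk then it can escape the test and let the data
	 * segment grow beyond its set limit the in case where the limit is
	 * not page aligned -Ram Gupta
	 */
	if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
			      mm->end_data, mm->start_data))
		goto out;

	/* Mappings are page granular: compare the page-aligned old and new breaks. */
	newbrk = PAGE_ALIGN(brk);
	oldbrk = PAGE_ALIGN(mm->brk);
	if (oldbrk == newbrk) {
		/* Still within the same page: nothing to map or unmap. */
		mm->brk = brk;
		goto success;
	}

	/*
	 * Always allow shrinking brk.
	 * __do_munmap() may downgrade mmap_lock to read.
	 */
	if (brk <= mm->brk) {
		int ret;

		/*
		 * mm->brk must to be protected by write mmap_lock so update it
		 * before downgrading mmap_lock. When __do_munmap() fails,
		 * mm->brk will be restored from origbrk.
		 */
		mm->brk = brk;
		/* Give the pages in [newbrk, oldbrk) back to the kernel. */
		ret = __do_munmap(mm, newbrk, oldbrk-newbrk, &uf, true);
		if (ret < 0) {
			mm->brk = origbrk;
			goto out;
		} else if (ret == 1) {
			/* The lock is now held for read; remember to unlock that side. */
			downgraded = true;
		}
		goto success;
	}

	/* Check against existing mmap mappings. */
	/*
	 * Growing: refuse if the new break would run into the next VMA
	 * (vm_start_gap() accounts for that VMA's guard gap), so the heap can
	 * never silently abut or merge with an unrelated mapping.
	 */
	next = find_vma(mm, oldbrk);
	if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
		goto out;

	/* Ok, looks good - let it rip. */
	/* Map the new range [oldbrk, newbrk); flags 0 means plain anonymous heap. */
	if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
		goto out;
	mm->brk = brk;

success:
	/* Pre-fault the new pages only when the mm defaults to VM_LOCKED (mlockall(MCL_FUTURE)). */
	populate = newbrk > oldbrk && (mm->def_flags & VM_LOCKED) != 0;
	if (downgraded)
		mmap_read_unlock(mm);
	else
		mmap_write_unlock(mm);
	userfaultfd_unmap_complete(mm, &uf);
	if (populate)
		mm_populate(oldbrk, newbrk - oldbrk);
	return brk;

out:
	/* Any failure: leave the break where it was and report that value back. */
	retval = origbrk;
	mmap_write_unlock(mm);
	return retval;
}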
尝试用 brk / sbrk 申请内存
#include <stdio.h>
#include <unistd.h>
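/*
 * Probe the program break with sbrk() and print where each call lands.
 * sbrk(n) returns the previous break and moves it by n bytes, so the three
 * 4-byte calls should be 4 bytes apart and sbrk(0) should answer 12 bytes
 * past p2 -- unless something else moves the break in between (glibc's first
 * printf typically mallocs the stdio buffer, and malloc itself calls sbrk).
 * Never returns normally; see the final loop.
 */
int main(void) {
    void *p2 = sbrk(4);
    void *p3 = sbrk(4);
    void *p4 = sbrk(4);
    /* sbrk() signals failure with (void *)-1 and errno, never NULL. */
    if (p2 == (void *)-1 || p3 == (void *)-1 || p4 == (void *)-1) {
        perror("sbrk");
        return 1;
    }
    /* %p is the only conversion defined for pointers; %x with a pointer argument is undefined. */
    printf("p4====%p\n", p4);
    // sbrk(-12); // give the 12 bytes back (a negative increment shrinks the heap)
    void *cur = sbrk(0); // sbrk(0) only queries: it returns the current break
    printf("====%p\n", cur);
    cur = sbrk(4092 + 1); // just over one 4 KiB page, so the kernel must map a further page
    printf("====%p\n", cur);
    cur = sbrk(333);
    printf("====%p\n", cur);
    while (1); /* keep the process alive, presumably to inspect it from outside (e.g. its mappings) */
}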
运行
tyrion_shi@silead:~/work/test/test_code/c$ ./a.out
p4====1f43008
====1f65000
====1f65000
====1f65ffd
为什么 1f43008 和 1f65000 中间差了这么多？按理应该只差 12 个字节才对。去掉 printf debug 一下。
怀疑是printf引起问题
#include<stdio.h>
/* Control experiment: does a single printf, with no sbrk/malloc of our own,
   move the program break by itself?  Meant to be compared against the sbrk
   probe above.  Always returns 0. */
int main(void)
{
	printf("haha\n");
	return 0;
}
怀疑是这块（printf）导致的。