Memory Allocation

Question 1

Tcache bins

Answer 1

Thread specific.
Stack.
Singly Linked.
Heads are in thread local storage.
It has chunks of fixed size s_i.

Question 2

Arenas

Answer 2

Division of the heap.
Access requires synchronization.
At most, one thread can allocate.
Metadata is stored in a struct malloc_state.

Question 3

Fastbins

Answer 3

Every arena has N_f fastbins of equally sized chunks.
Thread locks the arena when accessing it.
Stack.
Singly Linked.
Heads are found in malloc_state of the arena.
Has chunks of fixed size sf_i.

Question 4

Smallbins

Answer 4

Every arena has N_s smallbins of equally sized chunks.
Queue.
Doubly-Linked.
Heads are found in malloc_state.
Has chunks of fized sizes ss_i.

Question 5

Unsorted Bin

Answer 5

Every arena has one unsorted bin
with chunks of any size.
Queue.
Doubly-Linked.
Head in malloc_state.
Chunks of any size.

Question 6

Large Bins

Answer 6

Every arena has N_l large bins with chunks in a certain size interval.
Stack.
Doubly-Linked list of Doubly-Linked lists of fixed size chunks.
Heads in malloc_state.
Chunk sizes in certain interval.

Question 7

Malloc procedure

Answer 7

Check bins in the following order until we find chunk of exact size and if not, split the next larger chunk:
1. tcache bin
2. fastbin (refill tcache)
3. smallbin (refill tcache)
4. unsorted bin
- exact match (refill tcache)
- sort into small and large bins
5. largebin
6. anybin
7. re-check fastbins
8. top chunk
9. grow arena

Question 8

Free procedure

Answer 8

If chunk fits, push into:
1. tcache bin
2. fastbin
3. unsorted bin (consolidate chunk if possible)
4. if treshold is surpassed, clean up fastbin and shrink arena

Question 9

Invariant

Answer 9

A chunk in the unsorted bin, smallbins or largebins never borders another chunk in those bins or the top chunk.

Question 10

How is the invariant upheld?

Answer 10

By performing consolidation of chunks that are moved into the unsorted bin.

Question 11

Allocated Chunk

Answer 11

.
next chunk
|
v
———————————————————————————————————
prev. size or prev. user data | size | AMP | user data | size | AMP |
———————————————————————————————————
[ metadata = 16 bytes ]

Question 12

Free chunk: unsorted, small, large bin

Answer 12

metadata| fwd.ptr| bkwd.ptr | nxt.size.ptr | prev.size.ptr | size | AMP |
———————————————————————————————————

prev. size or prev. user data | size | AMP |
————————————————————-
[ metadata = 16 bytes ]

*nxt.size.ptr and prev.size.ptr only used for chunks in large bin that are the first in their size

Question 13

Free chunk: tcache, fastbin

Answer 13

    metadata              | next ptr|       tcache key |                   junk              |       --------------------------------------------------------------------------------------------------------- [ metadata = 16 bytes ]

*tcache key only for tcache:
process-wide random cookie used to detect double frees

Question 14

Safe Linking

Answer 14

Next pointer for tcache and fastbins gets xored with the page they are stored before being written into the chunk.

Question 15

Circumvent Safe Linking

Answer 15

Leak a pointer in the program and it can be used to reverse the xor operation.