--- title: libc-2.27 realloc description: Tracing source code tags: libc-2.27 lang: zh_tw --- # libc-2.27 realloc ```c __libc_realloc (void *oldmem, size_t bytes) { mstate ar_ptr; INTERNAL_SIZE_T nb; /* padded request size */ void *newp; /* chunk to return */ void *(*hook) (void *, size_t, const void *) = atomic_forced_read (__realloc_hook); if (__builtin_expect (hook != NULL, 0)) return (*hook)(oldmem, bytes, RETURN_ADDRESS (0)); #if REALLOC_ZERO_BYTES_FREES if (bytes == 0 && oldmem != NULL) { __libc_free (oldmem); return 0; } #endif /* realloc of null is supposed to be same as malloc */ if (oldmem == 0) return __libc_malloc (bytes); ``` 1. 若 `__realloc_hook` 有值則會先執行此 hook 2. 若 `bytes == 0 && oldmem != NULL` 則形同使用 `__libc_free(oldmem)` 3. 若 `oldmem == 0` 則形同使用 `__libc_malloc(bytes)` ```c /* chunk corresponding to oldmem */ const mchunkptr oldp = mem2chunk (oldmem); /* its size */ const INTERNAL_SIZE_T oldsize = chunksize (oldp); if (chunk_is_mmapped (oldp)) ar_ptr = NULL; else { MAYBE_INIT_TCACHE (); ar_ptr = arena_for_chunk (oldp); } ``` 根據 chunk 的 mmap flag 來決定 ar_ptr 平常的 use case 是走下面, ar_ptr 最後會得到 main_arena 的位址 ```c /* Little security check which won't hurt performance: the allocator never wrapps around at the end of the address space. Therefore we can exclude some size values which might appear here by accident or by "design" from some intruder. We need to bypass this check for dumped fake mmap chunks from the old main arena because the new malloc may provide additional alignment. */ if ((__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0) || __builtin_expect (misaligned_chunk (oldp), 0)) && !DUMPED_MAIN_ARENA_CHUNK (oldp)) malloc_printerr ("realloc(): invalid pointer"); ``` 1. 檢查 oldp > -oldsize 2. 檢查 oldp 是否有對齊記憶體, 也就是是否滿足 `oldp & 0xf == 0` 3. DUMPED_MAIN_ARENA_CHUNK 先不追 ```c checked_request2size (bytes, nb); if (chunk_is_mmapped (oldp)) { /* If this is a faked mmapped chunk from the dumped main arena, always make a copy (and do not free the old chunk). */ if (DUMPED_MAIN_ARENA_CHUNK (oldp)) { /* Must alloc, copy, free. */ void *newmem = __libc_malloc (bytes); if (newmem == 0) return NULL; /* Copy as many bytes as are available from the old chunk and fit into the new size. NB: The overhead for faked mmapped chunks is only SIZE_SZ, not 2 * SIZE_SZ as for regular mmapped chunks. */ if (bytes > oldsize - SIZE_SZ) bytes = oldsize - SIZE_SZ; memcpy (newmem, oldmem, bytes); return newmem; } void *newmem; #if HAVE_MREMAP newp = mremap_chunk (oldp, nb); if (newp) return chunk2mem (newp); #endif /* Note the extra SIZE_SZ overhead. */ if (oldsize - SIZE_SZ >= nb) return oldmem; /* do nothing */ /* Must alloc, copy, free. */ newmem = __libc_malloc (bytes); if (newmem == 0) return 0; /* propagate failure */ memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ); munmap_chunk (oldp); return newmem; } ```