堆中的检查

申请的大小

REQUEST_OUT_OF_RANGE(req) ：((unsigned long) (req) >= (unsigned long) (INTERNAL_SIZE_T)(-2 * MINSIZE))

__set_errno(ENOMEM)

fastbin_index(chunksize(victim)) != idx

malloc(): memory corruption (fast)

unsorted bin chunk 大小

chunksize_nomask (victim) <= 2 * SIZE_SZ || chunksize_nomask (victim) av->system_mem

malloc(): memory corruption

top chunk size

(unsigned long) (size) >= (unsigned long) (nb + MINSIZE)

方可进入

chunk size 标记位

chunk_is_mmapped (p)

方可进入

释放chunk位置

(uintptr_t) p > (uintptr_t) -size || misaligned_chunk(p)

free(): invalid pointer

释放chunk的大小

size < MINSIZE || !aligned_OK(size)

free(): invalid size

释放chunk的下一个chunk大小

chunksize_nomask(chunk_at_offset(p, size)) <= 2 * SIZE_SZ， chunksize(chunk_at_offset(p, size)) >= av->system_mem

free(): invalid next size (fast)

释放 chunk对应链表的第一个chunk

fb = &fastbin(av, idx)，old= *fb， old == p

double free or corruption (fasttop)

fastbin索引

old != NULL && old_idx != idx

invalid fastbin entry (free)

释放chunk位置

p == av->top

double free or corruption (top)

next chunk 位置

contiguous (av) && (char *) nextchunk >= ((char *) av->top + chunksize(av->top))

double free or corruption (out)

next chunk 大小

chunksize_nomask (nextchunk) <= 2 * SIZE_SZ || nextsize >= av->system_mem

free(): invalid next size (normal)

size vs prev_size

chunksize(P) != prev_size (next_chunk(P))

corrupted size vs. prev_size

Fd, bk 双向链表检查

FD->bk != P || BK->fd != P

corrupted double-linked list

nextsize 双向链表

P->fd_nextsize->bk_nextsize != P || P->bk_nextsize->fd_nextsize != P

corrupted double-linked list (not small)