Libc Heap

Reading time: 14 minutes

Msingi wa Heap

Heap ni mahali ambapo programu inaweza kuhifadhi data wakati inapoomba data kwa kuita kazi kama malloc, calloc... Aidha, wakati kumbukumbu hii haitahitajika tena inapatikana kwa kuita kazi free.

Kama inavyoonyeshwa, iko tu baada ya ambapo binary inapo load kwenye kumbukumbu (angalia sehemu ya [heap]):

Usambazaji wa Msingi wa Chunk

Wakati data fulani inapoombwa kuhifadhiwa kwenye heap, nafasi fulani ya heap inatengwa kwa ajili yake. Nafasi hii itakuwa ya bin na data iliyohitajika + nafasi ya vichwa vya bin + offset ya ukubwa wa chini wa bin itahifadhiwa kwa chunk. Lengo ni kuhifadhi kumbukumbu kidogo iwezekanavyo bila kufanya iwe ngumu kupata ambapo kila chunk iko. Kwa hili, taarifa za metadata za chunk zinatumika kujua ambapo kila chunk inayotumika/ya bure iko.

Kuna njia tofauti za kuhifadhi nafasi hasa kulingana na bin inayotumika, lakini mbinu ya jumla ni ifuatayo:

  • Programu inaanza kwa kuomba kiasi fulani cha kumbukumbu.
  • Ikiwa katika orodha ya chunks kuna mtu anapatikana mkubwa wa kutosha kutimiza ombi, itatumika
  • Hii inaweza hata kumaanisha kwamba sehemu ya chunk inayopatikana itatumika kwa ombi hili na iliyobaki itaongezwa kwenye orodha ya chunks
  • Ikiwa hakuna chunk inayopatikana katika orodha lakini bado kuna nafasi katika kumbukumbu ya heap iliyotengwa, meneja wa heap anaunda chunk mpya
  • Ikiwa hakuna nafasi ya kutosha ya heap kutenga chunk mpya, meneja wa heap anaomba kernel kuongeza kumbukumbu iliyotengwa kwa heap na kisha kutumia kumbukumbu hii kuunda chunk mpya
  • Ikiwa kila kitu kinashindwa, malloc inarudisha null.

Kumbuka kwamba ikiwa kumbukumbu iliyohitajika inapita kigezo fulani, mmap itatumika kubaini kumbukumbu iliyohitajika.

Arenas

Katika maombi ya multithreaded, meneja wa heap lazima kuzuia hali za mashindano ambazo zinaweza kusababisha ajali. Awali, hii ilifanywa kwa kutumia mutex ya kimataifa kuhakikisha kwamba thread moja tu inaweza kufikia heap kwa wakati mmoja, lakini hii ilisababisha masuala ya utendaji kutokana na kuzuiliwa kwa mutex.

Ili kushughulikia hili, allocator wa heap ptmalloc2 ilianzisha "arenas," ambapo kila arena inafanya kazi kama heap tofauti yenye miundo yake mwenyewe na mutex, ikiruhusu nyuzi nyingi kufanya operesheni za heap bila kuingiliana, mradi tu wanatumia arenas tofauti.

Arena ya "muhimu" ya default inashughulikia operesheni za heap kwa maombi ya nyuzi moja. Wakati nyuzi mpya zinapoongezwa, meneja wa heap anawapa arenas za sekondari ili kupunguza ushindani. Kwanza inajaribu kuunganisha kila nyuzi mpya kwenye arena isiyotumika, ikiumba mpya ikiwa inahitajika, hadi kikomo cha mara 2 ya idadi ya nyuzi za CPU kwa mifumo ya 32-bit na mara 8 kwa mifumo ya 64-bit. Mara kikomo kinapofikiwa, nyuzi lazima zishiriki arenas, na kusababisha ushindani wa uwezekano.

Tofauti na arena kuu, ambayo inapanuka kwa kutumia wito wa mfumo wa brk, arenas za sekondari zinaunda "subheaps" kwa kutumia mmap na mprotect ili kuiga tabia ya heap, ikiruhusu kubadilika katika usimamizi wa kumbukumbu kwa operesheni za multithreaded.

Subheaps

Subheaps hutumikia kama akiba ya kumbukumbu kwa arenas za sekondari katika maombi ya multithreaded, ikiruhusu kukua na kusimamia maeneo yao ya heap tofauti na heap kuu. Hapa kuna jinsi subheaps zinavyotofautiana na heap ya awali na jinsi zinavyofanya kazi:

  1. Heap ya Awali vs. Subheaps:
  • Heap ya awali iko moja kwa moja baada ya binary ya programu katika kumbukumbu, na inapanuka kwa kutumia wito wa mfumo wa sbrk.
  • Subheaps, zinazotumiwa na arenas za sekondari, zinaundwa kupitia mmap, wito wa mfumo unaoelekeza eneo fulani la kumbukumbu.
  1. Hifadhi ya Kumbukumbu kwa kutumia mmap:
  • Wakati meneja wa heap anaunda subheap, anahifadhi block kubwa ya kumbukumbu kupitia mmap. Hifadhi hii haitoi kumbukumbu mara moja; inateua tu eneo ambalo michakato mingine ya mfumo au usambazaji haipaswi kutumia.
  • Kwa kawaida, ukubwa uliotengwa kwa subheap ni 1 MB kwa michakato ya 32-bit na 64 MB kwa michakato ya 64-bit.
  1. Upanuzi wa Polepole kwa kutumia mprotect:
  • Eneo la kumbukumbu lililotengwa awali linapewa alama kama PROT_NONE, ikionyesha kwamba kernel haitahitaji kutenga kumbukumbu halisi kwa nafasi hii bado.
  • Ili "kukua" subheap, meneja wa heap anatumia mprotect kubadilisha ruhusa za ukurasa kutoka PROT_NONE hadi PROT_READ | PROT_WRITE, ikimhimiza kernel kutenga kumbukumbu halisi kwa anwani zilizotengwa hapo awali. Njia hii ya hatua kwa hatua inaruhusu subheap kupanuka kadri inavyohitajika.
  • Mara subheap yote itakapokamilika, meneja wa heap anaunda subheap mpya ili kuendelea na usambazaji.

heap_info

Struktura hii inatenga taarifa muhimu za heap. Aidha, kumbukumbu ya heap inaweza kuwa si ya mfululizo baada ya usambazaji zaidi, struktura hii pia itahifadhi taarifa hiyo.

c
// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/malloc/arena.c#L837

typedef struct _heap_info
{
mstate ar_ptr; /* Arena for this heap. */
struct _heap_info *prev; /* Previous heap. */
size_t size;   /* Current size in bytes. */
size_t mprotect_size; /* Size in bytes that has been mprotected
PROT_READ|PROT_WRITE.  */
size_t pagesize; /* Page size used when allocating the arena.  */
/* Make sure the following data is properly aligned, particularly
that sizeof (heap_info) + 2 * SIZE_SZ is a multiple of
MALLOC_ALIGNMENT. */
char pad[-3 * SIZE_SZ & MALLOC_ALIGN_MASK];
} heap_info;

malloc_state

Kila heap (main arena au maeneo mengine ya nyuzi) ina malloc_state structure.
Ni muhimu kutambua kwamba main arena malloc_state structure ni kigezo cha kimataifa katika libc (hivyo iko katika nafasi ya kumbukumbu ya libc).
Katika kesi ya malloc_state structures za heaps za nyuzi, zinapatikana ndani ya "heap" ya nyuzi husika.

Kuna mambo kadhaa ya kuvutia ya kuzingatia kutoka kwa muundo huu (ona msimbo wa C hapa chini):

  • __libc_lock_define (, mutex); Ipo kuhakikisha kwamba muundo huu kutoka kwa heap unafikiwa na nyuzi 1 kwa wakati

  • Bendera:

#define NONCONTIGUOUS_BIT (2U)

#define contiguous(M) (((M)->flags & NONCONTIGUOUS_BIT) == 0) #define noncontiguous(M) (((M)->flags & NONCONTIGUOUS_BIT) != 0) #define set_noncontiguous(M) ((M)->flags |= NONCONTIGUOUS_BIT) #define set_contiguous(M) ((M)->flags &= ~NONCONTIGUOUS_BIT)


- `mchunkptr bins[NBINS * 2 - 2];` ina **viungo** kwa **chunks za kwanza na za mwisho** za **bins** ndogo, kubwa na zisizo na mpangilio (the -2 ni kwa sababu index 0 haitumiki)
- Kwa hivyo, **chunk ya kwanza** ya bins hizi itakuwa na **kiungo cha nyuma kwa muundo huu** na **chunk ya mwisho** ya bins hizi itakuwa na **kiungo cha mbele** kwa muundo huu. Ambayo kimsingi inamaanisha kwamba ikiwa unaweza **kuvuja anwani hizi katika main arena** utakuwa na kiungo kwa muundo katika **libc**.
- Struktura `struct malloc_state *next;` na `struct malloc_state *next_free;` ni orodha zilizounganishwa za maeneo
- Chunk ya `top` ni "chunk" ya mwisho, ambayo kimsingi ni **nafasi yote iliyobaki ya heap**. Mara chunk ya juu inapokuwa "bila", heap imetumika kabisa na inahitaji kuomba nafasi zaidi.
- Chunk ya `last reminder` inatokana na hali ambapo chunk ya ukubwa sahihi haitapatikana na kwa hivyo chunk kubwa inakatwa, sehemu ya kiungo iliyobaki inawekwa hapa.

// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/malloc/malloc.c#L1812

struct malloc_state { /* Serialize access. */ __libc_lock_define (, mutex);

/* Flags (formerly in max_fast). */ int flags;

/* Set if the fastbin chunks contain recently inserted free blocks. / / Note this is a bool but not all targets support atomics on booleans. */ int have_fastchunks;

/* Fastbins */ mfastbinptr fastbinsY[NFASTBINS];

/* Base of the topmost chunk -- not otherwise kept in a bin */ mchunkptr top;

/* The remainder from the most recent split of a small request */ mchunkptr last_remainder;

/* Normal bins packed as described above */ mchunkptr bins[NBINS * 2 - 2];

/* Bitmap of bins */ unsigned int binmap[BINMAPSIZE];

/* Linked list */ struct malloc_state *next;

/* Linked list for free arenas. Access to this field is serialized by free_list_lock in arena.c. */ struct malloc_state *next_free;

/* Number of threads attached to this arena. 0 if the arena is on the free list. Access to this field is serialized by free_list_lock in arena.c. */ INTERNAL_SIZE_T attached_threads;

/* Memory allocated from the system in this arena. */ INTERNAL_SIZE_T system_mem; INTERNAL_SIZE_T max_system_mem; };

### malloc_chunk

Muundo huu unawakilisha kipande maalum cha kumbukumbu. Nyanja mbalimbali zina maana tofauti kwa vipande vilivyotolewa na visivyotolewa.

// https://github.com/bminor/glibc/blob/master/malloc/malloc.c struct malloc_chunk { INTERNAL_SIZE_T mchunk_prev_size; /* Size of previous chunk, if it is free. / INTERNAL_SIZE_T mchunk_size; / Size in bytes, including overhead. / struct malloc_chunk fd; /* double links -- used only if this chunk is free. / struct malloc_chunk bk; /* Only used for large blocks: pointer to next larger size. / struct malloc_chunk fd_nextsize; /* double links -- used only if this chunk is free. / struct malloc_chunk bk_nextsize; };

typedef struct malloc_chunk* mchunkptr;

Kama ilivyotajwa hapo awali, vipande hivi pia vina metadata, ambayo inawakilishwa vizuri katika picha hii:

<figure><img src="../../images/image (1242).png" alt=""><figcaption><p><a href="https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png">https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png</a></p></figcaption></figure>

Metadata kwa kawaida ni 0x08B ikionyesha ukubwa wa sasa wa kipande kwa kutumia bits 3 za mwisho kuonyesha:

- `A`: Ikiwa 1 inatoka kwenye subheap, ikiwa 0 iko kwenye arena kuu
- `M`: Ikiwa 1, kipande hiki ni sehemu ya nafasi iliyotolewa na mmap na si sehemu ya heap
- `P`: Ikiwa 1, kipande cha awali kinatumika

Kisha, nafasi ya data ya mtumiaji, na hatimaye 0x08B kuonyesha ukubwa wa kipande cha awali wakati kipande kinapatikana (au kuhifadhi data ya mtumiaji wakati inatolewa).

Zaidi ya hayo, wakati inapatikana, data ya mtumiaji inatumika pia kubeba data fulani:

- **`fd`**: Kielekezi kwa kipande kinachofuata
- **`bk`**: Kielekezi kwa kipande cha awali
- **`fd_nextsize`**: Kielekezi kwa kipande cha kwanza katika orodha ambacho ni kidogo kuliko yenyewe
- **`bk_nextsize`:** Kielekezi kwa kipande cha kwanza katika orodha ambacho ni kikubwa kuliko yenyewe

<figure><img src="../../images/image (1243).png" alt=""><figcaption><p><a href="https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png">https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png</a></p></figcaption></figure>

<div class="mdbook-alerts mdbook-alerts-note">
<p class="mdbook-alerts-title">
  <span class="mdbook-alerts-icon"></span>
  note
</p>


Tambua jinsi kuunganisha orodha kwa njia hii kunazuia haja ya kuwa na array ambapo kila kipande kimoja kinarekodiwa.

</div>


### Kielekezi za Kipande

Wakati malloc inatumika, kielekezi kwa maudhui ambayo yanaweza kuandikwa kinarejeshwa (karibu baada ya vichwa), hata hivyo, wakati wa kusimamia vipande, inahitajika kielekezi kwa mwanzo wa vichwa (metadata).\
Kwa ajili ya mabadiliko haya, kazi hizi zinatumika:

// https://github.com/bminor/glibc/blob/master/malloc/malloc.c

/* Convert a chunk address to a user mem pointer without correcting the tag. / #define chunk2mem(p) ((void)((char*)(p) + CHUNK_HDR_SZ))

/* Convert a user mem pointer to a chunk address and extract the right tag. / #define mem2chunk(mem) ((mchunkptr)tag_at (((char)(mem) - CHUNK_HDR_SZ)))

/* The smallest possible chunk */ #define MIN_CHUNK_SIZE (offsetof(struct malloc_chunk, fd_nextsize))

/* The smallest size we can malloc is an aligned minimal chunk */

#define MINSIZE
(unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK))

### Mwelekeo & ukubwa mdogo

Pointer kwa chunk na `0x0f` lazima iwe 0.

// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/sysdeps/generic/malloc-size.h#L61 #define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)

// https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/sysdeps/i386/malloc-alignment.h #define MALLOC_ALIGNMENT 16

// https://github.com/bminor/glibc/blob/master/malloc/malloc.c /* Check if m has acceptable alignment */ #define aligned_OK(m) (((unsigned long)(m) & MALLOC_ALIGN_MASK) == 0)

#define misaligned_chunk(p)
((uintptr_t)(MALLOC_ALIGNMENT == CHUNK_HDR_SZ ? (p) : chunk2mem (p))
& MALLOC_ALIGN_MASK)

/* pad request bytes into a usable size -- internal version / / Note: This must be a macro that evaluates to a compile time constant if passed a literal constant. */ #define request2size(req)
(((req) + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE) ?
MINSIZE :
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* Check if REQ overflows when padded and aligned and if the resulting value is less than PTRDIFF_T. Returns the requested size or MINSIZE in case the value is less than MINSIZE, or 0 if any of the previous checks fail. */ static inline size_t checked_request2size (size_t req) __nonnull (1) { if (__glibc_unlikely (req > PTRDIFF_MAX)) return 0;

/* When using tagged memory, we cannot share the end of the user block with the header for the next chunk, so ensure that we allocate blocks that are rounded up to the granule size. Take care not to overflow from close to MAX_SIZE_T to a small number. Ideally, this would be part of request2size(), but that must be a macro that produces a compile time constant if passed a constant literal. / if (__glibc_unlikely (mtag_enabled)) { / Ensure this is not evaluated if !mtag_enabled, see gcc PR 99551. */ asm ("");

req = (req + (__MTAG_GRANULE_SIZE - 1)) & ~(size_t)(__MTAG_GRANULE_SIZE - 1); }

return request2size (req); }

Kumbuka kwamba kwa kuhesabu nafasi yote inayohitajika, `SIZE_SZ` inaongezwa mara moja tu kwa sababu uwanja wa `prev_size` unaweza kutumika kuhifadhi data, hivyo basi kichwa cha awali pekee kinahitajika.

### Pata data ya Chunk na badilisha metadata

Hizi kazi zinafanya kazi kwa kupokea kiashiria kwa chunk na ni muhimu kuangalia/kweka metadata:

- Angalia bendera za chunk

// From https://github.com/bminor/glibc/blob/master/malloc/malloc.c

/* size field is or'ed with PREV_INUSE when previous adjacent chunk in use */ #define PREV_INUSE 0x1

/* extract inuse bit of previous chunk */ #define prev_inuse(p) ((p)->mchunk_size & PREV_INUSE)

/* size field is or'ed with IS_MMAPPED if the chunk was obtained with mmap() */ #define IS_MMAPPED 0x2

/* check for mmap()'ed chunk */ #define chunk_is_mmapped(p) ((p)->mchunk_size & IS_MMAPPED)

/* size field is or'ed with NON_MAIN_ARENA if the chunk was obtained from a non-main arena. This is only set immediately before handing the chunk to the user, if necessary. */ #define NON_MAIN_ARENA 0x4

/* Check for chunk from main arena. */ #define chunk_main_arena(p) (((p)->mchunk_size & NON_MAIN_ARENA) == 0)

/* Mark a chunk as not being on the main arena. */ #define set_non_main_arena(p) ((p)->mchunk_size |= NON_MAIN_ARENA)

- Sizes na viashiria kwa vipande vingine

/* Bits to mask off when extracting size

Note: IS_MMAPPED is intentionally not masked off from size field in macros for which mmapped chunks should never be seen. This should cause helpful core dumps to occur if it is tried by accident by people extending or adapting this malloc. */ #define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Get size, ignoring use bits */ #define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))

/* Like chunksize, but do not mask SIZE_BITS. */ #define chunksize_nomask(p) ((p)->mchunk_size)

/* Ptr to next physical malloc_chunk. */ #define next_chunk(p) ((mchunkptr) (((char *) (p)) + chunksize (p)))

/* Size of the chunk below P. Only valid if !prev_inuse (P). */ #define prev_size(p) ((p)->mchunk_prev_size)

/* Set the size of the chunk below P. Only valid if !prev_inuse (P). */ #define set_prev_size(p, sz) ((p)->mchunk_prev_size = (sz))

/* Ptr to previous physical malloc_chunk. Only valid if !prev_inuse (P). */ #define prev_chunk(p) ((mchunkptr) (((char *) (p)) - prev_size (p)))

/* Treat space at ptr + offset as a chunk */ #define chunk_at_offset(p, s) ((mchunkptr) (((char *) (p)) + (s)))

- Insue bit

/* extract p's inuse bit */ #define inuse(p)
((((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size) & PREV_INUSE)

/* set/clear chunk as being inuse without otherwise disturbing */ #define set_inuse(p)
((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size |= PREV_INUSE

#define clear_inuse(p)
((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size &= ~(PREV_INUSE)

/* check/set/clear inuse bits in known places */ #define inuse_bit_at_offset(p, s)
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size & PREV_INUSE)

#define set_inuse_bit_at_offset(p, s)
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size |= PREV_INUSE)

#define clear_inuse_bit_at_offset(p, s)
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size &= ~(PREV_INUSE))

- Weka kichwa na mguu (wakati nambari za sehemu zinatumika)

/* Set size at head, without disturbing its use bit */ #define set_head_size(p, s) ((p)->mchunk_size = (((p)->mchunk_size & SIZE_BITS) | (s)))

/* Set size/use field */ #define set_head(p, s) ((p)->mchunk_size = (s))

/* Set size at footer (only when chunk is not in use) */ #define set_foot(p, s) (((mchunkptr) ((char *) (p) + (s)))->mchunk_prev_size = (s))

- Pata ukubwa wa data halisi inayoweza kutumika ndani ya kipande

#pragma GCC poison mchunk_size #pragma GCC poison mchunk_prev_size

/* This is the size of the real usable data in the chunk. Not valid for dumped heap chunks. */ #define memsize(p)
(__MTAG_GRANULE_SIZE > SIZE_SZ && __glibc_unlikely (mtag_enabled) ?
chunksize (p) - CHUNK_HDR_SZ :
chunksize (p) - CHUNK_HDR_SZ + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))

/* If memory tagging is enabled the layout changes to accommodate the granule size, this is wasteful for small allocations so not done by default. Both the chunk header and user data has to be granule aligned. */ _Static_assert (__MTAG_GRANULE_SIZE <= CHUNK_HDR_SZ, "memory tagging is not supported with large granule.");

static __always_inline void * tag_new_usable (void *ptr) { if (__glibc_unlikely (mtag_enabled) && ptr) { mchunkptr cp = mem2chunk(ptr); ptr = __libc_mtag_tag_region (__libc_mtag_new_tag (ptr), memsize (cp)); } return ptr; }

## Mifano

### Mfano wa Haraka wa Heap

Mfano wa haraka wa heap kutoka [https://guyinatuxedo.github.io/25-heap/index.html](https://guyinatuxedo.github.io/25-heap/index.html) lakini katika arm64:

#include <stdio.h> #include <stdlib.h> #include <string.h>

void main(void) { char *ptr; ptr = malloc(0x10); strcpy(ptr, "panda"); }

Weka breakpoint mwishoni mwa kazi kuu na tuone ni wapi taarifa zilihifadhiwa:

<figure><img src="../../images/image (1239).png" alt=""><figcaption></figcaption></figure>

Inawezekana kuona kwamba mfuatano panda ulihifadhiwa kwenye `0xaaaaaaac12a0` (ambayo ilikuwa anwani iliyotolewa kama jibu na malloc ndani ya `x0`). Kuangalia 0x10 bytes kabla inawezekana kuona kwamba `0x0` inawakilisha kwamba **kipande cha awali hakijatumika** (urefu 0) na kwamba urefu wa kipande hiki ni `0x21`.

Nafasi za ziada zilizohifadhiwa (0x21-0x10=0x11) zinatokana na **vichwa vilivyoongezwa** (0x10) na 0x1 haimaanishi kwamba ilihifadhiwa 0x21B bali bits tatu za mwisho za urefu wa kichwa cha sasa zina maana maalum. Kwa kuwa urefu daima umewekwa sawa na byte 16 (katika mashine za 64bits), bits hizi kwa kweli hazitakuwa zitatumika na nambari ya urefu.

0x1: Previous in Use - Specifies that the chunk before it in memory is in use 0x2: Is MMAPPED - Specifies that the chunk was obtained with mmap() 0x4: Non Main Arena - Specifies that the chunk was obtained from outside of the main arena

### Mfano wa Multithreading

<details>

<summary>Multithread</summary>

#include <stdio.h> #include <stdlib.h> #include <pthread.h> #include <unistd.h> #include <sys/types.h>

void* threadFuncMalloc(void* arg) { printf("Hello from thread 1\n"); char* addr = (char*) malloc(1000); printf("After malloc and before free in thread 1\n"); free(addr); printf("After free in thread 1\n"); }

void* threadFuncNoMalloc(void* arg) { printf("Hello from thread 2\n"); }

int main() { pthread_t t1; void* s; int ret; char* addr;

printf("Before creating thread 1\n"); getchar(); ret = pthread_create(&t1, NULL, threadFuncMalloc, NULL); getchar();

printf("Before creating thread 2\n"); ret = pthread_create(&t1, NULL, threadFuncNoMalloc, NULL);

printf("Before exit\n"); getchar();

return 0; }