Windows heap manager

Source: Internet
Author: User

Microsoft has not published technical details of the Windows heap, but the community has released some good information through the research of many capable people. I have been studying the Windows heap recently, but I understand only a little of it. I am well aware of the shortage of information, so I am sending out links to good articles on this subject.

Windows heap management: http://www.longene.org/forum/viewtopic.php?f=6&t=352

Code analysis: the Wine heap allocate function: http://blog.csdn.net/hongmy525/archive/2009/04/09/4058360.aspx

Heap Overflow and Its Exploitation in Windows: http://www.xfocus.net/articles/200205/397.html

0-day Security: Software Vulnerability Analysis Techniques (book). The heap material referred to in the book, Matt's heap research and "heap feng shui": http://bbs.pediy.com/showthread.php?t=63755

The new, malloc and HeapCreate functions ultimately call RtlAllocateHeap, so RtlAllocateHeap is the function to study. For details, refer to the open-source ReactOS code (dlls/ntdll/heap.c).

Windows heap manager front end allocator (FEA)

On Windows, the FEA can be either the Lookaside List (LAL) FEA or the Low Fragmentation (LF) FEA.

The LAL is used on all pre-Vista Windows. It is a 128-entry table recording free heap memory blocks. Each entry points to a singly-linked list of free heap memory blocks of the same size, where the sizes are 16 bytes for entry 1, 24 for entry 2, ..., and 1024 for entry 127. Entry 0 is not used.

The FEA is the first layer to handle a memory allocation request once it is received. If the FEA finds a matching free block, that block is returned to the caller. Otherwise, the request is passed down to the BEA.

Back end allocator (BEA)

The BEA is also a 128-entry table recording free heap memory blocks. Each entry in the BEA points to a doubly-linked list of free heap memory blocks: entry 2 is for 16-byte free blocks, entry 3 for 24-byte free blocks, ..., and entry 127 for 1016-byte free blocks. Entry 1 is not used. Entry 0 is special: it holds a list of free blocks of 1024+ bytes, sorted in ascending order of size. As we can see, both the LAL and the BEA are optimized to handle small memory allocations faster.

The BEA also has a bitmap, where each bit records whether the corresponding entry has any free blocks at all, so that this can be determined quickly without checking the actual lists. The BEA always keeps the bitmap up to date.

Heap blocks

The memory block returned to the application is the user-accessible part of a heap block. A heap block also has a pre-allocation metadata block and a post-allocation metadata block. Heap blocks sit next to each other linearly in a heap segment, so given any heap block, you can walk all the heap blocks in the same heap segment using the metadata.

Heap segments

A heap segment is a large chunk of memory allocated from the lower-level Virtual Memory Manager. The heap manager keeps a list of up to 64 heap segments.

When the BEA cannot satisfy a request, it tries to allocate a new heap segment. To do so, the heap manager basically calls VirtualAlloc(MEM_RESERVE) to reserve a big block of virtual address space. The new heap segment's size is double that of the last one. If this fails, the size is reduced to half. This repeats until it succeeds or the size becomes too small (64 bytes).

Once the heap segment has been allocated, the heap manager commits its leading portion with VirtualAlloc(MEM_COMMIT) to satisfy the caller's request. Further requests on the heap segment commit more of its uncommitted portion.

In the end, all heap blocks live in the committed portion of one of the heap segments. A heap block can be in one of the following states:

  1. In use by the application. This heap block is not recorded in the LAL or BEA tables/lists.
  2. Free (in LAL). The free heap block is recorded in the LAL only. The BEA sees it as busy (i.e., in use by the application).
  3. Free (in BEA). The free heap block is recorded in the BEA only.

Heap coalescing

Over time, with many allocations and frees, the heap may fragment: there are many small allocations scattered through the heap segment, but no single free heap block is big enough to serve the next request. Heap coalescing is an approach that helps fight this.

When an application frees a heap block back to a heap segment, its two neighboring heap blocks are also checked. If at least one of them is free, the blocks are merged to create a larger free block. The BEA's free lists and bitmap are also updated to reflect the change.

User allocation of heap memory
  1. If the LAL has a matching free block, it is removed and returned to the user; otherwise go to the next step.
  2. The heap manager checks the request.
    1. If the BEA has a matching free block, the heap block is marked "busy", removed from the free list and returned to the user; the bitmap is updated if necessary.
    2. If the BEA has a larger (2x size) free block available, it is split in two: one part is put into a free list, the other is marked "busy" and returned to the user; the larger block is removed from its free list. The bitmap is updated if necessary.
    3. If the heap segment has enough uncommitted portion, a new heap block is committed, marked "busy" and returned to the user; the bitmap is updated if necessary.
    4. It tries to allocate a new heap segment, then commits a heap block, marks it "busy" and returns it to the user; the bitmap is updated if necessary.
    5. If all of the above fail, it returns an error (out of memory).

User freeing heap memory
  1. If the LAL has a matching entry, the heap block is added to the corresponding entry's free list; otherwise go to the next step.
  2. The heap manager checks the neighboring heap blocks in the heap segment.
    1. If any of them is free, coalescing is performed to merge them into a larger heap block: a) remove them from the free lists; b) add the new large block to a free list or the LAL; c) update the heap block metadata to "free".
    2. If no coalescing is possible, the block is put into a free list or the LAL, and the heap block metadata is updated to "free".
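The following C model is an added example, not code from the page, ReactOS or Windows. It ties the allocation and free procedures above to the BEA table, bitmap and block metadata described earlier: a 128-entry free-list table indexed by size/8 with entry 0 holding 1024+ byte blocks, a bitmap that records which entries are non-empty, pre-allocation metadata (size and previous size) used to walk to neighboring blocks, splitting on allocation and coalescing on free. Assumptions: only the BEA is modeled (no LAL, no segment commit or growth), the list links are kept in the header rather than in the free block's body, and the heap segment is a constructed 2048-byte arena.

```c
#include <stddef.h>
#include <stdint.h>
#define UNIT 8            /* granularity: block sizes are multiples of 8 bytes */
#define ENTRIES 128       /* BEA table: entry n = n*8-byte blocks, entry 0 = 1024+ bytes */
#define ARENA_BYTES 2048  /* committed part of one heap segment (constructed, small) */
/* Pre-allocation metadata; simplification: list links live here, not in the free block body. */
typedef struct blk { uint16_t units, prev_units; uint8_t busy; struct blk *fl, *bl; } blk;
static uint64_t seg[ARENA_BYTES / UNIT]; static uint8_t *const arena = (uint8_t *)seg;
static blk *freelist[ENTRIES]; static uint8_t bitmap[ENTRIES / 8]; /* bit i <=> list i non-empty */
static int entry_of(unsigned units) { return units < ENTRIES ? (int)units : 0; }
int bea_has_free(int e) { return (bitmap[e / 8] >> (e % 8)) & 1; }
static void list_push(blk *b) {                    /* head insert; set the bitmap bit */
    int i = entry_of(b->units); b->fl = freelist[i]; b->bl = NULL;
    if (freelist[i]) freelist[i]->bl = b;
    freelist[i] = b; bitmap[i / 8] |= (uint8_t)(1u << (i % 8));
}
static void list_unlink(blk *b) {                  /* run before b->units changes */
    int i = entry_of(b->units);
    if (b->bl) b->bl->fl = b->fl; else freelist[i] = b->fl;
    if (b->fl) b->fl->bl = b->bl;
    if (!freelist[i]) bitmap[i / 8] &= (uint8_t)~(1u << (i % 8));  /* list now empty */
}
static blk *next_of(blk *b) {                      /* walk forward via the size field */
    uint8_t *n = (uint8_t *)b + b->units * UNIT; return n < arena + ARENA_BYTES ? (blk *)n : NULL;
}
void heap_init(void) {                             /* whole segment = one free block */
    blk *b = (blk *)arena; b->units = ARENA_BYTES / UNIT; b->prev_units = 0; b->busy = 0; list_push(b);
}
void *heap_alloc(size_t bytes) {
    unsigned need = (unsigned)((bytes + sizeof(blk) + UNIT - 1) / UNIT);
    blk *b = NULL, *n;
    for (int e = (int)need; e < ENTRIES && !b; e++) if (bea_has_free(e)) b = freelist[e]; /* exact */
    for (blk *c = freelist[0]; c && !b; c = c->fl) if (c->units >= need) b = c;    /* 1024+ list */
    if (!b) return NULL;                           /* real heap: commit more or a new segment */
    list_unlink(b);
    if (b->units > need + sizeof(blk) / UNIT) {    /* split; remainder goes back on a list */
        blk *r = (blk *)((uint8_t *)b + need * UNIT);
        r->units = (uint16_t)(b->units - need); r->prev_units = (uint16_t)need; r->busy = 0;
        b->units = (uint16_t)need; if ((n = next_of(r))) n->prev_units = r->units; list_push(r);
    }
    b->busy = 1; return (uint8_t *)b + sizeof(blk);
}
void heap_free(void *p) {
    blk *b = (blk *)((uint8_t *)p - sizeof(blk)), *n = next_of(b), *q;
    if (n && !n->busy) { list_unlink(n); b->units += n->units; }           /* merge with next */
    q = b->prev_units ? (blk *)((uint8_t *)b - b->prev_units * UNIT) : NULL;
    if (q && !q->busy) { list_unlink(q); q->units += b->units; b = q; }    /* merge with previous */
    if ((n = next_of(b))) n->prev_units = b->units;
    b->busy = 0; list_push(b);
}
unsigned block_bytes(void *p) { return ((blk *)((uint8_t *)p - sizeof(blk)))->units * UNIT; }
```

Allocating three blocks and freeing them in order shows the bitmap bits move between entries as blocks split and merge, and the segment ends up as a single free 2048-byte block in entry 0 again.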

Reference
Advanced Windows Debugging, Addison-Wesley
