"The fault, dear Brutus, is not in our stars, But in ourselves, that we are underlings." - Julius Caesar (I, ii, 140-141)

Jutrzenka's morning and evening stars

It was all David's fault that I was still up at 1 in the morning, bleary eyed, tired, and starting to get suspicious of mathematics -- and that there was definitely a 'bug' in je_malloc and the compiler that generated je_malloc and in LLVM's disassembler, maybe in gdb, and definitely in Intel's documentation, and probably in pretty much everything.

But let me start from the beginning.

A Tale of Two Disassemblers

OCaml david code

It was a dark and stormy night - I was demoing some software to my friend, the eponymous David from the above, at a coffee shop, in May around noon, when this whole mess started. I was showing him this particular feature which allowed me to disassemble an arbitrary symbol name from the command line, and in my hubris, I foolishly showed him the malloc disassemblies.

Now, there are several malloc providers on linux. One of these is the fateful libjemalloc.so.1, whose git repo is here, and with whom our story starts. However, this story doesn't so much involve them as it does their compiled code (not on the dev branch, but the master, at least at the time of this writing), and so we should absolve them of any wrong doing in these matters.

In any event, I had noticed before that my program was piping out errors for libjemalloc.so.1's malloc implementation, but since this was a fly by night operation intended to wow David, I hadn't checked into it yet.

But David, being the good, curious human that he is, asked about the errors when he saw them. And that's when it all began -- a nightmarish journey into the seedy underbelly of linux dynamic libraries, broken disassemblers, pernicious debuggers, treacherous compilers and suspicious documentation.

Come join me in my fun-time adventures!

0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff

I'm running Arch Linux, and when I run lldb /usr/lib/libjemalloc.so.1 -o "disass -b -n malloc", the last line it disassembles is a call instruction:

 <malloc+1151>66 66 48 e8 59 cf         callw  0xcf59

It is exactly here, 1157 bytes in, that lldb (based on LLVM v3.6) gives up and will disassemble no more. This is unusual, because if you inspect the _DYNAMIC array, libjemalloc.so.1 reports that its export, malloc, begins at 0x5f90, and is exactly 1543 bytes in size (your implementation will vary; in fact, compiling libjemalloc's master git branch yields a larger malloc and various examples like this much earlier on in the procedure - but again, this may vary with compiler flags, compilers, distros, and toaster models).

Yet lldb tells us that the function is 1157 bytes long (because that's where it stops). So where did 386 bytes go? (there's probably an off by one error here, don't judge me)

To fully understand this situtation, we'll need to understand Intel legacy prefix codes, REX prefixes, opcode tables, crazy Intel instruction documentation syntax, signed integers, gdb, x86-64 mode, and other sordid low-level details.

Prefixes

I haven't finished reading the Intel manual yet (so I'm not an expert), probably be done in a few days, but basically there are 4 groups of legacy prefixes, with 0x66 indicating the so-called "operand-size override prefix". According to their documentation:

The operand-size override prefix allows a program to switch between 16- and 32-bit operand sizes. Either size can be the default; use of the prefix selects the non-default size. 2-2 Vol. 2A

Let me just say here, because I really can't resist, and hopefully maybe there's a good reason for this behavior (but probably not, just the onus of historical cruft), but you know the instruction set is insane when "either size can be the default" and the operand-size override prefix switches to the other. Like, just choose one... and make that the default?

Anyway, 64-bit x86 processors (the only processor kind you should care about anymore) added REX prefixes, which do lots of things in 64-bit mode, but for our purposes, we'll only consider the 0x48 byte, which says "My operand is 64-bits wide". The accompanying documentation says:

Not all instructions require a REX prefix in 64-bit mode. A prefix is necessary only if an instruction references one of the extended registers or uses a 64-bit operand. If a REX prefix is used when it has no meaning, it is ignored. 2-8 Vol. 2A

Importantly, "Only one REX prefix is allowed per instruction."

Confusingly however, when it comes to the legacy prefixes, we're told:

For each instruction, it is only useful to include up to one prefix code from each of the four groups (Groups 1, 2, 3, 4). Groups 1 through 4 may be placed in any order relative to each other. 2-1 Vol. 2A

So... "it is only useful to include up to one". We'll interpret this unambiguous piece of writing to mean we can have as many prefixes as we want.

However, directly above this on the same page, in the instruction diagram, in the prefix section, we're told "Up to four prefixes of 1 byte each", which seems to indicate we can have a max of four prefixes.

At the time of this writing, I've experimented with instruction sequences with multiple prefixes, multiple REXs, etc., but they seem to be ignored. So we'll go with the former interpretation, that we can include as many as we want.

Intel Arcana

With such information firmly in hand, we can now understand 0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff... or can we? First off, why are there two 0x66 bytes? I have no idea. Secondly, why are they followed by an 0x48? It seems to say... use a 16-bit width, and then use a 64-bit width, but if we actually look up the instruction (0xe8) in Intel's one-byte opcode table, it tells us that 0xe8 is a "near CALL^f64" with a Jz operand, where ^ means superscript.

First we need to look up what an f64 superscript means, to wit:

The operand size is forced to a 64-bit operand size when in 64-bit mode (prefixes that change operand size are ignored for this instruction in 64-bit mode) A-6 Vol. 2C

So the operand size must be 64-bits, or 8 bytes. Our example instruction only has a 4 byte operand/immediate though; but if we consult the instruction's entry in the 64-ia we see that:

In 64-bit mode the relative offset is always a 32-bit immediate value which is sign extended to 64-bits before it is added to the value in the RIP register for the target calculation. Vol. 2A 3-99

Importantly, the documentation does definitely state that prefixes that change operand size are ignored in 64-bit mode for instructions marked with the f64 superscript, of which call is one.

The only other component is the Jz operand encoding, which is two parts, the first part, "J", meaning:

The instruction contains a relative offset to be added to the instruction pointer register A-2 Vol. 2C

and the "z":

Word for 16-bit operand-size or doubleword for 32 or 64-bit operand-size A-3 Vol. 2C

In other words, the operand is a signed operand, with either a 16-bit or 64-bit size, depending on whether the operand-size prefix is set?

So what we know seems to be:

  • Operand-size prefix is ignored
  • Operand-size prefix is not ignored? ("Word for 16-bit operand-size")
  • Operand is signed
  • Up to 4 legacy prefixes

Don't worry if you're confused and unsure what is correct; everyone seems to be. At the time of this initial writing (about a month ago), neither gdb nor lldb correctly disassembled 0x66 0xe8 0x59 0xcf 0xff 0xff, so we're in good company. Update: both of these bugs have been corrected, thanks to open source process goodness, and the internet.

LLVM

Ok, let's run llvm-mc --disassemble on the instruction starting 1151 bytes in at libjemalloc's malloc to test what we know:

echo "0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff" | llvm-mc --disassemble
    .text
    callw   53081
<stdin>:1:31: warning: invalid instruction encoding
0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff
                              ^

That didn't seem to work (this was the original error that set all this off).

Maybe it's all those stupid 0x66 that gcc inserted (also, again, why)? Let's test if multiple 0x66 cause a problem for LLVM's disassembler:

 echo "0x66 0x66 0xe8 0x59 0xcf" | llvm-mc --disassemble
    .text
    callw   53081

So llvm-mc seems ok with a couple 0x66's. What about 5 of them?

 echo "0x66 0x66 0x66 0x66 0x66 0xe8 0x59 0xcf" | llvm-mc --disassemble
    .text
    callw   53081

The spec was vague on redundant prefixes, so we'll let this slide (if you actually test multiple 0x66's against an x86-64 cpu in 64-bit mode it seems to allow it - which just means the silicon that I tested it on allowed it).

But there is something else really wrong here, it looks like llvm-mc is incorrectly disassembling callw's immediate.

Here's some C code to illustrate the matter:

//i_saw_the_sign.c

#include<stdio.h>

int main(){

  unsigned short unsigned_s = 0xcf59;
  short signed_s = 0xcf59;
  int signed_i = 0xffffcf59;
  int unsigned_i = 0x0000cf59;

  printf("unsigned_s: %d\n", unsigned_s);  
  printf("signed_s: %d\n", signed_s);
  printf("signed_i: %d\n", signed_i);
  printf("unsigned_i: %d\n", unsigned_i);
  /*./sign
  unsigned_s: 53081
  signed_s: -12455
  signed_i: -12455
  unsigned_i: 53081
  */
  return 0;
}

So, let's be absolutely clear: 0xcf59 interpreted as a signed short (i.e., only 2 bytes in size) is equivalent to 0xffffcf59 interpreted as a signed int (4 bytes in size), which we write in decimal notation as -12455.

As such, if 0x66 0xe8 0x59 0xcf is disassembled to callw 53081 then the 16-bit operand 0xcf49 must have been interpreted as an unsigned short or a non-sign extended 4-byte int, i.e., 0x0000cf49 (or similarly, as an 8-byte int), and not the correct signed short or sign-extended 4-byte int, which we write in decimal as -12455.

So llvm-mc incorrectly disassembles short immediates in call. As it turns out, it was just a missing case in a switch statement (I love not having pattern matching on closed algebraic data types, because otherwise these kinds of trivial errors are avoided and I can't have fun). It did, however, require a further fix if 0x66 prefixed a call instruction in a 64-bit binary.

But, at least we solved the mystery of libjemalloc.so.1's malloc's missing bytes - a bad disassembler. But what does a good disassembler have to say? And what even is a good disassembler? And why on earth was that instruction sequence generated in the first place? Who has the answers to these burning questions?

GCC

Of course we can only bash on LLVM so much, since it's written in C++, so it's not their fault. But at some point we have to ask, why is there an instruction sequence like 0x66 0x66 0x48 0x59 0xcf 0xff 0xff in the compiled binary in the first place? And is this an invalid instruction, or not?

If we invoke the tried and true gdb on libjemalloc.so.1 with disas /r malloc we'll eventually find the following at 1151 bytes in (and gdb doesn't stop until, you guessed it, the correct 1543 bytes later):

   0x00007ffff7bad40f <+1151>:  66 66 48 e8 59 cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>

gdb seems to think the instruction is data16 data16 callq 0x7ffff7baa370 (I'm going to turn a blind eye to those double data16's).

Importantly, I want us to subtract 0x7ffff7baa370 from 0x00007ffff7bad417 (NOTE: the call/jmp offset is always relative to the next instruction, which is 8 bytes later, so 0x00007ffff7bad40f + 0x8).

The result should be 12455 (in decimal). In other words, the import symbol stub for __tls_get_addr is 12455 bytes away, in the negative direction, from the callq instruction. Thus we need to add a relative offset of 0xffffcf59 (-12455) to the instruction pointer to call the imported procedure __tls_get_addr (if you're curious, it's imported from /usr/lib/ld-2.21.so at offset 0x124a0 (all offsets my own). I simply did rdr -m -f __tls_get_addr to get that magical number).

This seems right; gdb correctly ignores the 0x66 prefix. If however, we were to take lldb's word for it, we'd be looking for/calling a function 53081 bytes away from 0x00007ffff7bad417, which puts us at 0x7ffff7bba370, somewhere inside some random procedure.

So it seems like at this point we can sit back and declare gdb a "good" disassembler and lldb a "bad" disassembler, at least in this case --- but in doing so, we'd be wrong.

The bad news is that if you remove the REX prefix, 0x48, then gdb will also incorrectly disassemble the call when a 0x66 is present in 64-bit mode.

If we compile a simple C program like as follows:

// callw.c
//compile with -Wall -Werror -o callw callw.c
//**DO NOT** Compile with optimizations, need the space provided by x++
#include <stdio.h>

//my main was at 0x506 into the resulting binary; yours will be different
int main(){
  int x = 0xefbeadde;
  // this just to create space for inserting instructions
  x++; x++; x++;
  printf("x: %x\n", x);
  return 0;
}

You can then use that binary to do some hex editing.

If you don't care about the program crashing, then just insert the instruction sequence 66 e8 01 00 00 00 somewhere after where main begins, using your favorite hex editor. Or you can do it carefully so the program doesn't crash; I'll leave that as an exercise. Or just download this binary and scope it out for yourself.

When you're finished, run gdb callw and break on main; run, and then disassemble using the /r option. You should see something like as follows (I call 0x06 bytes forward, because I don't want the program to crash):

(gdb) disass /r
Dump of assembler code for function main:
   0x0000000000400506 <+0>: 55  push   %rbp
   0x0000000000400507 <+1>: 48 89 e5    mov    %rsp,%rbp
   0x000000000040050a <+4>: 48 83 ec 10 sub    $0x10,%rsp
   0x000000000040050e <+8>: c7 45 fc de ad be ef    movl   $0xefbeadde,-0x4(%rbp)
   0x0000000000400515 <+15>:    66 e8 06 00 callw  0x51f
   0x0000000000400519 <+19>:    00 00   add    %al,(%rax)
   0x000000000040051b <+21>:    fc  cld    
   0x000000000040051c <+22>:    01 83 45 fc 01 8b   add    %eax,-0x74fe03bb(%rbx)
   0x0000000000400522 <+28>:    45 fc   rex.RB cld 
   0x0000000000400524 <+30>:    89 c6   mov    %eax,%esi
   0x0000000000400526 <+32>:    bf c4 05 40 00  mov    $0x4005c4,%edi
   0x000000000040052b <+37>:    b8 00 00 00 00  mov    $0x0,%eax
   0x0000000000400530 <+42>:    e8 ab fe ff ff  callq  0x4003e0 <printf@plt>
   0x0000000000400535 <+47>:    b8 00 00 00 00  mov    $0x0,%eax
   0x000000000040053a <+52>:    c9  leaveq 
   0x000000000040053b <+53>:    c3  retq   

You'll notice gdb thinks the callw has a 16-bit immediate, and so starts disassembling the extra 2 bytes as a separate instruction (add %al,(%rax) to be precise).

But if you step through the program, the cpu (I presume, unless there is some black magic going on when trapping with a debugger, which is why I rewrite the binary to not crash) actually jumps a 32-bit value (well technically calls, but you know what I mean), hence demonstrating x86-64 cpus (at least this one, and the others I've tested on) ignore the 0x66 prefix in 64-bit mode, which matches the spec.

We can actually prove whether 0x66 is ignored or not using a special program; see the appendix.

Also, it will also mess up your %rip qua gdb if the call lands you in the middle of an instruction.

So... gdb incorrectly disassembles this kind of corner case too though. I submitted a bug there as well.

Coda

In the end, while the particular details here will soon be untrue, because open source software as high-profile as gdb or llvm gets fixed, what remains interesting to me are two salient, and what I think are lasting object lessons.

  • Redundant Independent Verification Is Scientific Verification
  • Something Darker

Redundant Independent Verification Is Scientific Verification

There is no such thing as a canonical disassembler, because all disassemblers come from man, and to err is human. As such, the more independent disassemblers we have (independent in the sense of using disjoint codebases for disassembly logic), the closer we are to approaching what the the "ideal disassembler" should produce (for a given architecture).

lldb and gdb failed at disassembling real corner cases, and in different ways (and then they got fixed, and this is good). However, had there been a third (or fourth), reliable and independent disassembler, I would argue the likelihood that it too would have failed on the same input is unlikely --- which then gives the researcher better data to act on what the programs are telling them, instead of untangling a mess of reduplicated error. As a result, I would argue that redundant independent verification triangulates the semantics of an instruction set --- and the more we have, the more accurate our analyses will be, and the more confident we can be that disassembly is working correctly.

This is one of the primary reasons I still actively use both gdb and lldb: they give me different perspectives on the same objects. Unfortunately, in the x86-64 bit world, they're really the only disjoint disassemblers that are available. disnasm is broken, and only works with 32 bit modes; similarly objdump doesn't seem to work, and I believe it's using bdf anyway, which violates the disjoint codebase requirement.

Something Darker

It is remarkable that in the four most recent editions of the UNIX system programmer’s manual the Bourne shell grammar described in the manual page does not admit the command who|wc. This is surely an oversight, but it suggests something darker: nobody really knows what the Bourne shell’s grammar is.

It's also possible that something darker is going on: maybe no one really knows how x86 "works" anymore.

The compiler writers, bless them, read the same spec I read (and am still reading); and it seems ambiguous in some places in ways that it shouldn't be ambiguous. To harp on examples from this post, once again, we are told:

Only one REX prefix is allowed per instruction. -- 2-8 Vol. 2A

But what does this mean? It doesn't #UD if there are two REX prefixes; similarly for legacy prefixes. So what in particular "isn't allowed"? I can do it; I'm not arrested, and neither is my machine, so what purpose does this sentence serve in a "formal" specification of an instruction set?

This may seem pedantic, or alarmist, but what sincerely worries me is that at best this is ambiguous, and at worst it is symptomatic of a substantially less palatable conclusion. I'm not sure which disjunct it is, but neither really make me very happy when contemplating their possibility.

Nevertheless, we can take comfort that all of these problems are our own devising; the fault isn't in some magic dropped from the sky, but lies solely on ourselves, and as such, we can solve them (because we created them), and make them better, either through venerable open source processes, or formal methods, or solutions yet undreamed of.

So that's my happy note. Now it's time for me to get back to computering.

Appendix

Clever Program

We can use a sequence like 0x66 0xe8 0xff 0x7f 0xff 0xff inserted say somewhere in the middle of a binary approximately 0x10001 bytes long, with a sequence of #UD bytes approximately 32767 bytes away, and a graceful exit sequence approximately -32769 bytes away, to test if the 0x66 prefix was ignored or not.

Why? Because if the immediate is 16 bits, the call will take the 32767 branch and #UD; but if the immediatel is 32 bits, then it is signed, and will take the -32769 branch and gracefully exit.

Clever program is clever.

Various equivalent x86 instructions, 64 and 32-bit architectures

# echo "0x66 0xe8 0x59 0xcf" | bin/llvm-mc --disassemble -show-inst
    .text
    callw   -12455                  # <MCInst #360 CALLpcrel16
                                        #  <MCOperand Imm:-12455>>

# echo "0xe8 0x59 0xcf 0xff 0xff" | bin/llvm-mc --disassemble -show-inst
    .text
    callq   -12455                  # <MCInst #358 CALL64pcrel32
                                        #  <MCOperand Imm:-12455>>

# echo "0xe8 0x59 0xcf 0xff 0xff" | bin/llvm-mc --disassemble -show-inst -arch=x86
    .text
    calll   -12455                  # <MCInst #361 CALLpcrel32
                                        #  <MCOperand Imm:-12455>>

# echo "0x66 0xe8 0x59 0xcf" | bin/llvm-mc --disassemble -show-inst -arch=x86
    .text
    callw   -12455                  # <MCInst #360 CALLpcrel16
                                        #  <MCOperand Imm:-12455>>

LLDB libjemalloc malloc

(lldb) disass -b -n malloc
 <malloc>41 57                          pushq  %r15
 <malloc+2>b8 01 00 00 00                 movl   $0x1, %eax
 <malloc+7>41 56                          pushq  %r14
 <malloc+9>41 55                          pushq  %r13
 <malloc+11>41 54                          pushq  %r12
 <malloc+13>55                             pushq  %rbp
 <malloc+14>53                             pushq  %rbx
 <malloc+15>48 89 fb                       movq   %rdi, %rbx
 <malloc+18>48 83 ec 18                    subq   $0x18, %rsp
 <malloc+22>48 85 ff                       testq  %rdi, %rdi
 <malloc+25>48 0f 44 d8                    cmoveq %rax, %rbx
 <malloc+29>80 3d 1c c3 22 00 00           cmpb   $0x0, 0x22c31c(%rip)      ; libjemalloc.so.1..bss + 111
 <malloc+36>0f 84 3e 01 00 00              je     0x60f8                    ; malloc + 360
 <malloc+42>48 83 3d ce c2 22 00 00        cmpq   $0x0, 0x22c2ce(%rip)      ; libjemalloc.so.1..bss + 47
 <malloc+50>74 1a                          je     0x5fde                    ; malloc + 78
 <malloc+52>64 48 8b 04 25 00 00 00 00     movq   %fs:0x0, %rax
 <malloc+61>48 03 05 f4 bf 22 00           addq   0x22bff4(%rip), %rax      ; libjemalloc.so.1..got + 88
 <malloc+68>48 83 38 00                    cmpq   $0x0, (%rax)
 <malloc+72>0f 84 1a 04 00 00              je     0x63f8                    ; malloc + 1128
 <malloc+78>48 81 fb 00 0e 00 00           cmpq   $0xe00, %rbx
 <malloc+85>0f 87 8d 00 00 00              ja     0x6078                    ; malloc + 232
 <malloc+91>48 8d 15 8e 2c 02 00           leaq   0x22c8e(%rip), %rdx       ; libjemalloc.so.1..rodata + 768
 <malloc+98>48 8d 43 ff                    leaq   -0x1(%rbx), %rax
 <malloc+102>4c 8d 2d 63 c8 22 00           leaq   0x22c863(%rip), %r13
 <malloc+109>48 c1 e8 03                    shrq   $0x3, %rax
 <malloc+113>44 0f b6 34 02                 movzbl (%rdx,%rax), %r14d
 <malloc+118>41 0f b6 c6                    movzbl %r14b, %eax
 <malloc+122>48 8d 14 40                    leaq   (%rax,%rax,2), %rdx
 <malloc+126>48 8d 04 90                    leaq   (%rax,%rdx,4), %rax
 <malloc+130>49 8b 6c c5 00                 movq   (%r13,%rax,8), %rbp
 <malloc+135>48 8d 05 ea d3 22 00           leaq   0x22d3ea(%rip), %rax
 <malloc+142>48 3b 18                       cmpq   (%rax), %rbx
 <malloc+145>0f 87 05 01 00 00              ja     0x612c                    ; malloc + 412
 <malloc+151>64 48 8b 04 25 00 00 00 00     movq   %fs:0x0, %rax
 <malloc+160>48 03 05 99 bf 22 00           addq   0x22bf99(%rip), %rax      ; libjemalloc.so.1..got + 96
 <malloc+167>48 8b 38                       movq   (%rax), %rdi
 <malloc+170>48 83 ff 03                    cmpq   $0x3, %rdi
 <malloc+174>0f 87 24 01 00 00              ja     0x6168                    ; malloc + 472
 <malloc+180>48 83 ff 01                    cmpq   $0x1, %rdi
 <malloc+184>0f 84 22 04 00 00              je     0x6470                    ; malloc + 1248
 <malloc+190>48 85 ff                       testq  %rdi, %rdi
 <malloc+193>0f 84 b0 03 00 00              je     0x6407                    ; malloc + 1143
 <malloc+199>48 83 ff 03                    cmpq   $0x3, %rdi
 <malloc+203>0f 84 35 04 00 00              je     0x6496                    ; malloc + 1286
 <malloc+209>48 83 ff 02                    cmpq   $0x2, %rdi
 <malloc+213>0f 84 05 04 00 00              je     0x6470                    ; malloc + 1248
 <malloc+219>49 89 ff                       movq   %rdi, %r15
 <malloc+222>e9 01 01 00 00                 jmp    0x6174                    ; malloc + 484
 <malloc+227>0f 1f 44 00 00                 nopl   (%rax,%rax)
 <malloc+232>48 8d 05 89 d3 22 00           leaq   0x22d389(%rip), %rax
 <malloc+239>48 3b 18                       cmpq   (%rax), %rbx
 <malloc+242>0f 87 90 00 00 00              ja     0x6118                    ; malloc + 392
 <malloc+248>48 8d 05 09 d4 22 00           leaq   0x22d409(%rip), %rax
 <malloc+255>48 8d ab ff 0f 00 00           leaq   0xfff(%rbx), %rbp
 <malloc+262>48 81 e5 00 f0 ff ff           andq   $-0x1000, %rbp
 <malloc+269>48 3b 18                       cmpq   (%rax), %rbx
 <malloc+272>0f 87 3a 02 00 00              ja     0x62e0                    ; malloc + 848
 <malloc+278>64 48 8b 04 25 00 00 00 00     movq   %fs:0x0, %rax
 <malloc+287>48 03 05 1a bf 22 00           addq   0x22bf1a(%rip), %rax      ; libjemalloc.so.1..got + 96
 <malloc+294>48 8b 38                       movq   (%rax), %rdi
 <malloc+297>48 83 ff 03                    cmpq   $0x3, %rdi
 <malloc+301>0f 87 55 01 00 00              ja     0x6218                    ; malloc + 648
 <malloc+307>48 83 ff 01                    cmpq   $0x1, %rdi
 <malloc+311>0f 84 13 02 00 00              je     0x62e0                    ; malloc + 848
 <malloc+317>48 85 ff                       testq  %rdi, %rdi
 <malloc+320>0f 84 17 04 00 00              je     0x64ed                    ; malloc + 1373
 <malloc+326>48 83 ff 03                    cmpq   $0x3, %rdi
 <malloc+330>0f 84 b3 01 00 00              je     0x6293                    ; malloc + 771
 <malloc+336>48 83 ff 02                    cmpq   $0x2, %rdi
 <malloc+340>0f 84 f6 01 00 00              je     0x62e0                    ; malloc + 848
 <malloc+346>49 89 fd                       movq   %rdi, %r13
 <malloc+349>e9 32 01 00 00                 jmp    0x6224                    ; malloc + 660
 <malloc+354>66 0f 1f 44 00 00              nopw   (%rax,%rax)
 <malloc+360>e8 63 e7 ff ff                 callq  0x4860                    ; ???
 <malloc+365>84 c0                          testb  %al, %al
 <malloc+367>90                             nop    
 <malloc+368>0f 84 b4 fe ff ff              je     0x5fba                    ; malloc + 42
 <malloc+374>e8 05 d1 ff ff                 callq  0x3210                    ; symbol stub for: __errno_location
 <malloc+379>31 db                          xorl   %ebx, %ebx
 <malloc+381>c7 00 0c 00 00 00              movl   $0xc, (%rax)
 <malloc+387>eb 3d                          jmp    0x6152                    ; malloc + 450
 <malloc+389>0f 1f 00                       nopl   (%rax)
 <malloc+392>48 8d 05 f9 d2 22 00           leaq   0x22d2f9(%rip), %rax
 <malloc+399>48 8b 00                       movq   (%rax), %rax
 <malloc+402>48 8d 2c 03                    leaq   (%rbx,%rax), %rbp
 <malloc+406>48 f7 d0                       notq   %rax
 <malloc+409>48 21 c5                       andq   %rax, %rbp
 <malloc+412>31 ff                          xorl   %edi, %edi
 <malloc+414>e8 1d 6c 01 00                 callq  0x1cd50                   ; ???
 <malloc+419>48 89 df                       movq   %rbx, %rdi
 <malloc+422>89 c2                          movl   %eax, %edx
 <malloc+424>31 f6                          xorl   %esi, %esi
 <malloc+426>e8 a1 65 01 00                 callq  0x1c6e0                   ; ???
 <malloc+431>48 89 c3                       movq   %rax, %rbx
 <malloc+434>48 85 db                       testq  %rbx, %rbx
 <malloc+437>74 bf                          je     0x6106                    ; malloc + 374
 <malloc+439>48 8b 05 3a be 22 00           movq   0x22be3a(%rip), %rax      ; libjemalloc.so.1..got + 24
 <malloc+446>64 48 01 28                    addq   %rbp, %fs:(%rax)
 <malloc+450>48 83 c4 18                    addq   $0x18, %rsp
 <malloc+454>48 89 d8                       movq   %rbx, %rax
 <malloc+457>5b                             popq   %rbx
 <malloc+458>5d                             popq   %rbp
 <malloc+459>41 5c                          popq   %r12
 <malloc+461>41 5d                          popq   %r13
 <malloc+463>41 5e                          popq   %r14
 <malloc+465>41 5f                          popq   %r15
 <malloc+467>c3                             retq   
 <malloc+468>0f 1f 40 00                    nopl   (%rax)
 <malloc+472>49 89 ff                       movq   %rdi, %r15
 <malloc+475>4d 85 ff                       testq  %r15, %r15
 <malloc+478>0f 84 fc 02 00 00              je     0x6470                    ; malloc + 1248
 <malloc+484>49 8d 46 01                    leaq   0x1(%r14), %rax
 <malloc+488>48 c1 e0 05                    shlq   $0x5, %rax
 <malloc+492>4d 8d 64 07 08                 leaq   0x8(%r15,%rax), %r12
 <malloc+497>4b 8d 04 76                    leaq   (%r14,%r14,2), %rax
 <malloc+501>49 8d 04 86                    leaq   (%r14,%rax,4), %rax
 <malloc+505>49 8b 4c c5 00                 movq   (%r13,%rax,8), %rcx
 <malloc+510>41 8b 44 24 10                 movl   0x10(%r12), %eax
 <malloc+515>85 c0                          testl  %eax, %eax
 <malloc+517>0f 85 75 01 00 00              jne    0x6310                    ; malloc + 896
 <malloc+523>41 c7 44 24 08 ff ff ff ff     movl   $0xffffffff, 0x8(%r12)
 <malloc+532>4c 89 f2                       movq   %r14, %rdx
 <malloc+535>4c 89 e6                       movq   %r12, %rsi
 <malloc+538>4c 89 ff                       movq   %r15, %rdi
 <malloc+541>48 89 4c 24 08                 movq   %rcx, 0x8(%rsp)
 <malloc+546>e8 39 04 02 00                 callq  0x265f0                   ; ???
 <malloc+551>48 85 c0                       testq  %rax, %rax
 <malloc+554>48 89 c3                       movq   %rax, %rbx
 <malloc+557>48 8b 4c 24 08                 movq   0x8(%rsp), %rcx
 <malloc+562>0f 84 3e ff ff ff              je     0x6106                    ; malloc + 374
 <malloc+568>0f 1f 84 00 00 00 00 00        nopl   (%rax,%rax)
 <malloc+576>80 3d c1 c0 22 00 00           cmpb   $0x0, 0x22c0c1(%rip)      ; libjemalloc.so.1..bss + 55
 <malloc+583>0f 85 d3 01 00 00              jne    0x63b0                    ; malloc + 1056
 <malloc+589>80 3d a4 c0 22 00 00           cmpb   $0x0, 0x22c0a4(%rip)      ; libjemalloc.so.1..bss + 39
 <malloc+596>0f 85 e6 01 00 00              jne    0x63d0                    ; malloc + 1088
 <malloc+602>41 8b 47 20                    movl   0x20(%r15), %eax
 <malloc+606>49 83 04 24 01                 addq   $0x1, (%r12)
 <malloc+611>83 c0 01                       addl   $0x1, %eax
 <malloc+614>3d 25 01 00 00                 cmpl   $0x125, %eax
 <malloc+619>41 89 47 20                    movl   %eax, 0x20(%r15)
 <malloc+623>0f 85 42 ff ff ff              jne    0x6147                    ; malloc + 439
 <malloc+629>4c 89 ff                       movq   %r15, %rdi
 <malloc+632>e8 63 08 02 00                 callq  0x26a70                   ; ???
 <malloc+637>e9 35 ff ff ff                 jmp    0x6147                    ; malloc + 439
 <malloc+642>66 0f 1f 44 00 00              nopw   (%rax,%rax)
 <malloc+648>49 89 fd                       movq   %rdi, %r13
 <malloc+651>4d 85 ed                       testq  %r13, %r13
 <malloc+654>0f 84 bc 00 00 00              je     0x62e0                    ; malloc + 848
 <malloc+660>48 89 e8                       movq   %rbp, %rax
 <malloc+663>48 c1 e8 0c                    shrq   $0xc, %rax
 <malloc+667>48 83 c0 1c                    addq   $0x1c, %rax
 <malloc+671>48 c1 e0 05                    shlq   $0x5, %rax
 <malloc+675>4d 8d 64 05 08                 leaq   0x8(%r13,%rax), %r12
 <malloc+680>41 8b 44 24 10                 movl   0x10(%r12), %eax
 <malloc+685>85 c0                          testl  %eax, %eax
 <malloc+687>0f 85 fb 00 00 00              jne    0x6340                    ; malloc + 944
 <malloc+693>41 c7 44 24 08 ff ff ff ff     movl   $0xffffffff, 0x8(%r12)
 <malloc+702>49 8b 7d 18                    movq   0x18(%r13), %rdi
 <malloc+706>31 d2                          xorl   %edx, %edx
 <malloc+708>48 89 ee                       movq   %rbp, %rsi
 <malloc+711>e8 54 77 00 00                 callq  0xd9b0                    ; ???
 <malloc+716>48 85 c0                       testq  %rax, %rax
 <malloc+719>48 89 c3                       movq   %rax, %rbx
 <malloc+722>0f 84 9e fe ff ff              je     0x6106                    ; malloc + 374
 <malloc+728>0f 1f 84 00 00 00 00 00        nopl   (%rax,%rax)
 <malloc+736>41 8b 45 20                    movl   0x20(%r13), %eax
 <malloc+740>83 c0 01                       addl   $0x1, %eax
 <malloc+743>3d 25 01 00 00                 cmpl   $0x125, %eax
 <malloc+748>41 89 45 20                    movl   %eax, 0x20(%r13)
 <malloc+752>0f 85 c1 fe ff ff              jne    0x6147                    ; malloc + 439
 <malloc+758>4c 89 ef                       movq   %r13, %rdi
 <malloc+761>e8 e2 07 02 00                 callq  0x26a70                   ; ???
 <malloc+766>e9 b4 fe ff ff                 jmp    0x6147                    ; malloc + 439
 <malloc+771>48 8d 0d 36 26 02 00           leaq   0x22636(%rip), %rcx       ; ???
 <malloc+778>48 39 0d 4f bd 22 00           cmpq   %rcx, 0x22bd4f(%rip)      ; libjemalloc.so.1..got + 128
 <malloc+785>48 c7 00 02 00 00 00           movq   $0x2, (%rax)
 <malloc+792>74 36                          je     0x62e0                    ; malloc + 848
 <malloc+794>48 89 c6                       movq   %rax, %rsi
 <malloc+797>48 8d 05 f4 d1 22 00           leaq   0x22d1f4(%rip), %rax
 <malloc+804>8b 38                          movl   (%rax), %edi
 <malloc+806>e8 15 d0 ff ff                 callq  0x32d0                    ; symbol stub for: pthread_setspecific
 <malloc+811>85 c0                          testl  %eax, %eax
 <malloc+813>74 21                          je     0x62e0                    ; malloc + 848
 <malloc+815>48 8d 3d d2 27 02 00           leaq   0x227d2(%rip), %rdi       ; libjemalloc.so.1..rodata + 280
 <malloc+822>e8 05 11 02 00                 callq  0x273d0                   ; ???
 <malloc+827>80 3d c7 bf 22 00 00           cmpb   $0x0, 0x22bfc7(%rip)      ; libjemalloc.so.1..bss + 56
 <malloc+834>0f 85 ff 01 00 00              jne    0x64d7                    ; malloc + 1351
 <malloc+840>0f 1f 84 00 00 00 00 00        nopl   (%rax,%rax)
 <malloc+848>48 8b 05 d9 bc 22 00           movq   0x22bcd9(%rip), %rax      ; libjemalloc.so.1..got + 80
 <malloc+855>64 48 8b 38                    movq   %fs:(%rax), %rdi
 <malloc+859>48 85 ff                       testq  %rdi, %rdi
 <malloc+862>0f 84 ec 01 00 00              je     0x64e0                    ; malloc + 1360
 <malloc+868>48 89 de                       movq   %rbx, %rsi
 <malloc+871>31 d2                          xorl   %edx, %edx
 <malloc+873>e8 b2 76 00 00                 callq  0xd9b0                    ; ???
 <malloc+878>48 89 c3                       movq   %rax, %rbx
 <malloc+881>e9 3c fe ff ff                 jmp    0x6142                    ; malloc + 434
 <malloc+886>66 2e 0f 1f 84 00 00 00 00 00  nopw   %cs:(%rax,%rax)
 <malloc+896>83 e8 01                       subl   $0x1, %eax
 <malloc+899>41 3b 44 24 08                 cmpl   0x8(%r12), %eax
 <malloc+904>41 89 44 24 10                 movl   %eax, 0x10(%r12)
 <malloc+909>7d 05                          jge    0x6324                    ; malloc + 916
 <malloc+911>41 89 44 24 08                 movl   %eax, 0x8(%r12)
 <malloc+916>49 8b 54 24 18                 movq   0x18(%r12), %rdx
 <malloc+921>48 8b 1c c2                    movq   (%rdx,%rax,8), %rbx
 <malloc+925>48 85 db                       testq  %rbx, %rbx
 <malloc+928>0f 85 9a fe ff ff              jne    0x61d0                    ; malloc + 576
 <malloc+934>e9 69 fe ff ff                 jmp    0x61a4                    ; malloc + 532
 <malloc+939>0f 1f 44 00 00                 nopl   (%rax,%rax)
 <malloc+944>83 e8 01                       subl   $0x1, %eax
 <malloc+947>41 3b 44 24 08                 cmpl   0x8(%r12), %eax
 <malloc+952>41 89 44 24 10                 movl   %eax, 0x10(%r12)
 <malloc+957>0f 8c 95 00 00 00              jl     0x63e8                    ; malloc + 1112
 <malloc+963>49 8b 54 24 18                 movq   0x18(%r12), %rdx
 <malloc+968>48 8b 1c c2                    movq   (%rdx,%rax,8), %rbx
 <malloc+972>48 85 db                       testq  %rbx, %rbx
 <malloc+975>0f 84 e9 fe ff ff              je     0x624e                    ; malloc + 702
 <malloc+981>80 3d 2c bf 22 00 00           cmpb   $0x0, 0x22bf2c(%rip)      ; libjemalloc.so.1..bss + 55
 <malloc+988>74 22                          je     0x6390                    ; malloc + 1024
 <malloc+990>48 89 ea                       movq   %rbp, %rdx
 <malloc+993>be a5 00 00 00                 movl   $0xa5, %esi
 <malloc+998>48 89 df                       movq   %rbx, %rdi
 <malloc+1001>e8 92 cf ff ff                 callq  0x3310                    ; symbol stub for: memset
 <malloc+1006>49 83 04 24 01                 addq   $0x1, (%r12)
 <malloc+1011>e9 e8 fe ff ff                 jmp    0x6270                    ; malloc + 736
 <malloc+1016>0f 1f 84 00 00 00 00 00        nopl   (%rax,%rax)
 <malloc+1024>80 3d f1 be 22 00 00           cmpb   $0x0, 0x22bef1(%rip)      ; libjemalloc.so.1..bss + 39
 <malloc+1031>74 e5                          je     0x637e                    ; malloc + 1006
 <malloc+1033>48 89 ea                       movq   %rbp, %rdx
 <malloc+1036>31 f6                          xorl   %esi, %esi
 <malloc+1038>48 89 df                       movq   %rbx, %rdi
 <malloc+1041>e8 6a cf ff ff                 callq  0x3310                    ; symbol stub for: memset
 <malloc+1046>eb d6                          jmp    0x637e                    ; malloc + 1006
 <malloc+1048>0f 1f 84 00 00 00 00 00        nopl   (%rax,%rax)
 <malloc+1056>4b 8d 04 76                    leaq   (%r14,%r14,2), %rax
 <malloc+1060>31 d2                          xorl   %edx, %edx
 <malloc+1062>48 89 df                       movq   %rbx, %rdi
 <malloc+1065>49 8d 04 86                    leaq   (%r14,%rax,4), %rax
 <malloc+1069>49 8d 74 c5 00                 leaq   (%r13,%rax,8), %rsi
 <malloc+1074>e8 b9 72 00 00                 callq  0xd680                    ; ???
 <malloc+1079>e9 1e fe ff ff                 jmp    0x61ea                    ; malloc + 602
 <malloc+1084>0f 1f 40 00                    nopl   (%rax)
 <malloc+1088>48 89 ca                       movq   %rcx, %rdx
 <malloc+1091>31 f6                          xorl   %esi, %esi
 <malloc+1093>48 89 df                       movq   %rbx, %rdi
 <malloc+1096>e8 33 cf ff ff                 callq  0x3310                    ; symbol stub for: memset
 <malloc+1101>e9 08 fe ff ff                 jmp    0x61ea                    ; malloc + 602
 <malloc+1106>66 0f 1f 44 00 00              nopw   (%rax,%rax)
 <malloc+1112>41 89 44 24 08                 movl   %eax, 0x8(%r12)
 <malloc+1117>e9 61 ff ff ff                 jmp    0x6353                    ; malloc + 963
 <malloc+1122>66 0f 1f 44 00 00              nopw   (%rax,%rax)
 <malloc+1128>bf 0a 00 00 00                 movl   $0xa, %edi
 <malloc+1133>e8 be bf 01 00                 callq  0x223c0                   ; ???
 <malloc+1138>e9 d7 fb ff ff                 jmp    0x5fde                    ; malloc + 78
 <malloc+1143>66 48 8d 3d c9 bb 22 00        leaq   0x22bbc9(%rip), %rdi      ; libjemalloc.so.1..got + 104
 <malloc+1151>66 66 48 e8 59 cf              callw  0xcf59

GDB

(gdb) disass /r
Dump of assembler code for function malloc:
   0x00007ffff7bacf90 <+0>: 41 57   push   %r15
   0x00007ffff7bacf92 <+2>: b8 01 00 00 00  mov    $0x1,%eax
   0x00007ffff7bacf97 <+7>: 41 56   push   %r14
   0x00007ffff7bacf99 <+9>: 41 55   push   %r13
   0x00007ffff7bacf9b <+11>:    41 54   push   %r12
   0x00007ffff7bacf9d <+13>:    55  push   %rbp
   0x00007ffff7bacf9e <+14>:    53  push   %rbx
   0x00007ffff7bacf9f <+15>:    48 89 fb    mov    %rdi,%rbx
   0x00007ffff7bacfa2 <+18>:    48 83 ec 18 sub    $0x18,%rsp
   0x00007ffff7bacfa6 <+22>:    48 85 ff    test   %rdi,%rdi
   0x00007ffff7bacfa9 <+25>:    48 0f 44 d8 cmove  %rax,%rbx
   0x00007ffff7bacfad <+29>:    80 3d 1c c3 22 00 00    cmpb   $0x0,0x22c31c(%rip)        # 0x7ffff7dd92d0
   0x00007ffff7bacfb4 <+36>:    0f 84 3e 01 00 00   je     0x7ffff7bad0f8 <malloc+360>
   0x00007ffff7bacfba <+42>:    48 83 3d ce c2 22 00 00 cmpq   $0x0,0x22c2ce(%rip)        # 0x7ffff7dd9290
   0x00007ffff7bacfc2 <+50>:    74 1a   je     0x7ffff7bacfde <malloc+78>
   0x00007ffff7bacfc4 <+52>:    64 48 8b 04 25 00 00 00 00  mov    %fs:0x0,%rax
   0x00007ffff7bacfcd <+61>:    48 03 05 f4 bf 22 00    add    0x22bff4(%rip),%rax        # 0x7ffff7dd8fc8
   0x00007ffff7bacfd4 <+68>:    48 83 38 00 cmpq   $0x0,(%rax)
   0x00007ffff7bacfd8 <+72>:    0f 84 1a 04 00 00   je     0x7ffff7bad3f8 <malloc+1128>
   0x00007ffff7bacfde <+78>:    48 81 fb 00 0e 00 00    cmp    $0xe00,%rbx
   0x00007ffff7bacfe5 <+85>:    0f 87 8d 00 00 00   ja     0x7ffff7bad078 <malloc+232>
   0x00007ffff7bacfeb <+91>:    48 8d 15 8e 2c 02 00    lea    0x22c8e(%rip),%rdx        # 0x7ffff7bcfc80
   0x00007ffff7bacff2 <+98>:    48 8d 43 ff lea    -0x1(%rbx),%rax
   0x00007ffff7bacff6 <+102>:   4c 8d 2d 63 c8 22 00    lea    0x22c863(%rip),%r13        # 0x7ffff7dd9860
   0x00007ffff7bacffd <+109>:   48 c1 e8 03 shr    $0x3,%rax
   0x00007ffff7bad001 <+113>:   44 0f b6 34 02  movzbl (%rdx,%rax,1),%r14d
   0x00007ffff7bad006 <+118>:   41 0f b6 c6 movzbl %r14b,%eax
   0x00007ffff7bad00a <+122>:   48 8d 14 40 lea    (%rax,%rax,2),%rdx
   0x00007ffff7bad00e <+126>:   48 8d 04 90 lea    (%rax,%rdx,4),%rax
   0x00007ffff7bad012 <+130>:   49 8b 6c c5 00  mov    0x0(%r13,%rax,8),%rbp
   0x00007ffff7bad017 <+135>:   48 8d 05 ea d3 22 00    lea    0x22d3ea(%rip),%rax        # 0x7ffff7dda408
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad01e <+142>:   48 3b 18    cmp    (%rax),%rbx
   0x00007ffff7bad021 <+145>:   0f 87 05 01 00 00   ja     0x7ffff7bad12c <malloc+412>
   0x00007ffff7bad027 <+151>:   64 48 8b 04 25 00 00 00 00  mov    %fs:0x0,%rax
   0x00007ffff7bad030 <+160>:   48 03 05 99 bf 22 00    add    0x22bf99(%rip),%rax        # 0x7ffff7dd8fd0
   0x00007ffff7bad037 <+167>:   48 8b 38    mov    (%rax),%rdi
   0x00007ffff7bad03a <+170>:   48 83 ff 03 cmp    $0x3,%rdi
   0x00007ffff7bad03e <+174>:   0f 87 24 01 00 00   ja     0x7ffff7bad168 <malloc+472>
   0x00007ffff7bad044 <+180>:   48 83 ff 01 cmp    $0x1,%rdi
   0x00007ffff7bad048 <+184>:   0f 84 22 04 00 00   je     0x7ffff7bad470 <malloc+1248>
   0x00007ffff7bad04e <+190>:   48 85 ff    test   %rdi,%rdi
   0x00007ffff7bad051 <+193>:   0f 84 b0 03 00 00   je     0x7ffff7bad407 <malloc+1143>
   0x00007ffff7bad057 <+199>:   48 83 ff 03 cmp    $0x3,%rdi
   0x00007ffff7bad05b <+203>:   0f 84 35 04 00 00   je     0x7ffff7bad496 <malloc+1286>
   0x00007ffff7bad061 <+209>:   48 83 ff 02 cmp    $0x2,%rdi
   0x00007ffff7bad065 <+213>:   0f 84 05 04 00 00   je     0x7ffff7bad470 <malloc+1248>
   0x00007ffff7bad06b <+219>:   49 89 ff    mov    %rdi,%r15
   0x00007ffff7bad06e <+222>:   e9 01 01 00 00  jmpq   0x7ffff7bad174 <malloc+484>
   0x00007ffff7bad073 <+227>:   0f 1f 44 00 00  nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad078 <+232>:   48 8d 05 89 d3 22 00    lea    0x22d389(%rip),%rax        # 0x7ffff7dda408
   0x00007ffff7bad07f <+239>:   48 3b 18    cmp    (%rax),%rbx
   0x00007ffff7bad082 <+242>:   0f 87 90 00 00 00   ja     0x7ffff7bad118 <malloc+392>
   0x00007ffff7bad088 <+248>:   48 8d 05 09 d4 22 00    lea    0x22d409(%rip),%rax        # 0x7ffff7dda498
   0x00007ffff7bad08f <+255>:   48 8d ab ff 0f 00 00    lea    0xfff(%rbx),%rbp
   0x00007ffff7bad096 <+262>:   48 81 e5 00 f0 ff ff    and    $0xfffffffffffff000,%rbp
   0x00007ffff7bad09d <+269>:   48 3b 18    cmp    (%rax),%rbx
   0x00007ffff7bad0a0 <+272>:   0f 87 3a 02 00 00   ja     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad0a6 <+278>:   64 48 8b 04 25 00 00 00 00  mov    %fs:0x0,%rax
   0x00007ffff7bad0af <+287>:   48 03 05 1a bf 22 00    add    0x22bf1a(%rip),%rax        # 0x7ffff7dd8fd0
   0x00007ffff7bad0b6 <+294>:   48 8b 38    mov    (%rax),%rdi
   0x00007ffff7bad0b9 <+297>:   48 83 ff 03 cmp    $0x3,%rdi
   0x00007ffff7bad0bd <+301>:   0f 87 55 01 00 00   ja     0x7ffff7bad218 <malloc+648>
   0x00007ffff7bad0c3 <+307>:   48 83 ff 01 cmp    $0x1,%rdi
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad0c7 <+311>:   0f 84 13 02 00 00   je     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad0cd <+317>:   48 85 ff    test   %rdi,%rdi
   0x00007ffff7bad0d0 <+320>:   0f 84 17 04 00 00   je     0x7ffff7bad4ed <malloc+1373>
   0x00007ffff7bad0d6 <+326>:   48 83 ff 03 cmp    $0x3,%rdi
   0x00007ffff7bad0da <+330>:   0f 84 b3 01 00 00   je     0x7ffff7bad293 <malloc+771>
   0x00007ffff7bad0e0 <+336>:   48 83 ff 02 cmp    $0x2,%rdi
   0x00007ffff7bad0e4 <+340>:   0f 84 f6 01 00 00   je     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad0ea <+346>:   49 89 fd    mov    %rdi,%r13
   0x00007ffff7bad0ed <+349>:   e9 32 01 00 00  jmpq   0x7ffff7bad224 <malloc+660>
   0x00007ffff7bad0f2 <+354>:   66 0f 1f 44 00 00   nopw   0x0(%rax,%rax,1)
   0x00007ffff7bad0f8 <+360>:   e8 63 e7 ff ff  callq  0x7ffff7bab860
   0x00007ffff7bad0fd <+365>:   84 c0   test   %al,%al
   0x00007ffff7bad0ff <+367>:   90  nop
   0x00007ffff7bad100 <+368>:   0f 84 b4 fe ff ff   je     0x7ffff7bacfba <malloc+42>
   0x00007ffff7bad106 <+374>:   e8 05 d1 ff ff  callq  0x7ffff7baa210 <__errno_location@plt>
   0x00007ffff7bad10b <+379>:   31 db   xor    %ebx,%ebx
   0x00007ffff7bad10d <+381>:   c7 00 0c 00 00 00   movl   $0xc,(%rax)
   0x00007ffff7bad113 <+387>:   eb 3d   jmp    0x7ffff7bad152 <malloc+450>
   0x00007ffff7bad115 <+389>:   0f 1f 00    nopl   (%rax)
   0x00007ffff7bad118 <+392>:   48 8d 05 f9 d2 22 00    lea    0x22d2f9(%rip),%rax        # 0x7ffff7dda418
   0x00007ffff7bad11f <+399>:   48 8b 00    mov    (%rax),%rax
   0x00007ffff7bad122 <+402>:   48 8d 2c 03 lea    (%rbx,%rax,1),%rbp
   0x00007ffff7bad126 <+406>:   48 f7 d0    not    %rax
   0x00007ffff7bad129 <+409>:   48 21 c5    and    %rax,%rbp
   0x00007ffff7bad12c <+412>:   31 ff   xor    %edi,%edi
   0x00007ffff7bad12e <+414>:   e8 1d 6c 01 00  callq  0x7ffff7bc3d50
   0x00007ffff7bad133 <+419>:   48 89 df    mov    %rbx,%rdi
   0x00007ffff7bad136 <+422>:   89 c2   mov    %eax,%edx
   0x00007ffff7bad138 <+424>:   31 f6   xor    %esi,%esi
   0x00007ffff7bad13a <+426>:   e8 a1 65 01 00  callq  0x7ffff7bc36e0
   0x00007ffff7bad13f <+431>:   48 89 c3    mov    %rax,%rbx
   0x00007ffff7bad142 <+434>:   48 85 db    test   %rbx,%rbx
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad145 <+437>:   74 bf   je     0x7ffff7bad106 <malloc+374>
   0x00007ffff7bad147 <+439>:   48 8b 05 3a be 22 00    mov    0x22be3a(%rip),%rax        # 0x7ffff7dd8f88
   0x00007ffff7bad14e <+446>:   64 48 01 28 add    %rbp,%fs:(%rax)
   0x00007ffff7bad152 <+450>:   48 83 c4 18 add    $0x18,%rsp
   0x00007ffff7bad156 <+454>:   48 89 d8    mov    %rbx,%rax
   0x00007ffff7bad159 <+457>:   5b  pop    %rbx
   0x00007ffff7bad15a <+458>:   5d  pop    %rbp
   0x00007ffff7bad15b <+459>:   41 5c   pop    %r12
   0x00007ffff7bad15d <+461>:   41 5d   pop    %r13
   0x00007ffff7bad15f <+463>:   41 5e   pop    %r14
   0x00007ffff7bad161 <+465>:   41 5f   pop    %r15
   0x00007ffff7bad163 <+467>:   c3  retq   
   0x00007ffff7bad164 <+468>:   0f 1f 40 00 nopl   0x0(%rax)
   0x00007ffff7bad168 <+472>:   49 89 ff    mov    %rdi,%r15
   0x00007ffff7bad16b <+475>:   4d 85 ff    test   %r15,%r15
   0x00007ffff7bad16e <+478>:   0f 84 fc 02 00 00   je     0x7ffff7bad470 <malloc+1248>
   0x00007ffff7bad174 <+484>:   49 8d 46 01 lea    0x1(%r14),%rax
   0x00007ffff7bad178 <+488>:   48 c1 e0 05 shl    $0x5,%rax
   0x00007ffff7bad17c <+492>:   4d 8d 64 07 08  lea    0x8(%r15,%rax,1),%r12
   0x00007ffff7bad181 <+497>:   4b 8d 04 76 lea    (%r14,%r14,2),%rax
   0x00007ffff7bad185 <+501>:   49 8d 04 86 lea    (%r14,%rax,4),%rax
   0x00007ffff7bad189 <+505>:   49 8b 4c c5 00  mov    0x0(%r13,%rax,8),%rcx
   0x00007ffff7bad18e <+510>:   41 8b 44 24 10  mov    0x10(%r12),%eax
   0x00007ffff7bad193 <+515>:   85 c0   test   %eax,%eax
   0x00007ffff7bad195 <+517>:   0f 85 75 01 00 00   jne    0x7ffff7bad310 <malloc+896>
   0x00007ffff7bad19b <+523>:   41 c7 44 24 08 ff ff ff ff  movl   $0xffffffff,0x8(%r12)
   0x00007ffff7bad1a4 <+532>:   4c 89 f2    mov    %r14,%rdx
   0x00007ffff7bad1a7 <+535>:   4c 89 e6    mov    %r12,%rsi
   0x00007ffff7bad1aa <+538>:   4c 89 ff    mov    %r15,%rdi
   0x00007ffff7bad1ad <+541>:   48 89 4c 24 08  mov    %rcx,0x8(%rsp)
   0x00007ffff7bad1b2 <+546>:   e8 39 04 02 00  callq  0x7ffff7bcd5f0
   0x00007ffff7bad1b7 <+551>:   48 85 c0    test   %rax,%rax
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad1ba <+554>:   48 89 c3    mov    %rax,%rbx
   0x00007ffff7bad1bd <+557>:   48 8b 4c 24 08  mov    0x8(%rsp),%rcx
   0x00007ffff7bad1c2 <+562>:   0f 84 3e ff ff ff   je     0x7ffff7bad106 <malloc+374>
   0x00007ffff7bad1c8 <+568>:   0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad1d0 <+576>:   80 3d c1 c0 22 00 00    cmpb   $0x0,0x22c0c1(%rip)        # 0x7ffff7dd9298
   0x00007ffff7bad1d7 <+583>:   0f 85 d3 01 00 00   jne    0x7ffff7bad3b0 <malloc+1056>
   0x00007ffff7bad1dd <+589>:   80 3d a4 c0 22 00 00    cmpb   $0x0,0x22c0a4(%rip)        # 0x7ffff7dd9288
   0x00007ffff7bad1e4 <+596>:   0f 85 e6 01 00 00   jne    0x7ffff7bad3d0 <malloc+1088>
   0x00007ffff7bad1ea <+602>:   41 8b 47 20 mov    0x20(%r15),%eax
   0x00007ffff7bad1ee <+606>:   49 83 04 24 01  addq   $0x1,(%r12)
   0x00007ffff7bad1f3 <+611>:   83 c0 01    add    $0x1,%eax
   0x00007ffff7bad1f6 <+614>:   3d 25 01 00 00  cmp    $0x125,%eax
   0x00007ffff7bad1fb <+619>:   41 89 47 20 mov    %eax,0x20(%r15)
   0x00007ffff7bad1ff <+623>:   0f 85 42 ff ff ff   jne    0x7ffff7bad147 <malloc+439>
   0x00007ffff7bad205 <+629>:   4c 89 ff    mov    %r15,%rdi
   0x00007ffff7bad208 <+632>:   e8 63 08 02 00  callq  0x7ffff7bcda70
   0x00007ffff7bad20d <+637>:   e9 35 ff ff ff  jmpq   0x7ffff7bad147 <malloc+439>
   0x00007ffff7bad212 <+642>:   66 0f 1f 44 00 00   nopw   0x0(%rax,%rax,1)
   0x00007ffff7bad218 <+648>:   49 89 fd    mov    %rdi,%r13
   0x00007ffff7bad21b <+651>:   4d 85 ed    test   %r13,%r13
   0x00007ffff7bad21e <+654>:   0f 84 bc 00 00 00   je     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad224 <+660>:   48 89 e8    mov    %rbp,%rax
   0x00007ffff7bad227 <+663>:   48 c1 e8 0c shr    $0xc,%rax
   0x00007ffff7bad22b <+667>:   48 83 c0 1c add    $0x1c,%rax
   0x00007ffff7bad22f <+671>:   48 c1 e0 05 shl    $0x5,%rax
   0x00007ffff7bad233 <+675>:   4d 8d 64 05 08  lea    0x8(%r13,%rax,1),%r12
   0x00007ffff7bad238 <+680>:   41 8b 44 24 10  mov    0x10(%r12),%eax
   0x00007ffff7bad23d <+685>:   85 c0   test   %eax,%eax
   0x00007ffff7bad23f <+687>:   0f 85 fb 00 00 00   jne    0x7ffff7bad340 <malloc+944>
   0x00007ffff7bad245 <+693>:   41 c7 44 24 08 ff ff ff ff  movl   $0xffffffff,0x8(%r12)
   0x00007ffff7bad24e <+702>:   49 8b 7d 18 mov    0x18(%r13),%rdi
   0x00007ffff7bad252 <+706>:   31 d2   xor    %edx,%edx
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad254 <+708>:   48 89 ee    mov    %rbp,%rsi
   0x00007ffff7bad257 <+711>:   e8 54 77 00 00  callq  0x7ffff7bb49b0
   0x00007ffff7bad25c <+716>:   48 85 c0    test   %rax,%rax
   0x00007ffff7bad25f <+719>:   48 89 c3    mov    %rax,%rbx
   0x00007ffff7bad262 <+722>:   0f 84 9e fe ff ff   je     0x7ffff7bad106 <malloc+374>
   0x00007ffff7bad268 <+728>:   0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad270 <+736>:   41 8b 45 20 mov    0x20(%r13),%eax
   0x00007ffff7bad274 <+740>:   83 c0 01    add    $0x1,%eax
   0x00007ffff7bad277 <+743>:   3d 25 01 00 00  cmp    $0x125,%eax
   0x00007ffff7bad27c <+748>:   41 89 45 20 mov    %eax,0x20(%r13)
   0x00007ffff7bad280 <+752>:   0f 85 c1 fe ff ff   jne    0x7ffff7bad147 <malloc+439>
   0x00007ffff7bad286 <+758>:   4c 89 ef    mov    %r13,%rdi
   0x00007ffff7bad289 <+761>:   e8 e2 07 02 00  callq  0x7ffff7bcda70
   0x00007ffff7bad28e <+766>:   e9 b4 fe ff ff  jmpq   0x7ffff7bad147 <malloc+439>
   0x00007ffff7bad293 <+771>:   48 8d 0d 36 26 02 00    lea    0x22636(%rip),%rcx        # 0x7ffff7bcf8d0
   0x00007ffff7bad29a <+778>:   48 39 0d 4f bd 22 00    cmp    %rcx,0x22bd4f(%rip)        # 0x7ffff7dd8ff0
   0x00007ffff7bad2a1 <+785>:   48 c7 00 02 00 00 00    movq   $0x2,(%rax)
   0x00007ffff7bad2a8 <+792>:   74 36   je     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad2aa <+794>:   48 89 c6    mov    %rax,%rsi
   0x00007ffff7bad2ad <+797>:   48 8d 05 f4 d1 22 00    lea    0x22d1f4(%rip),%rax        # 0x7ffff7dda4a8
   0x00007ffff7bad2b4 <+804>:   8b 38   mov    (%rax),%edi
   0x00007ffff7bad2b6 <+806>:   e8 15 d0 ff ff  callq  0x7ffff7baa2d0 <pthread_setspecific@plt>
   0x00007ffff7bad2bb <+811>:   85 c0   test   %eax,%eax
   0x00007ffff7bad2bd <+813>:   74 21   je     0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad2bf <+815>:   48 8d 3d d2 27 02 00    lea    0x227d2(%rip),%rdi        # 0x7ffff7bcfa98
   0x00007ffff7bad2c6 <+822>:   e8 05 11 02 00  callq  0x7ffff7bce3d0
   0x00007ffff7bad2cb <+827>:   80 3d c7 bf 22 00 00    cmpb   $0x0,0x22bfc7(%rip)        # 0x7ffff7dd9299
   0x00007ffff7bad2d2 <+834>:   0f 85 ff 01 00 00   jne    0x7ffff7bad4d7 <malloc+1351>
   0x00007ffff7bad2d8 <+840>:   0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad2e0 <+848>:   48 8b 05 d9 bc 22 00    mov    0x22bcd9(%rip),%rax        # 0x7ffff7dd8fc0
   0x00007ffff7bad2e7 <+855>:   64 48 8b 38 mov    %fs:(%rax),%rdi
   0x00007ffff7bad2eb <+859>:   48 85 ff    test   %rdi,%rdi
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad2ee <+862>:   0f 84 ec 01 00 00   je     0x7ffff7bad4e0 <malloc+1360>
   0x00007ffff7bad2f4 <+868>:   48 89 de    mov    %rbx,%rsi
   0x00007ffff7bad2f7 <+871>:   31 d2   xor    %edx,%edx
   0x00007ffff7bad2f9 <+873>:   e8 b2 76 00 00  callq  0x7ffff7bb49b0
   0x00007ffff7bad2fe <+878>:   48 89 c3    mov    %rax,%rbx
   0x00007ffff7bad301 <+881>:   e9 3c fe ff ff  jmpq   0x7ffff7bad142 <malloc+434>
   0x00007ffff7bad306 <+886>:   66 2e 0f 1f 84 00 00 00 00 00   nopw   %cs:0x0(%rax,%rax,1)
   0x00007ffff7bad310 <+896>:   83 e8 01    sub    $0x1,%eax
   0x00007ffff7bad313 <+899>:   41 3b 44 24 08  cmp    0x8(%r12),%eax
   0x00007ffff7bad318 <+904>:   41 89 44 24 10  mov    %eax,0x10(%r12)
   0x00007ffff7bad31d <+909>:   7d 05   jge    0x7ffff7bad324 <malloc+916>
   0x00007ffff7bad31f <+911>:   41 89 44 24 08  mov    %eax,0x8(%r12)
   0x00007ffff7bad324 <+916>:   49 8b 54 24 18  mov    0x18(%r12),%rdx
   0x00007ffff7bad329 <+921>:   48 8b 1c c2 mov    (%rdx,%rax,8),%rbx
   0x00007ffff7bad32d <+925>:   48 85 db    test   %rbx,%rbx
   0x00007ffff7bad330 <+928>:   0f 85 9a fe ff ff   jne    0x7ffff7bad1d0 <malloc+576>
   0x00007ffff7bad336 <+934>:   e9 69 fe ff ff  jmpq   0x7ffff7bad1a4 <malloc+532>
   0x00007ffff7bad33b <+939>:   0f 1f 44 00 00  nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad340 <+944>:   83 e8 01    sub    $0x1,%eax
   0x00007ffff7bad343 <+947>:   41 3b 44 24 08  cmp    0x8(%r12),%eax
   0x00007ffff7bad348 <+952>:   41 89 44 24 10  mov    %eax,0x10(%r12)
   0x00007ffff7bad34d <+957>:   0f 8c 95 00 00 00   jl     0x7ffff7bad3e8 <malloc+1112>
   0x00007ffff7bad353 <+963>:   49 8b 54 24 18  mov    0x18(%r12),%rdx
   0x00007ffff7bad358 <+968>:   48 8b 1c c2 mov    (%rdx,%rax,8),%rbx
   0x00007ffff7bad35c <+972>:   48 85 db    test   %rbx,%rbx
   0x00007ffff7bad35f <+975>:   0f 84 e9 fe ff ff   je     0x7ffff7bad24e <malloc+702>
   0x00007ffff7bad365 <+981>:   80 3d 2c bf 22 00 00    cmpb   $0x0,0x22bf2c(%rip)        # 0x7ffff7dd9298
   0x00007ffff7bad36c <+988>:   74 22   je     0x7ffff7bad390 <malloc+1024>
   0x00007ffff7bad36e <+990>:   48 89 ea    mov    %rbp,%rdx
   0x00007ffff7bad371 <+993>:   be a5 00 00 00  mov    $0xa5,%esi
   0x00007ffff7bad376 <+998>:   48 89 df    mov    %rbx,%rdi
   0x00007ffff7bad379 <+1001>:  e8 92 cf ff ff  callq  0x7ffff7baa310 <memset@plt>
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad37e <+1006>:  49 83 04 24 01  addq   $0x1,(%r12)
   0x00007ffff7bad383 <+1011>:  e9 e8 fe ff ff  jmpq   0x7ffff7bad270 <malloc+736>
   0x00007ffff7bad388 <+1016>:  0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad390 <+1024>:  80 3d f1 be 22 00 00    cmpb   $0x0,0x22bef1(%rip)        # 0x7ffff7dd9288
   0x00007ffff7bad397 <+1031>:  74 e5   je     0x7ffff7bad37e <malloc+1006>
   0x00007ffff7bad399 <+1033>:  48 89 ea    mov    %rbp,%rdx
   0x00007ffff7bad39c <+1036>:  31 f6   xor    %esi,%esi
   0x00007ffff7bad39e <+1038>:  48 89 df    mov    %rbx,%rdi
   0x00007ffff7bad3a1 <+1041>:  e8 6a cf ff ff  callq  0x7ffff7baa310 <memset@plt>
   0x00007ffff7bad3a6 <+1046>:  eb d6   jmp    0x7ffff7bad37e <malloc+1006>
   0x00007ffff7bad3a8 <+1048>:  0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00007ffff7bad3b0 <+1056>:  4b 8d 04 76 lea    (%r14,%r14,2),%rax
   0x00007ffff7bad3b4 <+1060>:  31 d2   xor    %edx,%edx
   0x00007ffff7bad3b6 <+1062>:  48 89 df    mov    %rbx,%rdi
   0x00007ffff7bad3b9 <+1065>:  49 8d 04 86 lea    (%r14,%rax,4),%rax
   0x00007ffff7bad3bd <+1069>:  49 8d 74 c5 00  lea    0x0(%r13,%rax,8),%rsi
   0x00007ffff7bad3c2 <+1074>:  e8 b9 72 00 00  callq  0x7ffff7bb4680
   0x00007ffff7bad3c7 <+1079>:  e9 1e fe ff ff  jmpq   0x7ffff7bad1ea <malloc+602>
   0x00007ffff7bad3cc <+1084>:  0f 1f 40 00 nopl   0x0(%rax)
   0x00007ffff7bad3d0 <+1088>:  48 89 ca    mov    %rcx,%rdx
   0x00007ffff7bad3d3 <+1091>:  31 f6   xor    %esi,%esi
   0x00007ffff7bad3d5 <+1093>:  48 89 df    mov    %rbx,%rdi
   0x00007ffff7bad3d8 <+1096>:  e8 33 cf ff ff  callq  0x7ffff7baa310 <memset@plt>
   0x00007ffff7bad3dd <+1101>:  e9 08 fe ff ff  jmpq   0x7ffff7bad1ea <malloc+602>
   0x00007ffff7bad3e2 <+1106>:  66 0f 1f 44 00 00   nopw   0x0(%rax,%rax,1)
   0x00007ffff7bad3e8 <+1112>:  41 89 44 24 08  mov    %eax,0x8(%r12)
   0x00007ffff7bad3ed <+1117>:  e9 61 ff ff ff  jmpq   0x7ffff7bad353 <malloc+963>
   0x00007ffff7bad3f2 <+1122>:  66 0f 1f 44 00 00   nopw   0x0(%rax,%rax,1)
   0x00007ffff7bad3f8 <+1128>:  bf 0a 00 00 00  mov    $0xa,%edi
   0x00007ffff7bad3fd <+1133>:  e8 be bf 01 00  callq  0x7ffff7bc93c0
   0x00007ffff7bad402 <+1138>:  e9 d7 fb ff ff  jmpq   0x7ffff7bacfde <malloc+78>
   0x00007ffff7bad407 <+1143>:  66 48 8d 3d c9 bb 22 00 data16 lea 0x22bbc9(%rip),%rdi        # 0x7ffff7dd8fd8
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad40f <+1151>:  66 66 48 e8 59 cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
=> 0x00007ffff7bad417 <+1159>:  8b 10   mov    (%rax),%edx
   0x00007ffff7bad419 <+1161>:  83 fa 02    cmp    $0x2,%edx
   0x00007ffff7bad41c <+1164>:  75 0c   jne    0x7ffff7bad42a <malloc+1178>
   0x00007ffff7bad41e <+1166>:  48 8d 15 23 be 22 00    lea    0x22be23(%rip),%rdx        # 0x7ffff7dd9248
   0x00007ffff7bad425 <+1173>:  0f b6 12    movzbl (%rdx),%edx
   0x00007ffff7bad428 <+1176>:  89 10   mov    %edx,(%rax)
   0x00007ffff7bad42a <+1178>:  85 d2   test   %edx,%edx
   0x00007ffff7bad42c <+1180>:  0f 85 2e 01 00 00   jne    0x7ffff7bad560 <malloc+1488>
   0x00007ffff7bad432 <+1186>:  66 48 8d 3d 9e bb 22 00 data16 lea 0x22bb9e(%rip),%rdi        # 0x7ffff7dd8fd8
   0x00007ffff7bad43a <+1194>:  66 66 48 e8 2e cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
   0x00007ffff7bad442 <+1202>:  c7 00 00 00 00 00   movl   $0x0,(%rax)
   0x00007ffff7bad448 <+1208>:  64 48 8b 04 25 00 00 00 00  mov    %fs:0x0,%rax
   0x00007ffff7bad451 <+1217>:  48 03 05 78 bb 22 00    add    0x22bb78(%rip),%rax        # 0x7ffff7dd8fd0
   0x00007ffff7bad458 <+1224>:  48 8d 0d 71 24 02 00    lea    0x22471(%rip),%rcx        # 0x7ffff7bcf8d0
   0x00007ffff7bad45f <+1231>:  48 39 0d 8a bb 22 00    cmp    %rcx,0x22bb8a(%rip)        # 0x7ffff7dd8ff0
   0x00007ffff7bad466 <+1238>:  48 c7 00 01 00 00 00    movq   $0x1,(%rax)
   0x00007ffff7bad46d <+1245>:  75 3e   jne    0x7ffff7bad4ad <malloc+1309>
   0x00007ffff7bad46f <+1247>:  90  nop
   0x00007ffff7bad470 <+1248>:  48 8b 05 49 bb 22 00    mov    0x22bb49(%rip),%rax        # 0x7ffff7dd8fc0
   0x00007ffff7bad477 <+1255>:  64 48 8b 38 mov    %fs:(%rax),%rdi
   0x00007ffff7bad47b <+1259>:  48 85 ff    test   %rdi,%rdi
   0x00007ffff7bad47e <+1262>:  0f 84 06 01 00 00   je     0x7ffff7bad58a <malloc+1530>
   0x00007ffff7bad484 <+1268>:  48 89 de    mov    %rbx,%rsi
   0x00007ffff7bad487 <+1271>:  31 d2   xor    %edx,%edx
   0x00007ffff7bad489 <+1273>:  e8 a2 72 00 00  callq  0x7ffff7bb4730
   0x00007ffff7bad48e <+1278>:  48 89 c3    mov    %rax,%rbx
   0x00007ffff7bad491 <+1281>:  e9 ac fc ff ff  jmpq   0x7ffff7bad142 <malloc+434>
   0x00007ffff7bad496 <+1286>:  48 8d 0d 33 24 02 00    lea    0x22433(%rip),%rcx        # 0x7ffff7bcf8d0
   0x00007ffff7bad49d <+1293>:  48 39 0d 4c bb 22 00    cmp    %rcx,0x22bb4c(%rip)        # 0x7ffff7dd8ff0
   0x00007ffff7bad4a4 <+1300>:  48 c7 00 02 00 00 00    movq   $0x2,(%rax)
   0x00007ffff7bad4ab <+1307>:  74 c3   je     0x7ffff7bad470 <malloc+1248>
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad4ad <+1309>:  48 89 c6    mov    %rax,%rsi
   0x00007ffff7bad4b0 <+1312>:  48 8d 05 f1 cf 22 00    lea    0x22cff1(%rip),%rax        # 0x7ffff7dda4a8
   0x00007ffff7bad4b7 <+1319>:  8b 38   mov    (%rax),%edi
   0x00007ffff7bad4b9 <+1321>:  e8 12 ce ff ff  callq  0x7ffff7baa2d0 <pthread_setspecific@plt>
   0x00007ffff7bad4be <+1326>:  85 c0   test   %eax,%eax
   0x00007ffff7bad4c0 <+1328>:  74 ae   je     0x7ffff7bad470 <malloc+1248>
   0x00007ffff7bad4c2 <+1330>:  48 8d 3d cf 25 02 00    lea    0x225cf(%rip),%rdi        # 0x7ffff7bcfa98
   0x00007ffff7bad4c9 <+1337>:  e8 02 0f 02 00  callq  0x7ffff7bce3d0
   0x00007ffff7bad4ce <+1342>:  80 3d c4 bd 22 00 00    cmpb   $0x0,0x22bdc4(%rip)        # 0x7ffff7dd9299
   0x00007ffff7bad4d5 <+1349>:  74 99   je     0x7ffff7bad470 <malloc+1248>
   0x00007ffff7bad4d7 <+1351>:  e8 24 cd ff ff  callq  0x7ffff7baa200 <abort@plt>
   0x00007ffff7bad4dc <+1356>:  0f 1f 40 00 nopl   0x0(%rax)
   0x00007ffff7bad4e0 <+1360>:  e8 ab e6 ff ff  callq  0x7ffff7babb90
   0x00007ffff7bad4e5 <+1365>:  48 89 c7    mov    %rax,%rdi
   0x00007ffff7bad4e8 <+1368>:  e9 07 fe ff ff  jmpq   0x7ffff7bad2f4 <malloc+868>
   0x00007ffff7bad4ed <+1373>:  0f 1f 00    nopl   (%rax)
   0x00007ffff7bad4f0 <+1376>:  66 48 8d 3d e0 ba 22 00 data16 lea 0x22bae0(%rip),%rdi        # 0x7ffff7dd8fd8
   0x00007ffff7bad4f8 <+1384>:  66 66 48 e8 70 ce ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
   0x00007ffff7bad500 <+1392>:  8b 10   mov    (%rax),%edx
   0x00007ffff7bad502 <+1394>:  83 fa 02    cmp    $0x2,%edx
   0x00007ffff7bad505 <+1397>:  75 0c   jne    0x7ffff7bad513 <malloc+1411>
   0x00007ffff7bad507 <+1399>:  48 8d 15 3a bd 22 00    lea    0x22bd3a(%rip),%rdx        # 0x7ffff7dd9248
   0x00007ffff7bad50e <+1406>:  0f b6 12    movzbl (%rdx),%edx
   0x00007ffff7bad511 <+1409>:  89 10   mov    %edx,(%rax)
   0x00007ffff7bad513 <+1411>:  85 d2   test   %edx,%edx
   0x00007ffff7bad515 <+1413>:  75 5e   jne    0x7ffff7bad575 <malloc+1509>
   0x00007ffff7bad517 <+1415>:  66 48 8d 3d b9 ba 22 00 data16 lea 0x22bab9(%rip),%rdi        # 0x7ffff7dd8fd8
   0x00007ffff7bad51f <+1423>:  66 66 48 e8 49 ce ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
   0x00007ffff7bad527 <+1431>:  c7 00 00 00 00 00   movl   $0x0,(%rax)
   0x00007ffff7bad52d <+1437>:  64 48 8b 04 25 00 00 00 00  mov    %fs:0x0,%rax
   0x00007ffff7bad536 <+1446>:  48 03 05 93 ba 22 00    add    0x22ba93(%rip),%rax        # 0x7ffff7dd8fd0
   0x00007ffff7bad53d <+1453>:  48 8d 0d 8c 23 02 00    lea    0x2238c(%rip),%rcx        # 0x7ffff7bcf8d0
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bad544 <+1460>:  48 39 0d a5 ba 22 00    cmp    %rcx,0x22baa5(%rip)        # 0x7ffff7dd8ff0
   0x00007ffff7bad54b <+1467>:  48 c7 00 01 00 00 00    movq   $0x1,(%rax)
   0x00007ffff7bad552 <+1474>:  0f 85 52 fd ff ff   jne    0x7ffff7bad2aa <malloc+794>
   0x00007ffff7bad558 <+1480>:  e9 83 fd ff ff  jmpq   0x7ffff7bad2e0 <malloc+848>
   0x00007ffff7bad55d <+1485>:  0f 1f 00    nopl   (%rax)
   0x00007ffff7bad560 <+1488>:  e8 8b e7 ff ff  callq  0x7ffff7babcf0
   0x00007ffff7bad565 <+1493>:  48 89 c7    mov    %rax,%rdi
   0x00007ffff7bad568 <+1496>:  e8 23 06 02 00  callq  0x7ffff7bcdb90
   0x00007ffff7bad56d <+1501>:  49 89 c7    mov    %rax,%r15
   0x00007ffff7bad570 <+1504>:  e9 f6 fb ff ff  jmpq   0x7ffff7bad16b <malloc+475>
   0x00007ffff7bad575 <+1509>:  e8 76 e7 ff ff  callq  0x7ffff7babcf0
   0x00007ffff7bad57a <+1514>:  48 89 c7    mov    %rax,%rdi
   0x00007ffff7bad57d <+1517>:  e8 0e 06 02 00  callq  0x7ffff7bcdb90
   0x00007ffff7bad582 <+1522>:  49 89 c5    mov    %rax,%r13
   0x00007ffff7bad585 <+1525>:  e9 91 fc ff ff  jmpq   0x7ffff7bad21b <malloc+651>
   0x00007ffff7bad58a <+1530>:  e8 01 e6 ff ff  callq  0x7ffff7babb90
   0x00007ffff7bad58f <+1535>:  48 89 c7    mov    %rax,%rdi
   0x00007ffff7bad592 <+1538>:  e9 ed fe ff ff  jmpq   0x7ffff7bad484 <malloc+1268>
End of assembler dump.