The Fault Is Not In Our Stars
"The fault, dear Brutus, is not in our stars, But in ourselves, that we are underlings." - Julius Caesar (I, ii, 140-141)
It was all David's fault that I was still up at 1 in the morning, bleary eyed, tired, and starting to get suspicious of mathematics -- and that there was definitely a 'bug' in je_malloc
and the compiler that generated je_malloc
and in LLVM's disassembler, maybe in gdb
, and definitely in Intel's documentation, and probably in pretty much everything.
But let me start from the beginning.
A Tale of Two Disassemblers
It was a dark and stormy night - I was demoing some software to my friend, the eponymous David from the above, at a coffee shop, in May around noon, when this whole mess started. I was showing him this particular feature which allowed me to disassemble an arbitrary symbol name from the command line, and in my hubris, I foolishly showed him the malloc
disassemblies.
Now, there are several malloc
providers on linux. One of these is the fateful libjemalloc.so.1
, whose git repo is here, and with whom our story starts. However, this story doesn't so much involve them as it does their compiled code (not on the dev branch, but the master, at least at the time of this writing), and so we should absolve them of any wrong doing in these matters.
In any event, I had noticed before that my program was piping out errors for libjemalloc.so.1
's malloc
implementation, but since this was a fly by night operation intended to wow David, I hadn't checked into it yet.
But David, being the good, curious human that he is, asked about the errors when he saw them. And that's when it all began -- a nightmarish journey into the seedy underbelly of linux dynamic libraries, broken disassemblers, pernicious debuggers, treacherous compilers and suspicious documentation.
Come join me in my fun-time adventures!
0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff
I'm running Arch Linux, and when I run lldb /usr/lib/libjemalloc.so.1 -o "disass -b -n malloc"
, the last line it disassembles is a call
instruction:
<malloc+1151>66 66 48 e8 59 cf callw 0xcf59
It is exactly here, 1157 bytes in, that lldb
(based on LLVM v3.6) gives up and will disassemble no more. This is unusual, because if you inspect the _DYNAMIC
array, libjemalloc.so.1
reports that its export, malloc
, begins at 0x5f90
, and is exactly 1543 bytes in size (your implementation will vary; in fact, compiling libjemalloc
's master git branch yields a larger malloc
and various examples like this much earlier on in the procedure - but again, this may vary with compiler flags, compilers, distros, and toaster models).
Yet lldb
tells us that the function is 1157 bytes long (because that's where it stops). So where did 386 bytes go? (there's probably an off by one error here, don't judge me)
To fully understand this situtation, we'll need to understand Intel legacy prefix codes, REX prefixes, opcode tables, crazy Intel instruction documentation syntax, signed integers, gdb
, x86-64 mode, and other sordid low-level details.
Prefixes
I haven't finished reading the Intel manual yet (so I'm not an expert), probably be done in a few days, but basically there are 4 groups of legacy prefixes, with 0x66
indicating the so-called "operand-size override prefix". According to their documentation:
The operand-size override prefix allows a program to switch between 16- and 32-bit operand sizes. Either size can be the default; use of the prefix selects the non-default size. 2-2 Vol. 2A
Let me just say here, because I really can't resist, and hopefully maybe there's a good reason for this behavior (but probably not, just the onus of historical cruft), but you know the instruction set is insane when "either size can be the default" and the operand-size override prefix switches to the other. Like, just choose one... and make that the default?
Anyway, 64-bit x86 processors (the only processor kind you should care about anymore) added REX prefixes, which do lots of things in 64-bit mode, but for our purposes, we'll only consider the 0x48
byte, which says "My operand is 64-bits wide". The accompanying documentation says:
Not all instructions require a REX prefix in 64-bit mode. A prefix is necessary only if an instruction references one of the extended registers or uses a 64-bit operand. If a REX prefix is used when it has no meaning, it is ignored. 2-8 Vol. 2A
Importantly, "Only one REX prefix is allowed per instruction."
Confusingly however, when it comes to the legacy prefixes, we're told:
For each instruction, it is only useful to include up to one prefix code from each of the four groups (Groups 1, 2, 3, 4). Groups 1 through 4 may be placed in any order relative to each other. 2-1 Vol. 2A
So... "it is only useful to include up to one". We'll interpret this unambiguous piece of writing to mean we can have as many prefixes as we want.
However, directly above this on the same page, in the instruction diagram, in the prefix section, we're told "Up to four prefixes of 1 byte each", which seems to indicate we can have a max of four prefixes.
At the time of this writing, I've experimented with instruction sequences with multiple prefixes, multiple REXs, etc., but they seem to be ignored. So we'll go with the former interpretation, that we can include as many as we want.
Intel Arcana
With such information firmly in hand, we can now understand 0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff
... or can we? First off, why are there two 0x66
bytes? I have no idea. Secondly, why are they followed by an 0x48
? It seems to say... use a 16-bit width, and then use a 64-bit width, but if we actually look up the instruction (0xe8
) in Intel's one-byte opcode table, it tells us that 0xe8
is a "near CALL^f64" with a Jz
operand, where ^ means superscript.
First we need to look up what an f64
superscript means, to wit:
The operand size is forced to a 64-bit operand size when in 64-bit mode (prefixes that change operand size are ignored for this instruction in 64-bit mode) A-6 Vol. 2C
So the operand size must be 64-bits, or 8 bytes. Our example instruction only has a 4 byte operand/immediate though; but if we consult the instruction's entry in the 64-ia we see that:
In 64-bit mode the relative offset is always a 32-bit immediate value which is sign extended to 64-bits before it is added to the value in the RIP register for the target calculation. Vol. 2A 3-99
Importantly, the documentation does definitely state that prefixes that change operand size are ignored in 64-bit mode for instructions marked with the f64
superscript, of which call
is one.
The only other component is the Jz
operand encoding, which is two parts, the first part, "J", meaning:
The instruction contains a relative offset to be added to the instruction pointer register A-2 Vol. 2C
and the "z":
Word for 16-bit operand-size or doubleword for 32 or 64-bit operand-size A-3 Vol. 2C
In other words, the operand is a signed operand, with either a 16-bit or 64-bit size, depending on whether the operand-size prefix is set?
So what we know seems to be:
- Operand-size prefix is ignored
- Operand-size prefix is not ignored? ("Word for 16-bit operand-size")
- Operand is signed
- Up to 4 legacy prefixes
Don't worry if you're confused and unsure what is correct; everyone seems to be. At the time of this initial writing (about a month ago), neither gdb
nor lldb
correctly disassembled 0x66 0xe8 0x59 0xcf 0xff 0xff
, so we're in good company. Update: both of these bugs have been corrected, thanks to open source process goodness, and the internet.
LLVM
Ok, let's run llvm-mc --disassemble
on the instruction starting 1151 bytes in at libjemalloc
's malloc
to test what we know:
echo "0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff" | llvm-mc --disassemble
.text
callw 53081
<stdin>:1:31: warning: invalid instruction encoding
0x66 0x66 0x48 0xe8 0x59 0xcf 0xff 0xff
^
That didn't seem to work (this was the original error that set all this off).
Maybe it's all those stupid 0x66
that gcc
inserted (also, again, why)? Let's test if multiple 0x66
cause a problem for LLVM's disassembler:
echo "0x66 0x66 0xe8 0x59 0xcf" | llvm-mc --disassemble
.text
callw 53081
So llvm-mc
seems ok with a couple 0x66
's. What about 5 of them?
echo "0x66 0x66 0x66 0x66 0x66 0xe8 0x59 0xcf" | llvm-mc --disassemble
.text
callw 53081
The spec was vague on redundant prefixes, so we'll let this slide (if you actually test multiple 0x66
's against an x86-64 cpu in 64-bit mode it seems to allow it - which just means the silicon that I tested it on allowed it).
But there is something else really wrong here, it looks like llvm-mc
is incorrectly disassembling callw
's immediate.
Here's some C code to illustrate the matter:
//i_saw_the_sign.c
#include<stdio.h>
int main(){
unsigned short unsigned_s = 0xcf59;
short signed_s = 0xcf59;
int signed_i = 0xffffcf59;
int unsigned_i = 0x0000cf59;
printf("unsigned_s: %d\n", unsigned_s);
printf("signed_s: %d\n", signed_s);
printf("signed_i: %d\n", signed_i);
printf("unsigned_i: %d\n", unsigned_i);
/*./sign
unsigned_s: 53081
signed_s: -12455
signed_i: -12455
unsigned_i: 53081
*/
return 0;
}
So, let's be absolutely clear: 0xcf59
interpreted as a signed short (i.e., only 2 bytes in size) is equivalent to 0xffffcf59
interpreted as a signed int (4 bytes in size), which we write in decimal notation as -12455
.
As such, if 0x66 0xe8 0x59 0xcf
is disassembled to callw 53081
then the 16-bit operand 0xcf49
must have been interpreted as an unsigned short or a non-sign extended 4-byte int, i.e., 0x0000cf49
(or similarly, as an 8-byte int), and not the correct signed short or sign-extended 4-byte int, which we write in decimal as -12455
.
So llvm-mc
incorrectly disassembles short immediates in call. As it turns out, it was just a missing case in a switch statement (I love not having pattern matching on closed algebraic data types, because otherwise these kinds of trivial errors are avoided and I can't have fun). It did, however, require a further fix if 0x66
prefixed a call instruction in a 64-bit binary.
But, at least we solved the mystery of libjemalloc.so.1
's malloc
's missing bytes - a bad disassembler. But what does a good disassembler have to say? And what even is a good disassembler? And why on earth was that instruction sequence generated in the first place? Who has the answers to these burning questions?
GCC
Of course we can only bash on LLVM so much, since it's written in C++, so it's not their fault. But at some point we have to ask, why is there an instruction sequence like 0x66 0x66 0x48 0x59 0xcf 0xff 0xff
in the compiled binary in the first place? And is this an invalid instruction, or not?
If we invoke the tried and true gdb
on libjemalloc.so.1
with disas /r malloc
we'll eventually find the following at 1151 bytes in (and gdb doesn't stop until, you guessed it, the correct 1543 bytes later):
0x00007ffff7bad40f <+1151>: 66 66 48 e8 59 cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
gdb
seems to think the instruction is data16 data16 callq 0x7ffff7baa370
(I'm going to turn a blind eye to those double data16
's).
Importantly, I want us to subtract 0x7ffff7baa370
from 0x00007ffff7bad417
(NOTE: the call/jmp offset is always relative to the next instruction, which is 8 bytes later, so 0x00007ffff7bad40f + 0x8
).
The result should be 12455 (in decimal). In other words, the import symbol stub for __tls_get_addr
is 12455 bytes away, in the negative direction, from the callq
instruction. Thus we need to add a relative offset of 0xffffcf59
(-12455) to the instruction pointer to call the imported procedure __tls_get_addr
(if you're curious, it's imported from /usr/lib/ld-2.21.so
at offset 0x124a0
(all offsets my own). I simply did rdr -m -f __tls_get_addr
to get that magical number).
This seems right; gdb
correctly ignores the 0x66
prefix. If however, we were to take lldb
's word for it, we'd be looking for/calling a function 53081 bytes away from 0x00007ffff7bad417
, which puts us at 0x7ffff7bba370
, somewhere inside some random procedure.
So it seems like at this point we can sit back and declare gdb
a "good" disassembler and lldb
a "bad" disassembler, at least in this case --- but in doing so, we'd be wrong.
The bad news is that if you remove the REX prefix, 0x48
, then gdb
will also incorrectly disassemble the call
when a 0x66
is present in 64-bit mode.
If we compile a simple C program like as follows:
// callw.c
//compile with -Wall -Werror -o callw callw.c
//**DO NOT** Compile with optimizations, need the space provided by x++
#include <stdio.h>
//my main was at 0x506 into the resulting binary; yours will be different
int main(){
int x = 0xefbeadde;
// this just to create space for inserting instructions
x++; x++; x++;
printf("x: %x\n", x);
return 0;
}
You can then use that binary to do some hex editing.
If you don't care about the program crashing, then just insert the instruction sequence 66 e8 01 00 00 00
somewhere after where main begins, using your favorite hex editor. Or you can do it carefully so the program doesn't crash; I'll leave that as an exercise. Or just download this binary and scope it out for yourself.
When you're finished, run gdb callw
and break on main; run, and then disassemble using the /r option. You should see something like as follows (I call 0x06
bytes forward, because I don't want the program to crash):
(gdb) disass /r
Dump of assembler code for function main:
0x0000000000400506 <+0>: 55 push %rbp
0x0000000000400507 <+1>: 48 89 e5 mov %rsp,%rbp
0x000000000040050a <+4>: 48 83 ec 10 sub $0x10,%rsp
0x000000000040050e <+8>: c7 45 fc de ad be ef movl $0xefbeadde,-0x4(%rbp)
0x0000000000400515 <+15>: 66 e8 06 00 callw 0x51f
0x0000000000400519 <+19>: 00 00 add %al,(%rax)
0x000000000040051b <+21>: fc cld
0x000000000040051c <+22>: 01 83 45 fc 01 8b add %eax,-0x74fe03bb(%rbx)
0x0000000000400522 <+28>: 45 fc rex.RB cld
0x0000000000400524 <+30>: 89 c6 mov %eax,%esi
0x0000000000400526 <+32>: bf c4 05 40 00 mov $0x4005c4,%edi
0x000000000040052b <+37>: b8 00 00 00 00 mov $0x0,%eax
0x0000000000400530 <+42>: e8 ab fe ff ff callq 0x4003e0 <printf@plt>
0x0000000000400535 <+47>: b8 00 00 00 00 mov $0x0,%eax
0x000000000040053a <+52>: c9 leaveq
0x000000000040053b <+53>: c3 retq
You'll notice gdb
thinks the callw has a 16-bit immediate, and so starts disassembling the extra 2 bytes as a separate instruction (add %al,(%rax)
to be precise).
But if you step through the program, the cpu (I presume, unless there is some black magic going on when trapping with a debugger, which is why I rewrite the binary to not crash) actually jumps a 32-bit value (well technically calls, but you know what I mean), hence demonstrating x86-64 cpus (at least this one, and the others I've tested on) ignore the 0x66
prefix in 64-bit mode, which matches the spec.
We can actually prove whether 0x66 is ignored or not using a special program; see the appendix.
Also, it will also mess up your %rip
qua gdb
if the call lands you in the middle of an instruction.
So... gdb
incorrectly disassembles this kind of corner case too though. I submitted a bug there as well.
Coda
In the end, while the particular details here will soon be untrue, because open source software as high-profile as gdb or llvm gets fixed, what remains interesting to me are two salient, and what I think are lasting object lessons.
- Redundant Independent Verification Is Scientific Verification
- Something Darker
Redundant Independent Verification Is Scientific Verification
There is no such thing as a canonical disassembler, because all disassemblers come from man, and to err is human. As such, the more independent disassemblers we have (independent in the sense of using disjoint codebases for disassembly logic), the closer we are to approaching what the the "ideal disassembler" should produce (for a given architecture).
lldb
and gdb
failed at disassembling real corner cases, and in different ways (and then they got fixed, and this is good). However, had there been a third (or fourth), reliable and independent disassembler, I would argue the likelihood that it too would have failed on the same input is unlikely --- which then gives the researcher better data to act on what the programs are telling them, instead of untangling a mess of reduplicated error. As a result, I would argue that redundant independent verification triangulates the semantics of an instruction set --- and the more we have, the more accurate our analyses will be, and the more confident we can be that disassembly is working correctly.
This is one of the primary reasons I still actively use both gdb
and lldb
: they give me different perspectives on the same objects. Unfortunately, in the x86-64 bit world, they're really the only disjoint disassemblers that are available. disnasm
is broken, and only works with 32 bit modes; similarly objdump
doesn't seem to work, and I believe it's using bdf
anyway, which violates the disjoint codebase requirement.
Something Darker
It is remarkable that in the four most recent editions of the UNIX system programmer’s manual the Bourne shell grammar described in the manual page does not admit the command
who|wc
. This is surely an oversight, but it suggests something darker: nobody really knows what the Bourne shell’s grammar is.
It's also possible that something darker is going on: maybe no one really knows how x86 "works" anymore.
The compiler writers, bless them, read the same spec I read (and am still reading); and it seems ambiguous in some places in ways that it shouldn't be ambiguous. To harp on examples from this post, once again, we are told:
Only one REX prefix is allowed per instruction. -- 2-8 Vol. 2A
But what does this mean? It doesn't #UD if there are two REX prefixes; similarly for legacy prefixes. So what in particular "isn't allowed"? I can do it; I'm not arrested, and neither is my machine, so what purpose does this sentence serve in a "formal" specification of an instruction set?
This may seem pedantic, or alarmist, but what sincerely worries me is that at best this is ambiguous, and at worst it is symptomatic of a substantially less palatable conclusion. I'm not sure which disjunct it is, but neither really make me very happy when contemplating their possibility.
Nevertheless, we can take comfort that all of these problems are our own devising; the fault isn't in some magic dropped from the sky, but lies solely on ourselves, and as such, we can solve them (because we created them), and make them better, either through venerable open source processes, or formal methods, or solutions yet undreamed of.
So that's my happy note. Now it's time for me to get back to computering.
Appendix
Clever Program
We can use a sequence like 0x66 0xe8 0xff 0x7f 0xff 0xff
inserted say somewhere in the middle of a binary approximately 0x10001
bytes long, with a sequence of #UD bytes approximately 32767 bytes away, and a graceful exit sequence approximately -32769 bytes away, to test if the 0x66
prefix was ignored or not.
Why? Because if the immediate is 16 bits, the call will take the 32767 branch and #UD; but if the immediatel is 32 bits, then it is signed, and will take the -32769 branch and gracefully exit.
Clever program is clever.
Various equivalent x86 instructions, 64 and 32-bit architectures
# echo "0x66 0xe8 0x59 0xcf" | bin/llvm-mc --disassemble -show-inst
.text
callw -12455 # <MCInst #360 CALLpcrel16
# <MCOperand Imm:-12455>>
# echo "0xe8 0x59 0xcf 0xff 0xff" | bin/llvm-mc --disassemble -show-inst
.text
callq -12455 # <MCInst #358 CALL64pcrel32
# <MCOperand Imm:-12455>>
# echo "0xe8 0x59 0xcf 0xff 0xff" | bin/llvm-mc --disassemble -show-inst -arch=x86
.text
calll -12455 # <MCInst #361 CALLpcrel32
# <MCOperand Imm:-12455>>
# echo "0x66 0xe8 0x59 0xcf" | bin/llvm-mc --disassemble -show-inst -arch=x86
.text
callw -12455 # <MCInst #360 CALLpcrel16
# <MCOperand Imm:-12455>>
LLDB libjemalloc
malloc
(lldb) disass -b -n malloc
<malloc>41 57 pushq %r15
<malloc+2>b8 01 00 00 00 movl $0x1, %eax
<malloc+7>41 56 pushq %r14
<malloc+9>41 55 pushq %r13
<malloc+11>41 54 pushq %r12
<malloc+13>55 pushq %rbp
<malloc+14>53 pushq %rbx
<malloc+15>48 89 fb movq %rdi, %rbx
<malloc+18>48 83 ec 18 subq $0x18, %rsp
<malloc+22>48 85 ff testq %rdi, %rdi
<malloc+25>48 0f 44 d8 cmoveq %rax, %rbx
<malloc+29>80 3d 1c c3 22 00 00 cmpb $0x0, 0x22c31c(%rip) ; libjemalloc.so.1..bss + 111
<malloc+36>0f 84 3e 01 00 00 je 0x60f8 ; malloc + 360
<malloc+42>48 83 3d ce c2 22 00 00 cmpq $0x0, 0x22c2ce(%rip) ; libjemalloc.so.1..bss + 47
<malloc+50>74 1a je 0x5fde ; malloc + 78
<malloc+52>64 48 8b 04 25 00 00 00 00 movq %fs:0x0, %rax
<malloc+61>48 03 05 f4 bf 22 00 addq 0x22bff4(%rip), %rax ; libjemalloc.so.1..got + 88
<malloc+68>48 83 38 00 cmpq $0x0, (%rax)
<malloc+72>0f 84 1a 04 00 00 je 0x63f8 ; malloc + 1128
<malloc+78>48 81 fb 00 0e 00 00 cmpq $0xe00, %rbx
<malloc+85>0f 87 8d 00 00 00 ja 0x6078 ; malloc + 232
<malloc+91>48 8d 15 8e 2c 02 00 leaq 0x22c8e(%rip), %rdx ; libjemalloc.so.1..rodata + 768
<malloc+98>48 8d 43 ff leaq -0x1(%rbx), %rax
<malloc+102>4c 8d 2d 63 c8 22 00 leaq 0x22c863(%rip), %r13
<malloc+109>48 c1 e8 03 shrq $0x3, %rax
<malloc+113>44 0f b6 34 02 movzbl (%rdx,%rax), %r14d
<malloc+118>41 0f b6 c6 movzbl %r14b, %eax
<malloc+122>48 8d 14 40 leaq (%rax,%rax,2), %rdx
<malloc+126>48 8d 04 90 leaq (%rax,%rdx,4), %rax
<malloc+130>49 8b 6c c5 00 movq (%r13,%rax,8), %rbp
<malloc+135>48 8d 05 ea d3 22 00 leaq 0x22d3ea(%rip), %rax
<malloc+142>48 3b 18 cmpq (%rax), %rbx
<malloc+145>0f 87 05 01 00 00 ja 0x612c ; malloc + 412
<malloc+151>64 48 8b 04 25 00 00 00 00 movq %fs:0x0, %rax
<malloc+160>48 03 05 99 bf 22 00 addq 0x22bf99(%rip), %rax ; libjemalloc.so.1..got + 96
<malloc+167>48 8b 38 movq (%rax), %rdi
<malloc+170>48 83 ff 03 cmpq $0x3, %rdi
<malloc+174>0f 87 24 01 00 00 ja 0x6168 ; malloc + 472
<malloc+180>48 83 ff 01 cmpq $0x1, %rdi
<malloc+184>0f 84 22 04 00 00 je 0x6470 ; malloc + 1248
<malloc+190>48 85 ff testq %rdi, %rdi
<malloc+193>0f 84 b0 03 00 00 je 0x6407 ; malloc + 1143
<malloc+199>48 83 ff 03 cmpq $0x3, %rdi
<malloc+203>0f 84 35 04 00 00 je 0x6496 ; malloc + 1286
<malloc+209>48 83 ff 02 cmpq $0x2, %rdi
<malloc+213>0f 84 05 04 00 00 je 0x6470 ; malloc + 1248
<malloc+219>49 89 ff movq %rdi, %r15
<malloc+222>e9 01 01 00 00 jmp 0x6174 ; malloc + 484
<malloc+227>0f 1f 44 00 00 nopl (%rax,%rax)
<malloc+232>48 8d 05 89 d3 22 00 leaq 0x22d389(%rip), %rax
<malloc+239>48 3b 18 cmpq (%rax), %rbx
<malloc+242>0f 87 90 00 00 00 ja 0x6118 ; malloc + 392
<malloc+248>48 8d 05 09 d4 22 00 leaq 0x22d409(%rip), %rax
<malloc+255>48 8d ab ff 0f 00 00 leaq 0xfff(%rbx), %rbp
<malloc+262>48 81 e5 00 f0 ff ff andq $-0x1000, %rbp
<malloc+269>48 3b 18 cmpq (%rax), %rbx
<malloc+272>0f 87 3a 02 00 00 ja 0x62e0 ; malloc + 848
<malloc+278>64 48 8b 04 25 00 00 00 00 movq %fs:0x0, %rax
<malloc+287>48 03 05 1a bf 22 00 addq 0x22bf1a(%rip), %rax ; libjemalloc.so.1..got + 96
<malloc+294>48 8b 38 movq (%rax), %rdi
<malloc+297>48 83 ff 03 cmpq $0x3, %rdi
<malloc+301>0f 87 55 01 00 00 ja 0x6218 ; malloc + 648
<malloc+307>48 83 ff 01 cmpq $0x1, %rdi
<malloc+311>0f 84 13 02 00 00 je 0x62e0 ; malloc + 848
<malloc+317>48 85 ff testq %rdi, %rdi
<malloc+320>0f 84 17 04 00 00 je 0x64ed ; malloc + 1373
<malloc+326>48 83 ff 03 cmpq $0x3, %rdi
<malloc+330>0f 84 b3 01 00 00 je 0x6293 ; malloc + 771
<malloc+336>48 83 ff 02 cmpq $0x2, %rdi
<malloc+340>0f 84 f6 01 00 00 je 0x62e0 ; malloc + 848
<malloc+346>49 89 fd movq %rdi, %r13
<malloc+349>e9 32 01 00 00 jmp 0x6224 ; malloc + 660
<malloc+354>66 0f 1f 44 00 00 nopw (%rax,%rax)
<malloc+360>e8 63 e7 ff ff callq 0x4860 ; ???
<malloc+365>84 c0 testb %al, %al
<malloc+367>90 nop
<malloc+368>0f 84 b4 fe ff ff je 0x5fba ; malloc + 42
<malloc+374>e8 05 d1 ff ff callq 0x3210 ; symbol stub for: __errno_location
<malloc+379>31 db xorl %ebx, %ebx
<malloc+381>c7 00 0c 00 00 00 movl $0xc, (%rax)
<malloc+387>eb 3d jmp 0x6152 ; malloc + 450
<malloc+389>0f 1f 00 nopl (%rax)
<malloc+392>48 8d 05 f9 d2 22 00 leaq 0x22d2f9(%rip), %rax
<malloc+399>48 8b 00 movq (%rax), %rax
<malloc+402>48 8d 2c 03 leaq (%rbx,%rax), %rbp
<malloc+406>48 f7 d0 notq %rax
<malloc+409>48 21 c5 andq %rax, %rbp
<malloc+412>31 ff xorl %edi, %edi
<malloc+414>e8 1d 6c 01 00 callq 0x1cd50 ; ???
<malloc+419>48 89 df movq %rbx, %rdi
<malloc+422>89 c2 movl %eax, %edx
<malloc+424>31 f6 xorl %esi, %esi
<malloc+426>e8 a1 65 01 00 callq 0x1c6e0 ; ???
<malloc+431>48 89 c3 movq %rax, %rbx
<malloc+434>48 85 db testq %rbx, %rbx
<malloc+437>74 bf je 0x6106 ; malloc + 374
<malloc+439>48 8b 05 3a be 22 00 movq 0x22be3a(%rip), %rax ; libjemalloc.so.1..got + 24
<malloc+446>64 48 01 28 addq %rbp, %fs:(%rax)
<malloc+450>48 83 c4 18 addq $0x18, %rsp
<malloc+454>48 89 d8 movq %rbx, %rax
<malloc+457>5b popq %rbx
<malloc+458>5d popq %rbp
<malloc+459>41 5c popq %r12
<malloc+461>41 5d popq %r13
<malloc+463>41 5e popq %r14
<malloc+465>41 5f popq %r15
<malloc+467>c3 retq
<malloc+468>0f 1f 40 00 nopl (%rax)
<malloc+472>49 89 ff movq %rdi, %r15
<malloc+475>4d 85 ff testq %r15, %r15
<malloc+478>0f 84 fc 02 00 00 je 0x6470 ; malloc + 1248
<malloc+484>49 8d 46 01 leaq 0x1(%r14), %rax
<malloc+488>48 c1 e0 05 shlq $0x5, %rax
<malloc+492>4d 8d 64 07 08 leaq 0x8(%r15,%rax), %r12
<malloc+497>4b 8d 04 76 leaq (%r14,%r14,2), %rax
<malloc+501>49 8d 04 86 leaq (%r14,%rax,4), %rax
<malloc+505>49 8b 4c c5 00 movq (%r13,%rax,8), %rcx
<malloc+510>41 8b 44 24 10 movl 0x10(%r12), %eax
<malloc+515>85 c0 testl %eax, %eax
<malloc+517>0f 85 75 01 00 00 jne 0x6310 ; malloc + 896
<malloc+523>41 c7 44 24 08 ff ff ff ff movl $0xffffffff, 0x8(%r12)
<malloc+532>4c 89 f2 movq %r14, %rdx
<malloc+535>4c 89 e6 movq %r12, %rsi
<malloc+538>4c 89 ff movq %r15, %rdi
<malloc+541>48 89 4c 24 08 movq %rcx, 0x8(%rsp)
<malloc+546>e8 39 04 02 00 callq 0x265f0 ; ???
<malloc+551>48 85 c0 testq %rax, %rax
<malloc+554>48 89 c3 movq %rax, %rbx
<malloc+557>48 8b 4c 24 08 movq 0x8(%rsp), %rcx
<malloc+562>0f 84 3e ff ff ff je 0x6106 ; malloc + 374
<malloc+568>0f 1f 84 00 00 00 00 00 nopl (%rax,%rax)
<malloc+576>80 3d c1 c0 22 00 00 cmpb $0x0, 0x22c0c1(%rip) ; libjemalloc.so.1..bss + 55
<malloc+583>0f 85 d3 01 00 00 jne 0x63b0 ; malloc + 1056
<malloc+589>80 3d a4 c0 22 00 00 cmpb $0x0, 0x22c0a4(%rip) ; libjemalloc.so.1..bss + 39
<malloc+596>0f 85 e6 01 00 00 jne 0x63d0 ; malloc + 1088
<malloc+602>41 8b 47 20 movl 0x20(%r15), %eax
<malloc+606>49 83 04 24 01 addq $0x1, (%r12)
<malloc+611>83 c0 01 addl $0x1, %eax
<malloc+614>3d 25 01 00 00 cmpl $0x125, %eax
<malloc+619>41 89 47 20 movl %eax, 0x20(%r15)
<malloc+623>0f 85 42 ff ff ff jne 0x6147 ; malloc + 439
<malloc+629>4c 89 ff movq %r15, %rdi
<malloc+632>e8 63 08 02 00 callq 0x26a70 ; ???
<malloc+637>e9 35 ff ff ff jmp 0x6147 ; malloc + 439
<malloc+642>66 0f 1f 44 00 00 nopw (%rax,%rax)
<malloc+648>49 89 fd movq %rdi, %r13
<malloc+651>4d 85 ed testq %r13, %r13
<malloc+654>0f 84 bc 00 00 00 je 0x62e0 ; malloc + 848
<malloc+660>48 89 e8 movq %rbp, %rax
<malloc+663>48 c1 e8 0c shrq $0xc, %rax
<malloc+667>48 83 c0 1c addq $0x1c, %rax
<malloc+671>48 c1 e0 05 shlq $0x5, %rax
<malloc+675>4d 8d 64 05 08 leaq 0x8(%r13,%rax), %r12
<malloc+680>41 8b 44 24 10 movl 0x10(%r12), %eax
<malloc+685>85 c0 testl %eax, %eax
<malloc+687>0f 85 fb 00 00 00 jne 0x6340 ; malloc + 944
<malloc+693>41 c7 44 24 08 ff ff ff ff movl $0xffffffff, 0x8(%r12)
<malloc+702>49 8b 7d 18 movq 0x18(%r13), %rdi
<malloc+706>31 d2 xorl %edx, %edx
<malloc+708>48 89 ee movq %rbp, %rsi
<malloc+711>e8 54 77 00 00 callq 0xd9b0 ; ???
<malloc+716>48 85 c0 testq %rax, %rax
<malloc+719>48 89 c3 movq %rax, %rbx
<malloc+722>0f 84 9e fe ff ff je 0x6106 ; malloc + 374
<malloc+728>0f 1f 84 00 00 00 00 00 nopl (%rax,%rax)
<malloc+736>41 8b 45 20 movl 0x20(%r13), %eax
<malloc+740>83 c0 01 addl $0x1, %eax
<malloc+743>3d 25 01 00 00 cmpl $0x125, %eax
<malloc+748>41 89 45 20 movl %eax, 0x20(%r13)
<malloc+752>0f 85 c1 fe ff ff jne 0x6147 ; malloc + 439
<malloc+758>4c 89 ef movq %r13, %rdi
<malloc+761>e8 e2 07 02 00 callq 0x26a70 ; ???
<malloc+766>e9 b4 fe ff ff jmp 0x6147 ; malloc + 439
<malloc+771>48 8d 0d 36 26 02 00 leaq 0x22636(%rip), %rcx ; ???
<malloc+778>48 39 0d 4f bd 22 00 cmpq %rcx, 0x22bd4f(%rip) ; libjemalloc.so.1..got + 128
<malloc+785>48 c7 00 02 00 00 00 movq $0x2, (%rax)
<malloc+792>74 36 je 0x62e0 ; malloc + 848
<malloc+794>48 89 c6 movq %rax, %rsi
<malloc+797>48 8d 05 f4 d1 22 00 leaq 0x22d1f4(%rip), %rax
<malloc+804>8b 38 movl (%rax), %edi
<malloc+806>e8 15 d0 ff ff callq 0x32d0 ; symbol stub for: pthread_setspecific
<malloc+811>85 c0 testl %eax, %eax
<malloc+813>74 21 je 0x62e0 ; malloc + 848
<malloc+815>48 8d 3d d2 27 02 00 leaq 0x227d2(%rip), %rdi ; libjemalloc.so.1..rodata + 280
<malloc+822>e8 05 11 02 00 callq 0x273d0 ; ???
<malloc+827>80 3d c7 bf 22 00 00 cmpb $0x0, 0x22bfc7(%rip) ; libjemalloc.so.1..bss + 56
<malloc+834>0f 85 ff 01 00 00 jne 0x64d7 ; malloc + 1351
<malloc+840>0f 1f 84 00 00 00 00 00 nopl (%rax,%rax)
<malloc+848>48 8b 05 d9 bc 22 00 movq 0x22bcd9(%rip), %rax ; libjemalloc.so.1..got + 80
<malloc+855>64 48 8b 38 movq %fs:(%rax), %rdi
<malloc+859>48 85 ff testq %rdi, %rdi
<malloc+862>0f 84 ec 01 00 00 je 0x64e0 ; malloc + 1360
<malloc+868>48 89 de movq %rbx, %rsi
<malloc+871>31 d2 xorl %edx, %edx
<malloc+873>e8 b2 76 00 00 callq 0xd9b0 ; ???
<malloc+878>48 89 c3 movq %rax, %rbx
<malloc+881>e9 3c fe ff ff jmp 0x6142 ; malloc + 434
<malloc+886>66 2e 0f 1f 84 00 00 00 00 00 nopw %cs:(%rax,%rax)
<malloc+896>83 e8 01 subl $0x1, %eax
<malloc+899>41 3b 44 24 08 cmpl 0x8(%r12), %eax
<malloc+904>41 89 44 24 10 movl %eax, 0x10(%r12)
<malloc+909>7d 05 jge 0x6324 ; malloc + 916
<malloc+911>41 89 44 24 08 movl %eax, 0x8(%r12)
<malloc+916>49 8b 54 24 18 movq 0x18(%r12), %rdx
<malloc+921>48 8b 1c c2 movq (%rdx,%rax,8), %rbx
<malloc+925>48 85 db testq %rbx, %rbx
<malloc+928>0f 85 9a fe ff ff jne 0x61d0 ; malloc + 576
<malloc+934>e9 69 fe ff ff jmp 0x61a4 ; malloc + 532
<malloc+939>0f 1f 44 00 00 nopl (%rax,%rax)
<malloc+944>83 e8 01 subl $0x1, %eax
<malloc+947>41 3b 44 24 08 cmpl 0x8(%r12), %eax
<malloc+952>41 89 44 24 10 movl %eax, 0x10(%r12)
<malloc+957>0f 8c 95 00 00 00 jl 0x63e8 ; malloc + 1112
<malloc+963>49 8b 54 24 18 movq 0x18(%r12), %rdx
<malloc+968>48 8b 1c c2 movq (%rdx,%rax,8), %rbx
<malloc+972>48 85 db testq %rbx, %rbx
<malloc+975>0f 84 e9 fe ff ff je 0x624e ; malloc + 702
<malloc+981>80 3d 2c bf 22 00 00 cmpb $0x0, 0x22bf2c(%rip) ; libjemalloc.so.1..bss + 55
<malloc+988>74 22 je 0x6390 ; malloc + 1024
<malloc+990>48 89 ea movq %rbp, %rdx
<malloc+993>be a5 00 00 00 movl $0xa5, %esi
<malloc+998>48 89 df movq %rbx, %rdi
<malloc+1001>e8 92 cf ff ff callq 0x3310 ; symbol stub for: memset
<malloc+1006>49 83 04 24 01 addq $0x1, (%r12)
<malloc+1011>e9 e8 fe ff ff jmp 0x6270 ; malloc + 736
<malloc+1016>0f 1f 84 00 00 00 00 00 nopl (%rax,%rax)
<malloc+1024>80 3d f1 be 22 00 00 cmpb $0x0, 0x22bef1(%rip) ; libjemalloc.so.1..bss + 39
<malloc+1031>74 e5 je 0x637e ; malloc + 1006
<malloc+1033>48 89 ea movq %rbp, %rdx
<malloc+1036>31 f6 xorl %esi, %esi
<malloc+1038>48 89 df movq %rbx, %rdi
<malloc+1041>e8 6a cf ff ff callq 0x3310 ; symbol stub for: memset
<malloc+1046>eb d6 jmp 0x637e ; malloc + 1006
<malloc+1048>0f 1f 84 00 00 00 00 00 nopl (%rax,%rax)
<malloc+1056>4b 8d 04 76 leaq (%r14,%r14,2), %rax
<malloc+1060>31 d2 xorl %edx, %edx
<malloc+1062>48 89 df movq %rbx, %rdi
<malloc+1065>49 8d 04 86 leaq (%r14,%rax,4), %rax
<malloc+1069>49 8d 74 c5 00 leaq (%r13,%rax,8), %rsi
<malloc+1074>e8 b9 72 00 00 callq 0xd680 ; ???
<malloc+1079>e9 1e fe ff ff jmp 0x61ea ; malloc + 602
<malloc+1084>0f 1f 40 00 nopl (%rax)
<malloc+1088>48 89 ca movq %rcx, %rdx
<malloc+1091>31 f6 xorl %esi, %esi
<malloc+1093>48 89 df movq %rbx, %rdi
<malloc+1096>e8 33 cf ff ff callq 0x3310 ; symbol stub for: memset
<malloc+1101>e9 08 fe ff ff jmp 0x61ea ; malloc + 602
<malloc+1106>66 0f 1f 44 00 00 nopw (%rax,%rax)
<malloc+1112>41 89 44 24 08 movl %eax, 0x8(%r12)
<malloc+1117>e9 61 ff ff ff jmp 0x6353 ; malloc + 963
<malloc+1122>66 0f 1f 44 00 00 nopw (%rax,%rax)
<malloc+1128>bf 0a 00 00 00 movl $0xa, %edi
<malloc+1133>e8 be bf 01 00 callq 0x223c0 ; ???
<malloc+1138>e9 d7 fb ff ff jmp 0x5fde ; malloc + 78
<malloc+1143>66 48 8d 3d c9 bb 22 00 leaq 0x22bbc9(%rip), %rdi ; libjemalloc.so.1..got + 104
<malloc+1151>66 66 48 e8 59 cf callw 0xcf59
GDB
(gdb) disass /r
Dump of assembler code for function malloc:
0x00007ffff7bacf90 <+0>: 41 57 push %r15
0x00007ffff7bacf92 <+2>: b8 01 00 00 00 mov $0x1,%eax
0x00007ffff7bacf97 <+7>: 41 56 push %r14
0x00007ffff7bacf99 <+9>: 41 55 push %r13
0x00007ffff7bacf9b <+11>: 41 54 push %r12
0x00007ffff7bacf9d <+13>: 55 push %rbp
0x00007ffff7bacf9e <+14>: 53 push %rbx
0x00007ffff7bacf9f <+15>: 48 89 fb mov %rdi,%rbx
0x00007ffff7bacfa2 <+18>: 48 83 ec 18 sub $0x18,%rsp
0x00007ffff7bacfa6 <+22>: 48 85 ff test %rdi,%rdi
0x00007ffff7bacfa9 <+25>: 48 0f 44 d8 cmove %rax,%rbx
0x00007ffff7bacfad <+29>: 80 3d 1c c3 22 00 00 cmpb $0x0,0x22c31c(%rip) # 0x7ffff7dd92d0
0x00007ffff7bacfb4 <+36>: 0f 84 3e 01 00 00 je 0x7ffff7bad0f8 <malloc+360>
0x00007ffff7bacfba <+42>: 48 83 3d ce c2 22 00 00 cmpq $0x0,0x22c2ce(%rip) # 0x7ffff7dd9290
0x00007ffff7bacfc2 <+50>: 74 1a je 0x7ffff7bacfde <malloc+78>
0x00007ffff7bacfc4 <+52>: 64 48 8b 04 25 00 00 00 00 mov %fs:0x0,%rax
0x00007ffff7bacfcd <+61>: 48 03 05 f4 bf 22 00 add 0x22bff4(%rip),%rax # 0x7ffff7dd8fc8
0x00007ffff7bacfd4 <+68>: 48 83 38 00 cmpq $0x0,(%rax)
0x00007ffff7bacfd8 <+72>: 0f 84 1a 04 00 00 je 0x7ffff7bad3f8 <malloc+1128>
0x00007ffff7bacfde <+78>: 48 81 fb 00 0e 00 00 cmp $0xe00,%rbx
0x00007ffff7bacfe5 <+85>: 0f 87 8d 00 00 00 ja 0x7ffff7bad078 <malloc+232>
0x00007ffff7bacfeb <+91>: 48 8d 15 8e 2c 02 00 lea 0x22c8e(%rip),%rdx # 0x7ffff7bcfc80
0x00007ffff7bacff2 <+98>: 48 8d 43 ff lea -0x1(%rbx),%rax
0x00007ffff7bacff6 <+102>: 4c 8d 2d 63 c8 22 00 lea 0x22c863(%rip),%r13 # 0x7ffff7dd9860
0x00007ffff7bacffd <+109>: 48 c1 e8 03 shr $0x3,%rax
0x00007ffff7bad001 <+113>: 44 0f b6 34 02 movzbl (%rdx,%rax,1),%r14d
0x00007ffff7bad006 <+118>: 41 0f b6 c6 movzbl %r14b,%eax
0x00007ffff7bad00a <+122>: 48 8d 14 40 lea (%rax,%rax,2),%rdx
0x00007ffff7bad00e <+126>: 48 8d 04 90 lea (%rax,%rdx,4),%rax
0x00007ffff7bad012 <+130>: 49 8b 6c c5 00 mov 0x0(%r13,%rax,8),%rbp
0x00007ffff7bad017 <+135>: 48 8d 05 ea d3 22 00 lea 0x22d3ea(%rip),%rax # 0x7ffff7dda408
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad01e <+142>: 48 3b 18 cmp (%rax),%rbx
0x00007ffff7bad021 <+145>: 0f 87 05 01 00 00 ja 0x7ffff7bad12c <malloc+412>
0x00007ffff7bad027 <+151>: 64 48 8b 04 25 00 00 00 00 mov %fs:0x0,%rax
0x00007ffff7bad030 <+160>: 48 03 05 99 bf 22 00 add 0x22bf99(%rip),%rax # 0x7ffff7dd8fd0
0x00007ffff7bad037 <+167>: 48 8b 38 mov (%rax),%rdi
0x00007ffff7bad03a <+170>: 48 83 ff 03 cmp $0x3,%rdi
0x00007ffff7bad03e <+174>: 0f 87 24 01 00 00 ja 0x7ffff7bad168 <malloc+472>
0x00007ffff7bad044 <+180>: 48 83 ff 01 cmp $0x1,%rdi
0x00007ffff7bad048 <+184>: 0f 84 22 04 00 00 je 0x7ffff7bad470 <malloc+1248>
0x00007ffff7bad04e <+190>: 48 85 ff test %rdi,%rdi
0x00007ffff7bad051 <+193>: 0f 84 b0 03 00 00 je 0x7ffff7bad407 <malloc+1143>
0x00007ffff7bad057 <+199>: 48 83 ff 03 cmp $0x3,%rdi
0x00007ffff7bad05b <+203>: 0f 84 35 04 00 00 je 0x7ffff7bad496 <malloc+1286>
0x00007ffff7bad061 <+209>: 48 83 ff 02 cmp $0x2,%rdi
0x00007ffff7bad065 <+213>: 0f 84 05 04 00 00 je 0x7ffff7bad470 <malloc+1248>
0x00007ffff7bad06b <+219>: 49 89 ff mov %rdi,%r15
0x00007ffff7bad06e <+222>: e9 01 01 00 00 jmpq 0x7ffff7bad174 <malloc+484>
0x00007ffff7bad073 <+227>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad078 <+232>: 48 8d 05 89 d3 22 00 lea 0x22d389(%rip),%rax # 0x7ffff7dda408
0x00007ffff7bad07f <+239>: 48 3b 18 cmp (%rax),%rbx
0x00007ffff7bad082 <+242>: 0f 87 90 00 00 00 ja 0x7ffff7bad118 <malloc+392>
0x00007ffff7bad088 <+248>: 48 8d 05 09 d4 22 00 lea 0x22d409(%rip),%rax # 0x7ffff7dda498
0x00007ffff7bad08f <+255>: 48 8d ab ff 0f 00 00 lea 0xfff(%rbx),%rbp
0x00007ffff7bad096 <+262>: 48 81 e5 00 f0 ff ff and $0xfffffffffffff000,%rbp
0x00007ffff7bad09d <+269>: 48 3b 18 cmp (%rax),%rbx
0x00007ffff7bad0a0 <+272>: 0f 87 3a 02 00 00 ja 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad0a6 <+278>: 64 48 8b 04 25 00 00 00 00 mov %fs:0x0,%rax
0x00007ffff7bad0af <+287>: 48 03 05 1a bf 22 00 add 0x22bf1a(%rip),%rax # 0x7ffff7dd8fd0
0x00007ffff7bad0b6 <+294>: 48 8b 38 mov (%rax),%rdi
0x00007ffff7bad0b9 <+297>: 48 83 ff 03 cmp $0x3,%rdi
0x00007ffff7bad0bd <+301>: 0f 87 55 01 00 00 ja 0x7ffff7bad218 <malloc+648>
0x00007ffff7bad0c3 <+307>: 48 83 ff 01 cmp $0x1,%rdi
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad0c7 <+311>: 0f 84 13 02 00 00 je 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad0cd <+317>: 48 85 ff test %rdi,%rdi
0x00007ffff7bad0d0 <+320>: 0f 84 17 04 00 00 je 0x7ffff7bad4ed <malloc+1373>
0x00007ffff7bad0d6 <+326>: 48 83 ff 03 cmp $0x3,%rdi
0x00007ffff7bad0da <+330>: 0f 84 b3 01 00 00 je 0x7ffff7bad293 <malloc+771>
0x00007ffff7bad0e0 <+336>: 48 83 ff 02 cmp $0x2,%rdi
0x00007ffff7bad0e4 <+340>: 0f 84 f6 01 00 00 je 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad0ea <+346>: 49 89 fd mov %rdi,%r13
0x00007ffff7bad0ed <+349>: e9 32 01 00 00 jmpq 0x7ffff7bad224 <malloc+660>
0x00007ffff7bad0f2 <+354>: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0x00007ffff7bad0f8 <+360>: e8 63 e7 ff ff callq 0x7ffff7bab860
0x00007ffff7bad0fd <+365>: 84 c0 test %al,%al
0x00007ffff7bad0ff <+367>: 90 nop
0x00007ffff7bad100 <+368>: 0f 84 b4 fe ff ff je 0x7ffff7bacfba <malloc+42>
0x00007ffff7bad106 <+374>: e8 05 d1 ff ff callq 0x7ffff7baa210 <__errno_location@plt>
0x00007ffff7bad10b <+379>: 31 db xor %ebx,%ebx
0x00007ffff7bad10d <+381>: c7 00 0c 00 00 00 movl $0xc,(%rax)
0x00007ffff7bad113 <+387>: eb 3d jmp 0x7ffff7bad152 <malloc+450>
0x00007ffff7bad115 <+389>: 0f 1f 00 nopl (%rax)
0x00007ffff7bad118 <+392>: 48 8d 05 f9 d2 22 00 lea 0x22d2f9(%rip),%rax # 0x7ffff7dda418
0x00007ffff7bad11f <+399>: 48 8b 00 mov (%rax),%rax
0x00007ffff7bad122 <+402>: 48 8d 2c 03 lea (%rbx,%rax,1),%rbp
0x00007ffff7bad126 <+406>: 48 f7 d0 not %rax
0x00007ffff7bad129 <+409>: 48 21 c5 and %rax,%rbp
0x00007ffff7bad12c <+412>: 31 ff xor %edi,%edi
0x00007ffff7bad12e <+414>: e8 1d 6c 01 00 callq 0x7ffff7bc3d50
0x00007ffff7bad133 <+419>: 48 89 df mov %rbx,%rdi
0x00007ffff7bad136 <+422>: 89 c2 mov %eax,%edx
0x00007ffff7bad138 <+424>: 31 f6 xor %esi,%esi
0x00007ffff7bad13a <+426>: e8 a1 65 01 00 callq 0x7ffff7bc36e0
0x00007ffff7bad13f <+431>: 48 89 c3 mov %rax,%rbx
0x00007ffff7bad142 <+434>: 48 85 db test %rbx,%rbx
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad145 <+437>: 74 bf je 0x7ffff7bad106 <malloc+374>
0x00007ffff7bad147 <+439>: 48 8b 05 3a be 22 00 mov 0x22be3a(%rip),%rax # 0x7ffff7dd8f88
0x00007ffff7bad14e <+446>: 64 48 01 28 add %rbp,%fs:(%rax)
0x00007ffff7bad152 <+450>: 48 83 c4 18 add $0x18,%rsp
0x00007ffff7bad156 <+454>: 48 89 d8 mov %rbx,%rax
0x00007ffff7bad159 <+457>: 5b pop %rbx
0x00007ffff7bad15a <+458>: 5d pop %rbp
0x00007ffff7bad15b <+459>: 41 5c pop %r12
0x00007ffff7bad15d <+461>: 41 5d pop %r13
0x00007ffff7bad15f <+463>: 41 5e pop %r14
0x00007ffff7bad161 <+465>: 41 5f pop %r15
0x00007ffff7bad163 <+467>: c3 retq
0x00007ffff7bad164 <+468>: 0f 1f 40 00 nopl 0x0(%rax)
0x00007ffff7bad168 <+472>: 49 89 ff mov %rdi,%r15
0x00007ffff7bad16b <+475>: 4d 85 ff test %r15,%r15
0x00007ffff7bad16e <+478>: 0f 84 fc 02 00 00 je 0x7ffff7bad470 <malloc+1248>
0x00007ffff7bad174 <+484>: 49 8d 46 01 lea 0x1(%r14),%rax
0x00007ffff7bad178 <+488>: 48 c1 e0 05 shl $0x5,%rax
0x00007ffff7bad17c <+492>: 4d 8d 64 07 08 lea 0x8(%r15,%rax,1),%r12
0x00007ffff7bad181 <+497>: 4b 8d 04 76 lea (%r14,%r14,2),%rax
0x00007ffff7bad185 <+501>: 49 8d 04 86 lea (%r14,%rax,4),%rax
0x00007ffff7bad189 <+505>: 49 8b 4c c5 00 mov 0x0(%r13,%rax,8),%rcx
0x00007ffff7bad18e <+510>: 41 8b 44 24 10 mov 0x10(%r12),%eax
0x00007ffff7bad193 <+515>: 85 c0 test %eax,%eax
0x00007ffff7bad195 <+517>: 0f 85 75 01 00 00 jne 0x7ffff7bad310 <malloc+896>
0x00007ffff7bad19b <+523>: 41 c7 44 24 08 ff ff ff ff movl $0xffffffff,0x8(%r12)
0x00007ffff7bad1a4 <+532>: 4c 89 f2 mov %r14,%rdx
0x00007ffff7bad1a7 <+535>: 4c 89 e6 mov %r12,%rsi
0x00007ffff7bad1aa <+538>: 4c 89 ff mov %r15,%rdi
0x00007ffff7bad1ad <+541>: 48 89 4c 24 08 mov %rcx,0x8(%rsp)
0x00007ffff7bad1b2 <+546>: e8 39 04 02 00 callq 0x7ffff7bcd5f0
0x00007ffff7bad1b7 <+551>: 48 85 c0 test %rax,%rax
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad1ba <+554>: 48 89 c3 mov %rax,%rbx
0x00007ffff7bad1bd <+557>: 48 8b 4c 24 08 mov 0x8(%rsp),%rcx
0x00007ffff7bad1c2 <+562>: 0f 84 3e ff ff ff je 0x7ffff7bad106 <malloc+374>
0x00007ffff7bad1c8 <+568>: 0f 1f 84 00 00 00 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad1d0 <+576>: 80 3d c1 c0 22 00 00 cmpb $0x0,0x22c0c1(%rip) # 0x7ffff7dd9298
0x00007ffff7bad1d7 <+583>: 0f 85 d3 01 00 00 jne 0x7ffff7bad3b0 <malloc+1056>
0x00007ffff7bad1dd <+589>: 80 3d a4 c0 22 00 00 cmpb $0x0,0x22c0a4(%rip) # 0x7ffff7dd9288
0x00007ffff7bad1e4 <+596>: 0f 85 e6 01 00 00 jne 0x7ffff7bad3d0 <malloc+1088>
0x00007ffff7bad1ea <+602>: 41 8b 47 20 mov 0x20(%r15),%eax
0x00007ffff7bad1ee <+606>: 49 83 04 24 01 addq $0x1,(%r12)
0x00007ffff7bad1f3 <+611>: 83 c0 01 add $0x1,%eax
0x00007ffff7bad1f6 <+614>: 3d 25 01 00 00 cmp $0x125,%eax
0x00007ffff7bad1fb <+619>: 41 89 47 20 mov %eax,0x20(%r15)
0x00007ffff7bad1ff <+623>: 0f 85 42 ff ff ff jne 0x7ffff7bad147 <malloc+439>
0x00007ffff7bad205 <+629>: 4c 89 ff mov %r15,%rdi
0x00007ffff7bad208 <+632>: e8 63 08 02 00 callq 0x7ffff7bcda70
0x00007ffff7bad20d <+637>: e9 35 ff ff ff jmpq 0x7ffff7bad147 <malloc+439>
0x00007ffff7bad212 <+642>: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0x00007ffff7bad218 <+648>: 49 89 fd mov %rdi,%r13
0x00007ffff7bad21b <+651>: 4d 85 ed test %r13,%r13
0x00007ffff7bad21e <+654>: 0f 84 bc 00 00 00 je 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad224 <+660>: 48 89 e8 mov %rbp,%rax
0x00007ffff7bad227 <+663>: 48 c1 e8 0c shr $0xc,%rax
0x00007ffff7bad22b <+667>: 48 83 c0 1c add $0x1c,%rax
0x00007ffff7bad22f <+671>: 48 c1 e0 05 shl $0x5,%rax
0x00007ffff7bad233 <+675>: 4d 8d 64 05 08 lea 0x8(%r13,%rax,1),%r12
0x00007ffff7bad238 <+680>: 41 8b 44 24 10 mov 0x10(%r12),%eax
0x00007ffff7bad23d <+685>: 85 c0 test %eax,%eax
0x00007ffff7bad23f <+687>: 0f 85 fb 00 00 00 jne 0x7ffff7bad340 <malloc+944>
0x00007ffff7bad245 <+693>: 41 c7 44 24 08 ff ff ff ff movl $0xffffffff,0x8(%r12)
0x00007ffff7bad24e <+702>: 49 8b 7d 18 mov 0x18(%r13),%rdi
0x00007ffff7bad252 <+706>: 31 d2 xor %edx,%edx
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad254 <+708>: 48 89 ee mov %rbp,%rsi
0x00007ffff7bad257 <+711>: e8 54 77 00 00 callq 0x7ffff7bb49b0
0x00007ffff7bad25c <+716>: 48 85 c0 test %rax,%rax
0x00007ffff7bad25f <+719>: 48 89 c3 mov %rax,%rbx
0x00007ffff7bad262 <+722>: 0f 84 9e fe ff ff je 0x7ffff7bad106 <malloc+374>
0x00007ffff7bad268 <+728>: 0f 1f 84 00 00 00 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad270 <+736>: 41 8b 45 20 mov 0x20(%r13),%eax
0x00007ffff7bad274 <+740>: 83 c0 01 add $0x1,%eax
0x00007ffff7bad277 <+743>: 3d 25 01 00 00 cmp $0x125,%eax
0x00007ffff7bad27c <+748>: 41 89 45 20 mov %eax,0x20(%r13)
0x00007ffff7bad280 <+752>: 0f 85 c1 fe ff ff jne 0x7ffff7bad147 <malloc+439>
0x00007ffff7bad286 <+758>: 4c 89 ef mov %r13,%rdi
0x00007ffff7bad289 <+761>: e8 e2 07 02 00 callq 0x7ffff7bcda70
0x00007ffff7bad28e <+766>: e9 b4 fe ff ff jmpq 0x7ffff7bad147 <malloc+439>
0x00007ffff7bad293 <+771>: 48 8d 0d 36 26 02 00 lea 0x22636(%rip),%rcx # 0x7ffff7bcf8d0
0x00007ffff7bad29a <+778>: 48 39 0d 4f bd 22 00 cmp %rcx,0x22bd4f(%rip) # 0x7ffff7dd8ff0
0x00007ffff7bad2a1 <+785>: 48 c7 00 02 00 00 00 movq $0x2,(%rax)
0x00007ffff7bad2a8 <+792>: 74 36 je 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad2aa <+794>: 48 89 c6 mov %rax,%rsi
0x00007ffff7bad2ad <+797>: 48 8d 05 f4 d1 22 00 lea 0x22d1f4(%rip),%rax # 0x7ffff7dda4a8
0x00007ffff7bad2b4 <+804>: 8b 38 mov (%rax),%edi
0x00007ffff7bad2b6 <+806>: e8 15 d0 ff ff callq 0x7ffff7baa2d0 <pthread_setspecific@plt>
0x00007ffff7bad2bb <+811>: 85 c0 test %eax,%eax
0x00007ffff7bad2bd <+813>: 74 21 je 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad2bf <+815>: 48 8d 3d d2 27 02 00 lea 0x227d2(%rip),%rdi # 0x7ffff7bcfa98
0x00007ffff7bad2c6 <+822>: e8 05 11 02 00 callq 0x7ffff7bce3d0
0x00007ffff7bad2cb <+827>: 80 3d c7 bf 22 00 00 cmpb $0x0,0x22bfc7(%rip) # 0x7ffff7dd9299
0x00007ffff7bad2d2 <+834>: 0f 85 ff 01 00 00 jne 0x7ffff7bad4d7 <malloc+1351>
0x00007ffff7bad2d8 <+840>: 0f 1f 84 00 00 00 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad2e0 <+848>: 48 8b 05 d9 bc 22 00 mov 0x22bcd9(%rip),%rax # 0x7ffff7dd8fc0
0x00007ffff7bad2e7 <+855>: 64 48 8b 38 mov %fs:(%rax),%rdi
0x00007ffff7bad2eb <+859>: 48 85 ff test %rdi,%rdi
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad2ee <+862>: 0f 84 ec 01 00 00 je 0x7ffff7bad4e0 <malloc+1360>
0x00007ffff7bad2f4 <+868>: 48 89 de mov %rbx,%rsi
0x00007ffff7bad2f7 <+871>: 31 d2 xor %edx,%edx
0x00007ffff7bad2f9 <+873>: e8 b2 76 00 00 callq 0x7ffff7bb49b0
0x00007ffff7bad2fe <+878>: 48 89 c3 mov %rax,%rbx
0x00007ffff7bad301 <+881>: e9 3c fe ff ff jmpq 0x7ffff7bad142 <malloc+434>
0x00007ffff7bad306 <+886>: 66 2e 0f 1f 84 00 00 00 00 00 nopw %cs:0x0(%rax,%rax,1)
0x00007ffff7bad310 <+896>: 83 e8 01 sub $0x1,%eax
0x00007ffff7bad313 <+899>: 41 3b 44 24 08 cmp 0x8(%r12),%eax
0x00007ffff7bad318 <+904>: 41 89 44 24 10 mov %eax,0x10(%r12)
0x00007ffff7bad31d <+909>: 7d 05 jge 0x7ffff7bad324 <malloc+916>
0x00007ffff7bad31f <+911>: 41 89 44 24 08 mov %eax,0x8(%r12)
0x00007ffff7bad324 <+916>: 49 8b 54 24 18 mov 0x18(%r12),%rdx
0x00007ffff7bad329 <+921>: 48 8b 1c c2 mov (%rdx,%rax,8),%rbx
0x00007ffff7bad32d <+925>: 48 85 db test %rbx,%rbx
0x00007ffff7bad330 <+928>: 0f 85 9a fe ff ff jne 0x7ffff7bad1d0 <malloc+576>
0x00007ffff7bad336 <+934>: e9 69 fe ff ff jmpq 0x7ffff7bad1a4 <malloc+532>
0x00007ffff7bad33b <+939>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad340 <+944>: 83 e8 01 sub $0x1,%eax
0x00007ffff7bad343 <+947>: 41 3b 44 24 08 cmp 0x8(%r12),%eax
0x00007ffff7bad348 <+952>: 41 89 44 24 10 mov %eax,0x10(%r12)
0x00007ffff7bad34d <+957>: 0f 8c 95 00 00 00 jl 0x7ffff7bad3e8 <malloc+1112>
0x00007ffff7bad353 <+963>: 49 8b 54 24 18 mov 0x18(%r12),%rdx
0x00007ffff7bad358 <+968>: 48 8b 1c c2 mov (%rdx,%rax,8),%rbx
0x00007ffff7bad35c <+972>: 48 85 db test %rbx,%rbx
0x00007ffff7bad35f <+975>: 0f 84 e9 fe ff ff je 0x7ffff7bad24e <malloc+702>
0x00007ffff7bad365 <+981>: 80 3d 2c bf 22 00 00 cmpb $0x0,0x22bf2c(%rip) # 0x7ffff7dd9298
0x00007ffff7bad36c <+988>: 74 22 je 0x7ffff7bad390 <malloc+1024>
0x00007ffff7bad36e <+990>: 48 89 ea mov %rbp,%rdx
0x00007ffff7bad371 <+993>: be a5 00 00 00 mov $0xa5,%esi
0x00007ffff7bad376 <+998>: 48 89 df mov %rbx,%rdi
0x00007ffff7bad379 <+1001>: e8 92 cf ff ff callq 0x7ffff7baa310 <memset@plt>
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad37e <+1006>: 49 83 04 24 01 addq $0x1,(%r12)
0x00007ffff7bad383 <+1011>: e9 e8 fe ff ff jmpq 0x7ffff7bad270 <malloc+736>
0x00007ffff7bad388 <+1016>: 0f 1f 84 00 00 00 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad390 <+1024>: 80 3d f1 be 22 00 00 cmpb $0x0,0x22bef1(%rip) # 0x7ffff7dd9288
0x00007ffff7bad397 <+1031>: 74 e5 je 0x7ffff7bad37e <malloc+1006>
0x00007ffff7bad399 <+1033>: 48 89 ea mov %rbp,%rdx
0x00007ffff7bad39c <+1036>: 31 f6 xor %esi,%esi
0x00007ffff7bad39e <+1038>: 48 89 df mov %rbx,%rdi
0x00007ffff7bad3a1 <+1041>: e8 6a cf ff ff callq 0x7ffff7baa310 <memset@plt>
0x00007ffff7bad3a6 <+1046>: eb d6 jmp 0x7ffff7bad37e <malloc+1006>
0x00007ffff7bad3a8 <+1048>: 0f 1f 84 00 00 00 00 00 nopl 0x0(%rax,%rax,1)
0x00007ffff7bad3b0 <+1056>: 4b 8d 04 76 lea (%r14,%r14,2),%rax
0x00007ffff7bad3b4 <+1060>: 31 d2 xor %edx,%edx
0x00007ffff7bad3b6 <+1062>: 48 89 df mov %rbx,%rdi
0x00007ffff7bad3b9 <+1065>: 49 8d 04 86 lea (%r14,%rax,4),%rax
0x00007ffff7bad3bd <+1069>: 49 8d 74 c5 00 lea 0x0(%r13,%rax,8),%rsi
0x00007ffff7bad3c2 <+1074>: e8 b9 72 00 00 callq 0x7ffff7bb4680
0x00007ffff7bad3c7 <+1079>: e9 1e fe ff ff jmpq 0x7ffff7bad1ea <malloc+602>
0x00007ffff7bad3cc <+1084>: 0f 1f 40 00 nopl 0x0(%rax)
0x00007ffff7bad3d0 <+1088>: 48 89 ca mov %rcx,%rdx
0x00007ffff7bad3d3 <+1091>: 31 f6 xor %esi,%esi
0x00007ffff7bad3d5 <+1093>: 48 89 df mov %rbx,%rdi
0x00007ffff7bad3d8 <+1096>: e8 33 cf ff ff callq 0x7ffff7baa310 <memset@plt>
0x00007ffff7bad3dd <+1101>: e9 08 fe ff ff jmpq 0x7ffff7bad1ea <malloc+602>
0x00007ffff7bad3e2 <+1106>: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0x00007ffff7bad3e8 <+1112>: 41 89 44 24 08 mov %eax,0x8(%r12)
0x00007ffff7bad3ed <+1117>: e9 61 ff ff ff jmpq 0x7ffff7bad353 <malloc+963>
0x00007ffff7bad3f2 <+1122>: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0x00007ffff7bad3f8 <+1128>: bf 0a 00 00 00 mov $0xa,%edi
0x00007ffff7bad3fd <+1133>: e8 be bf 01 00 callq 0x7ffff7bc93c0
0x00007ffff7bad402 <+1138>: e9 d7 fb ff ff jmpq 0x7ffff7bacfde <malloc+78>
0x00007ffff7bad407 <+1143>: 66 48 8d 3d c9 bb 22 00 data16 lea 0x22bbc9(%rip),%rdi # 0x7ffff7dd8fd8
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad40f <+1151>: 66 66 48 e8 59 cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
=> 0x00007ffff7bad417 <+1159>: 8b 10 mov (%rax),%edx
0x00007ffff7bad419 <+1161>: 83 fa 02 cmp $0x2,%edx
0x00007ffff7bad41c <+1164>: 75 0c jne 0x7ffff7bad42a <malloc+1178>
0x00007ffff7bad41e <+1166>: 48 8d 15 23 be 22 00 lea 0x22be23(%rip),%rdx # 0x7ffff7dd9248
0x00007ffff7bad425 <+1173>: 0f b6 12 movzbl (%rdx),%edx
0x00007ffff7bad428 <+1176>: 89 10 mov %edx,(%rax)
0x00007ffff7bad42a <+1178>: 85 d2 test %edx,%edx
0x00007ffff7bad42c <+1180>: 0f 85 2e 01 00 00 jne 0x7ffff7bad560 <malloc+1488>
0x00007ffff7bad432 <+1186>: 66 48 8d 3d 9e bb 22 00 data16 lea 0x22bb9e(%rip),%rdi # 0x7ffff7dd8fd8
0x00007ffff7bad43a <+1194>: 66 66 48 e8 2e cf ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
0x00007ffff7bad442 <+1202>: c7 00 00 00 00 00 movl $0x0,(%rax)
0x00007ffff7bad448 <+1208>: 64 48 8b 04 25 00 00 00 00 mov %fs:0x0,%rax
0x00007ffff7bad451 <+1217>: 48 03 05 78 bb 22 00 add 0x22bb78(%rip),%rax # 0x7ffff7dd8fd0
0x00007ffff7bad458 <+1224>: 48 8d 0d 71 24 02 00 lea 0x22471(%rip),%rcx # 0x7ffff7bcf8d0
0x00007ffff7bad45f <+1231>: 48 39 0d 8a bb 22 00 cmp %rcx,0x22bb8a(%rip) # 0x7ffff7dd8ff0
0x00007ffff7bad466 <+1238>: 48 c7 00 01 00 00 00 movq $0x1,(%rax)
0x00007ffff7bad46d <+1245>: 75 3e jne 0x7ffff7bad4ad <malloc+1309>
0x00007ffff7bad46f <+1247>: 90 nop
0x00007ffff7bad470 <+1248>: 48 8b 05 49 bb 22 00 mov 0x22bb49(%rip),%rax # 0x7ffff7dd8fc0
0x00007ffff7bad477 <+1255>: 64 48 8b 38 mov %fs:(%rax),%rdi
0x00007ffff7bad47b <+1259>: 48 85 ff test %rdi,%rdi
0x00007ffff7bad47e <+1262>: 0f 84 06 01 00 00 je 0x7ffff7bad58a <malloc+1530>
0x00007ffff7bad484 <+1268>: 48 89 de mov %rbx,%rsi
0x00007ffff7bad487 <+1271>: 31 d2 xor %edx,%edx
0x00007ffff7bad489 <+1273>: e8 a2 72 00 00 callq 0x7ffff7bb4730
0x00007ffff7bad48e <+1278>: 48 89 c3 mov %rax,%rbx
0x00007ffff7bad491 <+1281>: e9 ac fc ff ff jmpq 0x7ffff7bad142 <malloc+434>
0x00007ffff7bad496 <+1286>: 48 8d 0d 33 24 02 00 lea 0x22433(%rip),%rcx # 0x7ffff7bcf8d0
0x00007ffff7bad49d <+1293>: 48 39 0d 4c bb 22 00 cmp %rcx,0x22bb4c(%rip) # 0x7ffff7dd8ff0
0x00007ffff7bad4a4 <+1300>: 48 c7 00 02 00 00 00 movq $0x2,(%rax)
0x00007ffff7bad4ab <+1307>: 74 c3 je 0x7ffff7bad470 <malloc+1248>
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad4ad <+1309>: 48 89 c6 mov %rax,%rsi
0x00007ffff7bad4b0 <+1312>: 48 8d 05 f1 cf 22 00 lea 0x22cff1(%rip),%rax # 0x7ffff7dda4a8
0x00007ffff7bad4b7 <+1319>: 8b 38 mov (%rax),%edi
0x00007ffff7bad4b9 <+1321>: e8 12 ce ff ff callq 0x7ffff7baa2d0 <pthread_setspecific@plt>
0x00007ffff7bad4be <+1326>: 85 c0 test %eax,%eax
0x00007ffff7bad4c0 <+1328>: 74 ae je 0x7ffff7bad470 <malloc+1248>
0x00007ffff7bad4c2 <+1330>: 48 8d 3d cf 25 02 00 lea 0x225cf(%rip),%rdi # 0x7ffff7bcfa98
0x00007ffff7bad4c9 <+1337>: e8 02 0f 02 00 callq 0x7ffff7bce3d0
0x00007ffff7bad4ce <+1342>: 80 3d c4 bd 22 00 00 cmpb $0x0,0x22bdc4(%rip) # 0x7ffff7dd9299
0x00007ffff7bad4d5 <+1349>: 74 99 je 0x7ffff7bad470 <malloc+1248>
0x00007ffff7bad4d7 <+1351>: e8 24 cd ff ff callq 0x7ffff7baa200 <abort@plt>
0x00007ffff7bad4dc <+1356>: 0f 1f 40 00 nopl 0x0(%rax)
0x00007ffff7bad4e0 <+1360>: e8 ab e6 ff ff callq 0x7ffff7babb90
0x00007ffff7bad4e5 <+1365>: 48 89 c7 mov %rax,%rdi
0x00007ffff7bad4e8 <+1368>: e9 07 fe ff ff jmpq 0x7ffff7bad2f4 <malloc+868>
0x00007ffff7bad4ed <+1373>: 0f 1f 00 nopl (%rax)
0x00007ffff7bad4f0 <+1376>: 66 48 8d 3d e0 ba 22 00 data16 lea 0x22bae0(%rip),%rdi # 0x7ffff7dd8fd8
0x00007ffff7bad4f8 <+1384>: 66 66 48 e8 70 ce ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
0x00007ffff7bad500 <+1392>: 8b 10 mov (%rax),%edx
0x00007ffff7bad502 <+1394>: 83 fa 02 cmp $0x2,%edx
0x00007ffff7bad505 <+1397>: 75 0c jne 0x7ffff7bad513 <malloc+1411>
0x00007ffff7bad507 <+1399>: 48 8d 15 3a bd 22 00 lea 0x22bd3a(%rip),%rdx # 0x7ffff7dd9248
0x00007ffff7bad50e <+1406>: 0f b6 12 movzbl (%rdx),%edx
0x00007ffff7bad511 <+1409>: 89 10 mov %edx,(%rax)
0x00007ffff7bad513 <+1411>: 85 d2 test %edx,%edx
0x00007ffff7bad515 <+1413>: 75 5e jne 0x7ffff7bad575 <malloc+1509>
0x00007ffff7bad517 <+1415>: 66 48 8d 3d b9 ba 22 00 data16 lea 0x22bab9(%rip),%rdi # 0x7ffff7dd8fd8
0x00007ffff7bad51f <+1423>: 66 66 48 e8 49 ce ff ff data16 data16 callq 0x7ffff7baa370 <__tls_get_addr@plt>
0x00007ffff7bad527 <+1431>: c7 00 00 00 00 00 movl $0x0,(%rax)
0x00007ffff7bad52d <+1437>: 64 48 8b 04 25 00 00 00 00 mov %fs:0x0,%rax
0x00007ffff7bad536 <+1446>: 48 03 05 93 ba 22 00 add 0x22ba93(%rip),%rax # 0x7ffff7dd8fd0
0x00007ffff7bad53d <+1453>: 48 8d 0d 8c 23 02 00 lea 0x2238c(%rip),%rcx # 0x7ffff7bcf8d0
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bad544 <+1460>: 48 39 0d a5 ba 22 00 cmp %rcx,0x22baa5(%rip) # 0x7ffff7dd8ff0
0x00007ffff7bad54b <+1467>: 48 c7 00 01 00 00 00 movq $0x1,(%rax)
0x00007ffff7bad552 <+1474>: 0f 85 52 fd ff ff jne 0x7ffff7bad2aa <malloc+794>
0x00007ffff7bad558 <+1480>: e9 83 fd ff ff jmpq 0x7ffff7bad2e0 <malloc+848>
0x00007ffff7bad55d <+1485>: 0f 1f 00 nopl (%rax)
0x00007ffff7bad560 <+1488>: e8 8b e7 ff ff callq 0x7ffff7babcf0
0x00007ffff7bad565 <+1493>: 48 89 c7 mov %rax,%rdi
0x00007ffff7bad568 <+1496>: e8 23 06 02 00 callq 0x7ffff7bcdb90
0x00007ffff7bad56d <+1501>: 49 89 c7 mov %rax,%r15
0x00007ffff7bad570 <+1504>: e9 f6 fb ff ff jmpq 0x7ffff7bad16b <malloc+475>
0x00007ffff7bad575 <+1509>: e8 76 e7 ff ff callq 0x7ffff7babcf0
0x00007ffff7bad57a <+1514>: 48 89 c7 mov %rax,%rdi
0x00007ffff7bad57d <+1517>: e8 0e 06 02 00 callq 0x7ffff7bcdb90
0x00007ffff7bad582 <+1522>: 49 89 c5 mov %rax,%r13
0x00007ffff7bad585 <+1525>: e9 91 fc ff ff jmpq 0x7ffff7bad21b <malloc+651>
0x00007ffff7bad58a <+1530>: e8 01 e6 ff ff callq 0x7ffff7babb90
0x00007ffff7bad58f <+1535>: 48 89 c7 mov %rax,%rdi
0x00007ffff7bad592 <+1538>: e9 ed fe ff ff jmpq 0x7ffff7bad484 <malloc+1268>
End of assembler dump.