Memory allocation

In C, and in the runtimes that underpin higher-level languages (Java, Python, JavaScript, etc.), memory is requested with malloc and returned with free:

malloc returns a pointer — a number identifying a specific byte in memory (typically written in hexadecimal). free takes that same pointer and marks the memory as available again. These two functions are how almost all programs manage heap memory, even when the programmer never writes a line of C.

The smallest unit allocators work with is the byte. Memory can be thought of as a long sequence of numbered bytes. Each byte has an address — a number that uniquely identifies it. malloc(4) allocates 4 contiguous bytes and returns the address of the first one.

A naive allocator could simply advance a pointer marking the end of used memory each time malloc is called. This is extremely fast, but free becomes a no-op: without tracking individual allocations, there is no safe way to return memory. Memory consumed is memory lost — a memory leak. Such a bump allocator is useful only for programs with a known, fixed memory footprint.

A general-purpose allocator needs two data structures:

On malloc(n), the allocator scans the free list for a block large enough to satisfy the request, records the new allocation, and shrinks the free list entry accordingly. On free(ptr), it looks up the matching allocation, removes it from the allocation list, and returns the region to the free list.

Even with coalescing, fragmentation remains a fundamental challenge. Consider a sequence of alternating allocations and frees of different sizes — the free list may end up with several small non-contiguous blocks that individually cannot satisfy a larger request, even though the total free memory is sufficient.

Fragmentation cannot be solved by compacting (moving allocations to close the gaps), because malloc has already handed out byte addresses. Moving an allocation would invalidate pointers that the calling program holds, silently corrupting it.

Two common strategies to reduce fragmentation:

Rather than maintaining a separate allocation list and free list in reserved memory, many allocators store bookkeeping information inline, in a header immediately before each block. A typical layout:

This makes malloc and free simpler and faster:

Storing the block size at both ends — the seemingly wasteful duplication — is what makes bidirectional traversal (and therefore coalescing) possible without a separate data structure. Allocators using this layout are called boundary tag allocators.

Because bookkeeping data lives in memory alongside user data, bugs that overwrite memory past the end of an allocation (buffer overrun) or access memory after it has been freed (use-after-free) can corrupt the allocator’s own data structures. The consequences range from immediate crashes to delayed failures to exploitable security vulnerabilities.

Some allocators write a known "magic" value into the bookkeeping area so they can detect corruption early (at the cost of one extra byte per allocation). This guard-value checking is typically disabled in production and enabled only when debugging.

Memory-safe languages such as Rust address this class of bug at the language level, making such mistakes impossible to express rather than relying on runtime detection.

This document covers the basics of heap allocation. Related topics not addressed here include: