Basic jemalloc command for printing arenas info with bin (#2176)

* Basic jemalloc arenas info command Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * linter Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Hex address Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added jemalloc to dev setup script and WIP code foor rtree parsing Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Lint changes Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Lint changes 2 Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Removed old commands, added jemalloc related class to generate bins and extent data Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added RTree class Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Uncommented print lines for testing Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added mask function from jemalloc Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added heap command Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * First jemalloc test - experiment Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * some refactoring and tests Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * utilizing debugger-agnostic functions Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * use new api where possible Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Test run pre mypy fixes Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * minor fix for makefile Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Use regex match for address in test find extent Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * minor test change with lowered allocated memory Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Don't hardcode address for ptr in test Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Fix ptr not in breakpoint in test Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Cache oblivious adds 4KiB to allocations Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Corrected size in test Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Remove duplicate extents while parsing rtree Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Skip heap test Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * More explanation Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added State name to extent info Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Added more comments Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Details about the lookup function Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Fixed double printing issue and some extents missing in heap Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Add check for addr alignment in lookup hard Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Removed prints for testing Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> * Update .devcontainer/devcontainer.json * Move jemalloc.py aglib/heap/jemalloc.py * Update test_heap.py: fix jemalloc support string * Update jemalloc.py: fix mypy issues --------- Signed-off-by: Chirag Aggarwal <thechiragaggarwal@gmail.com> Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
1 year ago · 3ecca0fc1e
parent b84a66f133
commit 3ecca0fc1e
8 changed files with 812 additions and 1 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -55,7 +55,7 @@
        }
    },
    "runArgs": [
-        "--cap-add=SYS_PTRACE"
+        "--cap-add=SYS_PTRACE",
    ],
    "remoteUser": "vscode",
    "workspaceFolder": "/pwndbg",
--- a/pwndbg/aglib/heap/jemalloc.py
+++ b/pwndbg/aglib/heap/jemalloc.py
@ -0,0 +1,551 @@
+from __future__ import annotations
+
+import gdb
+
+import pwndbg.gdblib.info
+import pwndbg.gdblib.memory
+import pwndbg.gdblib.typeinfo
+
+# adapted from jemalloc source 5.3.0
+LG_VADDR = 48
+LG_PAGE = 12
+# https://github.com/jemalloc/jemalloc/blob/a25b9b8ba91881964be3083db349991bbbbf1661/include/jemalloc/internal/jemalloc_internal_types.h#L42
+MALLOCX_ARENA_BITS = 12
+# https://github.com/jemalloc/jemalloc/blob/a25b9b8ba91881964be3083db349991bbbbf1661/include/jemalloc/jemalloc_defs.h.in#L51
+LG_SIZEOF_PTR = 3
+
+RTREE_NHIB = (1 << (LG_SIZEOF_PTR + 3)) - LG_VADDR  # Number of high insignificant bits
+RTREE_NLIB = LG_PAGE  # Number of low insigificant bits
+RTREE_NSB = LG_VADDR - RTREE_NLIB  # Number of significant bits
+
+# Number of levels in radix tree
+if RTREE_NSB <= 10:
+    RTREE_HEIGHT = 1
+elif RTREE_NSB <= 36:
+    RTREE_HEIGHT = 2
+elif RTREE_NSB <= 52:
+    RTREE_HEIGHT = 3
+else:
+    raise ValueError("Unsupported number of significant virtual address bits")
+
+
+# TODO: RTREE_LEAF_COMPACT should be enabled otherwise rtree_leaf_elm_s would change
+
+# TODO: Move to relevant place
+# https://github.com/jemalloc/jemalloc/blob/a25b9b8ba91881964be3083db349991bbbbf1661/include/jemalloc/internal/edata.h#L145
+
+
+def mask(current_field_width, current_field_shift):
+    return ((1 << current_field_width) - 1) << current_field_shift
+
+
+# For size class related explanation and calculations, refer to https://github.com/jemalloc/jemalloc/blob/a25b9b8ba91881964be3083db349991bbbbf1661/include/jemalloc/internal/sc.h#L8
+
+LG_QUANTUM = 4  # LG_QUANTUM ensures correct platform alignment and necessary to ensure we never return improperly aligned memory
+
+SC_LG_TINY_MIN = 3
+SC_NTINY = (
+    LG_QUANTUM - SC_LG_TINY_MIN
+)  # Number of tiny size classes for alloations smaller than (1 << LG_QUANTUM)
+
+# Size classes
+SC_LG_NGROUP = 2  # Number of size classes group
+SC_NGROUP = (
+    1 << SC_LG_NGROUP
+)  # Number of size classes in each group, equally spaced in the range, so that * each one covers allocations for base / SC_NGROUP possible allocation sizes
+SC_NPSEUDO = SC_NGROUP
+SC_PTR_BITS = (1 << LG_SIZEOF_PTR) * 8
+SC_LG_BASE_MAX = SC_PTR_BITS - 2
+SC_LG_FIRST_REGULAR_BASE = LG_QUANTUM + SC_LG_NGROUP
+SC_NREGULAR = SC_NGROUP * (SC_LG_BASE_MAX - SC_LG_FIRST_REGULAR_BASE + 1) - 1
+
+SC_NSIZES = SC_NTINY + SC_NPSEUDO + SC_NREGULAR
+
+SC_LG_SLAB_MAXREGS = LG_PAGE - SC_LG_TINY_MIN
+
+
+# Source: https://github.com/jemalloc/jemalloc/blob/dev/include/jemalloc/internal/bit_util.h#L400-L419
+def lg_floor_1(x):
+    return 0
+
+
+def lg_floor_2(x):
+    return lg_floor_1(x) if x < (1 << 1) else 1 + lg_floor_1(x >> 1)
+
+
+def lg_floor_4(x):
+    return lg_floor_2(x) if x < (1 << 2) else 2 + lg_floor_2(x >> 2)
+
+
+def lg_floor_8(x):
+    return lg_floor_4(x) if x < (1 << 4) else 4 + lg_floor_4(x >> 4)
+
+
+def lg_floor_16(x):
+    return lg_floor_8(x) if x < (1 << 8) else 8 + lg_floor_8(x >> 8)
+
+
+def lg_floor_32(x):
+    return lg_floor_16(x) if x < (1 << 16) else 16 + lg_floor_16(x >> 16)
+
+
+def lg_floor_64(x):
+    return lg_floor_32(x) if x < (1 << 32) else 32 + lg_floor_32(x >> 32)
+
+
+def lg_floor(x):
+    return lg_floor_32(x) if LG_SIZEOF_PTR == 2 else lg_floor_64(x)
+
+
+def lg_ceil(x):
+    return lg_floor(x) + (0 if (x & (x - 1)) == 0 else 1)
+
+
+# Arena width and mask definitions
+EDATA_BITS_ARENA_WIDTH = MALLOCX_ARENA_BITS
+EDATA_BITS_ARENA_SHIFT = 0
+EDATA_BITS_ARENA_MASK = mask(EDATA_BITS_ARENA_WIDTH, EDATA_BITS_ARENA_SHIFT)
+
+# Slab width and mask definitions
+EDATA_BITS_SLAB_WIDTH = 1
+EDATA_BITS_SLAB_SHIFT = EDATA_BITS_ARENA_WIDTH + EDATA_BITS_ARENA_SHIFT
+EDATA_BITS_SLAB_MASK = mask(EDATA_BITS_SLAB_WIDTH, EDATA_BITS_SLAB_SHIFT)
+
+# Committed width and mask definitions
+EDATA_BITS_COMMITTED_WIDTH = 1
+EDATA_BITS_COMMITTED_SHIFT = EDATA_BITS_SLAB_WIDTH + EDATA_BITS_SLAB_SHIFT
+EDATA_BITS_COMMITTED_MASK = mask(EDATA_BITS_COMMITTED_WIDTH, EDATA_BITS_COMMITTED_SHIFT)
+
+# PAI width and mask definitions
+EDATA_BITS_PAI_WIDTH = 1
+EDATA_BITS_PAI_SHIFT = EDATA_BITS_COMMITTED_WIDTH + EDATA_BITS_COMMITTED_SHIFT
+EDATA_BITS_PAI_MASK = mask(EDATA_BITS_PAI_WIDTH, EDATA_BITS_PAI_SHIFT)
+
+# Zeroed width and mask definitions
+EDATA_BITS_ZEROED_WIDTH = 1
+EDATA_BITS_ZEROED_SHIFT = EDATA_BITS_PAI_WIDTH + EDATA_BITS_PAI_SHIFT
+EDATA_BITS_ZEROED_MASK = mask(EDATA_BITS_ZEROED_WIDTH, EDATA_BITS_ZEROED_SHIFT)
+
+# Guarded width and mask definitions
+EDATA_BITS_GUARDED_WIDTH = 1
+EDATA_BITS_GUARDED_SHIFT = EDATA_BITS_ZEROED_WIDTH + EDATA_BITS_ZEROED_SHIFT
+EDATA_BITS_GUARDED_MASK = mask(EDATA_BITS_GUARDED_WIDTH, EDATA_BITS_GUARDED_SHIFT)
+
+# State width and mask definitions
+EDATA_BITS_STATE_WIDTH = 3
+EDATA_BITS_STATE_SHIFT = EDATA_BITS_GUARDED_WIDTH + EDATA_BITS_GUARDED_SHIFT
+EDATA_BITS_STATE_MASK = mask(EDATA_BITS_STATE_WIDTH, EDATA_BITS_STATE_SHIFT)
+
+EDATA_BITS_SZIND_WIDTH = lg_ceil(SC_NSIZES)
+EDATA_BITS_SZIND_SHIFT = EDATA_BITS_STATE_WIDTH + EDATA_BITS_STATE_SHIFT
+EDATA_BITS_SZIND_MASK = mask(EDATA_BITS_SZIND_WIDTH, EDATA_BITS_SZIND_SHIFT)
+
+# Nfree width and mask definitions
+EDATA_BITS_NFREE_WIDTH = SC_LG_SLAB_MAXREGS + 1
+EDATA_BITS_NFREE_SHIFT = EDATA_BITS_SZIND_WIDTH + EDATA_BITS_SZIND_SHIFT
+EDATA_BITS_NFREE_MASK = mask(EDATA_BITS_NFREE_WIDTH, EDATA_BITS_NFREE_SHIFT)
+
+# Binshard width and mask definitions
+EDATA_BITS_BINSHARD_WIDTH = 6
+EDATA_BITS_BINSHARD_SHIFT = EDATA_BITS_NFREE_WIDTH + EDATA_BITS_NFREE_SHIFT
+EDATA_BITS_BINSHARD_MASK = mask(EDATA_BITS_BINSHARD_WIDTH, EDATA_BITS_BINSHARD_SHIFT)
+
+# Is head width and mask definitions
+EDATA_BITS_IS_HEAD_WIDTH = 1
+EDATA_BITS_IS_HEAD_SHIFT = EDATA_BITS_BINSHARD_WIDTH + EDATA_BITS_BINSHARD_SHIFT
+EDATA_BITS_IS_HEAD_MASK = mask(EDATA_BITS_IS_HEAD_WIDTH, EDATA_BITS_IS_HEAD_SHIFT)
+
+# In RTree, Each level distinguishes a certain number of bits from the key, which helps in narrowing down the search space
+# bits: how many bits have been used at that particular level (Number of key bits distinguished by this level)
+# cumbits: how many bits in total have been used up to that level (Cumulative number of key bits distinguished by traversing to corresponding tree level)
+rtree_levels = [
+    # for height == 1
+    [{"bits": RTREE_NSB, "cumbits": RTREE_NHIB + RTREE_NSB}],
+    # for height == 2
+    [
+        {"bits": RTREE_NSB // 2, "cumbits": RTREE_NHIB + RTREE_NSB // 2},
+        {"bits": RTREE_NSB // 2 + RTREE_NSB % 2, "cumbits": RTREE_NHIB + RTREE_NSB},
+    ],
+    # for height == 3
+    [
+        {"bits": RTREE_NSB // 3, "cumbits": RTREE_NHIB + RTREE_NSB // 3},
+        {
+            "bits": RTREE_NSB // 3 + RTREE_NSB % 3 // 2,
+            "cumbits": RTREE_NHIB + RTREE_NSB // 3 * 2 + RTREE_NSB % 3 // 2,
+        },
+        {
+            "bits": RTREE_NSB // 3 + RTREE_NSB % 3 - RTREE_NSB % 3 // 2,
+            "cumbits": RTREE_NHIB + RTREE_NSB,
+        },
+    ],
+]
+
+
+class RTree:
+    """
+    RTree is used by jemalloc to keep track of extents that are allocated by jemalloc.
+    Since extent data is not stored in a doubly linked list, rtree is used to find the extent belonging to a pointer that is being freed.
+    Implementation of rtree is similar to Linux Radix tree: https://lwn.net/Articles/175432/
+    """
+
+    # TODO: Check rtee_ctx cache in
+    # tsd_nominal_tsds.qlh_first.cant_access_tsd_items_directly_use_a_getter_or_setter_rtree_ctx.cache
+    def __init__(self, addr: int) -> None:
+        self._addr = addr
+
+        rtree_s = pwndbg.gdblib.typeinfo.load("struct rtree_s")
+        # self._Value = pwndbg.gdblib.memory.poi(emap_s, self._addr)
+
+        # self._Value = pwndbg.gdblib.memory.fetch_struct_as_dictionary(
+        #     "rtree_s", self._addr, include_only_fields={"root"}
+        # )
+        self._Value = gdb.Value(self._addr).cast(rtree_s.pointer()).dereference()
+
+        self._extents = None
+
+    @staticmethod
+    def get_rtree() -> RTree:
+        try:
+            addr = pwndbg.gdblib.info.address("je_arena_emap_global")
+            if addr is None:
+                return None
+
+        except gdb.MemoryError:
+            return None
+
+        return RTree(addr)
+
+    @property
+    def root(self):
+        return self._Value["root"]
+
+    # from include/jemalloc/internal/rtree.h
+    # converted implementation of rtree_leafkey
+    def __rtree_leaf_maskbits(self, level):
+        ptrbits = 1 << (LG_SIZEOF_PTR + 3)
+        # print("ptrbits: ", ptrbits, bin(ptrbits))
+        cumbits = (
+            rtree_levels[RTREE_HEIGHT - 1][level - 1]["cumbits"]
+            - rtree_levels[RTREE_HEIGHT - 1][level - 1]["bits"]
+        )
+        # print("cumbits: ", cumbits, bin(cumbits))
+        return ptrbits - cumbits
+
+    # Can be used to lookup key quickly in cache
+    def __rtree_leafkey(self, key, level):
+        mask = ~((1 << self.__rtree_leaf_maskbits(level)) - 1)
+        # print("mask: ", mask, bin(mask))
+        return key & mask
+
+    def __subkey(self, key, level):
+        """
+        Return a portion of the key that is used to find the node/leaf in the rtree at a specific level.
+        Source: https://github.com/jemalloc/jemalloc/blob/5b72ac098abce464add567869d082f2097bd59a2/include/jemalloc/internal/rtree.h#L161
+        """
+
+        ptrbits = 1 << (LG_SIZEOF_PTR + 3)
+        cumbits = rtree_levels[RTREE_HEIGHT - 1][level - 1]["cumbits"]
+        shiftbits = ptrbits - cumbits
+        maskbits = rtree_levels[RTREE_HEIGHT - 1][level - 1]["bits"]
+        mask = (1 << maskbits) - 1
+
+        return (key >> shiftbits) & mask
+
+    @staticmethod
+    def __alignment_addr2base(addr, alignment=64):
+        return addr - (addr - (addr & (~(alignment - 1))))
+
+    def lookup_hard(self, key):
+        """
+        Lookup the key in the rtree and return the value.
+
+        How it works:
+        - Jemalloc stores the extent address in the rtree as a node and to find a specific node we need a address key.
+        """
+        rtree_node_elm_s = pwndbg.gdblib.typeinfo.load("struct rtree_node_elm_s")
+        rtree_leaf_elm_s = pwndbg.gdblib.typeinfo.load("struct rtree_leaf_elm_s")
+
+        # Credits: 盏一's jegdb
+
+        # For subkey 0
+        subkey = self.__subkey(key, 1)
+
+        addr = int(self.root.address) + subkey * rtree_node_elm_s.sizeof
+        node = pwndbg.gdblib.memory.fetch_struct_as_dictionary("rtree_node_elm_s", addr)
+
+        child_repr: int = node["child"]["repr"]  # type: ignore[index]
+
+        # on node element, child contains the bits with which we can find another node or leaf element
+        if child_repr == 0:
+            return None
+
+        # For subkey 1
+        subkey = self.__subkey(key, 2)
+        addr = child_repr + subkey * rtree_leaf_elm_s.sizeof
+        leaf = pwndbg.gdblib.memory.fetch_struct_as_dictionary("rtree_leaf_elm_s", addr)
+
+        # On leaf element, le_bits contains the virtual memory address bits so we can use it to find the extent address
+        val: int = leaf["le_bits"]["repr"]  # type: ignore[index]
+        if val == 0:
+            return None
+
+        # In this function, we are trying to find the extent address given the address of memory block
+        # that this extent is managing (which is represented by edata->e_addr in the extent structure)
+
+        # e_addr is 64 bits but
+        # e_addr is also page (4096) aligned which means last 12 bits are zero and therefore unused
+        # In rtree, each layer can be accessed using bits 0-16, 17-33 and 34-51
+        # When height of rtree is 3, level 1 can be accessed using bits 0-16, and so on for level 2 and 3
+        # When the height is 2, 0-15 bits are unused and level 1 can be accessed using bits 16-33 and level 2 using 34-51
+
+        ls = (val << RTREE_NHIB) & ((2**64) - 1)
+        ptr = ((ls >> RTREE_NHIB) >> 1) << 1
+
+        if ptr == 0:
+            return None
+
+        # return Extent(ptr)
+        extent = Extent(ptr)
+        if extent.size == 0:
+            ptr = RTree.__alignment_addr2base(ptr)
+            extent_tmp = Extent(ptr)
+            if extent_tmp.size != 0:
+                return extent_tmp
+
+        return extent
+
+    @property
+    def extents(self):
+        # NOTE: Generating whole extents list is slow as it requires parsing whole rtree
+
+        if self._extents is None:  # TODO: handling cache on extents changes
+            self._extents = []
+            try:
+                root = self.root
+                last_addr = None
+                extent_addresses = []
+
+                rtree_node_elm_s = pwndbg.gdblib.typeinfo.load("struct rtree_node_elm_s")
+                rtree_leaf_elm_s = pwndbg.gdblib.typeinfo.load("struct rtree_leaf_elm_s")
+
+                max_subkeys = 1 << rtree_levels[RTREE_HEIGHT - 1][0]["bits"]
+                # print("max_subkeys: ", max_subkeys)
+
+                for i in range(max_subkeys):
+                    node_address = int(root.address) + i * rtree_node_elm_s.sizeof
+                    # node = pwndbg.gdblib.memory.poi(rtree_node_elm_s, node)
+                    fetched_struct = pwndbg.gdblib.memory.get_typed_pointer_value(
+                        rtree_node_elm_s, node_address
+                    )
+                    node = pwndbg.gdblib.memory.pack_struct_into_dictionary(fetched_struct)
+
+                    leaf0: int = node["child"]["repr"]  # type: ignore[index]
+                    if leaf0 == 0:
+                        continue
+
+                    # print(hex(leaf0))
+                    # print("leaf0: ", leaf0)
+
+                    # level 1
+                    for j in range(max_subkeys):
+                        leaf_address = leaf0 + j * rtree_leaf_elm_s.sizeof
+                        # leaf = pwndbg.gdblib.memory.poi(rtree_leaf_elm_s, leaf)
+                        fetched_struct = pwndbg.gdblib.memory.get_typed_pointer_value(
+                            rtree_leaf_elm_s, leaf_address
+                        )
+                        leaf = pwndbg.gdblib.memory.pack_struct_into_dictionary(fetched_struct)
+
+                        if (val := int(leaf["le_bits"]["repr"])) == 0:  # type: ignore[index, arg-type]
+                            continue
+
+                        # print("leaf: ", hex(leaf_address))
+                        # print(j, leaf)
+
+                        ls = (val << RTREE_NHIB) & ((2**64) - 1)
+                        ptr = ((ls >> RTREE_NHIB) >> 1) << 1
+
+                        if ptr == 0 or ptr == last_addr:
+                            continue
+
+                        last_addr = ptr
+
+                        extent = Extent(ptr)
+
+                        if extent.extent_address in extent_addresses:
+                            continue
+
+                        extent_addresses.append(extent.extent_address)
+
+                        # during initializations, addresses may get some alignment
+                        # lets check if size makes sense, otherwise do page alignment and check if again
+                        # TODO: better way to do this
+                        extent_tmp = extent
+                        if extent.size == 0:
+                            ptr = RTree.__alignment_addr2base(int(ptr))
+                            extent_tmp = Extent(ptr)
+                            if extent_tmp.size != 0:
+                                self._extents.append(extent_tmp)
+                                continue
+
+                        self._extents.append(extent_tmp)
+
+            except gdb.MemoryError:
+                pass
+
+        return self._extents
+
+
+class Arena:
+    """
+    Some notes:
+    - Huge allocation should not come from arena 0
+    """
+
+    def __init__(self, addr: int) -> None:
+        self._addr = addr
+
+        self._Value = pwndbg.gdblib.memory.fetch_struct_as_dictionary("arena_s", self._addr)
+
+        self._nbins = None
+        self._slabs = None
+        self._bins = None
+
+    @property
+    def slabs(self):
+        if self._bins is None:
+            self._bins = []
+            try:
+                # TODO: verify this variable
+                self._nbins = gdb.parse_and_eval("nbins_total").cast(
+                    gdb.lookup_type("unsigned int")
+                )
+
+                bins_addr = int(self._Value["bins"]["address"])  # type: ignore[index, arg-type]
+                bin_s = pwndbg.gdblib.typeinfo.load("struct bin_s")
+                for i in range(self._nbins):
+                    current_bin_addr = int(bins_addr) + i * bin_s.sizeof
+                    bin = pwndbg.gdblib.memory.poi(bin_s, current_bin_addr)
+                    self._slabs.append(bin)
+
+            except gdb.MemoryError:
+                pass
+
+        return self._slabs
+
+
+class Extent:
+    """
+    Concept of extent (edata) is similar to chunk in glibc malloc but allocation algorithm differs a lot.
+    - Extents are used to manage memory blocks (including jemalloc metadata) where extents sizes can vary but each block is always a multiple of the page size.
+    - jemalloc will either allocate one large class request or multiple small class request (called slab) depending on request size.
+    - Unlike chunks in glibc malloc, extents are not doubly linked list but are managed using rtree.
+    - This tree is mostly used during deallocation to find the extent belonging to a pointer that is being freed.
+    - Extents are also not stored as a header structure but externally (therefore extent metadata and actually mapped data may be very far apart).
+    """
+
+    def __init__(self, addr: int) -> None:
+        self._addr = addr
+
+        # fetch_struct_as_dictionary does not support union currently
+        edata_s = pwndbg.gdblib.typeinfo.load("struct edata_s")
+        self._Value = gdb.Value(self._addr).cast(edata_s.pointer()).dereference()
+
+        self._bitfields = None
+
+    @property
+    def size(self):
+        """
+        May be larger in case of large size class allocation when cache_oblivious is enabled.
+        """
+        # return self._Value["e_size_esn"]
+        return (int(self._Value["e_size_esn"]) >> LG_PAGE) << LG_PAGE
+
+    @property
+    def extent_address(self):
+        """
+        Address of the extent data structure (not the actual memory).
+        """
+        return self._addr
+
+    @property
+    def allocated_address(self):
+        """
+        Starting address of allocated memory
+        cache-oblivious large allocation alignment:
+            When a large class allocation is made, jemalloc selects the closest size class that can fit the request and allocates that size + 4 KiB (0x1000).
+            However, the pointer returned to user is randomized between the 'base' and 'base + 4 KiB' (0x1000) range.
+            Source code: https://github.com/jemalloc/jemalloc/blob/a25b9b8ba91881964be3083db349991bbbbf1661/include/jemalloc/internal/arena_inlines_b.h#L505
+        """
+        return self._Value["e_addr"]
+
+    @property
+    def bsize(self):
+        return self._Value["e_bsize"]
+
+    @property
+    def bits(self):
+        return self._Value["e_bits"]
+
+    @property
+    def bitfields(self):
+        """
+        Extract bitfields
+
+        arena_ind: Arena from which this extent came, or all 1 bits if unassociated.
+        slab: The slab flag indicates whether the extent is used for a slab of small regions. This helps differentiate small size classes, and it indicates whether interior pointers can be looked up via iealloc().
+        committed: The committed flag indicates whether physical memory is committed to the extent, whether explicitly or implicitly as on a system that overcommits and satisfies physical memory needs on demand via soft page faults.
+        pai: The pai flag is an extent_pai_t.
+        zeroed: The zeroed flag is used by extent recycling code to track whether memory is zero-filled.
+        guarded: The guarded flag is used by the sanitizer to track whether the extent has page guards around it.
+        state: The state flag is an extent_state_t.
+        szind: The szind flag indicates usable size class index for allocations residing in this extent, regardless of whether the extent is a slab. Extent size and usable size often differ even for non-slabs, either due to sz_large_pad or promotion of sampled small regions.
+        nfree: Number of free regions in slab.
+        bin_shard: The shard of the bin from which this extent came.
+        """
+
+        if self._bitfields is None:
+            self._bitfields = {
+                "arena_ind": (self.bits & EDATA_BITS_ARENA_MASK) >> EDATA_BITS_ARENA_SHIFT,
+                "slab": (self.bits & EDATA_BITS_SLAB_MASK) >> EDATA_BITS_SLAB_SHIFT,
+                "committed": (self.bits & EDATA_BITS_COMMITTED_MASK) >> EDATA_BITS_COMMITTED_SHIFT,
+                "pai": (self.bits & EDATA_BITS_PAI_MASK) >> EDATA_BITS_PAI_SHIFT,
+                "zeroed": (self.bits & EDATA_BITS_ZEROED_MASK) >> EDATA_BITS_ZEROED_SHIFT,
+                "guarded": (self.bits & EDATA_BITS_GUARDED_MASK) >> EDATA_BITS_GUARDED_SHIFT,
+                "state": (self.bits & EDATA_BITS_STATE_MASK) >> EDATA_BITS_STATE_SHIFT,
+                "szind": (self.bits & EDATA_BITS_SZIND_MASK) >> EDATA_BITS_SZIND_SHIFT,
+                "nfree": (self.bits & EDATA_BITS_NFREE_MASK) >> EDATA_BITS_NFREE_SHIFT,
+                "bin_shard": (self.bits & EDATA_BITS_BINSHARD_MASK) >> EDATA_BITS_BINSHARD_SHIFT,
+            }
+
+        return self._bitfields
+
+    @property
+    def state_name(self):
+        state_mapping = ["Active", "Dirty", "Muzzy", "Retained"]
+
+        return state_mapping[self.bitfields["state"]]
+
+    @property
+    def has_slab(self):
+        """
+        Returns True if the extent is used for small size classes.
+        Reference for size in Table 1 at https://jemalloc.net/jemalloc.3.html
+        At time of writing, allocations <= 0x3800 are considered as small allocations and has slabs.
+        """
+        return self.bitfields["slab"] != 0
+
+    @property
+    def is_free(self):
+        """
+        Returns True if the extent is free.
+        """
+        pass
+
+    @property
+    def pai(self):
+        """
+        Page Allocator Interface
+        """
+        if self.bitfields["pai"] == 0:
+            return "PAC"  # Page for extent
+        return "HPA"  # Huge Page
--- a/pwndbg/commands/heap.py
+++ b/pwndbg/commands/heap.py
@ -11,6 +11,7 @@ from tabulate import tabulate

 import pwndbg
 import pwndbg.aglib.heap
+import pwndbg.aglib.heap.jemalloc as jemalloc
 import pwndbg.aglib.memory
 import pwndbg.aglib.proc
 import pwndbg.aglib.typeinfo
@ -1569,3 +1570,76 @@ def heap_config(filter_pattern: str) -> None:
            "Some config values (e.g. main_arena) will be used only when resolve-heap-via-heuristic is `auto` or `force`"
        )
    )
+
+
+# Jemalloc
+
+parser = argparse.ArgumentParser(
+    description="Returns extent information for pointer address allocated by jemalloc"
+)
+parser.add_argument("addr", type=int, help="Address of the allocated memory location")
+
+
+@pwndbg.commands.ArgparsedCommand(parser, category=CommandCategory.HEAP)
+def jemalloc_find_extent(addr) -> None:
+    print(C.banner("Jemalloc find extent"))
+    print("This command was tested only for jemalloc 5.3.0 and does not support lower versions")
+    print()
+
+    addr = int(addr)
+
+    rtree = jemalloc.RTree.get_rtree()
+    extent = rtree.lookup_hard(addr)
+
+    # print pointer address first, then extent address then extent information
+    print(f"Pointer Address: {hex(addr)}")
+    print(f"Extent Address: {hex(extent.extent_address)}")
+    print()
+
+    jemalloc_extent_info(extent.extent_address, header=False)
+
+
+parser = argparse.ArgumentParser(description="Prints extent information for the given address")
+parser.add_argument("addr", type=int, help="Address of the extent metadata")
+parser.add_argument(
+    "-v", "--verbose", action="store_true", help="Print all chunk fields, even unused ones."
+)
+
+
+@pwndbg.commands.ArgparsedCommand(parser, category=CommandCategory.HEAP)
+def jemalloc_extent_info(addr, verbose=False, header=True) -> None:
+    if header:
+        print(C.banner("Jemalloc extent info"))
+        print("This command was tested only for jemalloc 5.3.0 and does not support lower versions")
+        print()
+
+    extent = jemalloc.Extent(int(addr))
+
+    print(f"Allocated Address: {hex(extent.allocated_address)}")
+    print(f"Extent Address: {hex(extent.extent_address)}")
+
+    print(f"Size: {hex(extent.size)}")
+    print(f"Small class: {extent.has_slab}")
+
+    print(f"State: {extent.state_name}")
+
+    if verbose:
+        for bit, val in extent.bitfields.items():
+            print(bit, val)
+
+
+parser = argparse.ArgumentParser(description="Prints all extents information")
+
+
+@pwndbg.commands.ArgparsedCommand(parser, category=CommandCategory.HEAP)
+def jemalloc_heap() -> None:
+    print(C.banner("Jemalloc heap"))
+    print("This command was tested only for jemalloc 5.3.0 and does not support lower versions")
+    print()
+
+    rtree = jemalloc.RTree.get_rtree()
+    extents = rtree.extents
+    for extent in extents:
+        # TODO: refactor so not create copies
+        jemalloc_extent_info(extent.extent_address, header=False)
+        print()
--- a/setup-dev.sh
+++ b/setup-dev.sh
@ -183,6 +183,33 @@ install_dnf() {
    download_zig_binary
 }

+install_jemalloc() {
+
+    # Install jemalloc version 5.3.0
+    JEMALLOC_TAR_URL="https://github.com/jemalloc/jemalloc/releases/download/5.3.0/jemalloc-5.3.0.tar.bz2"
+    JEMALLOC_TAR_SHA256="2db82d1e7119df3e71b7640219b6dfe84789bc0537983c3b7ac4f7189aecfeaa"
+    curl --location --output /tmp/jemalloc-5.3.0.tar.bz2 "${JEMALLOC_TAR_URL}"
+    ACTUAL_SHA256=$(sha256sum /tmp/jemalloc-5.3.0.tar.bz2 | cut -d' ' -f1)
+    if [ "${ACTUAL_SHA256}" != "${JEMALLOC_TAR_SHA256}" ]; then
+        echo "Jemalloc binary checksum mismatch"
+        echo "Expected: ${JEMALLOC_TAR_SHA256}"
+        echo "Actual: ${ACTUAL_SHA256}"
+        exit 1
+    fi
+
+    tar -C /tmp -xf /tmp/jemalloc-5.3.0.tar.bz2
+
+    # TODO: autoconf needs to be installed with script as well?
+
+    pushd /tmp/jemalloc-5.3.0
+    ./configure
+    make
+    sudo make install
+    popd
+    echo "Jemalloc installed"
+
+}
+
 if linux; then
    distro=$(
        . /etc/os-release
@ -220,6 +247,7 @@ if linux; then
            ;;
    esac

+    install_jemalloc
    if [[ -z "${PWNDBG_VENV_PATH}" ]]; then
        PWNDBG_VENV_PATH="./.venv"
    fi
--- a/tests/gdb-tests/tests/binaries/heap_jemalloc_extent_info.c
+++ b/tests/gdb-tests/tests/binaries/heap_jemalloc_extent_info.c
@ -0,0 +1,17 @@
+#include <stdlib.h>
+#include <jemalloc/jemalloc.h>
+
+void break_here(void) {}
+
+char *ptr = NULL;
+
+int main(void)
+{
+
+    ptr = (char *)malloc(2 * sizeof(char));
+    ptr[0] = 'A';
+    ptr[1] = 'B';
+    
+    break_here();
+
+}
--- a/tests/gdb-tests/tests/binaries/heap_jemalloc_heap.c
+++ b/tests/gdb-tests/tests/binaries/heap_jemalloc_heap.c
@ -0,0 +1,21 @@
+#include <stdlib.h>
+#include <jemalloc/jemalloc.h>
+
+void break_here(void) {}
+
+int main(void)
+{
+
+    // Allocate a small memory
+    char *ptr = (char *)malloc(2 * sizeof(char));
+    ptr[0] = 'A';
+    ptr[1] = 'B';
+
+    // allocate non small class size memory
+    char *ptr2 = (char *)malloc(30 * 1024);
+    ptr2[0] = 'A';
+    ptr2[1] = 'B';
+    
+    break_here();
+
+}
--- a/tests/gdb-tests/tests/binaries/makefile
+++ b/tests/gdb-tests/tests/binaries/makefile
@ -93,6 +93,15 @@ heap_malloc_chunk.out: heap_malloc_chunk.c
 	@echo "[+] Building heap_malloc_chunk.out"
 	${CC} -g -O0 -Wno-nonnull -Wno-unused-result -o heap_malloc_chunk.out heap_malloc_chunk.c -pthread -lpthread

+heap_jemalloc_extent_info.out: heap_jemalloc_extent_info.c
+	@echo "[+] Building heap_jemalloc_extent_info.out"
+	${CC} -g -O0 -Wno-nonnull -Wno-unused-result -o heap_jemalloc_extent_info.out heap_jemalloc_extent_info.c -lpthread /usr/local/lib/libjemalloc.a -lm -lstdc++ -pthread -ldl
+
+heap_jemalloc_heap.out: heap_jemalloc_heap.c
+	@echo "[+] Building heap_jemalloc_heap.out"
+	${CC} -g -O0 -Wno-nonnull -Wno-unused-result -o heap_jemalloc_heap.out heap_jemalloc_heap.c -lpthread /usr/local/lib/libjemalloc.a -lm -lstdc++ -pthread -ldl
+
+
 multiple_threads.out: multiple_threads.c
 	@echo "[+] Building multiple_threads.out"
 	${CC} -g -O0 -o multiple_threads.out multiple_threads.c -pthread -lpthread
--- a/tests/gdb-tests/tests/heap/test_heap.py
+++ b/tests/gdb-tests/tests/heap/test_heap.py
@ -1,5 +1,7 @@
 from __future__ import annotations

+import re
+
 import gdb
 import pytest

@ -505,3 +507,112 @@ def test_heuristic_fail_gracefully(start_binary, is_multi_threaded):
        _test_heuristic_fail_gracefully("global_max_fast")
        _test_heuristic_fail_gracefully("thread_cache")
        _test_heuristic_fail_gracefully("thread_arena")
+
+
+##
+# Jemalloc Tests
+##
+HEAP_JEMALLOC_EXTENT_INFO = tests.binaries.get("heap_jemalloc_extent_info.out")
+HEAP_JEMALLOC_HEAP = tests.binaries.get("heap_jemalloc_heap.out")
+re_match_valid_address = r"0x7ffff[0-9a-fA-F]{6,9}"
+
+
+def test_jemalloc_find_extent(start_binary):
+    start_binary(HEAP_JEMALLOC_EXTENT_INFO)
+    gdb.execute("break break_here")
+    gdb.execute("continue")
+
+    # run jemalloc extent_info command
+    result = gdb.execute("jemalloc_find_extent ptr", to_string=True).splitlines()
+
+    expected_output = [
+        "Jemalloc find extent",
+        "This command was tested only for jemalloc 5.3.0 and does not support lower versions",
+        "",
+        r"Pointer Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "",
+        r"Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x1000",
+        "Small class: True",
+    ]
+
+    for i in range(len(expected_output)):
+        assert re.match(expected_output[i], result[i])
+
+
+def test_jemalloc_extent_info(start_binary):
+    start_binary(HEAP_JEMALLOC_EXTENT_INFO)
+    gdb.execute("break break_here")
+    gdb.execute("continue")
+
+    EXPECTED_EXTENT_ADDRESS = 0x7FFFF7A16580
+
+    # run jemalloc extent_info command
+    result = gdb.execute(
+        f"jemalloc_extent_info {EXPECTED_EXTENT_ADDRESS}", to_string=True
+    ).splitlines()
+
+    expected_output = [
+        "Jemalloc extent info",
+        "This command was tested only for jemalloc 5.3.0 and does not support lower versions",
+        "",
+        r"Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x1000",
+        "Small class: True",
+    ]
+
+    for i in range(len(expected_output)):
+        assert re.match(expected_output[i], result[i])
+
+
+@pytest.mark.skip(reason="Output is resulting in duplicate extents")
+def test_jemalloc_heap(start_binary):
+    start_binary(HEAP_JEMALLOC_HEAP)
+    gdb.execute("break break_here")
+    gdb.execute("continue")
+
+    # run jemalloc extent_info command
+    result = gdb.execute("jemalloc_heap", to_string=True).splitlines()
+
+    expected_output = [
+        "Jemalloc heap",
+        "This command was tested only for jemalloc 5.3.0 and does not support lower versions",
+    ]
+
+    expected_output += [
+        "",
+        "Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x401000",
+        "Small class: False",
+    ]
+
+    expected_output += [
+        "",
+        "Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x8000",
+        "Small class: False",
+    ]
+
+    expected_output += [
+        "",
+        "Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x8000",
+        "Small class: False",
+    ]
+
+    expected_output += [
+        "",
+        "Allocated Address: " + re_match_valid_address,
+        r"Extent Address: " + re_match_valid_address,
+        "Size: 0x1f7000",
+        "Small class: False",
+    ]
+
+    for i in range(len(expected_output)):
+        assert re.match(expected_output[i], result[i])