Rust逆向学习 (7)

Reverse for HashMap


new / insert / get

use std::collections::HashMap;

pub fn main(){
    let mut map: HashMap<u64, u64> = HashMap::new();
    map.insert(1, 2);
    println!("{}", map.get(&1u64).unwrap());


    sub     rsp, 200
    mov     rax, qword ptr [rip + std::collections::hash::map::HashMap<K,V>::new@GOTPCREL]
    lea     rdi, [rsp + 48]
    mov     qword ptr [rsp + 40], rdi
    call    rax
    mov     rdi, qword ptr [rsp + 40]
    mov     rax, qword ptr [rip + std::collections::hash::map::HashMap<K,V,S>::insert@GOTPCREL]
    mov     esi, 1
    mov     edx, 2
    call    rax
    jmp     .LBB157_3


pwndbg> tele 0x7fffffffd910
00:0000│ rax rdi 0x7fffffffd910 —▸ 0x5555555a62d0 ◂— 0xffffffffffffffff
01:0008│         0x7fffffffd918 ◂— 0x0
... ↓            2 skipped
04:0020│         0x7fffffffd930 ◂— 0x419fa2b4be855595
05:0028│         0x7fffffffd938 ◂— 0x944210c733652a9b


pwndbg> tele 0x7fffffffd910
00:0000│  0x7fffffffd910 —▸ 0x5555555bebe0 ◂— 0xffffffffff45ffff
01:0008│  0x7fffffffd918 ◂— 0x3
02:0010│  0x7fffffffd920 ◂— 0x2
03:0018│  0x7fffffffd928 ◂— 0x1
04:0020│  0x7fffffffd930 ◂— 0x419fa2b4be855595
05:0028│  0x7fffffffd938 ◂— 0x944210c733652a9b

pwndbg> tele 0x5555555beb90
00:0000│     0x5555555beb90 ◂— 0x0
01:0008│     0x5555555beb98 ◂— 0x61 /* 'a' */
02:0010│ r9  0x5555555beba0 ◂— 0x0
03:0018│     0x5555555beba8 ◂— 0x0
04:0020│ rcx 0x5555555bebb0 ◂— 0x1
05:0028│     0x5555555bebb8 ◂— 0x2
06:0030│     0x5555555bebc0 ◂— 0x0
07:0038│     0x5555555bebc8 ◂— 0x0
08:0040│     0x5555555bebd0 ◂— 0x0
09:0048│     0x5555555bebd8 ◂— 0x0
0a:0050│ rdi 0x5555555bebe0 ◂— 0xffffffffff45ffff
0b:0058│     0x5555555bebe8 ◂— 0xffffffffffffffff
0c:0060│     0x5555555bebf0 ◂— 0xff45ffff
0d:0068│     0x5555555bebf8 ◂— 0x20411
0e:0070│     0x5555555bec00 ◂— 0x0
0f:0078│     0x5555555bec08 ◂— 0x0

可以看到,0x5555555beb90应该就是与HashMap相关的数据结构,下面的0x20411是top chunk的大小,后面的内容不属于这个chunk。值得注意的是,这个chunk中确实保存了我们插入的数据,后面还有一些由0xFF组成的未知数据结构。这样看来,单插入一个数据看不出来它的具体实现方式,因此这里尝试多插入一些结构,看看内存的变化。


pub struct RandomState {
    k0: u64,
    k1: u64,

impl RandomState {
    #[stable(feature = "hashmap_build_hasher", since = "1.7.0")]
    pub fn new() -> RandomState {
        thread_local!(static KEYS: Cell<(u64, u64)> = {

        KEYS.with(|keys| {
            let (k0, k1) = keys.get();
            keys.set((k0.wrapping_add(1), k1));
            RandomState {
    k0, k1 }



#[stable(since = "1.7.0", feature = "build_hasher")]
pub trait BuildHasher {
    #[stable(since = "1.7.0", feature = "build_hasher")]
    type Hasher: Hasher;

    #[stable(since = "1.7.0", feature = "build_hasher")]
    fn build_hasher(&self) -> Self::Hasher;

    #[stable(feature = "build_hasher_simple_hash_one", since = "1.71.0")]
    fn hash_one<T: Hash>(&self, x: T) -> u64
        Self: Sized,
        Self::Hasher: Hasher,
        let mut hasher = self.build_hasher();
        x.hash(&mut hasher);

#[stable(feature = "hashmap_build_hasher", since = "1.7.0")]
impl BuildHasher for RandomState {
    type Hasher = DefaultHasher;
    fn build_hasher(&self) -> DefaultHasher {
        DefaultHasher(SipHasher13::new_with_keys(self.k0, self.k1))





pub fn insert(&mut self, k: K, v: V) -> Option<V> {
    let hash = make_hash::<K, S>(&self.hash_builder, &k);
    let hasher = make_hasher::<_, V, S>(&self.hash_builder);
    match self
        .find_or_find_insert_slot(hash, equivalent_key(&k), hasher)
        Ok(bucket) => Some(mem::replace(unsafe {
    &mut bucket.as_mut().1 }, v)),
        Err(slot) => {
            unsafe {
                self.table.insert_in_slot(hash, slot, (k, v));


pub fn find_or_find_insert_slot(
    &mut self,
    hash: u64,
    mut eq: impl FnMut(&T) -> bool,
    hasher: impl Fn(&T) -> u64,
) -> Result<Bucket<T>, InsertSlot> {
    self.reserve(1, hasher);

    unsafe {
        match self
            .find_or_find_insert_slot_inner(hash, &mut |index| eq(self.bucket(index).as_ref()))
            // SAFETY: See explanation above.
            Ok(index) => Ok(self.bucket(index)),
            Err(slot) => Err(slot),

unsafe fn find_or_find_insert_slot_inner(
    hash: u64,
    eq: &mut dyn FnMut(usize) -> bool,
) -> Result<usize, InsertSlot> {
    let mut insert_slot = None;

    let h2_hash = h2(hash);
    let mut probe_seq = self.probe_seq(hash);

    loop {
        let group = unsafe {
    Group::load(self.ctrl(probe_seq.pos)) };

        for bit in group.match_byte(h2_hash) {
            let index = (probe_seq.pos + bit) & self.bucket_mask;

            if likely(eq(index)) {
                return Ok(index);

        if likely(insert_slot.is_none()) {
            insert_slot = self.find_insert_slot_in_group(&group, &probe_seq);

        if likely(group.match_empty().any_bit_set()) {
            unsafe {
                return Err(self.fix_insert_slot(insert_slot.unwrap_unchecked()));



fn h2(hash: u64) -> u8 {
    // Grab the top 7 bits of the hash. While the hash is normally a full 64-bit
    // value, some hash functions (such as FxHash) produce a usize result
    // instead, which means that the top 32 bits are 0 on 32-bit platforms.
    // So we use MIN_HASH_LEN constant to handle this.
    let top7 = hash >> (MIN_HASH_LEN * 8 - 7);
    (top7 & 0x7f) as u8 // truncation

破案了,这里获取了hash的最高7位,经过调试证实,堆空间中一串0xFF中间掺杂的其他数据就是这些Hash值的最高7位。通过这个方法名,实际上已经可以在网上找到这个HashMap的算法了——Swiss Tables。经过简单了解后发现,它与Rust中的实现高度吻合。这是一种较新的高效HashMap算法,需要保存Key和Value本身,通过若干个16字节大小的桶进行索引。具体的算法实现可见传送门,下面也将进行简单介绍。

Swiss Tables

Data Structure

这个算法包含两个最为重要的数据结构,第一是若干个Group,每一个Group都是一个长度固定为16的数组,所有元素均为键值对,这里称每一个数组项为桶(Bucket)。第二是控制字节(Control Bytes)数组,对于每一个Group中的每一个元素,都有一个1字节的控制字节,因此控制字节数组的字节数量等于Group数量乘以16。




那么这里就出现了一个问题:如果57位只是用来确定应该保存在哪个组,那么应该如何确定保存到组中的哪个桶呢?实际上这个问题根本不需要考虑,因为Swiss Tables充分考虑了现代CPU浮点数架构的性能优化,对于一个组,它的控制字节一共16字节,正好是一个浮点寄存器的大小,在实际实现的时候可以通过使用浮点数指令来进行加速,无论元素被保存到一个组中的哪个桶,都能够在固定的时间完成对一组的查找下面通过查找来简单说明。

如果需要查找某个Key,首先计算Hash值,随后获取高7位与其应该保存到的组的索引值,为方便说明,假设高7位为0x18。下面首先要完成的工作是尝试匹配高7字节,即在这个桶的16字节中尝试找到一个字节的值为0x18。找到之后还需要进一步比较Key值是否真的相等,因为7字节的空间很小容易发生碰撞。如果没有匹配到,需要判断这个组是否已经填满。因为Swiss Tables的插入规则中包含这样一条:当目标组已满时,需要判断该组的下一个组是否全满,如果不是则保存到下一个组,如果是则继续向下查找。也就是说,在查找的时候如果发现目标组已经填满且组中没有找到Key,则还需要向下查找下面的组,直到查找到Key或检测到某个组不是全满为止。




从上面的分析可以看出,Swiss Tables在插入时遵循线性探测规则。根据上面所述的规则,我们能够基本完成对HashMap的插入、删除与查询操作。




千言万语都说明,我们需要一个正确的高效的扩容算法。但很可惜的是,扩容算法的解释在网络中几乎没有,针对Swiss Tables的介绍大多是针对前面三种操作以及分析其查询效率为什么高。那么下面,我们将通过实际的试验验证Rust中HashMap的扩容策略。

首先,我们需要明确Rust HashMap在什么时候扩容。通过查看Rust源码发现了这样一个方法:

fn bucket_mask_to_capacity(bucket_mask: usize) -> usize {
    if bucket_mask < 8 {
        // For tables with 1/2/4/8 buckets, we always reserve one empty slot.
        // Keep in mind that the bucket mask is one less than the bucket count.
    } else {
        // For larger tables we reserve 12.5% of the slots as empty.
        ((bucket_mask + 1) / 8) * 7

从注释中可以看出,对于桶数量为1/2/4/8的HashMap,Rust总是保留一个空的桶,而更大的HashMap则保留1/8的桶为空。这一点可以通过反复调用HashMap的capacity方法找到端倪。当我们一个个插入数据的时候,输出的capacity去重后是这样一个序列:3, 7, 14(16x7÷8), 28(32x7÷8), 56(64x7÷8), …。

接下来,这里重点探究一下Rust HashMap在扩容前后数据位置的变化情况。笔者本来是想通过直接搜索源码查找相关代码的,但找了半天无功而返,因此只得寻求动态调试的帮助。结果很简单就找到了,但是不知道为什么,调试显示的行与实际行不同。下面找到了一个resize,但是看不懂:

unsafe fn resize(
    &mut self,
    capacity: usize,
    hasher: impl Fn(&T) -> u64,
    fallibility: Fallibility,
) -> Result<(), TryReserveError> {
    // SAFETY:
    // 1. The caller of this function guarantees that `capacity >= self.table.items`.
    // 2. We know for sure that `alloc` and `layout` matches the [`Allocator`] and
    //    [`TableLayout`] that were used to allocate this table.
    // 3. The caller ensures that the control bytes of the `RawTableInner`
    //    are already initialized.
        &|table, index| hasher(table.bucket::<T>(index).as_ref()),

unsafe fn resize_inner<A>(
    &mut self,
    alloc: &A,
    capacity: usize,
    hasher: &dyn Fn(&mut Self, usize) -> u64,
    fallibility: Fallibility,
    layout: TableLayout,
) -> Result<(), TryReserveError>
    A: Allocator,
    // SAFETY: We know for sure that `alloc` and `layout` matches the [`Allocator`] and [`TableLayout`]
    // that were used to allocate this table.
    let mut new_table = self.prepare_resize(alloc, layout, capacity, fallibility)?;

    // SAFETY: We know for sure that RawTableInner will outlive the
    // returned `FullBucketsIndices` iterator, and the caller of this
    // function ensures that the control bytes are properly initialized.
    for full_byte_index in self.full_buckets_indices() {
        // This may panic.
        let hash = hasher(self, full_byte_index);

        // SAFETY:
        // We can use a simpler version of insert() here since:
        // 1. There are no DELETED entries.
        // 2. We know there is enough space in the table.
        // 3. All elements are unique.
        // 4. The caller of this function guarantees that `capacity > 0`
        //    so `new_table` must already have some allocated memory.
        // 5. We set `growth_left` and `items` fields of the new table
        //    after the loop.
        // 6. We insert into the table, at the returned index, the data
        //    matching the given hash immediately after calling this function.
        let (new_index, _) = new_table.prepare_insert_slot(hash);

        // SAFETY:
        // * `src` is valid for reads of `layout.size` bytes, since the
        //   table is alive and the `full_byte_index` is guaranteed to be
        //   within bounds (see `FullBucketsIndices::next_impl`);
        // * `dst` is valid for writes of `layout.size` bytes, since the
        //   caller ensures that `table_layout` matches the [`TableLayout`]
        //   that was used to allocate old table and we have the `new_index`
        //   returned by `prepare_insert_slot`.
        // * Both `src` and `dst` are properly aligned.
        // * Both `src` and `dst` point to different region of memory.
            self.bucket_ptr(full_byte_index, layout.size),
            new_table.bucket_ptr(new_index, layout.size),

    // The hash function didn't panic, so we can safely set the
    // `growth_left` and `items` fields of the new table.
    new_table.growth_left -= self.items;
    new_table.items = self.items;

    // We successfully copied all elements without panicking. Now replace
    // self with the new table. The old table will have its memory freed but
    // the items will not be dropped (since they have been moved into the
    // new table).
    // SAFETY: The caller ensures that `table_layout` matches the [`TableLayout`]
    // that was used to allocate this table.
    mem::swap(self, &mut new_table);



Inserted 1, hash = 33bd1e335a4e43f0, h2 = 19, map capacity = 3
Inserted 3, hash = 56303fd171416940, h2 = 2b, map capacity = 3
Inserted 15, hash = cde8088c422f9d0, h2 = 6, map capacity = 3
Inserted 22, hash = 411807d47ecb5b61, h2 = 20, map capacity = 7
Inserted 23, hash = bbf28bf43ce33881, h2 = 5d, map capacity = 7
Inserted 45, hash = 217bed8f242fc391, h2 = 10, map capacity = 7
Inserted 46, hash = d97613d73c3edd81, h2 = 6c, map capacity = 7
Inserted 48, hash = ec9ec7fbb5226711, h2 = 76, map capacity = e
Inserted 53, hash = ea21590131a0aad0, h2 = 75, map capacity = e
Inserted 55, hash = 6e28ebd650236d51, h2 = 37, map capacity = e
Inserted 59, hash = 263478baaf15b7f1, h2 = 13, map capacity = e
Inserted 60, hash = 2aebb2b8fdb4f070, h2 = 15, map capacity = e
Inserted 73, hash = 163193d2c2c5b7c1, h2 = b, map capacity = e
Inserted 78, hash = a8f5a0a55cea2e21, h2 = 54, map capacity = e
Inserted 85, hash = dbe1512d01714890, h2 = 6d, map capacity = 1c
Inserted 87, hash = 1159a3327874fea1, h2 = 8, map capacity = 1c

22:0110│  0x5555555bdf40 ◂— 0x1513377576100619
23:0118│  0x5555555bdf48 ◂— 0xffffffffffffff6d
24:0120│  0x5555555bdf50 ◂— 0xff08540b6c5d202b
25:0128│  0x5555555bdf58 ◂— 0xffffffffffffffff

0011 0011 1011 1101 0001 1110 0011 0011 0101 1010 0100 1110 0100 0011 1111 0000
0000 1100 1101 1110 1000 0000 1000 1000 1100 0100 0010 0010 1111 1001 1101 0000
0010 0001 0111 1011 1110 1101 1000 1111 0010 0100 0010 1111 1100 0011 1001 0001
1110 1100 1001 1110 1100 0111 1111 1011 1011 0101 0010 0010 0110 0111 0001 0001
1110 1010 0010 0001 0101 1001 0000 0001 0011 0001 1010 0000 1010 1010 1101 0000
0110 1110 0010 1000 1110 1011 1101 0110 0101 0000 0010 0011 0110 1101 0101 0001
0010 0110 0011 0100 0111 1000 1011 1010 1010 1111 0001 0101 1011 0111 1111 0001
0010 1010 1110 1011 1011 0010 1011 1000 1111 1101 1011 0100 1111 0000 0111 0000
1101 1011 1110 0001 0101 0001 0010 1101 0000 0001 0111 0001 0100 1000 1001 0000

0101 0110 0011 0000 0011 1111 1101 0001 0111 0001 0100 0001 0110 1001 0100 0000
0100 0001 0001 1000 0000 0111 1101 0100 0111 1110 1100 1011 0101 1011 0110 0001
1011 1011 1111 0010 1000 1011 1111 0100 0011 1100 1110 0011 0011 1000 1000 0001
1101 1001 0111 0110 0001 0011 1101 0111 0011 1100 0011 1110 1101 1101 1000 0001
0001 0110 0011 0001 1001 0011 1101 0010 1100 0010 1100 0101 1011 0111 1100 0001
1010 1000 1111 0101 1010 0000 1010 0101 0101 1100 1110 1010 0010 1110 0010 0001
0001 0001 0101 1001 1010 0011 0011 0010 0111 1000 0111 0100 1111 1110 1010 0001




use std::collections::HashMap;
use std::hash::{
   BuildHasher, Hash, Hasher};

pub fn main() {
    let rs = std::collections::hash_map::RandomState::new();
    let mut map: HashMap<u64, u64> = HashMap::with_hasher(rs);
    let mut ctr = [0;4];
    for i in 0..1000u64 {
        let mut hasher = map.hasher().build_hasher();
        i.hash(&mut hasher);
        let hash = hasher.finish();
        if ctr[(hash as usize >> 4) & 3] == 13 {
    continue }
        if ctr[0] + ctr[1] + ctr[2] + ctr[3] == 13 * 4 {
    break }
        let h2 = hash >> 57;
        map.insert(i, i);
        println!("Inserted {i:<02}, hash = {hash:<064b}, h1(suspected) = {:x}, h2 = {:x}, map capacity = {:x}",
                 (hash >> 4) & 3, h2, map.capacity());
        ctr[(hash as usize >> 4) & 3] += 1;





  • 对于Rust,其HashMap的底层实现是SwissTable,这是一种高效的HashMap算法。
  • Rust在HashMap中使用的默认Hash算法是SipHash算法。
  • Rust会保证所有组至少留出1/8的空闲空间,如果下一次添加数据打破了这一规则,Rust将对组进行扩充。
  • Rust将Hash去掉最低4位和最高7位,剩余的值作为组的索引值,其值对组数取模后的值即为一个键值对应该被保存的组号。如果组满则实行线性规则在后面的组中插入。
  • Rust在初始化HashMap时使用两个随机数作为Hash算法的参数,这使得相同的键值对在不同的HashMap中计算的Hash值也不同。
  • Rust的HashMap其余规则与SwissTable定义的规则没有什么太大的区别。


