Ok, with a good build, I see the following: (gdb) print arenas[0] $1 = (arena_t *) 0xf58d2040 (gdb) print &arenas[0] $2 = (arena_t **) 0xf58d2000 Inside arena_malloc: (gdb) print arena $3 = (arena_t *) 0xf58d2040 Yay \o/ And: (gdb) info registers eax 0xf59d3870 -174245776 ecx 0x3 3 edx 0xfffffffc -4 ebx 0x80548e8 134564072 esp 0xffffd484 0xffffd484 ebp 0xffffd4dc 0xffffd4dc esi 0x160 352 edi 0xf58d2040 -175300544 eip 0x804f0af 0x804f0af eflags 0x282 [ SF IF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 And the interesting bit of malloc disassembled: 0x0804f010 <+0>: push %ebp 0x0804f011 <+1>: mov %esp,%ebp 0x0804f013 <+3>: sub $0x58,%esp 0x0804f016 <+6>: mov %ebx,-0xc(%ebp) 0x0804f019 <+9>: call 0x8049853 <__i686.get_pc_thunk.bx> 0x0804f01e <+14>: add $0x58ca,%ebx 0x0804f024 <+20>: mov %esi,-0x8(%ebp) 0x0804f027 <+23>: mov 0x8(%ebp),%esi 0x0804f02a <+26>: mov %edi,-0x4(%ebp) 0x0804f02d <+29>: cmpb $0x0,0x1230(%ebx) 0x0804f034 <+36>: je 0x804f068 0x0804f036 <+38>: test %esi,%esi 0x0804f038 <+40>: jne 0x804f03e 0x0804f03a <+42>: mov $0x1,%si 0x0804f03e <+46>: cmp 0x194(%ebx),%esi 0x0804f044 <+52>: jbe 0x804f090 0x0804f046 <+54>: mov %esi,%eax 0x0804f048 <+56>: call 0x804e5f0 0x0804f04d <+61>: mov %eax,%esi 0x0804f04f <+63>: test %esi,%esi 0x0804f051 <+65>: je 0x804f071 0x0804f053 <+67>: mov %esi,%eax 0x0804f055 <+69>: mov -0xc(%ebp),%ebx 0x0804f058 <+72>: mov -0x8(%ebp),%esi 0x0804f05b <+75>: mov -0x4(%ebp),%edi 0x0804f05e <+78>: mov %ebp,%esp 0x0804f060 <+80>: pop %ebp 0x0804f061 <+81>: ret 0x0804f062 <+82>: lea 0x0(%esi),%esi 0x0804f068 <+88>: call 0x804cee0 0x0804f06d <+93>: test %al,%al 0x0804f06f <+95>: je 0x804f036 0x0804f071 <+97>: call 0x804929c <__errno_location@plt> 0x0804f076 <+102>: xor %esi,%esi 0x0804f078 <+104>: movl $0xc,(%eax) 0x0804f07e <+110>: mov %esi,%eax 0x0804f080 <+112>: mov -0xc(%ebp),%ebx 0x0804f083 <+115>: mov -0x8(%ebp),%esi 0x0804f086 <+118>: mov -0x4(%ebp),%edi 0x0804f089 <+121>: mov %ebp,%esp 0x0804f08b <+123>: pop 
%ebp 0x0804f08c <+124>: ret 0x0804f08d <+125>: lea 0x0(%esi),%esi 0x0804f090 <+128>: mov %gs:0x0,%eax 0x0804f096 <+134>: nop 0x0804f097 <+135>: lea 0x0(%esi,%eiz,1),%esi 0x0804f09b <+139>: lea 0xfffffffc,%edx 0x0804f0a1 <+145>: mov %edx,-0x1c(%ebp) 0x0804f0a4 <+148>: mov (%edx,%eax,1),%edi 0x0804f0a7 <+151>: test %edi,%edi 0x0804f0a9 <+153>: je 0x804f2e0 0x0804f0af <+159>: cmp 0x120c(%ebx),%esi 0x0804f0b5 <+165>: ja 0x804f220 0x0804f0bb <+171>: cmp 0x1204(%ebx),%esi 0x0804f0c1 <+177>: jae 0x804f1d8 0x0804f0c7 <+183>: sub $0x1,%esi 0x0804f0ca <+186>: xor %ecx,%ecx 0x0804f0cc <+188>: mov %esi,%edx 0x0804f0ce <+190>: shr %edx 0x0804f0d0 <+192>: or %esi,%edx 0x0804f0d2 <+194>: mov %edx,%eax 0x0804f0d4 <+196>: shr $0x2,%eax 0x0804f0d7 <+199>: or %edx,%eax 0x0804f0d9 <+201>: mov %eax,%edx 0x0804f0db <+203>: shr $0x4,%edx 0x0804f0de <+206>: or %eax,%edx 0x0804f0e0 <+208>: mov %edx,%eax 0x0804f0e2 <+210>: shr $0x8,%eax 0x0804f0e5 <+213>: or %edx,%eax 0x0804f0e7 <+215>: mov %eax,%esi 0x0804f0e9 <+217>: shr $0x10,%esi 0x0804f0ec <+220>: or %eax,%esi 0x0804f0ee <+222>: add $0x1,%esi 0x0804f0f1 <+225>: mov %esi,%eax 0x0804f0f3 <+227>: shr $0x2,%eax 0x0804f0f6 <+230>: bsf %eax,%eax 0x0804f0f9 <+233>: sete %cl 0x0804f0fc <+236>: neg %ecx 0x0804f0fe <+238>: or %ecx,%eax 0x0804f100 <+240>: add $0x1,%eax 0x0804f103 <+243>: cmp $0x1,%esi 0x0804f106 <+246>: lea (%eax,%eax,8),%eax 0x0804f109 <+249>: lea 0x94(%edi,%eax,8),%eax 0x0804f110 <+256>: mov %esi,-0x24(%ebp) 0x0804f113 <+259>: mov %eax,-0x1c(%ebp) 0x0804f116 <+262>: jbe 0x804f3c8 0x0804f11c <+268>: mov %edi,(%esp) 0x0804f11f <+271>: call 0x804934c Note that the previously suspicious instruction sequence now looks like this: 0x0804f090 <+128>: mov %gs:0x0,%eax 0x0804f09b <+139>: lea 0xfffffffc,%edx 0x0804f0a4 <+148>: mov (%edx,%eax,1),%edi ...with eax=0xf59d3870 and edx=0xfffffffc (i.e. -4), this is loading the contents of eax+edx = 0xf59d386c into edi, and: (gdb) print *0xf59d386c $5 = -175300544 (which is 0xf58d2040 - i.e., the valid pointer
we expect in arena_malloc) /me pops champagne cork