> If I am interpreting this correctly, realloc could be used to groom/shape the heap such that future allocations are less random and more predictable?
Traditionally the word "heap" refers to the zone of allocations in a sbrk allocator, meaning things are packed tightly together in a known space, and ordering of the objects inside that produces very low variability. I recommend against using the word heap, especially when today we are using large-address-space systems. Additionally, I think this phrasing forgets there are many, many objects in play, not just the ones being realloc'd. Those objects disrupt the available space by being allocated and freed. Object allocation isn't entirely controlled by the (small) malloc cache. I guess the theory is that an attacker will succeed because a few realloc'd objects don't 'relocate' as much as expected. I don't believe this is likely. I think we have placed a reasonable number of hurdles at various levels with an eye on compute cost... we recognize that if we reject standard compsci "caching strategies" too much, then performance still stinks.
