This is only about Linux malloc implementations.
Many Linux or Posix malloc implementations use mmap (2) syscall to get a fairly large memory range. then they can use munmap (2) to release it.
(It seems sbrk (2) will no longer be used, in particular, it is not ASLR friendly and cannot be multi-threaded)
Both of these system calls can be quite expansive, so some implementations request memory (using mmap ) in fairly large chunks (for example, in a chunk of one or more megabytes). Then they manage the free space, for example. linked block lists, etc. They will process small mallocks and large mullocks in different ways.
The mmap script usually does not start giving a range of memory on some fixed parts (especially due to ASLR .
Try running a simple program on your system by printing the result of one malloc (for example, 128 int -s). You will probably see different addresses from one run to the next (due to ASLR). And strace (1) is very instructive. Try also cat /proc/self/maps (or print the lines /proc/self/maps inside your program). See proc (5)
Therefore, there is no need to “run” the heap on some address and on many systems that do not make any sense. The kernel provides virtual address segments on random pages.
BTW, GNU libc and musl libc are free software . You should look into the source code of your malloc implementation. I believe the musl libc source code is very readable.