--- libmalloc/libmalloc-283.100.5/src/magazine_zone.h
+++ libmalloc/libmalloc-474.0.13/src/magazine_zone.h
@@ -132,6 +132,11 @@
  * their size in the block, and store it both after the 'next' pointer, and in
  * the last 2 bytes of the block.
  *
+ * With zero-on-free, free blocks of two or more quanta are zeroed out after
+ * their leading inline metadata.  This invariant is maintained when blocks are
+ * split and coalesced, enabling calloc(3) to return free blocks as-is after
+ * clearing the metadata.
+ *
  * 1-quantum block
  * Offset (32-bit mode)	(64-bit mode)
  * 0x0          0x0      : previous
@@ -143,6 +148,7 @@
  * 0x0          0x0      : previous
  * 0x4          0x08     : next
  * 0x8          0x10     : size (in quantum counts)
+ * 0xa          0x12     : start of zeroed body
  * end - 2      end - 2  : size (in quantum counts)
  * end          end
  *
@@ -225,6 +231,11 @@
 } region_free_blocks_t;
 
 typedef uint32_t region_cookie_t;
+
+OS_ENUM(rack_dispose_flags, uint32_t,
+	RACK_DISPOSE_DELAY = 0x1,
+	RACK_DISPOSE_NEEDED = 0x2,
+);
 
 typedef struct region_trailer {
 	struct region_trailer *prev;
@@ -234,6 +245,8 @@
 	mag_index_t mag_index;
 	volatile int32_t pinned_to_depot;
 	bool recirc_suitable;
+	// Locking: dispose_flags must be locked under the rack's region lock
+	rack_dispose_flags_t dispose_flags;
 } region_trailer_t;
 
 typedef struct tiny_region {
@@ -723,7 +736,11 @@
 typedef struct large_entry_s {
 	vm_address_t address;
 	vm_size_t size;
+#if CONFIG_DEFERRED_RECLAIM
+	uint64_t reclaim_index;
+#else
 	boolean_t did_madvise_reusable;
+#endif /* CONFIG_DEFERRED_RECLAIM */
 } large_entry_t;
 
 #if !CONFIG_LARGE_CACHE && DEBUG_MALLOC