Linux proc maps file analysis

Proc/pid/maps shows the memory regions and access rights mapped by the process. The operation set in the corresponding kernel is proc_pid_maps_op, and the specific export function is Show_map. A segment of the process's address space in the kernel is represented by a vm_area_struct struct, and all address spaces are stored in the Task->mm->mmap list.

A file can be mapped to a memory area of the process, and the mapped file description characters in the Vm_area_struct->vm_file domain, which is called a known memory area and, instead, belongs to an anonymous mapped memory area. Vm_area_struct each corresponding resolution is shown in the following table:

Vm_area_struct entries per process of the kernel	Items in the/proc/pid/maps	Meaning
Vm_start	"-" The previous column, such as 00377000	This segment virtual address space start address
Vm_end	"-" After a column, such as 00390000	End address of this segment virtual address space
Vm_flags	The third column, such as R-xp	The properties of this segment of the virtual address space. Each attribute is represented by a field, R is readable, W is writable, X is executable, p and S share a field, mutex, p represents a private segment, s represents a shared segment, and '-' instead of if there is no corresponding permission
Vm_pgoff	Fourth column, such as 00000000	For a well-known mapping, represents the offset of this segment of the virtual memory start address in the file as a page unit. For anonymous mappings, it equals 0 or Vm_start/page_size
Vm_file->f_dentry->d_inode->i_sb->s_dev	Fifth column, such as fd:00	The device number to which the mapping file belongs. For anonymous mappings, because there is no file on disk, there is no device number and is always 00:00. For a well-known mapping, the device number of the device on which the mapped file resides
Vm_file->f_dentry->d_inode->i_ino	Sixth column, such as 9176473	The node number to which the mapping file belongs. For anonymous mappings, because there is no file on disk, there is no node number and is always 00:00. For a well-known mapping, the node number of the mapped file
	Seventh column, such as/lib/ld-2.5.so	For famous, it is the file name of the map. For anonymous mappings, there is a role in the process within this segment of the virtual. [Stack] means that it is used as a stack in the process, and [heap] represents the heap. The rest of the situation is not shown

Let's look at the next example of proc maps.

Cat/proc/19970/task/19970/maps

001f7000-00212000 R-xp 00000000 fd:00 2719760/lib/ld-2.5.so

00212000-00213000 r-xp 0001a000 fd:00 2719760/lib/ld-2.5.so

00213000-00214000 rwxp 0001b000 fd:00 2719760/lib/ld-2.5.so

00214000-0036b000 R-xp 00000000 fd:00 2719767/lib/libc-2.5.so

0036b000-0036d000 r-xp 00157000 fd:00 2719767/lib/libc-2.5.so

0036d000-0036e000 rwxp 00159000 fd:00 2719767/lib/libc-2.5.so

0036e000-00371000 Rwxp 0036e000 00:00 0

0054f000-00565000 R-xp 00000000 fd:00 2719791/lib/libpthread-2.5.so

00565000-00566000 r-xp 00015000 fd:00 2719791/lib/libpthread-2.5.so

00566000-00567000 rwxp 00016000 fd:00 2719791/lib/libpthread-2.5.so

00567000-00569000 Rwxp 00567000 00:00 0

006f5000-006f6000 r-xp 006f5000 00:00 0 [VDSO]

08048000-08049000 R-xp 00000000 fd:00 3145810/home/lijz/code/pthread

08049000-0804a000 Rw-p 00000000 fd:00 3145810/home/lijz/code/pthread

08c50000-08c71000 rw-p 08c50000 00:00 0 [Heap]

b75d7000-b75d8000---p b75d7000 00:00 0

b75d8000-b7fda000 rw-p b75d8000 00:00 0

b7fe4000-b7fe5000 rw-p b7fe4000 00:00 0

bf987000-bf99c000 rw-p bffea000 00:00 0 [Stack]

Each segment of the process address space is described by struct vm_area_struct. Each line shown above corresponds to a vm_area_struct struct. A file can be mapped into memory, and Vm_area_struct's vm_file holds the file descriptor, which is known as a map and, conversely, an anonymous mapping. The following is an example of the 14th Act, explaining the contents of each example.

First column: 08049000-0804a000-----The virtual address space range of the memory map for this section, corresponding to Vm_start and Vm_end in Vm_area_struct.

Second column: rw-p----Permissions R-Read, W-write X-executable p-private, corresponding to Vm_flags.

The third column: 00000000----for a well-known mapping, refers to the map address in this section of the offset in the file, corresponding to Vm_pgoff. For anonymous mappings, it is vm_area_struct->vm_start.

Fourth column: fd:00----The device number of the device to which the mapped file belongs, corresponding to Vm_file->f_dentry->d_inode->i_sb->s_dev. The anonymous mapping is 0. Where FD is the main device number, 00 is the secondary device number.

Fifth Column: The index node number of the 3145810----file, corresponding to the Vm_file->f_dentry->d_inode->i_ino, matches the content displayed by the ls–i. The anonymous mapping is 0.

Sixth column:/home/lijz/code/pthread---The file name that is mapped. For a well-known mapping, it is the file name of the map, which is the role of the process in this section for anonymous mappings. [Stack] indicates that this section of memory is used as a stack, [heap] is used as a heap, and other cases are none.

Through the above analysis, the meaning of each column in proc maps is already very clear. Next, look at the parsing of each line in proc per maps. The code snippet of each shared library, which holds the binary executable machine instruction, maps the code snippet of the library elf file to the virtual storage space, and the data section of each shared library holds the global variables required by the program execution, and the data segment of the Elf file is map to the virtual storage space by kernel; user code snippet, stored in the binary form of the executable machine instruction, by kernel the elf file code snippet map to the virtual storage space, the user data segment, which holds the global variables required by the program execution, by the kernel the elf file data segment map to the virtual storage space; heap, When and only when malloc is called, by kernel the anonymous memory map to the virtual storage space, the heap does not exist in the case where malloc is not called in the program, stack (stack), as the temporary data area of the process, by kernel the anonymous memory map to the virtual storage space, The growth direction of the stack space is from high address to low address.

Pthread This application occupies two lines in maps with the following content:

08048000-08049000 R-xp 00000000 fd:00 3145810/home/lijz/code/pthread

08049000-0804a000 Rw-p 00000000 fd:00 3145810/home/lijz/code/pthread

The permission for the first line is read-only and executable, stating that the first line is the code snippet for the application, while the second row has a readable and writable permission, but does not have execute permission to indicate that the segment is a pthread data segment.

00c56000-00dad000 R-xp 00000000 fd:00 2719767/lib/libc-2.5.so

00dad000-00daf000 r-xp 00157000 fd:00 2719767/lib/libc-2.5.so

00daf000-00db0000 rwxp 00159000 fd:00 2719767/lib/libc-2.5.so

These are the records of the libc-2.5 shared library in the maps file, and each shared library corresponds to three rows in the maps file, which are data segments and code snippets.

Heap [Heap] segment.

08c64000-08c85000 rw-p 08c64000 00:00 0 [Heap]

Some maps files do not appear in this record, mainly related to the use of malloc in the program, if the main thread uses malloc will have the record, otherwise there is no. Calling malloc in a child thread produces additional heap mappings, but does not mark [heap]. For example, to dynamically allocate 1MB of memory space in a child thread, the PTHREAD2 application executes as follows:

Tid addr 0xbfd818f0

Child thread Run

StackBase 0xb7f4f3c0

STACKADDR =0x7754e008----malloc assigned address

Guardsize 4096

The corresponding maps file:

08048000-08049000 R-xp 00000000 fd:00 3145811/home/lijz/code/pthread2

08049000-0804a000 Rw-p 00000000 fd:00 3145811/home/lijz/code/pthread2

0945a000-0947b000 rw-p 0945a000 00:00 0 [Heap]

7754e000-b754f000 rw-p 7754e000 00:00 0-----------interval size is 1MB

b754f000-b7550000---p b754f000 00:00 0

b7550000-b7f52000 rw-p b7550000 00:00 0

b7f5c000-b7f5d000 rw-p b7f5c000 00:00 0

bfd6e000-bfd83000 rw-p bffea000 00:00 0 [Stack]

Maps file in red labeled lines, from the content, the memory size is 1MB, the permission is read and write private, offset to the beginning of the memory of this paragraph, the device number and the file index node is 0. It can be seen that this section of memory is a process through the mmap mapping of a space, is an anonymous mapping. In the PTHREAD2 program, a 1MB memory is allocated with malloc, which corresponds to this memory. At the same time, malloc assigns the address 0x7754e008 is falling in the interval, and the deviation of the interval low address part, indicating that the interval is a heap address space. Illustrates that this 1M of memory is indeed a process called malloc allocated, where malloc calls the MMAP system to call anonymous mappings.

stack segment [Stack], with a few examples below to illustrate the stack.

bfd50000-bfd65000 rw-p bffea000 00:00 0 [Stack]

For single-threaded applications, there is only one [stack] segment, the corresponding multithreaded application, the [stack] segment is the main thread's stack space, and the sub-thread's stack space is automatically allocated with the Pthread library.

Example 1, the address of a single-threaded application's local variable is printed, and the result is as follows:

./pthread2

Tid addr 0xbfc73600

The corresponding maps file:

08048000-08049000 R-xp 00000000 fd:00 3145811/home/lijz/code/pthread2

08049000-0804a000 Rw-p 00000000 fd:00 3145811/home/lijz/code/pthread2

b7f7e000-b7f80000 rw-p b7f7e000 00:00 0

b7f8a000-b7f8b000 rw-p b7f8a000 00:00 0

bfc5f000-bfc74000 rw-p bffea000 00:00 0 [Stack]

The address of the local variable is 0xbfc73600 in the [stack] interval.

Example 2: Print an app local variable with one child thread, and the result is as follows:

Tid addr 0xbfd64740---------The local variable address printed in the main thread

Child thread Run

STACKADDR The local variable address printed in the 0XB7FC93C4--------child thread

guardsize 4096---------Stack protection page size

The corresponding maps file is as follows:

08048000-08049000 R-xp 00000000 fd:00 3145811/home/lijz/code/pthread2

08049000-0804a000 Rw-p 00000000 fd:00 3145811/home/lijz/code/pthread2

08c64000-08c85000 rw-p 08c64000 00:00 0 [Heap]

b75c9000-b75ca000---p b75c9000 00:00 0---------pthread_create default stack Overflow protected area

b75ca000-b7fcc000 rw-p b75ca000 00:000------------pthread_create The stack space of the child threads created

b7fd6000-b7fd7000 rw-p b7fd6000 00:00 0------------------4KB should also be anonymous mappings generated through MMAP

bfd50000-bfd65000 rw-p bffea000 00:00 0 [stack]---------the stack space of the main process

The result of the execution shows that the local variable address 0xbfd64740 in the main thread falls in the [stack] interval, while the sub-thread local variable address 0XB7FC93C4 falls in the b75ca000-b7fcc000 rw-p b75ca00 interval. And the address of the local variable is allocated from the high address, indicating that the VMA is the stack address space of the child thread. In addition, to the stack space, pthread default set a 4KB stack protection page, the corresponding interval is: b75c9000-b75ca000---P b75c9000, the interval is not readable, not writable, and can not be executed, through the setting of these properties information, the function of stack overflow protection is achieved.

Example 3: On the basis of Example 2, create a more thread, the execution result of the PTHREAD2 program is as follows:

./pthread2

Tid addr 0xbfc81610----------main thread local variable address

Child thread Run

STACKADDR = 0xb7f183c0-------Child thread 1 local variable address

Guardsize 4096

Child Thread2 Run

STACKADDR =0XB75173C4----------Child thread local variable address

Guardsize 4096

The corresponding maps file:

08048000-08049000 R-xp 00000000 fd:00 3145811/home/lijz/code/pthread2

08049000-0804a000 Rw-p 00000000 fd:00 3145811/home/lijz/code/pthread2

092d6000-092f7000 rw-p 092d6000 00:00 0 [Heap]

76b16000-b6b17000 rw-p 76b16000 00:00 0----------Mallocmmap

b6b17000-b6b18000---p b6b17000 00:00 0

b6b18000-b7518000 rw-p b6b18000 00:000---------pthread thread2 Stack space

b7518000-b7519000---p b7518000 00:00 0

b7519000-b7f1b000 rw-p b7519000 00:000----------pthread thread1 Stack space

b7f25000-b7f26000 rw-p b7f25000 00:00 0

bfc6e000-bfc83000 rw-p bffea000 00:00 0 [stack]---main thread stack space

From the maps file record, add a sub-thread, in the maps file added two records, respectively, the sub-thread stack space and the Stack Protection page records. By default, Pthread reserves the size of 1MB for a child thread, and the Stack Protection page is 4KB (which is primarily related to page size).

In summary, the proc maps file can view information such as the memory map of a process, the permission properties of each section of memory.

Linux proc maps file analysis

Alibaba Cloud Hot Products
Elastic Compute Service (ECS)	Dedicated Host (DDH)	ApsaraDB RDS for MySQL (RDS)	ApsaraDB for PolarDB(PolarDB)	AnalyticDB for PostgreSQL (ADB for PG)
AnalyticDB for MySQL(ADB for MySQL)	Data Transmission Service (DTS)	Server Load Balancer (SLB)	Global Accelerator (GA)	Cloud Enterprise Network (CEN)
Object Storage Service (OSS)	Content Delivery Network (CDN)	Short Message Service (SMS)	Container Service for Kubernetes (ACK)	Data Lake Analytics (DLA)
ApsaraDB for Redis (Redis)	ApsaraDB for MongoDB (MongoDB)	NAT Gateway	VPN Gateway	Cloud Firewall
Anti-DDoS	Web Application Firewall (WAF)	Log Service	DataWorks	MaxCompute
Elastic MapReduce (EMR)	Elasticsearch