
Anatomy of a Program in Memory (2009) - Tomte
http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
======
haberman
Really great article and blog.

> You can examine binary images using the nm and objdump commands to display
> symbols, their addresses, segments, and so on.

You can also use my new tool Bloaty McBloatface
([https://github.com/google/bloaty](https://github.com/google/bloaty)). Check
out the -v option especially, which will dump a memory map of both the file
domain and the VM address domain:

        $ ./bloaty `which ls` -v -d segments
        FILE MAP:
        [0, 19d44] LOAD [RX], LOAD [RX]
        [19d44, 19df0] [None], [Unmapped]
        [19df0, 1a5f4] LOAD [RW], LOAD [RW]
        [1a5f4, 1a700] [None], [Unmapped]
        [1a700, 1ae00] [None], [ELF Headers]
        VM MAP:
        [0, 400000] NO ENTRY
        [400000, 419d44] LOAD [RX], LOAD [RX]
        [419d44, 619df0] NO ENTRY
        [619df0, 61a5f4] LOAD [RW], LOAD [RW]
        [61a5f4, 61b360] LOAD [RW], LOAD [RW]
             VM SIZE                     FILE SIZE
         --------------               --------------
          95.1%   103Ki LOAD [RX]       103Ki  96.1%
           4.9%  5.36Ki LOAD [RW]      2.00Ki   1.9%
           0.0%       0 [ELF Headers]  1.75Ki   1.6%
           0.0%       0 [Unmapped]        440   0.4%
         100.0%   108Ki TOTAL           107Ki 100.0%

If you leave off "-d segments" the map will include all sections too (like
.bss, .text, etc). Here is an example of that output:
[http://pastebin.com/3XGcqA8k](http://pastebin.com/3XGcqA8k)
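
Added example (not part of the comment above and not Bloaty's code): a minimal Python reader for ELF64 program headers that reports the same two domains per LOAD segment, plus the memory-only tail and a writable-and-executable check. The sample image is constructed here from the segment ranges shown in the output above; the entry point, alignment and other header fields are assumed values.

```python
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4

def load_segments(image: bytes):
    """List the PT_LOAD segments of a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)        # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    segs = []
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, p_vaddr, _paddr,
         p_filesz, p_memsz, _align) = struct.unpack_from(
            "<IIQQQQQQ", image, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        perms = "".join(c for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X))
                        if p_flags & bit)
        segs.append({
            "perms": perms,
            "file": (p_offset, p_offset + p_filesz),   # file domain
            "vm": (p_vaddr, p_vaddr + p_memsz),        # VM address domain
            "zero_fill": p_memsz - p_filesz,           # exists only in memory (.bss-style)
            "writable_and_executable": bool(p_flags & PF_W and p_flags & PF_X),
        })
    return segs

def build_sample() -> bytes:
    """Constructed ELF64 header + two program headers; no segment contents."""
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1,
                       0x400000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    rx = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0x0, 0x400000,
                     0x400000, 0x19d44, 0x19d44, 0x200000)
    rw = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_W, 0x19df0, 0x619df0,
                     0x619df0, 0x804, 0x1570, 0x200000)
    return ehdr + rx + rw

SAMPLE = build_sample()

if __name__ == "__main__":
    for s in load_segments(SAMPLE):
        print(s["perms"], [hex(v) for v in s["file"]], [hex(v) for v in s["vm"]],
              "zero-fill", s["zero_fill"], "W+X" if s["writable_and_executable"] else "")
```

To inspect a real binary, pass the bytes of the file to `load_segments` instead of `SAMPLE`.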

------
xenadu02
> Once virtual addresses are enabled, they apply to all software running in
> the machine, including the kernel itself. Thus a portion of the virtual
> address space must be reserved to the kernel

Reserving a portion of the address space for the kernel is a performance
optimization and not necessarily required.

In 32-bit macOS the kernel has its own separate address space just like a
process. Syscalls copy or map data in and out. The benefit is user mode
processes can use all 4 GB. The obvious downside is the extra overhead and TLB
flushes.

32/64-bit iOS and 64-bit macOS use the standard convention of having the
kernel's address space mapped into all processes. Especially on 64-bit there
is no benefit to doing otherwise.

------
rimher
I'd recommend reading absolutely everything that's on this website. Everything
from CS-related stuff to Feynman is worth the time!

------
qwertyuiop924
Wow this is a cool blog. Seriously.

And now I understand memory segmentation. Wow, that is terrible. Seriously
Intel, what is it with you and overcomplicating things?

------
adamnemecek
This blog is the best resource for anything related to the kernel/hw boundary.
Better than any book I've seen.

------
userbinator
Win9x actually looks more similar to the Linux layout, with ring0 only
occupying the highest GB, but has an additional area from 80000000h~BFFFFFFFh
which is shared across all user-mode processes and used for things like DLLs.

