Memory dumps

Revision as of 04:09, 31 August 2016 by Kir (talk | contribs) (Deduplication: link to a separate article)
Jump to: navigation, search

This page describes the way memory is stored in the image files.


Process mappings are stored in mm.img images. But that info is only about the virtual memory areas. The data sitting inside those areas is all stored in pairs of files described below.

The memory dumps contain the contents of individual pages (4k) and the information about at which address in the virtual memory the data in question should be. Those images are not connected to the VMA list in mm.img at all, just the addresses matching makes things get into proper locations.

What gets into memory dumps is

  • Present pages from anonymous private mappings
  • Present pages from anonymous shared mappings
  • Private (copied) pages from file private mappings

Images structure

Memory dumps are stored into two images.

This is the list of entries each of which is a pair -- where in the memory the data should go and which amount of pages it includes.
This is the plain set of 4k entries -- each one is a full page with data.


Let's imagine we have pagemap contain two entries

  { 0x1000000, 4 }
  { 0xCF000000, 8 }

In this case the pages should have 12 pages in it, i.e. be 48K in size. Then the first 4 pages (16k, the first pagemap entry) would be read from image and put at address 0x1000000 thus occupying space up to the 0x1000000 + 4 * 4096 = 0x1004000 address. The last 8 pages (32k, the 2nd pagemap entry) would be read and put at the 0xCF000000 address.

Stacked images

When you do incremental dumps there appear the parent symlink and images with pages become dependant on each other.

There appears the 3rd field in the pagemap, called in_parent. When set this boolean value means, that the respective data for the pagemap should be found in the parent images. While searching for data in parent the same algorithm is used -- first the pagemap is resolved, then the data is found in pages. For parent images, the data (either complete or partial) can also be found in its parent images.

Respectively, the bottom image (with no parent link) should have no in_parent bits at all.


Let's take another example, consider we have pagemap from previous example with one in_parent bit:

  { 0x1000000, 4, in_parent }
  { 0xCF000000, 8 }

In this case the pages image would be only 32k in size, since the first 4 pages should be found in the parent. Thus the parent pagemap image should container one ore more pagemaps that cover the 0x1000000 ... 0x1004000 area, for example like this

  { 0x1000000, 2 }
  { 0x1002000, 2, in_parent }

This, in turn, would mean that first 2 pages from this range are in parent's pages image file and the last 2 should be looked up deeper -- in the grand-parent pagemaps.


See Memory images deduplication.

See also