Linux – Purpose of Seemingly Unusable Memory Mappings

linuxprocessvirtual-memory

It seems that every process has private memory mappings that are neither readable nor writeable nor executable (whose flags are "—p"):

grep -- --- /proc/self/maps
7f2bd9bf7000-7f2bd9df6000 ---p 001be000 fc:00 3733                       /lib/x86_64-linux-gnu/libc-2.19.so
7f2bd9e04000-7f2bda003000 ---p 00003000 fc:00 3743                       /lib/x86_64-linux-gnu/libdl-2.19.so
7f2bda042000-7f2bda241000 ---p 0003d000 fc:00 36067                      /lib/x86_64-linux-gnu/libpcre.so.3.13.1

returns some in shared libraries and doing that for java (JVM) processes even returns a dozen of anonymous mappings with hundreds of megabytes.

Edit: If these mappings are placeholders, who will be using these kept places at which events and from which other activity are they protected – in other words: What is the wrong behavior that could happen if these placeholders were not there ?

2nd edit: Given these holes in shared libraries are in fact helpful for some purpose of the compiler and/or dynamic linker, there must be some other purpose for these holes in anonymous mappings visible in JVM processes. Sorted the anonymous mappings of a tomcat JVM process by size:

 20 MB  00007FA0AAB52000-00007FA0AC000000 ---p 00000000 00:00 0
 41 MB  00007FA0B1603000-00007FA0B4000000 ---p 00000000 00:00 0
 50 MB  00007FA090D04000-00007FA094000000 ---p 00000000 00:00 0
 53 MB  00007FA0F8A40000-00007FA0FC000000 ---p 00000000 00:00 0
 61 MB  00007FA0C42C5000-00007FA0C8000000 ---p 00000000 00:00 0
 61 MB  00007FA0CC29A000-00007FA0D0000000 ---p 00000000 00:00 0
 61 MB  00007FA0D0293000-00007FA0D4000000 ---p 00000000 00:00 0
 62 MB  00007FA0D814C000-00007FA0DC000000 ---p 00000000 00:00 0
 62 MB  00007FA0E017E000-00007FA0E4000000 ---p 00000000 00:00 0
 63 MB  00007FA0B803B000-00007FA0BC000000 ---p 00000000 00:00 0
 63 MB  00007FA0BC021000-00007FA0C0000000 ---p 00000000 00:00 0
 63 MB  00007FA0C0021000-00007FA0C4000000 ---p 00000000 00:00 0
 63 MB  00007FA0D4075000-00007FA0D8000000 ---p 00000000 00:00 0
 63 MB  00007FA0DC040000-00007FA0E0000000 ---p 00000000 00:00 0
 63 MB  00007FA0E4067000-00007FA0E8000000 ---p 00000000 00:00 0
189 MB  00007FA0EC300000-00007FA0F8000000 ---p 00000000 00:00 0
1008 MB  0000000100FF5000-0000000140000000 ---p 00000000 00:00 0

Best Answer

Note that there are two memory regions of 2044KB with null permissions. As mentioned earlier, the ELF's 'execution view' is concerned with how to load an executable binary into memory. When ld.so brings in the dynamic libraries, it looks at the segments labelled as LOAD (look at "Program Headers" and "Section to Segment mapping" from readelf -a xxx.so command.) Usually there are two LOAD segments, and there is a "hole" between the two segments (look at the VirtAddr and MemSiz of these two segments), so ld.so will make this hole inaccessible deliberately: Look for the PROT_NONE symbol in _dl_map_object_from_fd in elf/dl-load.c

http://www.cs.stevens.edu/~jschauma/810/elf.html

It's also easy to see this happening as a mprotect call, using strace e.g. strace -f grep -- . /proc/self/maps 2>&1 |less.

open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=471728, ...}) = 0
mmap(NULL, 2564360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0e3ad2a000
mprotect(0x7f0e3ad9c000, 2093056, PROT_NONE) = 0
mmap(0x7f0e3af9b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x71000) = 0x7f0e3af9b000
close(3)                                = 0

There are mirrors of the glibc repo on github, so it wasn't hard to search for PROT_NONE...

/* This implementation assumes (as does the corresponding implementation of _dl_unmap_segments, in dl-unmap-segments.h) that shared objects are always laid out with all segments contiguous (or with gaps between them small enough that it's preferable to reserve all whole pages inside the gaps with PROT_NONE mappings rather than permitting other use of those parts of the address space). */

https://github.com/bminor/glibc/blob/73dfd088936b9237599e4ab737c7ae2ea7d710e1/elf/dl-map-segments.h#L21

/* _dl_map_segments ensures that any whole pages in gaps between segments are filled in with PROT_NONE mappings. So we can just unmap the whole range in one fell swoop. */

https://github.com/bminor/glibc/blob/73dfd088936b9237599e4ab737c7ae2ea7d710e1/elf/dl-unmap-segments.h#L25

Java

OpenJDK ... uses PROT_NONE mappings to reserve uncommitted address space (which is then committed with mprotect calls, as needed).

The natural assumption is that it wishes to have contiguous heap memory for some reason.

It uses PROT_NONE to reserve space, until it actually needs it. The original context of this comment is a discussion about Linux VM overcommit: using unaccessible mappings avoids requiring any commitment from the kernel (until the mapping is needed & made accessible), in case the kernel is configure for strict commit mode.

If you're wondering why it needs to make this reservation in advance in the context of the JVM, consider that native code linked in using JNI or equivalent might also be using mmap.

https://lwn.net/Articles/627728/

Related Solutions

Linux – How to breakdown ‘Shmem’ RAM usage in Linux

For detailing shmem memory usage (and more), you have got the ipcs command.

From man ipcs

NAME ipcs - show information on IPC facilities

SYNOPSIS ipcs [options]

DESCRIPTION ipcs shows information on the inter-process communication facilities for which the calling process has read access. By default it shows information about all three resources: shared memory segments, message queues, and semaphore arrays.

As an example, I am running it here in an Apache server:

$ipcs

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages    

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status      
0xf4123d98 20643870   root       600        3294       12                      
0xfb123d9b 20676639   root       600        1242       12                      
0x0a123d9d 20709408   root       600        3294       12                      
0x91123da0 20742177   root       600        1242       12                      
0x75123da2 20774946   root       600        3294       12                      
0xbc123da5 20807715   root       600        1242       12                      
0x3d123da7 20840484   root       600        3294       12                      
0x84123daa 20873253   root       600        1242       12                      
0x47123dac 20906022   root       600        3294       12                      
0x0e123daf 20938791   root       600        1242       12                      
0xa6123db1 20971560   root       600        3294       12                      
0x2d123db4 21004329   root       600        1242       12                      
0x77123db6 21037098   root       600        3294       12                      
0x3e123db9 21069867   root       600        1242       12                      
0x80123dbb 21102636   root       600        3294       12                      
0x87123dbe 21135405   root       600        1242       12                      
0xa4123dc0 21168174   root       600        3294       12                      
0xab123dc3 21200943   root       600        1242       12                      
0xfd123dc5 21233712   root       600        3294       12                      
0x44123dc8 21266481   root       600        1242       12                      
0x96123dca 21299250   root       600        3294       12                      
0x1d123dcd 21332019   root       600        1242       12                      
0xa4123dcf 21364788   root       600        3294       12                      
0xab123dd2 21397557   root       600        1242       12                      
0x7a123dd4 21430326   root       600        3294       12                      
0x01123dd7 21463095   root       600        1242       12                      
0xd9123dd9 21495864   root       600        3294       12                      
0x20123ddc 21528633   root       600        1242       12                      
0x86123dde 21561402   root       600        3294       12                      
0x0d123de1 21594171   root       600        1242       12                      

------ Semaphore Arrays --------
key        semid      owner      perms      nsems     
0x00000000 425984     www-data   600        1         
0x00000000 1441793    www-data   600        1         
0x00000000 1474562    www-data   600        1

Linux – what is the purpose of memory overcommitment on Linux

The reason for overcommitting is to avoid underutilization of physical RAM. There is a difference between how much virtual memory a process has allocated and how much of this virtual memory has been actually mapped to physical page frames. In fact, right after a process is started, it reserves very little RAM. This is due to demand paging: the process has a virtual memory layout, but the mapping from the virtual memory address to a physical page frame isn't established until the memory is read or written.

A program typically never uses its whole virtual memory space, and the memory areas touched varies during the run of the program. For example, mappings to page frames containing initialization code that is executed only at the start of the run can be discarded and the page frames can be used for other mappings.

The same applies to data: when a program calls malloc, it reserves a sufficiently large contiguous virtual address space for storing data. However, mappings to physical page frames are not established until the pages are actually used, if ever. Or consider the program stack: every process gets a fairly big contiguous virtual memory area set aside for the stack (typically 8 MB). A process typically uses only a fraction of this stack space; small and well-behaving programs use even less.

A Linux computer typically has a lot of heterogeneous processes running in different stages of their lifetimes. Statistically, at any point in time, they do not collectively need a mapping for every virtual page they have been assigned (or will be assigned later in the program run).

A strictly non-overcommitting scheme would create a static mapping from virtual address pages to physical RAM page frames at the moment the virtual pages are allocated. This would result in a system that can run far fewer programs concurrently, because a lot of RAM page frames would be reserved for nothing.

I don't deny that overcommitting memory has its dangers, and can lead to out-of-memory situations that are messy to deal with. It's all about finding the right compromise.

Best Answer

Java

Related Solutions

Linux – How to breakdown ‘Shmem’ RAM usage in Linux

Linux – what is the purpose of memory overcommitment on Linux

Related Question