1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
|
.\" $OpenBSD: procmap.1,v 1.22 2016/09/25 15:23:37 deraadt Exp $
.\" $NetBSD: pmap.1,v 1.6 2003/01/19 21:25:43 atatat Exp $
.\"
.\" Copyright (c) 2002 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Andrew Brown.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 25 2016 $
.Dt PROCMAP 1
.Os
.Sh NAME
.Nm procmap
.Nd display process memory map
.Sh SYNOPSIS
.Nm
.Op Fl AadlmPsv
.Op Fl D Ar number
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl p Ar pid
.Op Ar pid ...
.Sh DESCRIPTION
The
.Nm
utility lists the virtual memory mappings underlying the given
process.
The start address of each entry is always given and,
depending on the options given, other information such as the end
address, the underlying file's device and inode numbers, and various
protection information will be displayed, along with the path to the
file, if such data is available.
.Pp
.Nm
requires the ability to open
.Pa /dev/kmem
which may be restricted based upon the value of the
.Ar kern.allowkmem
.Xr sysctl 8 .
.Pp
By default,
.Nm
displays information for its parent process, so that when run from a
shell prompt, the shell's memory information is displayed.
If other
PIDs are given as arguments on the command line, information for those
processes will be printed also.
If the special PID of 0 is given,
then information for the kernel's memory map is printed.
.Pp
The options are as follows:
.Bl -tag -width XXXnumberXX
.It Fl A
Print more detailed information on anonymous map usage.
.It Fl a
Display
.Dq all
information from the process's memory map.
This output
mode is an amalgam of the contents of the Solaris, Linux, and
.Ox
style output modes.
.It Fl D Ar number
Enable various debug facilities.
The
.Ar number
is a bit mask of the values:
.Pp
.Bl -tag -width flag -compact
.It Cm 1
dump the process's vmspace structure
.It Cm 2
dump the process's vm_map structure
.It Cm 4
dump the vm_map.header structure
.It Cm 8
dump each vm_map_entry in its entirety
.It Cm 16
dump the namei cache as it is traversed
.El
.It Fl d
Dumps the vm_map and vm_map_entry structures in a style similar to
that of
.Xr ddb 4 .
When combined with the
.Fl v
option, the device number, inode number, name, vnode addresses, or
other identifying information from the vm_map_entry fields will be
printed.
.It Fl l
Dumps information in a format like the contents of the maps
pseudo-file under the
.Pa /proc
file system which was, in turn, modeled after the similarly named entry
in the Linux
.Pa /proc
file system.
When combined with the
.Fl v
option, identifiers for all entries are printed.
.It Fl M Ar core
Extract values associated with the name list from the specified core
instead of the default
.Pa /dev/kmem .
.It Fl m
Dumps information in the same format as the map pseudo-file of the
.Pa /proc
file system.
When the
.Fl v
option is also given, device number, inode number, and filename
or other identifying information is printed.
.It Fl N Ar system
Extract the name list from the specified system instead of the
running kernel.
.It Fl P
Causes
.Nm
to print information about itself.
.It Fl p Ar pid
Tells
.Nm
to print information about the given process.
If
.Fl p Ar pid
occurs last on the command line, the
.Fl p
is optional.
.\" .It Fl R
.\" Recurse into submaps.
.\" In some cases, a vm_map_entry in the kernel
.\" will point to a submap.
.\" Using this flag tells
.\" .Nm
.\" to print the entries of the submap as well.
.\" The submap output is
.\" indented, and does not affect any total printed at the bottom of the
.\" output.
.It Fl s
The Solaris style output format, modeled after the Solaris command
.Dq pmap .
This is the default output style.
.It Fl v
Verbose output.
When used with
.Fl d ,
.Fl l ,
or
.Fl m ,
more information is printed, possibly including device and inode
numbers, file path names, or other identifying information.
If specified more than once, a
.Sq *
will be printed in between two
entries that are not adjacent, making the visual identification of
spaces in the process's map easier to see.
.El
.Pp
The
.Fl P
and
.Fl p
options override each other, so the last one to appear on the command
line takes effect.
If you do wish to see information about
.Nm
and another process as the same time, simply omit the
.Fl p
and place the extra PID at the end of the command line.
.Sh EXIT STATUS
.Ex -std procmap
.Sh EXAMPLES
While the meaning most of the output is self-evident, some pieces of
it may appear to be a little inscrutable.
.Pp
Here a portion of the default output from
.Nm
being run at a
.Xr sh 1
prompt shows the starting address of the map entry, the size of the
map entry, the current protection level of the map entry, and either
the name of the file backing the entry or some other descriptive text.
.Bd -literal -offset indent
$ procmap
08048000 420K read/exec /bin/sh
080B1000 8K read/write /bin/sh
080B3000 28K read/write [ anon ]
080BA000 16K read/write/exec [ heap ]
\&...
.Ed
.Pp
When the
.Xr ddb 4
output style is selected, the first thing printed is the contents of
the vm_map structure, followed by the individual map entries.
.Bd -literal -offset indent
$ procmap -d
MAP 0xcf7cac84: [0x0-\*(Gt0xbfbfe000]
#ent=8, sz=34041856, ref=1, version=20, flags=0x21
pmap=0xcf44cee0(resident=\*(Ltunknown\*(Gt)
- 0xcfa3a358: 0x8048000-\*(Gt0x80b1000: obj=0xcf45a8e8/0x0, amap=0x0/0
submap=F, cow=T, nc=T, prot(max)=5/7, inh=1, wc=0, adv=0
\&...
.Ed
.Pp
The value of the flags field (in hexadecimal) is taken from
the include file
.In uvm/uvm_map.h :
.Bd -literal -offset indent
VM_MAP_PAGEABLE 0x01 ro: entries are pageable
VM_MAP_INTRSAFE 0x02 ro: interrupt safe map
VM_MAP_WIREFUTURE 0x04 rw: wire future mappings
VM_MAP_BUSY 0x08 rw: map is busy
VM_MAP_WANTLOCK 0x10 rw: want to write-lock
.Ed
.Pp
The
.Dq submap ,
.Dq cow ,
and
.Dq nc
fields are true or false, and indicate whether the map is a submap,
whether it is marked for copy on write, and whether it needs a copy.
The
.Dq prot
(or protection) field, along with
.Dq max
(maximum protection allowed) are made up of the following flags from
.In uvm/uvm_extern.h :
.\" this column width specifically chosen so that all the header file
.\" excerpts appear to line up cleanly
.Bd -literal -offset indent
PROT_READ 0x01 read allowed
PROT_WRITE 0x02 write allowed
PROT_EXEC 0x04 execute allowed
.Ed
.Pp
The
.Dq obj
and
.Dq amap
fields are pointers to, and offsets into, the underlying uvm_object or
vm_amap object.
The value for resident is always unknown because digging such
information out of the kernel is beyond the scope of this application.
.Pp
The two output styles that mirror the contents of the
.Pa /proc
file system
appear as follows:
.Bd -literal -offset indent
$ procmap -m
0x8048000 0x80b1000 r-x rwx COW NC 1 0 0
0x80b1000 0x80b3000 rw- rwx COW NC 1 0 0
0x80b3000 0x80ba000 rw- rwx COW NNC 1 0 0
0x80ba000 0x80be000 rwx rwx COW NNC 1 0 0
\&...
$ procmap -l
08048000-080b1000 r-xp 00000000 00:00 70173 /bin/sh
080b1000-080b3000 rw-p 00068000 00:00 70173 /bin/sh
080b3000-080ba000 rw-p 00000000 00:00 0
080ba000-080be000 rwxp 00000000 00:00 0
\&...
.Ed
.Pp
Here the protection and maximum protection values are indicated with
.Sq r ,
.Sq w ,
and
.Sq x
characters, indicating read permission, write permission, and execute
permission, respectively.
The
.Dq COW ,
.Dq NC ,
and
.Dq NNC
values that follow indicate, again, that the map is marked for copy on
write and either needs or does not need a copy.
It is also possible
to see the value
.Dq NCOW
here, which indicates that an entry will not be copied.
The three
following numbers indicate the inheritance type of the map, the wired
count of the map, and any advice value assigned via
.Xr madvise 2 .
.Pp
In the second form, the permissions indicated are followed by a
.Sq p
or
.Sq s
character indicating whether the map entry is private or shared (copy
on write or not), and the numbers are the offset into the underlying
object, the device and numbers of the object if it is a file, and the
path to the file (if available).
.Pp
As noted above (see section
.Sx DESCRIPTION ) ,
the
.Dq all
output format is an amalgam of the previous output formats.
.Bd -literal -offset indent
$ procmap -a
Start End Size Offset rwxpc RWX I/W/A ...
08048000-080b0fff 420k 00000000 r-xp+ (rwx) 1/0/0 ...
\&...
.Ed
.Pp
In this format, the column labeled
.Dq rwxpc
contains the permissions for the mapping along with the shared/private
flag, and a character indicating whether the mapping needs to be
copied on write
.Pq Sq +
or has already been copied
.Pq Sq -
and is followed by a column that indicates the maximum permissions for
the map entry.
The column labeled
.Dq I/W/A
indicates the inheritance, wired, and advice values for the map entry,
as previously described.
.Sh SEE ALSO
.Xr ls 1 ,
.\" .Xr stat 1 ,
.Xr madvise 2 ,
.Xr mmap 2 ,
.Xr kvm 3 ,
.Xr ddb 4 ,
.Xr namei 9 ,
.Xr vnode 9
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 3.5 .
It was derived from the
.Nx
utility known as
.Dq pmap .
.Sh AUTHORS
The
.Nm
utility and documentation was written by
.An Andrew Brown Aq Mt atatat@netbsd.org .
.Sh BUGS
Very little will work unless
.Nm
is reading from the correct kernel in order to retrieve the
proper symbol information.
.Pp
Since processes can change state while
.Nm
is running, some of the information printed may be inaccurate.
This is especially important to consider when examining the kernel's map,
since merely executing
.Nm
will cause some of the information to change.
.Pp
The pathnames to files backing certain vnodes (such as the text and
data sections of programs and shared libraries) are extracted from the
kernel's namei cache which is considerably volatile.
If a path is not
found there in its entirety, as much information as was available
will be printed.
In most cases, simply running
.Xr ls 1
.\" or
.\" .Xr stat 1
with the expected path to the file will cause the information to be
reentered into the cache.
.Pp
The Solaris version
.Pq Dq pmap
has some interesting command line flags that would be nice to emulate here.
In particular, the
.Fl r
option that lists a process's reserved addresses, and the
.Fl x
option that prints resident/shared/private mapping details for each
entry.
.Pp
Some of the output modes can be or are wider than the standard 80
columns of a terminal.
Some sort of formatting might be nice.
|