分析

<h2>概述</h2> <p>1、malloc 的区域，可以被合并到某个区域内。也就是说：并不是每个 malloc 就会创建一个新的 vm_area</p> <h2>进程虚拟内存</h2> <p>每个进程都有 mm 结构，定义如下：</p> <pre><code class="language-c">// file: include/linux/mm_types.h struct mm_struct { struct { struct vm_area_struct *mmap; /* list of VMAs */ // 描述各个虚拟内存区域，按照从低到高的地址进行排序。双向不循环链表的方式方便遍历 struct rb_root mm_rb; // 同上，红黑树的方式方便查找虚拟地址属于哪个区域。这是根节点 u64 vmacache_seqnum; /* per-thread vmacache */ #ifdef CONFIG_MMU unsigned long (*get_unmapped_area) (struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags); #endif unsigned long mmap_base; /* base of mmap area */ // 映射区起始地址 unsigned long mmap_legacy_base; /* base of mmap area in bottom-up allocations */ #ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES /* Base adresses for compatible mmap() */ unsigned long mmap_compat_base; unsigned long mmap_compat_legacy_base; #endif unsigned long task_size; /* size of task vm space */ // 用户空间界限 0x0000 7fff ffff 0000 unsigned long highest_vm_end; /* highest vma end address */ pgd_t * pgd; /** * @mm_users: The number of users including userspace. * * Use mmget()/mmget_not_zero()/mmput() to modify. When this * drops to 0 (i.e. when the task exits and there are no other * temporary reference holders), we also release a reference on * @mm_count (which may then free the &amp;amp;struct mm_struct if * @mm_count also drops to 0). */ atomic_t mm_users; /** * @mm_count: The number of references to &amp;amp;struct mm_struct * (@mm_users count as 1). * * Use mmgrab()/mmdrop() to modify. When this drops to 0, the * &amp;amp;struct mm_struct is freed. */ atomic_t mm_count; #ifdef CONFIG_MMU atomic_long_t pgtables_bytes; /* PTE page table pages */ #endif int map_count; /* number of VMAs */ spinlock_t page_table_lock; /* Protects page tables and some * counters */ struct rw_semaphore mmap_sem; struct list_head mmlist; /* List of maybe swapped mm's. These * are globally strung together off * init_mm.mmlist, and are protected * by mmlist_lock */ unsigned long hiwater_rss; /* High-watermark of RSS usage */ unsigned long hiwater_vm; /* High-water virtual memory usage */ unsigned long total_vm; /* Total pages mapped */ unsigned long locked_vm; /* Pages that have PG_mlocked set */ unsigned long pinned_vm; /* Refcount permanently increased */ unsigned long data_vm; /* VM_WRITE &amp;amp; ~VM_SHARED &amp;amp; ~VM_STACK */ unsigned long exec_vm; /* VM_EXEC &amp;amp; ~VM_WRITE &amp;amp; ~VM_STACK */ unsigned long stack_vm; /* VM_STACK */ unsigned long def_flags; spinlock_t arg_lock; /* protect the below fields */ unsigned long start_code, end_code, start_data, end_data; // 各个段 unsigned long start_brk, brk, start_stack; unsigned long arg_start, arg_end, env_start, env_end; // 据说是在栈的最高地址 unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ /* * Special counters, in some configurations protected by the * page_table_lock, in other configurations by being atomic. */ struct mm_rss_stat rss_stat; struct linux_binfmt *binfmt; /* Architecture-specific MM context */ mm_context_t context; unsigned long flags; /* Must use atomic bitops to access */ struct core_state *core_state; /* coredumping support */ #ifdef CONFIG_MEMBARRIER atomic_t membarrier_state; #endif #ifdef CONFIG_AIO spinlock_t ioctx_lock; struct kioctx_table __rcu *ioctx_table; #endif #ifdef CONFIG_MEMCG /* * &amp;quot;owner&amp;quot; points to a task that is regarded as the canonical * user/owner of this mm. All of the following must be true in * order for it to be changed: * * current == mm-&amp;gt;owner * current-&amp;gt;mm != mm * new_owner-&amp;gt;mm == mm * new_owner-&amp;gt;alloc_lock is held */ struct task_struct __rcu *owner; #endif struct user_namespace *user_ns; /* store ref to file /proc/&amp;lt;pid&amp;gt;/exe symlink points to */ struct file __rcu *exe_file; #ifdef CONFIG_MMU_NOTIFIER struct mmu_notifier_mm *mmu_notifier_mm; #endif #if defined(CONFIG_TRANSPARENT_HUGEPAGE) &amp;amp;&amp;amp; !USE_SPLIT_PMD_PTLOCKS pgtable_t pmd_huge_pte; /* protected by page_table_lock */ #endif #ifdef CONFIG_NUMA_BALANCING /* * numa_next_scan is the next time that the PTEs will be marked * pte_numa. NUMA hinting faults will gather statistics and * migrate pages to new nodes if necessary. */ unsigned long numa_next_scan; /* Restart point for scanning and setting pte_numa */ unsigned long numa_scan_offset; /* numa_scan_seq prevents two threads setting pte_numa */ int numa_scan_seq; #endif /* * An operation with batched TLB flushing is going on. Anything * that can move process memory needs to flush the TLB when * moving a PROT_NONE or PROT_NUMA mapped page. */ atomic_t tlb_flush_pending; #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH /* See flush_tlb_batched_pending() */ bool tlb_flush_batched; #endif struct uprobes_state uprobes_state; #ifdef CONFIG_HUGETLB_PAGE atomic_long_t hugetlb_usage; #endif struct work_struct async_put_work; #if IS_ENABLED(CONFIG_HMM) /* HMM needs to track a few things per mm */ struct hmm *hmm; #endif } __randomize_layout; /* * The mm_cpumask needs to be at the end of mm_struct, because it * is dynamically sized based on nr_cpu_ids. */ unsigned long cpu_bitmap[]; }; </code></pre> <p>其中 <code>struct vm_area_struct *mmap</code> 描述的是各个虚拟内存区域的信息，可以通过 <code>pmap pid</code> 查看，就是遍历的这个链表。</p> <pre><code class="language-c">// file: include/linux/mm_types.h /* * This struct defines a memory VMM memory area. There is one of these * per VM-area/task. A VM area is any part of the process virtual memory * space that has a special rule for the page-fault handlers (ie a shared * library, the executable area etc). */ struct vm_area_struct { /* The first cache line has the info for VMA tree walking. */ unsigned long vm_start; /* Our start address within vm_mm. */ // 最低地址 unsigned long vm_end; /* The first byte after our end address // 最高地址（不含） within vm_mm. */ /* linked list of VM areas per task, sorted by address */ struct vm_area_struct *vm_next, *vm_prev; // 双向链表方式 struct rb_node vm_rb; // 红黑树方式 /* * Largest free memory gap in bytes to the left of this VMA. * Either between this VMA and vma-&amp;gt;vm_prev, or between one of the * VMAs below us in the VMA rbtree and its -&amp;gt;vm_prev. This helps * get_unmapped_area find a free area of the right size. */ unsigned long rb_subtree_gap; /* Second cache line starts here. */ struct mm_struct *vm_mm; /* The address space we belong to. */ // 回链。每个虚拟地址区域都有回链 pgprot_t vm_page_prot; /* Access permissions of this VMA. */ // 偏向于页这一级别的权限 unsigned long vm_flags; /* Flags, see mm.h. */ // 偏向于整个虚拟内存区域的权限 /* * For areas with an address space and backing store, * linkage into the address_space-&amp;gt;i_mmap interval tree. */ struct { struct rb_node rb; unsigned long rb_subtree_last; } shared; /* * A file's MAP_PRIVATE vma can be in both i_mmap tree and anon_vma * list, after a COW of one of the file pages. A MAP_SHARED vma * can only be in the i_mmap tree. An anonymous MAP_PRIVATE, stack * or brk vma (with NULL file) can only be in an anon_vma list. */ struct list_head anon_vma_chain; /* Serialized by mmap_sem &amp;amp; * page_table_lock */ struct anon_vma *anon_vma; /* Serialized by page_table_lock */ // 匿名映射，例如 malloc 较大内存时 /* Function pointers to deal with this struct. */ const struct vm_operations_struct *vm_ops; // ops /* Information about our backing store: */ unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE units */ struct file * vm_file; /* File we map to (can be NULL). */ // 文件映射 void * vm_private_data; /* was vm_pte (shared mem) */ atomic_long_t swap_readahead_info; #ifndef CONFIG_MMU struct vm_region *vm_region; /* NOMMU mapping region */ #endif #ifdef CONFIG_NUMA struct mempolicy *vm_policy; /* NUMA policy for the VMA */ #endif struct vm_userfaultfd_ctx vm_userfaultfd_ctx; } __randomize_layout;</code></pre> <h2>内核虚拟地址</h2> <p>可通过 <code>cat /proc/iomem</code> 查看物理内存布局。</p>