4

i came across a sample gdbinit file, which was having following statements. can anyone plz let me know what is so specific about the addresses (0x40000000, 0x80000000 and 0xBF000000) ? why the following check again them is letting me know of valid or invalid address ?

define dd
if ( ($arg0 & 0x40000000) || ($arg0 & 0x08000000) || ($arg0 & 0xBF000000) )
set $data_addr=$arg0
ddump 0x10 $arg0
else
printf "Invalid address: %08X\n", $arg0
end
end

Further how the following check against the same addresses again tells me which register to choose for data address ?

define datawin
if ( ($esi & 0x40000000) || ($esi & 0x08000000) || ($esi & 0xBF000000) )
set $data_addr=$esi
else
if ( ($edi & 0x40000000) || ($edi & 0x08000000) || ($edi & 0xBF000000) )
set $data_addr=$edi
else
if ( ($eax & 0x40000000) || ($eax & 0x08000000) || ($eax & 0xBF000000) )
set $data_addr=$eax
else
set $data_addr=$esp
end

any help will be greatly appreciated. thanks.

unwind
  • 391,730
  • 64
  • 469
  • 606
mezda
  • 3,537
  • 6
  • 30
  • 37

4 Answers4

2

Most modern operating systems that run on a CPU which has MMU capability, provides processes a virtual memory model that is divided into certain regions. Generally, lower addresses belong to the process and higher addresses belong to the OS. Between these, there is the stack space. In your case, it is an 32-bit system. First part checks the address for validity (but this check does not guarantee the accessibility of the given address), second part just uses the given register...

Malkocoglu
  • 2,522
  • 2
  • 26
  • 32
  • thanks for the answer. can you please let me know the factors which come into picture when you say **Generally, lower addresses belong to the process and higher addresses belong to the OS.** Also let me know when you say **First part checks the address for validity (but this check does not guarantee the accessibility of the given address)** what is the issue with the given check. Can it be improved upon for a valid check. Also can you point me to some links, also let me know some books which can tell me about memory mapping in details. thanks a lot. – mezda Apr 05 '12 at 14:49
  • 1
    Lower addr belong to the process because of both historical and practical reasons. When there was no concept of VM, it was very logical to start the memory map from 0x0. This VM address is not the physical address so it can be anywhere in the physical memory. Also, Virtual Machine Garbage Collectors may perform better with lower addresses. Validity of the address means if that process can access that particular VM address. You can not access addresses beyond program break, also there is 'const'. Read :: http://en.wikipedia.org/wiki/Sbrk , http://www.internals.com/articles/protmode/protmode.htm – Malkocoglu Apr 05 '12 at 17:38
  • thanks for the info. can you let me know some book titles which tell about memory mapping in depth. thanks again. – mezda Apr 06 '12 at 05:34
  • Any recent OS kernel book should explain, sorry i do not have a recommendation. Online sources may be enough. Jhonnash pointed out some useful links... – Malkocoglu Apr 06 '12 at 16:29
2

In mostly boards In that case 0x00000000 to 0x00ffffff RAM is mapped and the Flash 0x40000000 to 0x407fffff mapped.

There are a lot of problems with that particular page - IMHO it's mostly obsolete (it might have been less incorrect for 80386). Specifically: - the EBDA size and the size of both the video ROM and BIOS aren't fixed sizes. Some computers are "headless" and have no video (or video ROM).

  • the area between the video ROM and BIOS has never contained "nothing". It has always been reserved for other "device specific ROMS" (SCSI BIOS, ethernet boot ROMs, etc) and for some systems this area may contain usable RAM (some OS's, like Windows 95, actually scan this area and use any RAM found within it).

  • for older computers (and possibly recent computers, including some new computers if the BIOS is configured for it) the area between 15 MB and 16 MB is a "memory hole" that was (and may still be) used for old ISA devices for memory mapped I/O. This area was most often used by ISA SVGA cards, but could be used by any ISA card (even an old ISA card plugged into a brand new computer).

  • NVRAM and ACPI do not use memory above 0xFEC00000 and never have. Instead memory at the top of RAM is used (for e.g. just below 0x10000000 for a computer with 256 MB of RAM).

  • typically there's an area below 0xFEC00000 that is used for memory mapped PCI/AGP devices (e.g. video linear frame buffer). The size of this area depends on the BIOS and motherboard (often it begins at 0xC0000000 or 0xE0000000). This means that for a computer with 4 GB of RAM, a "32 bit" OS will only be able to use 3 GB or 3.5 GB of it. Most "good" motherboards will map the spare RAM above 4 GB (an OS will need to use PAE, PSE36 or long mode to access it). Cheap motherboards may just waste this RAM instead.

  • the area from 0xFEC00000 to the bottom of the BIOS (which is actually just below 4 GB - all or part of it appears to be below 1 MB due to chipset tricks) is mainly reserved for local APICs and I/O APICs (if any).

  • RAM may be above 4 GB on newer computers. This isn't that common yet, but Vista hasn't been officially released yet either.

  • for servers, things can be even more complicated. NUMA is one problem (which includes simple "dual-socket" AMD systems) which may cause RAM to be configured in banks (e.g. 512 MB at 0x00000000 and another 512 MB at 0x80000000 with a big hole in-between). Also some servers support "hot-plug" RAM areas (which are typically above "installed RAM at boot", and also typically above 4 GB).

http://forum.osdev.org/viewtopic.php?t=11391

http://books.google.co.in/books?id=xnFdWfJAK9wC&pg=PT289&lpg=PT289&dq=on+hard+disk+addresses+0x40000000&source=bl&ots=GFQJQ5R_-Z&sig=VchcoPWMeIE4E-Vzom1lmUxxJSg&hl=en&sa=X&ei=jvx6T4CiL8amrAeVzbiEAg&sqi=2&ved=0CEsQ6AEwAQ#v=onepage&q=on%20hard%20disk%20addresses%200x40000000&f=false

So, I can Say these are the limits of the Linux OS on the memory. We can't acquire the base address from 0x00000000 because it is mapped up to a certain limit. Base address 0x40000000 normally the Start of the OS Code and similarly I can say base address 0xBF000000 is the limit of OS code.

suneet saini
  • 592
  • 3
  • 16
  • i am not able to get several things in your comments. further it seems to be specific for some board. Also can you point me to some links, also let me know some books which can tell me about memory mapping in details. thanks a lot. – mezda Apr 05 '12 at 15:07
1

Process of Mapping can be viewed: 

$ pmap pid
$ pmap 3724

Books:

"Understanding the Linux Kernel" 9.3. Memory Regions; 16.2. Memory Mapping "Understanding the Linux Virtual Memory Manager" 4.4 Memory Regions

Links:

http://www.scs.ch/~frey/linux/memorymap.html
http://www.linuxdoc.org/HOWTO/KernelAnalysis-HOWTO-7.html
http://linuxdevcenter.com/pub/a/linux/2006/11/30/linux-out-of-memory.html
http://www.linux-tutorial.info/modules.php?name=MContent&pageid=260
http://www.syslinux.org/wiki/index.php/Memory_Map_(General)

As I don't know about your code is running out of memory on what type of system; and what are you using so exact definition is hard to give. In the above answer I had given the details of a board mapping example from "Linux kernel Programming - Robert Love" and some details about various operating systems(linux) & hardware having several limitations. So, it is hard to tell what is the memory limit.

suneet saini
  • 592
  • 3
  • 16
1

This is for Linux. You have one address wrong in your title, it's not 0x80000000 but 0x8000000.

Linux programs are typically loaded at 0x8210000 (iirc). That range is for your code itself.

The stack is by default at 0xBFFF????. That's the second range.

The third range is probably the start of the writable data part, or where libraries are loaded.

The checks appear to be badly written though, there are no checks what the binary AND ends up returning so the and with "0xBF000000" will return true for way more addresses than it should.

[Edit] Second part of your question, if any of esi/edi/eax contains a number in this region, it's likely to point to somewhere in your data region.

dascandy
  • 7,184
  • 1
  • 29
  • 50
  • thanks for pointing the mistake in title. can you plz tell a bit more when you say **Linux programs are typically loaded at 0x8210000 (iirc).** what is iirc, what is typically loading means. Does it change with some factor ? Also what is ??? indicate here **0xBFFF????*** . Can the checks be written in a better way ? **Second part of your question.. in this region** This was the check to dump the hex data from the beginning of data segment in memory. Also can you point me to some links, also let me know some books which can tell me about memory mapping in details. thanks a lot. – mezda Apr 05 '12 at 15:05
  • 1
    http://wiki.osdev.org/Expanded_Main_Page contains a lot of information on operating system internals in general among which memory mapping. There's http://asm.sourceforge.net/articles/startup.html on Linux, which shows that it's not 8210000 but 8048000 where programs are loaded and that the stack ends at 0xBFFFFFFF. The question marks are "any number". These places may change if you use ASLR - address space layout randomization, which reduces some hacking attempt success chances. – dascandy Apr 06 '12 at 11:30