display process memory map
utility lists the virtual memory
mappings underlying the given process. The start address of each entry is
always given and, depending on the options given, other information such as
the end address, the underlying file's device and inode numbers, and various
protection information will be displayed, along with the path to the file, if
such data is available.
requires the ability to open
which may be restricted based upon the
value of the kern.allowkmem
By default, procmap
displays information for its
parent process, so that when run from a shell prompt, the shell's memory
information is displayed. If other PIDs are given as arguments on the command
line, information for those processes will be printed also. If the special PID
of 0 is given, then information for the kernel's memory map is printed.
The options are as follows:
- Print more detailed information on anonymous map
- Display “all” information from the process's
memory map. This output mode is an amalgam of the contents of the Solaris,
Linux, and OpenBSD style output modes.
- Enable various debug facilities. The
number is a bit mask of the values:
- dump the process's vmspace structure
- dump the process's vm_map structure
- dump the vm_map.header structure
- dump each vm_map_entry in its entirety
- dump the namei cache as it is traversed
- Dumps the vm_map and vm_map_entry structures in a style
similar to that of
combined with the -v option, the device
number, inode number, name, vnode addresses, or other identifying
information from the vm_map_entry fields will be printed.
- Dumps information in a format like the contents of the maps
pseudo-file under the /proc file system which
was, in turn, modeled after the similarly named entry in the Linux
/proc file system. When combined with the
-v option, identifiers for all entries are
- Extract values associated with the name list from the
specified core instead of the default
- Dumps information in the same format as the map pseudo-file
of the /proc file system. When the
-v option is also given, device number, inode
number, and filename or other identifying information is printed.
- Extract the name list from the specified system instead of
the running kernel.
- Causes procmap to print
information about itself.
- Tells procmap to print
information about the given process. If -p
pid occurs last on the command line, the
-p is optional.
- The Solaris style output format, modeled after the Solaris
command “pmap”. This is the default output style.
- Verbose output. When used with
-d, -l, or
-m, more information is printed, possibly
including device and inode numbers, file path names, or other identifying
information. If specified more than once, a ‘*’ will be
printed in between two entries that are not adjacent, making the visual
identification of spaces in the process's map easier to see.
override each other, so the last one to appear on the command line takes
effect. If you do wish to see information about
and another process as the same time,
simply omit the -p
and place the extra PID at the
end of the command line.
utility exits 0 on success,
and >0 if an error occurs.
While the meaning most of the output is self-evident, some pieces of it may
appear to be a little inscrutable.
Here a portion of the default output from procmap
being run at a sh(1)
prompt shows the starting address of the map entry, the size of the map entry,
the current protection level of the map entry, and either the name of the file
backing the entry or some other descriptive text.
08048000 420K read/exec /bin/sh
080B1000 8K read/write /bin/sh
080B3000 28K read/write [ anon ]
080BA000 16K read/write/exec [ heap ]
When the ddb(4)
style is selected, the first thing printed is the contents of the vm_map
structure, followed by the individual map entries.
$ procmap -d
MAP 0xcf7cac84: [0x0->0xbfbfe000]
#ent=8, sz=34041856, ref=1, version=20, flags=0x21
- 0xcfa3a358: 0x8048000->0x80b1000: obj=0xcf45a8e8/0x0, amap=0x0/0
submap=F, cow=T, nc=T, prot(max)=5/7, inh=1, wc=0, adv=0
The value of the flags field (in hexadecimal) is taken from the include file
VM_MAP_PAGEABLE 0x01 ro: entries are pageable
VM_MAP_INTRSAFE 0x02 ro: interrupt safe map
VM_MAP_WIREFUTURE 0x04 rw: wire future mappings
VM_MAP_BUSY 0x08 rw: map is busy
VM_MAP_WANTLOCK 0x10 rw: want to write-lock
The “submap”, “cow”, and “nc” fields
are true or false, and indicate whether the map is a submap, whether it is
marked for copy on write, and whether it needs a copy. The
“prot” (or protection) field, along with “max”
(maximum protection allowed) are made up of the following flags from
PROT_READ 0x01 read allowed
PROT_WRITE 0x02 write allowed
PROT_EXEC 0x04 execute allowed
The “obj” and “amap” fields are pointers to, and
offsets into, the underlying uvm_object or vm_amap object. The value for
resident is always unknown because digging such information out of the kernel
is beyond the scope of this application.
The two output styles that mirror the contents of the
file system appear as follows:
$ procmap -m
0x8048000 0x80b1000 r-x rwx COW NC 1 0 0
0x80b1000 0x80b3000 rw- rwx COW NC 1 0 0
0x80b3000 0x80ba000 rw- rwx COW NNC 1 0 0
0x80ba000 0x80be000 rwx rwx COW NNC 1 0 0
$ procmap -l
08048000-080b1000 r-xp 00000000 00:00 70173 /bin/sh
080b1000-080b3000 rw-p 00068000 00:00 70173 /bin/sh
080b3000-080ba000 rw-p 00000000 00:00 0
080ba000-080be000 rwxp 00000000 00:00 0
Here the protection and maximum protection values are indicated with
‘r’, ‘w’, and ‘x’ characters,
indicating read permission, write permission, and execute permission,
respectively. The “COW”, “NC”, and
“NNC” values that follow indicate, again, that the map is marked
for copy on write and either needs or does not need a copy. It is also
possible to see the value “NCOW” here, which indicates that an
entry will not be copied. The three following numbers indicate the inheritance
type of the map, the wired count of the map, and any advice value assigned via
In the second form, the permissions indicated are followed by a
‘p’ or ‘s’ character indicating whether the map
entry is private or shared (copy on write or not), and the numbers are the
offset into the underlying object, the device and numbers of the object if it
is a file, and the path to the file (if available).
As noted above (see section
“all” output format is an amalgam of the previous output
$ procmap -a
Start End Size Offset rwxpc RWX I/W/A ...
08048000-080b0fff 420k 00000000 r-xp+ (rwx) 1/0/0 ...
In this format, the column labeled “rwxpc” contains the
permissions for the mapping along with the shared/private flag, and a
character indicating whether the mapping needs to be copied on write
(‘+’) or has already been copied (‘-’) and is
followed by a column that indicates the maximum permissions for the map entry.
The column labeled “I/W/A” indicates the inheritance, wired, and
advice values for the map entry, as previously described.
utility first appeared in
. It was derived from the
utility known as “pmap”.
utility and documentation was written
by Andrew Brown
Very little will work unless procmap
from the correct kernel in order to retrieve the proper symbol information.
Since processes can change state while procmap
running, some of the information printed may be inaccurate. This is especially
important to consider when examining the kernel's map, since merely executing
will cause some of the information to
The pathnames to files backing certain vnodes (such as the text and data
sections of programs and shared libraries) are extracted from the kernel's
namei cache which is considerably volatile. If a path is not found there in
its entirety, as much information as was available will be printed. In most
cases, simply running
with the expected
path to the file will cause the information to be reentered into the cache.
The Solaris version (“pmap”) has some interesting command line
flags that would be nice to emulate here. In particular, the
option that lists a process's reserved
addresses, and the -x
option that prints
resident/shared/private mapping details for each entry.
Some of the output modes can be or are wider than the standard 80 columns of a
terminal. Some sort of formatting might be nice.