虚拟内存图解教学文档<\/h1>

1. 虚拟内存基础概念<\/h2>
虚拟内存是现代操作系统提供的一种内存管理技术，它为每个进程提供了一个连续的、私有的地址空间，使得每个进程都认为自己独占整个内存空间。<\/p>

虚拟内存的主要特点：<\/h3>

每个进程有自己独立的地址空间<\/li>
内存地址与实际物理内存分离<\/li>
提供内存保护机制<\/li>

允许使用比实际物理内存更大的地址空间<\/li> <\/ul>

2. 实验环境准备<\/h2>

测试环境<\/h3>

操作系统：Ubuntu 14.04 LTS<\/li>
内核版本：Linux 4.4.0-31-generic<\/li>

架构：x86_64<\/li> <\/ul>

所需工具<\/h3>

gcc<\/strong>：用于编译C程序<\/li>
objdump<\/strong>：用于反汇编可执行文件<\/li>
udcli<\/strong>（Udis86反汇编器）：用于交互式反汇编<\/li>
bc<\/strong>：用于进制转换计算<\/li>

\/proc\/[pid]\/maps<\/strong>：查看进程内存映射<\/li> <\/ol>
3. 虚拟内存布局探索<\/h2>
3.1 栈(Stack)的定位<\/h3>
栈用于存储局部变量、函数调用信息等。通过打印局部变量的地址可以定位栈的位置。<\/p>
#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> int<\/span> a; <\/span><\/span> printf("Address of a: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)&<\/span>a); <\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>运行结果示例：<\/p> Address of a: 0x7ffd14b8bd9c <\/code><\/pre> 栈的特点：<\/p> 位于高地址区域<\/li> 向下增长（地址递减）<\/li> 存储局部变量、函数参数、返回地址等<\/li> <\/ul> 3.2 堆(Heap)的定位<\/h3> 堆用于动态内存分配，通过malloc函数分配的内存位于堆中。<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> int<\/span> a; <\/span><\/span> void<\/span> *<\/span>p; <\/span><\/span> <\/span><\/span> printf("Address of a: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)&<\/span>a); <\/span><\/span> p =<\/span> malloc(98<\/span>); <\/span><\/span> printf("Allocated space in the heap: %p<\/span>\n<\/span>"<\/span>, p); <\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>运行结果示例：<\/p> Address of a: 0x7ffd4204c554 Allocated space in the heap: 0x901010 <\/code><\/pre> 堆的特点：<\/p> 位于低地址区域（相对于栈）<\/li> 向上增长（地址递增）<\/li> 通过malloc\/free管理内存<\/li> <\/ul> 3.3 代码段(Text Segment)的定位<\/h3> 代码段存储程序的执行代码，通过打印main函数的地址可以定位代码段。<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> int<\/span> a; <\/span><\/span> void<\/span> *<\/span>p; <\/span><\/span> <\/span><\/span> printf("Address of a: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)&<\/span>a); <\/span><\/span> p =<\/span> malloc(98<\/span>); <\/span><\/span> printf("Allocated space in the heap: %p<\/span>\n<\/span>"<\/span>, p); <\/span><\/span> printf("Address of function main: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)main); <\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>运行结果示例：<\/p> Address of a: 0x7ffdced37d74 Allocated space in the heap: 0x2199010 Address of function main: 0x40060d <\/code><\/pre> 验证代码段内容：<\/p> objdump -M intel -j .text -d 程序名 | grep '<main>:'<\/span> -A 10<\/span> <\/span><\/span><\/code><\/pre>代码段特点：<\/p> 位于最低的地址区域<\/li> 具有可执行权限<\/li> 存储程序指令<\/li> <\/ul> 3.4 命令行参数和环境变量<\/h3> 命令行参数和环境变量存储在栈之上的区域。<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> ac, char<\/span> **<\/span>av, char<\/span> **<\/span>env) { <\/span><\/span> printf("Address of the array of arguments: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)av); <\/span><\/span> printf("Addresses of the arguments:<\/span>\n<\/span>"<\/span>); <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> ac; i++<\/span>) { <\/span><\/span> printf("[%s]:%p "<\/span>, av[i], av[i]); <\/span><\/span> } <\/span><\/span> printf("<\/span>\n<\/span>Address of the array of environment variables: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)env); <\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>运行结果示例：<\/p> Address of the array of arguments: 0x7ffe7d6d8e98 Addresses of the arguments: [.\/prog]:0x7ffe7d6da373 [Hello]:0x7ffe7d6da377 Address of the array of environment variables: 0x7ffe7d6d8ec0 <\/code><\/pre> 内存布局顺序：<\/p> 栈<\/li> argv数组（命令行参数指针数组）<\/li> env数组（环境变量指针数组）<\/li> 实际的参数字符串<\/li> 实际的环境变量字符串<\/li> <\/ol> 3.5 栈增长方向验证<\/h3> 通过比较不同函数中局部变量的地址验证栈的增长方向。<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> f<\/span>(void<\/span>) { <\/span><\/span> int<\/span> a, b, c; <\/span><\/span> printf("[f] Addresses: a=%p, b=%p, c=%p<\/span>\n<\/span>"<\/span>, &<\/span>a, &<\/span>b, &<\/span>c); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> int<\/span> a; <\/span><\/span> printf("[main] Address of a: %p<\/span>\n<\/span>"<\/span>, &<\/span>a); <\/span><\/span> f(); <\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>运行结果示例：<\/p> [main] Address of a: 0x7ffdae53ea4c [f] Addresses: a=0x7ffdae53ea04, b=0x7ffdae53ea08, c=0x7ffdae53ea0c <\/code><\/pre> 结论：栈向低地址方向增长（后调用的函数变量地址更小）<\/p> 4. \/proc\/[pid]\/maps分析<\/h2> 通过\/proc文件系统查看进程的完整内存映射。<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> printf("My PID: %d<\/span>\n<\/span>"<\/span>, getpid()); <\/span><\/span> getchar(); \/\/ 暂停程序，查看\/proc\/[pid]\/maps <\/span><\/span><\/span><\/span> return<\/span> (EXIT_SUCCESS); <\/span><\/span>} <\/span><\/span><\/code><\/pre>示例maps输出：<\/p> 00400000-00401000 r-xp 00000000 08:01 171828 \/home\/user\/prog 00600000-00601000 r--p 00000000 08:01 171828 \/home\/user\/prog 00601000-00602000 rw-p 00001000 08:01 171828 \/home\/user\/prog 02050000-02071000 rw-p 00000000 00:00 0 [heap] 7f68caa1c000-7f68cabd6000 r-xp 00000000 08:01 136253 \/lib\/x86_64-linux-gnu\/libc-2.19.so 7fff16c62000-7fff16c83000 rw-p 00000000 00:00 0 [stack] <\/code><\/pre> 关键区域解释：<\/p> 00400000-00401000<\/strong>：代码段，可执行权限<\/li> 00600000-00601000<\/strong>：只读数据段<\/li> 00601000-00602000<\/strong>：可读写数据段<\/li> 02050000-02071000<\/strong>：堆区域<\/li> 7fff16c62000-7fff16c83000<\/strong>：栈区域<\/li> <\/ol> 5. 完整的虚拟内存布局图<\/h2> 基于实验结果，64位Linux系统的进程虚拟内存布局如下（从高地址到低地址）：<\/p> +-----------------------+ | 内核空间 | +-----------------------+ | 栈 (向下增长) | 0x7fff16c62000-7fff16c83000 | 环境变量和命令行参数 | +-----------------------+ | 共享库映射区 | +-----------------------+ | 堆 (向上增长) | 0x02050000-02071000 +-----------------------+ | 未初始化数据段 (bss) | 0x00601000-00602000 | 已初始化数据段 (data) | 0x00600000-00601000 +-----------------------+ | 代码段 (text) | 0x00400000-00401000 +-----------------------+ <\/code><\/pre> 6. 关键发现与总结<\/h2> 栈和堆的位置<\/strong>：<\/p> 栈位于高地址区域，向下增长<\/li> 堆位于低地址区域，向上增长<\/li> 两者之间有巨大的地址空间用于共享库映射等<\/li> <\/ul> <\/li> 内存分配细节<\/strong>：<\/p> malloc分配的内存地址不是从堆的最开始处开始<\/li> 堆管理器会使用前16字节左右的空间用于管理信息<\/li> <\/ul> <\/li> 可执行文件分段加载<\/strong>：<\/p> 代码段(.text)：只读可执行<\/li> 数据段(.data)：已初始化全局变量<\/li> BSS段(.bss)：未初始化全局变量<\/li> 每个段加载到内存的不同区域，具有不同权限<\/li> <\/ul> <\/li> 命令行参数和环境变量<\/strong>：<\/p> 存储在栈之上的区域<\/li> 实际字符串存储在更高地址处<\/li> argv和env数组在内存中相邻<\/li> <\/ul> <\/li> 验证方法<\/strong>：<\/p> 使用\/proc\/[pid]\/maps验证内存区域<\/li> 通过打印变量地址定位内存区域<\/li> 使用反汇编工具验证代码段内容<\/li> <\/ul> <\/li> <\/ol> 7. 进一步探索方向<\/h2> 堆分配的内部机制（malloc实现原理）<\/li> 内存分页机制和页表<\/li> 共享库的动态链接过程<\/li> 内存映射文件(mmap)的实现<\/li> 虚拟内存与物理内存的转换机制<\/li> <\/ol> 通过本实验，我们深入了解了Linux进程的虚拟内存布局，掌握了通过编程和系统工具分析内存布局的方法，为后续深入研究操作系统内存管理机制打下了坚实基础。<\/p>

虚拟内存图解教学文档<\/h1>

1. 虚拟内存基础概念<\/h2> 虚拟内存是现代操作系统提供的一种内存管理技术，它为每个进程提供了一个连续的、私有的地址空间，使得每个进程都认为自己独占整个内存空间。<\/p>

2. 实验环境准备<\/h2>

3. 虚拟内存布局探索<\/h2>

1. 虚拟内存基础概念<\/h2>
虚拟内存是现代操作系统提供的一种内存管理技术，它为每个进程提供了一个连续的、私有的地址空间，使得每个进程都认为自己独占整个内存空间。<\/p>