Log design ⇒ how do you analyze a program?

Designing logs ⇒ we want to pinpoint the cause of a fault quickly ⇒ but first of all, how should we collect the runtime log from a program that has stopped, and how can it help?

I wrote a diagnostic program to learn how a program behaves on top of the OS.

Linux (WSL)               Windows
=== print registers ===   === print registers ===
rax: 0x00000000000001     rax: 0x00000000000000
rbx: 0x007ffdde46bd11     rbx: 0x00015c8d8d0750
rcx: 0x007fecc623ffb4     rcx: 0x007ff63d6d7148
rdx: 0x00000000000001     rdx: 0x00000000000000
rsi: 0x005622122cd041     rsi: 0x000051b7cff630
rdi: 0x005622137be501     rdi: 0x000051b7cff600
rbp: 0x00000000000002     rbp: 0x000051b7cfea90
rsp: 0x007ffdde46bb91     rsp: 0x000051b7cfe550
r8:  0x00000000000010     r8:  0x00000000000000
r9:  0x00000000000002     r9:  0x007ffe645c133e
r10: 0x007ffdde46bac9     r10: 0x007ffe645c0000
r11: 0x00000000000247     r11: 0x00000000000246
r12: 0x007ffdde46bd11     r12: 0x00000000000000
r13: 0x005622122c7fb1     r13: 0x00000000000000
r14: 0x005622122abac1     r14: 0x00000000000000
r15: 0x005622137bef19     r15: 0x00000000000000
                                        
=== main ===              === main ===
0x000056221226bf60:       0x00007ff63d67db20: address of fn main
0x00007ffdde46be18:       0x00000051b7cfed68: address of local var
0x00005622137beee0:       0x0000015c8d8d6230: address of heap box
0x00005622122b219c:       0x00007ff63d6c3788: address of global var
0x00005622122b2000:       0x00007ff63d6c32b0: address of module var

Virtual Memory in Windows

virtual address space

x86

Low  2GB (00000000 ~ 7FFFFFFF)	Used by the process.
High 2GB (80000000 ~ FFFFFFFF)	Used by the system.

x86_64

== until Windows 8
Low  8TB   (0000000000000000 ~ 000007FFFFFFFFFF) user/process
High 8TB   (FFFFF80000000000 ~ FFFFFFFFFFFFFFFF) kernel/system
== from Windows 8.1
Low  128TB (0000000000000000 ~ 00007FFFFFFFFFFF) user/process
High 128TB (FFFF800000000000 ~ FFFFFFFFFFFFFFFF) kernel/system

base address (/BASE)

x86

exe: 40_0000h
dll: 1000_0000h

x64

exe: 1_40000000h
dll: 1_80000000h

With /DYNAMICBASE:ON and ASLR (address space layout randomization), the image is relocated to a different base address on each load.

Virtual Memory in Linux (WSL)

virtual address space

x86

0x00000000 ~ 0xBFFFFFFF     process
0xC0000000 ~ 0xFFFFFFFF     kernel

x86_64

128TB  00000000_00000000 ~ 00007FFF_FFFFFFFF    user-space/process
...    00008000_00000000 ~ FFFF7FFF_FFFFFFFF    hole
128TB  FFFF8000_00000000 ~ FFFFFFFF_FFFFFFFF    kernel

base address

x86

.text     40_0000h if ET_EXEC
.text    804_8000h if ET_DYN
.data   1000_0000h
ENTRY     40_1000h (linker)

x86_64

.text          400000h if ET_EXEC
.text   5555_55555000h if ET_DYN

The default is 400000h, but most executables are ET_DYN / PIE (Position Independent Executable), so the code is relocated.

Apparently 8048000h is chosen on x86 and 00005555_55555000h on x64. Because ASLR is in effect, these are not fixed values.

/proc/[pid]/maps

x86

08048000-08049000 r-xp 00000000 16:44 66267    /home/foo/a.out
08049000-0804a000 rw-p 00000000 16:44 66267    /home/foo/a.out
40000000-40016000 r-xp 00000000 16:42 442401   /lib/ld-2.2.4.so
40016000-40017000 rw-p 00015000 16:42 442401   /lib/ld-2.2.4.so
40017000-40019000 rw-p 00000000 00:00 0
40033000-40166000 r-xp 00000000 16:42 327696   /lib/i686/libc-2.2.4.so
40166000-4016b000 rw-p 00132000 16:42 327696   /lib/i686/libc-2.2.4.so
4016b000-4016f000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0

x86_64

559b4580c000-559b4580f000 r--p 00000000 08:20 7495    /usr/sbin/cron
559b4580f000-559b45816000 r-xp 00003000 08:20 7495    /usr/sbin/cron
...
559b45934000-559b45955000 rw-p 00000000 00:00 0       [heap]
...
7fd56d513000-7fd56d535000 r--p 00000000 08:20 216577  /lib/x86_64-linux-gnu/libc-2.31.so
...
7ffcdc0b0000-7ffcdc0d1000 rw-p 00000000 00:00 0       [stack]
7ffcdc111000-7ffcdc115000 r--p 00000000 00:00 0       [vvar]
7ffcdc115000-7ffcdc117000 r-xp 00000000 00:00 0       [vdso]
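Added example (not the diagnostic program shown at the top of the page): a C program that takes an address such as the ones the diagnostic program prints for main, a local variable, the heap box and a global, and resolves it to the /proc/[pid]/maps entry that contains it. The type map_entry and the functions parse_maps_line, find_mapping and locate_self are names chosen here; the maps lines in the comments are the ones from the listing above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One parsed line of /proc/[pid]/maps (hypothetical helper type, not the page's code). */
typedef struct { unsigned long start, end; char perms[5]; char path[128]; } map_entry;

/* Parse a line such as "559b45934000-559b45955000 rw-p 00000000 00:00 0  [heap]".
   Returns 1 on success, 0 if malformed; path is "" for anonymous mappings. */
int parse_maps_line(const char *line, map_entry *e) {
    unsigned long offset, inode;
    char dev[16];
    e->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %127s",
                   &e->start, &e->end, e->perms, &offset, dev, &inode, e->path);
    return (n >= 6 && e->start < e->end) ? 1 : 0;
}

/* Name of the mapping containing addr, or NULL if none does. */
const char *find_mapping(const map_entry *maps, size_t n, unsigned long addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= maps[i].start && addr < maps[i].end) return maps[i].path;
    return NULL;
}

/* Live variant: scan this process's own maps and write "perms path" for addr. */
const char *locate_self(unsigned long addr, char *out, size_t outlen) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    map_entry e; const char *hit = NULL;
    if (!f) return NULL;
    while (!hit && fgets(line, sizeof line, f))
        if (parse_maps_line(line, &e) && addr >= e.start && addr < e.end) {
            snprintf(out, outlen, "%s %s", e.perms, e.path);
            hit = out;
        }
    fclose(f);
    return hit;
}

int g_global = 1;                                   /* expected: .data of the executable */
int main(void) {
    int local = 0;                                  /* expected: [stack] */
    void *heap = malloc(16);                        /* expected: [heap] */
    char buf[160];
    printf("main   %s\n", locate_self((unsigned long)main, buf, sizeof buf) ? buf : "?");
    printf("local  %s\n", locate_self((unsigned long)&local, buf, sizeof buf) ? buf : "?");
    printf("heap   %s\n", locate_self((unsigned long)heap, buf, sizeof buf) ? buf : "?");
    printf("global %s\n", locate_self((unsigned long)&g_global, buf, sizeof buf) ? buf : "?");
    free(heap);
    return 0;
}
```

Because the diagnostic program's addresses differ on every run under ASLR, comparing them against the maps of the same process, as done here, is what turns a raw address in a crash log into "which segment of which image".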

readelf -h

Type:                              DYN (Position-Independent Executable file)
Entry point address:               0xd8b0
...
[Nr] Name              Type            Address          Off    Size   ES
[11] .init             PROGBITS        000000000000a000 00a000 000017 00
[14] .text             PROGBITS        000000000000a080 00a080 04999f 00
[16] .rodata           PROGBITS        0000000000054000 054000 008da8 00
[27] .data             PROGBITS        000000000006f000 06e000 000030 00
[28] .bss              NOBITS          000000000006f030 06e030 000128 00