Aha, I guess it’s kind of a nice coincidence! Bon Jovi and I: one of my favorite songs is “(You Want to) Make a Memory”. And from my perspective, I really want to make such a thing!
Before diving into memory mysteries, a few things need to be clarified. I will start by stating the basic terms of memory management. In the MM world, we care most about Virtual Memory. VM is a virtual, contiguous range of memory addresses, which simplifies working with the Real or Physical Memory. It also extends the PR “Physical RAM” space by using existing disk space, “Paging”. So the program deals with a very simplified, optimized and, more importantly, addressable version of the Physical RAM. I really should be thanking the MMU “Memory Management Unit” for making this possible.
Demand paging is usually the process of swapping data, “as pages”, from disk into RAM. This process can raise a Page Fault exception. Luckily, this exception is handled by the OS, which tries to find an available physical page in which to place the faulted data. Sometimes the OS takes a long time to swap data, which is described as thrashing. It looks obvious that to overcome those bottlenecks you mostly need to add RAM. Have a look at the Windows Task Manager “taskmgr.exe” and add the Page Faults column: from the Processes tab, open the View menu, Select Set Columns, and check Page Faults.
Memory Tracing
Tracing what is going on behind the scenes is pretty tough, though it is interesting. The first tool that we are going to use is, as previously mentioned, Windows Task Manager. The two misleading columns in Task Manager are Mem Usage and Virtual Memory Size. So, what’s the deal? Mainly, it’s not as it sounds… Mem Usage shows the Working Set “Resident Set”, which means the pages that are currently in main memory and can be shared by other processes. On the other hand, VM Size is the private memory that is committed by the process and can’t be shared by other processes.
A very similar but more advanced tool than WTM is Perfmon “perfmon.msc”, which resides in Administrative Tools. It provides a huge number of counters and draws a graphical chart of their values. Basically, we can map the WTM attributes to Perfmon counters as follows:
- Mem Usage -> Process/Working Set
- VM Size -> Process/Private Bytes
- Page Faults -> Process/Page Faults
The “Performance” tool can show you (the explanations were taken from the “Performance” tool):
- Private Bytes (corresponds to “VM Size” in Task Manager): the amount of memory, in bytes, that cannot be shared with other processes.
- Virtual Bytes (not shown in Task Manager): the current size, in bytes, of the virtual address space that the process is using.
- Working Set “Resident Set” (corresponds to “Mem Usage” in Task Manager): the number of pages that reside in physical RAM. These pages are available for application use without triggering a page fault. The default working set amount is 50 pages for each process, and the maximum size cannot exceed the system-wide maximum. On 32-bit machines, the system can give an application up to 2GB of memory. It can also reach up to 3GB using the 3-GB user space (precisely 00000000~BFFFFFFF). Memory above 4GB can be mapped using PAE (Physical Address Extension), which uses a 36-bit physical address.
Before closing this part, I’m really eager to demystify the difference between the paged and non-paged pool. As mentioned earlier, paging is the process of writing objects to disk. So the paged pool is the size, in bytes, of the objects that can be written to disk when they are not currently in use. The non-paged pool is the opposite: those objects cannot be written to disk and must remain in physical memory.
Memory segmentation, or linear address decomposition, splits an address into two parts, the segment and the offset, “segment:offset form”. For example, 0AFE:0100 is a segmented address in my debug session. One of the main ideas here is to emphasize the Segment Registers in IA-32 (CS, DS, SS, ES, FS, and GS). Basically, there are three types of storage: the code “text”, data and stack segments. The code segment contains the executable instructions. The data segment, as its name suggests, is the portion of memory that holds variables “data”. The stack segment stores the procedure stack for the program. x86 processors can operate in two execution modes: real mode and protected mode. Real mode execution is limited to a 1MB memory space, so the processor needs 20 bits of the address bus for it (2^20 = 1048576 = 1024 * 1024). In this mode there is no address translation, and addresses refer directly to physical memory. Protected mode execution is what we’re here for. Without this mode, there is no multitasking, memory protection, paging, or V86 mode.
Reading Memory Dump
I always consider debugging one of the most challenging tasks, especially when it comes to memory debugging with “mini-assemblers”. Sometimes I am stuck in boring training labs without a tool to give me some challenge and excitement. The best thing to do in this situation is to use the little debug.exe tool that is included in Windows.
Open a Windows command prompt and start a session with the “debug” command. And have fun!
- The “r” command displays the contents of the registers.
- The “d” command displays the memory contents in both hexadecimal and ASCII.
- “0BB3:0100” is the memory address, which includes the segment “0BB3” and the offset “0100”.
- The next 16 bytes are the hexadecimal content of each byte.
- On the right is the ASCII representation of each byte.
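To tie the segment:offset form from the segmentation paragraph to the dump layout just described, here is an added example (not part of the original post) that parses one “d” output line and computes the linear address the real-mode way. The sample line is constructed, the function names are hypothetical, and two things are assumptions: the result is truncated to 20 bits to reflect the 1MB limit mentioned above, and the ASCII column shows “.” for anything outside printable ASCII.

```python
import re

# Constructed sample in the layout the list above describes: SEG:OFF, 16 hex
# bytes (debug.exe puts a '-' between the 8th and 9th), then the ASCII column.
SAMPLE = "0BB3:0100  48 65 6C 6C 6F 2C 20 64-65 62 75 67 21 0D 0A 24   Hello, debug!..$"

DUMP_LINE = re.compile(
    r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+"
    r"((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})\s+(.{1,16})$"
)


def linear_address(segment, offset):
    """Real-mode translation: segment * 16 + offset, kept to 20 address bits."""
    return ((segment << 4) + offset) & 0xFFFFF


def render_ascii(data):
    """Printable ASCII as-is, anything else as '.' (assumed column rule)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def parse_dump_line(line):
    """Split one dump line into its fields and cross-check the ASCII column."""
    m = DUMP_LINE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a 16-byte dump line: %r" % line)
    segment, offset = int(m.group(1), 16), int(m.group(2), 16)
    data = bytes.fromhex(m.group(3).replace("-", " "))
    return {
        "segment": segment,
        "offset": offset,
        "linear": linear_address(segment, offset),
        "data": data,
        # False means the hex and ASCII columns disagree (edited or mistyped dump).
        "ascii_ok": m.group(4).strip() == render_ascii(data).strip(),
    }


if __name__ == "__main__":
    row = parse_dump_line(SAMPLE)
    print("%04X:%04X -> linear %05X" % (row["segment"], row["offset"], row["linear"]))
    print(row["data"], "ascii_ok =", row["ascii_ok"])
    # Different segment:offset pairs can name the same byte.
    print(linear_address(0x0BB3, 0x0100) == linear_address(0x0BC3, 0x0000))
```

Because the segment is only shifted by four bits, many segment:offset pairs alias the same byte, which is worth remembering when comparing addresses taken from two different dumps.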
Conclusion
That was a complete starting point for memory management. The next parts will go deeper into how the developer or the administrator can trace and optimize memory management using debuggers and tracing tools. Stay tuned!



I like Bon Jovi, please don’t kill that process (and feel free to delete this idiotic comment lol)
Great, it sounds good. Just now I’ve discovered why my machine hangs up whenever I run a heavy application.
But I have a question: what is the difference between DDR, RDR and SDR?
Geek, good job. Keep up the good work
@Allosh:
Who in the world wants to kill that process… or even to delete your comment. Thanks dude!
@smartnet:
HW memory is tightly related to the processor’s type. Each type of these modules can work with a certain type of processor. So, you don’t have a lot of choices.
Again, the differences are DT/Sec “Data Transfer Rate”, I/O Bus, and Memory Clock “Bandwidth/Latency”. If you need to know which one is the best, you have to review the processor’s official manual.
-Saleh