Page frame reuse(Windows 7)

Hello everyone.

I noticed some weird behavior on my Windows 7 virtual machine. I'm using Linux's KVM to track execution and modifications to page frames.

I have some code in Windows 7 that uses MmProbeAndLockPages() to lock
a virtual memory range belonging to a DLL that is loaded in userspace.

Now, I noticed that one of the frames that is locked within that DLL is also used in some other DLL, even though I see no connection between these DLLs and I don't see the content being equal either.

Is there any possibility for this to happen? Does Windows 7 have a mechanism similar to Linux's KSM (Kernel same page merging)?

I noticed each DLL uses a different segment of that page frame.

Thanks.

Comments

  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    > I noticed some weird behavior on my Windows 7 virtual machine. I'm using Linux's KVM to track execution and modifications to page frames.
    >
    > I have some code in Windows 7 that uses MmProbeAndLockPages() to lock
    > a virtual memory range belonging to a DLL that is loaded in userspace.
    >
    > Now, I noticed that one of the frames that is locked within that DLL is also used in some other DLL, even though I see no connection between these DLLs and I don't see the content being equal either.

    Do you mean, within the code portion of the DLL?  Part of the .text
    section?  Are these within a single process?


    > Is there any possibility for this to happen?

    No.  It's certainly possible for a single page to have multiple virtual
    mappings, but in that case the views will (of course) all be identical. 
    Can you show us the actual evidence for this?  If you dump the physical
    page, the contents are what they are.  If a virtual region in another
    DLL shows different content, then it cannot possibly be mapped to the
    same physical page.


    > I noticed each DLL uses a different segment of that page frame.

    What does that mean?  A page is an indivisible structure.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • Some hypervisors will optimize physical memory use by detecting identical pages, even across VMs, and map them all to the same physical page. If you have a hundred VMs, all the identical read only pages, like code, can add up to a significant amount of memory.

    Jan

  • mmmm Posts: 1,408
    Like zero pages, for example.

  • Tim_Roberts Posts: 12,622
    On Jan 11, 2018, at 8:30 PM, xxxxx@pmatrix.com <xxxxx@lists.osr.com> wrote:
    >
    > Some hypervisors will optimize physical memory use by detecting identical pages, even across VMs, and map them all to the same physical page. If you have a hundred VMs, all the identical read only pages, like code, can add up to a significant amount of memory.

    Yes, but you cannot have two virtual pages map to a single physical page with two different contents.

    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • There are cases of multiple writable virtual pages being aliased with totally different contexts to the same physical page. These are for "don't care" pages. Specifically in the case where the virtual memory manager generates sparse MDLs to optimize IO read sizes. In these cases the OS wants to read say disk offset 0x1000 and 0x3000, so it might generate a single read that's 0x3000 long, mapping the 0x1000 data to the desired location, mapping the 0x2000 data to a don't care page, and the 0x3000 data to the desired location. When the DMA transfer happens, the middle page is still read, but its values are sent to a don't care page. The strategy is it's faster to do a single 0x3000 read than two 0x1000 reads. I've written code myself where I needed a big dummy receive buffer, and built an MDL that mapped all the pages of a few megabytes virtual space to a single page. This was used for some error recovery where I needed to discard a bunch of data, but still needed a virtual address/MDL to pass to the transfer API.

    Jan
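
The sparse-read and discard-buffer layouts described in the comment above, as an added user-mode C simulation (not code from the thread or from Windows). The `phys` array, the `dma_read` helper and every frame number are constructed for illustration; no real MDL API is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  0x1000u
#define NUM_FRAMES 8u

/* Simulated physical memory, indexed by page frame number (PFN). */
static uint8_t phys[NUM_FRAMES][PAGE_SIZE];

/* Simulated DMA: page i of the transfer lands in frame pfns[i], the way a
 * device walks a per-page frame list. Fill byte = disk page number (mod 256). */
static void dma_read(const uint32_t *pfns, size_t npages, uint64_t disk_off) {
    for (size_t i = 0; i < npages; i++)
        memset(phys[pfns[i]], (int)((disk_off >> 12) + i), PAGE_SIZE);
}

/* Count list entries whose frame already appeared earlier in the list. */
static size_t aliased_entries(const uint32_t *pfns, size_t npages) {
    size_t n = 0;
    for (size_t i = 1; i < npages; i++)
        for (size_t j = 0; j < i; j++)
            if (pfns[i] == pfns[j]) { n++; break; }
    return n;
}

/* One 0x3000-byte read at disk offset 0x1000; only the first and last
 * pages are wanted, the middle one is steered to a don't-care frame. */
static int sparse_read_demo(void) {
    const uint32_t WANT_A = 2, WANT_B = 5, DONT_CARE = 7; /* constructed PFNs */
    uint32_t pfns[3] = { WANT_A, DONT_CARE, WANT_B };
    dma_read(pfns, 3, 0x1000);
    return phys[WANT_A][0] == 1 && phys[DONT_CARE][0] == 2 && phys[WANT_B][0] == 3;
}

/* Discard buffer: every page of a 2 MB range is backed by the same frame. */
static size_t discard_demo(void) {
    enum { NPAGES = (2u << 20) / PAGE_SIZE };            /* 512 list entries */
    static uint32_t pfns[NPAGES];
    for (size_t i = 0; i < NPAGES; i++) pfns[i] = 7;     /* one dummy frame */
    dma_read(pfns, NPAGES, 0);
    return aliased_entries(pfns, NPAGES);                /* all but the first */
}

int main(void) {
    printf("sparse read ok: %d\n", sparse_read_demo());
    printf("aliased entries in discard list: %zu\n", discard_demo());
    printf("dummy frame holds only the last page written: 0x%02x\n", phys[7][0]);
    return 0;
}
```

A frame tracker watching such a transfer sees one PFN behind many virtual pages, yet the frame itself only ever holds a single set of bytes.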
