Memory Management II

CS 470 - Spring 2002

Overview

• Logical Addressing and Virtual Memory– Logical to Linear Address Mapping– Linear to Physical Address Mapping

• NT Virtual Address Descriptors– What is a VAD?– Virtual Memory Functions– Example: Displaying the VAD splay– Example: How does the stack work?

Logical to Physical Mapping

Selector Segment OffsetLogical Address

Segment Translation

PG?

Dir Page Page Offset

Page Translation

Linear Address

Physical Address

Yes

NoControl Register 0, bit 31

031

31 0

31 0015

Linear to Physical Mapping

Dir Page Offset

0122231Linear Address

Dir Entry.

Page Directory

Pg Tbl Entry

Page Table

CR3

Physical Address

031Physical Address

Trans. Lookaside Buffer

misshit

Valid?

yes

Page FaultHandler

no

Page/Directory Table Entry

Page Frame Addr D ACD

RW

US

V

31 12 9 8 7 6 5 4 3 2 1 0

V ValidR/W Read / WriteU/S User / SupervisorW/T Write throughC/D Cache DisabledA AccessedD DirtyL Large pageGL Global

WT

GL

L

VM Access Steps• Instruction references logical address

• Hardware looks up page table entry

• Valid PTE gives physical address

• Invalid PTE causes address exception (page fault)

• Handler copies page to memory from disk or net, updates PTE and restarts instruction. Now have valid PTE and so get physical address

• Physical address used to access cache

Virtual Memory Advantages

• Allows programs to be larger than physical memory, but more importantly it allows many more processes to be simultaneously active

• Page table entries allow for security with page level granularity

• But, much added complexity, especially danger of thrashing as memory is so much faster than disk access

NT Process Structure

Process

AccessToken

Thread a

File c

Section f

Object Table

Virtual Address Space Description

Handle 1

Handle 2

Handle 3

Virtual Address Descriptors• Per process splay of VAD’s describes its

virtual address space

• VAD records location, security, and inheritance of a range of pages

• Each region can be free, reserved, or reserved and committed.– Reserved - No storage, Inaccessible, can’t

reserve a second time– Committed - Storage can be associated with

the region, can be accessible, PTE constructed on first access.

VAD Information• Starting and Ending address for VAD

range; amount of committed memory

• Pointers to other VAD structures in splay

• Attributes– Is allocated memory committed?– Shared/private flag– Protection (cf next slide)– Copy-on-write enabled flag - For Posix fork()– Inherited by forked child? (for mapped views)– Mapped view of section object?

VAD Protection Bits

• Combinations of the following: PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_GUARD, and PAGE_NOCACHE

• Allocation types:

MEM_RESERVE, MEM_COMMIT, MEM_TOP_DOWN

Virtual Memory Functions

• VirtualAllocateEx - To reserve or commit

• VirtualFreeEx - To de-commit or release

• VirtualProtectEx - To modify protection

• VirtualLock, VirtualUnlock - To lock pages into memory

• VirtualQueryEx - To get information on a region of memory

• GlobalMemoryStatus - To get summary information

Virtual Memory Allocation

LPVOID VirtualAllocEx(

HANDLE hProcess,

LPVOID lpAddress, // can be NULL

DWORD dwSize,

DWORD flAllocationType, // See last slide

DWORD flProtect // See last slide

);

Freeing Virtual Memory

• BOOL VirtualFreeEx(

HANDLE hProcess,

LPVOID lpAddress,

DWORD dwSize,

DWORD dwFreeType );

• Types: MEM_DECOMMIT, MEM_RELEASE

Changing Protection

• BOOL VirtualProtectEx(

HANDLE hProcess,

LPVOID lpAddress,

DWORD dwSize,

DWORD flNewProtect,

PDWORD lpflOldProtect );

Locking Pages into Memory

• BOOL VirtualLock(

LPVOID lpAddress,

DWORD dwSize );

• BOOL VirtualUnlock(

LPVOID lpAddress,

DWORD dwSize );

• At most 30 pages can be locked -- without changing minimum working set size.

VAD Status Functions

• DWORD VirtualQueryEx(

HANDLE hProcess,

LPCVOID lpAddress,

PMEMORY_BASIC_INFORMATION lpBuffer, // See next

slide

DWORD dwLength );

• VOID GlobalMemoryStatus(

LPMEMORYSTATUS lpBuffer );

Memory Info Structure• typedef struct

_MEMORY_BASIC_INFORMATION {

PVOID BaseAddress;

PVOID AllocationBase;

DWORD AllocationProtect;

DWORD RegionSize;

DWORD State;

DWORD Protect;

DWORD Type; // e.g. MEM_PRIVATE

} MEMORY_BASIC_INFORMATION;

Summary Info Struct

typedef struct _MEMORYSTATUS {

DWORD dwLength; // of this struct

DWORD dwMemoryLoad;

DWORD dwTotalPhys, dwAvailPhys;

DWORD dwTotalPageFile;

dwAvailPageFile;

DWORD dwTotalVirtual, dwAvailVirtual;

} MEMORYSTATUS;

Example: mem.c• Use VirtualQueryEx to print out vad info• DWORD ShowRegion(

HANDLE hProcess, LPCVOID addr) {

MEMORY_BASIC_INFORMATION mbi;

if (!VirtualQueryEx(hProcess, addr, &mbi, sizeof(mbi))) {

Gripe(); return -1;

} else {

print_out_mbi (&mbi);

} }

PAGE_GUARD Protection

• Visual C++ VirtualAlloc doc says --

Pages in the region become guard pages. Any attempt to read from or write to a guard page causes the operating system to raise a STATUS_GUARD_PAGE exception and turn off the guard page status. Guard pages thus act as a one-shot access alarm.

How does the stack work?#include <stdio.h>

#include <windows.h>

void main() {

unsigned sptr;

__asm {

mov eax, esp

mov sptr, eax

}

printf("esp: 0x%x\n", sptr);

while (getchar()) { __asm { mov eax, esp sub eax, 4096 mov esp, eax mov sptr, eax mov eax, [esp] } printf("esp: 0x%x\n",

sptr); }}

Jumping over the Guard Page• void main() { char a[4096]; }• The assembly language is:

push ebp mov ebp, esp mov eax, 4096 call __chkstk mov esp, ebp pop ebp• See vc98\crt\src\intel\chkstk.asm in c:\

program files\Microsoft Visual Studio