Subversion Repositories HelenOS-doc

<?xml version="1.0" encoding="UTF-8"?>

<chapter id="mm">

  <?dbhtml filename="mm.html"?>

  <title>Memory management</title>

  <para>In previous chapters, this book described the scheduling subsystem as

  the creator of the impression that threads execute in parallel. The memory

  management subsystem, on the other hand, creates the impression that there

  is enough physical memory for the kernel and that userspace tasks have the

  entire address space only for themselves.</para>

  <section>

    <title>Physical memory management</title>

    <section id="zones_and_frames">

      <title>Zones and frames</title>

      <para>HelenOS represents continuous areas of physical memory in

      structures called frame zones (abbreviated as zones). Each zone contains

      information about the number of allocated and unallocated physical

      memory frames as well as the physical base address of the zone and

      number of frames contained in it. A zone also contains an array of frame

      structures describing each frame of the zone and, in the last, but not

      the least important, front, each zone is equipped with a buddy system

      that faciliates effective allocation of power-of-two sized block of

      frames.</para>

      <para>This organization of physical memory provides good preconditions

      for hot-plugging of more zones. There is also one currently unused zone

      attribute: <code>flags</code>. The attribute could be used to give a

      special meaning to some zones in the future.</para>

      <para>The zones are linked in a doubly-linked list. This might seem a

      bit ineffective because the zone list is walked everytime a frame is

      allocated or deallocated. However, this does not represent a significant

      performance problem as it is expected that the number of zones will be

      rather low. Moreover, most architectures merge all zones into

      one.</para>

      <para>Every physical memory frame in a zone, is described by a structure

      that contains number of references and other data used by buddy

      system.</para>

    </section>

    <section id="frame_allocator">

      <indexterm>

        <primary>frame allocator</primary>

      </indexterm>

      <title>Frame allocator</title>

      <para>The frame allocator satisfies kernel requests to allocate

      power-of-two sized blocks of physical memory. Because of zonal

      organization of physical memory, the frame allocator is always working

      within a context of a particular frame zone. In order to carry out the

      allocation requests, the frame allocator is tightly integrated with the

      buddy system belonging to the zone. The frame allocator is also

      responsible for updating information about the number of free and busy

      frames in the zone. <figure>

          <mediaobject id="frame_alloc">

            <imageobject role="eps">

              <imagedata fileref="images.vector/frame_alloc.eps" format="EPS" />

            </imageobject>

            <imageobject role="html">

              <imagedata fileref="images/frame_alloc.png" format="PNG" />

            </imageobject>

            <imageobject role="fop">

              <imagedata fileref="images.vector/frame_alloc.svg" format="SVG" />

            </imageobject>

          </mediaobject>

          <title>Frame allocator scheme.</title>

        </figure></para>

      <formalpara>

        <title>Allocation / deallocation</title>

        <para>Upon allocation request via function <code>frame_alloc()</code>,

        the frame allocator first tries to find a zone that can satisfy the

        request (i.e. has the required amount of free frames). Once a suitable

        zone is found, the frame allocator uses the buddy allocator on the

        zone's buddy system to perform the allocation. During deallocation,

        which is triggered by a call to <code>frame_free()</code>, the frame

        allocator looks up the respective zone that contains the frame being

        deallocated. Afterwards, it calls the buddy allocator again, this time

        to take care of deallocation within the zone's buddy system.</para>

      </formalpara>

    </section>

    <section id="buddy_allocator">

      <indexterm>

        <primary>buddy system</primary>

      </indexterm>

      <title>Buddy allocator</title>

      <para>In the buddy system, the memory is broken down into power-of-two

      sized naturally aligned blocks. These blocks are organized in an array

      of lists, in which the list with index <emphasis>i</emphasis> contains

      all unallocated blocks of size

      <emphasis>2<superscript>i</superscript></emphasis>. The index

      <emphasis>i</emphasis> is called the order of block. Should there be two

      adjacent equally sized blocks in the list <emphasis>i</emphasis> (i.e.

      buddies), the buddy allocator would coalesce them and put the resulting

      block in list <emphasis>i + 1</emphasis>, provided that the resulting

      block would be naturally aligned. Similarily, when the allocator is

      asked to allocate a block of size

      <emphasis>2<superscript>i</superscript></emphasis>, it first tries to

      satisfy the request from the list with index <emphasis>i</emphasis>. If

      the request cannot be satisfied (i.e. the list <emphasis>i</emphasis> is

      empty), the buddy allocator will try to allocate and split a larger

      block from the list with index <emphasis>i + 1</emphasis>. Both of these

      algorithms are recursive. The recursion ends either when there are no

      blocks to coalesce in the former case or when there are no blocks that

      can be split in the latter case.</para>

      <para>This approach greatly reduces external fragmentation of memory and

      helps in allocating bigger continuous blocks of memory aligned to their

      size. On the other hand, the buddy allocator suffers increased internal

      fragmentation of memory and is not suitable for general kernel

      allocations. This purpose is better addressed by the <link

      linkend="slab">slab allocator</link>.<figure>

          <mediaobject id="buddy_alloc">

            <imageobject role="eps">

              <imagedata fileref="images.vector/buddy_alloc.eps" format="EPS" />

            </imageobject>

            <imageobject role="html">

              <imagedata fileref="images/buddy_alloc.png" format="PNG" />

            </imageobject>

            <imageobject role="fop">

              <imagedata fileref="images.vector/buddy_alloc.svg" format="SVG" />

            </imageobject>

          </mediaobject>

          <title>Buddy system scheme.</title>

        </figure></para>

      <section>

        <title>Implementation</title>

        <para>The buddy allocator is, in fact, an abstract framework wich can

        be easily specialized to serve one particular task. It knows nothing

        about the nature of memory it helps to allocate. In order to beat the

        lack of this knowledge, the buddy allocator exports an interface that

        each of its clients is required to implement. When supplied with an

        implementation of this interface, the buddy allocator can use

        specialized external functions to find a buddy for a block, split and

        coalesce blocks, manipulate block order and mark blocks busy or

        available.</para>

        <formalpara>

          <title>Data organization</title>

          <para>Each entity allocable by the buddy allocator is required to

          contain space for storing block order number and a link variable

          used to interconnect blocks within the same order.</para>

          <para>Whatever entities are allocated by the buddy allocator, the

          first entity within a block is used to represent the entire block.

          The first entity keeps the order of the whole block. Other entities

          within the block are assigned the magic value

          <constant>BUDDY_INNER_BLOCK</constant>. This is especially important

          for effective identification of buddies in a one-dimensional array

          because the entity that represents a potential buddy cannot be

          associated with <constant>BUDDY_INNER_BLOCK</constant> (i.e. if it

          is associated with <constant>BUDDY_INNER_BLOCK</constant> then it is

          not a buddy).</para>

        </formalpara>

      </section>

    </section>

    <section id="slab">

      <indexterm>

        <primary>slab allocator</primary>

      </indexterm>

      <title>Slab allocator</title>

      <para>The majority of memory allocation requests in the kernel is for

      small, frequently used data structures. The basic idea behind the slab

      allocator is that commonly used objects are preallocated in continuous

      areas of physical memory called slabs<footnote>

          <para>Slabs are in fact blocks of physical memory frames allocated

          from the frame allocator.</para>

        </footnote>. Whenever an object is to be allocated, the slab allocator

      returns the first available item from a suitable slab corresponding to

      the object type<footnote>

          <para>The mechanism is rather more complicated, see the next

          paragraph.</para>

        </footnote>. Due to the fact that the sizes of the requested and

      allocated object match, the slab allocator significantly reduces

      internal fragmentation.</para>

      <indexterm>

        <primary>slab allocator</primary>

        <secondary>- slab cache</secondary>

      </indexterm>

      <para>Slabs of one object type are organized in a structure called slab

      cache. There are ususally more slabs in the slab cache, depending on

      previous allocations. If the the slab cache runs out of available slabs,

      new slabs are allocated. In order to exploit parallelism and to avoid

      locking of shared spinlocks, slab caches can have variants of

      processor-private slabs called magazines. On each processor, there is a

      two-magazine cache. Full magazines that are not part of any

      per-processor magazine cache are stored in a global list of full

      magazines.</para>

      <indexterm>

        <primary>slab allocator</primary>

        <secondary>- magazine</secondary>

      </indexterm>

      <para>Each object begins its life in a slab. When it is allocated from

      there, the slab allocator calls a constructor that is registered in the

      respective slab cache. The constructor initializes and brings the object

      into a known state. The object is then used by the user. When the user

      later frees the object, the slab allocator puts it into a processor

      private <indexterm>

          <primary>slab allocator</primary>

          <secondary>- magazine</secondary>

        </indexterm>magazine cache, from where it can be precedently allocated

      again. Note that allocations satisfied from a magazine are already

      initialized by the constructor. When both of the processor cached

      magazines get full, the allocator will move one of the magazines to the

      list of full magazines. Similarily, when allocating from an empty

      processor magazine cache, the kernel will reload only one magazine from

      the list of full magazines. In other words, the slab allocator tries to

      keep the processor magazine cache only half-full in order to prevent

      thrashing when allocations and deallocations interleave on magazine

      boundaries. The advantage of this setup is that during most of the

      allocations, no global spinlock needs to be held.</para>

      <para>Should HelenOS run short of memory, it would start deallocating

      objects from magazines, calling slab cache destructor on them and

      putting them back into slabs. When a slab contanins no allocated object,

      it is immediately freed.</para>

      <para>

        <figure>

          <mediaobject id="slab_alloc">

            <imageobject role="eps">

              <imagedata fileref="images.vector/slab_alloc.eps" format="EPS" />

            </imageobject>

            <imageobject role="html">

              <imagedata fileref="images/slab_alloc.png" format="PNG" />

            </imageobject>

            <imageobject role="fop">

              <imagedata fileref="images.vector/slab_alloc.svg" format="SVG" />

            </imageobject>

          </mediaobject>

          <title>Slab allocator scheme.</title>

        </figure>

      </para>

      <section>

        <title>Implementation</title>

        <para>The slab allocator is closely modelled after <xref

        linkend="Bonwick01" /> with the following exceptions:<itemizedlist>

            <listitem>

              <para>empty slabs are immediately deallocated and</para>

            </listitem>

            <listitem>

              <para>empty magazines are deallocated when not needed.</para>

            </listitem>

          </itemizedlist>The following features are not currently supported

        but would be easy to do: <itemizedlist>

            <listitem>cache coloring and</listitem>

            <listitem>dynamic magazine grow (different magazine sizes are

            already supported, but the allocation strategy would need to be

            adjusted).</listitem>

          </itemizedlist></para>

        <section>

          <title>Allocation/deallocation</title>

          <para>The following two paragraphs summarize and complete the

          description of the slab allocator operation (i.e.

          <code>slab_alloc()</code> and <code>slab_free()</code>

          functions).</para>

          <formalpara>

            <title>Allocation</title>

            <para><emphasis>Step 1.</emphasis> When an allocation request

            comes, the slab allocator checks availability of memory in the

            current magazine of the local processor magazine cache. If the

            available memory is there, the allocator just pops the object from

            magazine and returns it.</para>

            <para><emphasis>Step 2.</emphasis> If the current magazine in the

            processor magazine cache is empty, the allocator will attempt to

            swap it with the last magazine from the cache and return to the

            first step. If also the last magazine is empty, the algorithm will

            fall through to Step 3.</para>

            <para><emphasis>Step 3.</emphasis> Now the allocator is in the

            situation when both magazines in the processor magazine cache are

            empty. The allocator reloads one magazine from the shared list of

            full magazines. If the reload is successful (i.e. there are full

            magazines in the list), the algorithm continues with Step

            1.</para>

            <para><emphasis>Step 4.</emphasis> In this fail-safe step, an

            object is allocated from the conventional slab layer and a pointer

            to it is returned. If also the last magazine is full,</para>

          </formalpara>

          <formalpara>

            <title>Deallocation</title>

            <para><emphasis>Step 1.</emphasis> During a deallocation request,

            the slab allocator checks if the current magazine of the local

            processor magazine cache is not full. If it is, the pointer to the

            objects is just pushed into the magazine and the algorithm

            returns.</para>

            <para><emphasis>Step 2.</emphasis> If the current magazine is

            full, the allocator will attempt to swap it with the last magazine

            from the cache and return to the first step. If also the last

            magazine is empty, the algorithm will fall through to Step

            3.</para>

            <para><emphasis>Step 3.</emphasis> Now the allocator is in the

            situation when both magazines in the processor magazine cache are

            full. The allocator tries to allocate a new empty magazine and

            flush one of the full magazines to the shared list of full

            magazines. If it is successfull, the algoritm continues with Step

            1.</para>

            <para><emphasis>Step 4. </emphasis>In case of low memory condition

            when the allocation of empty magazine fails, the object is moved

            directly into slab. In the worst case object deallocation does not

            need to allocate any additional memory.</para>

          </formalpara>

        </section>

      </section>

    </section>

  </section>

  <section>

    <title>Virtual memory management</title>

    <para>Virtual memory is essential for an operating system because it makes

    several things possible. First, it helps to isolate tasks from each other

    by encapsulating them in their private address spaces. Second, virtual

    memory can give tasks the feeling of more memory available than is

    actually possible. And third, by using virtual memory, there might be

    multiple copies of the same program, linked to the same addresses, running

    in the system. There are at least two known mechanisms for implementing

    virtual memory: segmentation and paging. Even though some processor

    architectures supported by HelenOS<footnote>

        <para>ia32 has full-fledged segmentation.</para>

      </footnote> provide both mechanism, the kernel makes use solely of

    paging.</para>

    <section id="paging">

      <title>VAT subsystem</title>

      <para>In a paged virtual memory, the entire virtual address space is

      divided into small power-of-two sized naturally aligned blocks called

      pages. The processor implements a translation mechanism, that allows the

      operating system to manage mappings between set of pages and set of

      indentically sized and identically aligned pieces of physical memory

      called frames. In a result, references to continuous virtual memory

      areas don't necessarily need to reference continuos area of physical

      memory. Supported page sizes usually range from several kilobytes to

      several megabytes. Each page that takes part in the mapping is

      associated with certain attributes that further desribe the mapping

      (e.g. access rights, dirty and accessed bits and present bit).</para>

      <para>When the processor accesses a page that is not present (i.e. its

      present bit is not set), the operating system is notified through a

      special exception called page fault. It is then up to the operating

      system to service the page fault. In HelenOS, some page faults are fatal

      and result in either task termination or, in the worse case, kernel

      panic<footnote>

          <para>Such a condition would be either caused by a hardware failure

          or a bug in the kernel.</para>

        </footnote>, while other page faults are used to load memory on demand

      or to notify the kernel about certain events.</para>

      <indexterm>

        <primary>page tables</primary>

      </indexterm>

      <para>The set of all page mappings is stored in a memory structure

      called page tables. Some architectures have no hardware support for page

      tables<footnote>

          <para>On mips32, TLB-only model is used and the operating system is

          responsible for managing software defined page tables.</para>

        </footnote> while other processor architectures<footnote>

          <para>Like amd64 and ia32.</para>

        </footnote> understand the whole memory format thereof. Despite all

      the possible differences in page table formats, the HelenOS VAT

      subsystem<footnote>

          <para>Virtual Address Translation subsystem.</para>

        </footnote> unifies the page table operations under one programming

      interface. For all parts of the kernel, three basic functions are

      provided:</para>

      <itemizedlist>

        <listitem>

          <para><code>page_mapping_insert()</code>,</para>

        </listitem>

        <listitem>

          <para><code>page_mapping_find()</code> and</para>

        </listitem>

        <listitem>

          <para><code>page_mapping_remove()</code>.</para>

        </listitem>

      </itemizedlist>

      <para>The <code>page_mapping_insert()</code> function is used to

      introduce a mapping for one virtual memory page belonging to a

      particular address space into the page tables. Once the mapping is in

      the page tables, it can be searched by <code>page_mapping_find()</code>

      and removed by <code>page_mapping_remove()</code>. All of these

      functions internally select the page table mechanism specific functions

      that carry out the self operation.</para>

      <para>There are currently two supported mechanisms: generic 4-level

      hierarchical page tables and global page hash table. Both of the

      mechanisms are generic as they cover several hardware platforms. For

      instance, the 4-level hierarchical page table mechanism is used by

      amd64, ia32, mips32 and ppc32, respectively. These architectures have

      the following page table format: 4-level, 2-level, TLB-only and hardware

      hash table, respectively. On the other hand, the global page hash table

      is used on ia64 that can be TLB-only or use a hardware hash table.

      Although only two mechanisms are currently implemented, other mechanisms

      (e.g. B+tree) can be easily added.</para>

      <section id="page_tables">

        <indexterm>

          <primary>page tables</primary>

          <secondary>- hierarchical</secondary>

        </indexterm>

        <title>Hierarchical 4-level page tables</title>

        <para>Hierarchical 4-level page tables are generalization of the

        frequently used hierarchical model of page tables. In this mechanism,

        each address space has its own page tables. To avoid confusion in

        terminology used by hardware vendors, in HelenOS, the root level page

        table is called PTL0, the two middle levels are called PTL1 and PTL2,

        and, finally, the leaf level is called PTL3. All architectures using

        this mechanism are required to use PTL0 and PTL3. However, the middle

        levels can be left out, depending on the hardware hierachy or

        structure of software-only page tables. The genericity is achieved

        through a set of macros that define transitions from one level to

        another. Unused levels are optimised out by the compiler.</para>

      </section>

      <section>

        <indexterm>

          <primary>page tables</primary>

          <secondary>- hashing</secondary>

        </indexterm>

        <title>Global page hash table</title>

        <para>Implementation of the global page hash table was encouraged by

        64-bit architectures that can have rather sparse address spaces. The

        hash table contains valid mappings only. Each entry of the hash table

        contains an address space pointer, virtual memory page number (VPN),

        physical memory frame number (PFN) and a set of flags. The pair of the

        address space pointer and the virtual memory page number is used as a

        key for the hash table. One of the major differences between the

        global page hash table and hierarchical 4-level page tables is that

        there is only a single global page hash table in the system while

        hierarchical page tables exist per address space. Thus, the global

        page hash table contains information about mappings of all address

        spaces in the system.</para>

        <para>The global page hash table mechanism uses the generic hash table

        type as described in the chapter dedicated to <link

        linkend="hashtables">data structures</link> earlier in this

        book.</para>

      </section>

    </section>

  </section>

  <section id="tlb">

    <indexterm>

      <primary>TLB</primary>

    </indexterm>

    <title>Translation Lookaside buffer</title>

    <para>Due to the extensive overhead of several extra memory accesses

    during page table lookup that are necessary on every instruction, modern

    architectures deploy fast assotiative cache of recelntly used page

    mappings. This cache is called TLB - Translation Lookaside Buffer - and is

    present on every processor in the system. As it has been already pointed

    out, TLB is the only page translation mechanism for some

    architectures.</para>

    <section id="tlb_shootdown">

      <indexterm>

        <primary>TLB</primary>

        <secondary>- TLB shootdown</secondary>

      </indexterm>

      <title>TLB consistency</title>

      <para>The operating system is responsible for keeping TLB consistent

      with the page tables. Whenever mappings are modified or purged from the

      page tables, or when an address space identifier is reused, the kernel

      needs to invalidate the respective contents of TLB. Some TLB types

      support partial invalidation of their content (e.g. ranges of pages or

      address spaces) while other types can be invalidated only entirely. The

      invalidation must be done on all processors for there is one TLB per

      processor. Maintaining TLB consistency on multiprocessor configurations

      is not as trivial as it might look from the first glance.</para>

      <para>The remote TLB invalidation is called TLB shootdown. HelenOS uses

      a simplified variant of the algorithm described in <xref

      linkend="Black89" />.</para>

      <para>TLB shootdown is performed in three phases.</para>

      <formalpara>

        <title>Phase 1.</title>

        <para>The initiator clears its TLB flag and locks the global TLB

        spinlock. The request is then enqueued into all other processors' TLB

        shootdown message queues. When the TLB shootdown message queue is full

        on any processor, the queue is purged and a single request to

        invalidate the entire TLB is stored there. Once all the TLB shootdown

        messages were dispatched, the initiator sends all other processors an

        interrupt to notify them about the incoming TLB shootdown message. It

        then spins until all processors accept the interrupt and clear their

        TLB flags.</para>

      </formalpara>

      <formalpara>

        <title>Phase 2.</title>

        <para>Except for the initiator, all other processors are spining on

        the TLB spinlock. The initiator is now free to modify the page tables

        and purge its own TLB. The initiator then unlocks the global TLB

        spinlock and sets its TLB flag.</para>

      </formalpara>

      <formalpara>

        <title>Phase 3.</title>

        <para>When the spinlock is unlocked by the initiator, other processors

        are sequentially granted the spinlock. However, once they manage to

        lock it, they immediately release it. Each processor invalidates its

        TLB according to messages found in its TLB shootdown message queue. In

        the end, each processor sets its TLB flag and resumes its previous

        operation.</para>

      </formalpara>

    </section>

  </section>

  <section>

    <title>Address spaces</title>

    <para>last bits about address spaces</para>

    <section>

      <indexterm>

        <primary>address space</primary>

        <secondary>- ASID</secondary>

      </indexterm>

      <title>Address Space ID (ASID)</title>

      <para>Modern processor architectures optimize TLB utilization by

      associating TLB entries with address spaces through assigning

      identification numbers to them. In HelenOS, the term ASID, originally

      taken from the mips32 terminology, is used to refer to the address space

      identification number. The advantage of having ASIDs is that TLB does

      not have to be invalidated on thread context switch as long as ASIDs are

      unique. Unfotunatelly, architectures supported by HelenOS use all

      different widths of ASID numbers<footnote>

          <para>amd64 and ia32 don't use similar abstraction at all, mips32

          has 8-bit ASIDs and ia64 can have ASIDs between 18 to 24 bits

          wide.</para>

        </footnote> out of which none is sufficient. The amd64 and ia32

      architectures cannot make use of ASIDs as their TLB doesn't recognize

      such an abstraction. Other architectures have support for ASIDs, but for

      instance ppc32 doesn't make use of them in the current version of

      HelenOS. The rest of the architectures does use ASIDs. However, even on

      the ia64 architecture, the minimal supported width of ASID<footnote>

          <para>RID in ia64 terminology.</para>

        </footnote> is insufficient to provide a unique integer identifier to

      all address spaces that might hypothetically coexist in the running

      system. The situation on mips32 is even worse: the architecture has only

      256 unique identifiers.</para>

      <indexterm>

        <primary>address space</primary>

        <secondary>- ASID stealing</secondary>

      </indexterm>

      <para>To mitigate the shortage of ASIDs, HelenOS uses the following

      strategy. When the system initializes, a FIFO queue<footnote>

          <para>Note that architecture-specific measures are taken to avoid

          too large FIFO queue. For instance, seven consecutive ia64 RIDs are

          grouped to form one HelenOS ASID.</para>

        </footnote> is created and filled with all available ASIDs. Moreover,

      every address space remembers the number of processors on which it is

      active. Address spaces that have a valid ASID and that are not active on

      any processor are appended to the list of inactive address spaces with

      valid ASID. When an address space needs to be assigned a valid ASID, it

      first checks the FIFO queue. If it contains at least one ASID, the ASID

      is allocated. If the queue is empty, an ASID is simply stolen from the

      first address space in the list. In that case, the address space that

      loses the ASID in favor of another address space, is removed from the

      list. After the new ASID is purged from all TLBs, it can be used by the

      address space. Note that this approach works due to the fact that the

      number of ASIDs is greater than the maximal number of processors

      supported by HelenOS and that there can be only one active address space

      per processor. In other words, when the FIFO queue is empty, there must

      be address spaces that are not active on any processor.</para>

    </section>

  </section>

</chapter>