<?xml version="1.0" encoding="UTF-8"?>
<chapter id="mm">
<?dbhtml filename="mm.html"?>
<title>Memory management</title>
<para>In previous chapters, this book described the scheduling subsystem as
the creator of the impression that threads execute in parallel. The memory
management subsystem, on the other hand, creates the impression that there
is enough physical memory for the kernel and that userspace tasks have the
entire address space only for themselves.</para>
<section>
<title>Physical memory management</title>
<section id="zones_and_frames">
<title>Zones and frames</title>
<para>HelenOS represents continuous areas of physical memory in
structures called frame zones (abbreviated as zones). Each zone contains
information about the number of allocated and unallocated physical
memory frames as well as the physical base address of the zone and the
number of frames contained in it. A zone also contains an array of frame
structures describing each frame of the zone. Last but not least, each
zone is equipped with a buddy system that facilitates efficient
allocation of power-of-two sized blocks of frames.</para>
<para>This organization of physical memory provides good preconditions
for hot-plugging of more zones. There is also one currently unused zone
attribute: <code>flags</code>. The attribute could be used to give a
special meaning to some zones in the future.</para>
<para>The zones are linked in a doubly-linked list. This might seem a
bit inefficient because the zone list is walked every time a frame is
allocated or deallocated. However, this does not represent a significant
performance problem as it is expected that the number of zones will be
rather low. Moreover, most architectures merge all zones into
one.</para>
<para>Every physical memory frame in a zone is described by a structure
that contains the number of references and other data used by the buddy
system.</para>
</section>
<section id="frame_allocator">
<indexterm>
<primary>frame allocator</primary>
</indexterm>
<title>Frame allocator</title>
<para>The frame allocator satisfies kernel requests to allocate
power-of-two sized blocks of physical memory. Because of zonal
organization of physical memory, the frame allocator is always working
within a context of a particular frame zone. In order to carry out the
allocation requests, the frame allocator is tightly integrated with the
buddy system belonging to the zone. The frame allocator is also
responsible for updating information about the number of free and busy
frames in the zone. <figure>
<mediaobject id="frame_alloc">
<imageobject role="eps">
<imagedata fileref="images.vector/frame_alloc.eps" format="EPS" />
</imageobject>
<imageobject role="html">
<imagedata fileref="images/frame_alloc.png" format="PNG" />
</imageobject>
<imageobject role="fop">
<imagedata fileref="images.vector/frame_alloc.svg" format="SVG" />
</imageobject>
</mediaobject>
<title>Frame allocator scheme.</title>
</figure></para>
<formalpara>
<title>Allocation / deallocation</title>
<para>Upon allocation request via function <code>frame_alloc()</code>,
the frame allocator first tries to find a zone that can satisfy the
request (i.e. has the required amount of free frames). Once a suitable
zone is found, the frame allocator uses the buddy allocator on the
zone's buddy system to perform the allocation. During deallocation,
which is triggered by a call to <code>frame_free()</code>, the frame
allocator looks up the respective zone that contains the frame being
deallocated. Afterwards, it calls the buddy allocator again, this time
to take care of deallocation within the zone's buddy system.</para>
</formalpara>
</section>
<section id="buddy_allocator">
<indexterm>
<primary>buddy system</primary>
</indexterm>
<title>Buddy allocator</title>
<para>In the buddy system, the memory is broken down into power-of-two
sized naturally aligned blocks. These blocks are organized in an array
of lists, in which the list with index <emphasis>i</emphasis> contains
all unallocated blocks of size
<emphasis>2<superscript>i</superscript></emphasis>. The index
<emphasis>i</emphasis> is called the order of the block. Should there be two
adjacent equally sized blocks in the list <emphasis>i</emphasis> (i.e.
buddies), the buddy allocator would coalesce them and put the resulting
block in list <emphasis>i + 1</emphasis>, provided that the resulting
block would be naturally aligned. Similarly, when the allocator is
asked to allocate a block of size
<emphasis>2<superscript>i</superscript></emphasis>, it first tries to
satisfy the request from the list with index <emphasis>i</emphasis>. If
the request cannot be satisfied (i.e. the list <emphasis>i</emphasis> is
empty), the buddy allocator will try to allocate and split a larger
block from the list with index <emphasis>i + 1</emphasis>. Both of these
algorithms are recursive. The recursion ends either when there are no
blocks to coalesce in the former case or when there are no blocks that
can be split in the latter case.</para>
<para>This approach greatly reduces external fragmentation of memory and
helps in allocating bigger continuous blocks of memory aligned to their
size. On the other hand, the buddy allocator suffers from increased
internal fragmentation of memory and is not suitable for general kernel
allocations. This purpose is better addressed by the <link
linkend="slab">slab allocator</link>.<figure>
<mediaobject id="buddy_alloc">
<imageobject role="eps">
<imagedata fileref="images.vector/buddy_alloc.eps" format="EPS" />
</imageobject>
<imageobject role="html">
<imagedata fileref="images/buddy_alloc.png" format="PNG" />
</imageobject>
<imageobject role="fop">
<imagedata fileref="images.vector/buddy_alloc.svg" format="SVG" />
</imageobject>
</mediaobject>
<title>Buddy system scheme.</title>
</figure></para>
<section>
<title>Implementation</title>
<para>The buddy allocator is, in fact, an abstract framework which can
be easily specialized to serve one particular task. It knows nothing
about the nature of the memory it helps to allocate. To compensate for
this lack of knowledge, the buddy allocator exports an interface that
each of its clients is required to implement. When supplied with an
implementation of this interface, the buddy allocator can use
specialized external functions to find a buddy for a block, split and
coalesce blocks, manipulate block order and mark blocks busy or
available.</para>
<formalpara>
<title>Data organization</title>
<para>Each entity allocable by the buddy allocator is required to
contain space for storing block order number and a link variable
used to interconnect blocks within the same order.</para>
<para>Whatever entities are allocated by the buddy allocator, the
first entity within a block is used to represent the entire block.
The first entity keeps the order of the whole block. Other entities
within the block are assigned the magic value
<constant>BUDDY_INNER_BLOCK</constant>. This is especially important
for effective identification of buddies in a one-dimensional array
because the entity that represents a potential buddy cannot be
associated with <constant>BUDDY_INNER_BLOCK</constant> (i.e. if it
is associated with <constant>BUDDY_INNER_BLOCK</constant> then it is
not a buddy).</para>
</formalpara>
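<para>The split and coalesce recursion and the role of
<constant>BUDDY_INNER_BLOCK</constant> described above, as an added
example that is not HelenOS code. It assumes a constructed zone of 16
frames indexed from 0; all function and variable names are hypothetical,
and <code>buddy_free()</code> additionally rejects a frame that is not
the first frame of a busy block.</para>
<programlisting><![CDATA[
```c
#include <stdint.h>
#include <string.h>

#define NFRAMES 16              /* constructed zone: 16 frames */
#define MAX_ORDER 4             /* 2^4 == NFRAMES */
#define BUDDY_INNER_BLOCK 0xff  /* magic order of non-first frames */
#define NIL (-1)

static uint8_t order_of[NFRAMES];     /* block order, kept in the first frame */
static uint8_t busy[NFRAMES];         /* 1 if the block headed here is allocated */
static int link_next[NFRAMES];        /* link variable inside one order list */
static int free_list[MAX_ORDER + 1];  /* list i holds free blocks of 2^i frames */

static void list_push(int o, int f) { link_next[f] = free_list[o]; free_list[o] = f; }
static void list_remove(int o, int f)
{
    for (int *p = &free_list[o]; *p != NIL; p = &link_next[*p])
        if (*p == f) { *p = link_next[f]; return; }
}

void buddy_init(void)
{
    for (int o = 0; o <= MAX_ORDER; o++)
        free_list[o] = NIL;
    memset(order_of, BUDDY_INNER_BLOCK, sizeof order_of);
    memset(busy, 0, sizeof busy);
    order_of[0] = MAX_ORDER;    /* the whole zone starts as one free block */
    list_push(MAX_ORDER, 0);
}

/* Allocate 2^o frames; returns the first frame index or NIL. */
int buddy_alloc(int o)
{
    if (o < 0 || o > MAX_ORDER)
        return NIL;
    int f = free_list[o];
    if (f != NIL) {             /* list o can satisfy the request */
        list_remove(o, f);
        busy[f] = 1;
        return f;
    }
    f = buddy_alloc(o + 1);     /* otherwise split a block from list o + 1 */
    if (f == NIL)
        return NIL;
    int right = f + (1 << o);
    order_of[f] = o;            /* left half is returned to the caller */
    order_of[right] = o;        /* right half becomes a free block */
    list_push(o, right);
    return f;
}

/* Free a block by its first frame; returns -1 for an inner or non-busy frame. */
int buddy_free(int f)
{
    if (f < 0 || f >= NFRAMES || order_of[f] == BUDDY_INNER_BLOCK || !busy[f])
        return -1;
    int o = order_of[f];
    busy[f] = 0;
    while (o < MAX_ORDER) {
        int b = f ^ (1 << o);   /* the only neighbour that merges aligned */
        if (order_of[b] != o || busy[b])
            break;              /* inner frame, other order or busy: no buddy */
        list_remove(o, b);
        f = f < b ? f : b;      /* the merged block starts at the lower buddy */
        order_of[f ^ (1 << o)] = BUDDY_INNER_BLOCK;
        order_of[f] = ++o;
    }
    list_push(o, f);
    return 0;
}

int buddy_free_frames(void)
{
    int n = 0;
    for (int o = 0; o <= MAX_ORDER; o++)
        for (int f = free_list[o]; f != NIL; f = link_next[f])
            n += 1 << o;
    return n;
}
```
]]></programlisting>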
</section>
</section>
<section id="slab">
<indexterm>
<primary>slab allocator</primary>
</indexterm>
<title>Slab allocator</title>
<para>The majority of memory allocation requests in the kernel is for
small, frequently used data structures. The basic idea behind the slab
allocator is that commonly used objects are preallocated in continuous
areas of physical memory called slabs<footnote>
<para>Slabs are in fact blocks of physical memory frames allocated
from the frame allocator.</para>
</footnote>. Whenever an object is to be allocated, the slab allocator
returns the first available item from a suitable slab corresponding to
the object type<footnote>
<para>The mechanism is rather more complicated, see the next
paragraph.</para>
</footnote>. Due to the fact that the sizes of the requested and
allocated object match, the slab allocator significantly reduces
internal fragmentation.</para>
<indexterm>
<primary>slab allocator</primary>
<secondary>- slab cache</secondary>
</indexterm>
<para>Slabs of one object type are organized in a structure called slab
cache. There are usually several slabs in the slab cache, depending on
previous allocations. If the slab cache runs out of available slabs,
new slabs are allocated. In order to exploit parallelism and to avoid
locking of shared spinlocks, slab caches can have variants of
processor-private slabs called magazines. On each processor, there is a
two-magazine cache. Full magazines that are not part of any
per-processor magazine cache are stored in a global list of full
magazines.</para>
<indexterm>
<primary>slab allocator</primary>
<secondary>- magazine</secondary>
</indexterm>
<para>Each object begins its life in a slab. When it is allocated from
there, the slab allocator calls a constructor that is registered in the
respective slab cache. The constructor initializes the object and brings
it into a known state. The object is then used by the user. When the user
later frees the object, the slab allocator puts it into a
processor-private <indexterm>
<primary>slab allocator</primary>
<secondary>- magazine</secondary>
</indexterm>magazine cache, from where it can be preferentially allocated
again. Note that allocations satisfied from a magazine are already
initialized by the constructor. When both of the processor-cached
magazines get full, the allocator will move one of the magazines to the
list of full magazines. Similarly, when allocating from an empty
processor magazine cache, the kernel will reload only one magazine from
the list of full magazines. In other words, the slab allocator tries to
keep the processor magazine cache only half-full in order to prevent
thrashing when allocations and deallocations interleave on magazine
boundaries. The advantage of this setup is that during most of the
allocations, no global spinlock needs to be held.</para>
<para>Should HelenOS run short of memory, it would start deallocating
objects from magazines, calling the slab cache destructor on them and
putting them back into slabs. When a slab contains no allocated object,
it is immediately freed.</para>
<para>
<figure>
<mediaobject id="slab_alloc">
<imageobject role="eps">
<imagedata fileref="images.vector/slab_alloc.eps" format="EPS" />
</imageobject>
<imageobject role="html">
<imagedata fileref="images/slab_alloc.png" format="PNG" />
</imageobject>
<imageobject role="fop">
<imagedata fileref="images.vector/slab_alloc.svg" format="SVG" />
</imageobject>
</mediaobject>
<title>Slab allocator scheme.</title>
</figure>
</para>
<section>
<title>Implementation</title>
<para>The slab allocator is closely modelled after <xref
linkend="Bonwick01" /> with the following exceptions:<itemizedlist>
<listitem>
<para>empty slabs are immediately deallocated and</para>
</listitem>
<listitem>
<para>empty magazines are deallocated when not needed.</para>
</listitem>
</itemizedlist>The following features are not currently supported
but would be easy to add: <itemizedlist>
<listitem>cache coloring and</listitem>
<listitem>dynamic magazine growth (different magazine sizes are
already supported, but the allocation strategy would need to be
adjusted).</listitem>
</itemizedlist></para>
<section>
<title>Allocation/deallocation</title>
<para>The following two paragraphs summarize and complete the
description of the slab allocator operation (i.e.
<code>slab_alloc()</code> and <code>slab_free()</code>
functions).</para>
<formalpara>
<title>Allocation</title>
<para><emphasis>Step 1.</emphasis> When an allocation request
comes, the slab allocator checks availability of memory in the
current magazine of the local processor magazine cache. If an
object is available there, the allocator just pops the object from
the magazine and returns it.</para>
<para><emphasis>Step 2.</emphasis> If the current magazine in the
processor magazine cache is empty, the allocator will attempt to
swap it with the last magazine from the cache and return to the
first step. If the last magazine is also empty, the algorithm will
fall through to Step 3.</para>
<para><emphasis>Step 3.</emphasis> Now the allocator is in the
situation when both magazines in the processor magazine cache are
empty. The allocator reloads one magazine from the shared list of
full magazines. If the reload is successful (i.e. there are full
magazines in the list), the algorithm continues with Step
1.</para>
<para><emphasis>Step 4.</emphasis> In this fail-safe step, an
object is allocated from the conventional slab layer and a pointer
to it is returned. If also the last magazine is full,</para>
</formalpara>
<formalpara>
<title>Deallocation</title>
<para><emphasis>Step 1.</emphasis> During a deallocation request,
the slab allocator checks whether the current magazine of the local
processor magazine cache is full. If it is not, the pointer to the
object is just pushed into the magazine and the algorithm
returns.</para>
<para><emphasis>Step 2.</emphasis> If the current magazine is
full, the allocator will attempt to swap it with the last magazine
from the cache and return to the first step. If the last
magazine is also full, the algorithm will fall through to Step
3.</para>
<para><emphasis>Step 3.</emphasis> Now the allocator is in the
situation when both magazines in the processor magazine cache are
full. The allocator tries to allocate a new empty magazine and
flush one of the full magazines to the shared list of full
magazines. If it is successful, the algorithm continues with Step
1.</para>
<para><emphasis>Step 4. </emphasis>In case of a low memory condition,
when the allocation of an empty magazine fails, the object is moved
directly into the slab. Thus, even in the worst case, object
deallocation does not need to allocate any additional memory.</para>
</formalpara>
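<para>The four allocation steps and four deallocation steps above, as an
added single-processor example that is not HelenOS code. The names
<code>cache_alloc()</code>, <code>cache_free()</code> and
<code>fail_mag_alloc</code> are hypothetical, the magazine capacity of
two objects is constructed for the demonstration, and
<code>malloc()</code> stands in for the slab layer; the spinlock that
guards the shared list is omitted.</para>
<programlisting><![CDATA[
```c
#include <stdlib.h>

#define MAG_SIZE 2              /* constructed magazine capacity */

typedef struct magazine {
    struct magazine *next;      /* link in the shared list of full magazines */
    int busy;                   /* number of object pointers stored */
    void *objs[MAG_SIZE];
} magazine_t;

typedef struct { magazine_t *current, *last; } cpu_cache_t;

static magazine_t *full_list;   /* shared list, guarded by a spinlock in a kernel */
int slab_allocs, slab_frees;    /* how often the slab layer was reached */
int fail_mag_alloc;             /* demo hook: simulate a low memory condition */

static void *slab_obj_create(void) { slab_allocs++; return malloc(32); }
static void slab_obj_destroy(void *obj) { slab_frees++; free(obj); }

static magazine_t *mag_new(void)
{
    return fail_mag_alloc ? NULL : calloc(1, sizeof(magazine_t));
}

static void swap_mags(cpu_cache_t *c)
{
    magazine_t *t = c->current;
    c->current = c->last;
    c->last = t;
}

void *cache_alloc(cpu_cache_t *c)
{
    for (;;) {
        if (c->current && c->current->busy > 0)          /* Step 1 */
            return c->current->objs[--c->current->busy];
        if (c->last && c->last->busy > 0) {              /* Step 2 */
            swap_mags(c);
            continue;
        }
        if (!full_list)                                  /* Step 4 */
            return slab_obj_create();
        magazine_t *m = full_list;                       /* Step 3 */
        full_list = m->next;
        free(c->last);          /* an empty magazine that is no longer needed */
        c->last = c->current;
        c->current = m;
    }
}

void cache_free(cpu_cache_t *c, void *obj)
{
    for (;;) {
        if (c->current && c->current->busy < MAG_SIZE) { /* Step 1 */
            c->current->objs[c->current->busy++] = obj;
            return;
        }
        if (c->last && c->last->busy < MAG_SIZE) {       /* Step 2 */
            swap_mags(c);
            continue;
        }
        magazine_t *m = mag_new();                       /* Step 3 */
        if (!m) {                                        /* Step 4 */
            slab_obj_destroy(obj);
            return;
        }
        if (c->last) {          /* both full: flush one to the shared list */
            c->last->next = full_list;
            full_list = c->last;
        }
        c->last = c->current;
        c->current = m;
    }
}

int full_magazines(void)
{
    int n = 0;
    for (magazine_t *m = full_list; m; m = m->next)
        n++;
    return n;
}
```
]]></programlisting>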
</section>
</section>
</section>
</section>
<section>
<title>Virtual memory management</title>
<para>Virtual memory is essential for an operating system because it makes
several things possible. First, it helps to isolate tasks from each other
by encapsulating them in their private address spaces. Second, virtual
memory can give tasks the feeling of more memory available than is
actually possible. And third, by using virtual memory, there might be
multiple copies of the same program, linked to the same addresses, running
in the system. There are at least two known mechanisms for implementing
virtual memory: segmentation and paging. Even though some processor
architectures supported by HelenOS<footnote>
<para>ia32 has full-fledged segmentation.</para>
</footnote> provide both mechanisms, the kernel makes use solely of
paging.</para>
<section id="paging">
<title>VAT subsystem</title>
<para>In a paged virtual memory, the entire virtual address space is
divided into small power-of-two sized naturally aligned blocks called
pages. The processor implements a translation mechanism that allows the
operating system to manage mappings between a set of pages and a set of
identically sized and identically aligned pieces of physical memory
called frames. As a result, references to continuous virtual memory
areas don't necessarily need to reference a continuous area of physical
memory. Supported page sizes usually range from several kilobytes to
several megabytes. Each page that takes part in the mapping is
associated with certain attributes that further describe the mapping
(e.g. access rights, dirty and accessed bits and present bit).</para>
<para>When the processor accesses a page that is not present (i.e. its
present bit is not set), the operating system is notified through a
special exception called page fault. It is then up to the operating
system to service the page fault. In HelenOS, some page faults are fatal
and result in either task termination or, in the worst case, kernel
panic<footnote>
<para>Such a condition would be either caused by a hardware failure
or a bug in the kernel.</para>
</footnote>, while other page faults are used to load memory on demand
or to notify the kernel about certain events.</para>
<indexterm>
<primary>page tables</primary>
</indexterm>
<para>The set of all page mappings is stored in a memory structure
called page tables. Some architectures have no hardware support for page
tables<footnote>
<para>On mips32, TLB-only model is used and the operating system is
responsible for managing software defined page tables.</para>
</footnote> while other processor architectures<footnote>
<para>Like amd64 and ia32.</para>
</footnote> understand the whole memory format thereof. Despite all
the possible differences in page table formats, the HelenOS VAT
subsystem<footnote>
<para>Virtual Address Translation subsystem.</para>
</footnote> unifies the page table operations under one programming
interface. For all parts of the kernel, three basic functions are
provided:</para>
<itemizedlist>
<listitem>
<para><code>page_mapping_insert()</code>,</para>
</listitem>
<listitem>
<para><code>page_mapping_find()</code> and</para>
</listitem>
<listitem>
<para><code>page_mapping_remove()</code>.</para>
</listitem>
</itemizedlist>
<para>The <code>page_mapping_insert()</code> function is used to
introduce a mapping for one virtual memory page belonging to a
particular address space into the page tables. Once the mapping is in
the page tables, it can be searched by <code>page_mapping_find()</code>
and removed by <code>page_mapping_remove()</code>. All of these
functions internally select the page table mechanism specific functions
that carry out the operation itself.</para>
<para>There are currently two supported mechanisms: generic 4-level
hierarchical page tables and global page hash table. Both of the
mechanisms are generic as they cover several hardware platforms. For
instance, the 4-level hierarchical page table mechanism is used by
amd64, ia32, mips32 and ppc32. These architectures have
the following page table formats: 4-level, 2-level, TLB-only and hardware
hash table, respectively. On the other hand, the global page hash table
is used on ia64, which can be TLB-only or use a hardware hash table.
Although only two mechanisms are currently implemented, other mechanisms
(e.g. B+tree) can be easily added.</para>
<section id="page_tables">
<indexterm>
<primary>page tables</primary>
<secondary>- hierarchical</secondary>
</indexterm>
<title>Hierarchical 4-level page tables</title>
<para>Hierarchical 4-level page tables are a generalization of the
frequently used hierarchical model of page tables. In this mechanism,
each address space has its own page tables. To avoid confusion in
terminology used by hardware vendors, in HelenOS, the root level page
table is called PTL0, the two middle levels are called PTL1 and PTL2,
and, finally, the leaf level is called PTL3. All architectures using
this mechanism are required to use PTL0 and PTL3. However, the middle
levels can be left out, depending on the hardware hierarchy or the
structure of software-only page tables. The genericity is achieved
through a set of macros that define transitions from one level to
another. Unused levels are optimised out by the compiler.</para>
</section>
<section>
<indexterm>
<primary>page tables</primary>
<secondary>- hashing</secondary>
</indexterm>
<title>Global page hash table</title>
<para>Implementation of the global page hash table was encouraged by
64-bit architectures that can have rather sparse address spaces. The
hash table contains valid mappings only. Each entry of the hash table
contains an address space pointer, virtual memory page number (VPN),
physical memory frame number (PFN) and a set of flags. The pair of the
address space pointer and the virtual memory page number is used as a
key for the hash table. One of the major differences between the
global page hash table and hierarchical 4-level page tables is that
there is only a single global page hash table in the system while
hierarchical page tables exist per address space. Thus, the global
page hash table contains information about mappings of all address
spaces in the system.</para>
<para>The global page hash table mechanism uses the generic hash table
type as described in the chapter dedicated to <link
linkend="hashtables">data structures</link> earlier in this
book.</para>
</section>
</section>
</section>
<section id="tlb">
<indexterm>
<primary>TLB</primary>
</indexterm>
<title>Translation Lookaside Buffer</title>
<para>Due to the extensive overhead of several extra memory accesses
during page table lookup that are necessary on every instruction, modern
architectures deploy a fast associative cache of recently used page
mappings. This cache is called TLB - Translation Lookaside Buffer - and is
present on every processor in the system. As has already been pointed
out, the TLB is the only page translation mechanism for some
architectures.</para>
<section id="tlb_shootdown">
<indexterm>
<primary>TLB</primary>
<secondary>- TLB shootdown</secondary>
</indexterm>
<title>TLB consistency</title>
<para>The operating system is responsible for keeping TLB consistent
with the page tables. Whenever mappings are modified or purged from the
page tables, or when an address space identifier is reused, the kernel
needs to invalidate the respective contents of TLB. Some TLB types
support partial invalidation of their content (e.g. ranges of pages or
address spaces) while other types can be invalidated only entirely. The
invalidation must be done on all processors because there is one TLB per
processor. Maintaining TLB consistency on multiprocessor configurations
is not as trivial as it might look at first glance.</para>
<para>The remote TLB invalidation is called TLB shootdown. HelenOS uses
a simplified variant of the algorithm described in <xref
linkend="Black89" />. </para>
<para>TLB shootdown is performed in three phases.</para>
<formalpara>
<title>Phase 1.</title>
<para>The initiator clears its TLB flag and locks the global TLB
spinlock. The request is then enqueued into all other processors' TLB
shootdown message queues. When the TLB shootdown message queue is full
on any processor, the queue is purged and a single request to
invalidate the entire TLB is stored there. Once all the TLB shootdown
messages have been dispatched, the initiator sends all other processors an
interrupt to notify them about the incoming TLB shootdown message. It
then spins until all processors accept the interrupt and clear their
TLB flags.</para>
</formalpara>
<formalpara>
<title>Phase 2.</title>
<para>Except for the initiator, all other processors are spinning on
the TLB spinlock. The initiator is now free to modify the page tables
and purge its own TLB. The initiator then unlocks the global TLB
spinlock and sets its TLB flag.</para>
</formalpara>
<formalpara>
<title>Phase 3.</title>
<para>When the spinlock is unlocked by the initiator, other processors
are sequentially granted the spinlock. However, once they manage to
lock it, they immediately release it. Each processor invalidates its
TLB according to messages found in its TLB shootdown message queue. In
the end, each processor sets its TLB flag and resumes its previous
operation.</para>
</formalpara>
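<para>The message queue handling of Phase 1 and Phase 3, as an added
single-threaded simulation that is not HelenOS code. The message types
<code>INVL_ALL</code>, <code>INVL_ASID</code> and
<code>INVL_PAGES</code>, the queue length of four and the eight-entry
TLB are assumptions made for the example; the global spinlock, the TLB
flags and the interrupt are left out. It shows that a processor whose
queue overflowed invalidates more than was requested but never keeps an
entry that a dropped message targeted.</para>
<programlisting><![CDATA[
```c
#define NCPU 3
#define QUEUE_LEN 4             /* constructed queue capacity */
#define TLB_ENTRIES 8           /* constructed TLB size */

typedef enum { INVL_ALL, INVL_ASID, INVL_PAGES } invl_type_t;
typedef struct { invl_type_t type; int asid; unsigned page, count; } msg_t;
typedef struct { int valid, asid; unsigned page; } tlb_entry_t;

typedef struct {
    tlb_entry_t tlb[TLB_ENTRIES];
    msg_t queue[QUEUE_LEN];     /* TLB shootdown message queue */
    int queued;
} cpu_t;

cpu_t cpus[NCPU];

void tlb_fill(int cpu, int slot, int asid, unsigned page)
{
    cpus[cpu].tlb[slot] = (tlb_entry_t){ 1, asid, page };
}

int tlb_lookup(int cpu, int asid, unsigned page)
{
    for (int t = 0; t < TLB_ENTRIES; t++) {
        const tlb_entry_t *e = &cpus[cpu].tlb[t];
        if (e->valid && e->asid == asid && e->page == page)
            return 1;
    }
    return 0;
}

/* Phase 1, initiator side: enqueue the request on every other processor. */
void shootdown_start(int initiator, msg_t m)
{
    for (int i = 0; i < NCPU; i++) {
        cpu_t *c = &cpus[i];
        if (i == initiator)
            continue;
        if (c->queued == QUEUE_LEN) {
            /* Full queue: purge it, keep one request for the entire TLB. */
            c->queue[0] = (msg_t){ INVL_ALL, 0, 0, 0 };
            c->queued = 1;
        } else {
            c->queue[c->queued++] = m;
        }
    }
}

static int covers(const msg_t *m, const tlb_entry_t *e)
{
    switch (m->type) {
    case INVL_ASID:
        return e->asid == m->asid;
    case INVL_PAGES:
        return e->asid == m->asid && e->page >= m->page &&
            e->page - m->page < m->count;
    default:
        return 1;               /* INVL_ALL */
    }
}

/* Phase 3, recipient side: apply the queued messages to the local TLB.
 * Returns the number of entries invalidated. */
int shootdown_finish(int cpu)
{
    cpu_t *c = &cpus[cpu];
    int dropped = 0;
    for (int q = 0; q < c->queued; q++)
        for (int t = 0; t < TLB_ENTRIES; t++)
            if (c->tlb[t].valid && covers(&c->queue[q], &c->tlb[t])) {
                c->tlb[t].valid = 0;
                dropped++;
            }
    c->queued = 0;
    return dropped;
}
```
]]></programlisting>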
</section>
<section>
<title>Address spaces</title>
<section>
<indexterm>
<primary>address space</primary>
<secondary>- area</secondary>
</indexterm>
<title>Address space areas</title>
<para>Each address space consists of mutually disjoint continuous
address space areas. An address space area is precisely defined by its
base address and the number of frames/pages it contains.</para>
<para>Each address space area has flags that define behaviour and
permissions on the particular area. <itemizedlist>
<listitem><emphasis>AS_AREA_READ</emphasis> flag indicates reading
permission.</listitem>
<listitem><emphasis>AS_AREA_WRITE</emphasis> flag indicates
writing permission.</listitem>
<listitem><emphasis>AS_AREA_EXEC</emphasis> flag indicates code
execution permission. Some architectures do not support execution
permission restriction. In this case this flag has no
effect.</listitem>
<listitem><emphasis>AS_AREA_DEVICE</emphasis> marks area as mapped
to the device memory.</listitem>
</itemizedlist></para>
<para>The kernel lets tasks create/expand/shrink/share their
address space via a set of syscalls.</para>
</section>
<section>
<indexterm>
<primary>address space</primary>
<secondary>- ASID</secondary>
</indexterm>
<title>Address Space ID (ASID)</title>
<para>Every task in the operating system has its own view of the
virtual memory. When performing a context switch between different
tasks, the kernel must switch the address space mapping as well. As
modern processors perform very aggressive caching of virtual mappings,
flushing the complete TLB on every context switch would be very
inefficient. To avoid such a performance penalty, some architectures
introduce an address space identifier, which allows storing several
different mappings inside the TLB.</para>
<para>The HelenOS kernel can take advantage of this hardware support by
having an ASID abstraction. For example, on ia64 the kernel ASID is
derived from the RID (region identifier) and on mips32 the kernel ASID is
actually the hardware identifier. As expected, this ASID information
record is part of the <emphasis>as_t</emphasis> structure.</para>
<para>Due to hardware limitations, the hardware ASID has a limited
length, from 8 bits on ia64 to 24 bits on mips32, which makes it
impossible to use it as a unique address space identifier for all tasks
running in the system. In such situations, a special ASID stealing
algorithm is used, which takes an ASID from an inactive task and assigns
it to the active task.</para>
<indexterm>
<primary>address space</primary>
<secondary>- ASID stealing</secondary>
</indexterm>
<para>
<classname>ASID stealing algorithm here.</classname>
</para>
</section>
</section>
</section>
</chapter>