Computer System Chapter 10. Virtual Memory Lynn Choi Korea University A System with Physical Memory Only Examples: Most Cray machines, early PCs, nearly all embedded systems, etc. Memory Physical Addresses 0: 1: CPU N-1: Addresses generated by the CPU correspond directly to bytes in physical memory A System with Virtual Memory Examples: Memory Workstations, servers, modern PCs, etc. 0: 1: Page Table Virtual Addresses 0: 1: Physical Addresses CPU P-1: N-1: Disk Address Translation: Hardware converts virtual addresses to physical addresses via OS-managed lookup table (page table) Page Faults (like “Cache Misses”) What if an object is on disk rather than in memory? Page table entry indicates virtual address not in memory OS exception handler invoked to move data from disk into memory Current process suspends, others can resume OS has full control over placement, etc. Before fault After handling fault Memory Memory Page Table Virtual Addresses Physical Addresses CPU Page Table Virtual Addresses Physical Addresses CPU Disk Disk Servicing a Page Fault (1) Initiate Block Read Processor Signals Controller Read block of length P starting at disk address X and store starting at memory address Y Read Occurs Processor Reg (3) Read Done Cache Direct Memory Access (DMA) Under control of I/O controller I / O Controller Signals Completion Interrupt processor OS resumes suspended process Memory-I/O bus (2) DMA Transfer Memory I/O controller disk Disk disk Disk Memory Management Multiple processes can reside in physical memory. How do we resolve address conflicts? What if two processes access something at the same address? kernel virtual memory stack %esp memory invisible to user code Memory mapped region for shared libraries Linux/x86 process memory image the “brk” ptr runtime heap (via malloc) 0 uninitialized data (.bss) initialized data (.data) program text (.text) forbidden Solution: Separate Virt. Addr. Spaces Virtual and physical address spaces divided into equal-sized blocks Blocks are called “pages” (both virtual and physical) Each process has its own virtual address space Operating system controls how virtual pages as assigned to physical memory 0 Virtual Address Space for Process 1: Address Translation 0 VP 1 VP 2 PP 2 ... N-1 PP 7 Virtual Address Space for Process 2: Physical Address Space (DRAM) 0 VP 1 VP 2 PP 10 ... N-1 M-1 (e.g., read/only library code) Protection Page table entry contains access rights information Hardware enforces this protection (trap into OS if violation occurs) Page Tables Read? Write? Process i: Physical Addr VP 0: Yes No PP 9 VP 1: Yes Yes PP 4 No XXXXXXX VP 2: No • • • • • • Read? Write? Process j: Memory • • • Physical Addr VP 0: Yes Yes PP 6 VP 1: Yes No PP 9 VP 2: No XXXXXXX No • • • • • • 0: 1: • • • N-1: Address Translation Symbols Virtual Address Components VPO: virtual page offset VPN: virtual page number TLBI: TLB index TLBT: TLB tag Physical Address Components PPO: physical page offset PPN: physical page number CO: byte offset within cache block CI: cache index CT: cache tag Simple Memory System Example Addressing 14-bit virtual addresses 12-bit physical address Page size = 64 bytes 13 12 11 10 9 8 7 6 5 4 VPN 10 2 1 0 VPO (Virtual Page Offset) (Virtual Page Number) 11 3 9 8 7 6 5 4 3 2 1 PPN PPO (Physical Page Number) (Physical Page Offset) 0 Simple Memory System Page Table Only show first 16 entries VPN PPN Valid VPN PPN Valid 00 28 1 08 13 1 01 – 0 09 17 1 02 33 1 0A 09 1 03 02 1 0B – 0 04 – 0 0C – 0 05 16 1 0D 2D 1 06 – 0 0E 11 1 07 – 0 0F 0D 1 Simple Memory System TLB TLB 16 entries 4-way associative TLBT 13 12 11 10 TLBI 9 8 7 6 5 4 3 VPN 2 1 0 VPO Set Tag PPN Valid Tag PPN Valid Tag PPN Valid Tag PPN Valid 0 03 – 0 09 0D 1 00 – 0 07 02 1 1 03 2D 1 02 – 0 04 – 0 0A – 0 2 02 – 0 08 – 0 06 – 0 03 – 0 3 07 – 0 03 0D 1 0A 34 1 02 – 0 Simple Memory System Cache Cache 16 lines 4-byte line size Direct mapped CI CT 11 10 9 8 7 6 5 4 CO 3 PPN 2 1 0 PPO Idx Tag Valid B0 B1 B2 B3 Idx Tag Valid B0 B1 B2 B3 0 19 1 99 11 23 11 8 24 1 3A 00 51 89 1 15 0 – – – – 9 2D 0 – – – – 2 1B 1 00 02 04 08 A 2D 1 93 15 DA 3B 3 36 0 – – – – B 0B 0 – – – – 4 32 1 43 6D 8F 09 C 12 0 – – – – 5 0D 1 36 72 F0 1D D 16 1 04 96 34 15 6 31 0 – – – – E 13 1 83 77 1B D3 7 16 1 11 C2 DF 03 F 14 0 – – – – Address Translation Example #1 Virtual Address 0x03D4 TLBT 13 12 11 TLBI 10 9 8 7 6 5 4 3 VPN VPN ___ TLBI ___ TLBT ____ TLB Hit? __ CI___ 0 9 8 CT ____ PPN: ____ CI 7 6 PPN Offset ___ Page Fault? __ CT 10 1 VPO Physical Address 11 2 5 4 CO 3 2 PPO Hit? __ Byte: ____ 1 0 Address Translation Example #2 Virtual Address 0x0B8F TLBT 13 12 11 TLBI 10 9 8 7 6 5 4 3 VPN VPN ___ TLBI ___ 2 1 0 VPO TLBT ____ TLB Hit? __ Page Fault? __ PPN: ____ Physical Address CI CT 11 10 9 8 7 6 PPN Offset ___ CI___ CT ____ 5 4 CO 3 2 PPO Hit? __ Byte: ____ 1 0 Address Translation Example #3 Virtual Address 0x0040 TLBT 13 12 11 TLBI 10 9 8 7 6 5 4 3 VPN VPN ___ TLBI ___ 2 1 0 VPO TLBT ____ TLB Hit? __ Page Fault? __ PPN: ____ Physical Address CI CT 11 10 9 8 7 6 PPN Offset ___ CI___ CT ____ 5 4 CO 3 2 PPO Hit? __ Byte: ____ 1 0 Program Start Scenario Before starting the process Load the page directory into physical memory Load the PDBR (page directory base register) with the beginning of the page directory Load the PC with the start address of code When the 1st reference to code triggers iTLB miss (translation failed for instruction address) Exception handler looks up PTE1 dTLB miss (translation failed for PTE1) Exception handler looks up PTE2 Lookup page directory and find PTE2 Add PTE2 to dTLB dTLB hit, but page miss (PTE1 not in memory) Load page containing PTE1 Lookup page table and find PTE1 Add PTE1 to iTLB iTLB hit, but page miss (code page not present in memory) Load the instruction page Cache miss, but memory returns the instruction P6 Memory System 32 bit address space DRAM 4 KB page size L1, L2, and TLBs external system bus (e.g. PCI) inst TLB L2 cache instruction fetch unit L1 i-cache inst TLB data TLB L1 d-cache 64 entries 16 sets L1 i-cache and d-cache 16 KB 32 B line size 128 sets L2 cache processor package 32 entries 8 sets data TLB cache bus bus interface unit 4-way set associative unified 128 KB -- 2 MB Overview of P6 Address Translation 32 result CPU 20 VPN 12 virtual address (VA) VPO L1 (128 sets, 4 lines/set) TLB hit ... ... TLB (16 sets, 4 entries/set) 10 10 VPN1 VPN2 20 PPN PDE PDBR L1 miss L1 hit 16 4 TLBT TLBI TLB miss L2 and DRAM PTE Page tables 20 CT 12 PPO physical address (PA) 7 5 CI CO P6 2-level Page Table Structure Page directory 1024 4-byte page directory entries (PDEs) that point to page tables One page directory per process. Page directory must be in memory when it s process is running page Always pointed to by PDBR directory Page tables: 1024 4-byte page table entries (PTEs) that point to pages. Page tables can be paged in and out. 1024 PDEs Up to 1024 page tables 1024 PTEs ... 1024 PTEs ... 1024 PTEs P6 Page Directory Entry (PDE) 31 12 11 Page table physical base addr 9 Avail 8 7 G PS 6 5 A 4 3 2 1 0 CD WT U/S R/W P=1 Page table physical base address: 20 most significant bits of physical page table address (forces page tables to be 4KB aligned) Avail: These bits available for system programmers G: global page (don’t evict from TLB on task switch) PS: page size 4K (0) or 4M (1) A: accessed (set by MMU on reads and writes, cleared by software) CD: cache disabled (1) or enabled (0) WT: write-through or write-back cache policy for this page table U/S: user or supervisor mode access R/W: read-only or read-write access P: page table is present in memory (1) or not (0) 31 1 Available for OS (page table location in secondary storage) 0 P=0 P6 Page Table Entry (PTE) 31 12 11 Page physical base address 9 Avail 8 7 6 5 G 0 D A 4 3 2 1 0 CD WT U/S R/W P=1 Page base address: 20 most significant bits of physical page address (forces pages to be 4 KB aligned) Avail: available for system programmers G: global page (don’t evict from TLB on task switch) D: dirty (set by MMU on writes) A: accessed (set by MMU on reads and writes) CD: cache disabled or enabled WT: write-through or write-back cache policy for this page U/S: user/supervisor R/W: read/write P: page is present in physical memory (1) or not (0) 31 1 Available for OS (page location in secondary storage) 0 P=0 How P6 Page Tables Map Virtual Addresses to Physical Ones 10 VPN1 10 VPN2 word offset into page directory 12 VPO word offset into page table page directory word offset into physical and virtual page page table PTE PDE PDBR physical address of page directory Virtual address physical address of page table base (if P=1) 20 PPN physical address of page base (if P=1) 12 PPO Physical address Representation of Virtual Address Space PT 3 Page Directory P=1, M=1 P=1, M=1 P=0, M=0 P=0, M=1 • • • • PT 2 PT 0 Simplified Example P=1, M=1 P=0, M=0 P=1, M=1 P=0, M=1 P=1, M=1 P=0, M=0 P=1, M=1 P=0, M=1 P=0, M=1 P=0, M=1 P=0, M=0 P=0, M=0 • • • • • • • • • • • • 16 page virtual address space Flags P: Is entry in physical memory? M: Has this part of VA space been mapped? Page 15 Page 14 Page 13 Page 12 Page 11 Page 10 Page 9 Page 8 Page 7 Page 6 Page 5 Page 4 Mem Addr Disk Addr Page 3 Page 2 Page 1 In Mem On Disk Page 0 Unmapped P6 TLB Translation 32 result CPU 20 VPN 12 virtual address (VA) VPO L1 (128 sets, 4 lines/set) TLB hit ... ... TLB (16 sets, 4 entries/set) 10 10 VPN1 VPN2 20 PPN PDE PDBR L1 miss L1 hit 16 4 TLBT TLBI TLB miss L2 andDRAM PTE Page tables 20 CT 12 PPO physical address (PA) 7 5 CI CO P6 TLB TLB entry (not all documented, so this is speculative): 32 16 1 1 PDE/PTE Tag PD V V: indicates a valid (1) or invalid (0) TLB entry PD: is this entry a PDE (1) or a PTE (0)? tag: disambiguates entries cached in the same set PDE/PTE: page directory or page table entry Structure of the data TLB: 16 sets, 4 entries/set entry entry entry entry entry entry entry entry entry entry entry entry entry entry set 0 set 1 set 2 entry entry set 15 ... Translating with the P6 Page Tables (case 1/1) 20 VPN Case 1/1: page table a nd page present. MMU Action: 12 VPO 20 PPN VPN1 VPN2 12 PPO Mem OS action PDE p=1 PTE p=1 data Page directory Page table Data page PDBR Disk MMU builds physica l address and fetches data word. none Translating with the P6 Page Tables (case 1/0) 20 VPN Case 1/0: page table present but page missing. MMU Action: 12 VPO Page fault exception Handler receives the followin g args: VPN1 VPN2 Mem PDE p=1 PTE p=0 Page directory Page table VA that caused fault Fault caused by non-present page or page-level protectio n violation Read/write User/supervisor PDBR Disk data Data page Translating with the P6 Page Tables (case 1/0) OS Action: 20 VPN 12 VPO 20 PPN VPN1 VPN2 Mem PDE p=1 PTE p=1 data Page directory Page table Data page PDBR Disk 12 PPO Check for a legal virtual addr ess. Read PTE through PDE. Find free physical page (swa pping out current page if nec essary) Read virtual page from disk a nd copy to virtual page Restart faulting instruction b y returning from exception ha ndler. Translating with the P6 Page Tables (case 0/1) 20 VPN Case 0/1: page table missi ng but page present. Introduces consistency iss ue. 12 VPO Potentially every page out requires update of disk pa ge table. VPN1 VPN2 Linux disallows this Mem PDE p=0 data Page directory Data page PDBR Disk PTE p=1 Page table If a page table is swapped out, then swap out its data pages too. Translating with the P6 Page Tables (case 0/0) 20 VPN Case 0/0: page table a nd page missing. MMU Action: 12 VPO Page fault exception VPN1 VPN2 PDE p=0 Mem PDBR Page directory Disk PTE p=0 data Page table Data page Translating with the P6 Page Tables (case 0/0) 20 VPN 12 VPO OS action: Swap in page table. Restart faulting instru ction by returning fro m handler. VPN1 VPN2 Mem PDE p=1 PTE p=0 Page directory Page table PDBR Disk Like case 1/0 from her e on. data Data page P6 L1 Cache Access 32 result CPU 20 VPN 12 virtual address (VA) VPO L1 (128 sets, 4 lines/set) TLB hit ... ... TLB (16 sets, 4 entries/set) 10 10 VPN1 VPN2 20 PPN PDE PDBR L1 miss L1 hit 16 4 TLBT TLBI TLB miss L2 andDRAM PTE Page tables 20 CT 12 PPO physical address (PA) 7 5 CI CO Speeding Up L1 Access Tag Check 20 CT 7 5 CI CO PPN PPO Physical address (PA) Addr. Trans. virtual address (VA) No Change VPN VPO 20 12 CI Observation Bits that determine CI identical in virtual and physical address Can index into cache while address translation taking place Then check with CT from physical address “Virtually indexed, physically tagged” Cache carefully sized to make this possible Linux Organizes VM as Collection of “Areas” Area Contiguous chunk of (allocated) virtual memory whose pages are related Examples: code segment, data segment, heap, shared library segment, etc. Any existing virtual page is contained in some area. Any virtual page that is not part of some area does not exist and cannot be referenced! Thus, the virtual address space can have gaps. The kernel does not keep track of virtual pages that do not exist. task_struct Kernel maintains a distinct task structure for each process Contain all the information that the kernel needs to run the process PID, pointer to the user stack, name of the executable object file, program counter, etc. mm_struct One of the entries in the task structure that characterizes the current state of virtual memory pgd – base of the page directory table mmap – points to a list of vm_area_struct Linux Organizes VM as Collection of “Areas” task_struct mm vm_area_struct mm_struct pgd mmap vm_end vm_start vm_prot vm_flags vm_next vm_prot: read/write permissions for this area vm_flags process virtual memory vm_end vm_start vm_prot vm_flags shared libraries 0x40000000 data 0x0804a020 vm_next shared with other processes or private to this process text vm_end vm_start vm_prot vm_flags vm_next 0x08048000 0 Linux Page Fault Handling process virtual memory Is the VA legal? vm_area_struct i.e. is it in an area defined by a vm_area_struct? if not then signal segmentation violation (e.g. (1)) vm_end vm_start r/o shared libraries vm_next 1 read vm_end vm_start r/w 3 read data vm_next 2 write vm_end vm_start r/o text vm_next 0 Is the operation legal? i.e., can the process read/write this area? if not then signal protection violation fault (e.g., (2)) If OK, handle the page fault e.g., (3) Memory Mapping Linux (also, UNIX) initializes the contents of a virtual memory area by associating it with an object on disk Create new vm_area_struct and page tables for area Areas can be mapped to one of two types of objects (i.e., get its initial values from) : Regular file on disk (e.g., an executable object file) The file is divided into page-sized pieces. The initial contents of a virtual page comes from each piece. If the area is larger than file section, then the area is padded with zeros. Anonymous file (e.g., bss) An area can be mapped to an anonymous file, created by the kernel. The initial contents of these pages are initialized as zeros Also, called demand-zero pages Key point: no virtual pages are copied into physical memory until they are referenced! Known as “demand paging” Crucial for time and space efficiency User-Level Memory Mapping void *mmap(void *start, int len, int prot, int flags, int fd, int offset) map len bytes starting at offset offset of the file specified by file description fd, preferably at address start (usually 0 for don’t care). prot: PROT_EXEC, PROT_READ, PROT_WRITE flags: MAP_PRIVATE, MAP_SHARED, MAP_ANON MAP_PRIVATE indicates a private copy-on-write object MAP_SHARED indicates a shared object MAP_ANON with NULL fd indicates an anonymous file (demand-zero pages) Return a pointer to the mapped area. Int munmap(void *start, int len) Delete the area starting at virtual address start and length len Shared Objects Why shared objects? Many processes need to share identical read-only text areas. For example, Each tcsh process has the same text area. Standard library functions such as printf It would be extremely wasteful for each process to keep duplicate copies in physical memory An object can be mapped as either a shared object or a private object Shared object Any write to that area is visible to any other processes that have also mapped the shared object. The changes are also reflected in the original object on disk. A virtual memory area into which a shared object is mapped is called a shared area. Private object Any write to that area is not visible to other processes. The changes are not reflected back to the object on disk. Private objects are mapped into virtual memory using copy-on-write. Only one copy of the private object is stored in physical memory. The page table entries for the private area are flagged as read-only Any write to some page in the private area triggers a protection fault The hander needs to create a new copy of the page in physical memory and then restores the write permission to the page. After the handler returns, the process proceeds normally Shared Object Process 1 virtual memory Physical memory Shared object Process 2 Process 1 virtual memory virtual memory Physical memory Shared object Process 2 virtual memory Private Object Process 1 virtual memory Physical memory Process 2 virtual memory Process 1 virtual memory Physical memory Process 2 virtual memory Copy-on-write Write to private copy-on-write page Private copy-on-write object Private copy-on-write object Exec() Revisited To run a new program p in the c urrent process using exec(): process-specific data structures (page tables, task and mm structs) physical memory same for each process stack kernel VM demand-zero process VM Memory mapped region for shared libraries .data .text kernel code/data/stack 0xc0 %esp libc.so brk runtime heap (via malloc) 0 uninitialized data (.bss) initialized data (.data) program text (.text) forbidden demand-zero .data .text p Free vm_area_struct’s and page tab les for old areas. Create new vm_area_struct’s and p age tables for new areas. stack, bss, data, text, shared libs. text and data backed by ELF executa ble object file. bss and stack initialized to zero. Set PC to entry point in .text Linux will swap in code and data pa ges as needed. Fork() Revisited To create a new process using fork(): Make copies of the old process’s mm_struct, vm_area_struct’s, and page tables. At this point the two processes are sharing all of their pages. How to get separate spaces without copying all the virtual pages from one space to a nother? “copy on write” technique. copy-on-write Make pages of writeable areas read-only flag vm_area_struct’s for these areas as private “copy-on-write”. Writes by either process to these pages will cause page faults. Fault handler recognizes copy-on-write, makes a copy of the page, and restores write permi ssions. Net result: Copies are deferred until absolutely necessary (i.e., when one of the processes tries to modify a shared page). Dynamic Memory Allocation Heap An area of demand-zero memory that begins immediately after the bss area. Allocator Maintains the heap as a collection of various sized blocks. Each block is a contiguous chunk of virtual memory that is either allocated or free. Explicit allocator requires the application to allocate and free space E.g., malloc and free in C Implicit allocator requires the application to allocate, but not to free sp ace The allocator needs to detect when an allocated block is no longer being used Implicit allocators are also known as garbage collectors. The process of automatically freeing unused blocks is known as garbage collection. E.g. garbage collection in Java, ML or Lisp Heap kernel virtual memory memory invisible to user code stack %esp Memory mapped region for shared libraries run-time heap (via malloc) uninitialized data (.bss) initialized data (.data) program text (.text) 0 the “brk” ptr points to the top of the heap Malloc Package #include <stdlib.h> void *malloc(size_t size) If successful: Returns a pointer to a memory block of at least size bytes (Typically) aligned to 8-byte boundary so that any kind of data object can be contained in the block If size == 0, returns NULL If unsuccessful (i.e. larger than virtual memory): returns NULL (0) and sets errno. Two other variations: calloc (initialize the allocated memory to zero) and realloc Use the mmap or munmap function, or use sbrk function void *realloc(void *p, size_t size) Changes the size of block pointed by p and returns pointer to the new block. Contents of the new block unchanged up to min of old and new size. void free(void *p) Returns the block pointed by p to pool of available memory p must come from a previous call to malloc or realloc. Malloc Example void foo(int n, int m) { int i, *p; /* allocate a block of n ints */ if ((p = (int *) malloc(n * sizeof(int))) == NULL) { perror("malloc"); exit(0); } for (i=0; i<n; i++) p[i] = i; /* add m bytes to end of p block */ if ((p = (int *) realloc(p, (n+m) * sizeof(int))) == NULL) { perror("realloc"); exit(0); } for (i=n; i < n+m; i++) p[i] = i; /* print new array */ for (i=0; i<n+m; i++) printf("%d\n", p[i]); free(p); /* return p to available memory pool */ } Allocation Examples p1 = malloc(4) p2 = malloc(5) p3 = malloc(6) free(p2) p4 = malloc(2) Requirements (Explicit Allocators) Applications: Can issue arbitrary sequence of allocation and free requests Free requests must correspond to an allocated block Allocators Can’t control the number or the size of allocated blocks Must respond immediately to all allocation requests i.e., can’t reorder or buffer requests Must allocate blocks from free memory i.e., can only place allocated blocks in free memory Must align blocks so they satisfy all alignment requirements 8 byte alignment for GNU malloc (libc malloc) on Linux boxes Can only manipulate and modify free memory Can’t move the allocated blocks once they are allocated i.e., compaction is not allowed Goals of Allocators Maximize throughput Throughput: number of completed requests per unit time Example: 5,000 malloc calls and 5,000 free calls in 10 seconds Throughput is 1,000 operations/second Maximize memory utilization Need to minimize “fragmentation”. Fragmentation (holes) – unused area There is a tradeoff between throughput and memory utilization Need to balance these two goals Good locality properties “Similar” objects should be allocated close in space Internal Fragmentation Poor memory utilization caused by fragmentation. Comes in two forms: internal and external fragmentation Internal fragmentation For some block, internal fragmentation is the difference between the block size and the payl oad size. block Internal fragmentation payload Internal fragmentation Caused by overhead of maintaining heap data structures, i.e. padding for alignment purposes. Any virtual memory allocation policy using the fixed sized block such as paging can suffer from internal fragmentation External Fragmentation Occurs when there is enough aggregate heap memory, but no single free block is large enough p1 = malloc(4) p2 = malloc(5) p3 = malloc(6) free(p2) p4 = malloc(6) oops! External fragmentation depends on the pattern of future requests, and thus is difficult to measure. Implementation Issues Free block organization How do we know the size of a free block? How do we keep track of the free blocks? Placement How do we choose an appropriate free block in which to place a newly allocated block? Splitting What do we do with the extra space after the placement? Coalescing What do we do with small blocks that have been freed p1 = malloc(1) How do we know the size of a block? Standard method Keep the length of a block in the word preceding the block. This word is often called the header field or header Requires an extra word for every allocated block Format of a simple heap block 31 malloc returns a pointer to the beginning of the payload 3 Block size 2 1 0 00a Payload (allocated block only) Padding (optional) a = 1: Allocated a = 0: Free The block size includes the header, payload, and any padding. Example p0 = malloc(4) p0 5 free(p0) Block size data Keeping Track of Free Blocks Method 1: Implicit list using lengths -- links all blocks 5 4 6 2 Method 2: Explicit list among the free blocks using pointers within the fre e blocks 5 4 6 Method 3: Segregated free list Different free lists for different size classes 2 Placement Policy First fit: Search list from the beginning, choose the first free block that fits Can take linear time in total number of blocks (allocated and free) (+) Tend to retain large free blocks at the end (-) Leave small free blocks at beginning Next fit: Like first-fit, but search the list starting from the end of previous search (+) Run faster than the first fit (-) Worse memory utilization than the first fit Best fit: Search the list, choose the free block with the closest size that fits (+) Keeps fragments small – better memory utilization than the other two (-) Will typically run slower – requires an exhaustive search of the heap Splitting Allocating in a free block - splitting Since allocated space might be smaller than free space, we might want to split the block 4 4 6 2 p addblock(p, 2) 4 4 4 2 2 Coalescing Coalescing When the allocator frees a block, there might be other free blocks that are adjacent. Such adjacent free blocks can cause a false fragmentation, where there is an enough free space, but chopped up into small, unusable free spaces. Need to coalesce next and/or previous block if they are free Coalescing with next block 4 4 4 2 2 p free(p) 4 4 6 But how do we coalesce with previous block? 2 Bidirectional Coalescing Boundary tags [Knuth73] Replicate size/allocated word (called footer) at the bottom of a block Allows us to traverse the “list” backwards, but requires extra space Important and general technique! – allow constant time coalescing 1 word Header Format of allocated and free blocks a payload and padding Boundary tag (footer) 4 size 4 4 size 4 6 a = 1: allocated block a = 0: free block size: total block size a payload: application data (allocated blocks only) 6 4 4 Constant Time Coalescing block being freed Case 1 Case 2 Case 3 Case 4 allocated allocated free free allocated free allocated free Constant Time Coalescing (Case 1) m1 1 m1 1 m1 1 m1 1 n 1 n 0 n 1 n 0 m2 1 m2 1 m2 1 m2 1 Constant Time Coalescing (Case 2) m1 1 m1 1 m1 1 m1 1 n 1 n+m2 0 n 1 m2 0 m2 0 n+m2 0 Constant Time Coalescing (Case 3) m1 0 n+m1 0 m1 0 n 1 n 1 n+m1 0 m2 1 m2 1 m2 1 m2 1 Constant Time Coalescing (Case 4) m1 0 m1 0 n 1 n 1 m2 0 m2 0 n+m1+m2 0 n+m1+m2 0 Implicit Lists: Summary Implementation is very simple Allocate takes linear time in the worst case Free takes constant time in the worst case -- even with coalescing Memory usage will depend on placement policy First fit, next fit or best fit Not used in practice for malloc/free because of linear time allocate. Used for special purpose applications where the total number of blocks is known beforehand to be small However, the concepts of splitting and boundary tag coalescing are gener al to all allocators. Keeping Track of Free Blocks Method 1: Implicit list using lengths -- links all blocks 5 4 6 2 Method 2: Explicit list among the free blocks using pointers within the free blocks 5 4 6 Method 3: Segregated free lists Different free lists for different size classes 2 Explicit Free Lists A B C Use data space for pointers Typically doubly linked Still need boundary tags for coalescing Forward links A 4 B 4 4 4 6 6 4 C 4 4 4 Back links Format of Doubly-Linked Heap Blocks 31 3 2 1 Block size a/f 0 31 Header 3 2 1 Block size a/f 0 Header pred (Predecessor) Payload succ (Successor) Padding (optional) Padding (optional) Block size a/f Allocated Block Footer Block size Free Block Old payload a/f Footer Freeing With Explicit Free Lists Insertion policy: Where in the free list do you put a newly freed block? LIFO (last-in-first-out) policy Insert freed block at the beginning of the free list (+) Simple and freeing a block can be performed in constant time. If boundary tags are used, coalescing can also be performed in constant time. Address-ordered policy Insert freed blocks so that free list blocks are always in address order i.e. addr(pred) < addr(curr) < addr(succ) (-) Freeing a block requires linear-time search (+) Studies suggest address-ordered first fit enjoys better memory utilization than LIFO-ordered first fit. Explicit List Summary Comparison to implicit list: Allocation time takes linear in the number of free blocks instead of total blocks Much faster allocates when most of the memory is full Slightly more complicated allocate and free since needs to splice blocks in and out of the list Extra space for the links (2 extra words needed for each block) This results in a larger minimum block size, and potentially increase the degree of internal fragmentation Main use of linked lists is in conjunction with segregated free lists Keep multiple linked lists of different size classes, or possibly for different types o f objects Keeping Track of Free Blocks Method 1: Implicit list using lengths -- links all blocks 5 4 6 2 Method 2: Explicit list among the free blocks using pointers within the fre e blocks 5 4 6 2 Method 3: Segregated free list Different free lists for different size classes Can be used to reduce the allocation time compared to a linked list organization Segregated Storage Partition the set of all free blocks into equivalent classes called size classes The allocator maintains an array of free lists, with one free list per size class ordered by increasing size. 1-2 3 4 5-8 9-16 Often have separate size class for every small size (2,3,4,…) Classes with larger sizes typically have a size class for each power of 2 Variations of segregated storage They differ in how they define size classes, when they perform coalescing, and when they request additional heap memory to OS, whether they allow splitting, and so on. Examples: simple segregated storage, segregated fits Simple Segregated Storage Separate heap and free list for each size class Free list for each size class contains same-sized blocks of the largest element size For example, the free list for size class {17-32} consists entirely of block size 32 To allocate a block of size n: If free list for size n is not empty, allocate the first block in its entirety If free list is empty, get a new page from OS, create a new free list from all the blo cks in page, and then allocate the first block on list To free a block: Simply insert the free block at the front of the appropriate free list (+) Both allocating and freeing blocks are fast constant-time operations. (+) Little per-block memory overhead: no splitting and no coalescing (-) Susceptible to internal and external fragmentation Internal fragmentation: since free blocks are never split External fragmentation: since free blocks are never coalesced Segregated Fits Array of free lists, each one for some size class Free list for each size class contains potentially different-sized blocks To allocate a block of size n: Do a first-fit search of the appropriate free list If an appropriate block is found: Split (option) the block and place the fragment on the appropriate list If no block is found, try the next larger class and repeat this until block is found If none of free lists yields a block that fits, request additional heap memory to OS, allocate the block out of this new heap memory, and place the remainder in the largest size To free a block: Coalesce and place on the appropriate list (+) Fast Since searches are limited to part of the heap rather than the entire heap area However, coalescing can increase search times (+) Good memory utilization A simple first-fit search approximates a best-fit search of the entire heap Popular choice for production-quality allocators such as GNU malloc Garbage Collection Garbage collector: dynamic storage allocator that automatically frees allocated blocks that are no longer used Implicit memory management: an application never has to free void foo() { int *p = malloc(128); return; /* p block is now garbage */ } Common in functional languages, scripting languages, and modern object oriented languages: Lisp, ML, Java, Perl, Mathematica, Variants (conservative garbage collectors) exist for C and C++ Cannot collect all garbages Garbage Collection How does the memory manager know when memory can be freed? In general we cannot know what is going to be used in the future since it depends on conditionals But we can tell that certain blocks cannot be used if there are no pointers to them Need to make certain assumptions about pointers Memory manager need to distinguish pointers from non-pointers Garbage Collection Garbage collectors views memory as a reachability graph and periodically reclaim the unreachable nodes Classical GC Algorithms Mark and sweep collection (McCarthy, 1960) Does not move blocks (unless you also “compact”) Reference counting (Collins, 1960) Does not move blocks (not discussed) Copying collection (Minsky, 1963) Moves blocks (not discussed) Memory as a Graph Reachability graph: we view memory as a directed graph Each block is a node in the graph Each pointer is an edge in the graph Locations not in the heap that contain pointers into the heap are called root node e.g. registers, locations on the stack, global variables Root nodes Heap nodes reachable Not-reachable (garbage) A node (block) is reachable if there is a path from any root to that node. Non-reachable nodes are garbage (never needed by the application) Mark and Sweep Garbage Collectors A Mark&Sweep garbage collector consists of a mark phase followed by a sweep phase Use extra mark bit in the head of each block When out of space: Mark: Start at roots and set mark bit on all reachable memory blocks Sweep: Scan all blocks and free blocks that are not marked Mark bit set root Before mark After mark After sweep free free Mark and Sweep (cont.) Mark using depth-first traversal of the memory graph ptr mark(ptr p) { if (!is_ptr(p)) return; if (markBitSet(p)) return setMarkBit(p); for (i=0; i < length(p); i++) mark(p[i]); return; } // // // // Sweep using lengths to find next block ptr sweep(ptr p, ptr end) { while (p < end) { if markBitSet(p) clearMarkBit(); else if (allocateBitSet(p)) free(p); p += length(p); } do nothing if not pointer check if already marked set the mark bit mark all children Functions is_ptr(p): If p is a pointer to an allocated block, return a pointer b to the beginning of that block. Return NULL otherwise. blockMarked(b): return true if block b is already marked blockAllocated(b): return true if block b is allocated length(b): returns the length of block b Common Memory-Related Bugs in C Dereferencing bad pointers Reading uninitialized memory Stack buffer overflow Assuming pointers and the objects are the same size Making Off-by-One errors Referencing a pointer instead of the object Misunderstanding pointer arithmetic Referencing nonexistent variables Freeing blocks multiple times Referencing freed blocks Memory leaks Dereferencing Bad Pointers Bad pointers There are large holes in the virtual address space of a process that are not mapped to any meaningful data. If we attempt to dereference a pointer into one of these holes, the process will cause a segmentation exception The classic scanf bug Read an integer from stdin into a variable scanf(“%d”, val); In the best case, the program terminates immediately with an exception In the worst case, the content of val correspond to some valid read/write area, and we overwrite memory, usually with disastrous consequence much later The correct form is scanf(“%d”, &val); Reading Uninitialized Memory Assuming that heap data is initialized to zero While .bss sections are always initialized to zeros by the loader, this is not true for heap memory. /* return y = Ax */ int *matvec(int **A, int *x) { int *y = malloc(N*sizeof(int)); int i, j; for (i=0; i<N; i++) for (j=0; j<N; j++) y[i] += A[i][j]*x[j]; return y; } Should use ‘calloc’ instead of ‘malloc’ Stack Overflow Buffer overflow A program can run into a buffer overflow bug if it writes to a target buffer on the stack without examining the size of the input string Void bufoverflow() { char buf[64]; gets(buf); return; } gets function copies an arbitrary length string to the buffer. To fix this, should use fgets, which limits the size of the input string. Basis for classic buffer overflow attacks 1988 Internet worm Modern attacks on Web servers AOL/Microsoft IM war Pointers and the Objects are Different in Size Allocating the (possibly) wrong sized object Create an array of n pointers, each of which points to an array of m ints. int **p; p = malloc(N*sizeof(int)); for (i=0; i<N; i++) { p[i] = malloc(M*sizeof(int)); } If we run this code on Alpha processor, where a pointer is larger than an int, The for loop will write past the end of the A array. Should use sizeof(int *) for the first malloc Off-by-One Errors Off-by-one error Try to initialize n+1 elements instead of n int **p; p = malloc(N*sizeof(int *)); for (i=0; i<=N; i++) { p[i] = malloc(M*sizeof(int)); } Pointer vs Object Referencing a pointer instead of the object it points to int *BinheapDelete(int **binheap, int *size) { int *packet; packet = binheap[0]; binheap[0] = binheap[*size - 1]; *size--; Heapify(binheap, *size, 0); return(packet); } The two unary operators – and * have the same precedence and right-associativity Will decrement pointer and then dereference The correct form is (*size)-- Pointer Arithmetic Misunderstanding pointer arithmetic int *search(int *p, int val) { while (*p && *p != val) p += sizeof(int); return p; } p += 4 will incorrectly scans every fourth integer in the array The correct form is p++ Referencing Nonexistent Variables Forgetting that local variables disappear when a function returns Later, if the program assigns some value to the pointer, it might modify an entry in another function’s stack frame int *foo () { int val; return &val; } Referencing Freed Blocks Evil! Reference data in heap blocks that have already been freed! x = malloc(N*sizeof(int)); <manipulate x> free(x); ... y = malloc(M*sizeof(int)); for (i=0; i<M; i++) y[i] = x[i]++; Failing to Free Blocks (Memory Leaks) Slow, long-term killer! foo() { int *x = malloc(N*sizeof(int)); ... return; } Memory leaks are particularly serious for programs such as deamons and servers, which by definition never terminate. Homework 7 Read Chapter 8 from Computer System Textbook Exercise 9.11 9.13 9.15 9.17 9.19