Ravenbrook / Projects / Memory Pool System / Master Product Sources / Design Documents

Memory Pool System Project


              SUNOS 4 IMPLEMENTATION OF PROTECTION MODULE
                           design.mps.protsu
                             incomplete doc
                             drj 1997-03-20

INTRODUCTION

.readership: Any MPS developer

.intro: This is the design of the SunOS 4 implementation of the protection 
module.  It is intended to be used only in SunOS 4 (os.su).  It makes use of 
various services provided by SunOS 4.

[largely unwritten]

REQUIREMENTS

.req.general: Required to implement the general protection interface defined in 
design.mps.prot.if.*.


OVERVIEW

[uses mprotect]

MISC

.improve.sig-stack: Currently we do not handle signals on a separate signal 
stack.  If we handled signals on our own stack then we could guarantee not to 
run out of stack while we were handling the signal.  This would be useful (it 
may even be required).  We would have to use sigvec(2) rather than signal(3) 
(set the SV_ONSTACK flag and use sigstack(2)).  This has drawbacks: the 
signal stack is not grown automatically, so we would have to frig the stacks 
back if we wanted to pass on the signal to some other handler, as that handler 
may require arbitrary amounts of stack.

.improve.sigvec: Note 1 of ProtSetup notes that we can't honour the sigvec(2) 
entries of the next handler in the chain.  What if, when we want to pass on the 
signal, instead of calling the handler directly we call sigvec with the old 
entry, use kill to send the signal to ourselves, and then restore our handler 
using sigvec again?  ramble ramble. [need more detail and analysis here].

assume mprotect never fails and why.  [We also need a policy here]

DATASTRUCTURES

.data.signext: This is static, because that is the only communications channel 
available to signal handlers. [write a little more here]


FUNCTIONS

.fun.setup:

ProtSetup

The setup involves installing a signal handler for the signal SIGSEGV to catch 
and handle protection faults (this handler is the function sigHandle, see 
.fun.sighandle).  The previous handler is recorded (in the variable sigNext, see 
.data.signext) so that sigHandle can pass the signal on to it if sigHandle 
fails to handle the fault.

The problem with this approach is that we can't honour the wishes of the 
sigvec(2) entry for the previous handler (in terms of masks in particular).

Obviously it would be okay to always chain the previous signal handler onto 
sigNext; however, in the case where the previous handler is the one we've just 
installed (i.e., sigHandle) it is not necessary to chain the handler, so we 
don't.

.fun.set:

void ProtSet(Addr base, Addr limit, AccessSet mode)

.fun.set.convert: The requested protection (which is expressed in the mode 
parameter, see design.mps.prot.if.set) is translated into an OS protection.  If 
read accesses are to be forbidden then all accesses are forbidden; this is done 
by setting the protection of the page to PROT_NONE.  If write accesses are to be 
forbidden (and not read accesses) then write accesses are forbidden and read 
accesses are allowed; this is done by setting the protection of the page to 
PROT_READ|PROT_EXEC.  Otherwise (all accesses are okay), the protection is set to 
PROT_READ|PROT_WRITE|PROT_EXEC.

.fun.set.assume.mprotect: We assume that the call to mprotect always succeeds.  
This is because we should always call the function with valid arguments 
(aligned, references to mapped pages, and with an access that is compatible 
with the access of the underlying object).
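The following is an added example, not MPS code, sketching the .fun.setup and 
.fun.set designs above on a POSIX host: sigaction(2) with SA_SIGINFO stands in 
for sigvec(2), the AccessSet bit values and the single-region bookkeeping are 
assumptions of this sketch, and the chaining checks only what the text 
describes (chain unless the previous handler is already sigHandle).

```c
/* Added example (not MPS code): POSIX sketch of the SunOS 4 protection module.
 * Assumptions: sigaction/siginfo in place of sigvec, AccessSet bit values,
 * and a single protected region instead of an arena lookup. */
#define _GNU_SOURCE
#include <assert.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef unsigned AccessSet;
#define AccessREAD  ((AccessSet)1)   /* assumed bit values, not from the page */
#define AccessWRITE ((AccessSet)2)

static long pageSize(void)
{
  static long size;
  if (size == 0) size = sysconf(_SC_PAGESIZE);  /* cached so the handler never calls sysconf */
  return size;
}

/* .fun.set.convert: translate the set of forbidden accesses into an OS protection. */
int protModeToOs(AccessSet mode)
{
  if (mode & AccessREAD)  return PROT_NONE;               /* forbid everything */
  if (mode & AccessWRITE) return PROT_READ | PROT_EXEC;   /* read-only */
  return PROT_READ | PROT_WRITE | PROT_EXEC;              /* all accesses okay */
}

/* .data.signext: static, the only channel a signal handler can reach. */
static struct sigaction sigNext;
static char *protBase, *protLimit;              /* the one region this sketch tracks */
static volatile sig_atomic_t faultsHandled;

/* .fun.set: callers pass aligned, mapped addresses, so mprotect must not fail;
 * a failure here is a caller bug, not a condition to recover from. */
void ProtSet(char *base, char *limit, AccessSet mode)
{
  assert((uintptr_t)base % pageSize() == 0 && (uintptr_t)limit % pageSize() == 0);
  if (mprotect(base, (size_t)(limit - base), protModeToOs(mode)) != 0)
    abort();
}

/* .fun.sighandle: a protection fault inside our region is handled by lifting the
 * protection and returning, so the faulting access is retried; anything else is
 * passed on to the handler recorded in sigNext. */
static void sigHandle(int sig, siginfo_t *info, void *ctx)
{
  char *addr = (char *)info->si_addr;
  if (info->si_code == SEGV_ACCERR && addr >= protBase && addr < protLimit) {
    faultsHandled++;
    ProtSet(protBase, protLimit, 0);
    return;
  }
  if (sigNext.sa_flags & SA_SIGINFO)
    sigNext.sa_sigaction(sig, info, ctx);
  else if (sigNext.sa_handler == SIG_DFL)
    sigaction(sig, &sigNext, NULL);   /* default disposition applies on retry */
  else if (sigNext.sa_handler != SIG_IGN)
    sigNext.sa_handler(sig);
}

/* .fun.setup: install sigHandle and record the previous handler, unless the
 * previous handler is already sigHandle, in which case nothing is chained. */
void ProtSetup(void)
{
  struct sigaction sa, old;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = sigHandle;
  sa.sa_flags = SA_SIGINFO;
  sigemptyset(&sa.sa_mask);
  if (sigaction(SIGSEGV, &sa, &old) != 0) abort();
  if (!((old.sa_flags & SA_SIGINFO) && old.sa_sigaction == sigHandle))
    sigNext = old;
}

/* Demonstration: a write to a PROT_NONE page is caught and retried exactly once,
 * and a SIGSEGV that is not a protection fault is chained to the old handler. */
static volatile sig_atomic_t chainedCalls;
static void previousHandler(int sig) { (void)sig; chainedCalls++; }

int demoProtectedWrite(void)
{
  size_t len = (size_t)pageSize();
  char *page = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  volatile char *cell = page;
  if (page == MAP_FAILED) return -1;
  signal(SIGSEGV, previousHandler);    /* a pre-existing handler to chain to */
  ProtSetup();
  ProtSetup();                         /* second setup must not chain to itself */
  protBase = page; protLimit = page + len;
  faultsHandled = 0; chainedCalls = 0;
  ProtSet(protBase, protLimit, AccessREAD | AccessWRITE);   /* PROT_NONE */
  cell[0] = 42;                        /* faults once; sigHandle lifts the protection */
  int ok = cell[0] == 42 && faultsHandled == 1;
  raise(SIGSEGV);                      /* not SEGV_ACCERR: must reach previousHandler */
  ok = ok && chainedCalls == 1;
  munmap(page, len);
  return ok;
}

int main(void) { return demoProtectedWrite() == 1 ? 0 : 1; }
```

The si_code check matters: a SIGSEGV raised by kill(2) or by a stray pointer 
outside the region carries no SEGV_ACCERR, and treating it as a protection 
fault would silently unprotect memory and retry a genuinely bad access, so 
such signals are chained instead.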

.fun.sync:

void ProtSync(Space space);

This does nothing in this implementation as ProtSet sets the protection without 
any delay.

.fun.tramp:

void ProtTramp(void **resultReturn, void *(*f)(void *, size_t), void *p, size_t s);

The protection trampoline is trivial under SunOS, as there is nothing that 
needs to be done in the dynamic context of the mutator in order to catch 
faults.  (Contrast this with Win32 Structured Exception Handling.)


A. References

B. Document History

2002-06-07 RB Converted from MMInfo database design document.

C. Copyright and License

This document is copyright © 1995-2002 Ravenbrook Limited. All rights reserved. This is an open source license. Contact Ravenbrook for commercial licensing options.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the this software and any accompanying software that uses this software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs.

This software is provided by the copyright holders and contributors "as is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement, are disclaimed. In no event shall the copyright holders and contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.


$Id: //info.ravenbrook.com/project/mps/branch/2002-05-22/open-source-prep/design/protsu/index.html#1 $
