
OS8 Address Spaces
Volume Number:12
Issue Number:11
Column Tag:Book Excerpt

Mac OS 8 Address Spaces and Memory Protection

By Tony Francis

[As you may have heard by now, Apple has made the announcement that Mac OS 8 (aka Copland) will be delivered in parts instead of one large release. The first of these releases is slated for January, 1997. Some Mac OS 8 technologies previously announced may not ever be part of any release - but many are and will be implemented over the next 18 months. This month, we’re bringing you an excerpt from Mac OS 8 Revealed by Addison-Wesley. This book contains important information/background about technologies that are definitely to come in one release or another. We at MacTech felt it was important for you to see what is coming so that you could intelligently plan for, discuss, and debate these new parts of the operating system. If you’d like to know more about other technologies, Mac OS 8 Revealed is a good source of information - just be aware of which technologies are coming in which timeframes (and if at all) when you do your planning. - Ed. nst]

We are indebted to Addison Wesley Longman for permission to reproduce an edited version of Chapter 3 from Mac OS 8 Revealed by Tony Francis. Copyright © 1996 by Tony Francis. Addison-Wesley Publishing Company, One Jacob Way, Reading, MA 01867. 617/944-3700. Suggested retail price $34.95. Available at your local bookstore, by calling 1-800-822-6339, or through DevDepot™.

When a program is launched (for instance, when a user double-clicks its icon), the operating system prepares the program code for execution, creates memory areas for the code and its temporary data, and assigns locations for the code and data within these memory areas. In this way, the program becomes instantiated as a process on the computer. The memory areas created for a process lie within a 4-gigabyte (GB) range of logical addresses. This range of addressable memory constitutes the address space for that process.

Mac OS 8 maintains multiple simultaneous address spaces. A program can’t reference any memory locations outside of its address space. Therefore, if code in a given address space malfunctions, it can’t corrupt the data in a different address space. Mac OS 8 provides other forms of memory protection, too. Mac OS 8 protects all code, for example, by mapping it into read-only memory areas where it can’t be corrupted by any errant code elsewhere in the system. Crucial system data is protected because it’s stored in memory areas where operating system services (such as the microkernel, device drivers, and the file system) have read/write permission to the data, but application-level software has read-only permission. This greatly decreases the ability of applications to cause a system-wide crash. Yet another kind of memory protection, called guard pages, enhances system stability by limiting the amount of damage that software can do if it attempts to read or write outside the memory area it’s entitled to access.

Key Terms and Concepts

• A process is an instance of a program running at execution time. A process is characterized by a set of one or more tasks and the operating system resources necessary to support those tasks.

• A task is the basic unit of program execution in Mac OS 8. Every process has at least one task. As you’ll read in the next chapter, each task is assigned a priority and, when eligible for execution, is preemptively scheduled by the microkernel.

• A memory area is a range of logical addresses.

• Virtual memory is addressable memory beyond the limits of available physical memory. Mac OS 8 extends physical memory by storing on a secondary storage device, such as a hard disk, code and data not immediately required by the CPU.

• A logical address is a memory address used by code when it’s running. By comparison, a physical address is a memory address represented by bits on a physical address bus. Physical addresses are assigned to memory locations in RAM chips and to various hardware devices. When executing code, the CPU translates the logical addresses of an address space into physical addresses.

• An access permission stipulates whether other programs can read from or write to a memory area.

• A guard page is a 4-kilobyte (K) range of logical addresses that excludes all program access. Guard pages may appear at the beginnings and ends of memory areas to help prevent code from inadvertently accessing the wrong memory areas. If a programming error causes code to reference a guard page, the CPU generates an exception before the erring code can adversely affect a contiguous memory area.

Major Points of Interest

All code and data for a process exist within an address space. Because Mac OS 8 uses a 32-bit address space, which is the maximum size supported by the PowerPC CPU, an address space can contain up to 2^32 addresses. In every address space, in other words, addressable locations number up to 4GB.

A 4-GB address space encompasses far more memory addresses than are available in physical memory on most computers. So Mac OS 8 uses a virtual memory system to extend the range of addressable memory beyond what is available in physical memory. The virtual memory system stores unused portions of code and data on a secondary storage device, such as hard disk. The virtual memory system then transfers into physical memory only those portions immediately needed by the CPU. (As you’ll see in Chapter 6, the virtual memory system also makes efficient use of secondary storage by using only enough disk space to support currently open programs.)

When launching a program, the operating system creates memory areas that constitute only a small portion of an address space. The operating system creates a memory area for the program code, and it creates an initial memory area for the program to store the data (such as its global variables and dynamic data structures) that it needs while it’s running. Other portions of an address space are unavailable to the program because they’re used to store code (including code for the microkernel and code for the libraries used by the program), or they’re reserved for other uses by the operating system. From the 4GB of logical addresses in a single address space, at least 1GB is available to programs for data storage.

As you’ll see in Chapter 7, the operating system dynamically creates and releases memory areas as needed so that programs can store temporary data. The Dynamic Storage-Allocation Services provided by Mac OS 8 also allow developers to create their own memory areas suitable for special program needs.

For overall system stability, Mac OS 8 employs multiple address spaces. The data referenced by a program in one address space is inaccessible to programs in other address spaces. Therefore, programming errors affecting one address space are isolated from all other address spaces. For example, suppose that a game program has a programming error that corrupts portions of its address space, causing the game to crash. Operating on data in its own address space, a World Wide Web server program continues serving web pages, immune to the game’s error.

Within an address space, areas of memory may be further protected by access permissions. For example, all executable code in Mac OS 8 is stored in read-only memory areas where code can’t possibly be corrupted. And data used by critical portions of the operating system, such as the microkernel, is kept in areas protected by access permissions that prevent applications from corrupting it.

For compatibility with System 7 applications, which rely on a single address space, all cooperative programs share a single address space. Every server program, by comparison, is given its own address space.

The Cooperative Program Address Space

Whereas Mac OS 8 supports multiple address spaces, System 7 supports only one address space. To provide compatibility for System 7 applications, many of which are designed to read or manipulate each other’s data structures, Mac OS 8 assigns all cooperative programs to a shared address space. Figure 3.1 illustrates the cooperative-program address space for a system on which the user has launched an e-mail editing program and a game program from the Finder program. All three cooperative programs store their temporary data in this address space. (These applications, by the way, are cooperative programs because they present a human interface.)

Figure 3.1: Cooperative programs sharing an address space

The figures in this book don’t literally represent the layout of logical memory. For example, data for the Finder appears near the top of the address space in Figure 3.1; however, Finder data isn’t necessarily mapped into memory areas at the top of the cooperative address space.

Whereas the amount of memory that’s available to applications in System 7 is usually far less than 4GB, an entire 4-GB address space is available to them in Mac OS 8. This large amount of addressable memory, backed by the Mac OS 8 virtual memory system, allows the user to keep many more applications open simultaneously than is possible in System 7.

Like Mac OS 8, System 7 uses a 32-bit address space, where any address between 0x0000 0000 and 0xFFFF FFFF is a valid logical address. In System 7, however, the range of logical addresses actually available from this address space is determined at system startup by the amount of virtual memory previously selected by the user. Mac OS 8, by comparison, dynamically allocates storage locations from this address range to satisfy program needs as they arise.

For example, if a user in System 7 sets total memory to 12MB and launches an e-mail application and a game, they’d share 12MB of addressable memory even if they required only 5MB between them. If the user then tried to launch a photo-editing application requiring 8MB of addressable memory, the program would fail to open because of insufficient memory. To launch the photo-editing program, the user would need to quit the e-mail application or the game.

When these same programs are launched in Mac OS 8, the operating system supplies their memory needs dynamically. For example, the operating system allocates from the 4-GB address space only the 5MB necessary to run the e-mail program and the game. When the user launches the photo-editing application, the operating system allocates another 8MB from this address space. As the user launches more applications, Mac OS 8 continues allocating more addressable memory from the address space. (As you’ll see in Chapter 6, the number and size of applications that the user may launch are constrained only by the disk space available to the virtual memory system for storing temporary data. To extend virtual memory without consuming any additional disk space, the operating system memory-maps the disk files of all code used at execution time.)

The enormous range of addressable memory that Mac OS 8 supplies to cooperative programs nearly eliminates the memory fragmentation problems experienced by users of operating systems supplying smaller amounts of addressable memory. For example, a System 7 user might launch enough applications to fill all 12MB of available memory and then quit two applications to release 8MB of memory. If the two applications weren’t contiguous in memory, the total available memory might be fragmented into two 4-MB areas, preventing the user from launching a 5-MB application. On a Mac OS 8 system, memory for this application would be allocated from some unused portion of the 4-GB address space.

Protected Address Spaces for Server Programs

When a server program is launched (usually this happens automatically when the user starts the computer), the operating system instantiates the process for that server program in its own address space. Because every server program exists in its own address space, where other programs can’t address its data, server programs are protected from possible programming errors in cooperative programs and other server programs.

Figure 3.2 illustrates separate address spaces for two server programs: an e-mail server program and a World Wide Web server program. Each program operates on data stored exclusively in its own address space.

Figure 3.2: Server programs protected by separate address spaces

To protect a program from being corrupted by other programs, a developer can implement portions of an application as a server program. Only the portions of an application that incorporate a human interface need to be implemented in a cooperative program. For example, after a user writes an electronic mail message with an e-mail editing program, that cooperative program can call an e-mail server program and request the server program to deliver the message over a network. Likewise, the e-mail server program can receive messages sent to the user from across the network and store them until the user is ready to read them with the e-mail editing program.

To protect critical system data and increase system reliability, many nonprivileged Mac OS 8 services are implemented as server programs. For example, the Process Manager and the Font Manager (which provides font-rendering services to the system) are implemented as server programs, each in its own protected address space. As you’ll see later in this chapter, privileged code, such as the microkernel, has protection mechanisms of its own.

Another benefit to designing software as a server program is that it has an address space all to itself for storing its temporary data. Cooperative programs, by contrast, must share their address space with each other, reducing the amount of address space available to each cooperative program.

Address Space Switching by the Microkernel

The CPU can read from and write to the memory of only one address space at a time. The microkernel is responsible for keeping track of all the memory addresses for the code and data residing in these address spaces. The microkernel manages these address spaces so that the CPU works with only one address space at a time.

Figure 3.3: Switching between address spaces

Figure 3.3 symbolizes how the microkernel manages multiple address spaces. In this figure, address spaces are represented as slides in a slide projector. The microkernel operates like the slide projector: while many address spaces are available, the microkernel projects only one at a time onto the CPU. In this figure, the microkernel is projecting the cooperative program address space onto the CPU, represented here as a projection screen. When the microkernel determines that it’s time for one of the server programs to execute on the CPU, the microkernel “projects” that program’s address space onto the CPU. (Chapter 4 explains how the operating system determines which task of which program gets to execute on the CPU at any given moment.)

System-Wide and Shared Memory Areas

A memory area is a range of logical addresses within an address space. In addition to supporting memory areas specific to individual address spaces, Mac OS 8 also maintains

• system-wide memory areas, which can be referenced across all address spaces

• shared memory areas, which can be referenced within two or more address spaces

A system-wide memory area appears at the same location in every address space. The contents of a system-wide area are potentially visible in all address spaces. For example, the microkernel employs system-wide memory areas for storing its own data, as shown in Figure 3.4. The microkernel is essentially a process that exists simultaneously in every address space. By storing its data in system-wide memory areas, the microkernel can efficiently manage system-wide responsibilities. (To protect the stability of the entire system, only other essential operating system services, such as device drivers, have permission to change the data in the microkernel’s system-wide memory areas. Access permissions are described in the next section.)

The operating system also maps all executable code into system-wide memory areas. Thus, a single copy of the code from any library (such as any of the libraries implementing operating system services) can be efficiently shared by all of the programs using that library. As Figure 3.4 illustrates, the code for all programs on a system exists in identical locations across all address spaces in the system, even though the programs store their data in memory areas local to each address space.

Figure 3.4: System-wide memory areas

A program can create a system-wide memory area to share its data with programs in other address spaces. More likely, however, a program will use a shared memory area for this purpose. A shared memory area exists in two or more address spaces, but not necessarily all address spaces. A shared memory area can begin at the same address in various address spaces (which is useful if shared data is accessed by pointers, because pointers contain memory addresses), or it can begin at different addresses. A shared memory area can have different access permissions in different address spaces. For example, a program can write data into a shared memory area in its own address space but, as you’ll see in the next section, make the data read-only to programs in other address spaces, thereby granting other programs access to a reliable copy of the data.
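An added POSIX illustration of a shared memory area that carries different permissions in two address spaces (not code from the book; the chapter does not show Mac OS 8's own calls). The owner maps a file-backed area read/write, and a forked reader process maps the same area read-only through a read-only descriptor. The names share_result, reader and run_shared_area_demo, the /tmp path and the "price=42" data are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define AREA_LEN 4096
#define MESSAGE "price=42"          /* constructed sample data */

struct share_result {               /* hypothetical result record */
    int reader_saw_owner_write;     /* reader read what the owner wrote after fork */
    int upgrade_refused;            /* reader could not raise itself to read/write */
    int reader_write_faulted;       /* reader's write ended in a CPU exception */
    int owner_data_intact;          /* owner's data unchanged afterwards */
};

/* Reader side: runs in the child process, i.e. in a separate address space.
 * Exit codes tell the owner how far the reader got. */
static void reader(int ro_fd, int sync_fd)
{
    char go;
    volatile char *view = mmap(NULL, AREA_LEN, PROT_READ, MAP_SHARED, ro_fd, 0);

    if (view == MAP_FAILED) _exit(10);
    if (read(sync_fd, &go, 1) != 1) _exit(11);      /* wait for the owner's write */
    if (strcmp((const char *)view, MESSAGE) != 0) _exit(12);
    /* A read-only descriptor cannot back a writable shared mapping. */
    if (mprotect((void *)view, AREA_LEN, PROT_READ | PROT_WRITE) == 0) _exit(13);
    view[0] = 'X';      /* exception: the default signal action ends the reader */
    _exit(15);          /* reached only if the write was allowed */
}

/* Owner side: create the area, share it, and record what the reader could do. */
int run_shared_area_demo(struct share_result *r)
{
    char path[] = "/tmp/shared_area_XXXXXX";
    int rw_fd, ro_fd, sync_pipe[2], status;
    char *area;
    pid_t pid;

    memset(r, 0, sizeof *r);
    if ((rw_fd = mkstemp(path)) < 0)
        return -1;
    ro_fd = open(path, O_RDONLY);   /* the only handle the reader will keep */
    unlink(path);
    if (ro_fd < 0 || ftruncate(rw_fd, AREA_LEN) != 0 || pipe(sync_pipe) != 0)
        return -1;
    area = mmap(NULL, AREA_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, rw_fd, 0);
    if (area == MAP_FAILED || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        signal(SIGSEGV, SIG_DFL);
        signal(SIGBUS, SIG_DFL);
        munmap(area, AREA_LEN);     /* drop the inherited read/write view */
        close(rw_fd);
        close(sync_pipe[1]);
        reader(ro_fd, sync_pipe[0]);
    }
    close(sync_pipe[0]);
    strcpy(area, MESSAGE);          /* written after the fork */
    if (write(sync_pipe[1], "g", 1) != 1 || waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status)) {      /* reader passed both checks, then faulted */
        int sig = WTERMSIG(status);
        r->reader_write_faulted = (sig == SIGSEGV || sig == SIGBUS);
        r->reader_saw_owner_write = r->upgrade_refused = r->reader_write_faulted;
    } else if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        r->reader_saw_owner_write = (code == 13 || code == 15);
        r->upgrade_refused = (code == 15);
    }
    r->owner_data_intact = (strcmp(area, MESSAGE) == 0);
    munmap(area, AREA_LEN);
    close(rw_fd);
    close(ro_fd);
    close(sync_pipe[1]);
    return 0;
}

int main(void)
{
    struct share_result r;

    if (run_shared_area_demo(&r) != 0)
        return 1;
    printf("saw owner write=%d upgrade refused=%d write faulted=%d intact=%d\n",
           r.reader_saw_owner_write, r.upgrade_refused,
           r.reader_write_faulted, r.owner_data_intact);
    return 0;
}
```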

Additional Forms of Memory Protection

You’ve seen how Mac OS 8 separates server programs into their own address spaces, making them and the entire system more reliable. In addition to the protection afforded by separate address spaces, Mac OS 8 offers two more levels of memory protection that reduce the possibility of one program corrupting the code or data used by another:

• access permissions for memory areas

• guard pages for memory areas

Access Permissions for Memory Areas

Access permissions provide additional protection to memory areas, even to those within a single address space. A program can create a memory area and set one of these three permission levels:

• read/write, which allows tasks in the same address space to view and change the contents of the memory area

• read-only, which allows tasks in the same address space to view but not change the contents of the memory area

• excluded, which forbids all tasks from reading from and writing to the memory area

When a program or the operating system assigns either read-only or excluded permission to a memory area, its contents are safe from corruption from other programs because no other program can write to that memory area. If a program or the operating system attempts to access a memory area to which it has insufficient access privileges, the processor generates an exception. An exception is an error or other special condition that is detected by the CPU during code execution. An exception transfers control from the code generating the exception to another piece of code, usually an exception handler.

As you’ve seen, the operating system maps all executable code into system-wide memory areas. These areas are assigned read-only permission, thereby preventing any program from writing over and corrupting the code of any other program.

If a program needs to share data with other programs, it can create a read-only memory area for the data. The creator of a memory area can also specify separate access permissions for nonprivileged and privileged code. Nonprivileged code is executed while the CPU is in user mode. User mode, in turn, is a state of operation for the PowerPC CPU that protects certain processor resources, such as various processor registers, from being modified. Nonprivileged code is restricted from using various CPU instructions and hardware addresses and from changing data used by critical portions of the operating system. (To protect the stability of the user’s system, most code in Mac OS 8 runs while the processor is in user mode.) (A processor register is a named area of high-speed memory located on the CPU.)

Only the code for device drivers, the microkernel, and some other portions of the operating system is privileged. Privileged code is executed while the CPU is in supervisor mode. Supervisor mode, in turn, is a state of operation for the PowerPC CPU that allows full access to critical processor resources, such as all processor instructions and the tables that control memory protection. Privileged code can execute CPU instructions that are restricted from nonprivileged code and can access hardware addresses invisible to nonprivileged code.

The data used by privileged code can be excluded from nonprivileged code. A device driver, for example, may create a memory area that allows read/write access to privileged software but read-only access to nonprivileged software. Even privileged software can be denied write access to a memory area. For example, the system-wide memory areas containing code are always assigned read-only access for both privileged and nonprivileged software. Video RAM, which also resides in a system-wide memory area, is assigned read/write permission for both nonprivileged and privileged code.

(As a sidelight, it should be noted that to help protect system reliability, only privileged code can switch the CPU between supervisor mode and user mode. The microkernel always runs in supervisor mode; functions that call the microkernel cause the CPU to switch to supervisor mode. Before returning execution control back to nonprivileged code, the microkernel switches the CPU back to user mode.)

Guard Pages

A page is the smallest unit, measured in bytes, of information that the virtual memory system can transfer between physical memory and backing store. As you’ll see in Chapter 6, a memory area is always a multiple of some number of pages.

Guard pages provide another level of protection, even to memory areas with read/write permission. When any program is launched in Mac OS 8, the operating system automatically places one or more guard pages at each end of the program’s stack and around the areas (sometimes known as heaps) created for its dynamic memory allocation needs. A program can specify its own number of guard pages to appear at the beginning and end of these areas and around any additional memory areas it creates. Mac OS 8 allows no access whatsoever to guard pages; neither privileged nor nonprivileged software can write to or read from them.

Figure 3.5: A memory area with guard pages

Figure 3.5 illustrates a memory area with guard pages. If any code, even for the program using that memory area, attempts to access a guard page, the CPU generates an exception. For example, a program can surround its stack with a range of guard pages equal to the length of its maximum stack frame. These guard pages then prevent the program’s stack from overflowing into the memory area of any other program. If the stack were to overflow and the stack attempted to access one of its guard pages, the CPU would send an exception to the program with the overflowing stack, resulting in the termination of that program before it could adversely affect any adjoining memory areas.

(A stack is a memory area where a task stores some of its temporary variables during execution. A stack frame is the area of the stack used by a routine for its parameters, return address, local variables, and temporary storage.)
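The access permissions and guard pages described in the two sections above can be observed on any POSIX system. This added example is not from the book or from Mac OS 8, whose memory-area calls the chapter does not name; it uses mmap and mprotect as stand-ins, with PROT_NONE playing the role of the excluded permission. The names guarded_area, area_perm and access_faults are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The three permission levels the chapter lists for a memory area. */
enum area_perm { PERM_EXCLUDED, PERM_READ_ONLY, PERM_READ_WRITE };

/* Hypothetical type: a memory area with guard pages at both ends. */
struct guarded_area {
    unsigned char *base;    /* start of the mapping (first guard page) */
    unsigned char *data;    /* first usable byte */
    size_t data_len;        /* usable bytes, a whole number of pages */
    size_t guard_len;       /* guard bytes on each side */
};

static sigjmp_buf fault_jmp;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Attempt one read or write. Returns 1 if the CPU raised an exception
 * (delivered by POSIX as SIGSEGV or SIGBUS), 0 if the access succeeded. */
int access_faults(volatile unsigned char *addr, int do_write)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;       /* plays the part of the exception handler */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        if (do_write) {
            *addr = 0x41;
        } else {
            unsigned char seen = *addr;
            (void)seen;
        }
        faulted = 0;
    } else {
        faulted = 1;                /* arrived here via siglongjmp */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Reserve the whole range as excluded, then open only the interior, so the
 * pages before and after the usable bytes stay inaccessible guard pages. */
int guarded_area_create(struct guarded_area *a, size_t pages, size_t guard_pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p;
    a->data_len = pages * page;
    a->guard_len = guard_pages * page;
    p = mmap(NULL, a->data_len + 2 * a->guard_len, PROT_NONE,
             MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    a->base = p;
    a->data = a->base + a->guard_len;
    return mprotect(a->data, a->data_len, PROT_READ | PROT_WRITE);
}

/* Change the permission of the usable interior; guard pages stay excluded. */
int guarded_area_set_perm(struct guarded_area *a, enum area_perm perm)
{
    int prot = perm == PERM_READ_WRITE ? PROT_READ | PROT_WRITE
             : perm == PERM_READ_ONLY  ? PROT_READ : PROT_NONE;
    return mprotect(a->data, a->data_len, prot);
}

void guarded_area_destroy(struct guarded_area *a)
{
    munmap(a->base, a->data_len + 2 * a->guard_len);
}

int main(void)
{
    struct guarded_area a;
    if (guarded_area_create(&a, 2, 1) != 0)
        return 1;
    printf("write inside area faults:    %d\n", access_faults(a.data, 1));
    printf("read of front guard faults:  %d\n", access_faults(a.data - 1, 0));
    printf("write past the end faults:   %d\n", access_faults(a.data + a.data_len, 1));
    guarded_area_set_perm(&a, PERM_READ_ONLY);
    printf("read-only area, write faults: %d\n", access_faults(a.data, 1));
    guarded_area_set_perm(&a, PERM_EXCLUDED);
    printf("excluded area, read faults:   %d\n", access_faults(a.data, 0));
    guarded_area_destroy(&a);
    return 0;
}
```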

Summary

Mac OS 8 uses multiple address spaces. The microkernel manages the system’s multiple address spaces so that the CPU always references the right address space at the proper time.

By separating server programs into their own address spaces, Mac OS 8 protects these programs, making them and the whole system more reliable. Cooperative programs share a single address space to support System 7 application compatibility. Within this 4-GB address space, the large amount of addressable memory virtually eliminates memory fragmentation problems so that the user can open the greatest possible number of cooperative programs.

Mac OS 8 provides other forms of memory protection, too. First, programs as well as the operating system can assign read-only or excluded privileges to memory areas, thereby limiting access to and possible corruption of these areas by other programs. The operating system, for example, loads all code in areas that permit read-only access. Second, a program can place guard pages around a memory area to help prevent the program from accidentally accessing adjacent memory areas.

In order for code and data to be shared among address spaces, Mac OS 8 provides system-wide memory areas, which are visible in every address space, and shared memory areas, which are visible only in the address spaces of the programs that need access to these areas.

Planning a Product for Mac OS 8

If you’re a developer, you can begin preparing to take advantage of multiple address spaces by determining whether some portion of your product benefits from the extra protection afforded by a separate address space. If so, you should plan to implement this portion as a server program.

 

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved.