

# **Virtual Memory: Details**

15-213/14-513/15-513: Introduction to Computer Systems 12<sup>th</sup> Lecture, October 5, 2023

### Announcements

#### Written #5: Midterm Written

- Available on Gradescope (not canvas)
- Covers first half of course, with questions similar to the final exam
- Due Wed Oct 11 at 11:59 pm
- No peer grading. Instead, graded by TAs before Fall break
- Counts double a normal Written (can be 2 of your 2 dropped Writtens)
  - For mid-semester grades, we will temporarily count it as 20%

### Cache Lab

- Due Thurs Oct 12
- Code review signup due Fri Oct 13

### Fall Break

Sat Oct 14 to Sun Oct 22

### Today

### Review concepts from last lecture

- Simple memory system example
- Case study: Core i7/Linux memory system
- Memory mapping

CSAPP 9.6.4 CSAPP 9.7 CSAPP 9.8

### **Review: Virtual Addressing**



Virtual address space is an abstraction, not real memory
 Physical memory refers to the actual computer memory (DRAM)

### **Review: Per-process Virtual Address Space**

- **Each process has its own virtual address space**
- All processes share the same Physical Memory



### **Review: Page Table**



### A page table contains page table entries (PTEs) that map virtual pages to physical pages.

### **Conceptual Question**

The MMU must know the *physical* address of the page table in order to read page table entries from memory. Why does it need a physical address?

If the MMU knew only a virtual address for the page table, then, in order to find the page table in memory, it would first need to look up the physical address of the page table, in the page table itself, ...

# **Review: Translating with a k-level Page Table**

Having multiple levels greatly reduces total page table size



### **Conceptual Questions**

### Why are one-level page tables impractical?

For typical system sizes, the table would require more physical memory (e.g., 512 GBs) than most computers have.

### How does a multi-level page table fix this problem? Only allocates the part of the page table tree that's needed for the virtual addresses the program uses.

# Why is memory access slower with a multi-level page table than with a one-level page table?

A k-level page table requires k memory loads in order to determine the physical address. There is no spatial locality to these loads (see next slide).

# The problem (with k-level page tables)



### **Review: Translation Lookaside Buffer (TLB)**

- A small cache dedicated to storing mappings from virtual addresses to physical addresses (page table entries)
- MMU consults the TLB for each address as its first action. If there is a TLB hit, it does not need to fetch anything from the page table (avoiding k lookups)



### **Review: Accessing the TLB**

MMU uses the VPN portion of the virtual address to access the TLB:



### **Conceptual Question**

How does virtual memory interact with the CPU cache(s)?

The cache's function is to speed up access to whatever data is most frequently used. The MMU sits "in between" the CPU and the cache; the cache works only with physical addresses. This means data from multiple processes may coexist in the cache (or compete for cache space).



#### 1. MMU uses VA to find PTE & get PA



#### 2. PA is used to look in cache for data

# Today

- Review concepts from last lecture
- Simple memory system example
- Case study: Core i7/Linux memory system
- Memory mapping

### **Simple Memory System Example**



# **Simple Memory System TLB**

- 16 entries
- 4-way associative



VPN = 0b1101 = 0x0D

#### Translation Lookaside Buffer (TLB)

| Set | Tag | PPN | Valid |
|-----|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|
| 0   | 03  | -   | 0     | 09  | 0D  | 1     | 00  | -   | 0     | 07  | 02  | 1     |
| 1   | 03  | 2D  | 1     | 02  | -   | 0     | 04  | -   | 0     | 0A  | -   | 0     |
| 2   | 02  | -   | 0     | 08  | -   | 0     | 06  | -   | 0     | 03  | -   | 0     |
| 3   | 07  | _   | 0     | 03  | 0D  | 1     | 0A  | 34  | 1     | 02  | _   | 0     |

# Simple Memory System Page Table

VPO

Only showing the first 16 entries (out of 256)

|                                     | VPN            | PPN | Valid |             | VPN        | PPN                 | Valid                 |                         |
|-------------------------------------|----------------|-----|-------|-------------|------------|---------------------|-----------------------|-------------------------|
|                                     | 00             | 28  | 1     |             | 08         | 13                  | 1                     |                         |
|                                     | 01             | _   | 0     |             | 09         | 17                  | 1                     |                         |
|                                     | 02             | 33  | 1     |             | <b>0</b> A | 09                  | 1                     |                         |
|                                     | 03             | 02  | 1     |             | OB         | -                   | 0                     |                         |
|                                     | 04             | _   | 0     |             | <b>0C</b>  | _                   | 0                     |                         |
|                                     | 05             | 16  | 1     |             | <b>0</b> D | 2D                  | 1                     | $0x0D \rightarrow 0x2D$ |
|                                     | 06             | _   | 0     |             | OE         | 11                  | 1                     | -                       |
|                                     | 07             | _   | 0     |             | OF         | 0D                  | 1                     |                         |
|                                     |                |     |       |             |            |                     |                       | -                       |
| TLBT                                | TLBI           |     |       |             |            |                     |                       |                         |
| 11     10     9       0     0     1 | 8 7 6<br>1 0 1 |     | 3 2   | 1 0         |            | 11 10<br><b>1 0</b> | 9 8 7<br><b>1 1 0</b> |                         |
| VPN                                 |                | →∢  | VPO — | <b>&gt;</b> | ·          | •                   | PPN                   | → PPO →                 |

13

12 1

0

# **Simple Memory System Cache**

- 16 lines, 4-byte cache line size
- Physically addressed
- Direct mapped

V[0b00001101101001] = V[0x369]P[0b101101101001] = P[0xB69] = 0x15 CT CI CO 11 10 9 8 6 5 3 7 1 4 2 0 1 0 Ο 0 0 **PPO** PPN

| Idx | Tag | Valid | <b>B0</b> | <b>B1</b> | B2 | <b>B3</b> | ldx | Tag | Valid | <b>B0</b> | <b>B1</b> | <b>B2</b> | <b>B3</b> |
|-----|-----|-------|-----------|-----------|----|-----------|-----|-----|-------|-----------|-----------|-----------|-----------|
| 0   | 19  | 1     | 99        | 11        | 23 | 11        | 8   | 24  | 1     | 3A        | 00        | 51        | 89        |
| 1   | 15  | 0     | _         | -         | _  | -         | 9   | 2D  | 0     | _         | -         | _         | -         |
| 2   | 1B  | 1     | 00        | 02        | 04 | 08        | Α   | 2D  | 1     | 93        | 15        | DA        | 3B        |
| 3   | 36  | 0     | _         | _         | _  | -         | В   | OB  | 0     | _         | -         | _         | -         |
| 4   | 32  | 1     | 43        | 6D        | 8F | 09        | С   | 12  | 0     | _         | _         | _         | -         |
| 5   | 0D  | 1     | 36        | 72        | F0 | 1D        | D   | 16  | 1     | 04        | 96        | 34        | 15        |
| 6   | 31  | 0     | _         | _         | _  | _         | E   | 13  | 1     | 83        | 77        | 1B        | D3        |
| 7   | 16  | 1     | 11        | C2        | DF | 03        | F   | 14  | 0     | _         | _         | _         | -         |

### **Address Translation Example**

#### Virtual Address: 0x03D4



#### **Physical Address**



# **Address Translation Example**

#### **Physical Address**



Cache

| Idx | Tag | Valid | <b>B0</b> | <b>B1</b> | B2 | <b>B3</b> | Idx | Tag | Valid | BO | <b>B1</b> | B2 | <b>B3</b> |
|-----|-----|-------|-----------|-----------|----|-----------|-----|-----|-------|----|-----------|----|-----------|
| 0   | 19  | 1     | 99        | 11        | 23 | 11        | 8   | 24  | 1     | 3A | 00        | 51 | 89        |
| 1   | 15  | 0     | _         | _         | -  | -         | 9   | 2D  | 0     | -  | _         | -  | _         |
| 2   | 1B  | 1     | 00        | 02        | 04 | 08        | Α   | 2D  | 1     | 93 | 15        | DA | 3B        |
| 3   | 36  | 0     | _         | _         | -  | _         | В   | OB  | 0     | -  | _         | -  | -         |
| 4   | 32  | 1     | 43        | 6D        | 8F | 09        | С   | 12  | 0     | -  | _         | -  | -         |
| 5   | 0D  | 1     | 36        | 72        | F0 | 1D        | D   | 16  | 1     | 04 | 96        | 34 | 15        |
| 6   | 31  | 0     | _         | _         | _  | _         | E   | 13  | 1     | 83 | 77        | 1B | D3        |
| 7   | 16  | 1     | 11        | C2        | DF | 03        | F   | 14  | 0     | -  | _         | _  | _         |

### Address Translation Example: TLB/Cache Miss

#### Virtual Address: 0x0020



### Address Translation Example: TLB/Cache Miss

#### Cache

| Idx | Тад | Valid | BO | <b>B1</b> | B2 | <b>B3</b> | ldx | Tag | Valid | BO | <b>B1</b> | B2 | <b>B3</b> |
|-----|-----|-------|----|-----------|----|-----------|-----|-----|-------|----|-----------|----|-----------|
| 0   | 19  | 1     | 99 | 11        | 23 | 11        | 8   | 24  | 1     | 3A | 00        | 51 | 89        |
| 1   | 15  | 0     | -  | _         | _  | -         | 9   | 2D  | 0     | -  | _         | _  | -         |
| 2   | 1B  | 1     | 00 | 02        | 04 | 08        | Α   | 2D  | 1     | 93 | 15        | DA | 3B        |
| 3   | 36  | 0     | -  | -         | -  | -         | В   | 0B  | 0     | -  | -         | -  | -         |
| 4   | 32  | 1     | 43 | 6D        | 8F | 09        | С   | 12  | 0     | _  | _         | -  | -         |
| 5   | 0D  | 1     | 36 | 72        | FO | 1D        | D   | 16  | 1     | 04 | 96        | 34 | 15        |
| 6   | 31  | 0     | _  | _         | _  | _         | E   | 13  | 1     | 83 | 77        | 1B | D3        |
| 7   | 16  | 1     | 11 | C2        | DF | 03        | F   | 14  | 0     | _  | _         | _  | -         |

#### **Physical Address**



### **Quiz Time!**

### Canvas Quiz: Day 12 – Virtual Memory: Details

## Today

- Review concepts from last lecture
- Simple memory system example
- Case study: Core i7/Linux memory system
- Memory mapping

# **Intel Core i7 Memory System**



# **End-to-end Core i7 Address Translation**



### **Core i7 Level 1-3 Page Table Entries**

| 63 | 62 52  | 51 12                            | 11 9   | 8 | 7  | 6 | 5 | 4  | 3  | 2   | 1   | 0   |
|----|--------|----------------------------------|--------|---|----|---|---|----|----|-----|-----|-----|
| XD | Unused | Page table physical base address | Unused | G | PS |   | Α | CD | wт | U/S | R/W | P=1 |

Available for OS (page table location on disk)

P=0

#### Each entry references a 4K child page table. Significant fields:

- **P:** Child page table present in physical memory (1) or not (0).
- **R/W:** Read-only or read-write access access permission for all reachable pages.
- U/S: user or supervisor (kernel) mode access permission for all reachable pages.
- WT: Write-through or write-back cache policy for the child page table.
- A: Reference bit (set by MMU on reads and writes, cleared by software).
- PS: Page size either 4 KB or 4 MB (defined for Level 1 PTEs only).
- Page table physical base address: 40 most significant bits of physical page table address (forces page tables to be 4KB aligned)
- XD: Disable or enable instruction fetches from all pages reachable from this PTE.

P=0

### **Core i7 Level 4 Page Table Entries**

| 63 | 62 52  | 2 51                       | 12 11 | 9   | 8 | 7 | 6 | 5 | 4  | 3  | 2   | 1   | 0   |
|----|--------|----------------------------|-------|-----|---|---|---|---|----|----|-----|-----|-----|
| XD | Unused | Page physical base address | Unus  | sed | G |   | D | Α | CD | wт | U/S | R/W | P=1 |

Available for OS (page location on disk)

#### Each entry references a 4K child page. Significant fields:

- P: Child page is present in memory (1) or not (0)
- R/W: Read-only or read-write access permission for child page
- U/S: User or supervisor mode access
- WT: Write-through or write-back cache policy for this page
- A: Reference bit (set by MMU on reads and writes, cleared by software)
- D: Dirty bit (set by MMU on writes, cleared by software)
- G: Global page (don't evict from TLB on task switch)

Page physical base address: 40 most significant bits of physical page address (forces pages to be 4KB aligned)

**XD:** Disable or enable instruction fetches from this page.

### **Core i7 Page Table Translation**



### **Cute Trick for Speeding Up L1 Access**



#### Observation

- Bits that determine CI identical in virtual and physical address
- Can index into cache while address translation taking place
- Generally we hit in TLB, so PPN bits (CT bits) available quickly
- "Virtually indexed, physically tagged"
- Cache carefully sized to make this possible

## Today

- Review concepts from last lecture
- Simple memory system example
- Case study: Core i7/Linux memory system
- Memory mapping

### **Memory-Mapped Files**

- Paging = every page of a program's physical memory is backed by some page of disk\*
- Normally, those pages belong to swap space
- But what if some pages were backed by ... files?

\* This is how it used to work 20 years ago. Nowadays, not always true.

### **Memory-Mapped Files**



### **Memory-Mapped Files**



### **Copy-on-write sharing**

- fork creates a new process by copying the entire address space of the parent process
  - That sounds slow
  - It is slow



#### Clever trick:

- Just duplicate the page tables
- Mark everything read only (PTE permission bits for all pages set to read-only)
- Copy only on write faults

## **Copy-on-write sharing**



#### Clever trick:

- Just duplicate the page tables
- Mark everything read only
- Copy only on write faults

# **Copy-on-write sharing**



#### Clever trick:

- Just duplicate the page tables
- Mark everything read only
- Copy only on write faults

# **User-Level Memory Mapping**

Map len bytes starting at offset offset of the file specified by file description fd, preferably at address start

- start: may be 0 for "pick an address"
- prot: PROT\_READ, PROT\_WRITE, PROT\_EXEC, ...
- **flags**: MAP\_ANON, MAP\_PRIVATE, MAP\_SHARED, ...

Return a pointer to start of mapped area (may not be start)

## **User-Level Memory Mapping**

void \*mmap(void \*start, int len,

int prot, int flags, int fd, int offset)



# Uses of mmap

## Reading big files

Uses paging mechanism to bring files into memory

#### Shared data structures

- When call with MAP\_SHARED flag
  - Multiple processes have access to same region of memory (Risky!)

### File-based data structures

- E.g., database
- When unmap region, file will be updated via write-back
- Can implement load from file / update / write back to file

#### Enable Attack Lab

- Allow students to execute code on the stack (which is forbidden on shark machines)
- See backup slides for details

## Summary

### Programmer's view of virtual memory

- Each process has its own private linear address space
- Cannot be corrupted by other processes

#### System view of virtual memory

- Uses memory efficiently by caching virtual memory pages
  - Efficient only because of locality
- Simplifies memory management and programming
- Simplifies protection by providing a convenient interpositioning point to check permissions

Implemented via combination of hardware & software

- MMU, TLB, exception handling mechanisms part of hardware
- Page fault handlers, TLB management performed in software

## **Review Question**

For a simple system with a one-level page table, what sub-steps does the MMU take when it fetches a PTE from a page table?

The MMU has to split the virtual address into VPN and VPO. The VPN can then be used to index directly into the page table.

If the valid bit is set on the PTE, the entry contains a PPN and the physical address is PPN followed by PPO (=VPO).

Otherwise, a page fault is triggered.

# **Address Translation With a Page Table**



**Physical address** 

# Example: Using mmap to Support Attack Lab

### Problem

- Want students to be able to perform code injection attacks
- Shark machine stacks are not executable
- Solution
  - Suggested by Sam King (now at UC Davis)
  - Use mmap to allocate region of memory marked executable
  - Divert stack to new region
  - Execute student attack code
  - Restore back to original stack
  - Use munmap to remove mapped region









Bryant and O'Hallaron, Computer Systems: A Programmer's Perspective, Third Edition

Restore original %rsp Use munmap to remove mapped region

#### Allocate new region

| <pre>void *new_stack = mmap(START_ADDR, STACK_SIZE, PROT_EXEC PROT_READ PROT_WRITE,</pre> |
|-------------------------------------------------------------------------------------------|
| MAP_PRIVATE   MAP_GROWSDOWN   MAP_ANONYMOUS   MAP_FIXED,                                  |
| 0, 0);                                                                                    |
| <pre>if (new_stack != START_ADDR) {</pre>                                                 |
| <pre>munmap(new_stack, STACK_SIZE);</pre>                                                 |
| exit(1);                                                                                  |
| }                                                                                         |
|                                                                                           |

#### Divert stack to new region & execute attack code

```
stack_top = new_stack + STACK_SIZE - 8;
asm("movq %%rsp,%%rax ; movq %1,%%rsp ;
movq %%rax,%0"
    : "=r" (global_save_stack) // %0
    : "r" (stack_top) // %1
);
launch(global_offset);
```

#### Restore stack and remove region



## Virtual Address Space of a Linux Process



# Linux Organizes VM as Collection of "Areas"



# **Linux Page Fault Handling**

