– 1 – 15-213, F’02 Dynamic Memory Allocation Explicit vs. Implicit Memory Allocator Explicit: application allocates and frees space Implicit: application

– 1 – 15-213, F’02

Dynamic Memory AllocationDynamic Memory Allocation

Explicit vs. Implicit Memory AllocatorExplicit vs. Implicit Memory Allocator Explicit: application allocates and frees space Implicit: application allocates, but does not free space

AllocationAllocation In both cases the memory allocator provides an

abstraction of memory as a set of blocks Doles out free memory blocks to application

Application

Dynamic Memory Allocator

Heap Memory

– 2 – 15-213, F’02

Process Memory ImageProcess Memory Image

kernel virtual memory

Memory mapped region forshared libraries

run-time heap (via malloc)

program text (.text)

initialized data (.data)

uninitialized data (.bss)

stack

0

%esp

memory invisible to user code

The “brk” ptr

Allocators requestadditional heap memoryfrom the operating system using the sbrk function.

– 3 – 15-213, F’02

Malloc PackageMalloc Package#include <stdlib.h>#include <stdlib.h>

void *malloc(size_t size)void *malloc(size_t size) If successful:

Returns a pointer to a memory block of at least size bytes, (typically) aligned to 8-byte boundary.

If size == 0, returns NULL If unsuccessful: returns NULL (0) and sets errno.

void free(void *p)void free(void *p) Returns the block pointed at by p to pool of available memory p must come from a previous call to malloc or realloc.

void *realloc(void *p, size_t size)void *realloc(void *p, size_t size) Changes size of block p and returns pointer to new block. Contents of new block unchanged up to min of old and new size.

– 4 – 15-213, F’02

AssumptionsAssumptions

Memory is word addressed (each word can hold a pointer)

Allocated block(4 words)

Free block(3 words)

Free word

Allocated word

– 5 – 15-213, F’02

Allocation ExamplesAllocation Examplesp1 = malloc(4)

p2 = malloc(5)

p3 = malloc(6)

free(p2)

p4 = malloc(2)

– 6 – 15-213, F’02

ConstraintsConstraints

Applications:Applications: Can issue arbitrary sequence of allocation and free requests Free requests must correspond to an allocated block

AllocatorsAllocators Can’t control number or size of allocated blocks Must respond immediately to all allocation requests

i.e., can’t reorder or buffer requests

Must allocate blocks from free memoryi.e., can only place allocated blocks in free memory

Must align blocks so they satisfy all alignment requirements8 byte alignment for GNU malloc (libc malloc) on Linux boxes

Can only manipulate and modify free memory Can’t move the allocated blocks once they are allocated

i.e., compaction is not allowed

– 7 – 15-213, F’02

Goals of Good malloc/free Goals of Good malloc/free

Primary goalsPrimary goals Good time performance for malloc and free

Ideally should take constant time (not always possible)Should certainly not take linear time in the number of blocks

Good space utilizationUser allocated structures should be large fraction of the heap.Want to minimize “fragmentation”.

Some other goalsSome other goals Good locality properties

Structures allocated close in time should be close in space“Similar” objects should be allocated close in space

RobustCan check that free(p1) is on a valid allocated object p1Can check that memory references are to allocated space

– 8 – 15-213, F’02

Internal FragmentationInternal FragmentationPoor memory utilization caused by Poor memory utilization caused by fragmentationfragmentation..

Comes in two forms: internal and external fragmentation

Internal fragmentationInternal fragmentation For some block, internal fragmentation is the difference between

the block size and the payload size.

Caused by overhead of maintaining heap data structures, padding for alignment purposes, or explicit policy decisions (e.g., not to split the block).

Depends only on the pattern of previous requests, and thus is easy to measure.

payloadInternal fragmentation

block

Internal fragmentation

– 9 – 15-213, F’02

External FragmentationExternal Fragmentation

p1 = malloc(4)

p2 = malloc(5)

p3 = malloc(6)

free(p2)

p4 = malloc(6)oops!

Occurs when there is enough aggregate heap memory, but no singlefree block is large enough

External fragmentation depends on the pattern of future requests, andthus is difficult to measure.

– 10 – 15-213, F’02

Implementation IssuesImplementation Issues How do we know how much memory to free just How do we know how much memory to free just

given a pointer?given a pointer?

How do we keep track of the free blocks?How do we keep track of the free blocks?

What do we do with the extra space when allocating What do we do with the extra space when allocating a structure that is smaller than the free block it is a structure that is smaller than the free block it is placed in?placed in?

How do we pick a block to use for allocation -- many How do we pick a block to use for allocation -- many might fit?might fit?

How do we reinsert freed block?How do we reinsert freed block?

p1 = malloc(1)

p0

free(p0)

– 11 – 15-213, F’02

Knowing How Much to FreeKnowing How Much to FreeStandard methodStandard method

Keep the length of a block in the word preceding the block.This word is often called the header field or header

Requires an extra word for every allocated block

free(p0)

p0 = malloc(4) p0

Block size data

5

– 12 – 15-213, F’02

Keeping Track of Free BlocksKeeping Track of Free Blocks

Method 1Method 1: : Implicit listImplicit list using lengths -- links all blocks using lengths -- links all blocks

Method 2Method 2: : Explicit listExplicit list among the free blocks using among the free blocks using pointers within the free blockspointers within the free blocks

Method 3Method 3: : Segregated free listSegregated free list Different free lists for different size classes

Method 4Method 4: Blocks sorted by size: Blocks sorted by size Can use a balanced tree (e.g. Red-Black tree) with pointers

within each free block, and the length used as a key

5 4 26

5 4 26

– 13 – 15-213, F’02

Method 1: Implicit ListMethod 1: Implicit List

Need to identify whether each block is free or allocatedNeed to identify whether each block is free or allocated Can use extra bit Bit can be put in the same word as the size if block sizes are

always multiples of two (mask out low order bit when reading size).

size

1 word

Format ofallocated andfree blocks

payload

a = 1: allocated block a = 0: free block

size: block size

payload: application data(allocated blocks only)

a

optionalpadding

– 14 – 15-213, F’02

Implicit List: Finding a Free BlockImplicit List: Finding a Free BlockFirst fit:First fit:

Search list from beginning, choose first free block that fits Can take linear time in total number of blocks (allocated and free) In practice it can cause “splinters” at beginning of list

Next fit:Next fit: Like first-fit, but search list from location of end of previous search Research suggests that fragmentation is worse

Best fit:Best fit: Search the list, choose the free block with the closest size that fits Keeps fragments small --- usually helps fragmentation Will typically run slower than first-fit

– 15 – 15-213, F’02

Implicit List: Allocating in Free BlockImplicit List: Allocating in Free Block

Allocating in a free block - Allocating in a free block - splittingsplitting Since allocated space might be smaller than free space, we

might want to split the block

4 4 26

4 24

p

24

addblock(p, 2)

– 16 – 15-213, F’02

Implicit List: Freeing a BlockImplicit List: Freeing a Block

Simplest implementation:Simplest implementation: Only need to clear allocated flag

void free_block(ptr p) { *p = *p & -2} But can lead to “false fragmentation”

There is enough free space, but the allocator won’t be able to find it

4 24 2

free(p) p

4 4 2

4

4 2

malloc(5)Oops!

– 17 – 15-213, F’02

Implicit List: CoalescingImplicit List: Coalescing

Join (Join (coelescecoelesce) with next and/or previous block ) with next and/or previous block if they are freeif they are free Coalescing with next block

But how do we coalesce with previous block?

4 24 2

free(p) p

4 4 2

4

6

– 18 – 15-213, F’02

Implicit List: Bidirectional Coalescing Implicit List: Bidirectional Coalescing Boundary tagsBoundary tags [Knuth73] [Knuth73]

Replicate size/allocated word at bottom of free blocks Allows us to traverse the “list” backwards, but requires extra space Important and general technique!

size

1 word

Format ofallocated andfree blocks

payload andpadding

a = 1: allocated block a = 0: free block

size: total block size

payload: application data(allocated blocks only)

a

size aBoundary tag (footer)

4 4 4 4 6 46 4

Header

– 19 – 15-213, F’02

Constant Time CoalescingConstant Time Coalescing

allocated

allocated

allocated

free

free

allocated

free

free

block beingfreed

Case 1 Case 2 Case 3 Case 4

– 20 – 15-213, F’02

m1 1

Constant Time Coalescing (Case 1)Constant Time Coalescing (Case 1)

m1 1

n 1

n 1

m2 1

m2 1

m1 1

m1 1

n 0

n 0

m2 1

m2 1

– 21 – 15-213, F’02

m1 1


m1 1

n+m2 0

n+m2 0

m1 1

m1 1

n 1

n 1

m2 0

m2 0

– 22 – 15-213, F’02

m1 0


m1 0

n 1

n 1

m2 1

m2 1

n+m1 0

n+m1 0

m2 1

m2 1

– 23 – 15-213, F’02

m1 0


m1 0

n 1

n 1

m2 0

m2 0

n+m1+m2 0

n+m1+m2 0

– 24 – 15-213, F’02

Summary of Key Allocator PoliciesSummary of Key Allocator PoliciesPlacement policy:Placement policy:

First fit, next fit, best fit, etc. Trades off lower throughput for less fragmentation

Interesting observation: segregated free lists approximate a best fit placement policy without having to search entire free list.

Splitting policy:Splitting policy: When do we go ahead and split free blocks? How much internal fragmentation are we willing to tolerate?

Coalescing policy:Coalescing policy: Immediate coalescing: coalesce adjacent blocks each time free is

called Deferred coalescing: try to improve performance of free by

deferring coalescing until needed. e.g., Coalesce as you scan the free list for malloc. Coalesce when the amount of external fragmentation reaches some

threshold.

– 25 – 15-213, F’02

Keeping Track of Free BlocksKeeping Track of Free Blocks Method 1Method 1: Implicit list using lengths -- links all blocks: Implicit list using lengths -- links all blocks

Method 2Method 2: Explicit list among the free blocks using : Explicit list among the free blocks using pointers within the free blockspointers within the free blocks

Method 3Method 3: Segregated free lists: Segregated free lists Different free lists for different size classes

Method 4Method 4: Blocks sorted by size (not discussed): Blocks sorted by size (not discussed) Can use a balanced tree (e.g. Red-Black tree) with pointers


5 4 26

5 4 26

– 26 – 15-213, F’02

Explicit Free ListsExplicit Free Lists

Use data space for link pointersUse data space for link pointers Typically doubly linked Still need boundary tags for coalescing

It is important to realize that links are not necessarily in the same order as the blocks

A B C

4 4 4 4 66 44 4 4

Forward links

Back links

A B

C

– 27 – 15-213, F’02

Allocating From Explicit Free ListsAllocating From Explicit Free Lists

free block

pred succ

free block

pred succ

Before:

After:(with splitting)

– 28 – 15-213, F’02

Freeing With Explicit Free ListsFreeing With Explicit Free Lists

Insertion policyInsertion policy: Where in the free list do you put a : Where in the free list do you put a newly freed block?newly freed block? LIFO (last-in-first-out) policy

Insert freed block at the beginning of the free listPro: simple and constant timeCon: studies suggest fragmentation is worse than address

ordered.

Address-ordered policy Insert freed blocks so that free list blocks are always in address

order

» i.e. addr(pred) < addr(curr) < addr(succ) Con: requires search Pro: studies suggest fragmentation is better than LIFO

– 29 – 15-213, F’02

Explicit List SummaryExplicit List Summary

Comparison to implicit list:Comparison to implicit list: Allocate is linear time in number of free blocks instead of

total blocks -- much faster allocates when most of the memory is full

Slightly more complicated allocate and free since needs to splice blocks in and out of the list

Some extra space for the links (2 extra words needed for each block)

Main use of linked lists is in conjunction with Main use of linked lists is in conjunction with segregated free listssegregated free lists Keep multiple linked lists of different size classes, or

possibly for different types of objects

– 30 – 15-213, F’02

Keeping Track of Free BlocksKeeping Track of Free Blocks

Method 1Method 1: : Implicit listImplicit list using lengths -- links all blocks using lengths -- links all blocks

Method 2Method 2: : Explicit listExplicit list among the free blocks using among the free blocks using pointers within the free blockspointers within the free blocks

Method 3Method 3: : Segregated free listSegregated free list Different free lists for different size classes

Method 4Method 4: Blocks sorted by size: Blocks sorted by size Can use a balanced tree (e.g. Red-Black tree) with pointers


5 4 26

5 4 26

– 31 – 15-213, F’02

Segregated StorageSegregated Storage

Each Each size classsize class has its own collection of blocks has its own collection of blocks

1-2

3

4

5-8

9-16

Often have separate size class for every small size (2,3,4,…) For larger sizes typically have a size class for each power of 2

– 32 – 15-213, F’02

Simple Segregated StorageSimple Segregated StorageSeparate heap and free list for each size classSeparate heap and free list for each size class

No splittingNo splitting

To allocate a block of size n:To allocate a block of size n: If free list for size n is not empty,

allocate first block on list (note, list can be implicit or explicit) If free list is empty,

get a new page create new free list from all blocks in page allocate first block on list

Constant time

To free a block:To free a block: Add to free list If page is empty, return the page for use by another size (optional)

Tradeoffs:Tradeoffs: Fast, but can fragment badly

– 33 – 15-213, F’02

Segregated FitsSegregated FitsArray of free lists, each one for some size classArray of free lists, each one for some size class

To allocate a block of size n:To allocate a block of size n: Search appropriate free list for block of size m > n If an appropriate block is found:

Split block and place fragment on appropriate list (optional) If no block is found, try next larger class Repeat until block is found

To free a block:To free a block: Coalesce and place on appropriate list (optional)

TradeoffsTradeoffs Faster search than sequential fits (i.e., log time for power of two

size classes) Controls fragmentation of simple segregated storage Coalescing can increase search times

Deferred coalescing can help

– 34 – 15-213, F’02

Implicit Memory Management:Garbage CollectionImplicit Memory Management:Garbage Collection

Garbage collectionGarbage collection: : automatic reclamation of heap-automatic reclamation of heap-allocated storage -- application never has to freeallocated storage -- application never has to free

Common in functional languages, scripting languages, Common in functional languages, scripting languages, and modern object oriented languages:and modern object oriented languages: Lisp, ML, Java, Perl, Mathematica,

Variants (conservative garbage collectors) exist for C Variants (conservative garbage collectors) exist for C and C++and C++ Cannot collect all garbage

void foo() { int *p = malloc(128); return; /* p block is now garbage */}

– 35 – 15-213, F’02

Garbage CollectionGarbage CollectionHow does the memory manager know when memory How does the memory manager know when memory

can be freed?can be freed? In general we cannot know what is going to be used in the

future since it depends on conditionals But we can tell that certain blocks cannot be used if there

are no pointers to them

Need to make certain assumptions about pointersNeed to make certain assumptions about pointers Memory manager can distinguish pointers from non-

pointers All pointers point to the start of a block Cannot hide pointers (e.g., by coercing them to an int, and

then back again)

– 36 – 15-213, F’02

Classical GC algorithmsClassical GC algorithms

Mark and sweep collection (McCarthy, 1960)Mark and sweep collection (McCarthy, 1960) Does not move blocks (unless you also “compact”)

Reference counting (Collins, 1960)Reference counting (Collins, 1960) Does not move blocks (not discussed)

Copying collection (Minsky, 1963)Copying collection (Minsky, 1963) Moves blocks (not discussed)

For more information, see For more information, see Jones and Lin, “Garbage Jones and Lin, “Garbage Collection: Algorithms for Automatic Dynamic Collection: Algorithms for Automatic Dynamic Memory”, John Wiley & Sons, 1996.Memory”, John Wiley & Sons, 1996.

– 37 – 15-213, F’02

Memory as a GraphMemory as a GraphWe view memory as a directed graphWe view memory as a directed graph

Each block is a node in the graph Each pointer is an edge in the graph Locations not in the heap that contain pointers into the heap are called root nodes

(e.g. registers, locations on the stack, global variables)

Root nodes

Heap nodes

Not-reachable(garbage)

reachable

A node (block) is A node (block) is reachable if there is a path from any root to that node. if there is a path from any root to that node.

Non-reachable nodes are Non-reachable nodes are garbage garbage (never needed by the application)(never needed by the application)

– 38 – 15-213, F’02

ApplicationApplication new(n): returns pointer to new block with all locations cleared read(b,i): read location i of block b into register write(b,i,v): write v into location i of block b

Each block will have a header wordEach block will have a header word addressed as b[-1], for a block b Used for different purposes in different collectors

Instructions used by the Garbage CollectorInstructions used by the Garbage Collector is_ptr(p): determines whether p is a pointer length(b): returns the length of block b, not including the header get_roots(): returns all the roots

– 39 – 15-213, F’02

Mark and Sweep CollectingMark and Sweep Collecting

Can build on top of malloc/free packageCan build on top of malloc/free package Allocate using malloc until you “run out of space”

When out of space:When out of space: Use extra mark bit in the head of each block Mark: Start at roots and set mark bit on all reachable memory Sweep: Scan all blocks and free blocks that are not marked

Before mark

root

After mark

After sweep free

Mark bit set

free

– 40 – 15-213, F’02

Conservative Mark and Sweep in CConservative Mark and Sweep in C

A conservative collector for C programsA conservative collector for C programs Is_ptr() determines if a word is a pointer by checking if it

points to an allocated block of memory. But, in C pointers can point to the middle of a block.

So how do we find the beginning of the block?So how do we find the beginning of the block? Can use balanced tree to keep track of all allocated blocks

where the key is the location Balanced tree pointers can be stored in header (use two

additional words)

header

ptr

head data

left right

size

– 41 – 15-213, F’02

Memory-Related BugsMemory-Related Bugs

Dereferencing bad pointersDereferencing bad pointers

Reading uninitialized memoryReading uninitialized memory

Overwriting memoryOverwriting memory

Referencing nonexistent variablesReferencing nonexistent variables

Freeing blocks multiple timesFreeing blocks multiple times

Referencing freed blocksReferencing freed blocks

Failing to free blocksFailing to free blocks

– 42 – 15-213, F’02

Dereferencing Bad PointersDereferencing Bad Pointers

The classic The classic scanfscanf bug bug

scanf(“%d”, val);

– 43 – 15-213, F’02

Reading Uninitialized MemoryReading Uninitialized Memory

Assuming that heap data is initialized to zeroAssuming that heap data is initialized to zero

/* return y = Ax */int *matvec(int **A, int *x) { int *y = malloc(N*sizeof(int)); int i, j;

for (i=0; i<N; i++) for (j=0; j<N; j++) y[i] += A[i][j]*x[j]; return y;}

– 44 – 15-213, F’02

Overwriting MemoryOverwriting Memory

Allocating the (possibly) wrong sized objectAllocating the (possibly) wrong sized object

int **p;

p = malloc(N*sizeof(int));

for (i=0; i<N; i++) { p[i] = malloc(M*sizeof(int));}

– 45 – 15-213, F’02


Off-by-one errorOff-by-one error

int **p;

p = malloc(N*sizeof(int *));

for (i=0; i<=N; i++) { p[i] = malloc(M*sizeof(int));}

– 46 – 15-213, F’02


Not checking the max string sizeNot checking the max string size

Basis for classic buffer overflow attacksBasis for classic buffer overflow attacks 1988 Internet worm Modern attacks on Web servers

char s[8];int i;

gets(s); /* reads “123456789” from stdin */

– 47 – 15-213, F’02


Referencing a pointer instead of the object it points toReferencing a pointer instead of the object it points to

int *BinheapDelete(int **binheap, int *size) { int *packet; packet = binheap[0]; binheap[0] = binheap[*size - 1]; *size--; Heapify(binheap, *size, 0); return(packet);}

– 48 – 15-213, F’02


Misunderstanding pointer arithmeticMisunderstanding pointer arithmetic

int *search(int *p, int val) { while (*p && *p != val) p += sizeof(int);

return p;}

– 49 – 15-213, F’02

Referencing Nonexistent VariablesReferencing Nonexistent Variables

Forgetting that local variables disappear when a Forgetting that local variables disappear when a function returnsfunction returns

int *foo () { int val; return &val;}

– 50 – 15-213, F’02

Referencing Freed BlocksReferencing Freed Blocks

x = malloc(N*sizeof(int));<manipulate x>free(x);...y = malloc(M*sizeof(int));for (i=0; i<M; i++) y[i] = x[i]++;

– 51 – 15-213, F’02

Failing to Free Blocks(Memory Leaks)Failing to Free Blocks(Memory Leaks)Slow, long-term killer! Slow, long-term killer!

foo() { int *x = malloc(N*sizeof(int)); ... return;}

– 52 – 15-213, F’02

Failing to Free Blocks(Memory Leaks)Failing to Free Blocks(Memory Leaks)Freeing only part of a data structureFreeing only part of a data structure

struct list { int val; struct list *next;};

foo() { struct list *head = malloc(sizeof(struct list)); head->val = 0; head->next = NULL; <create and manipulate the rest of the list> ... free(head); return;}

– 53 – 15-213, F’02

Dynamic and Virtual Memoryreal life example

Dynamic and Virtual Memoryreal life example

Target machine: IBM power 5 at LLNLTarget machine: IBM power 5 at LLNL

– 54 – 15-213, F’02

Exceptional Control FlowExceptional Control Flow Mechanisms for exceptional control flow exists at all levels of a

computer system.

Low level MechanismLow level Mechanism exceptions

change in control flow in response to a system event (i.e., change in system state)

Combination of hardware and OS software

Higher Level MechanismsHigher Level Mechanisms Process context switch Signals Nonlocal jumps (setjmp/longjmp) Implemented by either:

OS software (context switch and signals). C language runtime library: nonlocal jumps.

– 55 – 15-213, F’02

ExceptionsExceptions

An An exceptionexception is a transfer of control to the OS in response is a transfer of control to the OS in response to some to some eventevent (i.e., change in processor state) (i.e., change in processor state)

User Process OS

exceptionexception processingby exception handler

exception return (optional)

event currentnext

– 56 – 15-213, F’02

Interrupt VectorsInterrupt Vectors

Each type of event has a unique exception number k

Index into jump table (a.k.a., interrupt vector)

Jump table entry k points to a function (exception handler).

Handler k is called each time exception k occurs.

interruptvector

01

2 ...n-1

code for exception handler 0




code forexception handler 2

code forexception handler 2

code for exception handler n-1

code for exception handler n-1

...

Exception numbers

– 57 – 15-213, F’02

Asynchronous Exceptions (Interrupts)Asynchronous Exceptions (Interrupts)

Caused by events external to the processorCaused by events external to the processor Indicated by setting the processor’s interrupt pin handler returns to “next” instruction.

Examples:Examples: I/O interrupts

hitting ctl-c at the keyboardarrival of a packet from a networkarrival of a data sector from a disk

Hard reset interrupthitting the reset button

Soft reset interrupthitting ctl-alt-delete on a PC

– 58 – 15-213, F’02

0x00000100 irmovl $300,rA0x00000100 irmovl $300,rA

0x00000106 irmovl $3,rB0x00000106 irmovl $3,rB

0x0000010C irmov $10,rC0x0000010C irmov $10,rC

0x00000112 addl rC,rB0x00000112 addl rC,rB

0x00000114 rmmovl rB,(rA)0x00000114 rmmovl rB,(rA)

The jump table The jump table

1 0x100000001 0x10000000

2 0x100010002 0x10001000

3 0x100030003 0x10003000

4 0x100040004 0x10004000

hardware interrupt 3 came while hardware interrupt 3 came while addladdl

call getKBcall getKB

mrmovl 0x00000000,rAmrmovl 0x00000000,rA

rmmovl rB,(rA)rmmovl rB,(rA)

– 59 – 15-213, F’02

0x10003000 push CFLAGS0x10003000 push CFLAGS

0x10003002 push rA0x10003002 push rA

0x10003004 push rB0x10003004 push rB

0x10003006 push rC0x10003006 push rC

0x10003008 push rD0x10003008 push rD

0x1000300a push rE0x1000300a push rE

0x1000300c call getKB0x1000300c call getKB

0x10003011 mrmovl 0x0,rA0x10003011 mrmovl 0x0,rA

0x10003017 rmmovl rB,(rA)0x10003017 rmmovl rB,(rA)

0x1000301d pop rE0x1000301d pop rE

0x1000301f pop rD0x1000301f pop rD

0x10003021 pop rC0x10003021 pop rC

0x10003023 pop rB0x10003023 pop rB

0x10003025 pop rA0x10003025 pop rA

0x10003027 pop CFLAFS0x10003027 pop CFLAFS

– 60 – 15-213, F’02

Synchronous ExceptionsSynchronous Exceptions

Caused by events that occur as a result of executing an Caused by events that occur as a result of executing an instruction:instruction: Traps

IntentionalExamples: system calls, breakpoint traps, special instructionsReturns control to “next” instruction

FaultsUnintentional but possibly recoverable Examples: page faults (recoverable), protection faults

(unrecoverable).Either re-executes faulting (“current”) instruction or aborts.

Abortsunintentional and unrecoverableExamples: parity error, machine check.Aborts current program

– 61 – 15-213, F’02

Trap ExampleTrap Example

User Process OS

exceptionOpen file

return

intpop

Opening a FileOpening a File User calls open(filename, options)

Function open executes system call instruction int

OS must find or create file, get it ready for reading or writing Returns integer file descriptor

0804d070 <__libc_open>: . . . 804d082: cd 80 int $0x80 804d084: 5b pop %ebx . . .

– 62 – 15-213, F’02

Fault Example #1Fault Example #1

User Process OS

page faultCreate page and load into memoryreturn

event movl

Memory ReferenceMemory Reference User writes to memory location That portion (page) of user’s memory is

currently on disk

Page handler must load page into physical memory

Returns to faulting instruction Successful on second try

int a[1000];main (){ a[500] = 13;}

80483b7: c7 05 10 9d 04 08 0d movl $0xd,0x8049d10

– 63 – 15-213, F’02

Fault Example #2Fault Example #2

User Process OS

page fault

Detect invalid address

event movl

Memory ReferenceMemory Reference User writes to memory location Address is not valid

Page handler detects invalid address Sends SIGSEG signal to user process User process exits with “segmentation fault”

int a[1000];main (){ a[5000] = 13;}

80483b7: c7 05 60 e3 04 08 0d movl $0xd,0x804e360

Signal process

– 64 – 15-213, F’02

ProcessesProcessesDef: A Def: A processprocess is an instance of a running program. is an instance of a running program.

One of the most profound ideas in computer science. Not the same as “program” or “processor”

Process provides each program with two key Process provides each program with two key abstractions:abstractions: Logical control flow

Each program seems to have exclusive use of the CPU.

Private address spaceEach program seems to have exclusive use of main memory.

How are these Illusions maintained?How are these Illusions maintained? Process executions interleaved (multitasking) Address spaces managed by virtual memory system

– 65 – 15-213, F’02

Logical Control FlowsLogical Control Flows

Time

Process A Process B Process C

Each process has its own logical control flow

– 66 – 15-213, F’02

User View of Concurrent ProcessesUser View of Concurrent Processes

Control flows for concurrent processes are physically Control flows for concurrent processes are physically disjoint in time.disjoint in time.

However, we can think of concurrent processes are However, we can think of concurrent processes are running in parallel with each other.running in parallel with each other.

Time


– 67 – 15-213, F’02

Context SwitchingContext SwitchingProcesses are managed by a shared chunk of OS code Processes are managed by a shared chunk of OS code

called the called the kernelkernel Important: the kernel is not a separate process, but rather

runs as part of some user process

Control flow passes from one process to another via a Control flow passes from one process to another via a context switch.context switch.

Process Acode

Process Bcode

user code

kernel code

user code

kernel code

user code

Timecontext switch

context switch

– 68 – 15-213, F’02

Private Address SpacesPrivate Address SpacesEach process has its own private address space.Each process has its own private address space.

kernel virtual memory(code, data, heap, stack)

memory mapped region forshared libraries

run-time heap(managed by malloc)

user stack(created at runtime)

unused0

%esp (stack pointer)

memoryinvisible touser code

brk

0xc0000000

0x08048000

0x40000000

read/write segment(.data, .bss)

read-only segment(.init, .text, .rodata)

loaded from the executable file

0xffffffff

– 69 – 15-213, F’02

fork: Creating new processesfork: Creating new processes

int fork(void)int fork(void) creates a new process (child process) that is identical to the

calling process (parent process) returns 0 to the child process returns child’s pid to the parent process

if (fork() == 0) { printf("hello from child\n");} else { printf("hello from parent\n");}

Fork is interesting(and often confusing)because it is calledonce but returns twice

– 70 – 15-213, F’02

Fork Example #1Fork Example #1

void fork1(){ int x = 1; pid_t pid = fork(); if (pid == 0) {

printf("Child has x = %d\n", ++x); } else {

printf("Parent has x = %d\n", --x); } printf("Bye from process %d with x = %d\n", getpid(), x);}

Key PointsKey Points Parent and child both run same code

Distinguish parent from child by return value from fork Start with same state, but each has private copy

Including shared output file descriptorRelative ordering of their print statements undefined

– 71 – 15-213, F’02


void fork2(){ printf("L0\n"); fork(); printf("L1\n"); fork(); printf("Bye\n");}

Key PointsKey Points Both parent and child can continue forking

L0 L1

L1

Bye

Bye

Bye

Bye

– 72 – 15-213, F’02

User View of Concurrent ProcessesUser View of Concurrent Processes

Control flows for concurrent processes are physically Control flows for concurrent processes are physically disjoint in time.disjoint in time.

However, we can think of concurrent processes are However, we can think of concurrent processes are running in parallel with each other.running in parallel with each other.

Time


– 73 – 15-213, F’02

Context SwitchingContext SwitchingProcesses are managed by a shared chunk of OS code Processes are managed by a shared chunk of OS code

called the called the kernelkernel Important: the kernel is not a separate process, but rather

runs as part of some user process

Control flow passes from one process to another via a Control flow passes from one process to another via a context switch.context switch.

Process Acode

Process Bcode

user code

kernel code

user code

kernel code

user code

Timecontext switch

context switch

– 74 – 15-213, F’02

Private Address SpacesPrivate Address SpacesEach process has its own private address space.Each process has its own private address space.

kernel virtual memory(code, data, heap, stack)

memory mapped region forshared libraries

run-time heap(managed by malloc)

user stack(created at runtime)

unused0

%esp (stack pointer)

memoryinvisible touser code

brk

0xc0000000

0x08048000

0x40000000

read/write segment(.data, .bss)

read-only segment(.init, .text, .rodata)

loaded from the executable file

0xffffffff

– 75 – 15-213, F’02

fork: Creating new processesfork: Creating new processes

int fork(void)int fork(void) creates a new process (child process) that is identical to the

calling process (parent process) returns 0 to the child process returns child’s pid to the parent process

if (fork() == 0) { printf("hello from child\n");} else { printf("hello from parent\n");}

Fork is interesting(and often confusing)because it is calledonce but returns twice

– 76 – 15-213, F’02


void fork1(){ int x = 1; pid_t pid = fork(); if (pid == 0) {

printf("Child has x = %d\n", ++x); } else {

printf("Parent has x = %d\n", --x); } printf("Bye from process %d with x = %d\n", getpid(), x);}

Key PointsKey Points Parent and child both run same code

Distinguish parent from child by return value from fork Start with same state, but each has private copy

Including shared output file descriptorRelative ordering of their print statements undefined

– 77 – 15-213, F’02


void fork2(){ printf("L0\n"); fork(); printf("L1\n"); fork(); printf("Bye\n");}


L0 L1

L1

Bye

Bye

Bye

Bye

– 78 – 15-213, F’02


void fork3(){ printf("L0\n"); fork(); printf("L1\n"); fork(); printf("L2\n"); fork(); printf("Bye\n");}


L1 L2

L2

Bye

Bye

Bye

Bye

L1 L2

L2

Bye

Bye

Bye

Bye

L0

– 79 – 15-213, F’02


void fork4(){ printf("L0\n"); if (fork() != 0) {

printf("L1\n"); if (fork() != 0) { printf("L2\n"); fork();}

} printf("Bye\n");}


L0 L1

Bye

L2

Bye

Bye

Bye

– 80 – 15-213, F’02


void fork5(){ printf("L0\n"); if (fork() == 0) {

printf("L1\n"); if (fork() == 0) { printf("L2\n"); fork();}

} printf("Bye\n");}


L0 Bye

L1

Bye

Bye

Bye

L2

– 81 – 15-213, F’02

exit: Destroying Processexit: Destroying Process

void exit(int status)void exit(int status) exits a process

Normally return with status 0

atexit() registers functions to be executed upon exit

void cleanup(void) { printf("cleaning up\n");}

void fork6() { atexit(cleanup); fork(); exit(0);}

– 82 – 15-213, F’02

ZombiesZombiesIdeaIdea

When process terminates, still consumes system resourcesVarious tables maintained by OS

Called a “zombie”Living corpse, half alive and half dead

ReapingReaping Performed by parent on terminated child Parent is given exit status information Kernel discards process

What if Parent Doesn’t Reap?What if Parent Doesn’t Reap? If any parent terminates without reaping a child, then child

will be reaped by init process Only need explicit reaping for long-running processes

E.g., shells and servers

– 83 – 15-213, F’02

wait: Synchronizing with childrenwait: Synchronizing with childrenint wait(int *child_status)int wait(int *child_status)

suspends current process until one of its children terminates

return value is the pid of the child process that terminated if child_status != NULL, then the object it points to will

be set to a status indicating why the child process terminated

– 84 – 15-213, F’02

SignalsSignals

A A signalsignal is a small message that notifies a process that is a small message that notifies a process that an event of some type has occurred in the system.an event of some type has occurred in the system. Kernel abstraction for exceptions and interrupts. Sent from the kernel (sometimes at the request of another

process) to a process. Different signals are identified by small integer ID’s The only information in a signal is its ID and the fact that it

arrived.

IDID NameName Default ActionDefault Action Corresponding EventCorresponding Event

22 SIGINTSIGINT TerminateTerminate Interrupt from keyboard (Interrupt from keyboard (ctl-cctl-c))

99 SIGKILLSIGKILL TerminateTerminate Kill program (cannot override or ignore)Kill program (cannot override or ignore)

1111 SIGSEGVSIGSEGV Terminate & DumpTerminate & Dump Segmentation violationSegmentation violation

1414 SIGALRMSIGALRM TerminateTerminate Timer signalTimer signal

1717 SIGCHLDSIGCHLD IgnoreIgnore Child stopped or terminatedChild stopped or terminated

– 85 – 15-213, F’02

Signal Concepts Signal Concepts

Sending a signalSending a signal Kernel sends (delivers) a signal to a destination process by

updating some state in the context of the destination process.

Kernel sends a signal for one of the following reasons:Kernel has detected a system event such as divide-by-zero

(SIGFPE) or the termination of a child process (SIGCHLD)Another process has invoked the kill system call to explicitly

request the kernel to send a signal to the destination process.

– 86 – 15-213, F’02

Signal Concepts (cont)Signal Concepts (cont)

Receiving a signalReceiving a signal A destination process receives a signal when it is forced by

the kernel to react in some way to the delivery of the signal. Three possible ways to react:

Ignore the signal (do nothing)Terminate the process.Catch the signal by executing a user-level function called a

signal handler.

» Akin to a hardware exception handler being called in response to an asynchronous interrupt.

– 87 – 15-213, F’02

Signal Concepts (cont)Signal Concepts (cont)

A signal is A signal is pendingpending if it has been sent but not yet if it has been sent but not yet received.received. There can be at most one pending signal of any particular

type. Important: Signals are not queued

If a process has a pending signal of type k, then subsequent signals of type k that are sent to that process are discarded.

A process can A process can blockblock the receipt of certain signals. the receipt of certain signals. Blocked signals can be delivered, but will not be received until

the signal is unblocked.

A pending signal is received at most once.A pending signal is received at most once.

– 88 – 15-213, F’02

Signal ConceptsSignal Concepts

Kernel maintains Kernel maintains pendingpending and and blockedblocked bit vectors in bit vectors in the context of each process.the context of each process. pending – represents the set of pending signals

Kernel sets bit k in pending whenever a signal of type k is delivered.

Kernel clears bit k in pending whenever a signal of type k is received

blocked – represents the set of blocked signalsCan be set and cleared by the application using the sigprocmask function.

– 89 – 15-213, F’02

Process GroupsProcess GroupsEvery process belongs to exactly Every process belongs to exactly

one process groupone process group

Fore-ground

job

Back-groundjob #1

Back-groundjob #2

Shell

Child Child

pid=10pgid=10

Foregroundprocess group 20

Backgroundprocess group 32

Backgroundprocess group 40

pid=20pgid=20

pid=32pgid=32

pid=40pgid=40

pid=21pgid=20

pid=22pgid=20

getpgrp() getpgrp() – Return process – Return process group of current processgroup of current process

setpgid() – setpgid() – Change process Change process group of a processgroup of a process

– 90 – 15-213, F’02

Sending Signals with kill FunctionSending Signals with kill Functionvoid fork12(){ pid_t pid[N]; int i, child_status; for (i = 0; i < N; i++)

if ((pid[i] = fork()) == 0) while(1); /* Child infinite loop */

/* Parent terminates the child processes */ for (i = 0; i < N; i++) {

printf("Killing process %d\n", pid[i]);kill(pid[i], SIGINT);

}

/* Parent reaps terminated children */ for (i = 0; i < N; i++) {

pid_t wpid = wait(&child_status);if (WIFEXITED(child_status)) printf("Child %d terminated with exit status %d\n",

wpid, WEXITSTATUS(child_status));else printf("Child %d terminated abnormally\n", wpid);

}}

– 91 – 15-213, F’02

Receiving SignalsReceiving Signals

Suppose kernel is returning from exception handler Suppose kernel is returning from exception handler and is ready to pass control to process and is ready to pass control to process pp..

Kernel computesKernel computes pnb = pending & ~blocked pnb = pending & ~blocked The set of pending nonblocked signals for process p

If (If (pnb == 0pnb == 0) ) Pass control to next instruction in the logical flow for p.

ElseElse Choose least nonzero bit k in pnb and force process p to

receive signal k. The receipt of the signal triggers some action by p Repeat for all nonzero k in pnb. Pass control to next instruction in logical flow for p.

– 92 – 15-213, F’02

Default ActionsDefault Actions

Each signal type has a predefined Each signal type has a predefined default actiondefault action, which , which is one of:is one of: The process terminates The process terminates and dumps core. The process stops until restarted by a SIGCONT signal. The process ignores the signal.

– 93 – 15-213, F’02

Installing Signal HandlersInstalling Signal Handlers

The The signalsignal function modifies the default action function modifies the default action associated with the receipt of signal associated with the receipt of signal signumsignum:: handler_t *signal(int signum, handler_t *handler)

Different values for Different values for handlerhandler:: SIG_IGN: ignore signals of type signum SIG_DFL: revert to the default action on receipt of signals of

type signum. Otherwise, handler is the address of a signal handler

Called when process receives signal of type signumReferred to as “installing” the handler.Executing handler is called “catching” or “handling” the signal.When the handler executes its return statement, control passes

back to instruction in the control flow of the process that was interrupted by receipt of the signal.

– 94 – 15-213, F’02

Signal Handling ExampleSignal Handling Examplevoid int_handler(int sig){ printf("Process %d received signal %d\n", getpid(), sig); exit(0);}

void fork13(){ pid_t pid[N]; int i, child_status; signal(SIGINT, int_handler);

. . .}

linux> ./forks 13 Killing process 24973 Killing process 24974 Killing process 24975 Killing process 24976 Killing process 24977 Process 24977 received signal 2 Child 24977 terminated with exit status 0 Process 24976 received signal 2 Child 24976 terminated with exit status 0 Process 24975 received signal 2 Child 24975 terminated with exit status 0 Process 24974 received signal 2 Child 24974 terminated with exit status 0 Process 24973 received signal 2 Child 24973 terminated with exit status 0 linux>

– 95 – 15-213, F’02

A Program That Reacts toExternally Generated Events (ctrl-c)A Program That Reacts toExternally Generated Events (ctrl-c)

#include <stdlib.h> #include <stdio.h> #include <signal.h>

void handler(int sig) { printf(“caught sigint \n"); exit(0); } main() { signal(SIGINT, handler); /* installs ctl-c handler */ while(1) { } }

– 96 – 15-213, F’02

A Program That Reacts to Internally Generated EventsA Program That Reacts to Internally Generated Events#include <stdio.h> #include <signal.h> int beeps = 0; /* SIGALRM handler */void handler(int sig) { printf("BEEP\n"); fflush(stdout); if (++beeps < CNT) alarm(1); else { printf("BOOM!\n"); exit(0); } }

main() { signal(SIGALRM, handler); alarm(1); /* send SIGALRM in 1 second */ while (1) { /* handler returns here */ } }

linux> a.out BEEP BEEP BEEP BEEP BEEP BOOM! bass>

Documents

– 1 – 15-213, F’02 Dynamic Memory Allocation Explicit vs. Implicit Memory Allocator Explicit: application allocates and frees space Implicit: application