CS444 Experimenting with the x86 MMU

The SAPC starts up using Linux 2.2 startup code. Paging is on. The VA space runs from VA 0 to VA 0x3fffff, 4MB, and a single page table (1024 4-byte PTEs, one per 4KB page) covers all of it. The page table lies at VA 0x52000, within the Tutor memory region that starts at VA 0x50000. We can play with the low-numbered pages without disturbing the running system (Tutor); all the sensitive data, including the interrupt vector table, is above 0x50000.

1. First 4 PTEs. With a fresh system (reboot to make sure), we dump the first 4 PTEs and analyze them (status bits, what VA->PA translation they do).

~Resetting board #6!

Tutor> md 52000

00052000    07 00 00 00 07 10 00 00 07 20 00 00 07 30 00 00 ......... ...0..

            |---------| |---------| |---------| |---------|   4 bytes each

Use “mdd” to display data in 32-bit hex numbers (double words, in x86 terminology)

Tutor> mdd 52000

00052000    00000007 00001007 00002007 00003007 ......... ...0..

Expand hex 007 to binary 0000 0000 0111 to look at the bits; the PTE layout is on p. 887. In a 32-bit x86 PTE, bits 31..12 are the page frame number (pfn) and the low bits, from bit 6 down to bit 0, are D (dirty), A (accessed), PCD, PWT, U/S, R/W and P (present). The tables below list the bits in that order.

PTE#  PTE (pfn|flags)   pfn   D A PCD PWT U/S R/W P    VA          PA
 0    00000 007          0    0 0  0   0   1   1  1   0000-0fff   0000-0fff
 1    00001 007          1    0 0  0   0   1   1  1   1000-1fff   1000-1fff
 2    00002 007          2    0 0  0   0   1   1  1   2000-2fff   2000-2fff
 3    00003 007          3    0 0  0   0   1   1  1   3000-3fff   3000-3fff

All four pages are clean (D=0) and have not been accessed (A=0); the user, writable and present bits are all on. In each PTE the pfn equals the PTE number, so this is identity mapping from VA to PA.

For example, VA 0x2345 maps to PA 0x2345: both are page 2, offset 0x345.

2. Tutor PTEs. Find and dump the first 4 PTEs for Tutor, which starts at VA 0x50000, and analyze them.

  For VA 0x50000 the vpn is 0x50, so it is described by PTE# 0x50. One PTE occupies 4 bytes, so this PTE lies 0x50*4 = 0x140 bytes above 0x52000, the start of the page table:

       Address  0x52000+0x50*4=0x52140

Tutor> md 52140

00052140    27 00 05 00 07 10 05 00 27 20 05 00 07 30 05 00 '.......' ...0..

Tutor> mdd 52140

00052140    00050027 00051007 00052027 00053007 '.......' ...0..

PTE#  PTE        pfn   D A PCD PWT U/S R/W P    VA            PA
 50   00050027    50   0 1  0   0   1   1  1   50000-50fff   50000-50fff
 51   00051007    51   0 0  0   0   1   1  1   51000-51fff   51000-51fff
 52   00052027    52   0 1  0   0   1   1  1   52000-52fff   52000-52fff
 53   00053007    53   0 0  0   0   1   1  1   53000-53fff   53000-53fff

The pages described by PTE#50 and PTE#52 are clean but have been accessed (read, not written): D=0, A=1, user, writable, present. Page 0x52 is the page that holds the page table itself, and the md 52000 in step 1 read it through paging. The pages described by PTE#51 and PTE#53 are clean and not yet accessed: D=0, A=0, user, writable, present. All four are still identity mapped.

Pages 0x51 and 0x53 have not been touched since the system reset (~r), because their A bits are 0.
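A decoder for these PTE dumps, added here as an example and not part of the course notes or of Tutor: it computes the PTE address for a VA the way step 2 does, splits a 32-bit x86 PTE into pfn and flag bits in the column order of the tables above, and does the VA to PA translation of step 1. The constants (page table at 0x52000, 4MB, the PTE bit positions) come from the notes and the x86 PTE format; the function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the notes: 4MB of memory, one page table at VA 0x52000
 * holding 1024 4-byte PTEs for VA 0..0x3fffff. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define PT_BASE    0x52000u

/* Flag bits in the low 12 bits of a 32-bit x86 PTE, bit 6 down to bit 0:
 * D A PCD PWT U/S R/W P, the order used in the tables above. */
#define PTE_P   (1u << 0)
#define PTE_RW  (1u << 1)
#define PTE_US  (1u << 2)
#define PTE_PWT (1u << 3)
#define PTE_PCD (1u << 4)
#define PTE_A   (1u << 5)
#define PTE_D   (1u << 6)

struct pte_fields {
    uint32_t pfn;                      /* bits 31..12: page frame number */
    bool d, a, pcd, pwt, us, rw, p;    /* bits 6..0 */
};

/* vpn = PTE index; VA 0x50000 -> 0x50 */
uint32_t pte_index(uint32_t va) { return va >> PAGE_SHIFT; }

/* Where that PTE sits in memory: 0x52000 + vpn*4 (0x52140 for VA 0x50000) */
uint32_t pte_addr(uint32_t va) { return PT_BASE + pte_index(va) * 4u; }

struct pte_fields pte_decode(uint32_t pte) {
    struct pte_fields f;
    f.pfn = pte >> PAGE_SHIFT;         /* meaningless when p == 0 */
    f.d   = (pte & PTE_D)   != 0;
    f.a   = (pte & PTE_A)   != 0;
    f.pcd = (pte & PTE_PCD) != 0;
    f.pwt = (pte & PTE_PWT) != 0;
    f.us  = (pte & PTE_US)  != 0;
    f.rw  = (pte & PTE_RW)  != 0;
    f.p   = (pte & PTE_P)   != 0;
    return f;
}

/* VA -> PA through the given PTE: frame from the PTE, page offset from the VA.
 * Returns false when P=0, the case the MMU turns into exception 14. */
bool va_to_pa(uint32_t va, uint32_t pte, uint32_t *pa) {
    if (!(pte & PTE_P))
        return false;
    *pa = (pte & ~(PAGE_SIZE - 1u)) | (va & (PAGE_SIZE - 1u));
    return true;
}

/* One table row in the layout of the notes. */
static void print_row(uint32_t idx, uint32_t pte) {
    struct pte_fields f = pte_decode(pte);
    uint32_t va = idx << PAGE_SHIFT, pa = f.pfn << PAGE_SHIFT;
    printf("%3x  %08x  %3x   %d %d  %d   %d   %d   %d  %d   %05x-%05x  %05x-%05x\n",
           idx, pte, f.pfn, f.d, f.a, f.pcd, f.pwt, f.us, f.rw, f.p,
           va, va + PAGE_SIZE - 1, pa, pa + PAGE_SIZE - 1);
}

int main(void) {
    /* PTE values copied from the mdd dumps in steps 1 and 2 */
    const uint32_t low[4]   = {0x00000007, 0x00001007, 0x00002007, 0x00003007};
    const uint32_t tutor[4] = {0x00050027, 0x00051007, 0x00052027, 0x00053007};
    uint32_t pa;

    printf("PTE#  PTE       pfn   D A PCD PWT U/S R/W P   VA           PA\n");
    for (uint32_t i = 0; i < 4; i++)
        print_row(i, low[i]);
    for (uint32_t i = 0; i < 4; i++)
        print_row(0x50 + i, tutor[i]);

    printf("PTE for VA 50000 is #%x at %x\n", pte_index(0x50000), pte_addr(0x50000));
    if (va_to_pa(0x2345, low[2], &pa))
        printf("VA 2345 -> PA %x\n", pa);
    return 0;
}
```

The same arithmetic is what you do by hand at the Tutor prompt: pte_addr gives the address to feed to md/ms, and pte_decode gives the columns of the table.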

3. Page Reference and Dirty Bits in the PTE.

We saw that page 3 is present but not yet referenced (A=0). Read it and check the PTE, then write it and check the PTE again, and interpret the findings.

Reading page 3, then looking at the page table:

Tutor> md 00003007

00003007    00 e8 f3 fb ff ff c7 05 00 10 09 00 00 2c 00 00 .............,..

Tutor> mdd 52000

00052000    00000007 00001007 00002007 00003027 ......... ..'0..

                                       ======!!

After the read, the A (accessed) bit in PTE#3 is set: the flags went from 007 to 027. The MMU sets A on the first access of any kind through this PTE.

Now write to page 3:

Tutor> ms 00003007 aaaa

Tutor> md 00003007

00003007    aa aa f3 fb ff ff c7 05 00 10 09 00 00 2c 00 00 .............,..

Tutor> mdd 52000

00052000    00000007 00001007 00002007 00003067 ......... ..g0..

After the write, the D (dirty) bit in PTE#3 is set as well: the flags went from 027 to 067 (D=1, A=1). A write is also an access, so A stays set; D is only set by writes.

4. Page Fault. Now mark page 2 not present and try a read (or a write) to see a page fault. Clearing P makes the page invalid; writing 2000 over the low half of PTE#2 (at 0x52008) keeps pfn 2 and clears all the flag bits:

Tutor> ms 52008 2000

Tutor> mdd 52000

00052000    00000007 00001007 00002000 00003027 ......... ...0..

Tutor> md 2000

00003000    Exception 14 at EIP=00060bd6: Page fault

                                          ^^^^ ^^^^^

Tutor> rd all

EAX=00003000 EBX=00000000   EBP=0006f124

EDX=00000000 ECX=00060bd0   ESP=0006f124

ESI=0006f154 EDI=0006f150   EIP=00060bd6

EFLAGS=10206 (IF=1 SF=0 ZF=0 CF=0 OF=0)

CS=0010 DS=0018 SS=0018 ES=0018 FS= 0018 GS=0018

CR0=80050033   CR2=c0002000   CR3=51000 /* CR2 holds the faulting linear address; CR3 is the page directory, at PA 0x51000 */

                   ^^^^^^^^

We see 0xc0002000 in CR2, the linear address (LA) of VA 0x2000, i.e. the faulting address. The Linux 2.2 startup code gives the kernel segments a base of 0xC0000000, so LA = VA + 0xC0000000; the page directory at PA 0x51000 (CR3) sends that LA through the page table at 0x52000, where PTE#2 now has P=0, and the MMU raises exception 14. A page fault handler would therefore see the LA, not the VA, in CR2. Before using page 2 again, restore PTE#2 (ms 52008 2007) or reset the board, as step 5 does.

5. Shared Memory. Rewrite the page table so that both VA 0x3000 and VA 0x5000 refer to PA 0x5000, and show that it works by writing once through one VA and reading back through both.

Tutor> ~resetting board #6!

Exception 3 at EIP=000578ee: Breakpoint

Tutor> mdd 52000

00052000    00000007 00001007 00002007 00003007 ......... ...0..

Tutor>               /* Enter alone continues the dump at the next 16 bytes */

00052010    00004007 00005007 00006007 00007007 .@...P...`...p..

Change PTE#3 (at 0x5200c) to use pfn 5, keeping flags 007:

Tutor> ms 5200c 5007

Tutor> mdd 52000   /* PTE#3 is now 00005007, the same pfn as PTE#5 */

00052000    00000007 00001007 00002007 00005007 ......... ...P..

Tutor>               /* Enter alone continues the dump */

00052010    00004007 00005007 00006007 00007007 .@...P...`...p..

Tutor> mdd 3200      /* read two ways, see same garbage */

00003200    2de4e97d e03c8a98 6895993b f64a719f }..-..<.;..h.qJ.

Tutor> mdd 5200

00005200    2de4e97d e03c8a98 6895993b f64a719f }..-..<.;..h.qJ.

Tutor> ms 3200 abcd0123  /* write via page 3 */

Tutor> mdd 3200         /* read via page 3 */

00003200    abcd0123 e03c8a98 6895993b f64a719f #.....<.;..h.qJ.

Tutor> mdd 5200          /* read  via page 5—see same stuff */

00005200    abcd0123 e03c8a98 6895993b f64a719f #.....<.;..h.qJ.
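A software model of what the MMU did in steps 3, 4 and 5, added here as an example and not part of the notes or of Tutor: a 4MB array stands in for the SAPC's physical memory, the page table is built identity mapped at 0x52000 as in step 1, and every access through the model sets A (and D on a write) in the PTE it used, or refuses with the linear address in a CR2 stand-in when P=0. The segment base 0xC0000000 is an assumption taken from the CR2 value in step 4; the function names and the sample byte values are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define MEM_SIZE   (4u << 20)           /* 4MB on the SAPC */
#define PT_BASE    0x52000u             /* page table; identity mapped, so PA == VA */
#define PT_ENTRIES (MEM_SIZE / PAGE_SIZE)
#define SEG_BASE   0xC0000000u          /* assumed: LA = VA + SEG_BASE, from CR2=c0002000 for VA 2000 */

#define PTE_P  (1u << 0)
#define PTE_RW (1u << 1)
#define PTE_US (1u << 2)
#define PTE_A  (1u << 5)
#define PTE_D  (1u << 6)

static uint8_t  mem[MEM_SIZE];          /* simulated physical memory */
static uint32_t cr2_reg;                /* stand-in for CR2 */

/* Raw page-table access, the way Tutor's md/ms reach it at 0x52000 + idx*4 */
uint32_t mmu_pte(uint32_t idx) {
    uint32_t v;
    memcpy(&v, mem + PT_BASE + idx * 4u, sizeof v);
    return v;
}
void mmu_set_pte(uint32_t idx, uint32_t v) {
    memcpy(mem + PT_BASE + idx * 4u, &v, sizeof v);
}
uint32_t mmu_cr2(void) { return cr2_reg; }

/* Fresh board: memory zeroed, every page identity mapped with flags 007 */
void mmu_reset(void) {
    memset(mem, 0, sizeof mem);
    for (uint32_t i = 0; i < PT_ENTRIES; i++)
        mmu_set_pte(i, (i << PAGE_SHIFT) | PTE_US | PTE_RW | PTE_P);
    cr2_reg = 0;
}

/* One translation as the hardware does it. P=0: exception 14, faulting LA in CR2.
 * Otherwise set A, and D on a write, in the PTE used for this VA; any other
 * PTE that happens to point at the same frame is left alone. */
bool mmu_translate(uint32_t va, bool is_write, uint32_t *pa) {
    uint32_t idx = va >> PAGE_SHIFT;
    uint32_t pte = mmu_pte(idx);
    if (!(pte & PTE_P)) {
        cr2_reg = SEG_BASE + va;
        return false;
    }
    pte |= PTE_A;
    if (is_write)
        pte |= PTE_D;
    mmu_set_pte(idx, pte);
    *pa = (pte & ~(PAGE_SIZE - 1u)) | (va & (PAGE_SIZE - 1u));
    return true;
}

/* Byte access through the model: -1 / false on a page fault */
int mmu_read8(uint32_t va) {
    uint32_t pa;
    return mmu_translate(va, false, &pa) ? mem[pa] : -1;
}
bool mmu_write8(uint32_t va, uint8_t v) {
    uint32_t pa;
    if (!mmu_translate(va, true, &pa))
        return false;
    mem[pa] = v;
    return true;
}

int main(void) {
    mmu_reset();
    /* step 3: read then write page 3; A appears, then D */
    mmu_read8(0x3007);
    printf("after read  PTE#3 = %08x\n", mmu_pte(3));    /* 00003027 */
    mmu_write8(0x3007, 0xaa);
    printf("after write PTE#3 = %08x\n", mmu_pte(3));    /* 00003067 */

    /* step 4: clear P on page 2 and touch it */
    mmu_set_pte(2, 0x00002000);
    if (mmu_read8(0x2000) < 0)
        printf("page fault, CR2 = %08x\n", mmu_cr2());   /* c0002000 */

    /* step 5: alias VA 3000 onto PA 5000, write via one VA, read via the other */
    mmu_reset();
    mmu_set_pte(3, 0x00005007);
    mmu_write8(0x3200, 0x23);
    int via5 = mmu_read8(0x5200);
    printf("via 5200: %02x, PTE#3 = %08x, PTE#5 = %08x\n",
           via5, mmu_pte(3), mmu_pte(5));                /* 23, 00005067, 00005027 */
    return 0;
}
```

Two things the model makes visible that the dumps above only hint at. First, A and D land in the PTE that was used for the access: after the write through VA 0x3200 it is PTE#3 that reads 00005067, while PTE#5 is untouched until something goes through VA 0x5000. Second, the model has no TLB. On the real CPU a PTE edited with ms does not invalidate a translation the TLB already cached, so a stale mapping can keep working (or a cleared P bit can go unnoticed) until an invlpg or a CR3 reload; the experiments above get away without one because pages 2 and 3 still had A=0, i.e. had not been translated since reset.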