Vladislav Shpilevoy PRO
Database C developer at Tarantool. Backend C++ developer at VirtualMinds.
Version: 3
System programming
Education
Lecture 3:
Memory. Virtual and physical. Cache levels, cache line. User space and kernel space memory. False sharing.
Lecture plan
- CPU registers
- CPU cache
- Types
- False sharing
- Attacking
- Main memory (RAM)
- Virtual memory
- Mapping to physical memory
- Hardware part
- Kernel part
- On top of virtual memory
- Homework
Process
.text
.data
.stack
.heap
.stack
.stack
File descriptors
Signal queue
IPC
Memory
Memory levels
Registers
Cache L1
Cache LN
Main memory
Flash memory
Magnetic memory
Speed
Volume
Registers [1]
- The fastest memory
- Access speed - one processor tick
- No addresses = no virtualization = direct access = speed
- Expensive - occupies physical space on processor, intricate microcircuit
- Fixed in size, hardwired on processor
Registers [2]
Registers [3]
Trigger to save a value
Value to save
Saved value
NAND - Not And
Static Random Access Memory - SRAM
pc
mar
ir
asid
eax
ebx
ecx
edx
esi
...
<=128 bits
Cache [1]
Cache [2]
Time locality
Space locality
for (int i = 0; i < count; ++i)
{
/* ... cache 'i' */
}char buffer[128];
/* ... cache buffer */
read(buffer, 0, 64);
/* ... */
read(buffer, 64, 128);
/* ... */
read(buffer, 32, 96);
/* ... */Cache [3]
| Cache | Size | Access speed |
|---|---|---|
| L1 | tens of Кб | ~1 tick, < nanosecond |
| L2 | ones of Мб | tens of ticks, ones of nanoseconds |
| L3 | tens of Мб | hundreds of ticks, tens of nanoseconds |
Cache [4]
Why so big difference in access speeds to cache levels?
Bigger size - longer search. Farther from processor - electricity goes notably longer.
1 point
Cache [5]
1 - in a big cache search is longer, many comparisons
c = 299 792 458\ m/s;\\
v = 3GHz;\\
1\ tick = 1/3 ns; \\
1\ tick * c ~= 10 sm
2 - going to a place in the cache and back really costs time
Cache [6]
Main memory
Bus
Cache L3
Cache L2
Cache L1
Processor core
Processor chip
Cache inclusion policies
Inclusive
L3
L2
L1
Exclusive
L3
L2
L1
NINE
L3
L2
L1
Inclusive cache
L1
L2
Х
A processor reads Х ...
Read from L1
L1
L2
Х
Copy into L1
Х
L1
L2
Х
Load into L1 and L2
Х
Y
Y
Read from L1
Fix inclusion
Read from L1
Y
Х
Exclusive cache [1]
L1
L2
Х
Read from L1
L1
L2
Х
Move to L1
Х
L1
L2
Х
Load into L1
Read from L1
Read from L1
A processor reads Х ...
Exclusive cache [2]
How are filled L2, L3 exclusive cache levels?
With records evicted from the previous level
L1
L2
Х
Evict old into L2, load new into L1
Read from L1
Y
Y
1 point
NINE cache
Not Inclusive Not Exclusive
L1
L2
Х
Read from L1
L1
L2
Х
Load into L1 and L2
Read from L1
L1
L2
Х
Copy into L1
Х
Read from L1
Y
Y
X
Same data in L1 and L2 - not exclusive
No eviction from L1 to satisfy inclusion with L2 - not inclusive
Y
Cache write policies
L3
L2
L1
Main memory
Write through
Need to wait when write is done
L3
L2
L1
Main memory
Write back
Set dirty bit
Need to sync caches between processor cores
Cache schema [1]
64 B
64 B
64 B
64 B
64 B
...
addr1
addr2
addr3
addr4
addrN
char *
read_from_cache(unsigned long addr)
{
/* This is machine code, 64 bit. */
unsigned offset = addr & 63;
unsigned cache_addr = addr ~ offset;
char *line = lookup_line(cache_addr);
return line + offset;
}Address mapping policy
Storage and reading in blocks
Cache schema [2]
64 bytes
Cache line:
Address layout:
tag
tag
offset
6 bits
policy helper
- Fully-associative cache
- Direct mapping cache
- N-associative cache
user data
Fully-associative cache
Addresses
Cache
...
Address
tag
offset
6 bits
58 bits
Hardware schema
Direct mapping cache
Addresses
Cache
Address
tag
offset
6 bits
26 bits
Hardware schema
index
32 bits
N-associative cache [1]
Addresses
Cache
Address
tag
offset
6 bits
Hardware schema
index
...
58 - log_{2}{r}
log_{2}{r}
r
- cache line count
N-associative cache [2]
Gap declines and almost disappears
Instruction cache [1]
<opcode> := <argcount> <argtypes> <indirect_args>
<ret_type> <target_dev>Argument count
Argument types
Implicit arguments
Return type
Where to execute?
Instruction cache [2]
CPU Pipeline:
- Instruction fetch
- Instruction decode
- Execute
- Memory access
- Register write back
Multiprocessor cache [1]
Shared cache?
- need to move out from chip
- contention for access
Separate cache?
- need to sync access - provide cache coherency
Multiprocessor cache [2]
- Modified - processor-owner modified a line, but it is not loaded into another caches;
- Exclusive - a line is not modified and is not loaded into another caches;
- Shared - a line is not modified, but can be loaded into another caches;
- Invalid - a line is free, no valid data.
False sharing [1]
struct my_object {
int32_t a;
int32_t b;
int32_t c;
int32_t d;
};
struct my_object object;
void
thread1_func()
{
while (true) {
do_something(object.a);
do_something(object.b);
}
}
void
thread2_func()
{
while (true) {
write_into(&object.c);
write_info(&object.d);
}
}a, b
c, d
Cache line
8 bytes
8 bytes
48 bytes
Reading thread
Writing thread, invalidates the cache
False sharing [2]
struct my_object {
int32_t a;
int32_t b;
char padding[56];
int32_t c;
int32_t d;
};a, b
padding
Cache lines
8 bytes
56 bytes
Reading thread
Writing thread
c, d
8 bytes
56 bytes
Since C++17 can use
std::hardware_destructive_interference_size.
Meltdown [1]
Now here
Execution in advance, speculation, branch prediction
Privileges check after speculation
Meltdown [2]
static jmp_buf jmp;
void
process_signal(int code)
{
printf("Process SIGSEGV, code = %d, "\
"SIGSEGV = %d\n", code, SIGSEGV);
longjmp(jmp, 1);
}
int
main()
{
char *p = NULL;
signal(SIGSEGV, process_signal);
printf("Before SIGSEGV\n");
if (setjmp(jmp) == 0)
*p = 100;
printf("After SIGSEGV\n");
return 0;
}It is not hard to get segfault - just access invalid memory
vladislav$> gcc 2_catch_sigsegv.c vladislav$> ./a.out Before SIGSEGV Process SIGSEGV, code = 11, SIGSEGV = 11 After SIGSEGV vladislav$>
Set a handler on SIGSEGV, which ignores it
Meltdown [3]
char userspace_array[256 * 4096];
char kernel_byte_value;
char
get_kernel_byte(const char *kernel_addr)
{
clear_cache_for(userspace_array);
register_exception_handler(process_exception);
char index = *kernel_addr;
/* Next code is for speculation. */
char unused = userspace_array[index * 4096];
/* Next code is after exception handler. */
return kernel_byte_value;
}
void
process_exception()
{
uint min_time = UINT_MAX;
for (char i = 0; i < 256; ++i) {
uint start = time();
char unused = userspace_array[i * 4096];
uint duration = time() - start;
if (duration < min_time) {
min_time = duration;
kernel_byte_value = i;
}
}
}Location to read kernel memory into
Cleanup caches, because the attack needs them empty
Read a forbidden address into a variable, which then is used to read another memory location
The kernel throws a segfault, but the needed element is already loaded into a cache. Its index is a value from the kernel memory
PROFIT
Cache profit
AAT = hit\_time + miss\_rate * miss\_penalty
Average Access Time
AAT = hit_{cache} + miss_{cache} * ram\_time
Assume these pessimistic values:
ram\_time = 100ns\\
miss_{L1\_cache} = 10\%\\
hit_{L1\_cache} = 1ns\\
miss_{L2\_cache} = 5\%\\
hit_{L2\_cache} = 10ns\\
miss_{L3\_cache} = 1\%\\
hit_{L3\_cache} = 50ns
Result average access time:
no cache: AAT = 100ns\\
cache L1: AAT = 1ns + 10\% * 100ns = 11ns\\
cache L2: AAT = 1ns + 10\% * (10ns + 5\% * 100ns) = 2.5ns\\
cache L3: AAT = 1ns + 10\% * (10ns + 5\% * (50ns + 1\% * 100ns)) = 2.255ns
x44
Memory access cost
Latency Comparison Numbers (~2012)
+ "World constants 2022" from Andrey Aksenov
----------------------------------
L1 cache reference 0.3 ns
Branch mispredict 5 ns
L2 cache reference 7 ns
Main memory reference 25 ns
Mutex lock/unlock 100 ns
Compress 1K bytes with Zippy 3,000 ns
Send 1K bytes over 1 Gbps network 10,000 ns
Read 1 MB sequentially from memory 66,000 ns
Read 4K randomly from SSD* 150,000 ns
Read 1 MB sequentially from SSD* 333,000 ns
Round trip within same datacenter 500,000 ns
Disk seek 10,000,000 ns
Read 1 MB sequentially from disk 20,000,000 ns
Send packet CA->Netherlands->CA 150,000,000 nsHelp to cache
struct complex_struct {
int id;
double a;
long d;
char buf[10];
char *long_buf;
};
struct complex_struct *
complex_struct_bad_new(int long_buf_len)
{
struct complex_struct *ret =
(struct complex_struct *) malloc(sizeof(*ret));
ret->long_buf = (char *) malloc(long_buf_len);
return ret;
}
struct complex_struct *
complex_struct_good_new(int long_buf_len)
{
struct complex_struct *ret;
int size = sizeof(*ret) + long_buf_len;
ret = (struct complex_struct *) malloc(size);
ret->long_buf = (char *) ret + sizeof(*ret);
return ret;
}
int main()
{
return 0;
}This is bad
Structure and its buffer are sequential in memory and in one cache line
*This is good
Main memory [1]
Dynamic Random Access Memory - DRAM
DRAM bit
SRAM bit
- capacity - femtofarad (10^-15)
- resistance - teraohm 10^12
- need reset once per 50-100ms
Main memory [2]
Main memory - main problem. It is slow
What next?
Disks
External devices, transfer data through main memory, accessed via kernel always
Next is virtual memory
Virtual memory [1]
Memory Management Unit - a chip to translate virtual addresses into physical ones
Virtual memory [2]
Physical and virtual memory consists of pages of fixed size (like 4-8 KB)
virt_page
offset
log_{2}{(page\_count)}
MMU:
virtual\_page \Rightarrow physical\_page
Virtual address
// Linux-specific
size = getpagesize();
// Portable.
size = sysconf(_SC_PAGESIZE);
Virtual memory [3]
1.
2.
3.
4.
5.
6.
7.
123
54
68
90
230
170
13
Physical page number
Array index - virtual page number
void *
translate(void *virt)
{
int virt_page = virt >> offset_bits;
int phys_page = page_table[virt_page];
int offset = virt ~ (virt_page << offset_bits);
return (phys_page << offset_bits) | offset;
}One huge hardware table? - too expensive
Everything in main memory? - too slow
Page table
Virtual memory [4]
How to solve MMU and page table lookup speed problem?
Don't know what to do? - add a cache
1 point
Virtual memory [5]
1.
2.
3.
4.
5.
6.
7.
123
54
68
90
230
170
13
Page table
187.
232.
34.
48.
519.
94.
58
123
54
68
90
230
170
13
TLB
Translation Lookaside Buffer
std::vector<unsigned>std::map<unsigned, unsigned>Hardware, < 100 records. It is a core part of MMU.
Programmatic, thousands and millions of records
Processor loads needed pages in advance, before they are accessed. It can be helped with
__builtin_prefetchContent Addressable Memory - CAM
Virtual memory [6]
Page global directory
Page middle directory
Page table entry
L1_idx
Virtual address
L2_idx
offset
L3_idx
Virtual memory [7]
How to share TLB between processes?
Address Space Identifier, ASID. It is an implicit prefix of each address in the TLB, and each process has ASID.
1 point
Virtual memory [8] in the kernel
/**
* 16.10.2018
* 138 lines.
*/
struct page {
unsigned long flags;
void *virtual;
struct list_head lru;
};Page tables are maintained by the kernel
Virtual memory [9]
0x0
0xffffffff
.text
.data
.bss
.heap
.stack
.env
0xс0000000
.kernel
Virtual memory [10]
KASLR - Kernel Address Space Layout Randomization
KAISER - Kernel Address Isolation to have Side-channels Efficiently Removed
Fight against errors in the kernel code
Fight against attacks like Meltdown - with an implicit channel leaking information
Virtual memory [11]
#define __builtin_prefetch
#define __builtin_expect
int
madvise(void *addr, size_t len, int advice);Cache and physical memory concepts are hidden from user, except for some small bits of info
But virtual memory management is fully accessible in user space
void *
mmap(void *addr, size_t len, int prot, int flags, int fd, off_t offset);
void *
brk(const void *addr);
void *
alloca(size_t size);
void *
malloc(size_t size);Malloc
32MB
32MB
16MB
16MB
16MB
16MB
8MB
8MB
8MB
8MB
8MB
8MB
8MB
8MB
malloc(size);Rounds up to the nearest block size, fills headers, returns
Alternatives to malloc
- jemalloc
- tcmalloc
Summary
Memory has many layers - CPU registers, CPU cache, main (RAM)), virtual addresses, abstractions like heap
Virtual addresses are important. All processes have the same address space, but different mappings to the physical memory. Same virtual address in 2 processes always* points at 2 different physical bytes.
Kernel manages memory in pages. Both physical and virtual. For each process it stores a map like {virtual page address -> physical page address}. Page address points at its first byte.
Hardware translates the addresses on each memory access. Special device TLB uses a cached subset of the page mapping. Sometimes it falls back to the kernel for pages missing in the cache.
Heap, stack, mmap also operate on virtual addresses and whole pages. They are just abstractions on top of the virtual address space.
Processes, memory. Practice
Shell
Write a simplified version of a command line console. It should read lines like this:
> cmd1 arg arg | cmd2 arg | cmd3 arg arg arg ...
and execute them, just like a normal console, like 'bash'. Use pipe() + dup() + fork() + exec().
Points: 15 - 25.
Deadline: 2 weeks.
Penalty: -1 for each day after deadline, max -10
Publish your solution on Github and give me the link. Assessment: any way you want - messengers, calls, emails.
Conclusion
Lectures: slides.com/gerold103/decks/sysprog_eng
Next time:
Signals. Hardware and programmatic interrupts, their nature. Top and bottom halves. Signals and system calls, signal context.
Press on the heart, if like the lecture
System programming 3
By Vladislav Shpilevoy
System programming 3
Virtual and physical memory. Cache, cache line, cache levels, cache coherence, false sharing. High and low memory. Page tables. User space and kernel space memory, layout. Functions brk, madvice, mmap. Malloc and alternative libraries.
