<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Case Study: Windows</title>
<link rel="STYLESHEET" type="text/css" href="images/xpolecat.css">
<link rel="STYLESHEET" type="text/css" href="images/ie.content.books24x7.css">
</head>
<body >
<div class="chapter">
<a name="ch02"></a>
<div class="section">
<h2 class="first-section-title"><a name="223"></a><a name="ch02lev1sec4"></a>Case Study: Windows</h2><p class="first-para">Windows is a closed source operating system, and this will probably somewhat limit the depth of my examination. DOS is another closed source project from Microsoft, but DOS is literally so small that this fact doesn't have much of an impact. You could probably disassemble DOS in a few weeks. I am pretty sure that some of Microsoft's competitors actually took this route. With the Windows operating system, full-scale reverse engineering is just not feasible. In this case, all I have to go on is whatever Microsoft gives me. The rest will be pure detective work: picking up leads and seeing where they take me.</p>
<blockquote class="blockquote">
<p class="first-para">"We work in the dark<br style="line-height:1">We do what we can<br style="line-height:1">We give what we have.<br style="line-height:1">Our doubt is our passion<br style="line-height:1">And our passion is our task.<br style="line-height:1">The rest is the madness of art."</p>
<p class="last-para">— Henry James</p>
</blockquote>
<p class="para">Of the four operating systems that are examined in this chapter, Windows is, by far, the largest and most complicated. The engineers who designed Windows should probably consider it an accomplishment just to have been able to successfully manage the construction of such a behemoth. Thus, I will spend more effort describing how this leviathan works.</p>
<div class="section">
<h3 class="sect3-title">
<a name="224"></a><a name="ch02lev2sec21"></a>Historical Forces</h3>
<p class="first-para">Microsoft's DOS operating system has never really died off. I have seen DOS 6.22 books at Barnes & Noble. In fact, you can still buy a copy of IBM's PC DOS. This is known as PC DOS 2000, found at <a target="_top" class="url" href="http://www3.ibm.com/software/os/dos">http://www3.ibm.com/software/os/dos</a>.</p>
<p class="para">Unofficially, however, the death knell of DOS was sounded when Windows 1.0 was released on November 20, 1985. A little over two years later, Windows 2.0 was released. Windows 2.0 ran on an Intel 80286 in protected mode. The first truly popular version of Windows, 3.1, was presented to the public on April 6, 1992. It provided a <a name="225"></a><a name="IDX-93"></a>modest GUI and ran on affordable hardware. Microsoft also made a foray into peer-to-peer networking with Windows 3.11. These versions of Windows all required one thing: an existing DOS installation. This is because Windows, during these early years, was more of a glorified DOS program than a stand-alone operating system. It is a well-known fact that Windows 3.11 and its predecessors used the file system manager (i.e., INT 21 system calls) provided by DOS.</p>
<p class="para">In August of 1995, Windows 95 was made available to the public. It was a major facelift and was completely independent of DOS, although it did ship with MS-DOS 7.0. Windows 95 supported advanced features like pre-emptive multitasking and TCP/IP networking. Windows 95 also possessed a much more attractive user interface. It was a smashing success. Microsoft followed Windows 95 with Windows 98, whose success was not as celebrated.</p>
<p class="para">The limitation of Windows 95 and 98 was that they targeted the average consumer. Windows 95 and 98 both ran a broad spectrum of desktop applications, but that was about it. The memory protection was still weak, and they had a tendency to crash, or freeze, when multiple applications were loaded (I am a voice of experience). In other words, neither of these operating systems was intended to run as a business server.</p>
<p class="para">In the early 1990s, Microsoft did not have an industrial-strength, enterprise level operating system to sell, like UNIX, VMS, or OS/390. Computers that ran the Windows operating system were viewed by mainframe vendors as nothing more than embroidered clients. The high-end system vendors, like IBM and HP, could turn up their noses and smirk.</p>
<blockquote class="blockquote">
<p class="first-para">"Here's a nickel, kid. Buy yourself a better computer."</p>
<p class="last-para">— UNIX Admin from "Dilbert"</p>
</blockquote>
<p class="para">Bill Gates decided that he wanted in; the potential for profit was too much to resist. So, like any political action committee, he went out and bought the best that money could buy. He hired Dave Cutler, the lead architect of Digital Equipment Corporation's (DEC) VMS operating system. Cutler also played a pivotal role in the development of DEC's RSX-11 system. Many people don't know about Cutler, and he doesn't get the publicity that someone like Ken Thompson commands. Nevertheless, hiring Cutler and his small group of engineers was the best money that Gates ever spent. In 1994, Windows NT 3.1 was released and marked the beginning of Microsoft's wildly profitable ascent into the server market.</p>
<a name="226"></a><a name="IDX-94"></a>
<div class="sidebar" style="background-color:">
<a name="227"></a><a name="ch02usb01"></a>
<table class="BlueLine" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td bgcolor="000080" class="bluecell"><font size="2" face="Arial" color="010100"><b><img src="_.gif" width="1" height="2" alt="Start Sidebar" border="0"></b></font></td>
</tr>
</table>
<span class="sidebar-title"><b>
<center>ASIDE</center>
</b></span>
<p class="first-para">In 1997, I was hired by an ERP company in the Midwest. I walked smack into the middle of a major effort to port their 16 million line, middleware code base to Windows NT 4.0. This, in and of itself, was enough to prove to me that NT was finally gaining attention. Porting a 16 million line code base is anything but cheap. In fact, it is more like getting married: You don't do it unless you are willing to make a significant long-term commitment.</p>
<p class="last-para">There were complaints from the engineers undertaking the port. Their primary gripe was that NT was not a multiuser system. Microsoft, you see, was espousing a fundamentally different network model. Instead of having everyone log into a central machine, Microsoft wanted program components to be spread out so that applications could take advantage of the processing power on each machine in the network. This new paradigm was christened the <i class="emphasis">Distributed Network Architecture</i> (DNA). It sent some UNIX developers I know into conniptions.</p>
<table class="BlueLine" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td bgcolor="000080" class="bluecell"><font size="2" face="Arial" color="010100"><b><img src="_.gif" width="1" height="2" alt="End Sidebar" border="0"></b></font></td>
</tr>
</table>
</div>
<table class="BlankSpace" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td height="16"></td>
</tr>
</table>
<p class="para">Microsoft attempted to mainstream NT in an effort to appeal to a larger audience. The result of this attempt was Windows 2000, which was unleashed on the public in February of 2000. Windows 2000 was based heavily on the NT kernel, and it was originally referred to as Windows NT 5.0. However, Microsoft was still in the business of building and selling low-end operating systems belonging to the Windows 3.1/95/98 lineage. For example, in September of 2000, Microsoft released Windows Millennium Edition (ME), which was the next iteration of Windows 98.</p>
<p class="para">On October 25, 2001, Microsoft unveiled its latest incarnation of Windows: Windows XP. XP is intended to target both consumers and businesses. It also offers Microsoft the opportunity to merge the Windows 2000 product line with the Windows ME product line. The Windows XP kernel is an extension of the Windows 2000 kernel. So in a way, it is more of a descendant of NT, with extra driver support to offer the plug-and-play features of Windows ME.</p>
<p class="para">An abbreviated version of the family tree of Microsoft operating systems is displayed in <a class="internaljump" href="#ch02fig16">Figure 2.16</a>.</p>
<div class="figure">
<a name="228"></a><a name="ch02fig16"></a><span class="figuremediaobject"><a href="images/fig123%5F01%5F0%2Ejpg" NAME="IMG_38" target="_parent"><img src="images/fig123_01.jpg" height="265" width="350" alt="Click To expand" border="0"></a></span>
<br style="line-height: 1">
<span class="figure-title"><span class="figure-titlelabel">Figure 2.16</span></span>
</div>
<p class="para">Microsoft has historically made a point of jealously protecting their intellectual property. I am not making a judgment call, just stating a fact. The source code to Windows is carefully hidden away on a cluster of servers in Redmond. Only companies that Microsoft <a name="229"></a><a name="IDX-95"></a>judges as being "organizations that have a long-term commitment to Windows" are allowed to view the source code. This includes OEMs, like Compaq, that need to tweak Windows to run on their hardware. The marketing people at Microsoft like to make a big deal when OEMs come to Redmond to pick up their source code CDs. The OEMs typically fly to Redmond in a helicopter and are handed special suitcases that resemble something you might use to carry radioactive material. Considering that Microsoft pours billions of dollars a year into Windows, this is not a bad analogy. Those CDs are worth their weight in weapons-grade plutonium.</p>
<div class="sidebar" style="background-color:">
<a name="230"></a><a name="ch02usb02"></a>
<table class="BlueLine" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td bgcolor="000080" class="bluecell"><font size="2" face="Arial" color="010100"><b><img src="_.gif" width="1" height="2" alt="Start Sidebar" border="0"></b></font></td>
</tr>
</table>
<span class="sidebar-title"><b>
<center>ASIDE</center>
</b></span>
<p class="first-para">Microsoft has recently announced that it will share the source code to its .NET tool suite with academic programs throughout the United States. My guess is that this is a response to the growing popularity of Linux, which is currently the system of choice for research. UNIX gained a strong following among universities in the 1970s, back when Bell Labs gave its UNIX source code to computer science departments. These same 1970s students went out into the marketplace and made UNIX the dominant high-end player that it is today. The same could happen with Linux, and I think this scares Microsoft.</p>
<p class="para">On the other hand, what gains a stronghold at universities does not always gain a foothold in the real world. The RISC architecture is a darling in many academic programs, but unless you are looking at Apple PCs or high-end UNIX servers, you will be stuck with CISC. CISC is not going to die no matter<a name="231"></a><a name="IDX-96"></a> how much the professors want it to.</p>
<p class="last-para">Likewise, Microsoft is not going to die because Windows runs on CISC and the company knows how to support and document its products. Anyone who has an MSDN subscription knows that Microsoft's documentation is exhaustive and complete. This is more than I can say for the scattered collection of man pages, texinfo files, HOWTOs, and README files that you get with the typical Linux distribution. Bill Gates pours billions of dollars into Windows, and it shows.</p>
<table class="BlueLine" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td bgcolor="000080" class="bluecell"><font size="2" face="Arial" color="010100"><b><img src="_.gif" width="1" height="2" alt="End Sidebar" border="0"></b></font></td>
</tr>
</table>
</div>
<table class="BlankSpace" border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td height="16"></td>
</tr>
</table>
<p class="last-para">For the following discussion, I am going to focus on the Windows NT/2000/XP family of operating systems. This branch of the Windows family tree does a better job of isolating and protecting applications from each other and the kernel. What else would you expect from a guy like Dave Cutler? So when I refer to "Windows," I am talking about Windows NT/2000/XP and not 95/98/ME.</p>
<a></a>
</div>
<div class="section">
<h3 class="sect3-title">
<a name="232"></a><a name="ch02lev2sec22"></a>Memory Map Overview</h3>
<p class="first-para">Windows uses both the segmentation and paging facilities of the Pentium processor. This means that, like Linux and MMURTL, applications see the world in terms of a "fake" linear address space instead of an actual physical address space. Again, like Linux and MMURTL, the Windows 32-bit, 4GB linear address space is broken up into two sections. For normal, consumer-based versions of Windows, the kernel occupies the upper 2GB of linear memory (<span class="fixed">0x80000000</span> to <span class="fixed">0xFFFFFFFF</span>). Each user process gets its own private linear address region in the lower 2GB (<span class="fixed">0x0</span> to <span class="fixed">0x7FFFFFFF</span>). This layout of memory is displayed in <a class="internaljump" href="#ch02fig17">Figure 2.17</a>.</p>
<div class="figure">
<a name="233"></a><a name="ch02fig17"></a><span class="figuremediaobject"><a href="images/fig124%5F01%5F0%2Ejpg" NAME="IMG_39" target="_parent"><img src="images/fig124_01.jpg" height="156" width="350" alt="Click To expand" border="0"></a></span>
<br style="line-height: 1">
<span class="figure-title"><span class="figure-titlelabel">Figure 2.17</span></span>
</div>
<a name="234"></a><a name="IDX-97"></a>
<table border="0" cellspacing="0" cellpadding="0" class="note">
<tr>
<td valign="top" class="admon-check"></td><td valign="top" class="admon-title">Note </td><td valign="top" class="admon-body">
<p class="first-para">As I have mentioned before, 2GB of linear address space does not require 2GB of physical storage; it's more of a bookkeeping convention.</p>
</td>
</tr>
</table>
<p class="para">For applications that are memory intensive, like databases, there are versions of Windows (i.e., Windows 2000 Advanced Server and Windows 2000 Datacenter Server) that pack the kernel into the topmost gigabyte of linear address space so that the applications can have 3GB of linear address space. This feature is enabled via the following sort of entry in <span class="fixed">BOOT.INI</span> (a single line in the file):
</p>
<div class="informalexample">
<pre class="literallayout">
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000 Advanced Server" /3GB
</pre>
</div>
<div class="figure">
<a name="235"></a><a name="ch02fig18"></a><span class="figuremediaobject"><img src="images/fig125_01.jpg" height="247" width="299" alt="" border="0"></span>
<br style="line-height: 1">
<span class="figure-title"><span class="figure-titlelabel">Figure 2.18</span></span>
</div>
<p class="para">Windows is also able to take advantage of the PAE flag in CR4 that allows 36 address lines (i.e., 64GB) to be used instead of the normal 32. Naturally, Microsoft had to invent its own acronym so you would think they had invented it. The facility, in Windows, that allows a 32-bit application to use more than 2GB of physical memory is known as Address Windowing Extensions (AWE). In order to take advantage of AWE, one of the core kernel binaries has to be replaced. Specifically, the <span class="fixed">Ntoskrnl.exe</span> executable must be replaced by <span class="fixed">Ntkrnlpa.exe</span>. AWE is supported by all of the Windows 2000 implementations. It is enabled by the <span class="fixed">/PAE</span> switch in <span class="fixed">BOOT.INI</span>.</p>
<div class="informalexample">
<pre class="literallayout">
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000 Advanced Server" /PAE
</pre>
</div>
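<p class="para">As an added example (not code from the book), here is a small C parser for the kind of <span class="fixed">BOOT.INI</span> entry shown above. It records the <span class="fixed">/3GB</span> and <span class="fixed">/PAE</span> switches and derives the user/kernel boundary and the physical address width each implies; the struct and function names are my own. The boundary is the line a kernel-mode driver must check a user-supplied pointer against, and <span class="fixed">/3GB</span> moves it from <span class="fixed">0x80000000</span> to <span class="fixed">0xC0000000</span>.</p>

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Parsed form of one [operating systems] entry from BOOT.INI (struct is hypothetical). */
struct boot_entry {
    char arc_path[128];     /* e.g. multi(0)disk(0)rdisk(0)partition(2)\WINNT */
    char description[128];  /* quoted text shown in the boot menu */
    int  three_gb;          /* /3GB present: kernel packed into the top gigabyte */
    int  pae;               /* /PAE present: 36-bit physical addressing */
};

/* Case-insensitive match of an n-byte token against a switch name. */
static int token_is(const char *tok, size_t n, const char *sw)
{
    if (strlen(sw) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)tok[i]) != toupper((unsigned char)sw[i])) return 0;
    return 1;
}

/* Parse  arcpath="description" /SWITCH ...  into *e; 1 on success, 0 if malformed. */
int parse_boot_entry(const char *line, struct boot_entry *e)
{
    memset(e, 0, sizeof *e);               /* zero-fill also NUL-terminates the strings */
    const char *eq = strchr(line, '=');
    if (!eq || eq == line || (size_t)(eq - line) >= sizeof e->arc_path) return 0;
    memcpy(e->arc_path, line, (size_t)(eq - line));

    const char *q1 = eq + 1;               /* opening quote of the description */
    const char *q2 = (*q1 == '"') ? strchr(q1 + 1, '"') : NULL;
    if (!q2 || (size_t)(q2 - q1 - 1) >= sizeof e->description) return 0;
    memcpy(e->description, q1 + 1, (size_t)(q2 - q1 - 1));

    for (const char *p = q2 + 1; *p; ) {   /* whitespace-separated switches */
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        size_t n = (size_t)(p - start);
        if (token_is(start, n, "/3GB")) e->three_gb = 1;
        else if (token_is(start, n, "/PAE")) e->pae = 1;
    }
    return 1;
}

/* Highest user-mode linear address: 0x7FFFFFFF by default, 0xBFFFFFFF under /3GB.
   A driver validating a user-supplied pointer must respect whichever boundary is in force. */
uint32_t user_space_limit(const struct boot_entry *e) { return e->three_gb ? 0xBFFFFFFFu : 0x7FFFFFFFu; }

/* 1 if addr falls in the kernel's region of the 4GB linear space for this entry. */
int is_kernel_address(const struct boot_entry *e, uint32_t addr) { return addr > user_space_limit(e); }

/* Physical address width: 36 bits (64GB) with /PAE, otherwise 32 bits (4GB). */
int physical_address_bits(const struct boot_entry *e) { return e->pae ? 36 : 32; }
```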
<p class="para">Windows supports two rings of memory protection. The operating system runs in <i class="emphasis">kernel mode,</i> which is another way to say that it executes at privilege level 0x0. User processes execute at privilege level 0x3 (also called <i class="emphasis">user mode).</i> I bet you see a pattern developing <a name="236"></a><a name="IDX-98"></a>here. Both MMURTL and Linux used this same type of two-ring scheme so that the paging facilities of the Pentium could provide the bulk of memory management accounting work. MMURTL and Linux also make only minimal use of segmentation, seeing as how it is a somewhat redundant memory partitioning technology. I suspect that Windows will also eschew an involved segmentation approach in favor of using paging to divvy up memory. As we will see in the following section, my suspicions were correct.</p>
<p class="para">The operating system is the only real universally visible construct. Applications might be isolated from each other, each one in its own private 2GB linear address space, but they all see the operating system as occupying the bottom portion of memory. <a class="internaljump" href="#ch02fig19">Figure 2.19</a> displays the most common topography of the operating system's components.</p>
<div class="figure">
<a name="237"></a><a name="ch02fig19"></a><span class="figuremediaobject"><a href="images/fig126%5F01%5F0%2Ejpg" NAME="IMG_41" target="_parent"><img src="images/fig126_01.jpg" height="252" width="350" alt="Click To expand" border="0"></a></span>
<br style="line-height: 1">
<span class="figure-title"><span class="figure-titlelabel">Figure 2.19</span></span>
</div>
<p class="para">Some of the regions in <a class="internaljump" href="#ch02fig19">Figure 2.19</a> are not exact in terms of their starting and stopping range because some components of the operating system address space are dynamic. The really important thing to take from <a class="internaljump" href="#ch02fig19">Figure 2.19</a> is that the kernel's machine instructions are secluded in the basement of the operating system's linear address space. The remaining space is taken up by data structures of one form or another.</p>
<a name="238"></a><a name="IDX-99"></a>
<a></a>
</div>
<div class="section">
<h3 class="sect3-title">
<a name="239"></a><a name="ch02lev2sec23"></a>Windows and Segmentation</h3>
<p class="first-para">I don't have access to the full-blown source code distribution of Windows. However, I have lurked around in device driver header files shipped with the Windows 2000 DDK, and this is where I obtained my first lead with regard to how Windows manages its memory segments. This makes sense because device drivers, by their nature, access the kernel. In a header file named <span class="fixed">ntddk.h</span>, the following macros are defined:</p>
<a name="240"></a><a name="ch02table05"></a>
<table class="table" border="1">
<caption class="table-title">
<span class="table-title"><span class="table-titlelabel">Table 2.5</span></span>
</caption>
<thead>
<tr valign="top">
<th class="th" scope="col" align="left">
<p class="table-para">
<b class="bold">Macro</b>
</p>
</th><th class="th" scope="col" align="left">
<p class="table-para">
<b class="bold">Meaning</b>
</p>
</th>
</tr>
</thead>
<tbody>
<tr valign="top">
<td class="td" align="left">
<p class="table-para">KGDT_NULL</p>
</td><td class="td" align="left">
<p class="table-para">Null selector (points to vacant entry at start of GDT)</p>
</td>