Memory Management: Paging

.
The memory management unit allows each process to have its own address space. Each
process has its own page table, so the same virtual address can exist in her two different page
frames in two different processes. The operating system manages page tables for each process.
During a context switch, the operating system must notify the processor's memory management
unit that it should use a different page table. This is done by modifying the page table base
register (the register containing the starting address of the page table).

Each page table entry, in addition to storing the corresponding page frame, contains
various page table entries indicating whether the page is valid (whether there is a corresponding
page frame) and how the page is accessed (read only, execute, only). It can also store flags.
Whether the page was accessed or modified (in kernel mode).

There are generally two optimizations in the memory management unit. One optimizes seek time and the other
optimizes the space used by the page table.
1. If each address translation requires a page table lookup, memory access performance is twice as slow because the
page table must be read in addition to accessing the desired memory location. This overhead is reduced by translation
lookaside buffers (TLBs) that cache frequently used page table entries in associative memory.
2nd Most processes use only a small portion of the available virtual address space, resulting in large areas of page
tables that contain no entries. Hierarchical structures are often used to help manage the size of the page table. Virtual
address page bits are divided into two parts. The high bit defines the offset into the topmost index table. This index
table contains the base register of the partial page table. The low order bits of the page bits define the offset within this
partial page table.

Logical and physical addressing modes

Most processors support two modes of operation: a virtual addressing mode, which uses address translation by the
memory management unit, and a physical addressing mode, which bypasses the MMU. In this latter mode, each
memory reference is a reference to an actual physical memory location within the memory system. Since the page
tables are not yet set up, the CPU boots in physical addressing mode on power up. The system normally remains in
physical addressing mode while the operating system is loading and running to initialize the page tables. The
operating system then switches the processor to virtual addressing mode.

System memory map

In current operating systems, the memory view is divided into two logical regions: kernel
memory and process memory. Kernel memory is memory reserved for the operating system
kernel's code, data, and stack. Its position in the virtual address space remains constant and is
usually at the top of the address space. On 32-bit Linux systems, kernel memory is configurable
(PAGE_OFFSET) and is typically set in the top 1 GB of the address space. On Microsoft
Windows 7 systems, the top 2 GB of address space is mapped to kernel memory on 32-bit
systems (8 TB on 64-bit systems).

process memory represents the remaining address space and is available for user processes. In
physical memory, page frames are allocated to various processes. Virtual memory, on the other
hand, looks at memory in terms of the context of the process. The view of memory is defined by
a process's page table, which contains a mapping to the pages associated with that particular
process and a mapping to the kernel. If a mode switch is caused by a

interrupt or system call, the current page table is unchanged. A mode switch is occurring, not a
context switch. Execution is transferred to the kernel and memory can be accessed as needed in
the context of the process that spawned the mode switch. Page tables are typically set up to
disallow user-mode execution access to regions of the address space that are mapped into
kernel memory.

Most memory management units allow kernel-only permissions to be set on pages.

Page allocator and kernel memory management

Under virtual memory, processes are free to use non-contiguous pages as they need more and more memory. Memory
management unit (MMU) page tables can be made to appear contiguous by contiguous virtual address space. On the
other hand, the kernel may require physically contiguous memory buffers.

The Linux operating system maintains an array named free_area that contains a list of free pages. The first element of
the array is a list of free single-page regions. The second element is a list of free two-sided regions (adjacent free
faces). The third element is a list of free rectangular regions. etc The

buddy algorithm is a memory allocation and management algorithm that manages memory in powers of two. This
brief description shows only a basic list of blocks of free memory chunks. Buddy algorithm; there are some variations
to it. A list of blocks of free memory blocks.

ARMv7A MMU Architecture

ARM is a 32-bit reduced instruction set computer (RISC) architecture developed and owned
by ARM Holdings. The processors are licensed to manufacturers who may augment them with
custom DSPs (digital signal processors), radios, or graphics processors. The processors are used
in most cell phones and gaming consoles. The ARMv7-A architecture that we'll be examining is
present in the Cortex-A8 and Cortex-A9 processors. The Cortex-A8 is used in Motorola Droid
phones, the iPad, and the iPhone (3GS and 4), among numerous other devices. The Cortex-A9
is used in Apple's A5 processor that powers the iPad 2. Recent previous generations of ARM
processors are not significantly different in terms of their MMU architecture so much of this
discussion can apply to them as well. References to the ARM processor, MMU, or ARM
architecture in the rest of this section will refer to the ARMv7-A architecture.

Figure 1. ARM sections and pages

Sections and pages

The ARM MMU supports fourpage sizes. The largest sizes are called sections and the smaller
sizes are called pages:
Supersections: 16 MB memory blocks (24-bit offsets)
Sections: 1 MB memory
blocks (20-bit offsets)
Large pages: 64 KB pages (16-bit offsets)
Small pages: 4 KB pages (12-bit offsets)
first-level table containseither a pointer to a second-level tables (partial page
tables) or a base address of a section or a supersection. Hence, if we use the really
big pages — sections and supersections — then we don't have to go through two
levels of hierarchy. The benefit of sections and supersections is that you can have
a large region of memory, such as the operating system, mapped using just a
single entry in the TLB.
The MMU can be configured to use either small or large pages as well as sections
or supersections. Sections (or supersections) can be mixed together with pages.
Just because the architecture supports mapping blocks of several different sizes
does not mean that the operating system will use the capability. Doing so
introduces the problems associated with variable size partitions that we discussed
earlier. However, even if this is not used for general-purpose memory
management, it makes a lot of sense for mapping the operating system address
space efficiently Translation Lookaside Buffers (TLB)
The ARM has two levels of TLBs. The smallest and fastest is the MicroTLB. There is a
MicroTLB for the instruction and data sides of the CPU (instruction fetches uses one
MicroTLB while data read/write operations use the other). The MicroTLB can store 32 entries
[2]. The cache is fully associative and can perform a lookup in one clock cycle. Hence, there is
no performance penalty for any memory references that are satisfied by the MicroTLB. The
architecture supports the use of an address space identifier (ASID) to allow the operating
system to identify one process' address space from another's without flushing the cache. Entries
can also be tagged as global; so that they are shared among all address spaces. This is, of
course, useful for mapping the memory regions used by the operating system. Each entry
contains a number of protection bits and these are checked at each address lookup. If the
protections disallow the requested memory operation (e.g., no-execute or read-only) then the
MMU will signal a Data Abort, which will cause a trap. On a cache miss, the replacement
algorithm may be selected to be either round-robin (the default) or a random replacement.
The second-level TLB is called the Main TLB. It catches any cache misses from the
microTLBs. There is only one of these per processor, so it handles misses from both the
dataside and instruction-side MicroTLBs. The cache comprises eight fully associative entries,
which are fast and may also have their contents locked (i.e., they will not be replaced). It also

Figure 2. ARM memory translation

The operating system, in addition to locking the TLB entries, has to ensure that the
corresponding page frames stay locked in memory as well.
Figure 2 illustrates the full set elements that come into play for memory translation:

1. The first step is a MicroTLB lookup. An instruction fetch accesses the Instruction
MicroTLB and a data read/write operation accesses the Data MicroTLB. If this lookup
yields a match then the access permission in the page table entry are validated. If the
request does not have proper permissions then a trap is generated (Data Abort signal).
Otherwise, the memory access takes place. If the lookup yields no match then we
continue to step 2.

2. If the MicroTLB lookup yielded a cache miss then we consult the Main TLB. The process
is the same as with the MicroTLB. If there is a match for the requested page and the
 permissions pass then the memory access is performed. If the lookup yields no match
then we continue to step 2.

3. The final step is to consult the page table(s) in memory.

4. The first-level table is checked first. The system supports two first-level tables. High-
order bits of the virtual address determine which one to use. The base of the table is
stored in one of two base registers (TTBR0 or TTBR1), depending on whether the
topmost n bits of the virtual address are 0 (use TTBR0) or not (use TTBR1). The value
for n is defined by the Translation Table Base Control Register (TTBCR). Why this extra
complexity? This allows one to have a design where the operating system and memory-
mapped I/O are located in the upper part of the address space and managed by the page
table in TTBR1 and user processes are in the lower part of memory and managed by the
page table in TTB0. On a context switch, the operating system has to change TTBR0 to
point to the first-level table for the new process. TTBR0 will still contain the memory
map for the operating system and memory-mapped I/O. The page table defined in
TTBR0 encompasses memory that is common to all processes.
Looking up an address via in-memory page tables is called a translation table
walk since it may involve going through a hierarchy of tables. With the ARM MMU, this
is a one-step direct mapping via the first-level page table if sections the entry refers to a
section or else a two-step process if the entry refers to a page. With sections, the physical
base address is stored in the page table entry of the first-level table. With pages, the page
table entry contains the address of the second-level table.

Intel IA32 and x8664

The Intel architecture quickly became the dominant PC architecture after the introduction of the IBM PC in 1981 using
Intel's 8088 processor (a 16-bit processor with an 8-bit external data bus). A range of Intel and other compatible
(AMD, VIA, etc.) processors followed, all supporting the same instruction set. The architecture evolved to 32-bit and
then 64-bit on the 80386 while maintaining backward compatibility with previous instruction sets. The early
8086/8088 architectures were strictly segmented architectures with no memory access protection or privileged
execution modes. The IA-32 architecture (Intel Architecture, 32-bit) refers to the instruction set architecture of Intel
processors from the 80386 to today's Atom processors, supporting a dual segmentation/paging model. Intel's 64-bit
Itanium processors with the IA-64 architecture broke this compatibility and failed to achieve commercial success.
AMD, on the other hand, extended his IA-32 instruction set to 64-bit, creating the x86-64 instruction set architecture
adopted by Intel after the Itanium failure. The x86-64 architecture offers several backward compatibility modes for
running IA-32 software. In this section, we consider highlights of the IA-32 and x64 MMU architectures.Segmented
memory model
In this model, memory is represented as a series of independent address spaces called segments (code segment, data
segment, stack segment, etc.). A logical address is a combination of a segment selector and an offset (the address
within the segment). Certain segments are dedicated to specific operations (code, stack, etc.), but the processor
supports 16,383 segments, each of which can address up to 232 bytes (4GB). A full memory address, called a far
pointer, is a 16-bit segment descriptor and a 32-bit offset within the segment.Real mode
This is the legacy 8086 segmented memory model. Segments can be up to 64 KB in size
(16bit addresses within a segment) and the maxiumum address space is limited to 2 20 bytes
(1 MB). This is the mode used by the PC BIOS.
Figure 3. IA­32 Combined Segmentation & Paging

The IA-32 architecture supports a combined segmentation and paging model (figure 2).
There are two tables of segments. Each contains base addresses of up to 8,191 segments. the
Local Descriptor Table (LDT) contains segment information that is private per process. The
Global Descriptor Table (GDT) contains segment information that is shared among all
processes (e.g., segments into the operating system). The segment selector, which comprises 16
bits of a "far pointer", is an index into these tables. To select a segment, the selector is loaded
into a segment register. Also, every instruction that references memory has an implicit segment
register, which can be overridden by adding a segment prefix before the machine instruction.

The value of the segment selector automatically selects the GDT (shared) or LDT (private).
This combined model uses segmentation to generate a linear address. This linear address is
then treated as a virtual address and is translated by the paging logic of the MMU through a
two-level page table hierarchy.
The paging logic can be disabled if it is not needed. If segment descriptors contain 0, they
effectively set the base address of a segment to 0, making every memory reference a linear one.
Thus, you can effectively use either paging or segmentation or both.

IA32 segmentation
Each entry in the GDT contains not just the base address of a segment but also a number of
flags that define segment attributes:
S flag: Is this a code or data segment?
Accessed: Has the segment been accessed since the last time the OS cleared this bit?
Dirty: Has the page been modified since the last time the OS cleared this bit?
Data/write-enable: Is the segment read-only or read/write?
Data/expansion direction: Normally, changing the segment limit (size) causes
space to be added to the top of the segment. This changes the expansion direction
downward, causing space to be added at the bottom of memory. This was designed for
stacks.
Code/execute-only or execute/read: If this is a code segment, can the memory be
read as data or just executed?
Conforming: If the code is tagged as conforming then execution can continue even if
the privilege level is elevated.

IA32 paging
The paging logic uses a 32-bit logical address space to create either a 52-bit or a 36-bit physical
address, addressing up to either 4 petabytes or 4 gigabytes of memory. 52-bit addressing is
enabled via the Physical Address Extension (PAE) mechanism. However, a process can access
only a 4 GB address space at any time. The 36-bit address space is enabled via the Page Size
Extension (PSE-36). The paging architecture supports 4 KB or 4 MB pages.

Intel 64bit mode

Segments are fully supported in IA-32 emulation mode but are generally disabled in 64-bit
mode. Intel 64-bit mode supports three paging modes:
32-bit paging
This mode supports 32-bit virtual addresses and generates 32-40 bit physical addresses using
either 4 KB or 4 MB
pages. With 4 KB
pages (figure 4), a 2-
level page table
hierarchy is used.
The CR3 register
points to the top-
Figure 4. IA-
32 Paging with 4 KB
pages level table,
called
the page directory. It contains 1024 page directory entries (PDEs) and is indexed by
the top 10 bits of the linear address. Each page directory entry contains the base address of a
partial page table that is indexed by the next 10 bits of the linear address. This table contains
the page table entry (PTE) that contains the top 20 bits of the physical address. The bottom
12 bits are obtained from the linear (virtual) address and are the offset into the page frame.
With 4 MB
pages (figure 5), a
single paging table
is used. The CR3
points to the page
table, which
contains 1024
entries and is
indexed by the top
10 bits of the linear
address. Each entry
Figure 5. IA32 Paging with 4 MB pages in the page directory contains the page table
entry, which contains the top 18 bits of a 40 bit physical address. The bottom 22 bits are
the obtained directly from the linear address and are the offset into a 4 MB page frame.

* * *
PAE
The PAE mode emulates the Physical Address Extension mode of the IA-32 architecture. It
uses 32-bit virtual
addresses and
generates up to
52bit physical
addresses using
either 4 KB or 2 MB
pages.
With 4 KB
pages (figure 6), the
Figure 6. PAE Paging
with 4 KB pages
MMU uses a three-
level page table
hierarchy is used to
map a 32-bit virtual address to a 52-bit physical address. The topmost table is a 4-entry page
directory pointer table (PDPT) that is indexed by the top two bits of the virtual address.
An entry in the PDPT points to a partial page directory that is indexed by the next 9 bits (512
entries per partial page directory). The page directory points to a partial page table, which is
indexed by the next 9 bits (also 512 entries per partial page table). A PTE contains the top 40
 bits of the physical address. The bottom 12 bits are the obtained directly from the linear
address and are the offset into a 4 KB page frame.

* * *
IA-32e paging

Figure 7. IA32e Paging with 4 KB pag

This mode uses 48-bit virtual addresses andgenerates up 52-bit physical addresses using
either 4 KB, 2MB, or 1 GB pages. A 52 bit address
space can address 4096 terabytes of physical memory, which is considerably more than any
systems in the near future are likely to have [
The most complex is IA-32e paging with 4 KB pages (figure 7). This employs a fourlevel page table
hierarchy. The 36 high-order bits of the 48-bit virtual address are split into chunks of 9 bits each
and each offset 512-entry table that contains a pointer to the next table. The final table contains a
page table entry with a 40-bit address that is joined with 12
bits of the page frame offset from the virtual address.

Figure 9. IA32e Paging with 1 GB pages

By increasing the page size to 2MB, we reduce the number of pages the system needs to
manage by a factor of 512. This allows the MMU to use one less Figure 8. IA32e Paging with 2
MB pages level of hierarchy in the page table structure (figure 8). With 2 MB pages, three
levels of the hierarchy are used.By further increasing the page size to a whopping 1 GB, the
page table is reduced to a twolevel hierarchy with a 512entry table containing base addresse
of 512-entry partial page tables (figure 9).
Translation Lookaside Buffers (TLBs)
The structure of the TLB is similar across Intel processors, but the sizes of the caches differ. Let's take the Intel Core i7
as an example. Like the ARM MMU, the TLB has two levels. Each core's instruction and data pages maintain a TLB
containing 128 entries for instructions and 64 entries for data. It is super fast, fully associative, and allows same-cycle
main memory accesses. The second level TLB is much faster than moving to main memory, is consolidated across
cores, and contains 512 page table entries.

Demand paging
It’s not uncommon for the virtual address space to be bigger than the physical
address space. A process typically uses only a small fraction of the virtual
address space and the operating system needs to map only the parts that are
used into physical memory (page frames). What if this isn’t the case? What if a
process needs to use more memory than is available on the system? Or, since we
have a multitasking environment where we time slice execution among multiple
processes, what if the memory requirements of all of our processes are greater
than the physical memory on the system? In this case, we will have to save some
pages onto the disk and bring them back later when we need them.
Demand paging is an approach to memory management where we load pages into
memory only as they are needed by the process.
The valid/invalid bit in a page table entry (PTE) tells the memory management unit whether a
specfic page is mapped into physical memory ("valid") or is not ("invalid"). An attempt to acces
an invalid page will cause the MMU to generate a page fault. If a page is not mapped to
memory, that means that it is either an invalid (unallocated, out-of-bounds) region of the
process' address space or that it is a valid region that is not currently resident in main memory.
The operating system has to determine which one of these cases holds. The page fault handler
performs the following actions:

1. Check the memory map in the process control block for that process to see if the memory
access was indeed valid (versus out of bounds or dereferencing a null pointer)

2. If the address was not valid, terminate the process.

3. If the address was valid, we need to bring the page in:

A page that corresponds to a text or data region of memory will be read

from the program file on the disk.

New stack and heap pages have no contents will not require reading
contents from the disk.

If the page maps to an existing stack or heap region and was saved onto
the disk in the past because we didn't have enough pages, it will be read from a page
file on the disk.

4. Find a free frame in memory.

5. Schedule a disk read to bring the page to the frame.

6. Context switch, since we need to wait for the contents to be read. This, of course is not
needed for newly-allocated pages.

7. When the disk read is complete, modify page table for the process. The page table entry
will now be flagged as valid and will contain the address of the page frame into which we
read the page.

8. Restart the instruction that generated the fault.

Cost of paging from a disk

A disk is much, much slower than memory, so reading a page from a disk does not come
without a performance burden. To get a very rough idea of just what this burden is, we can
consider a few numbers. A memory access takes approximately 100 nanoseconds. Handling a
page fault exception may take around 400 microseconds. That's a 4,000x penalty just for
handling the trap associated with the page fault, not counting the disk operation to get the data.
A disk seek and read may take around 10 milliseconds. That's around 100,000 slower than a
memory access!
Clearly, page faults are things we would like to avoid whenever possible. Given the
100,000fold performance penalty, if we want to ensure that our application does not degrade
in performance by over 10%, we need to hope that we have no more than one page fault per
million memory accesses.

Page replacement
1. Ideally, the operating system would have many unused page frames, and the page fault
handler would pick one of them, load the page, and map it into the requesting process's
page table. What if all the page frames are in use by the process? In this case, we need to
replace the pages in memory with the pages on disk. The order of operations is as
follows:Pick a page to evict.
2. Save the contents of the page onto the paging file on the disk if the page has been
modified (the dirty bit in the page table entry is set). If the page has not been modified
(e.g., it's a static data or code page) then we can always re-read it from the program file.

3. Change the page table for the process whose page we evicted to show that the
corresponding page is no longer valid.

What we don't want to do is evict a page that is likely to be used again because then we'll have to
go through the same sequence of operations just to get it back. We need a good page
replacement policy to ensure that we can still maintain good performance. Let's examine a few
replacement policies.

FIFO (First In, First Out) replacement

Common sense may tell us that this is a good algorithm. The oldest memory pages are likely to
be a program's initialization code that is no longer needed. Unfortunately, some of these early
("first in") pages may contain frequently-used libraries or global variables. Getting rid of these
pages is definitely something we don't want to do.

Least Recently Used (LRU)

What you really want to do is select the least recently used pages, assuming they are least
likely to be reused. This allows you to distinguish between pages containing important recently
used libraries and pages containing initialization code (least used), even if they are older than
other pages. To implement LRU, each page must be timestamped on each access. If you need to
delete a page, find the page frame with the oldest timestamp..

References

Understanding the Linux Virtual Memory Manager

(http://ptgmedia.pearsoncmg.com/images/0131453483/downloads/gorman_book.pdf) , Mel
Gorman, 2004 Prentice Hall.
John R. Levine, Linkers and Loaders (http://www.iecc.com/linker/), Morgan-Kauffman,

October 1999, ISBN 1-55860-496-0. Linkers and Loaders (http://www.iecc.com/linker/),

John R. Levine
Intel Software Developer's Manual (Download site)

(http://www.intel.com/products/processor/manuals/)
(http://www.intel.com/products/processor/manuals/)

(http://www.intel.com/products/processor/manuals/) ARM1176JZ-S Technical Reference

Manual (http://infocenter.arm.com/help/index.jsp?
topic=/com.arm.doc.ddi0333h/index.html) , Revision r0p7, Chapter 6: Memory
Management Unit.
(pdf version
(http://infocenter.arm.com/help/topic/com.arm.doc.ddi0333h/DDI0333H_arm1176jzs_r0p7_trm.pdf) )

Physical Address Extension (http://en.wikipedia.org/wiki/Physical_Address_Extension) ,

Wikipedia article
x86-64 (http://en.wikipedia.org/wiki/X86-64), Wikipedia article
Four-level page tables merged (http://lwn.net/Articles/117749/) , LWN.net article Also, see:
4level page tables merged into mainline (http://lwn.net/Articles/117783/), LWN discussion
Anatomy of a program in memory(http://duartes.org/gustavo/blog/post/anatomy-of-a-
program-in-memory) , Gustavo Duarte, Jan 2009.

© 20032012 Paul Krzyzanowski. All rights reserved.

For questions or comments about this site, contact Paul Krzyzanowski, webinfo@pk.org
The entire contents of this site are protected by copyright under national and international law. No part of this site may be copied, reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means whether electronic, mechanical or otherwise without the prior written consent of the copyright holder. If there is
something on this page that you want to use, please let me know.
Any opinions expressed on this page do not necessarily reflect the opinions of my employers and may not even reflect mine own.
Last updated: February 3, 2012