Coldfire AGAIN

[HenryCase]

@thread

First of all, I'd like to thank those that have responded to my memory protection posts, I've got a lot to digest there, and will do ASAP. However, it is late so I'll concentrate on bloodline's post quoted below, as it seems the most concise.

I would also like to state that I think memory protection would be useful with Coldfire, especially if we want to move away from emulating every 68k instruction.

@bloodline

bloodline wrote:

HenryCase wrote:
My challenge is this. I have a program running which has got an important string "ABCDEF" stored in memory at real location "0x001" and virtual location "0x0FF". Using your knowledge of the Amiga's API architecture, I want you to try and corrupt this data. I am confident that whatever you suggest can be dealt with without breaking AmigaOS compatibility, so try and prove me wrong.

Task A Stores "ABCDEF" at 0x0FF.
Task A sends a message to Task B.
The message simply contains 0x0FF.
Task B looks at Address 0x0FF and it doesn't find "ABCDEF".

Reason:
0x0FF are two different Physical memory locations to the separate tasks. infact Task B might even have some code at its 0x0FF, or anthing!!!

The OS has no idea that Physical address 0x0001 has to be mapped to the same place in both tasks... in fact it might not even be possible to map that physical address to the same virtual address!

Neither of the Tasks can ever know the Physical address, as their 0x0001 is mapped somewhere else... different for each task!!!

So if I understand correctly you're saying that the data cannot be read by more than one task because the OS doesn't know how to share this information?

If I have understood correctly, allow me to use your example  but fix it with the MAU (yes I am still going to use that term to avoid confusion):

Task A requests to store "ABCDEF", the MAU stores it at location 0x0001 and passes back a pointer to that location through assigning a 'virtual memory space' 0x0FF.
Task A sends a message through the MAU to Task B to look at memory space 0x0FF.
Task B makes the request to look at address 0x0FF, the MAU does not see a reason to not show this information, and fetches the string "ABCDEF" to pass on to Task B.

So in terms of memory usage, what do you have? You have one location where the string is stored in memory, a simple look up table stored in memory that is controlled by the MAU, the MAU itself which provides this abstraction layer and offers opportunities to control memory usage, and the memory spaces used by the tasks.

The address 0x0FF can be called as many times as you want (please note this virtual memory value can only be assigned to one real memory space at a time), but each time the MAU will make a decision based on certain rules to determine whether that access is given. It will also be giving programs non overlapping memory spaces to run in.

Does this explanation help?

EDIT: Should also say that I intend to separate kernel commands from the kernel itself so that its commands go through the MAU too (obviously with a high level of privileges). I thought that was worth pointing out in case you thought I was intending to do MP with the standard design Amiga kernel.

[AeroMan]

Thanks for the explanation Bloodline,

One more question:


Would it be possible to treat memory under three different areas like this:

 1) System (system structures and stuff that wasn't previously allocated) - memory has no protection and everyone can see and modify it.

 2) Code (all of it...) - only system can play around with that. Let's sacrifice self modifyable code.

 3) Data (all allocated memory) - only tasks and sub tasks may modify it.

It is not perfect, but maybe it can improve a little bit the situation. ;-)

[AJCopland]

HenryCase wrote:
Task A requests to store "ABCDEF", the MAU stores it at location 0x0001 and passes back a pointer to that location through assigning a 'virtual memory space' 0x0FF.
Task A sends a message through the MAU to Task B to look at memory space 0x0FF.
Task B makes the request to look at address 0x0FF, the MAU does not see a reason to not show this information, and fetches the string "ABCDEF" to pass on to Task B.

The reason that won't work is that there are no "requests to look at address 0x0FF" it simply does it. Theres nowhere for you to "insert" a virtual->physical memory lookup.

On systems with an MMU the hardware itself does the work of changing the address but it does this in the programs _own_ virtual memory space. Which is what brings us back to the original problem that Bloodline and I have pointed out to you, i.e. that virtual memory is _private_ to that program/task/etc.

If your MMU just let everyone read and write into the same memory space then it wouldn't be much use as an MMU because you'd still have the same linear address space that we have NOW on the AmigaOS and so you'd have no memory protection!

Your description would give things virtual memory, but it would give everyone the same virtual memory and thus it wouldn't give anything that ran in that virtual memory any memory protection.

Nice try but the system you've described doesn't fix any existing programs.
The only solution to this is to run the older Apps in a sandbox as someone else suggested and NEW apps can be run in a system friendly way using the MMU to gain memory protection.

The trouble is that this requires a rewrite of AmigaOS because AmigaOS itself is one of the main offenders for doing this kind of direct manipulation.

I suggest that if you want to continue this discussion we start a new thread.

Someone actually had an interesting topic going on here about the ColdFire and I was getting the impression that new versions V4e and V5 of the cores might actually have the necessary supervisor stacks to run 680x0 code using the cf68klib.

@FrenchShark
That asm listing you dumped earlier on, what version of the CF core was it for that made it necessary for you to emulate the entire instruction set?

Andy

[biggun]

My 2 cents,

* Memory protection is nearly impossible to implement under the idea of AMIGA OS.

* That AMIGA OS does not require memory protection gives it a VERY BIG speed boost.

* To secure a system CPU based memory protection can help.
But the system can still be destroyed by BLITTER or bwrongly set up DMA channels berserking through your system.
To prevent this the OS needs to forbid the direct usage of Blitter or userspace Disk DMA. If you do this you will sacrifice a huge amount of performance.
=> This is 100% the opposite of the idea and spirit of the Amiga OS.

* I would like to point out that there are other ways to stabilize a system. 99% of crashed come from bad pointer arithmetic. You can try to reduce the harm cause by the bad pointer by enforcing memory protection (for a high cost) or you can use coding styles which will not cause this problem in the first place. A would like to point out that the Amiga Oberon programs did NEVER crash!

I agree that this topic has nothing to do with the Coldfire.
And that for continues discussion opening another thread makes good sense.

Someone actually had an interesting topic going on here about the ColdFire and I was getting the impression that new versions V4e and V5 of the cores might actually have the necessary supervisor stacks to run 680x0 code using the cf68klib.

Yes, this is true.

@FrenchShark
That asm listing you dumped earlier on, what version of the CF core was it for that made it necessary for you to emulate the entire instruction set?

FrenchShark, post looked very interesting.
I would like to know if he is interested in working together in this project?

[bloodline]

-Edit- @HenryCase I would be delighted to discuss these ideas with you, but as others have suggested please start a new thread, so we don't upset anyone :-)

Reply here:
http://www.amiga.org/forums/showthread.php?t=35580

HenryCase wrote:
@thread

First of all, I'd like to thank those that have responded to my memory protection posts, I've got a lot to digest there, and will do ASAP. However, it is late so I'll concentrate on bloodline's post quoted below, as it seems the most concise.

Actually, I think AJCopland's games console story is probably the easiest to understand...

I would also like to state that I think memory protection would be useful with Coldfire, especially if we want to move away from emulating every 68k instruction.

@bloodline

bloodline wrote:

HenryCase wrote:
My challenge is this. I have a program running which has got an important string "ABCDEF" stored in memory at real location "0x001" and virtual location "0x0FF". Using your knowledge of the Amiga's API architecture, I want you to try and corrupt this data. I am confident that whatever you suggest can be dealt with without breaking AmigaOS compatibility, so try and prove me wrong.

Task A Stores "ABCDEF" at 0x0FF.
Task A sends a message to Task B.
The message simply contains 0x0FF.
Task B looks at Address 0x0FF and it doesn't find "ABCDEF".

Reason:
0x0FF are two different Physical memory locations to the separate tasks. in fact Task B might even have some code at its 0x0FF, or anything!!!

The OS has no idea that Physical address 0x0001 has to be mapped to the same place in both tasks... in fact it might not even be possible to map that physical address to the same virtual address!

Neither of the Tasks can ever know the Physical address, as their 0x0001 is mapped somewhere else... different for each task!!!

So if I understand correctly you're saying that the data cannot be read by more than one task because the OS doesn't know how to share this information?

No, The OS can easily put in place measures to share data... Due to the design of AmigaOS, the OS cannot know what data needs to be shared. The systems put in place to provide this information at Exec's design phase were never enforced, and thus ignored... Not only by Developers but by the OS design team themselves!

If I have understood correctly, allow me to use your example  but fix it with the MAU (yes I am still going to use that term to avoid confusion):

The problem is CPU's don't come with MAUs... they come with MMUs :-(

Task A requests to store "ABCDEF", the MAU stores it at location 0x0001 and passes back a pointer to that location through assigning a 'virtual memory space' 0x0FF.

But what is an MAU? Is it a piece of hardware? If so how on earth does it work? Where do we get one from?

Is it a piece of software? If so, are you really suggesting that we trap every single memory access made by a program on the off chance that something written to memory might be need to be shared? This would be so slow as to make the whole system pointless.

Task A sends a message through the MAU to Task B to look at memory space 0x0FF.
Task B makes the request to look at address 0x0FF, the MAU does not see a reason to not show this information, and fetches the string "ABCDEF" to pass on to Task B.

I have pointed out, as far as Task B is concerned 0x0FF does not relate to the same memory as What Task A sees as 0x0FF. Each task has it's own Address space... With Memory protection, each task effectively has its own computer... It has its own OS, it's own CPU and it's own memory, no other tasks exist in its universe... that is why memory protection is so safe.

Think of the Address space as being an island (imagine that the island is divided into 9 equal squares, this gives us a good 3x3 mental image, like a noughts and crosses board), and the Task as a small man living on that island.  

The tasks can talk by sending messages... message in a bottle if you like!

In AmigaOS, Both Tasks (little men) live on the same Island, if Task A puts something in square one, then Task B can find that data in square one, since Square one is the same for both tasks.

With Memory Protection:
Each Task (little man), lives in it's own address space (on it's own little island). When Task A puts something in Square one on it's own island, that data doesn't magically appear in square one on Task B's island... In fact Task B probably has something different in square one! Neither Task can ever know the layout of each other's island.

The reason for this is the way AmigaOS is designed... In operating systems that have had Memory Protection from the start, the developers have had to make sure that data that needs to be shared is done so via Operating system mandated method. In AmigaOS this was never necessary, and thus Tasks do not provide the OS with the information it needs to allow memory to be shared.

So in terms of memory usage, what do you have? You have one location where the string is stored in memory, a simple look up table stored in memory that is controlled by the MAU, the MAU itself which provides this abstraction layer and offers opportunities to control memory usage, and the memory spaces used by the tasks.

What you are suggesting is a look up table that records every memory access on the off chance that it might need to be shared... Which is massively resource heavy undertaking... both CPU cycles and Memory... and even then HOW does the OS actually know that when Task B is referring to a particual memory location that it needs to be shared with another task? The tasks are no required by AmigaOS to let anyone know what they are up to!

What you are failing to see is that you can second guess what's going on because you know all sides of the equation... Task A and Task B only care about each other and expect to be able to mess around with each other's data structures. And the operating system (with memory protection) only cares about keeping tasks from messing around with each other's data structures.

With the design of AmigaOS there has never been the need to let the OS know that it's OK for task A to interfere with Task B... Thus no software has ever provided the OS with the information it needs to allow the tasks to Share Memory, in a Memory Protected environment.

The address 0x0FF can be called as many times as you want (please note this virtual memory value can only be assigned to one real memory space at a time), but each time the MAU will make a decision based on certain rules to determine whether that access is given.

But this is just it, programs written for AmigaOS do not provide enough information to the OS/MMU/MAU to allow it to make a decision as to what is shared and what is private.

It will also be giving programs non overlapping memory spaces to run in.

Does this explanation help?

EDIT: Should also say that I intend to separate kernel commands from the kernel itself so that its commands go through the MAU too (obviously with a high level of privileges). I thought that was worth pointing out in case you thought I was intending to do MP with the standard design Amiga kernel.

It's easy to design an OS with Memory Protection, there are numerous examples... what we have with AmigaOS is a system that has a 25 year development legacy of no Memory Protection, All existing programs assume this to be the case. You add memory protection and you have put them into a new environment that is no longer AmigaOS and they won't run.

[shoggoth]

In FreeMiNT (ok, I'm from the other side of the fence, sorry), it's possible to specify the level of protection for each process through dedicated flags in the program header. In practice, this means that you can flag two apps as belonging to "global" memory, causing them to share the same address space. These two applications can then access eachothers memory freely. (Ok, it's not considered perfectly clean, but it provides some degree of compatibility for older applications). Well behaved applications can run as "private", and their memory can't be touched nor can they touch other memory belonging to other processes.

Couldn't this approach be used in AmigaOS as well?

[bloodline]

shoggoth wrote:
In FreeMiNT (ok, I'm from the other side of the fence, sorry), it's possible to specify the level of protection for each process through dedicated flags in the program header. In practice, this means that you can flag two apps as belonging to "global" memory, causing them to share the same address space. These two applications can then access eachothers memory freely. (Ok, it's not considered perfectly clean, but it provides some degree of compatibility for older applications). Well behaved applications can run as "private", and their memory can't be touched nor can they touch other memory belonging to other processes.

Couldn't this approach be used in AmigaOS as well?

Reply in new thread!

http://www.amiga.org/forums/showthread.php?t=35580

[Einstein]

biggun wrote:
My 2 cents,

* Memory protection is nearly impossible to implement under the idea of AMIGA OS.

So apple fans don't regard MacOSX as Mac(OS) ?

* That AMIGA OS does not require memory protection gives it a VERY BIG speed boost.

What is the performance boost useful for when you will *not* use it for anything meaninful when slightest bug in any running task can destroy, say, the CD/DVD I was burning. Now it's (the CD/DVD) just useless and intended for the garbage can, and I'm now loading XP to do it the *safe* way, sheesh!

[/quote]* To secure a system CPU based memory protection can help.
But the system can still be destroyed by BLITTER or bwrongly set up DMA channels berserking through your system.
To prevent this the OS needs to forbid the direct usage of Blitter or userspace Disk DMA. If you do this you will sacrifice a huge amount of performance.[/quote]

Read my reply above.

=> This is 100% the opposite of the idea and spirit of the Amiga OS.

The spirit gets its rear end kicked by spiritless OSs!

* I would like to point out that there are other ways to stabilize a system. 99% of crashed come from bad pointer arithmetic. You can try to reduce the harm cause by the bad pointer by enforcing memory protection (for a high cost) or you can use coding styles which will not cause this problem in the first place. A would like to point out that the Amiga Oberon programs did NEVER crash!

It's like saying we don't need Police Departments, only if people behave than we could rid of'em have gain an economic boost, but unfortunately this is not reality.

I agree that this topic has nothing to do with the Coldfire.
And that for continues discussion opening another thread makes good sense.

Well, claims need to be answered, on spot, sorry about that.

[biggun]

Einstein wrote:

* I would like to point out that there are other ways to stabilize a system. 99% of crashed come from bad pointer arithmetic. You can try to reduce the harm cause by the bad pointer by enforcing memory protection (for a high cost) or you can use coding styles which will not cause this problem in the first place. A would like to point out that the Amiga Oberon programs did NEVER crash!

It's like saying we don't need Police Departments, only if people behave than we could rid of'em have gain an economic boost, but unfortunately this is not reality.

Your post clearly shows that you are NOT understanding the concept of AMIGA OS.


Memory protection on CLASSIC AMIGA is impossible and useless ! That's a fact which is obvious to those with some programming experience.
 
If you want to argue about useless things ok.
But please use another thread for this

[Einstein]

biggun wrote:


Your post clearly shows that you are NOT understanding the concept of AMIGA OS.

What makes you think that ? trust me I know enough to understand *one cannot just add MP to exec while leaving the (future) userland modules in the same condition*, seems you have not been reading my posts.

And FWIW, I have read Andrew Tanenbaums Modern Operating Systems. Lets not post strange replies out of frustration

Memory protection on CLASSIC AMIGA is impossible and useless ! That's a fact which is obvious to those with some programming experience.

Great, I just started programming an hour ago, happy now ? no more frustration ?
Yes MP on classic Amiga as in A500 is impossible as 68000 lacks a MMU, if you mean classic AmigaOS though (should have added "OS" in that case) then it's impossible also, unless you rewrite *and* sandbox the a whole environment including the applications (preferably UAE style if one wants to run HW banging stuff, note HW banging does not necessarily imply apps that bypass the OS at boot time, but those that does it *while in the OS*)
 

If you want to argue about useless things ok.
But please use another thread for this

What useless things ? the only thing useless is AmigaOS ' glorified performance BS and your ridiculous claims.

[biggun]

Its not about glorifying. Its about facts!

For "proper" protection you need to sandbox and abstract all and everything.

This means no direct access to Blitter or any HW anymore!

This is the opposite direction of the original AMIGA and the NATAMI or Coldfire designs.

Asking for memory protection makes only sense for people and systems that are willing to trade a lot of performance for abstraction.

Full memory protection => No more direct access to blitter.
A Coldfire with SuperAGA will be very fast but
if you ask for MP then you it will crawl.

Please understand that Coldfire and MP are mutually exclusive.
If you want to argue for MP DON'T do it in the Coldfire thread.  

[Einstein]

biggun wrote:

Its not about glorifying.
Its about facts.

I don't consider an airplane elegant if something as small as a fly sneezes at it causing the plane to go down taking all the passengers with it.

For "proper" protection you need to sandbox and abstract all and everything.

This means no direct access to Blitter anymore!

Yup, thats one of the points.

This is the opposite direction of what NATAMI or Coldfire design.

The issue isn't what NATAMI project wants to achieve, it can be a refrigerator as far as I'm concerned, my "useless" posts were simply aimed at a claim.

A Coldfire with SuperAGA will be very fast but
if you ask for MP then you it will crawl.

I'm not asking anything regarding ColdNAT, read above.

Please understand that Coldfire and MP are mutually exclusive.
If you want to argue for MP DON'T do it in the Coldfire thread.

Just counter arguments to your claims. If you claim something you cannot seriously demand not to receive a reply, are you kidding me ?

And please stop typing in bold, there you have a useless action.

Thank you, and good luck with your project.

[AJCopland]

biggun wrote:

Someone actually had an interesting topic going on here about the ColdFire and I was getting the impression that new versions V4e and V5 of the cores might actually have the necessary supervisor stacks to run 680x0 code using the cf68klib.

Yes, this is true.

Have you got your developer board yet so that this could be tested in some way? I'm not initially interested in the performance merely in the compatibility of the actual V4e/V5 cores. Speed can come later for me, I doubt that at 266MHz it'll be much slower than an 040/40.

For speed, for the games that won't run or are just unplayable then I'd be willing to learn ColdFire/68k asm again just to contribute WHDLoad based fixes! :-D
(I can already do some MIPS and x86 but it's been almost 15 years since I did any serious 68k! :-o )

@FrenchShark
That asm listing you dumped earlier on, what version of the CF core was it for that made it necessary for you to emulate the entire instruction set?

FrenchShark, post looked very interesting.
I would like to know if he is interested in working together in this project?

Yeah I'm curious about what the listing was for if the core is now meant to be so close to being compatible.
I hasten to add that I'm not saying it isn't necessary I'm just wondering what it is that makes full emulation of the 68k necessary on the coldfire.

Andy

[AeroMan]

@ biggun

  Some posts ago, before the discussions about MP and related stuff, I´ve made a post asking about the feasibility to preview the use of many Coldfires connected together to speed up the things....
  The idea is to make it scalable, so it could go from a really small and cheap device up to a desktop with some software compatibility between then
  Do you think it is possible ? (please, check my post...)

[bloodline]

AeroMan wrote:
@ biggun

  Some posts ago, before the discussions about MP and related stuff, I´ve made a post asking about the feasibility to preview the use of many Coldfires connected together to speed up the things....
  The idea is to make it scalable, so it could go from a really small and cheap device up to a desktop with some software compatibility between then
  Do you think it is possible ? (please, check my post...)

I don't think Coldfire has support for Multiprocessing, so you'd have to build some complex arbitration hardware and software... Certainly AmigaOS doesn't support multiprocessor environments...

[FrenchShark]

@BigGun, AJCopland

Hello,

the software is intended for the 5282 coldfire which has a USP and SSP like the V4 even if it is a V2 core.
The CPU only has 60 MIPS of computing power.

My idea is to emulate all the instructions for maximum compatibility and to rewrite the OS in native ColdFire.
Then, the memory must be divided in two : one part for 68k application (running with the emlator), one part for the CF application. The CF and 68k areas are created by using the special debugging registers, no need for an MMU.
I already rewrote exec.library and partly timer.device in native ColdFire (exec multitasking needs timer to work).
As I said in some previous posts, the biggest issue seems to be the non-atomic access with a CF to IDNestCnt (TDNestCnt is not an issue since it is updated by the taskswitching routine).

I do not want to take any commitment about helping since I do not have a lot of time.

I am also doing some FPGA development, I have a nice idea to make a killing 2D video pipeline with up to 8 independant layers, colorspace conversion, fully configurable DMA scheduler, etc...

Regards,

Frederic