1 @node Project 2--User Programs, Project 3--Virtual Memory, Project 1--Threads, Top
2 @chapter Project 2: User Programs
4 Now that you've worked with Pintos and are becoming familiar with its
5 infrastructure and thread package, it's time to start working on the
6 parts of the system that allow running user programs.
7 The base code already supports loading and
8 running user programs, but no I/O or interactivity
9 is possible. In this project, you will enable programs to interact with
10 the OS via system calls.
12 You will be working out of the @file{userprog} directory for this
13 assignment. However, you will also be interacting with almost every
14 other part of the code for this assignment. We will describe the
17 You can build project 2 on top of your project 1 submission or you can
18 start with a fresh copy. No code from project 1 is required for this
19 assignment. The ``alarm clock'' functionality may be useful in
20 projects 3 and 4, but it is not strictly required.
23 * Project 2 Background::
24 * Project 2 Suggested Order of Implementation::
25 * Project 2 Requirements::
27 * 80x86 Calling Convention::
30 @node Project 2 Background
33 Up to now, all of the code you have run under Pintos has been part
34 of the operating system kernel. This means, for example, that all the
35 test code from the last assignment ran as part of the kernel, with
36 full access to privileged parts of the system. Once we start running
37 user programs on top of the operating system, this is no longer true.
38 This project deals with consequences of the change.
40 We allow more than one process to run at a time. Each process has one
41 thread (multithreaded processes are not supported). User programs are
42 written under the illusion that they have the entire machine. This
43 means that when you load and run multiple processes at a time, you must
44 manage memory, scheduling, and other state correctly to maintain this
47 In the previous project, we compiled our test code directly into your
48 kernel, so we had to require certain specific function interfaces within
49 the kernel. From now on, we will test your operating system by running
50 user programs. This gives you much greater freedom. You must make sure
51 that the user program interface meets the specifications described here,
52 but given that constraint you are free to restructure or rewrite kernel
53 code however you wish.
56 * Project 2 Source Files::
57 * Using the File System::
58 * How User Programs Work::
59 * Virtual Memory Layout::
60 * Accessing User Memory::
63 @node Project 2 Source Files
64 @subsection Source Files
66 The easiest way to get an overview of the programming you will be
67 doing is to simply go over each part you'll be working with. In
68 @file{userprog}, you'll find a small number of files, but here is
69 where the bulk of your work will be:
74 Loads ELF binaries and starts processes.
78 A simple manager for 80@var{x}86 page directories and page tables.
79 Although you probably won't want to modify this code for this project,
80 you may want to call some of its functions.
84 Whenever a user process wants to access some kernel functionality, it
85 invokes a system call. This is a skeleton system call
86 handler. Currently, it just prints a message and terminates the user
87 process. In part 2 of this project you will add code to do everything
88 else needed by system calls.
92 When a user process performs a privileged or prohibited operation, it
93 traps into the kernel as an ``exception'' or ``fault.''@footnote{We
94 will treat these terms as synonymous. There is no standard
95 distinction between them, although Intel processor manuals define
96 them slightly differently on 80@var{x}86.} These files handle
97 exceptions. Currently all exceptions simply print a message and
98 terminate the process. Some, but not all, solutions to project 2
99 require modifying @func{page_fault} in this file.
103 The 80@var{x}86 is a segmented architecture. The Global Descriptor
104 Table (GDT) is a table that describes the segments in use. These
105 files set up the GDT. @strong{You should not need to modify these
106 files for any of the projects.} You can read the code if
107 you're interested in how the GDT works.
111 The Task-State Segment (TSS) is used for 80@var{x}86 architectural
112 task switching. Pintos uses the TSS only for switching stacks when a
113 user process enters an interrupt handler, as does Linux. @strong{You
114 should not need to modify these files for any of the projects.}
115 You can read the code if you're interested in how the TSS
119 @node Using the File System
120 @subsection Using the File System
122 You will need to use some file system code for this project. First,
123 user programs are loaded from the file system. Second, many of the
124 system calls you must implement deal with the file system. However,
125 the focus of this project is not on the file system code, so we have
126 provided a simple file system in the @file{filesys} directory. You
127 will want to look over the @file{filesys.h} and @file{file.h}
128 interfaces to understand how to use the file system, and especially
129 its many limitations. @strong{You should not modify the file system
130 code for this project.} Proper use of the file system routines now
131 will make life much easier for project 4, when you improve the file
132 system implementation. Until then, you will have to put up with the
133 following limitations:
137 No synchronization. Concurrent accesses will interfere with one
138 another. You should use a global lock to ensure that only one process at a
139 time is executing file system code.
142 File size is fixed at creation time. The root directory is
143 represented as a file, so the number of files that may be created is also
147 File data is allocated as a single extent, that is, data in a single
148 file must occupy a contiguous range of sectors on disk. External
149 fragmentation can therefore become a serious problem as a file system is
156 File names are limited to 14 characters.
159 A system crash mid-operation may corrupt the disk in a way
160 that cannot be repaired automatically. There is no file system repair
164 One important feature is included:
168 Unix-like semantics for @func{filesys_remove} are implemented.
169 That is, if a file is open when it is removed, its blocks
170 are not deallocated and it may still be accessed by any
171 threads that have it open until the last one closes it. @xref{Removing
172 an Open File}, for more information.
175 You need to be able to create simulated disks. The
176 @command{pintos-mkdisk} program provides this functionality. From the
177 @file{userprog/build} directory, execute @code{pintos-mkdisk fs.dsk 2}.
178 This command creates a 2 MB simulated disk named @file{fs.dsk}. Then
179 format the disk by passing @option{-f -q} on the kernel's command
180 line: @code{pintos -f -q}. The @option{-f} option causes the disk to be
181 formatted, and @option{-q} causes Pintos to exit as soon as the format
184 You'll need a way to copy files in and out of the simulated file system.
185 The @code{pintos} @option{-p} (``put'') and @option{-g} (``get'')
186 options do this. To copy @file{@var{file}} into the
187 Pintos file system, use the command @file{pintos -p @var{file} -- -q}.
188 (The @samp{--} is needed because @option{-p} is for the @command{pintos}
189 script, not for the simulated kernel.) To copy it to the Pintos file
190 system under the name @file{@var{newname}}, add @option{-a
191 @var{newname}}: @file{pintos -p @var{file} -a @var{newname} -- -q}. The
192 commands for copying files out of a VM are similar, but substitute
193 @option{-g} for @option{-p}.
195 Incidentally, these commands work by passing special commands
196 @command{put} and @command{get} on the kernel's command line and copying
197 to and from a special simulated ``scratch'' disk. If you're very
198 curious, you can look at the @command{pintos} program as well as
199 @file{filesys/fsutil.c} to learn the implementation details.
201 Here's a summary of how to create and format a disk, copy the
202 @command{echo} program into the new disk, and then run @command{echo},
203 passing argument @code{x}. (Argument passing won't work until
204 you've implemented it.) It assumes
205 that you've already built the
206 examples in @file{examples} and that the current directory is
207 @file{userprog/build}:
210 pintos-mkdisk fs.dsk 2
212 pintos -p ../../examples/echo -a echo -- -q
213 pintos -q run 'echo x'
216 The three final steps can actually be combined into a single command:
219 pintos-mkdisk fs.dsk 2
220 pintos -p ../../examples/echo -a echo -- -f -q run 'echo x'
223 If you don't want to keep the file system disk around for later use or
224 inspection, you can even combine all four steps into a single command.
225 The @code{--fs-disk=2} option creates a temporary disk just for the
226 duration of the @command{pintos} run. The Pintos automatic test suite
227 makes extensive use of this syntax:
230 pintos --fs-disk=2 -p ../../examples/echo -a echo -- -f -q run 'echo x'
233 You can delete a file from the Pintos file system using the @code{rm
234 @var{file}} kernel action, e.g.@: @code{pintos -q rm @var{file}}. Also,
235 @command{ls} lists the files in the file system and @code{cat
236 @var{file}} prints a file's contents to the display.
238 @node How User Programs Work
239 @subsection How User Programs Work
241 Pintos can run normal C programs. In fact, Pintos can run any program
242 you want, as long as it's compiled into the proper file format and uses
243 only the system calls you implement. Notably, @func{malloc} cannot be
244 implemented because none of the system calls required for this project
245 allow for memory allocation. Pintos also can't run programs that use
246 floating point operations, since the kernel doesn't save and restore the
247 processor's floating-point unit when switching threads.
249 The @file{src/examples} directory contains a few sample user
250 programs. The @file{Makefile} in this directory
251 compiles the provided examples, and you can edit it
252 compile your own programs as well.
254 Pintos can load @dfn{ELF} executables with the loader provided for you
255 in @file{userprog/process.c}. ELF is a file format used by Linux,
256 Solaris, and many other operating systems for object files,
257 shared libraries, and executables. You can actually use any compiler
258 and linker that output 80@var{x}86 ELF executables to produce programs
259 for Pintos. (We've provided compilers and linkers that should do just
262 You should realize immediately that, until you copy a
263 test program to the emulated disk, Pintos will be unable to do
264 useful work. You won't be able to do
265 interesting things until you copy a variety of programs to the disk.
266 You might want to create a clean reference disk and copy that
267 over whenever you trash your @file{fs.dsk} beyond a useful state,
268 which may happen occasionally while debugging.
270 @node Virtual Memory Layout
271 @subsection Virtual Memory Layout
273 Virtual memory in Pintos is divided into two regions: user virtual
274 memory and kernel virtual memory. User virtual memory ranges from
275 virtual address 0 up to @code{PHYS_BASE}, which is defined in
276 @file{threads/mmu.h} and defaults to @t{0xc0000000} (3 GB). Kernel
277 virtual memory occupies the rest of the virtual address space, from
278 @code{PHYS_BASE} up to 4 GB.
280 User virtual memory is per-process.
281 When the kernel switches from one process to another, it
282 also switches user virtual address spaces by changing the processor's
283 page directory base register (see @func{pagedir_activate} in
284 @file{userprog/pagedir.c}). @struct{thread} contains a pointer to a
285 process's page directory.
287 Kernel virtual memory is global. It is always mapped the same way,
288 regardless of what user process or kernel thread is running. In
289 Pintos, kernel virtual memory is mapped one-to-one to physical
290 memory, starting at @code{PHYS_BASE}. That is, virtual address
291 @code{PHYS_ADDR} accesses physical
292 address 0, virtual address @code{PHYS_ADDR} + @t{0x1234} access
293 physical address @t{0x1234}, and so on up to the size of the machine's
296 A user program can only access its own user virtual memory. An attempt to
297 access kernel virtual memory causes a page fault, handled by
298 @func{page_fault} in @file{userprog/exception.c}, and the process
299 will be terminated. Kernel threads can access both kernel virtual
300 memory and, if a user process is running, the user virtual memory of
301 the running process. However, even in the kernel, an attempt to
302 access memory at a user virtual address that doesn't have a page
303 mapped into it will cause a page fault.
305 You must handle memory fragmentation gracefully, that is, a process that
306 needs @var{N} pages of user virtual memory must not require those pages
307 to be contiguous in kernel virtual memory.
310 * Typical Memory Layout::
313 @node Typical Memory Layout
314 @subsubsection Typical Memory Layout
316 Conceptually, each process is
317 free to lay out its own user virtual memory however it
318 chooses. In practice, user virtual memory is laid out like this:
325 PHYS_BASE +----------------------------------+
339 +----------------------------------+
340 | uninitialized data segment (BSS) |
341 +----------------------------------+
342 | initialized data segment |
343 +----------------------------------+
345 0x08048000 +----------------------------------+
351 0 +----------------------------------+
358 In this project, the user stack is fixed in size, but in project 3 it
359 will be allowed to grow. Traditionally, the size of the uninitialized
360 data segment can be adjusted with a system call, but you will not have
363 The code segment in Pintos starts at user virtual address
364 @t{0x08084000}, approximately 128 MB from the bottom of the address
365 space. This value is specified in @bibref{SysV-i386} and has no deep
368 The linker sets the layout of a user program in memory, as directed by a
369 ``linker script'' that tells it the names and locations of the various
370 program segments. You can learn more about linker scripts by reading
371 the ``Scripts'' chapter in the linker manual, accessible via @samp{info
374 To view the layout of a particular executable, run @command{objdump}
375 (80@var{x}86) or @command{i386-elf-objdump} (SPARC) with the @option{-p}
378 @node Accessing User Memory
379 @subsection Accessing User Memory
382 call, the kernel must often access memory through pointers provided by a user
383 program. The kernel must be very careful about doing so, because
384 the user can pass a null pointer, a pointer to
385 unmapped virtual memory, or a pointer to kernel virtual address space
386 (above @code{PHYS_BASE}). All of these types of invalid pointers must
387 be rejected without harm to the kernel or other running processes, by
388 terminating the offending process and freeing its resources.
390 There are at least two reasonable ways to do this correctly. The
391 first method is to verify
392 the validity of a user-provided pointer, then dereference it. If you
393 choose this route, you'll want to look at the functions in
394 @file{userprog/pagedir.c} and in @file{threads/mmu.h}. This is the
395 simplest way to handle user memory access.
397 The second method is to check only that a user
398 pointer points below @code{PHYS_BASE}, then dereference it.
399 An invalid user pointer will cause a ``page fault'' that you can
400 handle by modifying the code for @func{page_fault} in
401 @file{userprog/exception.cc}. This technique is normally faster
402 because it takes advantage of the processor's MMU, so it tends to be
403 used in real kernels (including Linux).
405 In either case, you need to make sure not to ``leak'' resources. For
406 example, suppose that your system call has acquired a lock or
407 allocated a page of memory. If you encounter an invalid user pointer
408 afterward, you must still be sure to release the lock or free the page
409 of memory. If you choose to verify user pointers before dereferencing
410 them, this should be straightforward. It's more difficult to handle
411 if an invalid pointer causes a page fault,
412 because there's no way to return an error code from a memory access.
413 Therefore, for those who want to try the latter technique, we'll
414 provide a little bit of helpful code:
417 /* Tries to copy a byte from user address USRC to kernel address KDST.
418 Returns true if successful, false if USRC is invalid. */
419 static inline bool get_user (uint8_t *kdst, const uint8_t *usrc) {
421 asm ("movl $1f, %%eax; movb %2, %%al; movb %%al, %0; 1:"
422 : "=m" (*kdst), "=&a" (eax) : "m" (*usrc));
426 /* Tries to write BYTE to user address UDST.
427 Returns true if successful, false if UDST is invalid. */
428 static inline bool put_user (uint8_t *udst, uint8_t byte) {
430 asm ("movl $1f, %%eax; movb %b2, %0; 1:"
431 : "=m" (*udst), "=&a" (eax) : "r" (byte));
436 Each of these functions assumes that the user address has already been
437 verified to be below @code{PHYS_BASE}. They also assume that you've
438 modified @func{page_fault} so that a page fault in the kernel causes
439 @code{eax} to be set to 0 and its former value copied into @code{eip}.
441 @node Project 2 Suggested Order of Implementation
442 @section Suggested Order of Implementation
444 We suggest first implementing the following, which can happen in
449 Argument passing (@pxref{Argument Passing}). Every user programs will
450 page fault immediately until argument passing is implemented.
452 For now, you may simply wish to change
458 *esp = PHYS_BASE - 12;
460 in @func{setup_stack}. That will work for any test program that doesn't
461 examine its arguments, although its name will be printed as
465 User memory access (@pxref{Accessing User Memory}). All system calls
466 need to read user memory. Few system calls need to write to user
470 System call infrastructure (@pxref{System Calls}). Implement enough
471 code to read the system call number from the user stack and dispatch to
472 a handler based on it.
475 The @code{exit} system call. Every user program that finishes in the
476 normal way calls @code{exit}. Even a program that returns from
477 @func{main} calls @code{exit} indirectly (see @func{_start} in
478 @file{lib/user/entry.c}).
481 The @code{write} system call for writing to fd 1, the system console.
482 All of our test programs write to the console (the user process version
483 of @func{printf} is implemented this way), so they will all malfunction
484 until @code{write} is available.
487 For now, change @func{process_wait} to an infinite loop (one that waits
488 forever). The provided implementation returns immediately, so Pintos
489 will power off before any processes actually get to run. You will
490 eventually need to provide a correct implementation.
493 After the above are implemented, user processes should work minimally.
494 At the very least, they can write to the console and exit correctly.
495 You can then refine your implementation so that some of the tests start
498 @node Project 2 Requirements
499 @section Requirements
502 * Project 2 Design Document::
503 * Process Termination Messages::
506 * Denying Writes to Executables::
509 @node Project 2 Design Document
510 @subsection Design Document
512 Before you turn in your project, you must copy @uref{userprog.tmpl, ,
513 the project 2 design document template} into your source tree under the
514 name @file{pintos/src/userprog/DESIGNDOC} and fill it in. We recommend
515 that you read the design document template before you start working on
516 the project. @xref{Project Documentation}, for a sample design document
517 that goes along with a fictitious project.
519 @node Process Termination Messages
520 @subsection Process Termination Messages
522 Whenever a user process terminates, because it called @code{exit}
523 or for any other reason, print the process's name
524 and exit code, formatted as if printed by @code{printf ("%s:
525 exit(%d)\n", @dots{});}. The name printed should be the full name
526 passed to @func{process_execute}, omitting command-line arguments.
527 Do not print these messages when a kernel thread that is not a user
528 process terminates, or
529 when the @code{halt} system call is invoked. The message is optional
530 when a process fails to load.
532 Aside from this, don't print any other
533 messages that Pintos as provided doesn't already print. You may find
534 extra messages useful during debugging, but they will confuse the
535 grading scripts and thus lower your score.
537 @node Argument Passing
538 @subsection Argument Passing
540 Currently, @func{process_execute} does not support passing arguments to
541 new processes. Implement this functionality, by extending
542 @func{process_execute} so that instead of simply taking a program file
543 name as its argument, it divides it into words at spaces. The first
544 word is the program name, the second word is the first argument, and so
545 on. That is, @code{process_execute("grep foo bar")} should run
546 @command{grep} passing two arguments @code{foo} and @code{bar}.
548 Within a command line, multiple spaces are equivalent to a single space,
549 so that @code{process_execute("grep foo bar")} is equivalent to our
550 original example. You can impose a reasonable limit on the length of
551 the command line arguments. For example, you could limit the arguments
552 to those that will fit in a single page (4 kB). (There is an unrelated
553 limit of 128 bytes on command-line arguments that the @command{pintos}
554 utility can pass to the kernel.)
556 You can parse argument strings any way you like. If you're lost,
557 look at @func{strtok_r}, prototyped in @file{lib/string.h} and
558 implemented with thorough comments in @file{lib/string.c}. You can
559 find more about it by looking at the man page (run @code{man strtok_r}
562 @xref{Program Startup Details}, for information on exactly how you
563 need to set up the stack.
566 @subsection System Calls
568 Implement the system call handler in @file{userprog/syscall.c}. The
569 skeleton implementation we provide ``handles'' system calls by
570 terminating the process. It will need to retrieve the system call
571 number, then any system call arguments, and carry appropriate actions.
573 Implement the following system calls. The prototypes listed are those
574 seen by a user program that includes @file{lib/user/syscall.h}. (This
575 header and all other files in @file{lib/user} are for use by user
576 programs only.) System call numbers for each system call are defined in
577 @file{lib/syscall-nr.h}:
579 @deftypefn {System Call} void halt (void)
580 Terminates Pintos by calling @func{power_off} (declared in
581 @file{threads/init.h}). This should be seldom used, because you lose
582 some information about possible deadlock situations, etc.
585 @deftypefn {System Call} void exit (int @var{status})
586 Terminates the current user program, returning @var{status} to the
587 kernel. If the process's parent @code{wait}s for it (see below), this
589 that will be returned. Conventionally, a @var{status} of 0 indicates
590 success and nonzero values indicate errors.
593 @deftypefn {System Call} pid_t exec (const char *@var{cmd_line})
594 Runs the executable whose name is given in @var{cmd_line}, passing any
595 given arguments, and returns the new process's program id (pid). Must
596 return pid -1, which otherwise should not be a valid pid, if
597 the program cannot load or run for any reason.
600 @deftypefn {System Call} int wait (pid_t @var{pid})
601 Waits for process @var{pid} to die and returns the status it passed to
602 @code{exit}. Returns -1 if @var{pid}
603 was terminated by the kernel (e.g.@: killed due to an exception). If
604 @var{pid} is does not refer to a child of the
605 calling thread, or if @code{wait} has already been successfully
606 called for the given @var{pid}, returns -1 immediately, without
609 You must ensure that Pintos does not terminate until the initial
610 process exits. The supplied Pintos code tries to do this by calling
611 @func{process_wait} (in @file{userprog/process.c}) from @func{main}
612 (in @file{threads/init.c}). We suggest that you implement
613 @func{process_wait} according to the comment at the top of the
614 function and then implement the @code{wait} system call in terms of
617 All of a process's resources, including its @struct{thread}, must be
618 freed whether its parent ever waits for it or not, and regardless of
619 whether the child exits before or after its parent.
621 Children are not inherited: if @var{A} has child @var{B} and
622 @var{B} has child @var{C}, then @code{wait(C)} always returns immediately
623 when called from @var{A}, even if @var{B} is dead.
625 Consider all the ways a wait can occur: nested waits (@var{A} waits
626 for @var{B}, then @var{B} waits for @var{C}), multiple waits (@var{A}
627 waits for @var{B}, then @var{A} waits for @var{C}), and so on.
630 @deftypefn {System Call} bool create (const char *@var{file}, unsigned @var{initial_size})
631 Creates a new file called @var{file} initially @var{initial_size} bytes
632 in size. Returns true if successful, false otherwise.
634 Consider implementing this function in terms of @func{filesys_create}.
637 @deftypefn {System Call} bool remove (const char *@var{file})
638 Deletes the file called @var{file}. Returns true if successful, false
641 Consider implementing this function in terms of @func{filesys_remove}.
644 @deftypefn {System Call} int open (const char *@var{file})
645 Opens the file called @var{file}. Returns a nonnegative integer handle
646 called a ``file descriptor'' (fd), or -1 if the file could not be
647 opened. All open files associated with a process should be closed
648 when the process exits or is terminated.
650 File descriptors numbered 0 and 1 are reserved for the console: fd 0
651 is standard input (@code{stdin}), fd 1 is standard output
652 (@code{stdout}). These special file descriptors are valid as system
653 call arguments only as explicitly described below.
655 Consider implementing this function in terms of @func{filesys_open}.
658 @deftypefn {System Call} int filesize (int @var{fd})
659 Returns the size, in bytes, of the file open as @var{fd}.
661 Consider implementing this function in terms of @func{file_length}.
664 @deftypefn {System Call} int read (int @var{fd}, void *@var{buffer}, unsigned @var{size})
665 Reads @var{size} bytes from the file open as @var{fd} into
666 @var{buffer}. Returns the number of bytes actually read (0 at end of
667 file), or -1 if the file could not be read (due to a condition other
668 than end of file). Fd 0 reads from the keyboard using
669 @func{kbd_getc}. (Keyboard input will not work if you pass the
670 @option{-v} option to @command{pintos}.)
672 Consider implementing this function in terms of @func{file_read}.
675 @deftypefn {System Call} int write (int @var{fd}, const void *@var{buffer}, unsigned @var{size})
676 Writes @var{size} bytes from @var{buffer} to the open file @var{fd}.
677 Returns the number of bytes actually written, or -1 if the file could
680 Writing past end-of-file would normally extend the file, but file growth
681 is not implemented by the basic file system. The expected behavior is
682 to write as many bytes as possible up to end-of-file and return the
683 actual number written, or -1 if no bytes could be written at all.
685 Fd 1 writes to the console. Your code to write to the console should
686 write all of @var{buffer} in one call to @func{putbuf}, at least as
687 long as @var{size} is not bigger than a few hundred bytes. (It is
688 reasonable to break up larger buffers.) Otherwise,
689 lines of text output by different processes may end up interleaved on
690 the console, confusing both human readers and our grading scripts.
692 Consider implementing this function in terms of @func{file_write}.
695 @deftypefn {System Call} void seek (int @var{fd}, unsigned @var{position})
696 Changes the next byte to be read or written in open file @var{fd} to
697 @var{position}, expressed in bytes from the beginning of the file.
698 (Thus, a @var{position} of 0 is the file's start.)
700 A seek past the current end of a file is not an error. A later read
701 obtains 0 bytes, indicating end of file. A later write extends the
702 file, filling any unwritten gap with zeros. (However, in Pintos files
703 have a fixed length until project 4 is complete, so writes past end of
704 file will return an error.) These semantics are implemented in the
705 file system and do not require any special effort in system call
708 Consider implementing this function in terms of @func{file_seek}.
711 @deftypefn {System Call} unsigned tell (int @var{fd})
712 Returns the position of the next byte to be read or written in open
713 file @var{fd}, expressed in bytes from the beginning of the file.
715 Consider implementing this function in terms of @func{file_tell}.
718 @deftypefn {System Call} void close (int @var{fd})
719 Closes file descriptor @var{fd}.
721 Consider implementing this function in terms of @func{file_close}.
724 The file defines other syscalls. Ignore them for now. You will
725 implement some of them in project 3 and the rest in project 4, so be
726 sure to design your system with extensibility in mind.
728 To implement syscalls, you need to provide ways to read and write data
729 in user virtual address space.
730 You need this ability before you can
731 even obtain the system call number, because the system call number is
732 on the user's stack in the user's virtual address space.
733 This can be a bit tricky: what if the user provides an invalid
734 pointer, a pointer into kernel memory, or a block
735 partially in one of those regions? You should handle these cases by
736 terminating the user process. We recommend
737 writing and testing this code before implementing any other system
740 You must synchronize system calls so that
741 any number of user processes can make them at once. In particular, it
742 is not safe to call into the file system code provided in the
743 @file{filesys} directory from multiple threads at once. For now, we
744 recommend adding a single lock that controls access to the file system
745 code. You should acquire this lock before calling any functions in
746 the @file{filesys} directory, and release it afterward. Don't forget
747 that @func{process_execute} also accesses files. @strong{For now, we
748 recommend against modifying code in the @file{filesys} directory.}
750 We have provided you a user-level function for each system call in
751 @file{lib/user/syscall.c}. These provide a way for user processes to
752 invoke each system call from a C program. Each uses a little inline
753 assembly code to invoke the system call and (if appropriate) returns the
754 system call's return value.
756 When you're done with this part, and forevermore, Pintos should be
757 bulletproof. Nothing that a user program can do should ever cause the
758 OS to crash, panic, fail an assertion, or otherwise malfunction. It is
759 important to emphasize this point: our tests will try to break your
760 system calls in many, many ways. You need to think of all the corner
761 cases and handle them. The sole way a user program should be able to
762 cause the OS to halt is by invoking the @code{halt} system call.
764 If a system call is passed an invalid argument, acceptable options
765 include returning an error value (for those calls that return a
766 value), returning an undefined value, or terminating the process.
768 @xref{System Call Details}, for details on how system calls work.
770 @node Denying Writes to Executables
771 @subsection Denying Writes to Executables
773 Add code to deny writes to files in use as executables. Many OSes do
774 this because of the unpredictable results if a process tried to run code
775 that was in the midst of being changed on disk. This is especially
776 important once virtual memory is implemented in project 3, but it can't
779 You can use @func{file_deny_write} to prevent writes to an open file.
780 Calling @func{file_allow_write} on the file will re-enable them (unless
781 the file is denied writes by another opener). Closing a file will also
782 re-enable writes. Thus, to deny writes to process's executable, you
783 must keep it open as long as the process is still running.
789 @item How much code will I need to write?
791 Here's a summary of our reference solution, produced by the
792 @command{diffstat} program. The final row gives total lines inserted
793 and deleted; a changed line counts as both an insertion and a deletion.
796 threads/thread.c | 13
797 threads/thread.h | 26 +
798 userprog/exception.c | 8
799 userprog/process.c | 247 ++++++++++++++--
800 userprog/syscall.c | 468 ++++++++++++++++++++++++++++++-
801 userprog/syscall.h | 1
802 6 files changed, 725 insertions(+), 38 deletions(-)
805 @item The kernel always panics when I run @code{pintos -p @var{file} -- -q}.
807 Did you format the disk (with @samp{pintos -f})?
809 Is your file name too long? The file system limits file names to 14
810 characters. A command like @samp{pintos -p ../../examples/echo -- -q}
811 will exceed the limit. Use @samp{pintos -p ../../examples/echo -a echo
812 -- -q} to put the file under the name @file{echo} instead.
814 Is the file system full?
816 Does the file system already contain 16 files? The base Pintos file
817 system has a 16-file limit.
819 The file system may be so fragmented that there's not enough contiguous
822 @item When I run @code{pintos -p ../file --}, @file{file} isn't copied.
824 Files are written under the name you refer to them, by default, so in
825 this case the file copied in would be named @file{../file}. You
826 probably want to run @code{pintos -p ../file -a file --} instead.
828 @item All my user programs die with page faults.
830 This will happen if you haven't implemented argument passing
831 (or haven't done so correctly). The basic C library for user programs tries
832 to read @var{argc} and @var{argv} off the stack. If the stack
833 isn't properly set up, this causes a page fault.
835 @item All my user programs die with @code{system call!}
837 You'll have to implement system calls before you see anything else.
838 Every reasonable program tries to make at least one system call
839 (@func{exit}) and most programs make more than that. Notably,
840 @func{printf} invokes the @code{write} system call. The default system
841 call handler just prints @samp{system call!} and terminates the program.
842 Until then, you can use @func{hex_dump} to convince yourself that
843 argument passing is implemented correctly (@pxref{Program Startup Details}).
845 @item How can I can disassemble user programs?
847 The @command{objdump} (80@var{x}86) or @command{i386-elf-objdump}
848 (SPARC) utility can disassemble entire user
849 programs or object files. Invoke it as @code{objdump -d
850 @var{file}}. You can use @code{gdb}'s
851 @command{disassemble} command to disassemble individual functions
854 @item Why do many C include files not work in Pintos programs?
856 The C library we provide is very limited. It does not include many of
857 the features that are expected of a real operating system's C library.
858 The C library must be built specifically for the operating system (and
859 architecture), since it must make system calls for I/O and memory
860 allocation. (Not all functions do, of course, but usually the library
861 is compiled as a unit.)
863 @item Can I use lib@var{foo} in my Pintos programs?
865 The chances are good that lib@var{foo} uses parts of the C library
866 that Pintos doesn't implement. It will probably take at least some
867 porting effort to make it work under Pintos. Notably, the Pintos
868 user program C library does not have a @func{malloc} implementation.
870 @item How do I compile new user programs?
872 Modify @file{src/examples/Makefile}, then run @command{make}.
874 @item Can I run user programs under a debugger?
876 Yes, with some limitations. @xref{Debugging User Programs}.
878 @item What's the difference between @code{tid_t} and @code{pid_t}?
880 A @code{tid_t} identifies a kernel thread, which may have a user
881 process running in it (if created with @func{process_execute}) or not
882 (if created with @func{thread_create}). It is a data type used only
885 A @code{pid_t} identifies a user process. It is used by user
886 processes and the kernel in the @code{exec} and @code{wait} system
889 You can choose whatever suitable types you like for @code{tid_t} and
890 @code{pid_t}. By default, they're both @code{int}. You can make them
891 a one-to-one mapping, so that the same values in both identify the
892 same process, or you can use a more complex mapping. It's up to you.
894 @item Keyboard input doesn't work with @command{pintos} option @option{-v}.
896 Serial input isn't implemented. Don't use @option{-v} if you
897 want to use the shell or otherwise need keyboard input.
901 * Argument Passing FAQ::
905 @node Argument Passing FAQ
906 @subsection Argument Passing FAQ
909 @item Isn't the top of stack off the top of user virtual memory?
911 The top of stack is at @code{PHYS_BASE}, typically @t{0xc0000000}, which
912 is also where kernel virtual memory starts.
913 But when the processor pushes data on the stack, it decrements the stack
914 pointer first. Thus, the first (4-byte) value pushed on the stack
915 will be at address @t{0xbffffffc}.
917 @item Is @code{PHYS_BASE} fixed?
919 No. You should be able to support @code{PHYS_BASE} values that are
920 any multiple of @t{0x10000000} from @t{0x80000000} to @t{0xf0000000},
921 simply via recompilation.
924 @node System Calls FAQ
925 @subsection System Calls FAQ
928 @item Can I just cast a @code{struct file *} to get a file descriptor?
929 @itemx Can I just cast a @code{struct thread *} to a @code{pid_t}?
931 You will have to make these design decisions yourself.
932 Most operating systems do distinguish between file
933 descriptors (or pids) and the addresses of their kernel data
934 structures. You might want to give some thought as to why they do so
935 before committing yourself.
937 @item Can I set a maximum number of open files per process?
939 It is better not to set an arbitrary limit. You may impose a limit of
940 128 open files per process, if necessary.
942 @item What happens when an open file is removed?
943 @anchor{Removing an Open File}
945 You should implement the standard Unix semantics for files. That is, when
946 a file is removed any process which has a file descriptor for that file
947 may continue to use that descriptor. This means that
948 they can read and write from the file. The file will not have a name,
949 and no other processes will be able to open it, but it will continue
950 to exist until all file descriptors referring to the file are closed
951 or the machine shuts down.
953 @item How can I run user programs that need more than 4 kB stack space?
955 You may modify the stack setup code to allocate more than one page of
956 stack space for each process. In the next project, you will implement a
960 @node 80x86 Calling Convention
961 @section 80@var{x}86 Calling Convention
963 This section summarizes important points of the convention used for
964 normal function calls on 32-bit 80@var{x}86 implementations of Unix.
965 Some details are omitted for brevity. If you do want all the details,
966 you can refer to @bibref{SysV-i386}.
968 The basic calling convention works like this:
972 The caller pushes each of the function's arguments on the stack one by
973 one, normally using the @code{PUSH} assembly language instruction.
974 Arguments are pushed in right-to-left order.
977 The caller pushes the address of its next instruction (the @dfn{return
978 address}) on the stack and jumps to the first instruction of the callee.
979 A single 80@var{x}86 instruction, @code{CALL}, does both.
982 The callee executes. When it takes control, the stack pointer points to
983 the return address, the first argument is just above it, the second
984 argument is just above the first argument, and so on.
987 If the callee has a return value, it stores it into register @code{EAX}.
990 The callee returns by popping the return address from the stack and
991 jumping to the location it specifies, using the 80@var{x}86 @code{RET}
995 The caller pops the arguments off the stack.
998 Consider a function @func{f} that takes three @code{int} arguments.
999 This diagram shows a sample stack frame as seen by the callee at the
1000 beginning of step 3 above, supposing that @func{f} is invoked as
1001 @code{f(1, 2, 3)}. The stack addresses are arbitrary:
1014 stack pointer --> 0xbffffe70 | return address |
1022 * Program Startup Details::
1023 * System Call Details::
1026 @node Program Startup Details
1027 @subsection Program Startup Details
1029 The Pintos C library for user programs designates @func{_start}, in
1030 @file{lib/user/entry.c}, as the entry point for user programs. This
1031 function is a wrapper around @func{main} that calls @func{exit} if
1032 @func{main} returns:
1036 _start (int argc, char *argv[])
1038 exit (main (argc, argv));
1042 The kernel is responsible for setting up the arguments for the initial
1043 function on the stack, in accordance with the calling convention
1044 explained in the preceding section, before it allows the user program to
1047 Consider the following example command: @samp{/bin/ls -l foo bar}.
1048 First, the kernel must break the command into words, as @samp{/bin/ls},
1049 @samp{-l}, @samp{foo}, and @samp{bar}, and place them at the top of the
1050 stack. Order doesn't matter, because they will be referenced through
1053 Then, push the address of each string plus a null pointer sentinel, on
1054 the stack, in right-to-left order. These are the elements of
1055 @code{argv}. The order ensure that @code{argv[0]} is at the lowest
1056 virtual address. Word-aligned accesses are faster than unaligned
1057 accesses, so for best performance round the stack pointer down to a
1058 multiple of 4 before the first push.
1060 Then, push @code{argv} (the address of @code{argv[0]}) and @code{argc},
1061 in that order. Finally, push a fake ``return address'': although the
1062 entry function will never return, its stack frame must have the same
1063 structure as any other.
1065 The table below show the state of the stack and the relevant registers
1066 right before the beginning of the user program, assuming
1067 @code{PHYS_BASE} is @t{0xc0000000}:
1072 @multitable {@t{0xbfffffff}} {return address} {@t{/bin/ls\0}} {@code{void (*) ()}}
1073 @item Address @tab Name @tab Data @tab Type
1074 @item @t{0xbffffffc} @tab @code{argv[3][@dots{}]} @tab @samp{bar\0} @tab @code{char[4]}
1075 @item @t{0xbffffff8} @tab @code{argv[2][@dots{}]} @tab @samp{foo\0} @tab @code{char[4]}
1076 @item @t{0xbffffff5} @tab @code{argv[1][@dots{}]} @tab @samp{-l\0} @tab @code{char[3]}
1077 @item @t{0xbfffffed} @tab @code{argv[0][@dots{}]} @tab @samp{/bin/ls\0} @tab @code{char[8]}
1078 @item @t{0xbfffffec} @tab word-align @tab 0 @tab @code{uint8_t}
1079 @item @t{0xbfffffe8} @tab @code{argv[4]} @tab @t{0} @tab @code{char *}
1080 @item @t{0xbfffffe4} @tab @code{argv[3]} @tab @t{0xbffffffc} @tab @code{char *}
1081 @item @t{0xbfffffe0} @tab @code{argv[2]} @tab @t{0xbffffff8} @tab @code{char *}
1082 @item @t{0xbfffffdc} @tab @code{argv[1]} @tab @t{0xbffffff5} @tab @code{char *}
1083 @item @t{0xbfffffd8} @tab @code{argv[0]} @tab @t{0xbfffffed} @tab @code{char *}
1084 @item @t{0xbfffffd4} @tab @code{argv} @tab @t{0xbfffffd8} @tab @code{char **}
1085 @item @t{0xbfffffd0} @tab @code{argc} @tab 4 @tab @code{int}
1086 @item @t{0xbfffffcc} @tab return address @tab 0 @tab @code{void (*) ()}
1092 In this example, the stack pointer would be initialized to
1095 As shown above, your code should start the stack at the very top of
1096 the user virtual address space, in the page just below virtual address
1097 @code{PHYS_BASE} (defined in @file{threads/mmu.h}).
1099 You may find the non-standard @func{hex_dump} function, declared in
1100 @file{<stdio.h>}, useful for debugging your argument passing code.
1101 Here's what it would show in the above example:
1104 bfffffc0 00 00 00 00 | ....|
1105 bfffffd0 04 00 00 00 d8 ff ff bf-ed ff ff bf f5 ff ff bf |................|
1106 bfffffe0 f8 ff ff bf fc ff ff bf-00 00 00 00 00 2f 62 69 |............./bi|
1107 bffffff0 6e 2f 6c 73 00 2d 6c 00-66 6f 6f 00 62 61 72 00 |n/ls.-l.foo.bar.|
1110 @node System Call Details
1111 @subsection System Call Details
1113 The first project already dealt with one way that the operating system
1114 can regain control from a user program: interrupts from timers and I/O
1115 devices. These are ``external'' interrupts, because they are caused
1116 by entities outside the CPU (@pxref{External Interrupt Handling}).
1118 The operating system also deals with software exceptions, which are
1119 events that occur in program code (@pxref{Internal Interrupt
1120 Handling}). These can be errors such as a page fault or division by
1121 zero. Exceptions are also the means by which a user program
1122 can request services (``system calls'') from the operating system.
1124 In the 80@var{x}86 architecture, the @samp{int} instruction is the
1125 most commonly used means for invoking system calls. This instruction
1126 is handled in the same way as other software exceptions. In Pintos,
1127 user programs invoke @samp{int $0x30} to make a system call. The
1128 system call number and any additional arguments are expected to be
1129 pushed on the stack in the normal fashion before invoking the
1132 Thus, when the system call handler @func{syscall_handler} gets control,
1133 the system call number is in the 32-bit word at the caller's stack
1134 pointer, the first argument is in the 32-bit word at the next higher
1135 address, and so on. The caller's stack pointer is accessible to
1136 @func{syscall_handler} as the @samp{esp} member of the
1137 @struct{intr_frame} passed to it. (@struct{intr_frame} is on the kernel
1140 The 80@var{x}86 convention for function return values is to place them
1141 in the @code{EAX} register. System calls that return a value can do
1142 so by modifying the @samp{eax} member of @struct{intr_frame}.
1144 You should try to avoid writing large amounts of repetitive code for
1145 implementing system calls. Each system call argument, whether an
1146 integer or a pointer, takes up 4 bytes on the stack. You should be able
1147 to take advantage of this to avoid writing much near-identical code for
1148 retrieving each system call's arguments from the stack.