Providing Open Architecture High Availability Solutions

9.3.1 Memory Protection
Modern software divides computer memory up into regions, principally for program code and
several types of data. Without a hardware Memory Management Unit (MMU), these divisions are
soft, enforced only by the way that development tools lay out memory and by how programmers
follow the layout discipline. Large multi-process or multi-threaded programs further divide these
gross regions, giving each process, task, or thread of execution its own chunks of memory for code
and data. Among the hardest bugs to find are those that violate this neat structure — when
programs unintentionally modify their own code regions, accidentally corrupt data structures, or
violate the code or data regions of other threads, or even the operating system kernel itself.
Hardware-based memory protection offers greater security and more robust application code by isolating
the various regions of a program using the integrated hardware MMUs on modern
microprocessors. The MMU erects walls around code and data by defining memory segments for
each and restricting access to those segments: code segments are read-only, disallowing accidental
self-modification. Data segments are accessible only to the currently executing process, or are marked
read-only and so protected in the same manner as code. Thread stacks can be laid out with
virtual comb-tooth address gaps between them, preventing inter-stack corruption through walk-over.
When a program attempts to write over itself or violates data access restrictions, an exception
occurs, the executing program is interrupted, and the offending program location can be easily
located and repaired. In multi-process HA systems, one errant thread will be stopped from
corrupting the entire application, and may be restarted or replaced without interrupting mission-critical
operation.
Virtual Address Spaces
An operating system provides this isolation by assigning each program or process its
own MMU-enforced virtual address space. Each process can then treat the entire computer
address space that it can see as its own. With this type of memory protection the process does not
risk corrupting the memory space of other processes in the system. The operating system maps all
program memory accesses, from the program's vision of memory (logical view) to the available
collection of system memory resources (physical view) through the MMU. This mapping is
completely transparent to the process and its programmer, focusing programming effort on
algorithm design, not implementation particulars.
9.3.2 Process Handling Overview
In a Linux/UNIX process style model, programs are executed as processes. Each process has its
own protected address space, so an access to unallocated or illegal memory is trapped
immediately rather than being allowed to corrupt another process. This protection provides fault
isolation for a wide range of software faults.
Resource Recovery and Containment
The process model also keeps track of what resources are allocated on behalf of a process. When a
process or thread opens a file, allocates memory, or attaches to shared memory, resources are
allocated by the OS and then returned to the system when the process exits. A process can create
other processes that become child processes. The parent process sets limits on the amount of
resources that a child process can allocate. When a child process exits, its parent can get status
information, including why the child process exited.
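The fault isolation, resource limits and parent-side exit status described in 9.3.2, shown in a small Linux C program. This is an added example, not code from the book: the parent forks a child, applies resource limits (inherited across fork, so they are set in the child before it does any work), and then reads from waitpid() whether the child exited or was killed by a signal such as SIGSEGV from a memory-protection violation. The scenario names, the exit code 3 and the use of /dev/null are this example's own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum scenario { WRITE_READONLY, OPEN_OVER_LIMIT, CLEAN_EXIT };

/* The parent's view of how a child ended: the "why" the text mentions. */
struct child_report {
    int killed_by_signal;  /* 1 if the kernel terminated the child with a signal */
    int signal;            /* e.g. SIGSEGV for a memory-protection violation */
    int exit_code;         /* child's own status when it exited normally, else -1 */
};

struct child_report run_contained(enum scenario s) {
    struct child_report r = {0, 0, -1};
    pid_t pid = fork();
    if (pid < 0) return r;                 /* fork failed: report stays empty */
    if (pid == 0) {
        /* Policy set on behalf of the child: no core files, no new descriptors. */
        struct rlimit none = {0, 0};
        setrlimit(RLIMIT_CORE, &none);
        setrlimit(RLIMIT_NOFILE, &none);
        if (s == OPEN_OVER_LIMIT)          /* open() now fails with EMFILE */
            _exit(open("/dev/null", O_RDONLY) < 0 ? 3 : 0);
        if (s == WRITE_READONLY) {
            /* A read-only mapping models how the MMU treats a code segment. */
            volatile char *page = mmap(NULL, 4096, PROT_READ,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
            if (page == MAP_FAILED) _exit(2);
            page[0] = 'x';                 /* write fault: kernel sends SIGSEGV */
            _exit(1);                      /* not reached */
        }
        _exit(0);
    }
    int status;                            /* parent: wait and classify the end */
    if (waitpid(pid, &status, 0) < 0) return r;
    if (WIFSIGNALED(status)) { r.killed_by_signal = 1; r.signal = WTERMSIG(status); }
    else if (WIFEXITED(status)) r.exit_code = WEXITSTATUS(status);
    return r;                              /* the parent itself is unharmed */
}

int main(void) {
    struct child_report r = run_contained(WRITE_READONLY);
    printf("write to read-only page: signal %d (SIGSEGV is %d)\n", r.signal, SIGSEGV);
    r = run_contained(OPEN_OVER_LIMIT);
    printf("open() with RLIMIT_NOFILE=0: child exit code %d\n", r.exit_code);
    return 0;
}
```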