JIURL play Win2k memory articles shared memory (a) ProtoPTE Author: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
Several main applications for shared memory between the memory shared Windows 2000 is that a DLL (dynamic link library) may be used by multiple processes and should be shared. A program should also be shared by a plurality of running instances. Data is transmitted through memory communication between the process implemented by the Memory Mapped file. Each process has its own 4G address space, address space through your own page directory and page table, mapping physical memory in units. Putting a page address space of two different processes to the same physical page, one page address space of the two processes implements sharing, two processes read and write to the page address space, are the same physical page Read and write. The physical page frame number of the two processes, the physical page frame number in the page, corresponding to one page address space), makes a page of the two processes to the same physical page. For example, the 0x10000-0x10FFF this page of the process 1 Map Physical Memory Page 100, the process 2 0x20000-0x20FFF This page also maps the 100 pages of physical memory, then the process 1 0x10000-0x10FFF is the process 2 0x20000- 0x20FFF is the 100 pages of physical memory. We look at the sharing of DLL in Win2K. NTDLL.DLL is usually used by all processes. We open a notepad program, a calculator program, use Softice to see if the two processes are responsible for mapping the NTDLL.DLL page entry (PTE) is the same. In the same way, you will show that the physical memory is shared, and the physical memory is not shared. Run calculator and notepad, use Softice observation.
First, look at the calculator // Transition to the CALC process using the addr command is also the address space of the calculator process: addr calc // Use the map32 -u command to see the module mapped in the user address space: map32 -uowner obj name Obj # Address Size Typecalc .text 0001 001B: 01001000 000124EE CODE ROcalc .data 0002 0023: 01014000 000010C0 IDATA RWcalc .rsrc 0003 0023: 01016000 00002B98 IDATA RONVDESK32 .text 0001 001B: 10001000 0000DB8F CODE RO ... gdi32 .reloc 0004 0023: 77F7A000 0000151C IDATA ROntdll .text 0001 001B: 77F81000 00042492 CODE ROntdll ECODE 0002 001B: 77FC4000 00004371 CODE ROntdll PAGE 0003 001B: 77FC9000 00003983 CODE ROntdll .data 0004 0023: 77FCD000 00002350 IDATA RWntdll .rsrc 0005 0023: 77FD0000 00026D08 IDATA ROntdll .reloc 0006 0023 : 77FF7000 00001DA8 Idata Ro ... msvcrt.RELOC 0005 0023: 78043000 00002600 Idata RO // See the address // of the NTDLL in the address space // code in the .Text section, the .Text section start address For 77f81000 // We see the 77f82000-77f82fff this page // this page of this page // (77F82000 >> 12) * 4 0xC0000000 = 0xc01dfE08 // Display this section page item: DD C01DFE04 L 1000010: C01DFE04 00000000 04E63005 04E4B005 04E4C005 ..... 0 .......... 0010: C01DFE14 04E4D025 04 E2E005 04E2F005 04E3000: C01DFE24 04E11005 04E12005 04E1B025 04E1C025 ..... ..% ...% ... 0010: C01DFE34 04E1D005 04DFE005 04DF025 04E80025 .. ...% ...% ... 0010: c01dfe44 04e61005 04e13005 04e14025 04e15005 ..... 0 ..% @ ... p..0010: C01DFE54 04E16005 04DF7025 04DF8025 00000000.`.% P ..% ....... 0010: c01dfe64 04e1a0050 000000000000000000000000 .................. 0010: C01DFE74 00000000 00000000 04E43025 04E44005 ........% 0 ... @ .. 0010: C01DFE84 0000000000 04E46025 00000000 00000000 ....% `............. // 0XC01DFE08 at 04E63005, where the height 20bit is the page number of the physical page , Low 12 bit is the sign // So 77F82000-77F82FFF in NTDLL .Text section This page mapped to physical page 04E63 // (physical address 04e63000-04E63FFF)
Look at notepad // convert to notepad address space: addr notepad: map32 -uOwner Obj Name Obj # Address Size TypeNOTEPAD .text 0001 001B: 01001000 000065CA CODE RONOTEPAD .data 0002 0023: 01008000 00001944 IDATA RWNOTEPAD .rsrc 0003 0023: 0100A000 00005238 IDATA RONVDESK32 .text 0001 001B: 10001000 0000DB8F CODE RO ... gdi32 .reloc 0004 0023: 77F7A000 0000151C IDATA ROntdll .text 0001 001B: 77F81000 00042492 CODE ROntdll ECODE 0002 001B: 77FC4000 00004371 CODE ROntdll PAGE 0003 001B: 77FC9000 00003983 CODE ROntdll .data 0004 0023: 77FCD000 00002350 IDATA RWntdll .rsrc 0005 0023: 77FD0000 00026D08 IDATA ROntdll .reloc 0006 0023: 77FF7000 00001DA8 IDATA RO ... MSVCRT .reloc 0005 0023: 78043000 00002600 IDATA RO // see various sections of ntdll. The start address of the TEXT section is 77f81000 //. 77F82000-77F82FFF in TEXT section is also (77F82000 >> 12) * 4 0XC0000000 = 0xc01DFE08 // display this Some page items: DD C01DFE04 L 1000010: C01DFE04 00000000 04E63005 04E4B025 04E4C005 ..... 0 ..% ....... 0010: C01DFE14 04E4D005 04E2E005 04E2F005 04E30005 ......... .... 0010: C01DFE24 04E11005 04E 12025 04E1B005 04E1C005 ....% ........ 0010: C01DFE34 04E1D005 04DFE005 04DF025 04E80025 ........% ...% ... 0010: C01DFE44 04E61025 04E13005 04E14005 04E15025%. ... 0 ... @ ..% p..0010: C01DFE54 04E16005 04DF7005 04DF8025 00000000.` ... p ..% ....... 0010: C01DFE64 04E1A025 00F254C4 000000 0000000% .... T ........ 0010: C01DFE74 00000000 00000000 04E43005 04E44005 ......... 0 ... @ .. 0010: C01DFE84 00F254D2 00F254D4 00000000000000 .t ... T .... ......... /// 0XC01DFE08 value is 04E63005, where the height 20bit is the page number of the physical page, the low 12bit is the flag // So NTDLL .Text section 77F82000-77f82FFF this page mapped to physical Page 04E63 // (Physical Address 04E63000-04E63FFF) It can be seen that the address space 77F82000-77F82FFF of the two processes maps the same physical page.
The Prototype PTE (prototype PTE) and shared implementation have a close relationship of a data structure that is a PPN Database entry, a physical page in an Active (Valid) state, the physical page PFN Database Entry 08 At 4 bytes, it is Share Count, shared count. Below we analyze several cases of sharing physical pages between processes. Process 1 First read some content that can be shared into a physical page. So the process 1 is valid and points to this physical page. The PFN Database Entry State corresponding to the shared physical page is Active (Valid), and the Share County is 1. Process 2 The physical page needs to share this physical page, so the process 2 is valid and points to this physical page. Since this physical page is now shared by the process 1 and process 2, the value of the corresponding PFN Database Entry is 1, which is 2. Process 3 The physical page needs to share this physical page, which is valid for the corresponding PTE and points to this physical page. The value of the PFN Database Entry of this physical page is 1, which is 3. Process 2 Trust the Working Set, decide to remove the page from its own Working Set, so the corresponding PTE is invalid. The value of the PFN Database Entry of the PFN Database Entry of this physical page is reduced by 1, and it is changed to 2. The process 1 ends, the value of the PFN Database Entry of this physical page is reduced by 1, and it becomes 1. Process 2 needs to access this sharing page. So PTE is re-effect and points to this physical page. The physical page of Share Count plus 1, also becomes 2. Process 2, process 3, trimming the Working SET, all remove this page from the Working Set, so the corresponding PTE corresponding to the two processes is invalid. The SHARE COUNT of the physical page has become 0 from 2. When becoming 0, the state of the physical page becomes Standby from Active (Valid), and the STANDBY chain is chained, but the content in the physical page will not be changed. Process 2 needs to access this sharing page. Since the physical page is in the Standby chain, the content is not changed. So directly retrieve the physical page, PTE is re-effect and points to this physical page. The physical page status changes from StandBy to Active (Valid), and Share Count changes to 1. Process 2 Truncate the Working Set, decide to remove this page from its own working set, so the corresponding PTE is invalid. The value of this physical page's Share count is reduced by 0. When becoming 0, the state of the physical page becomes Standby from Active (Valid), and the STANDBY chain is chained, but the content in the physical page will not be changed. The system requires memory, and the physical page is taken away from the Standby chain. Process 2 needs to access this sharing page. There is no physical page with the original data, so a new physical page is assigned, and the data is read from the file. The process 2 is active and points to this new physical page. The PFN Database Entry status corresponding to this physical page is Active (Valid), and the Share Count value is 1.
One thing that needs to be emphasized is that only the shared physical page is reduced to 0, it can be moved to the Standby chain, and then used to do other things. If Share Count is not 0, it will show that there is a process in using this physical page. If this physical page is moved to the Standby chain, it may have a very serious consequence. For example, a physical page that is shared by the program code that is shared, is shared by multiple processes, and one of them ends, Share Count minus 1 but not 0, then if this physical page is shifted into the Standby chain, the system will put this again The physical page is cleared to the zeroed chain. At this time, the corresponding PTE of several other processes is still valid, and points to this physical page that is the program code. When these processes do the code here, it will be completely mistaken. If Share Count is 0, all PTEs corresponding to all processes are already invalid. There is still a problem with the sharing mechanism. A shared physical page Share Count is 0, and has been used to do other things, and all PTEs corresponding to all processes are already invalid. When a process accesses the address space corresponding to the corresponding PTE, the system assigns a new physical page, read the data from the new physical page, the corresponding PTE is valid, and points to this new physical page, so this process can Access this sharing page. But other processes cannot know this new physical page, their corresponding PTE is still invalid. If they also re-accepted this sharing page, how will they recognize the new physical page to fill in PTE? Win2K uses prototype PTE to solve this problem. For an application that loads memory, load the memory dynamic link library, or a file mapping, they are all likely to be shared. For example, one possible thing that may be shared, mapped to address space, requires 100 pages, then there is a corresponding prototype PTE (4 bytes) per page. A process maps this 100-page shared thing to address space and needs to use 100 PTEs. In this 100 PTE, a valid PTE points to the shared physical page, invalid PTE will point to the corresponding prototype PTE, prototype PTE points to the physical page. In this way, when you encounter the previous problem, a process re-accesses a shared page, and this shared page The physical page of this shared page has been made, the system allocates a new physical page, pointing the PTE corresponding to the new physical page. And the PTEPE PTE points to the new physical page after turning the PTE. When other processes re-accented this shared page, their PTE is invalid, and pointing to Prototype PTE, and Prototype PTE has points to the new physical page, so they can point the corresponding PTE to the new physical page. And turn the PTE to be valid. Loading a memory application, loading a dynamic link library of memory, or a file mapping, they are all in the user address space. To describe, we call these things. A shared thing will have a Segment structure in the system address space, which is placed in the protoptes array of this Segment structure in this Segment structure. For example, a shared thing, mapping to address space requires 100 pages, then there are 100 prototype ptes in its segment architecture array, and its page 0 corresponding to Prototype PTE in array 0 items, Its PROTOTYPE PTE in the first page is in the first item of the array.
The Segment structure is 0x38 bytes, which is more important to offset the 4-word Dragon PROTOPTES at 34. Protoptes is the first address of the protoptes array, but in general, the Protoptes array is followed by the SEGMENT structure of the 0x38 byte. SEGMENT Structural Offset 8 4-word Dragon Total PTES indicates the number of elements in the protoptes array. Segment Structure Offset 0 Different Controlararea, is a pointer to the Controlrea structure. The ControlArase structure is a very important structure. With it we can find the corresponding file object, the ControlArea structure also refers to Segment Segment Structure pointer. Several structures with close relationships are mapped a shared thing to a process address space, this space VAD typef struct _vad_header {/ * 00 * / pvoid startvpn; / * 04 * / pvoid endvpn; / * 08 * / _VAD_HEADER * PARENTLINK; / * 0C * / _VAD_HEADER * LEFTLINK; / * 10 * / _VAD_HEADER * RIGHTLINK; / * 14 * / ULONG Commitcharge: 20; / * 14 * / ulong flags: 12; / * 18 * / pvoid control / * 1c * / pvoid firstprotopte; / * 20 * / pvoid lastpte; / * 24 * / ulong unknown; / * 28 * / list_entry second; / * 30 * /} VAD_HEADER, * PVAD_HEADER; VAD structure offset 18 4 bytes of Controlarea are pointers that point to the ControlAea structure. Shared physical page PfnDataBaseEntry Zeroed 0x00Free 0x01Standby 0x02Modified 0x03Modified no-write 0x04Bad 0x05Active (Valid) 0x06Transition 0x07struct PfnDataBaseEntry (the size of 24 bytes, i.e., byte 0x18) / * 00 * / uint32 flink / * 04 * / uint32 pteaddress / * 08 * / uint32 blink / share count / * 0c * / byte flag / * 0D * / byte page state / * 0e * / uint16 reference count / * 10 * / uint32 restore PTE / * 14 * / uint32 containing page is in Active (VALID) Status, the PFNDatabaseEntry structure of the shared physical page offset 4 4 bytes of PteadDress is the address of the prototype PTE. Implementation mechanism For a shared page, PTE is valid, when the PTE is active, the CPU is accessed by the page table, and the page table converts the virtual address into a physical address to access the memory. When PTE is invalid, use the Prototype PTE to ensure the correctness of the sharing mechanism. When PTE is invalid, the system sets the Prototype flag of the invalid PTE. This is when a process accesses this page, because PTE is invalid, so it will cause the Page-Fault anomalous. Thus, the CPU turned to perform an exception handler, and the exception handler checks the PTE discovery that the prototype flag is set, and the PTE is re-enables the PTE, and points to the correct physical page.
Finally, the CPU re-executed instructions caused by anomalies. At this time, the virtual address accessed accessed is already the correct shared physical page, and the PTE of the virtual address is also valid, so it can be performed smoothly. Let's do more detailed descriptions for the X86 CPU. The X86 CPU invalid page item is defined as the following struct _hardware_pte_x86 (sizeof = 4) Bits0-0 ValidBits1-31 Reserved first, this format is defined by the CPU, the CPU will be explained by this definition Then determine how to handle it. For invalid pages, the CPU only defines BITS0-0 to determine if it is valid. The bits0-0 value of 0 value is 0. Others are left to the operating system. Win2K uses BITS10-10 prototype to indicate whether it is using prototype, which is 0 indicates that it is used to use it. When a page list item is invalid, and set Prototype, when a command accesses this page, such as instruction MOV EAX, AddressInPrototyPage, the CPU automatically converts the virtual address AddressInPrototyPEPAGE to the page table table. Being a physical address, during the address conversion process, the CPU will make a page protection check while the physical page address is obtained from the page table, such as whether the page entry is valid, whether it is only readable. The page table item of the address in our instructions is invalid, so it will lead to an exception. Exception is also achieved by the CPU. What caused here is a Page Fault anomaly, its interrupt number is 0xe (decimal 14), you need to pay attention to the interrupt number of Page Fault is 0xe is defined by the CPU (x86 CPU from 0 - 31 this 32 interrupts are The CPU will work according to this definition by the CPU). When an exception occurs, the CPU automatically presses some registers into the stack, then according to the interrupt number, (find the interrupt descriptor table by idtr), find the corresponding interrupt descriptor in the interrupt descriptor, according to the address in the interrupt descriptor, transfer To the exception handler. The interrupt descriptor is set by Win2K, and the exception handler is also determined by Win2k. For Win2K Build 2195, the interrupt 0xe's handler is NTOSKRNL! Kitrap0E address at 804648A4.
When transferred to Kitrap0E, the CPU has embraced the following content in the stack | ------------- | | EFLAGS || ------------- | | CS || ------------- || Eip || ------------- || Error Code || --------- ---- | <---- [ESP] Page-fault unusual (#PF) Error Code definition is as follows (CPU definition) | 3 | 2 | 1 | 0 | ---------- ----------------------------------------- | RESERVED | RSVD | U / S | R / W | P | ------------------------------------------ --------- P 0 Error By invalid page 1 error 1 error By violating page protection caused W / R 0 caused error memory access is reading 1 caused error memory is written when writing U / S 0 access error The processor is in the management mode 1 Access error When the processor is in the user mode, it is necessary to explain that the embedded EIP in the stack is an instruction address that causes an exception, and will re-execute the instruction according to this address in the future. The register CR2 is an address that is accessed when an exception is thrown. #PF exception handler Kitrap0e (provided by Win2K) will call Ntoskrnl! MmaccessFault, MMAccessFault to calculate the corresponding PDE, PTE address, check the PDE, PTE address, check the PTETYPE flag (this flag is defined by Win2k) It is also handled by it), eventually call NTOSKRNL! MIRESOLVEPROTOPTEFAULT to complete the PROTOTYPE. Point PTE to the correct shared physical page and reset the PTE to valid. After performing an exception handler, the CPU re-executes an instruction that causes an exception, and the instruction can be executed normally. This prototype has been implemented. We do more detailed descriptions for MMAccessFault. By analyzing assembly code, you can know that MMAccessFault calculates the corresponding PDE, PTE address based on causing an abnormal access address, and discovers the PTETYPE flag. Check the PTE, if the PTE is 20 bit is not 0xffff, it will calculate prototypepteaddress according to the formula prototypepteaddress = 0xE1000000 (PTE & 0xFF) * 2; PROTOTYPEPTEADDRESS. Note that in this formula, the value of the value of (PTE >> 2) & 0x3fffe00) and the value of the value of PTE & 0xFF * 2. Since it is invalid PTE, the lowest bit itself is 0, and the lowest value of (PTE & 0xFF) * 2 will be 0, which also guarantees that prototypepteaddress is bounded by 4 bytes. If the PTE's high 20 bit is 0xffff, MicheckVirtualAddress () will be called. MiLocateAddress () is called MILOCATEADDRESS (). MILOCATEADDRESS () will return the address of the VAD in the range of InvalidadDress.
Then calculate prototypepteaddress = (invalidaddress >> 0xa) & 0x3fffc -tart.startvpn << 0x2) thevad.firstprotopte is the virtual page number of InvalidAddress, minus VAD, using the invalidaddress virtual page number. In fact, the virtual page number is found, then find the address of the corresponding item in the protoptes array, find prototypepteaddress. The mmaccessfault then calls mireesolveprotoptefault () with 7 parameters such as Invaladdress, InvalidadDress_pteaddress, InvalidadDress_PrototyPteadDress. MIRESOLVEPROTOPTEFAULT () will do different processing according to various signs of Prototypepte. For PrototypePte is 1, PrototypePte is valid. Indicates that the physical page number in prototypepte is the correct page number of the correctly shared physical page. Call micrompleteprotoptefault (), set the physical page number in PrototyPepte to PTE, and turn the PTE to be valid. For PrototypePte is 0, PrototypePte is invalid. Just check Prototypepte, see if the shared physical page is placed in the Standby chain, if yes, pass the physical page shift back, turn the prototypepte to effectively, point the PTE to this physics Page, putting the PTE also varies. If the physical page that is shared is completely, it is not there. If you apply for a new physical page, you will re-read the shared content from the file, point prototypepte to this new physical page, and turn the prototypepte to effectively, put the PTE Point to this physical page and turn the PTE to be valid. Below we use Softice to observe several different situations because all protoptefault calls MIRESOLVEPROTOPTEFAULT (), so we will break down in this function. For the establishment of a stack frame, the three important parameters of MIRESOLVEPROTOPTEFAULT () are located in EBP 0C INVALIDDRESS, EBP 10 INVALIDDRESS_PTEADDRESS, EBP 14 Invalidaddress_PrototypePteaddress. Use kd disassemble MiResolveProtoPteFault (the specific address only for Win2k Build 2195) u MiResolveProtoPteFaultntoskrnl MiResolveProtoPteFault:! 8043f6ab 55 push ebp8043f6ac 8bec mov ebp, esp8043f6ae 51 push ecx8043f6af 51 push ecx ... can be seen in 8043f6ae, the stack frame was built over I will break the point on this address. : BL00) * BPX # 0008: 8043F6AE DO "DD EBP CL 10; DD EBP-> 10 L 10; DD EBP-> 14 L 10;" ... and disconnected, display EBP C content, It is the value of three important parameters.
Displays the contents of EBP-> 10, the contents of the Invaladdress_pteaddress address, Invalidaddress_pte. Display the contents of the EPB-> 14, the contents of the Invaladdress_PrototypePteaddress address, Invalidaddress_Prototypepte. According to the value of the PTE and Protopte displayed, Protoptefault is easy to make, and there are many, we can choose the appropriate PTE and Protopte to analyze. 1 process PTE and Protoptes array Break Due to bpx # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L 10; DD EBP-> 14 L10;" (et = 388.52 microseconds 0010: EBA24CC4 77D3C3A7 C01DF4F0 E17C19F0 EBA24CFC ... W ... | ..l ..// invalidaddress = 77d3c3a7 // pteaddress = c01df4f0 // protopteaddress = E17C19F000: C01DF4F0 01F064F8 01F064FA 01F064FC 01F064FE .d ... D ... D. ..d ..// Pte0010: E17C19F0 076A7121 07648121 075E9121 075CA121 qj d ^ ./.// ProtoPte:!.!..!..! query 77d3c3a7Context Address Range Flags MMCI PTE NameExplorer 77D20000-77D8E000 07100001 810F3908 E17C1980 rpcrt4.dll // Use the query command to find the VAD where INVALIDDRESS is located. // where MMCI is Controlarea, PTE is Firstprotopte to see 4 PTEs at C01DF4F0 are invalid, and the BITS10-10 prototype flag is 1, and 20bit is not 0xFFFF. So using prototypepteaddress = 0xE1000000 (PTE >> 2) & 0x3fffe00) (PTE & 0xFF) * 2 can calculate the address of their corresponding Protopte. The E17C19F0, E17C19F4, E17C19F8, E17C19FC were obtained. From this we can see that they are in order.
Break Due to BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10;" (ET = 4.80 MilliseConds) 0010: EB73FC4 75B05CA1 C01D6C14 E356E214 EB73FCFC ./.ul. ..V ... S.0010: C01D6C14 095B8C0A 04A8C025 04A2A025 04AEC025 .. [.% ...% ...% ... // PTE0010: E356E214 04A6E121 04A8C121 04A2A121 04AEC121! ...! ...!. ..! ... // Protopte: Query 75B05CA1CONText Address Range Flags MMCI PTE NameNotepad 75A90000-75CD2000 0710000F 810802C8 E356E040 MSHTML.DLL For effective PTE, and effective protopte, they point to the same physical page. (Effective PTE, Protopte, high 20 bits of physical page number) 2 PTE is invalid, high 20bit is not equal to 0xFFFF. Protopte is valid. Break Due to BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (ET = 314.65 microseconds 0010: EBA00CC4 77F90333 C01DFE40 E13C9560 EBA00CFC 3..w @. . ..` <..... // InValidAddress = 77F903330010: C01DFE40 00F254B0 04E61025 04E13025 04E14025 .T ..% ...% 0 ..% @ .. // Pte = 00F254B00010: E13C9560 04E80121 04E61121 04E13121 04E14121!. ..! ...! 1 ..! A ..// protopte = 04e80121 physical page frame number 04E80 According to the physical page frame number in Protopte, PFNDATABASEENTRY to find the physical page in PFN Database is Win2k Build 2195 The first address of PfnDatabase at 81456000. : DD 81456000 4e80 * 18 L 180010: 814CBC00 00000011 E13C9560 0000000A 00010608 .... `. <....... 0010: 814CBC10 93E6A478 00001D79 0000003C E13C95DC X ... Y ... <... .. <. You can see the PFNDATABASEENTRY / * 04 * / PteadDress value is E13C9560. It is the address of Protopte. Shared count / * 08 * / share count is 0000000A, indicating that 10 processes are using this shared physical page. / * 0d * / byte page state is 06, indicating that the physical page is in the Active (Valid) state.
: Query 77f90333Context Address Range Flags MMCI PTE NameExplorer 77F80000-77FF8000 07100003 813E6A08 E13C9520 ntdll.dll ... // we start from the breakpoint continue MiCompleteProtoPteFault () // see the implementation of the MiCompleteProtoPteFault () ... // until MiResolveProtoPteFault () Returned. : DD C01DFE40 L 100010: C01DFE40 04E80025 04E61025 04E13025 04E14025% ...% ...% 0 ..% @ .. // You can see that PTE has point to physical pages poined in Protopte, and PTE is valid. : Dd e13c9560 l 100010: E13C9560 04E80121 04E61121 04E13121 04E14121 ... ... 1 .. A .. look at the physical page PfnDataBaseEntry:!!!! Dd 81456000 4e80 * 18 l 180010: 814CBC00 00000011 E13C9560 0000000B 00010608 .... `. <....... 0010: 814CBC10 93E6A478 00001D79 0000003C E13C95DC X ... Y ... <..... <.// shared count plus 1, from 0000000A This is a process of 0000000B is that a process removes the shared page out of the working set, so the corresponding PTE is invalid, but this shared physical page is still used by other processes, so this physical page will not be moved into the Standby chain, protopte is effective And still point to this physical page. This process once again accesses this sharing page, just re-pointing the PTE to this physical page. MicompleTeptefault () The role is to set the physical page in Protopte to the PTE and set the low 12-bit flag of the PTE. 3 PTE is invalid, high 20bit is not equal to 0xFFFF. Protopte is invalid. Break Due To BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (ET = 22.20 MilliseConds) 0010: EB6A7CC4 75951A3F C01D6544 E17BC2C4 EB6A7CFC? .. ude .. .. {.. | j.// INVALIDADDRESS = 75951A3F0010: C01D6544 01EF0C62 00000000 00000000 0000000000 B ............... // PTE = 01ef0c620010: E17BC2C4 07889860 0784A860 000000A0 90F4C430 `... `....... 0 ... // Protopte = 07889860 Observing the physical page 7889 PfndatabaseEntry: DD 81456000 7889 * 18 L 180010: 8150ACD8 000060C7 00000208 ... {..` .. .... 0010: 8150ACE8 90F4C460 00004E5C 0000790B E2EF088C `... / n ... y ... / * 04 * / Pteaddress value is E17BC2C4, it is the address of Protopte. / * 0D * / page state value is 02, indicating that this physical page status is Standby. This situation is that the corresponding PTE of all the processes of this physical page is already invalid.
The physical page is then moved into the Standby chain, but the content in the physical page remains unchanged. Protopte still points to this physical page, but Protopte is invalid. : Query 75951a3fContext Address Range Flags MMCI PTE NameNOTEPAD 75950000-75955000 07100001 810F4BA8 E17BC2C0 lz32.dll execution resumes ... MiResolveTransitionFault () MiCompleteProtoPteFault () ... until MiResolveProtoPteFault () Returns at: dd c01d6544 l 100010: C01D6544 07889025 00000000 00000000 0000000% ............. // PTE is effective, and it is the physical page 7889 that has been placed on the Standby chain. : DD E17BC2C4 L 1000: E17BC2C4 07889121 0784A860 000000A0 90F4C430! ... `....... 0 ... // Protopte is effective. Point to physical page 7889. Observe the physical page 7889 PFNDATABASEENTRY: DD 81456000 7889 * 18 L 180010: 8150ACD8 00000001 00010608 J ..... {....... 0010: 8150ACE8 90F4C460 00004E5C 0000790B E2EF088C `... / n ... y ... State from 02 to 06, that is, from Standby to Active (Valid). The shared count has also changed to 1. This is, all the processes of all shared the physical page remove the shared page from its own working set, and the physical page is transferred to the Standby chain. When a process is re-accessed, only the information in Protopte is required. Move the physical page back from the Standby chain. 4 PTE is invalid, 20bit is equal to 0xFFFF. Protopte is valid.
Break Due to BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (ET = 2.38 seconds) 0010: EBAD5D44 003C0612 C0000F00 E2F5D0C0 EBAD5D7C .. <... ... |] .. 0010: C0000F00 FFFF460 04483025 04440025 04423005 `...% 0H.%. D..0B.0010: E2F5D0C0 043BF163 04483163 04440163 04423163 C.; C1h.cdc1b.:dd 81456000 43BF * 18 L 180010: 814BB9E8 00002B23 E2F5D0C0 00000002 00010609 # .............. 0010: 814BB9F8 000000C0 0000782A 000000D0 C0004F38 ... * x ... 8o .. : query 3c0612Context Address Range Flags MMCI PTE NameNOTEPAD 003A0000-0069F000 03400000 810C3D68 E2F5D040 Heap (mapped) ... MiCompleteProtoPteFault ...: dd c0000f00 l 100010: c0000F00 043BF025 04483025 04440025 04423005%;% 0H% D..0B.... : DD E2F5D0C0 L 1000: E2F5D0C0 043BF163 04483163 044440163 044233 044440163 04423163 c.;. C1H.CDC1B .: DD 81456000 43BF * 18 L 180010: 814BB9E8 00002B23 E2F5D0C0 00000003 00010609 # .......... ..0010: 814BB9F8 000000C0 0000782A 000000D0 C0004F38 ... * x ... 8o .. and PTE invalid high 20bit is not equal to 0xFFFFF, protopte is valid. 5 PTE is invalid, 20bit is equal to 0xFFFF. Protopte is invalid.
Break Due To BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (ET = 16.16 MilliseConds 0010: EF0B55D4 09C2AA8 C00270A8 E35C7AA8 EF0B560C ..... P ... z / .. v .... c00270a8 ffffff420 000000000000000000000000000000000000000000000000 ............. 0010: E35C7AA8 04D4E8C2 04D4F8C2 04D508C0 04D518C0 ........... .....: DD 81456000 4D4E * 18 L 180010: 814C9F50 00004D4F E35C7AA8 000068A1 00000208 om ... z / .. h ... 0010: 814C9F60 C79314D8 000048D9 00004D53 E35C7AAC ..... h .. SM ... z / .: query 9c2ace8Context Address Range Flags MMCI PTE NameNOTEPAD 09C20000-09C33000 01000000 84793128 E35C7A80 shdocvw.dll ... MiResolveTransitionFaultMiCompleteProtoPteFault ...: dd c00270a8 l 100010: C00270A8 04D4E025 00000000 00000000 00000000% ...... .........: DD E35C7AA8 L 1000: E35C7AA8 04D4E123 04D4F8C2 04D508C0 04D518C0 # ................ DD 81456000 4D4E * 18 L 180010: 814C9F50 000004B3 E35C7AA8 00000001 00010608 ..... Z / ....... 0010: 814C9F60 C79314D8 000048D9 00004D53 E35C7AAC ..... h..m ... z /. And PTE invalid high 20bit is not equal to 0xffff, protopte invalid The situation is the same. PTE is invalid, 20bit is equal to 0xFFFF. Another case where protopte is invalid.
Break Due to BPX # 0008: 8043F6AE Do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (ET = 297.11 microseconds 0010: EB9315D4 07E00200 C001F800 E134A040 EB93160C ... .. @. 4 ..... // invalidaddress = 07e002000010: C001F800 FFFFF480 FFFFFF480 FFFFF480 FFFFF480 ................ // PTE = fffff4800010: E134A040 90B20CD8 00000000 000E01CE 00000003 .. ............ // protopte = 90b20cd8 My physical memory is 128m, so there will be no 90b20 so large physical page frame number to see 81456000 90b20 * 18 address content: dd 81456000 90b20 * 18 l 180010: 821E6B00 006E006F 00740069 0072006F 8B550000 onitor..U.0010: 821E6B10 08EC81EC 56000002 5610758B FF0C75FF ....... vuVu clearly not PfnDataBaseEntry:. query 7e00200Context Address Range Flags MMCI PTE NameNOTEPAD 07E00000 -07E7F000 04000000 810B20A8 E134A040 ~ DFD8D0.tmp continues from the breakpoint ... MiResolveMappedFileFault () ... until MiResolveProtoPteFault () returns at: dd c001f800 l 100010: c001F800 FFFFF480 FFFFF480 FFFFF480 FFFFF480 ........... .....: DD E134A040 L 1000: E134A040 067A18C0 00000000 000E01CE 00000003 ..z ......................................................................................................................................................................... 3E7348 E134A040 00000000 0001000A HS>. @. 4 ....... 0010: 814f1728 90B20CD8 00001BB2 0000242B E2BB014C ........ $ .. l ... PTE is still invalid, protopte has pointed out A true physical page 67A1, the PFNDATABASEENTRY state of the physical page 67A1 is 00, namely Zeroed, / * 04 * / PteadDress is E134A040. Back from MIRESOLVEPROTOPTEFAULT () to MIDISPATCHFAULT (), continue.
... IoPageRead () MiCompleteProtoPteFault () ...: dd c001f800 l 100010: C001F800 067A1067 FFFFF480 FFFFF480 FFFFF480 gz ............: dd e134a040 l 100010: E134A040 067A1163 00000000 000E01CE 00000003 cz .. ........: DD 81456000 67A1 * 18 L 180010: 814f1718 0000078E E134A040 00000001 000109 .... @. 4 ....... 0010: 814f1728 90b20cd8 00001bb2 0000242b E2BB014C. ... $ .. l ... I saw micrompleteprotoptefault (), set the physical page of Protopte to PTE and turned PTE. The sharing count of physical page 67A1 also changes to 1.6 PTE invalid, high 20 bit is equal to 0xFFFF. PROTOPTE is invalid, and 20Break Due to bpx # 0008: 8043F6AE do "DD EBP CL 10; DD EBP-> 10 L10; DD EBP-> 14 L10" (et = 1.78 milliseconds) 0010: EB6675D4 07CA0000 C001F280 E354CDE0 EB66760C ........ t..vf.0010: C001F280 FFFFFF480 000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000 ... ............. // protopte = 00000080 However, the high 20-bit high of Protopte is not a page number number of shared physical pages: DD 81456000 0 * 18 L 180010: 81456000 00000000 C0200000 00000001 00010600. ..... ....... 0010: 81456010 @000000 00000032 00000000 C0200004 .... 2 ................................................. Pteaddress is C0200000 instead of E354CDE0. : Query 7ca0000Context Address Range Flags MMCI PTE NameNOTEPAD 07CA0000-07CA0000 04000000 810B7CC8 E354CDE0 ... MiResolveDemandZeroFaultMiCompleteProtoPteFault ...: dd c001f280 l 100010: C001F280 068CA067 00000000 00000000 00000000 g ...............: DD E354CDE0 L 1000: E354CDE0 068CA163 0000000000000000000000000000 C .................: DD 81456000 68CA * 18 L 180010: 814f32f0 000005ed E354cDe0 00000001 00010609 ... T.. ..... 0010: 814F3300 00000080 00004465 0000000080 00004465 000068EC E2BAE934 ... ED ... H..4 ... Last PTE and Protopte become effective, point to physical page 068ca. 7 PTE is invalid, high 20bit is not equal to 0xFFFF.
