Method for protecting the private data area and stack area of a specified process
Technical field
The present invention relates to a method for protecting the private data area and stack area of specified processes in a multitasking embedded system.
Background technology
In a multitasking embedded system, a memory protection mechanism is usually required in order to improve reliability by preventing the code area, and the private data area and stack area of a process, from being overwritten by other processes. Such a mechanism is generally built on the way the memory management unit (MMU) of the particular processor (CPU) operates and on the principle of virtual-to-physical address mapping: a mapping page table is set up, and the attribute bits of the relevant page table entries are set so as to isolate and protect the code segment, the private data area and the stack area of each process.
The memory management unit (MMU) divides the memory space into blocks whose unit is the page. The page size can be one of 1K, 4K, 16K, 512K or 8M, and is determined by setting the relevant registers and the second-level mapping entries. When the MMU is enabled, every address appearing in a program is a virtual address; the virtual address selects an entry of a second-level page table, from which the physical page address corresponding to that virtual address is obtained, thereby performing the virtual-to-physical address translation.
The memory management module of the multitasking embedded system allocates whole pages to the stack and the data area of each process. The data area holds the structure variables that the process itself uses; these variables are used only by the process itself, and other processes are not permitted to access or modify them without authorization. At run time, the access attributes of the relevant page table entries are modified according to where control currently resides (in a task or in a process), so as to control the memory range each process may access and its mode of access, and thereby isolate the address spaces of the processes from one another.
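The two preceding paragraphs describe a two-level page walk and the per-entry attribute bits that the method later toggles at each process switch. The following is an added example (not code from the patent, from pSOS or from the MPC860 firmware) that models that lookup in software with 4K pages and a 10/10/12 split of a 32-bit virtual address; the entry layout, the two attribute bits, the static pool of second-level tables and all names and addresses are assumptions made for the illustration, not the real MPC860 table format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  12                        /* 4K pages, as in the embodiment */
#define PAGE_SIZE   (1u << PAGE_SHIFT)
#define L1_ENTRIES  1024                      /* top 10 bits of a 32-bit virtual address */
#define L2_ENTRIES  1024                      /* next 10 bits */

/* Attribute bits kept in the low bits of a second-level entry; the upper bits
 * hold the physical page frame address. Two bits are enough for this model. */
#define PTE_VALID     0x1u   /* entry maps a page */
#define PTE_WRITE     0x2u   /* page is read-write; clear means read-only */
#define PTE_ATTR_MASK (PTE_VALID | PTE_WRITE)

typedef struct { uint32_t pte[L2_ENTRIES]; } l2_table_t;     /* second-level (page) table */
typedef struct { l2_table_t *l1[L1_ENTRIES]; } page_table_t; /* first-level table of pointers */

typedef enum { XLATE_OK, XLATE_NOT_MAPPED, XLATE_WRITE_PROTECTED } xlate_result_t;

static uint32_t l1_index(uint32_t va) { return va >> (PAGE_SHIFT + 10); }
static uint32_t l2_index(uint32_t va) { return (va >> PAGE_SHIFT) & (L2_ENTRIES - 1); }

/* Small static pool of second-level tables so the example needs no allocator (assumed). */
static l2_table_t l2_pool[4];
static size_t l2_used;

/* Install a 4K mapping va -> pa with the given attribute bits (PTE_VALID is implied). */
int map_page(page_table_t *pt, uint32_t va, uint32_t pa, uint32_t attrs)
{
    uint32_t i1 = l1_index(va);
    if (pt->l1[i1] == NULL) {
        if (l2_used == sizeof l2_pool / sizeof l2_pool[0]) return -1;
        pt->l1[i1] = &l2_pool[l2_used++];
    }
    pt->l1[i1]->pte[l2_index(va)] = (pa & ~(PAGE_SIZE - 1)) | (attrs & PTE_ATTR_MASK) | PTE_VALID;
    return 0;
}

/* Change only the attribute bits of an existing mapping. This is the operation the
 * method performs at a process switch: read-write for the process being switched in,
 * read-only for the one being switched out. */
int set_page_attrs(page_table_t *pt, uint32_t va, uint32_t attrs)
{
    l2_table_t *l2 = pt->l1[l1_index(va)];
    if (l2 == NULL) return -1;
    uint32_t *e = &l2->pte[l2_index(va)];
    if (!(*e & PTE_VALID)) return -1;
    *e = (*e & ~PTE_ATTR_MASK) | (attrs & PTE_ATTR_MASK) | PTE_VALID;
    return 0;
}

/* Walk both levels for va. On success store the physical address (if pa_out is
 * non-NULL); a store to a read-only page is reported as a protection fault, which is
 * the event for which the method's exception handler is entered. */
xlate_result_t translate(const page_table_t *pt, uint32_t va, int is_write, uint32_t *pa_out)
{
    const l2_table_t *l2 = pt->l1[l1_index(va)];
    if (l2 == NULL) return XLATE_NOT_MAPPED;
    uint32_t e = l2->pte[l2_index(va)];
    if (!(e & PTE_VALID)) return XLATE_NOT_MAPPED;
    if (is_write && !(e & PTE_WRITE)) return XLATE_WRITE_PROTECTED;
    if (pa_out) *pa_out = (e & ~(PAGE_SIZE - 1)) | (va & (PAGE_SIZE - 1));
    return XLATE_OK;
}

/* Physical address for a read of va, or UINT32_MAX when not mapped. */
uint32_t phys_of(const page_table_t *pt, uint32_t va)
{
    uint32_t pa;
    return translate(pt, va, 0, &pa) == XLATE_OK ? pa : UINT32_MAX;
}

/* One process's page table with a single private-data page mapped read-write; the
 * virtual and physical addresses are invented for the example. */
page_table_t *example_table(void)
{
    static page_table_t pt;
    static int built;
    if (!built) {
        memset(&pt, 0, sizeof pt);
        map_page(&pt, 0x10000000u, 0x00200000u, PTE_WRITE);
        built = 1;
    }
    return &pt;
}

int main(void)
{
    page_table_t *pt = example_table();
    printf("write while RW: %d\n", translate(pt, 0x10000abcu, 1, NULL)); /* XLATE_OK */
    set_page_attrs(pt, 0x10000000u, 0);                  /* process switched out: read-only */
    printf("write while RO: %d\n", translate(pt, 0x10000abcu, 1, NULL)); /* XLATE_WRITE_PROTECTED */
    printf("read  while RO: 0x%08x\n", phys_of(pt, 0x10000abcu));        /* read still translates */
    return 0;
}
```

Note that clearing PTE_WRITE leaves reads working and changes nothing in the mapping itself; only a store faults, which is why the method can flip the attribute cheaply at each switch instead of rebuilding the table.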
In a multitasking embedded system the number of running processes is generally large. Taking a system in the telecommunications field as an example, the number of processes running on a single foreground call-processing board can be as high as about 3000. Once MMU protection is applied, page table switches and page attribute modifications become frequent.
In the existing scheme, however, once the MMU is turned on, the private data area and stack area of every process are protected. If the multitasking embedded system has many processes, the CPU spends a great deal of time on page table switching and page attribute modification, and CPU utilization rises sharply. In severe cases the real-time behaviour of the embedded system is seriously affected.
Chinese patent application No. 01129334.9 proposes another method of protecting task processes in a multitasking operating system. That method establishes a guard linked list; under the head node of the list, a leaf node holds the non-recoverable traversal algorithm of each registered task process. Its feature is the protection of several task processes that share data, not the protection of the private data area of an individual process.
Summary of the invention
The technical problem to be solved by the invention is that, in the prior art, protecting the private data area and stack area causes CPU utilization to rise sharply and affects the real-time behaviour of the embedded system.
To solve the above problem, the invention provides a method for protecting the private data area and stack area of a specified process, which mainly comprises:
(1) creating a system-level page table, completing the system initialization process, and installing an exception handler;
(2) judging whether protection needs to be applied to a specified process: if so, creating a process-level page table and configuring the protection information of the specified process; if not, finishing directly;
(3) when system control is about to switch from another process to the pending process, first judging whether the pending process needs protection: if so, modifying the page attributes of its data area and stack area to read-write and valid; if not, finishing directly;
(4) when system control is about to switch from the process that has just been executing to another process, first judging whether the just-executed process needs protection: if so, modifying the page attributes of its data area and stack area to read-only; if not, finishing directly;
(5) when an exception occurs because another process illegally attempts to overwrite the stack area or data area of a protected process, the system immediately enters the exception handler, which first records the number of exceptions that have occurred, obtains the information of the current task or process that caused the exception, saves the relevant register values, and prints the exception information to the background; it then judges whether the exception belongs to the severe type: if severe, it restores the register values and resets the system; if not severe, it does nothing further and simply returns.
In step (2) of the above method, the protection information of a specified process can be configured in one of two ways: the first is that protection is applied to the specified process; the second is that the specified process is not protected while all other processes are.
In the above method, judging whether a specified process needs protection may further comprise the following steps:
a) judging whether the protection function has been started for this process: if not, it does not need protection and the procedure returns directly; if it has, go to step b);
b) judging whether this process is one designated for protection: if so, set the data area and stack area page attributes of the pending process to read-write, or those of the just-executed process to read-only; if not, go to step c);
c) judging whether this process belongs to the processes excluded from protection: if so, do nothing and return directly; if not, set the data area and stack area page attributes of the pending process to read-write, or those of the just-executed process to read-only.
Therefore, once the method of the invention is adopted to protect specified processes, page attributes are modified only when a specified process needs protection. This does not consume excessive CPU resources and avoids a sharp rise in CPU occupancy, so that the specified processes are protected against illegal overwriting while system performance is not noticeably affected.
Description of drawings
Fig. 1 is the flow chart of configuring protection information for a specified process at system initialization;
Fig. 2 is the processing flow chart before system control switches from another process to the pending process;
Fig. 3 is the processing flow chart before system control switches from the just-executed process to another process;
Fig. 4 is the processing flow chart when an exception occurs because the stack area or data area of a protected process is illegally overwritten by another process.
Embodiment
The invention is further described below with reference to the drawings and specific embodiments. In this example the multitasking embedded operating system is pSOS, the CPU is the MPC860, and the page size is 4K; the invention is not limited to this system configuration.
As shown in Fig. 1, configuring protection information for a specified process at system initialization mainly comprises the following steps:
First, create the system-level page table and complete the system initialization process, including memory management, file management and scheduling, create all tasks and processes, and enable the MMU. The system-level page table is used by the operating system itself, and all of its pages are read-write. After the system-level page table has been created, an exception handler can also be installed. This handler records the on-site data at the time an exception occurs, including the exception type, the relevant register values, and the task and process in which the exception occurred, which helps locate the fault, so that when the private data area or stack area of a protected process is illegally overwritten during process switching the corresponding exception handling can be carried out; this is described in detail below in connection with Fig. 4.
Next, judge whether protection needs to be applied to a specified process: if so, create the process-level page table and configure the protection information of the specified process; if not, finish directly. The process-level page table is used by the processes. In it, a process whose private data area and stack area pages carry the read-only attribute is protected, and a process whose pages carry the read-write attribute is not. The protection information of a specified process can be configured in the foreground, or configured in the background and transferred to the foreground over the network; when the foreground receives configuration information from the background it checks its validity, and the configuration takes effect at the next task or process switch. The protection information of a specified process can be described in one of two ways: the first is that MMU protection is applied to the specified process; the second is that the specified process is not given MMU protection while all other processes are. For any one process only one description may exist, that is, it is either designated for protection or excluded from protection.
As shown in Fig. 2, before system control switches from another process to the pending process, first judge whether the pending process needs protection: if so, modify the page attributes of its data area and stack area to read-write; if not, finish and return directly without further processing. For CPU compatibility and stability, when the pending process needs protection it can first be switched to the system-level page table, the relevant page attributes of the specified process in the process-level page table then modified to read-write (at this moment the process-level page table is being modified as ordinary memory space), and the pending process then switched to the modified process-level page table.
As shown in Fig. 3, before system control switches from the just-executed process to another pending process, first judge whether the just-executed process needs protection: if so, modify the page attributes of its data area and stack area to read-only; if not, do nothing and finish directly. Setting the page attributes of a just-executed process that needs protection to read-only means changing them from the current read-write state to the read-only state.
As shown in Fig. 4, when an exception occurs because another process illegally attempts to overwrite the stack area or data area of a protected process, the system immediately enters the exception handler, which records the on-site data at the time of the exception, including the exception type, the relevant register values and the task and process in which the exception occurred, to help locate the fault. It first records the number of exceptions that have occurred, obtains the information of the current task or process that caused the exception, saves the relevant register values and prints the exception information to the background so that operators can act according to the situation; it then judges whether the exception belongs to the severe type: if severe, it restores the register values and resets the system; if not severe, it does nothing further and returns.
It should be specially noted that, before a process switch in either of the two situations above (system control switching from another process to the pending process, and system control switching from the just-executed process to another pending process), judging whether the specified process (the pending process or the just-executed process) needs protection may further comprise the following steps:
a) judging whether the protection function has been started for this process: if not, it does not need protection and the procedure returns directly; if it has, go to step b);
b) judging whether this process is one designated for protection: if so, set the data area and stack area page attributes of the pending process to read-write, or those of the just-executed process to read-only; if not, go to step c);
c) judging whether this process belongs to the processes excluded from protection: if so, do nothing and return directly; if not, set the data area and stack area page attributes of the pending process to read-write, or those of the just-executed process to read-only.
This is because any one process may be in one of the following three situations: it is designated for MMU protection; it is designated as not receiving MMU protection, while the other, undesignated processes are protected; or it is neither designated for protection nor designated as unprotected. Therefore all three situations must be judged for the same process. Of course, a uniform configuration mode can also be adopted for all processes, that is, either all processes are configured by designating those to protect (undesignated processes then being unprotected), or all processes are configured by designating those to exclude (undesignated processes then being protected); the judging steps above then need only a simple change. These variants are undoubtedly equivalents of the invention and still fall within its scope of protection.
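The switch-time procedure of Figs. 2 and 3, the decision steps a) to c) and the handler of Fig. 4 are summarized above in prose only. The following is an added example (not code from the patent or from pSOS) that puts them together in one simulation: each process carries one flag standing in for the attribute of its private data and stack pages instead of a real page table, the switch hooks flip that flag only for processes that need protection, and an illegal store by another process enters the handler, which counts the event, records offender and victim, and resets on a severe exception. The process names, the "severe" parameter (the text does not say what makes an exception severe) and the scenario in run_scenario are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Per-process configuration: designated for protection, designated as exempt, or
 * neither (the three situations discussed above). */
typedef enum { PROT_UNSPECIFIED, PROT_DESIGNATED, PROT_EXCLUDED } prot_spec_t;
typedef enum { PAGES_RO, PAGES_RW } page_state_t;

typedef struct {
    int id;
    prot_spec_t spec;
    page_state_t data_stack_pages;   /* attribute of the process's private data and stack pages */
} process_t;

typedef struct {
    unsigned count;            /* number of exceptions recorded */
    int offender;              /* process that attempted the illegal write */
    int victim;                /* protected process whose pages were targeted */
    unsigned long saved_regs;  /* stands in for the saved register values */
    int resets;                /* times a severe exception reset the "system" */
} fault_log_t;

static int protection_started = 1;        /* step a): the protection function is started */
static int unspecified_is_protected = 1;  /* step c) as written: undesignated processes are
                                             protected; the uniform "designate" mode would
                                             set this to 0 (assumed switch for the example) */
static fault_log_t fault_log;

/* Steps a) to c): does this process need its pages toggled at a switch? */
int needs_protection(const process_t *p)
{
    if (!protection_started) return 0;           /* a) not started: nothing to do */
    if (p->spec == PROT_DESIGNATED) return 1;    /* b) explicitly designated */
    if (p->spec == PROT_EXCLUDED) return 0;      /* c) excluded: do nothing */
    return unspecified_is_protected;             /* c) not excluded */
}

/* Decision for a process that only has a configuration, used for checking the table above. */
int decision_for(prot_spec_t spec)
{
    process_t p = { 0, spec, PAGES_RW };
    return needs_protection(&p);
}

/* Initial state in the process-level page table: protected processes read-only, others read-write. */
void init_process(process_t *p, int id, prot_spec_t spec)
{
    p->id = id;
    p->spec = spec;
    p->data_stack_pages = needs_protection(p) ? PAGES_RO : PAGES_RW;
}

/* Fig. 3: before control leaves the process that has just been executing. */
void on_switch_out(process_t *cur)
{
    if (needs_protection(cur)) cur->data_stack_pages = PAGES_RO;
}

/* Fig. 2: before control enters the pending process. */
void on_switch_in(process_t *next)
{
    if (needs_protection(next)) next->data_stack_pages = PAGES_RW;
}

void context_switch(process_t *cur, process_t *next)
{
    on_switch_out(cur);
    on_switch_in(next);
}

/* Fig. 4: the exception handler. Returns 1 if the system was reset. */
int exception_handler(const process_t *offender, const process_t *victim, unsigned long regs, int severe)
{
    fault_log.count++;
    fault_log.offender = offender->id;
    fault_log.victim = victim->id;
    fault_log.saved_regs = regs;
    printf("exception %u: process %d wrote to protected area of process %d\n",
           fault_log.count, offender->id, victim->id);   /* "print to the background" */
    if (!severe) return 0;
    printf("severe: restoring registers (0x%lx) and resetting\n", fault_log.saved_regs);
    fault_log.resets++;
    return 1;
}

/* A store by 'writer' into the private data/stack area of 'owner'. It succeeds only while
 * the owner's pages are read-write; otherwise the MMU raises the exception and the handler
 * runs. Returns 1 on success, 0 on fault. */
int attempt_write(const process_t *writer, const process_t *owner, int severe)
{
    if (owner->data_stack_pages == PAGES_RW) return 1;
    exception_handler(writer, owner, 0xdeadbeefUL, severe);
    return 0;
}

int reset_count(void) { return fault_log.resets; }

/* Constructed scenario: A is designated, B is undesignated, C is excluded.
 * Returns the number of exceptions recorded. */
unsigned run_scenario(void)
{
    process_t a, b, c;
    memset(&fault_log, 0, sizeof fault_log);
    init_process(&a, 1, PROT_DESIGNATED);
    init_process(&b, 2, PROT_UNSPECIFIED);
    init_process(&c, 3, PROT_EXCLUDED);

    on_switch_in(&a);            /* A starts running: its pages become read-write */
    attempt_write(&a, &a, 0);    /* A writes its own data: allowed */
    context_switch(&a, &c);      /* A switched out (read-only); C is exempt and stays read-write */
    attempt_write(&c, &a, 0);    /* C writes into A: exception 1 */
    attempt_write(&c, &b, 0);    /* C writes into B (undesignated, hence protected): exception 2 */
    attempt_write(&c, &c, 0);    /* C writes its own data: allowed, it was never toggled */
    context_switch(&c, &b);      /* B switched in: read-write; C untouched */
    attempt_write(&b, &b, 0);    /* allowed */
    attempt_write(&b, &a, 1);    /* exception 3, treated as severe: system reset */
    return fault_log.count;
}

int main(void)
{
    unsigned n = run_scenario();
    printf("exceptions: %u, resets: %d\n", n, reset_count());
    return 0;
}
```

The point the scenario makes is the cost model of the method: C, which is excluded, never causes an attribute change at either switch, so only the designated or undesignated-but-protected processes pay for page attribute updates, and the excluded process still cannot write into them because their pages are read-only whenever they are not running.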
In summary, because the protection method of the invention applies protection only to specified processes and modifies page attributes only when a specified process needs protection, even in a multitasking embedded system running a large number of processes the page table attribute modifications are confined to the protected processes. This greatly reduces CPU utilization and avoids a sharp rise in CPU occupancy, so that the specified processes are protected against illegal overwriting while system performance is not noticeably affected.