Lecture: system calls

preparation

• read xv6 §3, Traps, interrupts, and drivers

labs & questions

• lab 3 is out
  • submit part A by next Tuesday
  • we will grade when part B is in (in two weeks)
• why the value of a variable is non-zero in gdb while it is zero (using printf)?
  • use printf (or cprintf in JOS)
  • change -O1 (or -O2) to -O0 in makefile
• from last lecture: what values can cause an exception for a / b (both of int)?
  • division by zero
  • signed division overflow
• do the CPU alarm exercise

overview

• interrupt sources: exceptions, device interrupts, software interrupts (int)
• setup
  • IDT register %idtr: point to the base address of IDT
    • each IDT entry corresponds to struct gatedesc (defined in mmu.h)
    • contains address to vector
  • task register %tr: we only use ss0 & esp0
    • user → kernel: switch to kernel stack (no need for kernel → kernel)
    • CPU: push data to stack
    • xv6 vm.c: switchuvm() - ss0 and esp0
• what does CPU do for user → kernel transition
  • switch cpu to kernel mode & switch stack
  • push data to the stack
  • find interrupt handler from IDT
• what does iret do
  • switch back to user mode
  • what IP address to return to?

exceptions

• div 1 0: user → kernel w/o error code
  • set a breakpoint at idivl again
  • b vector0
  • x/6x $esp when entering kernel
  • CPU pushes old eip/cs/eflags/esp/ss; no error code
  • kernel pushes more data for struct trapframe
  • Unix: often translate into signals - man signal
• page fault: user → kernel w/ error code
  • inject page fault in div.c: memset something
  • b vector14
  • x/6x $esp
  • CPU pushes one extra error code
  • see error code summary or JOS kern/trap.c
• div trap in kernel (kernel → kernel)
  • inject bug: append int z = 0; ticks = ticks / z; to idtinit()
  • b vector0
  • x/6x $esp
  • CPU pushes old eip/cs/eflags; no ss/esp for kernel → kernel

device interrupts

• hardware
  • Intel 8259A, Figure 3b, or photo
  • Intel 82093AA, Figure 2
• example: timer interrupt
  • used to implement preemption
  • search for T_IRQ0 + IRQ_TIMER in xv6
    • setup: lapicinit() in lapic.c
    • handling: trap() in trap.c
  • is this possible: too many timer interrupts come in and overflow the kernel stack?

software interrupts

• used to implement syscalls
• what’s the calling convention for xv6/JOS/Linux?
• example: xv6
  • int $0x40 (64)
  • usys.S (user) and syscall.c (kernel)
• example: Linux x86-32
  • gcc -nostdlib -m32
  • try strace
• can user space use int $0 to confuse the kernel with division by zero?
• can user space use division by zero or page fault as a way to invoke syscalls?

#include <sys/syscall.h>
#include <unistd.h>
// syscall number: %eax
// syscall parameters %ebx, %ecx, %edx, %esi, %edi, %ebp
void _start(void)
{
        int fd = 1;
        char buf[] = "hello world!\n";
        size_t count = sizeof(buf) - 1;
        asm volatile ("int $0x80"
                : /* ignore output */
                : "a"(__NR_write), "b"(fd), "c"(buf), "d"(count)
                : "cc", "edi", "esi", "memory"
        );
        asm volatile ("int $0x80"
                : /* no output */
                : "a"(__NR_exit), "b"(0)
        );
}