Home > Articles > Operating Systems, Server > Linux/UNIX/Open Source

  • Print
  • + Share This
From the author of

Mondrian Memory Protection

Dynamic languages would often benefit from fine-grained memory protection, especially when it comes to parallelism. Since fast implementations use pointers as references (they just don't allow pointer arithmetic), this means that you want to run parallel components in the same process to be able to pass references between them. This looks like threading, but the message-passing nature of these languages gives you a bit better control over flow between threads. Ideally, you would be able to access objects from other threads only if they've been explicitly marked as visible.

A few years ago, some guys at MIT came up with a way of implementing this kind of granularity by separating the translation and protection mechanisms of virtual memory. They named this after the artist Piet Mondrian, because the memory layouts it made possible look quite similar to some of his paintings. Mondrian, by the way, was an interesting individual. He hated distractions in his workplace, and worked in a white studio. The story is told that one day, a female relative decided the place needed brightening up a bit, and left a rose on his table. She came back a few days later to discover that Mondrian had painted all of the petals white. I suspect a lot of programmers can see a little bit of themselves in him.

Another nice side-effect of having a CPU supporting Mondrian memory protection is that it makes it easier to mix code in unsafe dynamic languages (for instance, Objective-C, including pure-C parts) with code from safe languages (such as JavaScript, Smalltalk, and Io) without sacrificing any of the safety in the parts that are written in the safe languages. I've implemented a Smalltalk compiler that shares underlying representations with Objective-C, so you can add methods to Objective-C classes in Smalltalk or subclass them, and vice versa, but C code in the Objective-C part can still trample over the memory used by Smalltalk.

As well as allowing fine-grained memory protection between threads, Mondrian protection allows a form of call gate in which each call sets new permission tables and each return restores the old one. This feature allows you to enforce private access to an object's data in the CPU by having a gate for each object. When you invoke a method, you gain access to the object's internal structure, and when you exit this method (either via a return or a call somewhere else) you lose it. Code in other components can't touch it.

So far, Mondrian memory protection hasn't been incorporated into any commercial CPUs—it was only implemented in a simulated MIPS design at MIT.

  • + Share This
  • 🔖 Save To Your Account