Split RMA

Thinking of the zero page protection and the issues with BASIC, got me thinking of other vulnerable parts of RISC OS.

A real big problem is the need to retain a high degree of backwards compatibility. While I’m certainly an advocate of that (it is one of RISC OS’s strengths), it is also a severe weakness when we are looking at things that “made sense in the day” but appear like a spectacularly bad decision now.

As from the subject, you’ll guess that – for once – I’m not slapping down CLib. ;-) This time it is the entire RMA in the firing line.

Just as a “throw it out there and see how many people freak out”, I wonder if the RMA shouldn’t just be inaccessible to user mode code?

The apparent fatal flaw here would be the fact that RMA chunks claimed using OS_Module would fail as the program that requested the memory would then not be able to access it without jumping through hoops.
Solution?
There is a solution. Quite a simple one.
The RMA is a section of memory set aside as a Dynamic Area (in older RISC OS it was just a block in the memory map that wasn’t touched, same difference). Inside this block of memory is a huge OS_Heap structure that is the RMA.¹
Therefore, blocks of memory claimed in the “RMA” can be directed to a second Heap which is in a secondary dynamic area, say “RMA data” as opposed to RMA (code).

The benefits? Less problem of fragmentation of RMA, as this is 2015 and generally when a module is loaded, it tends to remain resident. Data block claims and releases happen frequently, because the original RISC OS had no concept of dynamic areas so the only “safe” way to have always-paged-in memory was to horribly pollute the RMA. If an application messes up its memory access, it’ll trash the data of some adjacent block of memory. It won’t affect code. The code, in fact, can be made either inaccessible or at least read-only to user mode software.

Downsides? If the RMA proper (code area) is inaccessible to USR mode, some APIs that return data within the module itself may fault; however if the module itself legally claims RMA workspace, this workspace should be in the read/write data area and not in the code area (this would need to be tested on a live system to see).

…otherwise? I can imagine it would be a potential headache for low level code that tries stuff like evaluating the RMA, plus the likes of Aemulor; however for other applications, it ought to be transparent in use. When you call OS_Module 6/7 to Claim/Free memory, you are expected to receive and work with the pointer given and not make lots of assumptions.

If anybody takes this idea seriously, then there is one other thing I would like to add. The word at should contain a reference to what created the memory request. As ARM code is word aligned, the lower two bits can hold flags, so, for example, the record could be as follows:

• word = address, low bits %00 = code of unknown origin requested block, address points back to calling routine; potentially could use address &FFFFFFFD to flag claims by low level kernel?
• word = address, low bits %01 = block requested by a module, address is base of module
• word = value, low bits %10 = block requested by a task, value is task handle
• word = ??, low bits %11 = (for future use)

Just an idea…

¹ To see this in action:

>SYS "OS_DynamicArea", 2, 1 TO ,,,base%,,,,,name$
>PRINT name$
Module area
>PRINT ~base%
  20000000
>*Memory 20000000 +8

Address  :     3 2 1 0    7 6 5 4  |-|  :    ASCII Data
20000000 :    70616548   002092EC  |-|  : Heapì< .
>

(memory display snipped at |-| to trim out unused data for better display here)

We can now demonstrate some of the problem:

>a% = base%!0
>base%!0 = a%

What would happen if I set a% to something else?

What would happen if I set a% to something else?

Unfortunately, I’m the kind of person that would. Been like that ever since I was old enough to wield a screwdriver and poke it into things – fans, electric sockets¹², you name it…

I set base% to be a specific four letter word. Now, there are many four letter words in the English language, “four” is itself a four letter word. So is “five”, so nerr.

The word chosen appropriately reflects the suitable response to what happens when the word at base% no longer says “Heap”.

One of two things will happen. Stuff may report an erroneous error about not having enough memory (I guess the standard reason why a memory claim fails is because you’ve run out of it…); and other stuff reports that there’s a bad heap block.
Your task window command line? Frozen. Your application? Frozen (or in the process of dying ungracefully). Your desktop, every other application, everything everywhere? Blown away.
You might be able to recover if you had a low level debugger that talked via serial (and RISC OS could do with one of these!), but otherwise your current session is history. You’ve basically just nobbled the entire RMA (and utterly brought down the machine) with one simple line of code. In BASIC. Need I say any more?

¹ Protip #1 – If you want to live a happy life, do not cause the electric fuse board to explode on Easter Sunday, or any other day that repairmen will heap on a holiday working supplement.

² Protip #2 – Just don’t.³ Remember those Fighting Fantasy books where practically every other page was YOU DIE HORRIBLY ? Well, that’s the usual outcome of “playing” with mains electricity as an eight year old.

³ The fact that the “you will die” option comes second ought to indicate the level of punishment involved. This wasn’t a “go to bed without your dinner” thing. This was the whole fire and brimstone would be better style riot act. And to top it off, mom still recounts the story, only she seems pretty good at forgetting certain details, like I was eight at the time. I guess this is the geek equivalent of showing the [boy|girl]friend all your embarrassing⁴ baby photos…

⁴ I don’t have many baby photos, but then I was a toddler in the mid ‘70s so it is probably just as well. I haven’t scanned any baby photos yet (I don’t think?) but here’s one from the early ’80s: http://www.heyrick.co.uk/historical/canberra.jpeg

You’ve basically just nobbled the entire RMA (and utterly brought down the machine) with one simple line of code. In BASIC. Need I say any more?

Nope, we know it’s all easy to bomb things out. There is probably a list of things that need changing to stabilise things. It’s odds on you’ve named something further down the list than the zero page stuff.

When annoyed with your flatmate for playing Wishbone Ash […] and it’s the same LP each time.

And there I was thinking Wishbone Ash was going to be some sort of sword/sorcery game. <sigh>

Probably handy that genius boy hadn’t used a nail.

I’ve seen what can happen. Faulty washing machine (or was it a drier?) shorted to earth. Wall “fuse” was a nail, plug “fuse” was a big bit of wire wrapped around. It was hooked to that pee-poor British obscenity known as “the ring main”. For a few short moments, a ring around the ground floor got rather warm. The cheap plasterboard didn’t like it. They managed to save one of the neighbours and some of the opposite side, such as were sixties style council houses. The local fire brigade salvaged the equipment and the so-called fuses and showed them (plus photos, not that we needed that) at the next school open day. Quite a lot of dads went white-faced, so I guess “bang a nail in there” was the standard “fix”?

Do they even have such protective devices in France?

Long before the UK. The one here trips at 660mA but deals with three phase and is pretty sensitive, but mostly deals with leakages to earth, so I’m not sure how it would handle electrocution on a two phase supply. It is date stamped 1976.

Not only do they have current trips, but any electrical installation not performed by a cowboy will be a mass of standard trip switches. Ring mains are not only banned, people found installing them (usually clueless Brits using each other instead of local tradesmen) will be disconnected from the supply until their wiring is up to spec (France’s electricians generally view the ring main as a Lovecraftian abomination). Here, a spur is fused, each and every one, with three sockets maximum, to supply a 3500W load (though I think it might be “one one or more sockets”, rather than 3×3500W).

Here’s an EDF photo. This is not a joke. I’ve seen a converted farm with a fuseboard not unlike this:

Oh, and I should add, the price of electricity depends upon “special tariff” and wattage. We are on a 9kW regular tariff. We can freely use up to 9kW but over that and the meter master trip will cut out. We used to be on 6kW, but with a 2kW pump and a 2kW kettle, lights, fridge, etc, it didn’t leave much room for anything else. You couldn’t make tea while using the washing machine, for instance. So we had it increased. And it nearly doubled the standing charge. We could go to 12kW but that’s yet more expensive, and no really necessary – we don’t have those sorts of loads.

Um… On topic… On topic…

Gee – imagine how many RPis could be run on 12kW! (^_^)

Edit: Here’s a potential Pi application? French smart meters modulate status information on to the line, and the French being the French have not only documented it, a variety of homebrew gadgets have been built to make use of the information.
Spec – http://sigrok.org/wiki/EDF_Teleinfo (English)
Demodulator – vesta.homelinux.free.fr/wiki/demodulateur_teleinformation_edf.html (link on above site is incorrect) (French)

Gee – imagine how many RPis could be run on 12kW

12000 / 5 = 2400 (headless)

Of course if you want pure self contained provision you’d need a display on one and VNC to the others (lose 25W for the display) then you need to network them all. Which makes things slightly more complicated.
30W per 48 port switch, 5W per Pi unit, 25W for a display

(48/30)z +(5*z) + 25 = 12000
So z = ?

Edit: Had a beer or two so that might need checking.

Wouldn’t this would break the Start entry and as a consequence any Modules that are also Applications?

Interestingly, one of the biggest fragmentors of the RMA is the OS itself, which is constantly allocating and deallocating RMA space whilst in the Wimp. I’d look at recoding them to use private DA’s first before breaking more software with major functional changes like this.

And there I was thinking Wishbone Ash was going to be some sort of sword/sorcery game.

In 1977 ?. Slightly beyond TV tennis(pong) was the state of play. Pre-BBC micro even.

The first band I ever saw in concert. About 1973 at the Theatre Royal in Norwich.

Your original post didn’t mention a date – it would be implied if you knew the band (which I didn’t). It was the LP reference that gave it away…

Therefore, blocks of memory claimed in the “RMA” can be directed to a second Heap which is in a secondary dynamic area, say “RMA data” as opposed to RMA (code).

I agree for two dynamic areas. I could add that more OS parts should be in dynamic areas (caches, ramdisc, etc.), with different levels of protection (code only / data + read/write / non permanent caches – all under MMU supervision). A good way too to support PAE mode, and so more than 4 GB of memory (will be very common with 64bit platforms). I remember that Jeffrey has some plans around this…