.. mode: -*- rst -*-

SunOS 4 protection module
=========================

:Tag: design.mps.protsu
:Author: David Jones
:Date: 1997-03-20
:Status: incomplete document
:Revision: $Id: //info.ravenbrook.com/project/mps/version/1.113/design/protsu.txt#1 $
:Copyright: See `Copyright and License`_.
:Index terms:
   pair: SunOS 4; protection interface design
   pair: SunOS 4 protection interface; design


.. warning::

    As of 2013-05-26, the MPS is no longer supported on SunOS, so
    this document is only of historical interest.


Introduction
------------

_`.readership`: Any MPS developer.

_`.intro`: This is the design of the SunOS 4 implementation of the
protection module. It is intended to be used only in SunOS 4 (os.su).
It makes use of various services provided by SunOS 4.


Requirements
------------

_`.req.general`: Required to implement the general protection
interface defined in design.mps.prot.if.*.


Overview
--------

Uses ``mprotect()``.


Misc
----

_`.improve.sig-stack`: Currently we do not handle signals on a
separate signal stack. If we handled signals on our own stack then we
could guarantee not to run out of stack while we were handling the
signal. This would be useful (it may even be required). We would have
to use ``sigvec(2)`` rather than ``signal(3)`` (set the ``SV_ONSTACK``
flag and use ``sigstack(2)``). This has drawbacks as the signal stack
is not grown automatically, so we would have to to frig the stacks
back if we wanted to pass on the signal to some other handler as that
handler may require arbitrary amounts of stack.

_`.improve.sigvec`: Note 1 of ``ProtSetup()`` notes that we can't
honour the ``sigvec(2)`` entries of the next handler in the chain.
What if when we want to pass on the signal instead of calling the
handler we call ``sigvec()`` with the old entry and use kill to send
the signal to ourselves and then restore our handler using sigvec
again.


Data structures
---------------

_`.data.signext`: This is static. Because that is the only
communications channel available to signal handlers. [write a little
more here]


Functions
---------

_`.fun.setup`: ``ProtSetup()``. The setup involves installing a signal
handler for the signal ``SIGSEGV`` to catch and handle protection
faults (this handler is the function ``sigHandle()``). The previous
handler is recorded (in the variable ``sigNext``, see
`.data.signext`_) so that it can be reached from ``sigHandle()`` if it
fails to handle the fault.

The problem with this approach is that we can't honor the wishes of the 
``sigvec(2)`` entry for the previous handler (in terms of masks in particular).

Obviously it would be okay to always chain the previous signal handler
onto ``sigNext``, however in the case where the previous handler is
the one we've just installed (that is, ``sigHandle``) then it is not
necessary to chain the handler, so we don't.

_`.fun.set`: ``ProtSet()``

_`.fun.set.convert`: The requested protection (which is expressed in
the mode parameter, see design.mps.prot.if.set) is translated into an
operating system protection. If read accesses are to be forbidden then
all accesses are forbidden, this is done by setting the protection of
the page to ``PROT_NONE``. If write access are to be forbidden (and
not read accesses) then write accesses are forbidden and read accesses
are allowed, this is done by setting the protection of the page to
``PROT_READ | PROT_EXEC``. Otherwise (all access are okay), the
protection is set to ``PROT_READ | PROT_WRITE | PROT_EXEC``.

_`.fun.set.assume.mprotect`: We assume that the call to ``mprotect()``
always succeeds. This is because we should always call the function
with valid arguments (aligned, references to mapped pages, and with an
access that is compatible with the access of the underlying object).

_`.fun.sync`: ``ProtSync()``. This does nothing in this implementation
as ProtSet sets the protection without any delay.

_`.fun.tramp`: ``ProtTramp()``. The protection trampoline is trivial
under SunOS, as there is nothing that needs to be done in the dynamic
context of the mutator in order to catch faults. (Contrast this with
Win32 Structured Exception Handling.)


Document History
----------------

- 1997-03-20 David Jones. incomplete document

- 2002-06-07 RB_ Converted from MMInfo database design document.

- 2013-05-23 GDR_ Converted to reStructuredText.

.. _RB: http://www.ravenbrook.com/consultants/rb/
.. _GDR: http://www.ravenbrook.com/consultants/gdr/


Copyright and License
---------------------

Copyright © 2013-2014 Ravenbrook Limited. All rights reserved.
<http://www.ravenbrook.com/>. This is an open source license. Contact
Ravenbrook for commercial licensing options.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

#. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

#. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

#. Redistributions in any form must be accompanied by information on how
   to obtain complete source code for this software and any
   accompanying software that uses this software.  The source code must
   either be included in the distribution or be available for no more than
   the cost of distribution plus a nominal fee, and must be freely
   redistributable under reasonable conditions.  For an executable file,
   complete source code means the source code for all modules it contains.
   It does not include source code for modules or files that typically
   accompany the major components of the operating system on which the
   executable file runs.

**This software is provided by the copyright holders and contributors
"as is" and any express or implied warranties, including, but not
limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement, are disclaimed.  In no event
shall the copyright holders and contributors be liable for any direct,
indirect, incidental, special, exemplary, or consequential damages
(including, but not limited to, procurement of substitute goods or
services; loss of use, data, or profits; or business interruption)
however caused and on any theory of liability, whether in contract,
strict liability, or tort (including negligence or otherwise) arising in
any way out of the use of this software, even if advised of the
possibility of such damage.**
