5.5.24 · D3 · HinglishEmbedded Systems & Real-Time Software

Worked examplesMemory protection units (MPU) — preventing stack overflow, access faults

2,562 words12 min read↑ Read in English

5.5.24 · D3 · Coding › Embedded Systems & Real-Time Software › Memory protection units (MPU) — preventing stack overflow, a

Yeh page MPU parent topic ko concrete numbers mein drill karti hai. Hum base addresses, RASR size fields, region-match winners, aur fault decisions haath se compute karenge — taaki koi bhi MPU register value kabhi magic jaisi na lage.

Kuch bhi compute karne se pehle, do symbols jo parent ne use kiye the lekin digit-by-digit kabhi spell out nahi kiye:


The scenario matrix

Har MPU question jo aap kabhi face karenge woh in cells mein se ek hogi. Neeche ke examples mein se har ek un cell(s) ke saath tagged hai jise woh cover karta hai.

Cell Case class Isme tricky kya hai
A Ek size encode karo → SIZE field offset
B Legal (aligned) base low bits zero hone chahiye
C Degenerate: misaligned base hardware silently re-align kar deta hai
D Zero / smallest region (32 B guard) floor case,
E Limiting: whole-address-space region (4 GB) ceiling case,
F Overlap — highest region number jeet ta hai priority direction
G Overlap backwards kiya gaya guard silently ignore ho jaata hai
H Access-type violation (write to RO, exec on XN, user on privileged) permission vs. access-kind
I Word problem: stack overflow catch, byte-exact pehla fault kahan lagta hai
J Exam twist: subregion disable ek hole banata hai 1/8th granularity

Example 1 — Teen region sizes encode karo (Cell A, D, E)

Forecast: padhne se pehle har SIZE value guess karo. (Hint: use karo.)

  1. 1 KB. , toh . Yeh step kyun? Size ko ke roop mein express karna hoga taaki read kar sakein. .
  2. 32 bytes. , toh , sabse chota legal region. Yeh step kyun? Yeh floor case hai (Cell D) — aap SIZE=4 se neeche nahi ja sakte. .
  3. 4 GB. , toh , poora 32-bit address space. Yeh step kyun? Ceiling case (Cell E) — ek region jo sab kuch cover karta hai. .

Verify: se wapis decode karo: ✓, ✓, bytes GB ✓. Parent ke code ne 1 KB ke liye (9<<1) aur 32 B ke liye (4<<1) use kiya — match karta hai, aur <<1 isliye hai kyunki SIZE RASR ke bits 1–5 mein baith ta hai.


Forecast: 64-byte region ke liye kitne low bits zero hone chahiye?

  1. , toh : base ke low 6 bits zero hone chahiye. Yeh step kyun? Alignment rule = "size hai ⇒ low bits zero karo."
  2. Low 6 bits dekho (last hex digit aur ek half): mask hai .
    • 0x...0000 & 0x3F = 0legal (figure mein green).
    • 0x...400x40 & 0x3F = 0legal ( jo 64 ka multiple hai).
    • 0x...100x10 & 0x3F = 0x10 = 16 ≠ 0illegal (figure mein red).
  3. Illegal ke liye hardware low 6 bits AND away karta hai: effective base . Yeh step kyun? Yeh Cell C hai — woh silent shift jiske baare mein parent ne warn kiya tha. Aap socha ki aapne 0x10–0x50 protect kiya; actually aapne 0x00–0x40 protect kiya.

Verify: general fix base = addr & ~(size-1): ✓. Aur 0x40 = 64 exactly size hai, toh region (b) 0x40–0x80 cover karta hai, adjacent aur clean.


Example 3 — 32-byte guard band, byte-exact (Cell D, I, word problem)

Forecast: stack 0x2000_0400 ke paas se shuru hota hai aur neeche grow karta hai. Tripwire kahan hai?

  1. Guard region: base 0x2000_0000, size , toh yeh 0x2000_0000 – 0x2000_0020 cover karta hai. Yeh step kyun? ; half-open interval ka matlab hai 0x2000_0020 khud guard ke bahar hai.
  2. Stack pointer 0x2000_0400 se shuru hota hai aur neeche march karta hai: ...0x3FC, 0x3F8, .... Har push ek lower address par write karta hai. Yeh step kyun? ARM par stacks lower addresses ki taraf grow karti hain — growth direction decide karta hai ki guard kis end ko protect karta hai.
  3. Guard ke andar pehla write = pehla address . Aakhri safe byte hai 0x2000_0020; pehla fault byte hai 0x2000_001F (neeche ka byte). Yeh step kyun? Yeh tripwire hai: Cell I — byte-exact overflow detection. Parent ka guard jeet ta hai kyunki yeh higher-numbered region hai (Region 1 vs Region 0).
  4. Fault par, MMFAR offending address latch karta hai, toh aapka MemManage_Handler() 0x2000_001F read karta hai aur exactly jaanta hai ki kaun sa task overran (Cell H, permission = no-access).

Verify: app ko kitna stack milta hai? bytes usable, ✓. 2048-byte array clearly 992 mein fit nahi ho sakti → fault guaranteed ✓.


Example 4 — Overlap: kaun sa region jeet ta hai? (Cell F)

Forecast: dono regions 0x2000_0010 cover karte hain. Winner guess karo.

  1. Region 0 0x0000 – 0x0400 cover karta hai: kya 0x0010 andar hai? haan, match karta hai.
  2. Region 1 0x0000 – 0x0020 cover karta hai: kya 0x0010 andar hai? haan, match karta hai. Yeh step kyun? Dono match karte hain, toh priority decide karta hai.
  3. ARM rule: highest-numbered matching region jeet ta hai → Region 1 jeet ta hai → no access → fault. Yeh step kyun? Yeh exactly parent ka guard trick hai (Cell F): restrictive rule higher slot mein baith ta hai.

Verify: address 0x2000_0300 (guard ke bahar, stack ke andar): sirf Region 0 match karta hai → RW → write allowed ✓. Toh guard 0x00–0x20 protect karta hai aur 0x20–0x400 writable chhod deta hai — sahi 32-byte fence.


Example 5 — Wahi overlap, ulta numbered (Cell G)

Forecast: kya numbers swap karne se kuch badla?

  1. Dono regions abhi bhi 0x2000_0010 match karte hain (same intervals jaise Example 4 mein).
  2. Highest-numbered matching region = Region 1 = broad RW stack → jeet ta hai. Yeh step kyun? Priority number follow karta hai, intent nahi. Cell G — classic silent bug.
  3. Result: write allowed hai. Guard completely ignore ho jaata hai. Overflows undetected rehte hain → silent corruption wapis aa jaata hai.

Verify: Example 4 se contrast karo — identical addresses, opposite outcome, purely isliye kyunki winning region "no access" se "RW" mein flip ho gaya. Yaad karne wala rule: restrictive region ka number higher hona chahiye. ✓ (Consistency: Example 4 ne fault kiya, yeh wala pass ho gaya; sirf region index badla tha.)


Example 6 — Permission vs. access-kind table (Cell H)

Forecast: RO = read-only, XN = execute-never. Kaun teen fault karte hain?

  1. (i) read — RO reads allow karta hai → pass.
  2. (ii) write — RO writes forbid karta hai → fault. Kyun? Access kind (write) ko AP bits ke against check kiya jaata hai.
  3. (iii) execute — XN ka matlab "execute-never" hai; yahan instruction fetch → fault. Kyun? Yeh shellcode defense hai: even agar data corrupt ho jaaye, aap ise run nahi kar sakte.
  4. (iv) privileged write — abhi bhi RO hai. Read-only matlab sabke liye read-only; privilege sirf "unprivileged-allowed" axis ko gate karta hai, RW axis ko nahi → fault. Yeh step kyun? Do independent axes: RW vs RO aur privileged vs user. Inhe mix mat karo.

Verify: faults ki count = 4 mein se 3 (sirf read pass hota hai). Cross-check karo ki privilege axis orthogonal hai: ek privileged read bhi pass hoga (RO privilege se regardless reads allow karta hai).


Example 7 — Peripheral protection, bada region (Cell E, H)

Forecast: MB .

  1. , toh . Yeh step kyun? read off karo taaki SIZE mil sake.
  2. (parent ke code ne (28<<1) use kiya ✓).
  3. Alignment: ek region ko base ke low 29 bits zero chahiye. , low 29 bits zero hain → aligned ✓. Yeh step kyun? Region par trust karne se pehle confirm karo.
  4. Ek user task jo *UART_TXREG = data karta hai (unprivileged mode se write) privileged-only rule hit karta hai → fault (Cell H).

Verify: kya region block ke top tak actually pahunchta hai? , yaani 0x5FFF_FFFF inclusive tak cover karta hai ✓. Exactly peripheral window.


Example 8 — Subregion disable ek hole banata hai (Cell J, exam twist)

Forecast: 1 KB ko 8 equal subregions mein split karo — har ek kitna bada hai?

  1. Har region ≥ 256 B 8 equal subregions mein split hoti hai. bytes each. Yeh step kyun? Subregion granularity hamesha region ka exactly ek-aathwan hoti hai.
  2. 8 subregions, low→high: SR0 0x000–0x080, SR1 0x080–0x100, … SR7 0x380–0x400. Yeh step kyun? SR0 lowest addresses hai = bottom = jahan ek downward stack overflow hota hai.
  3. SR0 ko disable karne ke liye, 8-bit SRD ka bit 0 set karo: . Yeh step kyun? Har SRD bit ek subregion se map hota hai; set bit ka matlab "yeh eighth off / no access hai."
  4. Hole hai 0x2000_0000 – 0x2000_0080 (128 bytes) — ek guard band bina doosre region ki zaroorat ke. Yeh step kyun? Exam twist (Cell J): parent ne hint diya tha ki aap subregion disable ek alag higher-numbered guard region ki jagah use kar sakte hain.

Verify: hole size ✓. SRD value exactly ek subregion disable karta hai. Agar aap top eighth (SR7) chahte the, toh bit 7 set karte: ✓.


Recall Quick self-test

Ek 256-byte region ko base ke kitne low bits zero chahiye? ::: (kyunki ). 4 KB region ke liye SIZE field kya hai? ::: , toh . Do regions overlap karte hain; restrictive wala Region 3 hai, broad wala Region 5. Overlapping address par kaun jeet ta hai? ::: Region 5 (higher number) — restrictive wala ignore ho jaata hai; yeh ek bug hai. 1 KB stack par 32 B guard ke baad usable stack bytes kitne? ::: bytes. XN region par kaun sa access fault karta hai? ::: ek instruction fetch / execute usse.

Related: RTOS task switching har task ke liye MPU regions reprogram karta hai; Memory faults and exception handling cover karta hai ki MemManage_Handler() MMFAR ke saath kya karta hai; Memory-mapped IO isliye hai kyun peripherals ko privileged-only regions chahiye.