On Space and Mode
Sometimes I see engineers use the memory “space” and protection “mode” terms interchangeably although, in my opinion, there is a big difference between them. They are independent of each other (orthogonal). For example, a thread may access a user space address but be running in a kernel protected mode. It is even possible to call a user space function from a kernel space thread (that function shouldn’t try to call Windows API). The following combinations are possible:
user space / user mode
kernel space / kernel mode
user space / kernel mode
Most of the time space and mode coincide (blue - user, red - kernel):
ChildEBP RetAddr
b6046c50 80833e95 nt!KiSwapContext+0x26
b6046c7c 8082b72b nt!KiSwapThread+0x2e5
b6046cc4 808ef652 nt!KeRemoveQueue+0x417
b6046d48 8088b19c nt!NtRemoveIoCompletion+0xdc
b6046d48 7c94860c nt!KiFastCallEntry+0xfc
00bfff70 7c9477f9 ntdll!KiFastSystemCallRet
00bfff74 7c959f68 ntdll!NtRemoveIoCompletion+0xc
00bfffb8 7c82482f ntdll!RtlpWorkerThread+0x3d
00bfffec 00000000 kernel32!BaseThreadStart+0x34
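The following sketch is an added example, not part of the original post: it labels each frame of the stack trace above by the space of its stack address and of its return address, and reports the frame where a kernel stack returns into user space. It assumes 32-bit Windows with the default 2 GB / 2 GB split (kernel space from 0x80000000); the function names are hypothetical. An address only identifies the space, it says nothing about the mode the processor was in.

```python
import re

# Assumption: 32-bit Windows, default 2 GB / 2 GB split, so kernel space
# starts at 0x80000000 (it starts at 0xC0000000 when booted with /3GB).
KERNEL_BASE = 0x80000000

# Frames copied from the stack trace on this page (ChildEBP RetAddr Symbol).
TRACE = """\
ChildEBP RetAddr
b6046c50 80833e95 nt!KiSwapContext+0x26
b6046c7c 8082b72b nt!KiSwapThread+0x2e5
b6046cc4 808ef652 nt!KeRemoveQueue+0x417
b6046d48 8088b19c nt!NtRemoveIoCompletion+0xdc
b6046d48 7c94860c nt!KiFastCallEntry+0xfc
00bfff70 7c9477f9 ntdll!KiFastSystemCallRet
00bfff74 7c959f68 ntdll!NtRemoveIoCompletion+0xc
00bfffb8 7c82482f ntdll!RtlpWorkerThread+0x3d
00bfffec 00000000 kernel32!BaseThreadStart+0x34
"""

FRAME = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")

def space_of(addr, kernel_base=KERNEL_BASE):
    """Name the space an address belongs to; this is not the CPU mode."""
    return "kernel" if addr >= kernel_base else "user"

def classify(trace, kernel_base=KERNEL_BASE):
    """Return one dict per frame: symbol, stack space, return-address space."""
    frames = []
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # column header or other non-frame line
        ebp, ret = int(m.group(1), 16), int(m.group(2), 16)
        frames.append({"symbol": m.group(3),
                       "stack": space_of(ebp, kernel_base),
                       "ret": space_of(ret, kernel_base)})
    return frames

def boundary_frames(frames):
    """Symbols of frames that sit on a kernel stack but return to user space."""
    return [f["symbol"] for f in frames
            if f["stack"] == "kernel" and f["ret"] == "user"]

if __name__ == "__main__":
    for f in classify(TRACE):
        print(f"{f['stack']:6} stack, returns to {f['ret']:6}  {f['symbol']}")
```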
I personally prefer to talk about “spaces” when I analyze complete memory dumps and almost never talk about “modes”.
- Dmitry Vostokov @ DumpAnalysis.org -
July 20th, 2009 at 5:04 pm
[…] system architecture (p. 36) - I personally prefer space than mode partitioning or indicate both: http://www.dumpanalysis.org/blog/index.php/2009/07/17/on-space-and-mode/ and show user space at the bottom to highlight lower virtual addresses. Here is one example, UML […]
July 27th, 2010 at 4:45 pm
[…] value the most or use the most. However, the reason I put Kernel on top is because I value Space over Mode in depicting memory and dependencies. In stack traces from complete memory dumps you have kernel […]