Virtual Memory
Overview
Virtual memory is a memory management technique implemented by the operating system (OS) that provides an "illusion" to each process that it has its own private, contiguous address space, called the virtual address space. This space is typically much larger than the physical RAM available on the system. The OS, in conjunction with hardware (specifically the Memory Management Unit - MMU), translates virtual addresses generated by the CPU into physical addresses in RAM or on disk.
Key benefits of virtual memory include:
- Increased Address Space: Allows programs to be larger than physical memory.
- Process Isolation: Each process has its own address space, preventing interference between processes.
- Memory Protection: Mechanisms to control access rights (read, write, execute) for different memory regions.
- Efficient Memory Usage: Only the actively used portions of a program need to be loaded into physical RAM.
- Simplified Programming: Developers don't need to worry about the physical layout of memory.
Virtual Address Space Layout
The virtual address space in Windows is divided into several regions, each with specific purposes and attributes. While the exact layout can vary slightly between Windows versions and system configurations (e.g., 32-bit vs. 64-bit), the general structure remains consistent.
Common Regions (64-bit Systems):
- Kernel Mode Space: A portion of the address space reserved for the operating system kernel. Access is restricted.
- User Mode Space: The larger portion of the address space available to user applications.
- System Paged Pool: Memory used by the kernel that can be paged out to disk.
- System Nonpaged Pool: Kernel memory that must reside in physical RAM at all times.
- Image/Code Section: Where executable code and read-only data are loaded.
- Heap: Dynamically allocated memory for programs.
- Stack: Used for function calls and local variables.
- Mapped Files: Regions representing files mapped directly into the address space.
Page Tables and Translation Lookaside Buffer (TLB)
Virtual-to-physical address translation is handled by page tables, data structures maintained by the OS. The CPU's MMU uses these page tables to find the corresponding physical address for each virtual address.
To speed up this translation process, the MMU includes a cache called the Translation Lookaside Buffer (TLB). The TLB stores recent virtual-to-physical address translations. When a virtual address is accessed, the MMU first checks the TLB. If a valid translation is found (a TLB hit), the physical address is retrieved very quickly. If not (a TLB miss), the MMU must traverse the page tables in memory, which is significantly slower.
The page table entries contain not only the physical page frame number but also protection bits (read, write, execute permissions) and status bits (e.g., present, dirty, accessed).
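The lookup described above, as an added example (not code from the original page or from Windows): a toy single-level page table with a small direct-mapped TLB, showing how the present and protection bits turn an access into a translation or a fault. The flag values, table sizes and all function names are assumptions made for illustration and do not match the real x64 page table entry layout.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model (constructed flag values, not the real x64 PTE layout): 4 KiB pages, 4-entry TLB. */
enum { PAGE_SHIFT = 12, NPAGES = 16, TLB_SIZE = 4 };
enum { PTE_PRESENT = 1, PTE_WRITE = 2, PTE_EXEC = 4 };
enum access { ACC_READ, ACC_WRITE, ACC_EXEC };
enum result { XLATE_OK, FAULT_NOT_PRESENT, FAULT_PROTECTION };
struct pte { uint32_t frame; uint8_t flags; };
struct tlb_entry { int valid; uint32_t vpn; struct pte pte; };
static struct pte page_table[NPAGES];
static struct tlb_entry tlb[TLB_SIZE];
static unsigned tlb_hits, tlb_misses;

/* Install a mapping and drop any cached copy, as an OS must after editing a PTE. */
static void map_page(uint32_t vpn, uint32_t frame, uint8_t flags) {
    page_table[vpn].frame = frame;
    page_table[vpn].flags = (uint8_t)(flags | PTE_PRESENT);
    tlb[vpn % TLB_SIZE].valid = 0;
}

/* Translate vaddr for the given access type; on success store the physical address. */
static enum result translate(uint32_t vaddr, enum access acc, uint32_t *paddr) {
    uint32_t vpn = vaddr >> PAGE_SHIFT, off = vaddr & ((1u << PAGE_SHIFT) - 1);
    if (vpn >= NPAGES) return FAULT_NOT_PRESENT;
    struct tlb_entry *t = &tlb[vpn % TLB_SIZE];
    if (t->valid && t->vpn == vpn) {
        tlb_hits++;                               /* TLB hit: no table walk */
    } else {
        tlb_misses++;                             /* TLB miss: consult the page table */
        if (!(page_table[vpn].flags & PTE_PRESENT)) return FAULT_NOT_PRESENT;
        t->valid = 1; t->vpn = vpn; t->pte = page_table[vpn];
    }
    if (acc == ACC_WRITE && !(t->pte.flags & PTE_WRITE)) return FAULT_PROTECTION;
    if (acc == ACC_EXEC && !(t->pte.flags & PTE_EXEC)) return FAULT_PROTECTION;
    *paddr = (t->pte.frame << PAGE_SHIFT) | off;
    return XLATE_OK;
}

int main(void) {
    uint32_t pa = 0;
    map_page(1, 0x2A, PTE_EXEC);    /* code page: readable and executable */
    map_page(2, 0x07, PTE_WRITE);   /* data page: readable and writable, not executable */
    printf("read code:  %d\n", translate(0x1234, ACC_READ, &pa));
    printf("write code: %d\n", translate(0x1238, ACC_WRITE, &pa));
    printf("exec data:  %d\n", translate(0x2010, ACC_EXEC, &pa));
    printf("unmapped:   %d\n", translate(0x5000, ACC_READ, &pa));
    printf("TLB hits=%u misses=%u\n", tlb_hits, tlb_misses);
    return 0;
}
```

Because the TLB caches the protection bits along with the frame number, `map_page` invalidates the matching entry; without that step a permission change would not take effect until the stale entry was replaced.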
Paging and Demand Paging
When a process accesses a virtual address whose corresponding physical page is not currently in RAM, a page fault occurs. The OS's page fault handler intercepts this event.
Demand Paging is a strategy where pages are loaded into physical memory only when they are actually needed (i.e., when a page fault occurs for that page). This significantly improves performance and reduces memory overhead.
If physical memory is full when a page fault occurs, the OS must select a page currently in RAM to evict. This page is written to disk (if it has been modified) before the required page is loaded. This process is known as paging out or swapping out.
Memory Management Structures
The Windows kernel uses several key structures to manage virtual memory:
- VIRTUAL_ADDRESS_DESCRIPTOR: Describes regions of virtual memory.
- _MMVAD (Virtual Address Descriptor): Represents a contiguous range of virtual addresses within a process's address space.
- _EPROCESS: The executive process block, which contains a pointer to the process's address space management data structures.
- Page Table Entries (PTEs): The individual entries within the page tables.
The operating system maintains a separate set of page tables for each process.
System Calls and APIs
Developers interact with the virtual memory system through Windows API functions. Some common examples include:
- VirtualAlloc(): Reserves or commits pages in the virtual address space of the calling process.
- VirtualFree(): Releases or decommits an area of memory.
- VirtualProtect(): Changes the protection of an existing region of committed pages.
- CreateFileMapping() and MapViewOfFile(): For memory-mapped files.