Line 264:
Line 264:
0x54: owner_pid
0x54: owner_pid
0x58: thread_id
0x58: thread_id
−
0x5C: ?????
+
0x5C: flags
0x60: ?????
0x60: ?????
0x64: ?????
0x64: ?????
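Review bot: naming the 0x5C field `flags` without listing its defined bits leaves the field effectively undocumented; the only bit this diff documents is "bit 2" (thread has an IPC buffer pool), and that sentence sits in the Line 303 hunk, far from the struct. Suggest an inline note at the field, e.g. `0x5C: flags // bit 2: has IPC buffer pool`, and state whether "bit 2" means the value 0x4 or the second bit from the LSB, since the heap flags later in this diff are given as values (0x1, 0x2) rather than bit indices.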
Line 289:
Line 289:
0xB8: user_stack_size
0xB8: user_stack_size
0xBC: ipc_buffer_pool
0xBC: ipc_buffer_pool
−
0xC0: ?????
+
0xC0: profiled_count
−
0xC4: ?????
+
0xC4: profiled_time
} thread_t; // sizeof() = 0xC8
} thread_t; // sizeof() = 0xC8
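Review bot: `profiled_time` at 0xC4 has no unit or type in the hunk; the offsets (0xC0, 0xC4, then `sizeof() = 0xC8`) pin both new fields at 4 bytes, but they do not say whether the time is in timer ticks or microseconds, nor what `profiled_count` counts (scheduler runs, syscalls, something else). Suggest appending a short note such as `0xC4: profiled_time // unit: ticks or µs` and naming the profiling path that updates both fields, otherwise readers have to reverse this part again.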
Line 303:
Line 303:
0x06 -> Faulted
0x06 -> Faulted
0x07 -> Unknown
0x07 -> Unknown
+
+
Bit 2 in the flags determines whether or not the thread has an IPC buffer pool.
+
+
===Heaps===
+
The IOSU is able to create and handle up to 0x30 heaps. Each heap has a corresponding descriptor structure stored in the kernel's BSS section (0x08150008 in firmware 5.5.1).
+
+
// Heap descriptor
+
struct
+
{
+
0x00: base
+
0x04: owner_pid
+
0x08: size
+
0x0C: first_free
+
0x10: (???) insufficient_memory_error_count
+
0x14: ?????
+
0x18: (???) error_count
+
0x1C: invalid_chunk_count
+
0x20: flags
+
0x24: total_allocated_size
+
0x28: (???) smallest_chunk_size
+
0x2C: (???) total_allocation_count
+
0x30: total_chunks_freed
+
0x34: (???) double_free_error_count
+
0x38: ?????
+
0x3C: (???) heap_id
+
} heap_descriptor_t; // sizeof() = 0x40
+
+
All accesses to heaps are verified using owner PID and active PID. Heaps are referenced using IDs that are used as indices into the heap descriptor array. There are 3 special heap IDs:
+
+
{| class="wikitable"
+
|-
+
! Heap ID
+
! Purpose
+
|-
+
| 0x0001
+
| Shared heap
+
|-
+
| 0xCAFE
+
| Local process heap for active PID
+
|-
+
| 0xCAFF
+
| Cross process heap for active PID
+
|}
+
+
Access to special heap IDs is redirected to the appropriate heap.
+
+
Each process can allocate a cross process heap for multiple processes to use and a local process heap for itself. These are kept tracked of using two arrays following the heap descriptor array in kernel BSS:
+
+
int32 local_process_heaps[14];
+
int32 cross_process_heaps[14];
+
+
They are initialized to IOS_ERROR_INVALID within the IOSU kernel and are set to the appropriate heap ID when created using IOS_CreateLocalProcessHeap or IOS_CreateCrossProcessHeap. There may only be one cross/local process heap for each PID.
+
+
Each heap descriptor contains a flag field that contains information about the heap:
+
0x1: Local process heap
+
0x2: Cross process heap
+
+
Each heap is created from memory of the shared heap. It is initialized as one big seperate memory chunk. Memory chunks have the following structure:
+
+
// Heap descriptor
+
struct
+
{
+
0x00: magic
+
0x04: size
+
0x08: back
+
0x0C: next
+
} heap_chunk_header_t; // sizeof() = 0x10
+
+
There are 3 valid magic values:
+
+
{| class="wikitable"
+
|-
+
! Magic
+
! Meaning
+
|-
+
| 0xBABE0000
+
| Chunk is free
+
|-
+
| 0xBABE0001
+
| Chunks is used
+
|-
+
| 0xBABE0002
+
| Chunk is inner chunk and used
+
|}
+
+
When memory is allocated to a heap, the linked list (terminated using nullptr's) is traversed to find a large enough chunk, chunks are split and back and forward pointers are cleared for the allocated chunk. When a chunk is allocated aligned, a chunk bigger than the needed one may be allocated. Inside this chunk, a second heap chunk is set up in a fashion that the beginning of the memory block described by this "inner" chunk is aligned according to the specified alignment. It's magic is set to 0xBABE0002 and the back pointer is set to the chunk containing it. These inner chunks can not be expanded.
===IPC===
===IPC===
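Review bot: the second struct (`heap_chunk_header_t`) is introduced with the comment `// Heap descriptor`, copied from the first struct; it should read `// Heap chunk header`. Two content points: the text states that all heap accesses are verified against owner PID and active PID, yet the 0xCAFF cross process heap is described as being for multiple processes to use, so the section should say how another process passes that check (for instance whether the 0x2 flag relaxes it). Likewise the descriptor carries `invalid_chunk_count` and `double_free_error_count`, which implies the kernel validates chunk headers on free, but nothing says which fields (magic, back, next) are checked; one sentence on that would complete the allocator description. Minor wording: `Chunks is used` should be `Chunk is used`, `seperate` should be `separate`, `It's magic` should be `Its magic`, `kept tracked of` should be `kept track of`, and `nullptr's` should be `nullptrs`.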