Code and heap data regions can be associated with a protection domain, and are typically owned by one domain and exported to others. Stack storage must be managed differently, however, because stacks are used by threads that move between protection domains. In our MMP OS design, stack storage is owned by the memory supervisor. To get stack storage, a thread manager in a protection domain calls mmp_alloc(stack). The stack flag tells the supervisor that this is a stack segment, a fact which the supervisor records while maintaining ownership of the storage.
The memory supervisor only owns and manages the stack space for each thread. Other details about the thread, like its control block and the scheduling policy that govern it, are determined by the kernel or an arbitrary thread-managing domain.
Stack permissions are managed by the supervisor call mmp_supr_set_perm(ptr, length, perm, exclusive, PD-ID), which is like the mmp_set_perm call, but the mmp_set_perm call only works for memory that is owned by the caller. The mmp_supr_set_perm call requests that the supervisor make a permissions change on memory that it owns. Of course, the supervisor range checks the address and refuses action if the request is inappropriate. The exclusive flag requests that all permissions for other PDs be revoked.
When a stack segment is allocated, the supervisor records the creating protection domain, and a stack-ID, which is just the base address of the stack segment. When a thread is scheduled on a CPU, the thread manager must make the supervisor call mmp_set_stack(stack_seg, cpuid) to tell it that a certain stack is now active on a certain CPU. The supervisor checks that this thread manager has permissions to make this stack segment active. When the supervisor receives a call to set stack permissions, it checks that the request is for the active stack.
Although this scheme prevents one thread changing permissions on
another thread's stack, when multiple threads run in the same
protection domain they can still potentially access each other's stack
frames. This is a minor protection violation, as the code in the
domain has already been trusted with the stack frames. But we can
eliminate this violation by adding another hardware mechanism,
discussed in Section ![[Cross-domain calls]](crossref.png)
.