A portion of the logical address space is set aside for protected address spaces (sometimes called user address spaces or ring 3). This protected address space is a portion of the logical address space that has carefully controlled interaction with the server operating system. All protected address spaces use virtual memory. For general information about virtual memory, see Virtual Memory.
A key benefit of protected address spaces is that you can use them to take advantage of virtual memory or to run untried or troublesome applications. Because modules loaded into a protected address space can’t corrupt the operating system or cause server abends, the protected address space provides a safe place to run applications.
The operating system address space (ring 0) is sometimes called the OS address space or the kernel address space. The operating system itself cannot run in a protected address space.
The memory protection marshalling layer, in conjunction with the memory protection subsystem, prevents modules in a protected address space from having direct access to anything outside the address space.
In particular, the memory protection marshalling layer serves as the interface between the protected address spaces and the server operating system. These layers prevent NLM programs in protected spaces from making calls or passing parameters to the operating system that would corrupt or fault the core operating system. Likewise, programs using memory outside the boundary cannot allocate areas of memory inside the boundary.
You can load modules into a protected address space, unload modules from a space, delete a space, or kill a space. See Using Protected Address Spaces and Loading Protected Address Spaces.
Each protected address space has its own set of page translations to provide logical memory addressing. The memory management subsystem ensures that the set of page translations for each protected address space refers to a different set of physical memory addresses.
Only one set of translations is visible in the memory management subsystem at a time. When there is more than one protected address space, the memory management subsystem loads one set of page translations for a specified time and then replaces it with another.
Figure 1-2 Page Translations for Each Protected Address Space in the Memory Management System
Replacing visible page translations is part of a context switch, which takes place when the NetWare kernel changes from running one thread to running another thread.
The following NLM programs and executable files cannot be loaded into a protected space:
Server.exe
LAN and disk drivers
Hardware and LAN drivers make calls to the operating system and the processor that are not allowed from the protected address spaces.
Monitor.exe
Monitor makes calls to the operating system that are not allowed from protected address spaces.
Modules that use interrupt time processing
Modules that use direct operating system interfaces
Modules that import operating system data items
Other modules or applications that aren’t designed to run in protected address spaces