Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,

Extensibility, Safety and Extensibility, Safety and Performance in the Performance in the

SPIN Operating SPIN Operating SystemSystem

B. N. Bershad, S. Savage, P. B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Pardyak, E. G. Sirer, M. E.

Fiuczyski, D. Becker, C. Chambers, Fiuczyski, D. Becker, C. Chambers, S. EggersS. Eggers

Presenter: Judy FischbachPresenter: Judy Fischbach

ContributionsContributions

New extensible OS system (SPIN)New extensible OS system (SPIN) It allows applications to change OSIt allows applications to change OS

– InterfaceInterface– ImplementationImplementation

It uses languages and link-time mechanismsIt uses languages and link-time mechanisms– To export fine grain interfacesTo export fine grain interfaces

Type safe language used for extensionsType safe language used for extensions Extensions dynamically linked into OS Extensions dynamically linked into OS

kernelkernel

IntroductionIntroduction

Desire: To match applications with Desire: To match applications with operating system implementation or operating system implementation or interfaceinterface

[Von Eicken et al ’92][Von Eicken et al ’92]– High performance parallel apps don’t High performance parallel apps don’t

work well with network protocol work well with network protocol implementations.implementations.

[Stonebraker ’81] [Stonebraker ’81] – Database apps perform poorly with disk Database apps perform poorly with disk

buffering/paging algorithms in OSbuffering/paging algorithms in OS

Goals and ApproachGoals and Approach

Spin relies on four techniques:Spin relies on four techniques:– Co-locationCo-location– Enforced modularityEnforced modularity– Logical protection domainsLogical protection domains– Dynamic call bindingDynamic call binding

The language and runtime provide The language and runtime provide support for these techniquessupport for these techniques

SPIN System OverviewSPIN System Overview

Executes in kernel’s virtual Executes in kernel’s virtual address spaceaddress space

Provides a set of extension and Provides a set of extension and core system servicescore system services

Dynamically loads into kernel Dynamically loads into kernel Written in Modula-3Written in Modula-3

MotivationMotivation

System structures are not setup System structures are not setup well for specialization and can be well for specialization and can be costlycostly

Why extensible?Why extensible?– The system can be dynamically be The system can be dynamically be

changed to meet needs of a specific changed to meet needs of a specific applicationapplication

Related WorkRelated Work

Hydra [Wulf et al ’81]Hydra [Wulf et al ’81] Microkernels [Bershad et al ‘90]Microkernels [Bershad et al ‘90] Cross-Domain Communication Cross-Domain Communication

[Hamilton & Kourgiouris ’93][Hamilton & Kourgiouris ’93] ““Little Languages” [Lee et al ’94]Little Languages” [Lee et al ’94] Code install in kernel at runtime Code install in kernel at runtime

[Heidemann & Popek ’94][Heidemann & Popek ’94]

Related WorkRelated Work

Software Fault Isolation [Wahbe Software Fault Isolation [Wahbe et al ’93]et al ’93]

Aegis [Engler et al ’95]Aegis [Engler et al ’95] Systems using language features Systems using language features

(like SPIN) to extend operating (like SPIN) to extend operating system services [Cooper et al ’91]system services [Cooper et al ’91]

SPIN ArchitectureSPIN Architecture

Two Models

Protection Extension

Protection ModelProtection Model

Controls set of operations that Controls set of operations that can be used with resourcescan be used with resources

Capabilites, what are they?Capabilites, what are they?– Definition: Definition:

An unforged reference to a resource An unforged reference to a resource

– Implemented using PointersImplemented using Pointers– Pointer Definition: Pointer Definition:

A reference to a memory block whose A reference to a memory block whose type is defined within an interfacetype is defined within an interface

Example: Definition and use Example: Definition and use of interfaces/capabilities in of interfaces/capabilities in

SPINSPINref: Figure 1 of SPIN paperref: Figure 1 of SPIN paper

INTERFACE Console; (* An Interface. *)TYPE T <: REFANY; (* Read as “Console.T is opaque” *)

CONST InterfaceName = “ConsoleService” (* A global name *)

PROCEDURE Open(): T; (* Open returns a capability for the console. *)PROCEDURE Write(t: T; msgs: TEXT);PROCEDURE Read(t: VAR; msg: TEXT);PROCEDURE Close(t: T);END Console;

MODULE Console; (* An Implementation module *)

(* The implementation of Console.T *)TYPE Buf = ARRAY [0..31] OF CHAR;REVEAL T = BRANDED REF RECORD (* T is a pointer *)

inputQ: Buf; (* to a record *)outputQ: Buf;(* device specific info *)

END;

(* Implementations of interface functions *)(* have direct access to the revealed type *)PROCEDURE Open(): T = …END Console;

MODULE Gatekeeper; (* A client *)IMPORT Console;

VAR c: Console.T; (* A capability for *) (* the console device *)

PROCEDURE IntruderAlert() = BEGIN c := Console.Open(); Console.Write(c, “Intruder Alert”); Console.Close(c); END IntruderAlert;

BEGINEND Gatekeeper;

Protection DomainsProtection Domains

Generally, it is the set of accessible Generally, it is the set of accessible names available to an execution names available to an execution contextcontext

But different for SPINBut different for SPIN– Name and protection interface is at Name and protection interface is at

language level, not at virtual memorylanguage level, not at virtual memory– A protection domain defines the set of A protection domain defines the set of

names that can be referenced by code names that can be referenced by code with access to that domainwith access to that domain

More about DomainsMore about Domains

Domain can be intersecting or Domain can be intersecting or disjointdisjoint

OperationsOperations– Create: Initializes domainCreate: Initializes domain– Resolve: Matches symbols between Resolve: Matches symbols between

target and those exported from sourcetarget and those exported from source– Combine: Creates linkable namespaces Combine: Creates linkable namespaces

that consist of union of existing domainsthat consist of union of existing domains

Domain Interface Domain Interface ref: Figure 2 of SPIN paperref: Figure 2 of SPIN paper

INTERFACE Domain;

TYPE T <: REFANY; (* Domain.T is opaque *)

PROCEDURE Create (coff:CoffFile.T):T;

PROCEDURE CreateFromModule():T;

PROCEDURE Resolve(source, target: T);

PROCEDURE Combine (d1, d2: T): T;

END Domain.

Extension ModelExtension Model

Provides Provides – controlled communication between controlled communication between

extension and systemextension and system As an example, extension could…As an example, extension could…

– Monitor system activityMonitor system activity– Send peformance information to Send peformance information to

applications applications Extensions = Events + HandlersExtensions = Events + Handlers

More about Extensions…More about Extensions…

Central Dispatcher

Extension

RegistersEvent Handler with

Event Name

Message sent to announce change in

system state or

To request service

Event

Primary Implementation

Module

OtherModules

Passes Event Name

If allowed,GUARD can be associated with

handler

Can request to install addl handlers or replace primary

handler

SPIN Core ServicesSPIN Core Services

Extensible Memory ManagementExtensible Memory Management– Physical storagePhysical storage– NamingNaming– TranslationTranslation

Extensible Thread ManagementExtensible Thread Management– StrandsStrands

Physical Address ServicePhysical Address Service

Controls use and allocation of pagesControls use and allocation of pages AllocateAllocate eventevent

– Requests physical memory Requests physical memory – Size specifiedSize specified– Optional attributes specifiedOptional attributes specified

DeallocateDeallocate eventevent– Given pointer p to memory, frees physical Given pointer p to memory, frees physical

memorymemory ReclaimReclaim eventevent

– Reclaims a candidate pageReclaims a candidate page

Virtual Address ServiceVirtual Address Service

Allocates capabilities for virtual Allocates capabilities for virtual addressesaddresses

Capability’s referent hasCapability’s referent has– Virtual addressVirtual address– LengthLength– Address Space IdentifierAddress Space Identifier

Interface has procedures Interface has procedures AllocateAllocate and and DeallocateDeallocate

Translation ServiceTranslation Service

Expresses relationship between Expresses relationship between virtual address and physical virtual address and physical memorymemory

Interprets 2 referencesInterprets 2 references– to virtual addressesto virtual addresses– to physical addressesto physical addresses

Constructs a map between themConstructs a map between them Installs this map in the MMUInstalls this map in the MMU

StrandsStrandsref: Figure 4 of SPIN paperref: Figure 4 of SPIN paper

INTERFACE Strand;

TYPE T <: REFANY; (* Strand.T is opaque *)

PROCEDURE Block (s:T);

PROCEDURE UnBlock(s:T);

PROCEDURE Checkpoint(s:T);

PROCEDURE Resume (s:T);

END Domain.

System PerformanceSystem Performance

Four Perspectives:Four Perspectives: System SizeSystem Size MicrobenchmarksMicrobenchmarks Networking Networking End-to-end performaneEnd-to-end performane

System component sizesSystem component sizes

Microbenchmarks: Microbenchmarks: Protected communicationProtected communication

Microbenchmarks: Microbenchmarks: Thread ManagementThread Management

Microbenchmarks: Microbenchmarks: Virtual MemoryVirtual Memory

Structure of Network Structure of Network StacksStacks

Microbenchmarks: Microbenchmarks: Network Latency and Network Latency and

BandwidthBandwidth

Ethernet and ATM applications using UDP/IP for both OSF/1 and SPIN

Microbenchmarks: Microbenchmarks: Network Protocol Network Protocol

ForwardingForwarding

End to End PerformanceEnd to End Performance

Other Issues: Other Issues: Scaling and DispatchScaling and Dispatch

Roundtrip Ethernet latencyRoundtrip Ethernet latency– Measures 565 Measures 565 μμss

50 GUARDs register interest in UDP 50 GUARDs register interest in UDP pkt and all GUARDs evaluate to falsepkt and all GUARDs evaluate to false– Measures 585 Measures 585 μμss

These same 50 GUARDs evaluate to These same 50 GUARDs evaluate to truetrue– Measures 637 Measures 637 μμss

Other Issues:Other Issues:Automatic Storage Automatic Storage

ManagementManagement SPIN uses trace-based mostly-SPIN uses trace-based mostly-

copying garbage collectorcopying garbage collector

None of previous measurement None of previous measurement benchmarks change if garbage benchmarks change if garbage collection disabledcollection disabled

Other Issues: Extension Other Issues: Extension SizesSizes

ConclusionsConclusions

SPIN achieves performance, without SPIN achieves performance, without sacrificing safetysacrificing safety

Enables an efficient way to extend Enables an efficient way to extend services along with basic set of core services along with basic set of core services services

Programming languages with the Programming languages with the appropriate feature support can be appropriate feature support can be used to construct future operating used to construct future operating systemssystems