Extensibility, Safety and Performance in the SPIN Operating System
B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczynski, D. Becker, C. Chambers, S. Eggers
Presenter: Judy Fischbach

Transcript
SPIN uses language and link-time mechanisms to export fine-grained interfaces.
– A type-safe language is used for extensions
– Extensions are dynamically linked into the OS kernel
Introduction
Desire: to match applications with the operating system implementation or interface.
– [von Eicken et al. '92]: high-performance parallel applications don't work well with network protocol implementations.
– [Stonebraker '81]: database applications perform poorly with the disk buffering/paging algorithms in the OS.
Goals and Approach
SPIN relies on four techniques:
– Co-location
– Enforced modularity
– Logical protection domains
– Dynamic call binding
The language and runtime provide support for these techniques.
SPIN System Overview
– Executes in the kernel's virtual address space
– Provides a set of extension and core system services
– Dynamically loads extensions into the kernel
– Written in Modula-3
Motivation
System structures are not set up well for specialization, and specializing them can be costly.
Why extensible?
– The system can be dynamically changed to meet the needs of a specific application.
Related Work
– Hydra [Wulf et al. '81]
– Microkernels [Bershad et al. '90]
– Cross-domain communication [Hamilton & Kougiouris '93]
– "Little languages" [Lee et al. '94]
– Code installed in the kernel at runtime [Heidemann & Popek '94]
– Software fault isolation [Wahbe et al. '93]
– Aegis [Engler et al. '95]
– Systems using language features (like SPIN) to extend operating system services [Cooper et al. '91]
SPIN Architecture
Two models:
– Protection
– Extension
Protection Model
Controls the set of operations that can be used with resources.
Capabilities, what are they?
– Definition: an unforgeable reference to a resource
– Implemented using pointers
– Pointer definition: a reference to a memory block whose type is defined within an interface
Example: Definition and use of interfaces/capabilities in SPIN (ref: Figure 1 of SPIN paper)

INTERFACE Console;                  (* An interface. *)
TYPE T <: REFANY;                   (* Read as "Console.T is opaque" *)
CONST InterfaceName = "ConsoleService"; (* A global name *)
PROCEDURE Open(): T;                (* Open returns a capability for the console. *)
PROCEDURE Write(t: T; msg: TEXT);
PROCEDURE Read(t: T; VAR msg: TEXT);
PROCEDURE Close(t: T);
END Console;

MODULE Console;                     (* An implementation module *)
(* The implementation of Console.T *)
TYPE Buf = ARRAY [0..31] OF CHAR;
REVEAL T = BRANDED REF RECORD       (* T is a pointer *)
  inputQ: Buf;                      (* to a record *)
  outputQ: Buf;
  (* device specific info *)
END;
(* Implementations of interface functions *)
(* have direct access to the revealed type *)
PROCEDURE Open(): T = ...
END Console;

MODULE Gatekeeper;                  (* A client *)
IMPORT Console;
VAR c: Console.T;                   (* A capability for *)
                                    (* the console device *)
PROCEDURE IntruderAlert() =
BEGIN
  c := Console.Open();
  Console.Write(c, "Intruder Alert");
  Console.Close(c);
END IntruderAlert;
BEGIN
END Gatekeeper;
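The same Console interface written in Rust, as an added example that is not code from the SPIN paper or from this presentation. It shows the mechanism the protection model rests on: Console.T is a pointer whose representation is revealed only inside the implementing module, so a client can obtain one only from Open and cannot forge one from an integer or a cast. The names Open/Write/Read/Close and the 32-byte queues (ARRAY [0..31] OF CHAR) come from Figure 1; the queue behaviour (append, drop bytes that do not fit, flush on Close), the seeded input text, and Close consuming the capability are assumptions made here for illustration.

```rust
// Added example (not from the SPIN paper or its slides): Figure 1's
// Console capability modelled in Rust. Queue semantics, the sample
// input and move-on-close are assumptions of this example.

pub mod console {
    /// Buf = ARRAY [0..31] OF CHAR
    const BUF_LEN: usize = 32;
    /// Constructed sample input, as if the device had bytes queued.
    const SAMPLE_INPUT: &[u8] = b"boot: ok";

    /// The revealed representation; visible only inside this module.
    struct Record {
        input_q: Vec<u8>,  // at most BUF_LEN bytes
        output_q: Vec<u8>, // at most BUF_LEN bytes
    }

    /// Console.T: a pointer to a Record. Clients see an opaque type:
    /// no public constructor and no public field, so it cannot be
    /// forged or fabricated from an integer the way a raw pointer could.
    pub struct T(Box<Record>);

    /// Open returns a capability for the console.
    pub fn open() -> T {
        T(Box::new(Record {
            input_q: SAMPLE_INPUT.to_vec(),
            output_q: Vec::new(),
        }))
    }

    /// Queue `msg` for output; returns the number of bytes accepted.
    /// Bytes that do not fit in the 32-byte queue are dropped rather
    /// than written past its end: the bound is enforced by the
    /// implementation, not trusted to the client.
    pub fn write(t: &mut T, msg: &str) -> usize {
        let room = BUF_LEN - t.0.output_q.len();
        let accepted = msg.len().min(room);
        t.0.output_q.extend_from_slice(&msg.as_bytes()[..accepted]);
        accepted
    }

    /// Drain queued input into `msg`.
    pub fn read(t: &mut T, msg: &mut String) {
        msg.push_str(&String::from_utf8_lossy(&t.0.input_q));
        t.0.input_q.clear();
    }

    /// Close consumes the capability: `t` is moved in, so any later
    /// use by the caller is a compile-time error. Returns the bytes
    /// flushed to the device.
    pub fn close(t: T) -> Vec<u8> {
        let record = *t.0;
        record.output_q
    }
}

/// A client, after MODULE Gatekeeper in Figure 1. It can use the
/// capability only through the Console interface; `c.0` would not
/// compile here because the field is private to `console`.
pub mod gatekeeper {
    use super::console;

    /// IntruderAlert: open, write the alert, close. Returns what was
    /// flushed so the result can be checked.
    pub fn intruder_alert() -> Vec<u8> {
        let mut c = console::open();
        console::write(&mut c, "Intruder Alert");
        console::close(c)
    }
}

fn main() {
    let flushed = gatekeeper::intruder_alert();
    println!("{}", String::from_utf8_lossy(&flushed));
}
```

Module privacy plays the role that the opaque type declaration `T <: REFANY` and `REVEAL` play in Modula-3: the client module compiles against the interface alone. One step beyond the figure is that `close` takes the capability by value, so the compiler rejects use after close; in the Modula-3 original nothing in the interface prevents a client from reusing `c` after `Console.Close(c)`.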
Protection Domains
Generally, a protection domain is the set of accessible names available to an execution context.
But it is different for SPIN:
– The name and protection interface is at the language level, not at the virtual memory level
– A protection domain defines the set of names that can be referenced by code with access to that domain
More about Domains
Domains can be intersecting or disjoint.
Operations:
– Create: initializes a domain
– Resolve: matches unresolved symbols in the target against those exported from the source
– Combine: creates linkable namespaces that consist of the union of existing domains
Domain Interface (ref: Figure 2 of SPIN paper)
INTERFACE Domain;
TYPE T <: REFANY; (* Domain.T is opaque *)
PROCEDURE Create (coff:CoffFile.T):T;
PROCEDURE CreateFromModule():T;
PROCEDURE Resolve(source, target: T);
PROCEDURE Combine (d1, d2: T): T;
END Domain.
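A model of the Domain operations of Figure 2 in Rust, as an added example that is not code from the SPIN paper or this presentation. It makes the "names at the language level" point concrete: a domain can call a symbol only if it defines it or a Resolve step bound it, and an extension is linkable only once nothing it references is left dangling. Object files are represented by constructed symbol lists rather than real COFF; the `Domain` struct, its fields, the domain labels and the `can_call`/`is_linkable` checks are assumptions of this example.

```rust
// Added example (not from the SPIN paper): Figure 2's Domain interface
// (Create, CreateFromModule, Resolve, Combine) over constructed symbol
// lists. The struct layout and helper checks are assumptions made here.

use std::collections::{BTreeMap, BTreeSet};

/// Stand-in for CoffFile.T: what an object file defines and which
/// external symbols it still needs. Constructed; a real implementation
/// would parse a COFF object file.
pub struct CoffFile {
    pub defines: Vec<&'static str>,
    pub needs: Vec<&'static str>,
}

/// Domain.T. Names are bound at the language level, not by virtual
/// memory: code in this domain may reference only its own exports and
/// the symbols in `bound`, and `bound` grows only through `resolve`.
#[derive(Debug, Clone, Default)]
pub struct Domain {
    label: String,
    exports: BTreeMap<String, String>, // symbol -> domain that defines it
    unresolved: BTreeSet<String>,
    bound: BTreeMap<String, String>,   // imported symbol -> providing domain
}

impl Domain {
    pub fn unresolved(&self) -> Vec<String> {
        self.unresolved.iter().cloned().collect()
    }
    pub fn provider(&self, symbol: &str) -> Option<&str> {
        self.bound.get(symbol).map(String::as_str)
    }
    /// A symbol is callable only if this domain defines it or a Resolve
    /// step bound it; anything else is simply not a name in this domain.
    pub fn can_call(&self, symbol: &str) -> bool {
        self.exports.contains_key(symbol) || self.bound.contains_key(symbol)
    }
    /// An extension may be linked into the kernel only once no name it
    /// references is left unresolved.
    pub fn is_linkable(&self) -> bool {
        self.unresolved.is_empty()
    }
}

/// Domain.Create: a domain created from the given object file.
pub fn create(coff: &CoffFile, label: &str) -> Domain {
    let mut d = Domain { label: label.to_string(), ..Default::default() };
    for s in &coff.defines {
        d.exports.insert(s.to_string(), label.to_string());
    }
    for s in &coff.needs {
        if !d.exports.contains_key(*s) {
            d.unresolved.insert(s.to_string());
        }
    }
    d
}

/// Domain.CreateFromModule: a module naming and exporting itself.
pub fn create_from_module(label: &str, interface: &[&'static str]) -> Domain {
    create(&CoffFile { defines: interface.to_vec(), needs: Vec::new() }, label)
}

/// Domain.Resolve: bind the target's unresolved symbols against the
/// source's exports. Returns how many symbols were bound.
pub fn resolve(source: &Domain, target: &mut Domain) -> usize {
    let pending: Vec<String> = target.unresolved.iter().cloned().collect();
    let mut bound = 0;
    for s in pending {
        if let Some(provider) = source.exports.get(&s) {
            target.bound.insert(s.clone(), provider.clone());
            target.unresolved.remove(&s);
            bound += 1;
        }
    }
    bound
}

/// Domain.Combine: an aggregate domain exporting the interfaces of both.
pub fn combine(d1: &Domain, d2: &Domain) -> Domain {
    let mut d = Domain { label: format!("{}+{}", d1.label, d2.label), ..Default::default() };
    d.exports.extend(d1.exports.iter().map(|(k, v)| (k.clone(), v.clone())));
    d.exports.extend(d2.exports.iter().map(|(k, v)| (k.clone(), v.clone())));
    d
}

fn main() {
    let console = create_from_module("Console", &["Console.Open", "Console.Write", "Console.Close"]);
    let mut gate = create(&CoffFile { defines: vec!["Gatekeeper.IntruderAlert"],
                                      needs: vec!["Console.Open", "Console.Write", "Console.Close"] },
                          "Gatekeeper");
    resolve(&console, &mut gate);
    println!("Gatekeeper linkable: {}", gate.is_linkable());
}
```

Resolving the same target twice against one source binds nothing new, and a symbol a domain was never resolved against (say `Disk.Read`) stays outside its namespace even if some other domain in the kernel exports it; that is the language-level boundary the slides contrast with virtual-memory protection.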
Extension Model
Provides controlled communication between extension and system.
As an example, an extension could…
– Monitor system activity
– Send performance information to
– 50 guards register interest in a UDP packet and all guards evaluate to false: measures 585 μs
– The same 50 guards evaluate to true: measures 637 μs
Other Issues: Automatic Storage
None of the previous measurement benchmarks change if garbage collection is disabled.
Other Issues: Extension Sizes
Conclusions
– SPIN achieves performance without sacrificing safety.
– It enables an efficient way to extend services along with a basic set of core services.
– Programming languages with the appropriate feature support can be used to construct future operating systems.