Formal Requirements for Virtualizable Third Generation Architectures
Authors: Gerald J. Popek and Robert P. Goldberg
Prepared by: Fazle Elahi Faisal and Tariq Iqbal
Introduction
• A virtual machine (VM) is an efficient, isolated duplicate of a real machine.
• A virtual machine monitor (VMM) is a piece of software which
◦ Provides an environment for programs that is essentially identical with the original machine
◦ Allows programs to run in that environment with only an insignificant decrease in speed
◦ Is in complete control of system resources
Introduction (cont)
Contribution of the paper
◦ A model of a third-generation-like computer has been developed
◦ Precise sufficient conditions to test whether an architecture can support virtual machines have been derived
Machine States
S = <E, M, P, R>
(E: executable storage, M: processor mode, P: program counter, R: relocation register)
• The state S is intended to specify the current state of the real computer system.
• The machine can exist in any one of a finite number of states, where each state has four components.
Machine States (cont): Executable Storage
• Executable storage E is a conventional word- or byte-addressed memory of size q.
• E[i] refers to the contents of the i-th unit of storage in E.
• E = E´ iff E[i] = E´[i] for all 0 ≤ i < q.
Machine States (cont): Processor Mode
• Operating modes of some computer architectures that place restrictions on the type and scope of operations
• Supervisor mode (s): the complete instruction repertoire is available to the processor.
• User mode (u): the complete instruction repertoire is not available to the processor.
Machine States (cont): Program Counter
• The program counter P is an address relative to the contents of R (explained on the next slide), which acts as an index into E, indicating the next instruction to be executed.
Machine States (cont): Relocation Register
• Memory addressing is done relative to the contents of a relocation register.
• The relocation register R consists of a tuple (l, b)
◦ l = absolute address
◦ b = absolute size
Program Status Word
• The contents of the triplet <M, P, R> are often referred to as the program status word (PSW).
• Each PSW is assumed to be recorded in one storage location.
• E[0] is assumed to store the old PSW; E[1] is assumed to store the new PSW.
Instruction
• An instruction is a discrete statement of a processor that usually specifies arithmetic, addressing, or control functions on registers or memory locations.
• Given a set of states C, an instruction i is a function from C to C, i: C → C.
• For example, i(S1) = S2, or i(E1, M1, P1, R1) = (E2, M2, P2, R2).
Traps
• A trap is a type of interrupt caused by an exceptional condition, e.g. a “memory trap”.
• A trap automatically saves the current state of the machine and passes control to a pre-specified routine by changing M, R, P to the values specified in the new-PSW location.
Traps (cont)
• An instruction i is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where
◦ E2[j] = E1[j], for 0 < j < q
◦ E2[0] = (M1, P1, R1)
◦ (M2, P2, R2) = E1[1]
• The state of the machine is stored in such a way that it can be restored to the point at which the instruction causing the trap was executed.
Memory Trap
• A memory trap is a trap caused as a result of an attempt by an instruction to develop an address which is greater than the bounds in R or physical memory.
• With R = (l, b), when an instruction produces a relative address a:
  if a + l ≥ q then memory-trap
  else if a ≥ b then memory-trap
  else use E[a + l]
Types of Instructions
• Privileged instruction
• Sensitive instruction
◦ Control sensitive
◦ Behavior sensitive (location sensitive, mode sensitive)
• Innocuous instruction
Privileged Instruction
Intuitively, if an instruction traps in user mode but does not trap in supervisor mode, then the instruction is privileged.
Privileged Instruction (cont)
• Instruction i is privileged iff, for a pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r>,
◦ neither i(S1) nor i(S2) memory traps
◦ i(S2) traps but i(S1) does not
• Example: IBM System/360 LPSW
  if M = s then load_PSW
  else trap
• Example: Honeywell 6000 LBAR, DEC PDP-10 DATAO APR
  if M = s then load_R
  else trap
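The definitions of trap, memory trap and privileged instruction above, carried into a small executable model. This is an added example, not code from the paper or the slides; the 16-cell memory, the placement of the PSW operand at relative address 2, and the names access, trap, trapped and is_privileged are assumptions made here.

```python
# Added example, not from the paper or the slides: a model of S = <E, M, P, R>,
# the trap and memory-trap rules, and the slides' test for a privileged instruction.
from typing import Callable, List, Tuple

Reg = Tuple[int, int]                  # relocation register R = (l, b)
State = Tuple[List, str, int, Reg]     # <E, M, P, R>, M is "s" or "u"

class MemoryTrap(Exception): ...       # address outside R's bound or physical memory
def access(e: List, r: Reg, a: int):
    """Relative address a under R = (l, b) resolves to E[a+l] or memory-traps."""
    l, b = r
    if a + l >= len(e) or a >= b:
        raise MemoryTrap(a)
    return e[a + l]

def trap(s: State) -> State:
    """E2[0] = old PSW <M1,P1,R1>; (M2,P2,R2) = E1[1]; other cells unchanged."""
    e, m, p, r = s
    e2 = list(e)
    e2[0] = (m, p, r)
    m2, p2, r2 = e[1]
    return (e2, m2, p2, r2)

def trapped(before: State, after: State) -> bool:
    """The slides' definition of 'i(S1) traps', checked on the two states."""
    e1, m1, p1, r1 = before
    e2, m2, p2, r2 = after
    return e2[0] == (m1, p1, r1) and (m2, p2, r2) == e1[1] and e2[1:] == e1[1:]

def lpsw(s: State) -> State:
    """IBM System/360 LPSW per the slide: if M = s then load PSW else trap."""
    e, m, p, r = s
    if m == "s":
        m2, p2, r2 = access(e, r, 2)   # assumption: PSW operand at relative address 2
        return (e, m2, p2, r2)
    return trap(s)

def is_privileged(instr: Callable[[State], State], e: List, p: int, r: Reg) -> bool:
    """Privileged iff for S1=<e,s,p,r>, S2=<e,u,p,r>: no memory trap, i(S2) traps, i(S1) not."""
    s1, s2 = (e, "s", p, r), (e, "u", p, r)
    try:
        t1, t2 = instr(s1), instr(s2)
    except MemoryTrap:
        return False
    return trapped(s2, t2) and not trapped(s1, t1)

# Constructed 16-cell memory: E[1] = new PSW (handler at 4, supervisor, R=(0,16)); program space R=(8,4), PSW operand at E[10].
DEMO_E: List = [None] * 16
DEMO_E[1] = ("s", 4, (0, 16))
DEMO_E[10] = ("u", 0, (8, 4))
```

An instruction that only advances P is innocuous under the same test, and shrinking the bound b so that the operand lies outside R makes both runs memory-trap, which the definition excludes.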
Sensitive Instruction
• Sensitive instructions are those that interact with the hardware.
• There are two types of sensitive instruction:
◦ Control sensitive
◦ Behavior sensitive
Control Sensitive Instruction
• An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1> with i(S1) = S2 = <e2, m2, p2, r2> such that
◦ i(S1) does not memory trap
◦ (a) r1 ≠ r2, or (b) m1 ≠ m2, or (c) both hold
• Intuitively, an instruction is control sensitive if it attempts to change the relocation register (R), or the mode (M), or both.
Behavior Sensitive Instruction
• Before we define behavior sensitive instructions, we need to define the following two operators:
◦ “⊕”: if r = (l, b), then r´ = r ⊕ x = (l+x, b), i.e. the relocation part l is shifted by the value of x.
◦ “|”: the notation E|R means the contents of the part of memory that can be accessed from a particular state, as specified by the relocation register R.
Behavior Sensitive Instruction (cont)
Combining “⊕” and “|”:
◦ E | r ⊕ x represents the contents of memory from [l+x] to [l+b+x]
◦ E | r = E´ | r ⊕ x means that E[l+i] = E´[l+x+i] for 0 ≤ i < b
Behavior Sensitive Instruction (cont)
• An instruction i is behavior sensitive if there exist an integer x and states
◦ S1 = <e|r, m1, p, r>
◦ S2 = <e|r ⊕ x, m2, p, r ⊕ x>
where
◦ i(S1) = <e1|r, m1, p1, r>
◦ i(S2) = <e2|r ⊕ x, m2, p2, r ⊕ x>
◦ neither i(S1) nor i(S2) memory traps
such that (a) e1|r ≠ e2|r ⊕ x, or (b) p1 ≠ p2, or (c) both hold.
• An instruction is behavior sensitive if the effect of its execution depends on the value of the relocation register (R) or the mode (M).
Behavior Sensitive Instruction (cont)
There are two types of behavior sensitive instructions:
◦ Location sensitive: an instruction is location sensitive if its execution behavior depends on its location in real memory.
◦ Mode sensitive: an instruction is mode sensitive if its execution behavior depends on the processor mode (M).
Innocuous Instruction
An instruction is innocuous if it is not sensitive.
Virtual Machine Monitor
The virtual machine monitor (VMM) is a particular piece of software (called the control program) with the following parts:
◦ Dispatcher
◦ Allocator
◦ Interpreter
Virtual Machine Monitor (cont)
• Dispatcher (D): the top-level control module of the control program.
• Allocator (A): decides on allocating the system resources to a virtual machine (VM). Given that a VMM hosts several VMs, it is the allocator’s task to avoid giving the same resource to more than one VM concurrently.
• Interpreter: simulates the effect of a privileged instruction when it is trapped. There is one interpreter routine per privileged instruction. Given that vi represents the series of instructions of an interpretive routine, {vi} denotes the set of all interpretive routines, i = 1 to m, where m is the number of privileged instructions.
Control Program
• A control program (CP) is specified by its three parts: CP = <D, A, {vi}>
◦ D: Dispatcher
◦ A: Allocator
◦ {vi}: Set of interpretive routines
• The CP is assumed to run in supervisor mode, whereas all other programs are assumed to run in user mode.
Virtual Machine Properties
There are three properties of interest when any arbitrary program is run while the control program is resident:
◦ Efficiency
◦ Resource control
◦ Equivalence
Efficiency
• A program running in the VMM environment shows at worst only minor decreases in speed.
• All innocuous instructions are executed by the hardware directly, without intervention on the part of the control program.
Resource Control
• The VMM is in complete control of system resources.
• An arbitrary program cannot affect the system resources, e.g. memory.
• The allocator of the control program is to be invoked upon any attempt to affect system resources.
Equivalence
• The VMM provides an environment for programs which is essentially identical with the original machine.
• More specifically, a program K executing with a CP resident performs in a manner indistinguishable from the case when the CP does not exist.
Exceptions to the Equivalence Property
• Timing
◦ Because of the occasional intervention of the CP, certain instruction sequences in K may take longer to execute.
• Resource availability
◦ The allocator does not satisfy a request that attempts to change the relocation register (R).
Virtual Machine
• The environment which any program sees when running with a virtual machine monitor present is called a virtual machine (VM).
• It is composed of the original real machine and the VMM.
Third Generation Computer
A third generation computer provides the following mechanisms:
◦ Relocation mechanisms
◦ Supervisor/user mode
◦ Trap mechanisms
Theorem 1: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
Set of Machine States
• C: the set of machine states
• Cv: the set of states for which the VMM is present in memory
• Cr: the set of states of the real machine without a VMM
Set of Instruction Sequences
• I is the set of instruction sequences, where each instruction sequence en(S1) = ij…k(S1) = S2 has n instructions.
Virtual Machine Map
• A virtual machine map (VM map) f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the instruction sequence set I.
• Intuitively, for any state Si ∈ Cr and any instruction sequence ei, there exists an instruction sequence ei´ such that f(ei(Si)) = ei´(f(Si)).
Virtual Machine Map (cont)
Properties
◦ Mathematical existence of a particular mapping from the states of the real machine to the virtual machine system.
◦ Actual existence of instruction sequences ei´ on the Cv domain that correspond to the sequences ei on the Cr domain.
Virtual Machine Map (cont)
Essentially identical effect
◦ Two machines are started, one in state S1, the other in state S1´ = f(S1)
◦ The VMM is equivalent to the real machine iff for any state S1, if the real machine halts in state S2, then the VM halts in state S2´ = f(S2)
A Demonstration of a VM Map
Assumptions
◦ The control program occupies the first k locations of physical memory
◦ The VM occupies the next w locations
◦ f(E, M, P, R) = (E´, M´, P´, R´), where S = <E, M, P, R> is the machine without a VMM present
A Demonstration of a VM Map (cont)
VM map
◦ E´[i+k] = E[i], for i = 0 to w – 1
◦ E´[i] = the control program, for i = 2 to k – 1
◦ E´[1] = <m´, p´, r´>, where m´ = supervisor, p´ = first location of the control program, r´ = (0, q–1)
◦ E´[0] = <m, p, r> as last set by the trap handler
◦ M´ = u (user)
◦ P´ = p
◦ R´ = (l+k, b), where R = (l, b)
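The map f just listed, as an added example (not the paper's or the slides' code), applied to a constructed 8-cell real machine and checked against an innocuous store instruction: f(i(S)) and i(f(S)) agree on the VM's own region and PSW. The placeholder CP_CODE, the store_rel instruction, vm_region and the cell sizes are assumptions made here; E´[0] is excluded from the comparison because the slide defines it as whatever the trap handler last stored.

```python
# Added example, not from the paper or the slides: the VM map f from the demonstration,
# checked on a constructed memory against an innocuous instruction (store via R).
from typing import List, Tuple

State = Tuple[List, str, int, Tuple[int, int]]   # <E, M, P, R>, R = (l, b)
CP_CODE = "CP"   # placeholder standing in for control-program code at E´[2..k-1]

class MemoryTrap(Exception): ...

def vm_map(s: State, k: int, q: int) -> State:
    """f(E,M,P,R) = (E´,M´,P´,R´) per the slides; VM size w = len(E), real size q."""
    e, m, p, (l, b) = s
    w = len(e)
    if k + w > q:
        raise ValueError("VM does not fit above the control program")
    e2: List = [None] * q
    for i in range(w):
        e2[i + k] = e[i]                  # E´[i+k] = E[i], i = 0 .. w-1
    for i in range(2, k):
        e2[i] = CP_CODE                   # E´[i] = the control program
    e2[1] = ("s", 2, (0, q - 1))          # new PSW: supervisor, CP entry, r´ = (0, q-1)
    e2[0] = (m, p, (l, b))                # old PSW slot, as the trap handler would leave it
    return (e2, "u", p, (l + k, b))       # M´ = u, P´ = p, R´ = (l+k, b)

def store_rel(s: State, a: int, v) -> State:
    """Innocuous instruction: store v at relative address a (E[a+l]) and advance P."""
    e, m, p, (l, b) = s
    if a >= b or a + l >= len(e):
        raise MemoryTrap(a)
    e2 = list(e)
    e2[a + l] = v
    return (e2, m, p + 1, (l, b))

def vm_region(s: State, k: int) -> Tuple[List, str, int, Tuple[int, int]]:
    """The parts of a mapped state that belong to the VM: E´[k:], M´, P´, R´."""
    e, m, p, r = s
    return (e[k:], m, p, r)

def commutes(s: State, k: int, q: int, a: int, v) -> bool:
    """Equivalence check: f(i(S)) and i(f(S)) agree on the VM's region and PSW."""
    real_then_map = vm_map(store_rel(s, a, v), k, q)
    map_then_run = store_rel(vm_map(s, k, q), a, v)
    return vm_region(real_then_map, k) == vm_region(map_then_run, k)

# Constructed real machine: w = 8 cells, program space R = (2, 4), user mode, P = 0.
REAL_S: State = ([None] * 8, "u", 0, (2, 4))
```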
Recursive Virtualization
Intuitively, a machine is recursively virtualizable if
1. The virtual machine system can run under itself a copy of the VMM so that the copy exhibits all the properties of a VMM.
2. Procedure 1 can be repeated until the resources of the system are consumed.
Theorem 2: A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
Recursive Virtualization (cont)
• A VMM is guaranteed to produce an environment in which a large class of programs run with effect identical to that on the real machine.
• The performance of the VMM running on the real machine and under other VMMs will be indistinguishable.
Source: J. Smith et al., Virtual Machines: Versatile Platforms for Systems and Processes
Hybrid Virtual Machines
• Very few third generation architectures are virtualizable.
• The definition of a third generation architecture has been relaxed to a more general, but less efficient, form that is labeled a hybrid virtual machine (HVM) system.
• More instructions are interpreted rather than directly executed in an HVM.
Hybrid Virtual Machines (cont)
• An instruction i is said to be user sensitive if there exists a state S = <E, u, P, R> for which i is control sensitive or behavior sensitive.
• User sensitivity is only applicable in user mode.
• Intuitively, the user sensitive instructions are the instructions that cause difficulty when executed from user mode.
Hybrid Virtual Machines (cont)
• An instruction i is said to be supervisor sensitive if there exists a state S = <E, s, P, R> for which i is control sensitive or behavior sensitive.
• Supervisor sensitivity is only applicable in supervisor mode.
Hybrid Virtual Machines (cont)
• A VM and an HVM are identical except that all instructions in virtual supervisor mode will be interpreted in the HVM.
Theorem 3: A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.
Conclusion
• A formal model of a third generation computer has been developed.
• Necessary and sufficient conditions have been derived to determine whether a third generation machine can support a VMM.
• I/O resources and instructions, asynchronous events, or more complex memory mapping schemes can be added as straightforward extensions to the basic model.
Reference
[1] G. Popek, R. Goldberg, “Formal requirements for virtualizable third generation architectures”, Commun. ACM, vol. 17, pp. 412-421, 1974.