The Alta Operating System Patrick Tullmann Masters Thesis Defense University of Utah.

The Alta Operating SystemThe Alta Operating System

Patrick Tullmann

Masters Thesis Defense

University of Utah

AltaAltaAlta is an operating system in a

Java Virtual MachineManages multiple applications on a

single JVMSupports the Fluke OS nested

process model (NPM)

Research GoalsResearch GoalsCan I change the protection

mechanism in an OS model?Can I provide safe, controlled

sharing between Java processes?

Airline DatabaseAirline Database

Public Area

Registered Agents

Motivation: Servlet EngineMotivation: Servlet Engine

MorrisUniglobe

UTUT NVNV

MotivationMotivationJava Virtual Machine provides:– Safety– Platform independence

Java-based systems need:–Multiple “user” management– Resource management– Flexible & extensible control

ApproachApproachTraditional OS a good model– Hardware provides safety mechanism– OS provides management

Fluke OS nested process model

Fluke BackgroundFluke BackgroundMicrokernel– Threads, mutexes, IPC, …–Manages CPU and memory

User-level services – File, Network, …

Nested process model– Structured–Well defined

Nested Process ModelNested Process ModelA model of how processes interactHierarchical: parent process provides

resources

Parent Process

Child BChild A

11 22

Mapping an OS into JavaMapping an OS into JavaType safety replaces hardware page

protectionsBytecodes replace simple

instructionsNative methods replace privileged

instructionsAll higher-level abstractions are

equivalent

Goals for AltaGoals for AltaSupport Fluke features for process

management–Mimic Fluke structure– Provide parent process with control

Acceptable performanceMaintain backwards compatibility– Existing Java apps should work

Design of AltaDesign of AltaFour design aspects (really seven)–Maintain “whole JVM” illusion– Per-process, flexible typespaces– Inter-process sharing– Sharing & resource control– IPC-based interfaces– Exportable kernel state– Kernel implementation

Design of AltaDesign of AltaFour design aspects –Maintain “whole JVM” illusion– Per-process, flexible typespaces– Inter-process sharing– Sharing & resource control

Design of AltaDesign of AltaFour design aspects–Maintain “whole JVM” illusion– Per-process, flexible typespaces– Inter-process sharing– Sharing & resource control

Per-process TypespacesPer-process TypespacesTypespace: Set of name to class

bindings in a processExtension of the NPM to JavaParent process resolves all class

names– Enables access controls– Enables code control in child process– Problems with native methods– Poses problems for sharing

Per-process TypespacesPer-process TypespacesImplies class has no fixed nameImplies there can be inconsistencies– Different notion of ‘File’– Same notion of ‘Directory’

Design of AltaDesign of AltaFour design aspects–Maintain “whole JVM” illusion– Per-process, flexible typespaces– Inter-process sharing– Sharing & resource control

Inter-process SharingInter-process SharingAlta allows limited inter-process

sharing– Initial sharing via IPC– Sharing through other shared objects

Processes can have inconsistent typesInter-process type inconsistencies can

destroy a JVM– pointer forging

Inter-process Type CheckingInter-process Type CheckingAlta ensures equivalent types for all

shared objectsEffective limits on shareable types:– Completely consistent field types– Only allows non-polymorphic fields

Design of AltaDesign of AltaFour design aspects–Maintain “whole JVM” illusion– Per-process, flexible typespaces– Inter-process sharing– Sharing & resource control

Sharing & Resource ControlSharing & Resource ControlSharing complicates resource

control– Termination of process that has

“exported” objectsAlta lets applications control sharing– Nested process model enables

constrained sharing

User-level Shared ObjectsUser-level Shared Objects

Child allocates -> Parent references– Harmless. If parent dies then child dies

– Useful. Child can pass IPC arguments

Sibling allocates -> Sibling references– Allowable. Parent trades communication

costs for separation

Parent allocates -> Child references– Standard server behavior

– Cannot deallocate without child’s cooperation

Results & EvaluationResults & EvaluationMicro-benchmark measurementsComparison with Fluke– Structure– Performance

PlatformPlatformBase system– Kaffe Java virtual machine

Platform–Measurements from a 300 Mhz PII– Java code is JIT compiled

Micro-benchmarksMicro-benchmarksAlta vs. Kaffe– Basic VM operations are ~ unchanged– 50-100 cycle overhead on object

allocation Kaffe/Alta vs. Microsoft JVM– Three (or more) times slower

Alta vs. Fluke: StructureAlta vs. Fluke: StructureUse similar internal organization– Both implement a “red line” [Back 1999]– Fully preemptible kernel

Alta allows kernel / user data sharing Alta’s kernel is almost malloc-less– Except some JVM-internal structures

Alta vs. Fluke: PerformanceAlta vs. Fluke: PerformanceAlta wins:– Null system call

• 192 cycles (vs. 302 in Fluke)

– Optimal thread switch• 185 cycles (vs. 519 in Fluke)

Fluke wins everything else, e.g., – Null IPC round trip

• 18,524 cycles (64 µs) vs. 7,519 cycles in Fluke

– Process creation:• ~11.9M cycles (39 ms) vs. 1M cycles in Fluke

Performance EvaluationPerformance EvaluationAlta hampered by poor JIT compiler– GCJ will improve this– Alta kernel is C-like– HotSpot, etc provide interesting

opportunitiesAlta can be optimized, too– Static definition of a typespace– Better kernel synchronization– Incorporate recent Fluke optimizations

Related Work: JavaRelated Work: Java [Balfanz 1998], [Bernadat 1998], [Sun 1998]J-Kernel [Hawblitzel 1998]

– Pure Java

– No inter-process sharingKaffeOS [Back 1999]

–More restrictive sharing

– Resource management focus• Per-process heaps• GC time accounting• ...

Related Work: OSRelated Work: OSPilot / Cedar / Mesa [Redell 1980],

[Swinehart 1986]Oberon / Juice [Franz 1996]Inferno [Dorward 1998]SPIN [Bershad 1995]Vino [Seltzer 1996]

Future WorkFuture WorkResource accounting & GCFormal analysis of Alta type systemFluke & Alta integrationAlta-specific applications

ContributionsContributionsAlta demonstrates applicability

of OS abstractions to JavaThe Fluke NPM with a different

protection mechanism Multiple application support in a JVMType-safe sharing between

inconsistent typespaces