Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P....
-
date post
19-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P....
![Page 1: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/1.jpg)
Extensibility, Safety and Extensibility, Safety and Performance in the Performance in the
SPIN Operating SPIN Operating SystemSystem
B. N. Bershad, S. Savage, P. B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Pardyak, E. G. Sirer, M. E.
Fiuczyski, D. Becker, C. Chambers, Fiuczyski, D. Becker, C. Chambers, S. EggersS. Eggers
Presenter: Judy FischbachPresenter: Judy Fischbach
![Page 2: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/2.jpg)
ContributionsContributions
New extensible OS system (SPIN)New extensible OS system (SPIN) It allows applications to change OSIt allows applications to change OS
– InterfaceInterface– ImplementationImplementation
It uses languages and link-time mechanismsIt uses languages and link-time mechanisms– To export fine grain interfacesTo export fine grain interfaces
Type safe language used for extensionsType safe language used for extensions Extensions dynamically linked into OS Extensions dynamically linked into OS
kernelkernel
![Page 3: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/3.jpg)
IntroductionIntroduction
Desire: To match applications with Desire: To match applications with operating system implementation or operating system implementation or interfaceinterface
[Von Eicken et al ’92][Von Eicken et al ’92]– High performance parallel apps don’t High performance parallel apps don’t
work well with network protocol work well with network protocol implementations.implementations.
[Stonebraker ’81] [Stonebraker ’81] – Database apps perform poorly with disk Database apps perform poorly with disk
buffering/paging algorithms in OSbuffering/paging algorithms in OS
![Page 4: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/4.jpg)
Goals and ApproachGoals and Approach
Spin relies on four techniques:Spin relies on four techniques:– Co-locationCo-location– Enforced modularityEnforced modularity– Logical protection domainsLogical protection domains– Dynamic call bindingDynamic call binding
The language and runtime provide The language and runtime provide support for these techniquessupport for these techniques
![Page 5: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/5.jpg)
SPIN System OverviewSPIN System Overview
Executes in kernel’s virtual Executes in kernel’s virtual address spaceaddress space
Provides a set of extension and Provides a set of extension and core system servicescore system services
Dynamically loads into kernel Dynamically loads into kernel Written in Modula-3Written in Modula-3
![Page 6: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/6.jpg)
MotivationMotivation
System structures are not setup System structures are not setup well for specialization and can be well for specialization and can be costlycostly
Why extensible?Why extensible?– The system can be dynamically be The system can be dynamically be
changed to meet needs of a specific changed to meet needs of a specific applicationapplication
![Page 7: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/7.jpg)
Related WorkRelated Work
Hydra [Wulf et al ’81]Hydra [Wulf et al ’81] Microkernels [Bershad et al ‘90]Microkernels [Bershad et al ‘90] Cross-Domain Communication Cross-Domain Communication
[Hamilton & Kourgiouris ’93][Hamilton & Kourgiouris ’93] ““Little Languages” [Lee et al ’94]Little Languages” [Lee et al ’94] Code install in kernel at runtime Code install in kernel at runtime
[Heidemann & Popek ’94][Heidemann & Popek ’94]
![Page 8: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/8.jpg)
Related WorkRelated Work
Software Fault Isolation [Wahbe Software Fault Isolation [Wahbe et al ’93]et al ’93]
Aegis [Engler et al ’95]Aegis [Engler et al ’95] Systems using language features Systems using language features
(like SPIN) to extend operating (like SPIN) to extend operating system services [Cooper et al ’91]system services [Cooper et al ’91]
![Page 9: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/9.jpg)
SPIN ArchitectureSPIN Architecture
Two Models
Protection Extension
![Page 10: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/10.jpg)
Protection ModelProtection Model
Controls set of operations that Controls set of operations that can be used with resourcescan be used with resources
Capabilites, what are they?Capabilites, what are they?– Definition: Definition:
An unforged reference to a resource An unforged reference to a resource
– Implemented using PointersImplemented using Pointers– Pointer Definition: Pointer Definition:
A reference to a memory block whose A reference to a memory block whose type is defined within an interfacetype is defined within an interface
![Page 11: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/11.jpg)
Example: Definition and use Example: Definition and use of interfaces/capabilities in of interfaces/capabilities in
SPINSPINref: Figure 1 of SPIN paperref: Figure 1 of SPIN paper
INTERFACE Console; (* An Interface. *)TYPE T <: REFANY; (* Read as “Console.T is opaque” *)
CONST InterfaceName = “ConsoleService” (* A global name *)
PROCEDURE Open(): T; (* Open returns a capability for the console. *)PROCEDURE Write(t: T; msgs: TEXT);PROCEDURE Read(t: VAR; msg: TEXT);PROCEDURE Close(t: T);END Console;
MODULE Console; (* An Implementation module *)
(* The implementation of Console.T *)TYPE Buf = ARRAY [0..31] OF CHAR;REVEAL T = BRANDED REF RECORD (* T is a pointer *)
inputQ: Buf; (* to a record *)outputQ: Buf;(* device specific info *)
END;
(* Implementations of interface functions *)(* have direct access to the revealed type *)PROCEDURE Open(): T = …END Console;
MODULE Gatekeeper; (* A client *)IMPORT Console;
VAR c: Console.T; (* A capability for *) (* the console device *)
PROCEDURE IntruderAlert() = BEGIN c := Console.Open(); Console.Write(c, “Intruder Alert”); Console.Close(c); END IntruderAlert;
BEGINEND Gatekeeper;
![Page 12: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/12.jpg)
Protection DomainsProtection Domains
Generally, it is the set of accessible Generally, it is the set of accessible names available to an execution names available to an execution contextcontext
But different for SPINBut different for SPIN– Name and protection interface is at Name and protection interface is at
language level, not at virtual memorylanguage level, not at virtual memory– A protection domain defines the set of A protection domain defines the set of
names that can be referenced by code names that can be referenced by code with access to that domainwith access to that domain
![Page 13: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/13.jpg)
More about DomainsMore about Domains
Domain can be intersecting or Domain can be intersecting or disjointdisjoint
OperationsOperations– Create: Initializes domainCreate: Initializes domain– Resolve: Matches symbols between Resolve: Matches symbols between
target and those exported from sourcetarget and those exported from source– Combine: Creates linkable namespaces Combine: Creates linkable namespaces
that consist of union of existing domainsthat consist of union of existing domains
![Page 14: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/14.jpg)
Domain Interface Domain Interface ref: Figure 2 of SPIN paperref: Figure 2 of SPIN paper
INTERFACE Domain;
TYPE T <: REFANY; (* Domain.T is opaque *)
PROCEDURE Create (coff:CoffFile.T):T;
PROCEDURE CreateFromModule():T;
PROCEDURE Resolve(source, target: T);
PROCEDURE Combine (d1, d2: T): T;
END Domain.
![Page 15: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/15.jpg)
Extension ModelExtension Model
Provides Provides – controlled communication between controlled communication between
extension and systemextension and system As an example, extension could…As an example, extension could…
– Monitor system activityMonitor system activity– Send peformance information to Send peformance information to
applications applications Extensions = Events + HandlersExtensions = Events + Handlers
![Page 16: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/16.jpg)
More about Extensions…More about Extensions…
Central Dispatcher
Extension
RegistersEvent Handler with
Event Name
Message sent to announce change in
system state or
To request service
Event
Primary Implementation
Module
OtherModules
Passes Event Name
If allowed,GUARD can be associated with
handler
Can request to install addl handlers or replace primary
handler
![Page 17: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/17.jpg)
SPIN Core ServicesSPIN Core Services
Extensible Memory ManagementExtensible Memory Management– Physical storagePhysical storage– NamingNaming– TranslationTranslation
Extensible Thread ManagementExtensible Thread Management– StrandsStrands
![Page 18: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/18.jpg)
Physical Address ServicePhysical Address Service
Controls use and allocation of pagesControls use and allocation of pages AllocateAllocate eventevent
– Requests physical memory Requests physical memory – Size specifiedSize specified– Optional attributes specifiedOptional attributes specified
DeallocateDeallocate eventevent– Given pointer p to memory, frees physical Given pointer p to memory, frees physical
memorymemory ReclaimReclaim eventevent
– Reclaims a candidate pageReclaims a candidate page
![Page 19: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/19.jpg)
Virtual Address ServiceVirtual Address Service
Allocates capabilities for virtual Allocates capabilities for virtual addressesaddresses
Capability’s referent hasCapability’s referent has– Virtual addressVirtual address– LengthLength– Address Space IdentifierAddress Space Identifier
Interface has procedures Interface has procedures AllocateAllocate and and DeallocateDeallocate
![Page 20: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/20.jpg)
Translation ServiceTranslation Service
Expresses relationship between Expresses relationship between virtual address and physical virtual address and physical memorymemory
Interprets 2 referencesInterprets 2 references– to virtual addressesto virtual addresses– to physical addressesto physical addresses
Constructs a map between themConstructs a map between them Installs this map in the MMUInstalls this map in the MMU
![Page 21: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/21.jpg)
StrandsStrandsref: Figure 4 of SPIN paperref: Figure 4 of SPIN paper
INTERFACE Strand;
TYPE T <: REFANY; (* Strand.T is opaque *)
PROCEDURE Block (s:T);
PROCEDURE UnBlock(s:T);
PROCEDURE Checkpoint(s:T);
PROCEDURE Resume (s:T);
END Domain.
![Page 22: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/22.jpg)
System PerformanceSystem Performance
Four Perspectives:Four Perspectives: System SizeSystem Size MicrobenchmarksMicrobenchmarks Networking Networking End-to-end performaneEnd-to-end performane
![Page 23: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/23.jpg)
System component sizesSystem component sizes
![Page 24: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/24.jpg)
Microbenchmarks: Microbenchmarks: Protected communicationProtected communication
![Page 25: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/25.jpg)
Microbenchmarks: Microbenchmarks: Thread ManagementThread Management
![Page 26: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/26.jpg)
Microbenchmarks: Microbenchmarks: Virtual MemoryVirtual Memory
![Page 27: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/27.jpg)
Structure of Network Structure of Network StacksStacks
![Page 28: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/28.jpg)
Microbenchmarks: Microbenchmarks: Network Latency and Network Latency and
BandwidthBandwidth
Ethernet and ATM applications using UDP/IP for both OSF/1 and SPIN
![Page 29: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/29.jpg)
Microbenchmarks: Microbenchmarks: Network Protocol Network Protocol
ForwardingForwarding
![Page 30: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/30.jpg)
End to End PerformanceEnd to End Performance
![Page 31: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/31.jpg)
Other Issues: Other Issues: Scaling and DispatchScaling and Dispatch
Roundtrip Ethernet latencyRoundtrip Ethernet latency– Measures 565 Measures 565 μμss
50 GUARDs register interest in UDP 50 GUARDs register interest in UDP pkt and all GUARDs evaluate to falsepkt and all GUARDs evaluate to false– Measures 585 Measures 585 μμss
These same 50 GUARDs evaluate to These same 50 GUARDs evaluate to truetrue– Measures 637 Measures 637 μμss
![Page 32: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/32.jpg)
Other Issues:Other Issues:Automatic Storage Automatic Storage
ManagementManagement SPIN uses trace-based mostly-SPIN uses trace-based mostly-
copying garbage collectorcopying garbage collector
None of previous measurement None of previous measurement benchmarks change if garbage benchmarks change if garbage collection disabledcollection disabled
![Page 33: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/33.jpg)
Other Issues: Extension Other Issues: Extension SizesSizes
![Page 34: Extensibility, Safety and Performance in the SPIN Operating System B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczyski, D. Becker, C. Chambers,](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d3a5503460f94a14638/html5/thumbnails/34.jpg)
ConclusionsConclusions
SPIN achieves performance, without SPIN achieves performance, without sacrificing safetysacrificing safety
Enables an efficient way to extend Enables an efficient way to extend services along with basic set of core services along with basic set of core services services
Programming languages with the Programming languages with the appropriate feature support can be appropriate feature support can be used to construct future operating used to construct future operating systemssystems