Formal Requirements for Virtualizable Third Generation Architectures
Transcript of Formal Requirements for Virtualizable Third Generation Architectures
![Page 1: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/1.jpg)
Formal Requirements for Virtualizable Third Generation Architectures
Authors: Gerald J. Popek and Robert P. Goldberg
Prepared by: Fazle Elahi Faisal and Tariq Iqbal
![Page 2: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/2.jpg)
Introduction
A virtual machine (VM) is an efficient, isolated duplicate of a real machine.
A virtual machine monitor (VMM) is a piece of software which
◦ provides an environment for programs that is essentially identical with the original machine
◦ allows programs to run in that environment with at worst only a minor decrease in speed
◦ is in complete control of system resources
![Page 3: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/3.jpg)
Introduction (cont)
Contribution of the paper
◦ A model of a third generation-like computer has been developed
◦ Precise sufficient conditions to test whether an architecture can support virtual machines have been derived
![Page 4: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/4.jpg)
Machine States
S = <E, M, P, R>, where E is the executable storage, M the processor mode, P the program counter and R the relocation register.
![Page 5: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/5.jpg)
Machine States (cont)
State
• The state S is intended to specify the current state of the real computer system.
• The machine can exist in any one of a finite number of states, where each state has four components.
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
![Page 6: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/6.jpg)
Machine States (cont)
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
Executable Storage
• Executable storage is a conventional word- or byte-addressed memory of size q.
• E[i] refers to the contents of the i-th unit of storage in E.
• E = E´ iff E[i] = E´[i] for all 0 ≤ i < q.
![Page 7: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/7.jpg)
Machine States (cont)
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
Processor Mode
• Operating modes of some computer architectures that place restrictions on the type and scope of operations
• Supervisor mode (s)
• User mode (u)
![Page 8: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/8.jpg)
Machine States (cont)
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
Processor Mode
• Supervisor mode: the complete instruction repertoire is available to the processor.
• User mode: the complete instruction repertoire is not available to the processor.
![Page 9: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/9.jpg)
Machine States (cont)
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
Program Counter
• The program counter P is an address relative to the contents of R (explained on the next slide); it acts as an index into E, indicating the next instruction to be executed.
![Page 10: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/10.jpg)
Machine States (cont)
S = <E, M, P, R> (E: executable storage, M: processor mode, P: program counter, R: relocation register)
Relocation Register
• Memory addressing is done relative to the contents of a relocation register.
• The relocation register R consists of a tuple (l, b)
• l = absolute address (the base)
• b = absolute size (the bound)
![Page 11: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/11.jpg)
Program Status Word
The contents of the triplet <M, P, R> are often referred to as the program status word (PSW).
Each PSW is assumed to be recorded in one storage location.
E[0] is assumed to store the old-PSW.
E[1] is assumed to store the new-PSW.
![Page 12: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/12.jpg)
Instruction
An instruction is a discrete statement of a processor that usually specifies arithmetic, addressing, or control functions on registers or memory locations.
Given a set of states C, an instruction i is a function from C to C, i: C → C.
For example, i(S1) = S2, or i(E1, M1, P1, R1) = (E2, M2, P2, R2).
![Page 13: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/13.jpg)
Traps
A trap is a type of interrupt caused by an exceptional condition, e.g. a “memory trap”.
A trap automatically saves the current state of the machine and passes control to a pre-specified routine by changing M, R, P to the values specified in the new-PSW location.
![Page 14: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/14.jpg)
Traps (cont)
An instruction i is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where
◦ E2[j] = E1[j], for 0 < j < q
◦ E2[0] = (M1, P1, R1)
◦ (M2, P2, R2) = E1[1]
The state of the machine is stored in such a way as to be reversible to the point at which the instruction causing the trap was executed.
![Page 15: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/15.jpg)
Memory Trap
A memory trap is a trap caused by an attempt by an instruction to develop an address which is greater than the bounds in R or the physical memory.
// an instruction produces address a
if a+l ≥ q then memory-trap
else if a ≥ b then memory-trap
else use E[a+l]
![Page 16: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/16.jpg)
Types of Instructions
Privileged instruction
Sensitive instruction
◦ Control sensitive
◦ Behavior sensitive: location sensitive, mode sensitive
Innocuous instruction
![Page 17: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/17.jpg)
Privileged Instruction
Intuitively, if an instruction traps in user mode but not in supervisor mode, then the instruction is privileged.
![Page 18: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/18.jpg)
Privileged Instruction (cont)
Instruction i is privileged iff for any pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> such that
◦ neither i(S1) nor i(S2) memory traps,
◦ i(S2) traps but i(S1) does not.
// IBM System/360 LPSW
if M = s then load_PSW
else trap
// Honeywell 6000 LBAR, DEC PDP-10 DATAO APR
if M = s then load_R
else trap
![Page 19: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/19.jpg)
Sensitive Instruction
Sensitive instructions are those that interact with the hardware.
There are two types of sensitive instruction:
◦ Control sensitive
◦ Behavior sensitive
![Page 20: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/20.jpg)
Control Sensitive Instruction
An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1> with i(S1) = S2 = <e2, m2, p2, r2> such that
◦ i(S1) does not memory trap, and
◦ (a) r1 ≠ r2, or (b) m1 ≠ m2, or (c) both hold.
Intuitively, an instruction is control sensitive if it attempts to change the relocation register (R), the mode (M), or both.
![Page 21: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/21.jpg)
Behavior Sensitive Instruction
Before we define behavior sensitive instructions, we need to define the following two operators:
◦ “⊕”: if r = (l, b), then r´ = r ⊕ x = (l+x, b), i.e. the relocation part l is shifted by the value of x.
◦ “|”: the notation E|R means the contents of the part of memory that can be accessed from a particular state through the relocation register R.
![Page 22: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/22.jpg)
Behavior Sensitive Instruction (cont)
Combining “⊕” and “|”
◦ E | r ⊕ x represents the contents of memory from [l+x] to [l+b+x]
◦ E | r = E´ | r ⊕ x means that E[l+i] = E´[l+x+i] for 0 ≤ i < b
![Page 23: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/23.jpg)
Behavior Sensitive Instruction (cont)
An instruction i is behavior sensitive if there exist an integer x and states
◦ S1 = <e|r, m1, p, r>
◦ S2 = <e|r ⊕ x, m2, p, r ⊕ x>
where
◦ i(S1) = <e1|r, m1, p1, r>
◦ i(S2) = <e2|r ⊕ x, m2, p2, r ⊕ x>
◦ neither i(S1) nor i(S2) memory traps
such that (a) e1|r ≠ e2|r ⊕ x, or (b) p1 ≠ p2, or (c) both hold.
An instruction is behavior sensitive if the effect of its execution depends on the value of the relocation register (R) or on the mode (M).
![Page 24: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/24.jpg)
Behavior Sensitive Instruction (cont)
There are two types of behavior sensitive instructions:
◦ Location sensitive: an instruction is location sensitive if its execution behavior depends on its location in real memory.
◦ Mode sensitive: an instruction is mode sensitive if its execution behavior depends on the mode of the previous instruction space.
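As an added illustration (not from the slides or the paper), the following Python code implements the “⊕” and “|” operators and the behavior sensitivity test from the last three slides, and applies it to three constructed instructions: one that stores its own absolute address (location sensitive), one that stores only a relative address (not behavior sensitive), and one whose result depends on the processor mode (mode sensitive). Q, State, the instruction names and the sample state are assumptions made for the example.

```python
"""Behavior sensitivity (location and mode sensitive) tested with the "⊕" and "|"
operators from the preceding slides. Added example, not from the slides or the
paper; Q, State, the three instructions and the sample state are constructed."""
from typing import Callable, NamedTuple, Optional, Tuple

SUPERVISOR, USER = "s", "u"
Q = 32  # physical storage size q (constructed)

class State(NamedTuple):
    e: tuple              # executable storage E, Q units
    m: str                # processor mode M
    p: int                # program counter P, relative to R
    r: Tuple[int, int]    # relocation register R = (l, b)

def shift(r, x):
    """r ⊕ x = (l + x, b): the relocation base moves by x, the bound stays."""
    l, b = r
    return (l + x, b)

def window(e, r):
    """E | r: the b units E[l] .. E[l+b-1] reachable through r."""
    l, b = r
    return tuple(e[l:l + b])

def relocated(e, r, x):
    """Storage e' such that e' | (r ⊕ x) = e | r: the same window placed x units away."""
    l, b = r
    e2 = [0] * len(e)
    e2[l + x:l + x + b] = e[l:l + b]
    return tuple(e2)

# Three constructed instructions; each writes one word at relative address 0 and advances P.
def store_absolute_pc(s: State) -> State:
    """Stores the absolute address l + p of the current instruction: location sensitive."""
    l, _ = s.r
    e = list(s.e)
    e[l] = l + s.p
    return State(tuple(e), s.m, s.p + 1, s.r)

def store_relative_pc(s: State) -> State:
    """Stores only the relative address p: its effect depends on neither R nor M."""
    l, _ = s.r
    e = list(s.e)
    e[l] = s.p
    return State(tuple(e), s.m, s.p + 1, s.r)

def store_mode_flag(s: State) -> State:
    """Stores 1 in supervisor mode and 0 in user mode: mode sensitive."""
    l, _ = s.r
    e = list(s.e)
    e[l] = 1 if s.m == SUPERVISOR else 0
    return State(tuple(e), s.m, s.p + 1, s.r)

def is_behavior_sensitive(i: Callable[[State], State], s1: State, x: int,
                          m2: Optional[str] = None) -> bool:
    """The slide's test for one witness (x, S1, m2): S2 = <e|r ⊕ x, m2, p, r ⊕ x>;
    i is behavior sensitive if e1|r != e2|(r ⊕ x) or p1 != p2. The sample state is
    chosen inside bounds so that neither execution memory traps (the slide's side condition)."""
    s2 = State(relocated(s1.e, s1.r, x), m2 or s1.m, s1.p, shift(s1.r, x))
    t1, t2 = i(s1), i(s2)
    return window(t1.e, s1.r) != window(t2.e, s2.r) or t1.p != t2.p

# Constructed sample: E[j] = j, user mode, P = 3, window of 8 units starting at l = 4.
SAMPLE = State(tuple(range(Q)), USER, 3, (4, 8))

if __name__ == "__main__":
    for instr in (store_absolute_pc, store_relative_pc, store_mode_flag):
        print(f"{instr.__name__:18} location sensitive: {is_behavior_sensitive(instr, SAMPLE, 10)!s:5} "
              f"mode sensitive: {is_behavior_sensitive(instr, SAMPLE, 0, m2=SUPERVISOR)}")
```

Shifting the window by x = 10 exposes the location-sensitive instruction (it stores 7 on the real machine but 17 when relocated), while keeping x = 0 and changing only the mode exposes the mode-sensitive one; the relative-address store passes both checks, which is what makes it safe to execute directly under a VMM.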
![Page 25: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/25.jpg)
Innocuous Instruction
An instruction is innocuous if it is not sensitive.
![Page 26: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/26.jpg)
Virtual Machine Monitor
The Virtual Machine Monitor (VMM) is a particular piece of software (called a control program) that consists of the following parts:
◦ Dispatcher
◦ Allocator
◦ Interpreter
![Page 27: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/27.jpg)
Virtual Machine Monitor (cont)
Dispatcher (D): the dispatcher is the top-level control module of the control program.
![Page 28: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/28.jpg)
Virtual Machine Monitor (cont)
Allocator (A): an allocator decides on allocating system resources to a virtual machine (VM).
Given that a VMM hosts several VMs, it is the allocator’s task to avoid giving the same resource to more than one VM concurrently.
![Page 29: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/29.jpg)
Virtual Machine Monitor (cont)
Interpreter: the interpreter simulates the effect of a privileged instruction when it is trapped.
There is one interpreter routine per privileged instruction.
Given that vi represents the series of instructions of an interpretive routine, {vi} denotes the set of all interpretive routines, i = 1 to m, where m is the number of privileged instructions.
![Page 30: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/30.jpg)
Control Program
A control program (CP) is specified by its three parts: CP = <D, A, {vi}>
◦ D: Dispatcher
◦ A: Allocator
◦ {vi}: Set of interpretive routines
The CP is assumed to run in supervisor mode, whereas all other programs are assumed to run in user mode.
![Page 31: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/31.jpg)
Virtual Machine Properties
There are three properties of interest when any arbitrary program is run while the control program is resident:
◦ Efficiency
◦ Resource control
◦ Equivalence
![Page 32: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/32.jpg)
Efficiency
A program running in a VMM environment shows at worst only minor decreases in speed.
All innocuous instructions are executed by the hardware directly, without intervention on the part of the control program.
![Page 33: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/33.jpg)
Resource Control
The VMM is in complete control of system resources.
An arbitrary program cannot affect the system resources, e.g. memory.
The allocator of the control program is to be invoked upon any attempt to affect system resources.
![Page 34: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/34.jpg)
Equivalence
The VMM provides an environment for programs which is essentially identical with the original machine.
More specifically, a program K executing with a CP resident performs in a manner indistinguishable from the case when the CP does not exist.
![Page 35: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/35.jpg)
Exceptions to the Equivalence Property
Timing
◦ Because of the occasional intervention of the CP, certain instruction sequences in K may take longer to execute.
Resource availability
◦ The allocator does not satisfy a request to change the relocation register (R).
![Page 36: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/36.jpg)
Virtual Machine
The environment which any program sees when running with a virtual machine monitor present is called a virtual machine (VM).
It is composed of the original real machine and the VMM.
![Page 37: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/37.jpg)
Third Generation Computer
A third generation computer provides the following mechanisms:
◦ Relocation mechanisms
◦ Supervisor/user mode
◦ Trap mechanisms
![Page 38: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/38.jpg)
Third Generation Computer
Theorem 1: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
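To make the condition of Theorem 1 concrete, here is an added Python model (not from the slides or the paper) of the machine defined on the Memory Trap, Traps (cont), Privileged Instruction (cont) and Control Sensitive Instruction slides: a toy instruction set, the trap mechanism through E[0] and E[1], the memory-trap rule, the privileged and control-sensitive tests, and finally the check that every sensitive instruction is privileged. Q, PSW, State, lpsw, incr, set_user_unchecked and the sample states are constructed for the example; set_user_unchecked is a deliberately constructed instruction that changes the mode without trapping, i.e. the kind of sensitive-but-unprivileged instruction the theorem's condition rules out, because a VMM could never get control when a guest executes it. Behavior sensitivity is left to the separate operator example.

```python
"""Toy model of the slides' third generation machine: memory-trap rule, trap mechanism
(E[0] old-PSW, E[1] new-PSW), the privileged and control-sensitive tests and the
Theorem 1 check. Added example, not from the slides or the paper; Q, PSW, State, lpsw,
incr, set_user_unchecked and the sample states are constructed for illustration."""
from typing import Callable, List, NamedTuple, Optional, Tuple

SUPERVISOR, USER = "s", "u"
Q = 16  # size q of executable storage (constructed)

class PSW(NamedTuple):    # <M, P, R>
    m: str
    p: int
    r: Tuple[int, int]

class State(NamedTuple):  # S = <E, M, P, R>; E[0] = old-PSW, E[1] = new-PSW, R = (l, b)
    e: tuple
    m: str
    p: int
    r: Tuple[int, int]

class MemoryTrap(Exception):
    """Address developed outside R's bounds or outside physical memory."""

def translate(s: State, a: int) -> int:
    """Memory Trap slide: if a+l >= q trap; else if a >= b trap; else use E[a+l]."""
    l, b = s.r
    if a + l >= Q or a >= b:
        raise MemoryTrap(a)
    return a + l

def trap(s: State) -> State:
    """Traps (cont) slide: E2[0] = (M1,P1,R1); (M2,P2,R2) = E1[1]; rest of E unchanged."""
    e = list(s.e)
    e[0] = PSW(s.m, s.p, s.r)
    new = s.e[1]
    return State(tuple(e), new.m, new.p, new.r)

def trapped(before: State, after: State) -> bool:
    """True iff `after` is exactly trap(before)."""
    return (after.e[1:] == before.e[1:] and after.e[0] == PSW(before.m, before.p, before.r)
            and PSW(after.m, after.p, after.r) == before.e[1])

def lpsw(s: State) -> State:
    """Like the slide's System/360 LPSW: in supervisor mode load <M,P,R> from relative
    address 2, otherwise trap. Privileged and control sensitive."""
    if s.m != SUPERVISOR:
        return trap(s)
    new = s.e[translate(s, 2)]
    return State(s.e, new.m, new.p, new.r)

def incr(s: State) -> State:
    """Innocuous: add 1 to the word at relative address 3 and advance P."""
    e = list(s.e)
    e[translate(s, 3)] += 1
    return State(tuple(e), s.m, s.p + 1, s.r)

def set_user_unchecked(s: State) -> State:
    """Constructed counter-example: switches to user mode from any mode without
    trapping, so it is control sensitive but not privileged."""
    return State(s.e, USER, s.p + 1, s.r)

def run(i: Callable[[State], State], s: State) -> Optional[State]:
    """i(s), or None when i memory traps (such states are excluded by both definitions)."""
    try:
        return i(s)
    except MemoryTrap:
        return None

def is_privileged(i, states: List[State]) -> bool:
    """Privileged Instruction (cont) slide: for any pair S1=<e,s,p,r>, S2=<e,u,p,r>
    in which neither memory traps, i(S2) traps and i(S1) does not."""
    pairs = []
    for s in states:
        s1, s2 = s._replace(m=SUPERVISOR), s._replace(m=USER)
        t1, t2 = run(i, s1), run(i, s2)
        if t1 is not None and t2 is not None:
            pairs.append((s1, t1, s2, t2))
    return bool(pairs) and all(trapped(s2, t2) and not trapped(s1, t1) for s1, t1, s2, t2 in pairs)

def is_control_sensitive(i, states: List[State]) -> bool:
    """Control Sensitive Instruction slide: some S1 where i(S1) does not memory trap and R
    or M changes. A PSW switch performed by the trap mechanism itself is not counted."""
    for s1 in states:
        s2 = run(i, s1)
        if s2 is not None and not trapped(s1, s2) and (s2.r != s1.r or s2.m != s1.m):
            return True
    return False

def satisfies_theorem1(isa, states: List[State]) -> bool:
    """Theorem 1 condition (control sensitivity only here): sensitive ⊆ privileged."""
    return all(is_privileged(i, states) for i in isa if is_control_sensitive(i, states))

def make_states() -> List[State]:
    """Constructed sample states for bases l = 0, 4 and bounds b = 2, 8; with b = 2 the
    accesses at relative addresses 2 and 3 memory trap and those states are skipped."""
    e = [0] * Q
    e[0] = PSW(USER, 0, (0, 0))          # old-PSW slot, contents arbitrary
    e[1] = PSW(SUPERVISOR, 8, (0, Q))    # new-PSW: trap handler entry
    e[2] = e[6] = PSW(USER, 0, (4, 8))   # LPSW operand at relative address 2 for l = 0 and l = 4
    e[3] = e[7] = 7                      # counter at relative address 3
    return [State(tuple(e), m, 0, (l, b)) for m in (SUPERVISOR, USER) for l in (0, 4) for b in (2, 8)]

if __name__ == "__main__":
    st = make_states()
    for i in (lpsw, incr, set_user_unchecked):
        print(f"{i.__name__:18} privileged={is_privileged(i, st)!s:5} control_sensitive={is_control_sensitive(i, st)}")
    print("Theorem 1 condition holds for {lpsw, incr}:", satisfies_theorem1([lpsw, incr], st))
    print("... with set_user_unchecked added:", satisfies_theorem1([lpsw, incr, set_user_unchecked], st))
```

The instruction set {lpsw, incr} satisfies the condition: the only control-sensitive instruction traps in user mode, so a control program running in supervisor mode always regains control before the guest can change M or R. Adding set_user_unchecked breaks it, which is exactly the situation in which the theorem gives no guarantee and an interpreter-based (hybrid) approach is needed instead.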
![Page 39: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/39.jpg)
Set of Machine States
C: the set of machine states
Cv: the set of states for which the VMM is present in memory
Cr: the set of states of the real machine without a VMM
![Page 40: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/40.jpg)
Set of Instruction Sequences
I is the set of instruction sequences, where each instruction sequence en(S1) = ij…k(S1) = S2 has n instructions.
![Page 41: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/41.jpg)
Virtual Machine Map
A virtual machine map (VM map) f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the set of instruction sequences I.
Intuitively, for any state Si ∈ Cr and any instruction sequence ei, there exists an instruction sequence ei´ such that f(ei(Si)) = ei´(f(Si)).
![Page 42: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/42.jpg)
Virtual Machine Map
Properties
◦ Mathematical existence of a particular mapping from the states of the real machine to the virtual machine system.
◦ Actual existence of instruction sequences ei´ on the Cv domain that correspond to the sequences ei on the Cr domain.
![Page 43: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/43.jpg)
Virtual Machine Map
Essentially identical effect
◦ Two machines are started, one in state S1, the other in state S1´ = f(S1)
◦ The VMM is equivalent to the real machine iff for any state S1, if the real machine halts in state S2, then the VM halts in state S2´ = f(S2)
![Page 44: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/44.jpg)
A Demonstration of a VM Map
Assumptions
◦ The control program occupies the first k locations of physical memory
◦ The VM occupies the next w locations
◦ f(E, M, P, R) = (E´, M´, P´, R´), where S = <E, M, P, R> is the machine without a VMM present
![Page 45: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/45.jpg)
A Demonstration of a VM Map
VM map
◦ E´[i+k] = E[i], for i = 0 to w – 1
◦ E´[i] = the control program, for i = 2 to k – 1
◦ E´[1] = <m´, p´, r´>, where m´ = supervisor, p´ = first location of the control program, r´ = (0, q-1)
◦ E´[0] = <m, p, r> as last set by the trap handler
◦ M´ = u (user)
◦ P´ = p
◦ R´ = (l+k, b), where R = (l, b)
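The VM map on this slide, as an added Python example (not from the slides or the paper): vm_map builds <E´, M´, P´, R´> from a constructed guest state and an opaque control program, and same_view checks the property the map is meant to preserve, E | R = E´ | (R ⊕ k), using the “⊕” and “|” operators defined on the earlier slides. guest_address_stays_in_vm reports whether every in-bounds guest address lands inside the VM's w locations rather than in the control program's. PSW, State, Q, the function names and the sample values are assumptions made for the example.

```python
"""The VM map f: Cr -> Cv from the demonstration slide, checked with the "⊕" (shift)
and "|" (window) operators. Added example, not from the slides or the paper; PSW,
State, vm_map and the sample values are constructed for illustration."""
from typing import NamedTuple, Tuple

SUPERVISOR, USER = "s", "u"

class PSW(NamedTuple):
    m: str
    p: int
    r: Tuple[int, int]

class State(NamedTuple):
    e: tuple              # executable storage
    m: str                # processor mode
    p: int                # program counter, relative to R
    r: Tuple[int, int]    # relocation register (l, b)

def shift(r, x):
    """r ⊕ x = (l + x, b)."""
    l, b = r
    return (l + x, b)

def window(e, r):
    """E | r: the b units E[l] .. E[l+b-1] reachable through r."""
    l, b = r
    return tuple(e[l:l + b])

def vm_map(s: State, control_program: tuple, q: int) -> State:
    """f(E, M, P, R) = (E', M', P', R') for a real machine of w = len(E) words.
    The control program occupies physical 0..k-1 (slots 0 and 1 hold old/new PSW,
    its code fills 2..k-1); the VM's w words follow at k..k+w-1; q is physical size."""
    k = len(control_program) + 2
    w = len(s.e)
    if k + w > q:
        raise ValueError("control program plus VM do not fit in physical memory")
    e2 = [0] * q
    e2[k:k + w] = s.e                               # E'[i+k] = E[i], i = 0..w-1
    e2[2:k] = control_program                       # E'[i] = control program, i = 2..k-1
    e2[1] = PSW(SUPERVISOR, 2, (0, q - 1))          # new-PSW: enter the CP in supervisor mode
    e2[0] = PSW(s.m, s.p, s.r)                      # old-PSW, as last saved by the trap handler
                                                    # (constructed: start from the guest PSW)
    l, b = s.r
    return State(tuple(e2), USER, s.p, (l + k, b))  # M' = u, P' = p, R' = (l+k, b)

def same_view(s: State, v: State, k: int) -> bool:
    """Memory equivalence: E | R = E' | (R ⊕ k), with the VM in user mode at the
    same relative program counter."""
    return (v.r == shift(s.r, k) and window(s.e, s.r) == window(v.e, v.r)
            and v.m == USER and v.p == s.p)

def guest_address_stays_in_vm(v: State, k: int, w: int) -> bool:
    """Does every relative address a < b the guest can develop land in [k, k+w)?"""
    l, b = v.r
    return all(k <= a + l < k + w for a in range(b))

# Constructed sample: a real machine with w = 6 words, R = (2, 4), P = 1, and a
# 3-word control program, mapped into q = 16 words of physical memory (k = 5).
SAMPLE_GUEST = State((PSW(USER, 0, (0, 0)), PSW(SUPERVISOR, 3, (0, 5)), 10, 20, 30, 40),
                     USER, 1, (2, 4))
SAMPLE_CP = ("cp-word-0", "cp-word-1", "cp-word-2")   # opaque control program words
Q = 16

if __name__ == "__main__":
    k = len(SAMPLE_CP) + 2
    v = vm_map(SAMPLE_GUEST, SAMPLE_CP, Q)
    print("R' =", v.r, " E'|R' =", window(v.e, v.r))
    print("guest view preserved:", same_view(SAMPLE_GUEST, v, k))
    print("guest confined to VM region:", guest_address_stays_in_vm(v, k, len(SAMPLE_GUEST.e)))
```

With R = (2, 4) the guest's window (10, 20, 30, 40) reappears unchanged at R´ = (7, 4). If the guest's own R reaches past its w words, for example R = (4, 4), guest_address_stays_in_vm returns False: addresses that would memory trap on the real machine (a+l ≥ q with q = w) fall into the VM's larger physical memory without trapping, so the relocation register alone does not confine the guest and the control program must handle such states itself.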
![Page 46: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/46.jpg)
Recursive Virtualization
Intuitively, a machine is recursively virtualizable if
1. the virtual machine system can run under itself a copy of the VMM so that the copy exhibits all the properties of a VMM, and
2. procedure 1 can be repeated until the resources of the system are consumed.
Theorem 2: A conventional third generation computer is recursively virtualizable if it is (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
![Page 47: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/47.jpg)
Recursive Virtualization
A VMM is guaranteed to produce an environment in which a large class of programs run with an effect identical to that on the real machine.
The performance of the VMM running on the real machine and under other VMMs will be indistinguishable.
J. Smith, et al., Virtual Machines: Versatile Platforms for Systems and Processes
![Page 48: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/48.jpg)
Hybrid Virtual Machines
Very few third generation architectures are virtualizable.
The definition of a third generation architecture has been relaxed to a more general, but less efficient form that is labeled a hybrid virtual machine (HVM) system.
In an HVM, more instructions are interpreted rather than being directly executed.
![Page 49: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/49.jpg)
Hybrid Virtual Machines
An instruction i is said to be user sensitive if there exists a state S = <E, u, P, R> for which i is control sensitive or behavior sensitive.
User sensitivity is only applicable in user mode.
Intuitively, the user sensitive instructions are the instructions that cause difficulty when executed from user mode.
![Page 50: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/50.jpg)
Hybrid Virtual Machines
An instruction i is said to be supervisor sensitive if there exists a state S = <E, s, P, R> for which i is control sensitive or behavior sensitive.
Supervisor sensitivity is only applicable in supervisor mode.
![Page 51: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/51.jpg)
Hybrid Virtual Machines
A VM and an HVM are identical except that in an HVM all instructions in virtual supervisor mode are interpreted.
Theorem 3: A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.
![Page 52: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/52.jpg)
Conclusion
A formal model of a third generation computer has been developed.
Necessary and sufficient conditions have been derived to determine whether a third generation machine can support a VMM.
I/O resources and instructions, asynchronous events, or more complex memory mapping schemes can be added as straightforward extensions to the basic model.
![Page 53: Formal Requirements for Virtualizable Third Generation Architectures](https://reader036.fdocuments.us/reader036/viewer/2022082212/56815f5f550346895dce449b/html5/thumbnails/53.jpg)
Reference
[1] G. Popek, R. Goldberg, “Formal requirements for virtualizable third generation architectures”, Commun. ACM, vol. 17, pp. 412-421, 1974.