Presentation of Singularity OS Seminar, winter 2005 by Jacob Munk-Stander November 23 rd, 2005.
-
Upload
thomasine-copeland -
Category
Documents
-
view
213 -
download
1
Transcript of Presentation of Singularity OS Seminar, winter 2005 by Jacob Munk-Stander November 23 rd, 2005.
Presentation of Singularity
OS Seminar, winter 2005by Jacob Munk-Stander
November 23rd, 2005
Overview of Singularity
• Singularity is a new research operating system from Microsoft Research– Written almost entirely in managed code Sing# (extension of
C#)– Microkernel
• Primary goal of dependability– “Dependability thus includes as special cases such attributes
as reliability, availability, safety, security.”• Participants
– Cambridge, Silicon Valley and Redmond.– A dozen people are the core contributors (of which two are
from DIKU). In total 40-50 people are working on Singularity.– Research groups include Operating Systems, Programming
Languages, Compilers, Tools.– In total 11-12 research groups, largest in the history of
Microsoft Research.
Dependability
• Dependability realized by:– Managed code, i.e. type safety– Software-Isolated Processes, i.e. no
shared memory between processes
Low Level Invariants of Singularity
• Memory Independence Invariant:– A process does not hold a reference into another
process’s object space.
• State Isolation Invariant:– A process cannot alter the state of another
process using the ABI.
• Ownership Invariant:– Ownership of messages are passed from the
sender to the receiver.
• Exchange Heap Invariant:– Does not contain pointers into any process GC
heap.
Managed Code
• C# is the base managed programming language
• Spec# - an extension of C# developed in Microsoft Research.– Adds support for specifying program behavior,
which can be verified either statically or with run-time tests.
• Singularity is written in Sing# - an extension of Spec#.– Adds support for channels and low-level
constructs.
Managed Code, cont.
• Code in Singularity is either verified or trusted:– Verified code’s type and memory safety is checked by a
compiler– Trusted code must be trusted by the system
• Most of the kernel is verifiably safe, but portions are written in trusted assembler, C++ and unsafe C#.
• The rest is written in safe managed code using Sing#
• Currently: Sing# -> MSIL -> x86 code– Code is verified at each step– Uses Bartok compiler for MSIL -> x86 code
• Future: Typed Assembly Language will be used to verify output of compiler.
Managed Code, cont.
• Base managed code has performance somewhat comparable to C/C++.
• Given safety invariants of the language, tools can perform additional optimizations not possible with unsafe code, e.g.– due to no dynamic code loading
=> complete compile time static analysis– no pointers into other process
=> no memory hardware protection
Software-Isolated Processes
• Self-contained units, providing:– Information hiding– Failure isolation– Strong interfaces
• Run independently, allowing different GCs, etc.
• Created and terminated by the OS, allowing for efficient reclamation of resources.
• All processes in one protection domain, leading to an order of magnitude better context switch times.
SIPs, cont.
• SIPs are used throughout the OS, in drivers and application software.
• Application Binary Interfaces maintains system-wide state isolation invariant, i.e. a process cannot alter the state of another process using the ABI.
Channels
• Communication between SIPs through bidirectional, strongly typed, higher-order channels, specified using contracts.
• Messages on channels are passed between processes using the Exchange Heap, allowing for zero-copy message passing.
Channels, cont.
• Integrated into the language, checked at compile time
• Contracts– Import Channels– Export Channels– State Machine
• Enforces the ownership invariant• Sending messages is asynchronous• Receiving message is blocking
Installation Time
• Metadata in applications manifest• Internal properties
– Verifies application’s assemblies exists and are type and memory safe
– Verifies channel contracts– Verifies ABI versions
• External dependencies– Verifies that hardware resources used do not conflict– Verifies that all channels exist and do not conflict with
other applications’
• Policies for conflicts, i.e. only one video driver
Performance
• Singularity has not been optimized yet
• Micro benchmarks:
Performance, cont.
• Dynamic memory usage:
• SPECweb99, average response time– Cassini web server: 23 conn. of 322 millisec./op.– Windows 2003, IIS: 25 conn. 304 millisec./op.
Additional Information
• Video interview with lead researchers Jim Larus and Galen Hunt at Channel 9, includes a discussion forum where they answer additional questions.
• Singularity website.
• Bartok website.
• Software Productivity Tools.