Presentation of Singularity

OS Seminar, winter 2005by Jacob Munk-Stander

November 23rd, 2005

Overview of Singularity

• Singularity is a new research operating system from Microsoft Research– Written almost entirely in managed code Sing# (extension of

C#)– Microkernel

• Primary goal of dependability– “Dependability thus includes as special cases such attributes

as reliability, availability, safety, security.”• Participants

– Cambridge, Silicon Valley and Redmond.– A dozen people are the core contributors (of which two are

from DIKU). In total 40-50 people are working on Singularity.– Research groups include Operating Systems, Programming

Languages, Compilers, Tools.– In total 11-12 research groups, largest in the history of

Microsoft Research.

Dependability

• Dependability realized by:– Managed code, i.e. type safety– Software-Isolated Processes, i.e. no

shared memory between processes

Low Level Invariants of Singularity

• Memory Independence Invariant:– A process does not hold a reference into another

process’s object space.

• State Isolation Invariant:– A process cannot alter the state of another

process using the ABI.

• Ownership Invariant:– Ownership of messages are passed from the

sender to the receiver.

• Exchange Heap Invariant:– Does not contain pointers into any process GC

heap.

Managed Code

• C# is the base managed programming language

• Spec# - an extension of C# developed in Microsoft Research.– Adds support for specifying program behavior,

which can be verified either statically or with run-time tests.

• Singularity is written in Sing# - an extension of Spec#.– Adds support for channels and low-level

constructs.

Managed Code, cont.

• Code in Singularity is either verified or trusted:– Verified code’s type and memory safety is checked by a

compiler– Trusted code must be trusted by the system

• Most of the kernel is verifiably safe, but portions are written in trusted assembler, C++ and unsafe C#.

• The rest is written in safe managed code using Sing#

• Currently: Sing# -> MSIL -> x86 code– Code is verified at each step– Uses Bartok compiler for MSIL -> x86 code

• Future: Typed Assembly Language will be used to verify output of compiler.

Managed Code, cont.

• Base managed code has performance somewhat comparable to C/C++.

• Given safety invariants of the language, tools can perform additional optimizations not possible with unsafe code, e.g.– due to no dynamic code loading

=> complete compile time static analysis– no pointers into other process

=> no memory hardware protection

Software-Isolated Processes

• Self-contained units, providing:– Information hiding– Failure isolation– Strong interfaces

• Run independently, allowing different GCs, etc.

• Created and terminated by the OS, allowing for efficient reclamation of resources.

• All processes in one protection domain, leading to an order of magnitude better context switch times.

SIPs, cont.

• SIPs are used throughout the OS, in drivers and application software.

• Application Binary Interfaces maintains system-wide state isolation invariant, i.e. a process cannot alter the state of another process using the ABI.

Channels

• Communication between SIPs through bidirectional, strongly typed, higher-order channels, specified using contracts.

• Messages on channels are passed between processes using the Exchange Heap, allowing for zero-copy message passing.

Channels, cont.

• Integrated into the language, checked at compile time

• Contracts– Import Channels– Export Channels– State Machine

• Enforces the ownership invariant• Sending messages is asynchronous• Receiving message is blocking

Installation Time

• Metadata in applications manifest• Internal properties

– Verifies application’s assemblies exists and are type and memory safe

– Verifies channel contracts– Verifies ABI versions

• External dependencies– Verifies that hardware resources used do not conflict– Verifies that all channels exist and do not conflict with

other applications’

• Policies for conflicts, i.e. only one video driver

Performance

• Singularity has not been optimized yet

• Micro benchmarks:

Performance, cont.

• Dynamic memory usage:

• SPECweb99, average response time– Cassini web server: 23 conn. of 322 millisec./op.– Windows 2003, IIS: 25 conn. 304 millisec./op.

Additional Information

• Video interview with lead researchers Jim Larus and Galen Hunt at Channel 9, includes a discussion forum where they answer additional questions.

• Singularity website.

• Bartok website.

• Software Productivity Tools.