
Formal Requirements for Virtualizable Third Generation Architectures


Presentation Transcript


  1. Formal Requirements for Virtualizable Third Generation Architectures
     Authors: Gerald J. Popek and Robert P. Goldberg
     Prepared by: Fazle Elahi Faisal and Tariq Iqbal

  2. Introduction
     • A virtual machine (VM) is an efficient, isolated duplicate of a real machine.
     • A virtual machine monitor (VMM) is a piece of software which
       • provides an environment for programs that is identical with the original machine;
       • allows programs to run in that environment with only an insignificant decrease in speed;
       • is in complete control of system resources.

  3. Introduction (cont)
     • Contributions of the paper
       • A model of a third generation-like computer has been developed.
       • Precise sufficient conditions to test whether an architecture can support virtual machines have been derived.

  4. Machine States
     S = <E, M, P, R>
     • E: executable storage
     • M: processor mode
     • P: program counter
     • R: relocation register

  5. Machine States (cont)
     • State
       • The state S is intended to specify the current state of the real computer system.
       • The machine can exist in any one of a finite number of states, where each state has the four components above.

  6. Machine States (cont)
     • Executable Storage
       • Executable storage is a conventional word- or byte-addressed memory of size q.
       • E[i] refers to the contents of the i-th unit of storage in E.
       • E = E´ iff E[i] = E´[i] for all 0 ≤ i < q.

  7. Machine States (cont)
     • Processor Mode
       • Operating modes of some computer architectures place restrictions on the type and scope of operations.
       • Supervisor mode (s)
       • User mode (u)

  8. Machine States (cont)
     • Processor Mode
       • Supervisor mode: the complete instruction repertoire is available to the processor.
       • User mode: the complete instruction repertoire is not available to the processor.

  9. Machine States (cont)
     • Program Counter
       • The program counter P is an address relative to the contents of R (explained on the next slide); it acts as an index into E, indicating the next instruction to be executed.

  10. Machine States (cont)
     • Relocation Register
       • Memory addressing is done relative to the contents of a relocation register.
       • The relocation register R consists of a tuple (l, b):
         • l = absolute address (base)
         • b = absolute size (bound)

  11. Program Status Word
     • The contents of the triplet <M, P, R> are often referred to as the program status word (PSW).
     • Each PSW is assumed to be recorded in one storage location.
     • E[0] is assumed to store the old PSW.
     • E[1] is assumed to store the new PSW.

  12. Instruction
     • An instruction is a discrete statement of a processor that usually specifies arithmetic, addressing, or control functions on registers or memory locations.
     • Given a set of states C, an instruction i is a function from C to C, i: C → C.
     • For example, i(S1) = S2, or i(E1, M1, P1, R1) = (E2, M2, P2, R2).

  13. Traps
     • A trap is a type of interrupt caused by an exceptional condition, e.g. a “memory trap”.
     • A trap automatically saves the current state of the machine and passes control to a pre-specified routine by changing M, R, P to the values specified in the new-PSW location.

  14. Traps (cont)
     • An instruction i is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where
       • E2[j] = E1[j], for 0 < j < q
       • E2[0] = (M1, P1, R1)
       • (M2, P2, R2) = E1[1]
     • The state of the machine is stored in such a way that it is reversible to the point at which the instruction causing the trap was executed.

  15. Memory Trap
     • A memory trap is a trap caused by an attempt by an instruction to develop an address which is greater than the bound in R or than physical memory.
       // an instruction produces relative address a
       if a + l ≥ q then memory-trap
       else if a ≥ b then memory-trap
       else use E[a + l]

  16. Types of Instructions
     • Privileged instruction
     • Sensitive instruction
       • Control sensitive
       • Behavior sensitive
         • Location sensitive
         • Mode sensitive
     • Innocuous instruction

  17. Privileged Instruction
     • Intuitively, if an instruction traps in user mode but does not trap in supervisor mode, then the instruction is privileged.

  18. Privileged Instruction (cont)
     • Instruction i is privileged iff for any pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> such that
       • neither i(S1) nor i(S2) memory traps,
       • i(S2) traps but i(S1) does not.
       // IBM System/360 LPSW
       if M = s then load_PSW else trap
       // Honeywell 6000 LBAR, DEC PDP-10 DATAO APR
       if M = s then load_R else trap

  19. Sensitive Instruction
     • Sensitive instructions are those that interact with the hardware's configuration state.
     • There are two types of sensitive instruction:
       • Control sensitive
       • Behavior sensitive

  20. Control Sensitive Instruction
     • An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1> with i(S1) = S2 = <e2, m2, p2, r2> such that
       • i(S1) does not memory trap, and
       • (a) r1 ≠ r2, or (b) m1 ≠ m2, or (c) both hold.
     • Intuitively, an instruction is control sensitive if it attempts to change the relocation register (R), the mode (M), or both.

  21. Behavior Sensitive Instruction
     • Before we define behavior sensitive instructions, we need to define the following two operators:
       • “⊕”: if r = (l, b), then r´ = r ⊕ x = (l + x, b); the relocation part l is shifted by the value x.
       • “|”: the notation E|R means the contents of the part of memory that can be accessed from a particular state, as specified by the relocation register R.

  22. Behavior Sensitive Instruction (cont)
     • Combining “⊕” and “|”:
       • E | r⊕x represents the contents of memory from [l + x] to [l + b + x].
       • E | r = E´ | r⊕x means that E[l + i] = E´[l + x + i] for 0 ≤ i < b.

  23. Behavior Sensitive Instruction (cont)
     • An instruction i is behavior sensitive if there exist an integer x and states
       • S1 = <e|r, m1, p, r>
       • S2 = <e|r⊕x, m2, p, r⊕x>
       where
       • i(S1) = <e1|r, m1, p1, r>
       • i(S2) = <e2|r⊕x, m2, p2, r⊕x>
       • neither i(S1) nor i(S2) memory traps,
       such that (a) e1|r ≠ e2|r⊕x, or (b) p1 ≠ p2, or (c) both hold.
     • An instruction is behavior sensitive if the effect of its execution depends on the value of the relocation register (R) or the mode (M).

  24. Behavior Sensitive Instruction (cont)
     • There are two types of behavior sensitive instructions:
       • Location sensitive: an instruction is location sensitive if its execution behavior depends on its location in real memory.
       • Mode sensitive: an instruction is mode sensitive if its execution behavior depends on the processor mode.

  25. Innocuous Instruction
     • An instruction is innocuous if it is not sensitive.

  26. Virtual Machine Monitor
     • The virtual machine monitor (VMM) is a particular piece of software (called the control program) that consists of the following parts:
       • Dispatcher
       • Allocator
       • Interpreter

  27. Virtual Machine Monitor (cont)
     • Dispatcher (D): the dispatcher is the top-level control module of the control program.

  28. Virtual Machine Monitor (cont)
     • Allocator (A): the allocator decides on allocating the system resources to a virtual machine (VM).
     • Given that a VMM hosts several VMs, it is the allocator’s task to avoid giving the same resource to more than one VM concurrently.

  29. Virtual Machine Monitor (cont)
     • Interpreter: the interpreter simulates the effect of a privileged instruction when it is trapped.
     • There exists one interpreter routine per privileged instruction.
     • Given that vi represents the series of instructions of an interpretive routine, {vi} denotes the set of all interpretive routines, i = 1 to m, where m is the number of privileged instructions.

  30. Control Program
     • A control program (CP) is specified by its three parts: CP = <D, A, {vi}>
       • D: dispatcher
       • A: allocator
       • {vi}: set of interpretive routines
     • The CP is assumed to run in supervisor mode, whereas all other programs are assumed to run in user mode.

  31. Virtual Machine Properties
     • There are three properties of interest when an arbitrary program is run while the control program is resident:
       • Efficiency
       • Resource control
       • Equivalence

  32. Efficiency
     • A program running in a VMM environment shows at worst only minor decreases in speed.
     • All innocuous instructions are executed by the hardware directly.
     • All innocuous instructions are executed without intervention on the part of the control program.

  33. Resource Control
     • The VMM is in complete control of system resources.
     • An arbitrary program cannot affect the system resources, e.g. memory.
     • The allocator of the control program is to be invoked upon any attempt to affect system resources.

  34. Equivalence
     • The VMM provides an environment for programs which is essentially identical with the original machine.
     • More specifically, a program K executing with a CP resident performs in a manner indistinguishable from the case when the CP does not exist.

  35. Exceptions to the Equivalence Property
     • Timing
       • Because of the occasional intervention of the CP, certain instruction sequences in K may take longer to execute.
     • Resource availability
       • The allocator does not always satisfy a request that attempts to change the relocation register (R).

  36. Virtual Machine
     • The environment which any program sees when running with a virtual machine monitor present is called a virtual machine (VM).
     • It is composed of the original real machine and the VMM.

  37. Third Generation Computer
     • A third generation computer has the following mechanisms:
       • Relocation mechanism
       • Supervisor/user mode
       • Trap mechanism

  38. Third Generation Computer
     • Theorem 1: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
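The definitions of slides 14, 15, 18, 20 and 23 and the Theorem 1 condition are mechanical enough to run. The following Python model is an added example, not code from the paper or the slides: it implements the state <E, M, P, R>, the trap and the memory trap, then applies the privileged / control sensitive / behavior sensitive definitions exhaustively over a small constructed set of states to a four-instruction ISA of my own (`add`, `setb`, `smode` and `storel` are constructed names, not real instructions; `q`, the memory image and the relocation values are constructed too). Two details worth noting: slide 23's template for i(S1) and i(S2) keeps M and R unchanged, so executions that trap or change R are left to the control-sensitivity test; and `smode`/`storel` are the dangerous kind, sensitive but not privileged, which is exactly what the Theorem 1 check reports.

```python
"""Toy model of the slides' machine: states S = <E, M, P, R>, traps, memory traps,
and an exhaustive classification of a constructed ISA, ending with the Theorem 1 check."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Q, SUP, USR = 8, "s", "u"            # q = 8 storage cells (constructed); the two modes
Reloc = Tuple[int, int]              # relocation register R = (l, b)

@dataclass(frozen=True)
class State:
    E: tuple                         # E[0] = old PSW, E[1] = new PSW, E[2:] data words
    M: str
    P: int
    R: Reloc

def resolve(S: State, a: int) -> Optional[int]:
    """Slide 15: relative address a -> absolute index, or None on a memory trap."""
    l, b = S.R
    return None if a + l >= Q or a >= b else a + l

def trap(S: State) -> State:
    """Slide 14: E2[0] = <M1,P1,R1>, <M2,P2,R2> = E1[1], all other cells unchanged."""
    E = list(S.E)
    E[0] = (S.M, S.P, S.R)
    return State(tuple(E), *S.E[1])

def trapped(S1: State, S2: State) -> bool:   # recognise a trap from the slide-14 pattern
    return (S2.E[0] == (S1.M, S1.P, S1.R) and (S2.M, S2.P, S2.R) == S1.E[1]
            and S2.E[1:] == S1.E[1:])

def window(E: tuple, r: Reloc) -> tuple:    # E|r: the memory addressable through R = (l, b)
    return tuple(E[r[0]:r[0] + r[1]])

Instr = Callable[[State], Tuple[State, bool]]   # returns (next state, memory-trapped?)

def store(S: State, a: int, v: int) -> Tuple[State, bool]:
    i = resolve(S, a)
    if i is None:
        return trap(S), True
    E = list(S.E)
    E[i] = v
    return State(tuple(E), S.M, S.P, S.R), False
def add(S: State):      # innocuous: E[4] := E[2] + E[3], all addresses relative to R
    src = [resolve(S, 2), resolve(S, 3)]
    return (trap(S), True) if None in src else store(S, 4, S.E[src[0]] + S.E[src[1]])
def setb(S: State):     # privileged and control sensitive: bound b := E[2] in supervisor mode
    if S.M != SUP:
        return trap(S), False
    i = resolve(S, 2)
    return (trap(S), True) if i is None else (State(S.E, S.M, S.P, (S.R[0], S.E[i])), False)
def smode(S: State):    # mode sensitive, never traps: E[3] := 1 in supervisor mode, else 0
    return store(S, 3, 1 if S.M == SUP else 0)
def storel(S: State):   # location sensitive, never traps: E[3] := relocation base l
    return store(S, 3, S.R[0])

def is_privileged(i: Instr, states: List[State]) -> bool:
    """Slide 18: over pairs <e,s,p,r>/<e,u,p,r> that do not memory trap, the user-mode
    copy traps and the supervisor-mode copy does not."""
    pairs = [(S1, State(S1.E, USR, S1.P, S1.R)) for S1 in states if S1.M == SUP]
    runs = [(S1, S2, i(S1), i(S2)) for S1, S2 in pairs]
    checked = [not trapped(S1, T1) and trapped(S2, T2)
               for S1, S2, (T1, mt1), (T2, mt2) in runs if not (mt1 or mt2)]
    return bool(checked) and all(checked)

def is_control_sensitive(i: Instr, states: List[State]) -> bool:
    """Slide 20: some execution that does not memory trap changes R or M."""
    return any(not mt and (T.R != S.R or T.M != S.M) for S in states for T, mt in [i(S)])

def behavior_sensitivity(i: Instr, states: List[State], shifts) -> Set[str]:
    """Slide 23: run i on S1 = <e|r, m1, p, r> and S2 = <e|r⊕x, m2, p, r⊕x>, then compare
    the addressable memory and P.  'mode': x = 0 and m1 != m2; 'location': m1 = m2, x != 0."""
    kinds: Set[str] = set()
    for S1 in states:
        l, b = S1.R
        for x, m2 in [(0, USR if S1.M == SUP else SUP)] + [(x, S1.M) for x in shifts if x]:
            if l + x < 2 or l + x + b > Q:      # keep the shifted window inside the data cells
                continue
            E2 = list(S1.E)
            E2[l + x:l + x + b] = window(S1.E, S1.R)        # e|r⊕x = e|r
            S2 = State(tuple(E2), m2, S1.P, (l + x, b))
            (T1, mt1), (T2, mt2) = i(S1), i(S2)
            if mt1 or mt2 or (T1.M, T1.R) != (S1.M, S1.R) or (T2.M, T2.R) != (S2.M, S2.R):
                continue                        # memory trap, or M/R changed (control sensitivity)
            if window(T1.E, S1.R) != window(T2.E, S2.R) or T1.P != T2.P:
                kinds.add("mode" if x == 0 else "location")
    return kinds

OLD_PSW, NEW_PSW = (USR, 99, (0, 0)), (SUP, 0, (0, Q))   # constructed E[0] filler; handler PSW
IMAGE = (OLD_PSW, NEW_PSW, 1, 2, 3, 4, 5, 6)             # constructed memory image, q = 8
STATES = [State(IMAGE, m, 0, r) for m in (SUP, USR) for r in ((2, 6), (3, 5), (4, 4))]
SHIFTS = (-2, -1, 0, 1, 2)
ISA: Dict[str, Instr] = {"add": add, "setb": setb, "smode": smode, "storel": storel}

def classify(name: str) -> Dict[str, object]:
    i = ISA[name]
    ctl, beh = is_control_sensitive(i, STATES), behavior_sensitivity(i, STATES, SHIFTS)
    return {"privileged": is_privileged(i, STATES), "control": ctl,
            "behavior": sorted(beh), "innocuous": not ctl and not beh}

def theorem1_violations() -> List[str]:
    """Theorem 1 condition: sensitive ⊆ privileged.  Returns the instructions breaking it."""
    return [n for n in ISA for c in [classify(n)]
            if (c["control"] or c["behavior"]) and not c["privileged"]]
```

Running `classify` on each name and then `theorem1_violations()` reports `add` as innocuous, `setb` as privileged and control sensitive (fine for Theorem 1), and `smode` and `storel` as sensitive but unprivileged: on such a machine the VMM never gets control when a guest reads its mode or its real load address, so equivalence cannot be guaranteed by trap-and-emulate alone.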

  39. Set of Machine States
     • C: the set of machine states
     • Cv: the set of states for which the VMM is present in memory
     • Cr: the set of states of the real machine without a VMM

  40. Set of Instruction Sequences
     • I is the set of instruction sequences, where each instruction sequence e_n(S1) = i_j…i_k(S1) = S2 consists of n instructions.

  41. Virtual Machine Map
     • A virtual machine map (VM map) f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the instruction sequence set I.
     • Intuitively, for any state Si ∈ Cr and any instruction sequence ei, there exists an instruction sequence ei´ such that f(ei(Si)) = ei´(f(Si)).

  42. Virtual Machine Map
     • Properties
       • Mathematical existence of a particular mapping from the states of the real machine to the virtual machine system.
       • Actual existence of instruction sequences ei´ on the Cv domain that correspond to the sequences ei on the Cr domain.

  43. Virtual Machine Map
     • Essentially identical effect
       • Two machines are started, one in state S1, the other in state S1´ = f(S1).
       • The VMM is equivalent to the real machine iff for any state S1: if the real machine halts in state S2, then the VM halts in state S2´ = f(S2).

  44. A Demonstration of a VM Map
     • Assumptions
       • The control program occupies the first k locations of physical memory.
       • The VM occupies the next w locations.
       • f(E, M, P, R) = (E´, M´, P´, R´), where S = <E, M, P, R> is the machine without a VMM present.

  45. A Demonstration of a VM Map
     • VM map
       • E´[i + k] = E[i], for i = 0 … w – 1
       • E´[i] = the control program, for i = 2 … k – 1
       • E´[1] = <m´, p´, r´>, where
         • m´ = supervisor
         • p´ = first location of the control program
         • r´ = (0, q – 1)
       • E´[0] = <m, p, r> as last set by the trap handler
       • M´ = u (user)
       • P´ = p
       • R´ = (l + k, b), where R = (l, b)
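To make the slide-45 map concrete, here is an added Python example (constructed, not the paper's or the slides' code) that builds f over plain tuple states with constructed sizes q = 12, k = 4, w = 8, and then checks the homomorphism of slide 41 in both ways the paper needs: an innocuous relative store commutes with f as it stands (ei´ = ei), while a constructed privileged instruction `setb` executed on the mapped state traps into the control program, where a constructed interpretive routine (slide 29) reproduces f of the real machine's result (ei´ = trap followed by the routine). E´[0] is compared loosely because slide 45 only defines it as "as last set by the trap handler".

```python
"""Slides 44-45: the VM map f: Cr -> Cv as a constructed example.  The real machine image
E has w words; in E' the control program (CP) takes the first k absolute locations and the
VM image the next w.  States are tuples (E, M, P, R) with R = (l, b)."""
from typing import Tuple

Q, K, W = 12, 4, 8                       # constructed: q = 12 words, k = 4 for the CP, w = 8 for the VM
CP_ENTRY = 2                             # first location of the CP (locations 0 and 1 hold the PSWs)
State = Tuple[tuple, str, int, Tuple[int, int]]

def vm_map(S: State) -> State:
    """f(E, M, P, R) = (E', M', P', R') exactly as listed on slide 45."""
    E, M, P, (l, b) = S
    Ep = [None] * Q
    Ep[0] = ("u", 0, (0, 0))             # E'[0]: old PSW, overwritten by each trap (constructed filler)
    Ep[1] = ("s", CP_ENTRY, (0, Q - 1))  # E'[1]: new PSW -> CP in supervisor mode, r' = (0, q-1)
    for i in range(CP_ENTRY, K):
        Ep[i] = f"cp{i}"                 # E'[i] = the control program (stand-in for its code)
    for i in range(W):
        Ep[i + K] = E[i]                 # E'[i+k] = E[i]
    return tuple(Ep), "u", P, (l + K, b) # M' = u, P' = p, R' = (l+k, b)

def trap(S: State) -> State:
    """Slide 14: save <M,P,R> in E[0], load <M,P,R> from E[1]."""
    E, M, P, R = S
    Ep = list(E)
    Ep[0] = (M, P, R)
    return (tuple(Ep), *E[1])

def store_rel(S: State, a: int, v: int) -> State:
    """Innocuous instruction: E[a relative to R] := v, then advance P."""
    E, M, P, (l, b) = S
    if a >= b or a + l >= len(E):
        return trap(S)                   # memory trap (slide 15)
    Ep = list(E)
    Ep[a + l] = v
    return tuple(Ep), M, P + 1, (l, b)

def setb(S: State, v: int) -> State:
    """Privileged, control sensitive instruction: bound b := v; traps outside supervisor mode."""
    E, M, P, (l, b) = S
    return (E, M, P + 1, (l, v)) if M == "s" else trap(S)

def cp_interpret_setb(S: State, v: int) -> State:
    """The CP's interpretive routine for setb (slide 29): entered through the trap, it applies
    the instruction's effect to the VM's saved PSW and resumes the VM in user mode."""
    E, M, P, R = S
    assert (M, P) == ("s", CP_ENTRY), "must be entered through the trap into the CP"
    m, p, (l, b) = E[0]                  # the VM's <M,P,R> as saved by the trap
    return E, "u", p + 1, (l, v)

def same_up_to_old_psw(A: State, B: State) -> bool:
    """Slide 45 leaves E'[0] 'as last set by the trap handler', so compare everything else."""
    return A[0][1:] == B[0][1:] and A[1:] == B[1:]

# Constructed real-machine state: w = 8 words, PSWs in E[0]/E[1], running at P = 5 with R = (2, 6).
REAL = ((("u", 0, (0, 0)), ("s", 0, (0, W - 1)), 10, 20, 30, 40, 50, 60), "s", 5, (2, 6))

def innocuous_commutes() -> bool:
    """f(e(S)) == e'(f(S)) with e' = e: innocuous code runs unchanged on the VM."""
    return vm_map(store_rel(REAL, 1, 99)) == store_rel(vm_map(REAL), 1, 99)

def privileged_commutes_via_interpreter() -> bool:
    """f(e(S)) == e'(f(S)) with e' = trap + interpretive routine for setb."""
    real_then_map = vm_map(setb(REAL, 4))
    map_then_trap = setb(vm_map(REAL), 4)             # the VM runs in real user mode -> trap
    return (map_then_trap[1:] == ("s", CP_ENTRY, (0, Q - 1))
            and same_up_to_old_psw(real_then_map, cp_interpret_setb(map_then_trap, 4)))
```

The interesting line is `R' = (l + k, b)`: because every guest address goes through the relocation register, sliding the base by k is all the map has to do to memory, and `store_rel` is then oblivious to whether it runs on the real machine or the VM. The interpretive routine, by contrast, has to read the guest's saved PSW out of E´[0] and rebuild the guest's view of R, which is the work Theorem 1 guarantees can always be done when sensitive instructions trap.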

  46. Recursive Virtualization
     • Intuitively, a machine is recursively virtualizable if
       • the virtual machine system can run under itself a copy of the VMM, so that the copy exhibits all the properties of a VMM;
       • Procedure 1 can be repeated until the resources of the system are consumed.
     • Theorem 2: A conventional third generation computer is recursively virtualizable if it is (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

  47. Recursive Virtualization
     • A VMM is guaranteed to produce an environment in which a large class of programs run with effect identical to that on the real machine.
     • The performance of the VMM running on the real machine and under other VMMs will be indistinguishable.
     Source: J. Smith, et al., Virtual Machines: Versatile Platforms for Systems and Processes

  48. Hybrid Virtual Machines
     • Very few third generation architectures are virtualizable.
     • The definition of a third generation architecture has been relaxed to a more general but less efficient form, labeled the hybrid virtual machine (HVM) system.
     • In an HVM, more instructions are interpreted rather than being directly executed.

  49. Hybrid Virtual Machines
     • An instruction i is said to be user sensitive if there exists a state S = <E, u, P, R> for which i is control sensitive or behavior sensitive.
     • User sensitivity is only applicable in user mode.
     • Intuitively, the user sensitive instructions are the instructions that cause difficulty when executed from user mode.

  50. Hybrid Virtual Machines
     • An instruction i is said to be supervisor sensitive if there exists a state S = <E, s, P, R> for which i is control sensitive or behavior sensitive.
     • Supervisor sensitivity is only applicable in supervisor mode.
