
Popek & Goldberg’s notation

Haipeng Cai and Siyuan Jiang. Topics: the conventional third generation computer and the virtual machine monitor (VMM).


Presentation Transcript


  1. Popek & Goldberg’s notation. Haipeng Cai and Siyuan Jiang

  2. Conventional third generation computer • Virtual machine monitor (VMM)

  3. Conventional Third Generation Computer

  4. Processor Mode M • s: supervisor mode • u: user mode

  5. No I/O instructions

  6. Memory as • Executable storage E • Linear • Uniformly addressable [Diagram: E as locations 0 to q-1, with E[i] at index i]

  7. Relocation-bounds Register R • R=(l, b) • An index to E [Diagram: window from l to l+b within E, locations 0 to q-1]

  8. R=(l, b), address a is reached like: • if a>b-1: memorytrap (discussed later) • if a+l>q-1: memorytrap (discussed later) • otherwise (a<b): location l+a in E

  9. Relocation-bounds Register R • works in both processor modes • supervisor mode • user mode

  10. Program Counter P • Address of next instruction • Relative to R [Diagram: P=p points to location l+p inside the window l to l+b of E]

  11. State S=<E, M, P, R> • The current state of the real computer system • E: executable storage • M: processor mode • P: program counter • R: relocation-bounds register • PSW: program status word

  12. PSW=<M, P, R> [Diagram: old PSW at location 0 and next PSW at location 1 of E, locations 0 to q-1]

  13. State S=<E, M, P, R> • Notation: C is the finite set of states

  14. Instruction i • is a function f: C → C

  15. Trap (an action of an instruction) • S1=<E1, M1, P1, R1> traps to S2=<E2, M', P', R'> [Diagram: the trap stores <M1, P1, R1> in E2 and loads <M', P', R'>; window l1 to l1+b1 in E1, window l' to l'+b' in E2]

  16. MemoryTrap • A trap caused by an attempt to access an address which is beyond the bounds • address a>b-1 (memorytrap) • a>q-1 (memorytrap)

  17. Privileged instruction i • For any PSW=<e, p, r> for which i does not memorytrap, • if M=u, i traps • else if M=s, i does not trap

  18. Sensitive instruction i • Control sensitive • Behavior sensitive

  19. Control sensitive instruction i • There exists a state S1=<e1, m1, p1, r1>, with i(S1)=<e2, m2, p2, r2>, such that i(S1) does not memorytrap AND (r1≠r2 OR m1≠m2) is true • In other words, i is control sensitive if i intends to change one or both of • R: the available memory resources • M: the processor mode

  20. Operator ⊕ (for behavior sensitive instructions) [Diagram: r covers l to l+b in E; r⊕x covers l+x to l+x+b in E, locations 0 to q-1]

  21. Behavior sensitive instruction i • i is behavior sensitive if there exist an integer x and states S1, S2, where S1 has m1, r1, p1 and S2 has m2 (≠m1), r2=r1⊕x, p2=p1, such that i(S1) and i(S2) differ in one or both of • the values of available memory • the program counter

  22. Behavior sensitive instruction i • is location sensitive, if the difference is caused by R • is mode sensitive, if the difference is caused by M [Diagram: Behavior Sensitive splits into Location Sensitive (Relocation-bounds Register) and Mode Sensitive (Processor Mode)]

  23. Conventional third generation computer: Wrap Up • S=<E,M,P,R> • Executable storage • PSW • Processor Mode • Program counter • Relocation-bounds Register • Instruction • Trap • Memorytrap • Privileged instruction • Sensitive instruction • Control Sensitive • Behavior Sensitive

  24. Virtual Machine Monitor (VMM)

  25. Control Program (CP) • VMM is a kind of CP

  26. Control Program • Assume • Control Program runs in s mode • Other programs run in u mode • (In later discussion, "program" represents the other programs)

  27. Control Program CP=<D, A, {vi}> • Dispatcher D • Allocator A • Interpreters {vi}

  28. Dispatcher D • D decides which module to call. • E[1] has P set to D: PSWnext=<M, P->D, R>

  29. Allocator A • A decides what resource(s) are to be provided.

  30. Interpreters {vi} • One interpreter routine vi for one privileged instruction i

  31. Virtual Machine Monitor • A CP with three properties: • Efficiency property • Resource control property • Equivalence property

  32. Efficiency property: All innocuous instructions are executed by hardware directly (with no intervention on the part of the control program)

  33. Resource control property: Programs cannot affect the system resources. (Whenever there is an attempt to affect system resources, A is to be invoked.)

  34. Equivalence property: With two exceptions (listed in the next slide), any program k performs in a manner indistinguishable from the case where: • CP does not exist • k has freedom of access to privileged instructions

  35. Exceptions for equivalence property: (1) The length of time required for execution changes when a program runs with a CP present (2) A may not satisfy a particular request for space; then k will not execute in the same manner

  36. Virtual Machine • The environment which any program sees when running with a VMM present

  37. Virtual machine monitor: Wrap up • Control Program (CP) • Dispatcher • Allocator • Interpreters {vi} • Virtual machine monitor properties • Efficiency • Resource control • Equivalence

  38. Formal Requirements for Conventional Third Generation Computer to be Virtualizable

  39. Theorem 1: For any conventional third generation computer, a VMM can be constructed if the set of sensitive instructions (for that computer) is a subset of the set of privileged instructions

  40. Construct a VMM • (in conventional 3rd generation computer) • VM Map • Define "Equivalence property" • VM Map that satisfies three VMM properties

  41. VM Map • is a function f: Cr->Cv which is a one-one homomorphism • that is, for any Si and ei, there exists an e'i such that f(ei(Si))=e'i(f(Si)) • Cr: states without VMM • Cv: states with VMM [Diagram: f maps Si to S'i and Sj to S'j; ei takes Si to Sj and e'i takes S'i to S'j]

  42. VM Map • VM Map only maps states: • after the completion of one instruction in the real machine • before the beginning of the next instruction

  43. Equivalence (Formal): Assume a real machine runs from S1 and the VM runs from f(S1). The VM is equivalent to the real machine if and only if, for any S1, if the real machine halts in S2, then the VM halts in f(S2).

  44. Standard VM Map (detail in next slide) [Diagram: Sr with storage E, locations 0 to w-1 and window l to l+b, mapped to Sv with storage E', locations 0 to w+k-1 and window l+k to l+k+b; the contents of E are the same in E'; the low locations of E' hold <m, p, r> set by trap handler, <m', p', r'> with m'=s, p'=CP, r'=(0,q-1), and CP]

  45. Standard VM Map • Sr=<E, M, P, R> → Sv=<E', M', P', R'> • where R=(l, b), |E|=w, |CP|=k-2 • E'[i+k] = E[i], for i=0 to w-1 • E'[i] = CP, for i=2 to k-1 • E'[1] = <m', p', r'> • where m'=s, p'=1st location of CP, r'=(0, q-1) • E'[0] = <m, p, r> as last set by trap handler • M'=u, P'=P, R'=(l+k, b)

  46. Standard VM Map • It can satisfy the three properties if the sensitive instructions are all privileged instructions in the third generation computer

  47. Overall Wrap up • Conventional third generation computer • Virtual machine monitor (control program) • The condition under which a VMM can be built in the conventional third generation computer

  48. Related results: Recursive virtualization • Can a VM run a copy of the VMM? • Theorem 2: A conventional third generation computer is recursively virtualizable if it is: • (a) virtualizable, and • (b) a VMM without any timing dependencies can be constructed for it

  49. Relax VMM definition: Hybrid VMM • Relax the VMM definition so that more third generation computers can be virtualizable • Theorem 3: A hybrid VMM may be constructed for any conventional third generation computer where user sensitive instructions are privileged. • Note 1: in Theorem 1, it is all "sensitive instructions" • Note 2: user sensitive instructions are defined in the next slide

  50. User Sensitive Instructions • Def. i is said to be user sensitive if there exists a state S=<E, u, P, R> for which i is sensitive • In other words, i is user sensitive if i is sensitive under user mode
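
The definitions on slides 8, 17 and 19 and the condition of Theorem 1 (slide 39) can be checked by exhaustive enumeration on a very small machine. The Python model below is an added example, not part of the presentation: the storage size Q and the three toy instructions store0, set_r and widen are constructed, traps are modelled as exceptions instead of a PSW swap, and only control sensitivity is checked (behavior sensitivity is left out).

```python
from itertools import product

Q = 3                                # size of executable storage E (constructed toy value)
class Trap(Exception): pass          # privileged-instruction trap (modelling assumption)
class MemoryTrap(Exception): pass    # address beyond the bounds of R or of E

def translate(r, a):
    # Slides 8 and 16: relative address a under R=(l, b) reaches E[l+a].
    l, b = r
    if a > b - 1 or a + l > Q - 1:
        raise MemoryTrap(a)
    return l + a

# Hypothetical toy instructions; a state is S = (e, m, p, r) as on slide 11.
def store0(s):                       # innocuous: writes 1 to relative address 0
    e, m, p, r = s
    k = translate(r, 0)
    return (e[:k] + (1,) + e[k + 1:], m, p + 1, r)

def set_r(s):                        # changes R, but traps in user mode
    e, m, p, r = s
    if m == "u": raise Trap("set_r")
    return (e, m, p + 1, (0, Q))

def widen(s):                        # changes R in either mode and never traps
    e, m, p, r = s
    return (e, m, p + 1, (r[0], r[1] + 1))

def states():                        # the finite set C of slide 13
    for e in product((0, 1), repeat=Q):
        for m, p, l, b in product("su", range(Q), range(Q), range(Q + 1)):
            yield (e, m, p, (l, b))

def outcome(i, s):                   # next state, or the trap that was raised
    try:
        return i(s)
    except (Trap, MemoryTrap) as t:
        return t

def is_privileged(i):                # slide 17: traps exactly when M=u
    return all(isinstance(o, Trap) == (s[1] == "u") for s in states()
               for o in [outcome(i, s)] if not isinstance(o, MemoryTrap))

def is_control_sensitive(i):         # slide 19, over runs that complete without a trap
    return any(o[1] != s[1] or o[3] != s[3] for s in states()
               for o in [outcome(i, s)] if isinstance(o, tuple))

def theorem1_holds(isa):             # every sensitive instruction is privileged
    return all(is_privileged(i) for i in isa if is_control_sensitive(i))
```

With store0 and set_r alone the condition holds; adding widen, which changes R from user mode without trapping, breaks it because the control program never gets the chance to intervene.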
