Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc Fiuczynski, Craig Chambers, Susan Eggers Brian BershadStefan SavagePrzemyslaw PardyakEmin Gun SirerDavid BeckerMarc FiuczynskiCraig ChambersSusan Eggers Presented By Ninad Palsule

Motivation General purpose OS Specialized OS Application needs a resource control – Ex. DBMS Hard: Support specialization in general purpose OS Kernel User DBMS Data page buffer Log page 1 2 Storage

Why it is hard? Ref: Fig from presentation prepared by Author from

SPIN Design Goals – Extensibility Incremental changes – Safety Correctness – Good performance Efficiency

SPIN Approach – Language and compiler support – Runtime facility Techniques – Co-location Requires dynamic linking Provides low cost communication – Enforced modularity Modula – 3 Compiler enforce interface between modules Can’t access memory or execute privileged instruction unless access given through interface Modularity enforced by the compiler enables modules – Logical protection domains Dynamic linker resolve code in different logical protection domain – Dynamic call binding System Events

Extensibility

Extension model Property of Extension – Easy to apply – Transparent – Efficient Dynamically linked to Kernel address space Provide controlled communication between Extension and Base system Extensions defined in terms of Event and Handler

Extension model Event raised Dispatcher call guards and handlers Evaluating guards If guard true then call handler Safety issues – Type checking Access Control Denial of service – Runaway handlers – Too many handlers Ref: Fig from paper 2 in Reference

Example: System call Ref: From presentation prepared by Author of paper 2.

Programmer’s view Ref: From presentation prepared by Author of paper 2.

SPIN structure Ref: Fig from presentation prepared by Author from

Application: Video system components Ref: Fig from Author presentation from

Safety

Modula – 3 support for SPIN Type Safety – Array index checks (static & dynamic) – Pointer-safe casting “VIEW” used to safe cast – Size of input should match with typed structure – Alignment should match Isolation of untrusted code – Terminating untrusted code “EPHEMERAL” procedure tag for killable procedures – Isolating errors in untrusted code Implicit exception for unhandled exception Enforce modularity – Interface, Modules and procedures Automatic storage management

Protection model Control set of operations on resource Conventional OS uses Address space as a protection model SPIN – Capabilities – Protection domain

Capabilities Implemented using pointers Pointer is a reference to block of memory whose type is declared within interface. Externalized Reference before sending to user space Unforgeable reference to resources (system object and interfaces) Extension reference resources for which they have valid access Interfaces protected to allow different extensions to have different views on services

Protection domains Set of accessible names available for execution context Naming and protection interface at level of language – Name ‘c’ is a instance of type ‘Console.T’ Domains can be intersecting or disjoint

Domain interface

Export/Import domain at run-time Fig from paper [2]

Core Services

Manages Memory and Processor resources Export interfaces for Extensions Extensible Memory management – Three components: Physical storage, Naming(virtual address) and Translation Extensible thread management – Strands – No state, share processor – Application provide its own thread package – Scheduler runs in Kernel – Checkpoint and Resume events – Block / Unblock Events

Performance

Methodology Comparative study – SPIN V0.4 – DEC OSF/1 V2.1 (Monolithic OS) – Mach 3.0 (Micro-kernel) Hardware – DEC Alpha 133 MHz AXP 3000/400 workstation, 64 MB RAM, 512 KB unified external cache Tests – Micro benchmarks – End-to-end performance – Networking

Micro benchmark – Protected communication NULL procedure call Protected in-kernel : SPIN’s cross domain procedure call Cross Address space call: SPIN’s extension Protected communication overhead in microseconds

Micro benchmark: Thread Management overhead

Network Latency and Bandwidth

End-to-end performance

Conclusion It is possible to achieve all three in single OS (Extensibility, Safety and Performance) Extend easily with dynamic linking Use of language and compile with Event facility for safety Communication cost is low Issues – Dispatcher performance? – Does it solve all Safety issues? How do we test correctness? – Language restrictions, changes in Modula - 3

References 1. Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc Fiuczynski, Craig Chambers, Susan Eggers Brian BershadStefan SavagePrzemyslaw PardyakEmin Gun SirerDavid BeckerMarc FiuczynskiCraig ChambersSusan Eggers 2. Dynamic Binding for an Extensible System, Przemyslaw Pardyak and Brian Bershad 3. Safe Dynamic Linking in an Extensible Operating System, Emin Sirer, Marc Fiucynski, Przemyslaw Pardyak, Brian Bershad 4. Language Support For Extensible Operating System, Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad 5. SPIN Operating System web site: Documentation and source code