Formal Requirements for Virtualizable Third Generation Architectures Grad Operating System Mini-Project Authors: Gerald J. Popek, and Robert P. Goldberg Presented by: Yiji Zhang
Outline Basic VM Concepts Formal Definitions Virtualization Theorems Contribution
Outline Basic VM Concepts Formal Definitions Virtualization Theorems Contribution
Basic VM Concepts Virtual Machine (VM) efficient, isolated duplicate of the real machine the environment created by the virtual machine monitor VMM Hardware VM The virtual machine monitor
Basic VM Concepts Virtual machine monitor (VMM) a piece of software three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources
Outline Basic VM Concepts Formal Definitions Virtualization Theorems Contribution
Formal Definitions Three formal definitions Model of 3rd generation machine Instruction behavior Virtual machine monitor
Model of 3rd Generation Machine Overview simplified conventional 3rd generation machine with a processor with linear, uniformly addressable memory without I/O instructions without interrupts Machine behavior The machine can exist in any one of a finite number of states S, where S = <E, M, P, R>.
Model of 3rd Generation Machine Behavior of the computer: state (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count
Model of 3rd Generation Machine Behavior of the computer: state-space (S) E: executable storage word or byte addressed memory; E[i]: contents of the ith unit of storage in E R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count
Model of 3rd Generation Machine Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode 2 types supervisor (s) user (u) P: program count
Model of 3rd Generation Machine Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count address relative to register; index
Model of 3rd Generation Machine Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register R = (l, b) relocation part l: absolute address bound part b: absolute size of virtual memory S=<E, M, P, R> M: processor mode P: program count
Model of 3rd Generation Machine Program status word (PSW) the contents of the triple <M, P, R> used for other definitions and proof later Instruction (i) a function from one set of states (C) to another. i: C C e.g. i(S1) = S2 i(E1, M1, P1, R1) = (E2, M2, P2, R2)
Model of 3rd Generation Machine Trap 1. Definition 2. Particular kind of trap
Model of 3rd Generation Machine Trap 1. Definition An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]
Model of 3rd Generation Machine Trap 1. Definition An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1] 1. Save the current state 2. Pass control of a pre-specified routine by changing PSW
Model of 3rd Generation Machine Trap 2. Particular kind of trap: memory trap caused by accessing an address which is over the bounds in relocation-bounds register R(l, b) or physical memory micro-sequence: where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound if a + l ≥ q then trap; if a ≥ b then trap
Formal Definitions Three formal definitions Model of 3rd generation machine Instruction behavior Virtual machine monitor
Instruction Behavior privileged instruction sensitive instruction control sensitive instruction behavior sensitive instruction innocuous instructions
Instruction Behavior privileged instruction sensitive instruction control sensitive instruction behavior sensitive instruction innocuous instructions
Privileged Instruction Definition Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
Privileged Instruction Definition independent of the virtualization process the only difference Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not. privileged instruction trap
Instruction Behavior privileged instruction sensitive instruction control sensitive instruction behavior sensitive instruction innocuous instructions
Sensitive Instruction Control sensitive control sensitive instructions: affect or potentially affect the control of VMM over recourses no isolated condition codes or other complications by which instructions can interact An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.
Sensitive Instruction Behavior sensitive…
Sensitive Instruction Behavior sensitive… First introduce new notations… operator ⊕: r’ = r ⊕ x = (l+x, b), which means the relocation register has had its base value shifted by the value of x E | R: which means the contents of the part of the memory which can be effected by the instruction E | r = E’ | r ⊕ x: for 0≤i≤b, E[l + i] = E’[l + x + i]
Sensitive Instruction Behavior sensitive (finally!) the effect of the executions depends on the value of the relocation-bounds register. An instruction i is behavior sensitive if there exists an integer x and states: (a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >, where (c) i(S1) = <e1 | r, m1, p1, r>, (d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap, such that either (a) e1 | r ≠ e2 | r ⊕ x, or (b) p1≠ p2, or both.
Instruction Behavior privileged instruction sensitive instruction control sensitive instruction behavior sensitive instruction innocuous instructions
Innocuous Instructions The instructions which are neither privileged instruction nor sensitive instructions.
Formal Definitions Three formal definitions Model of 3rd generation machine Instruction behavior Virtual machine monitor
Virtual Machine Monitor VMM a particular piece of software, called a control program, that exhibits certain properties
Virtual Machine Monitor Control program modules CP = <D, A, {vi}> Control Program (CP) Dispatcher (D) Allocator (A) Interpreters
Virtual Machine Monitor Control program modules CP = <D, A, {vi}> Control Program (CP) top level module decide which module to call Dispatcher (D) Allocator (A) Interpreters
Virtual Machine Monitor Control program modules CP = <D, A, {vi}> Control Program (CP) invoked by dispatcher when an attempted execution is to change the resources Dispatcher (D) Allocator (A) Interpreters
Virtual Machine Monitor Control program modules CP = <D, A, {vi}> Control Program (CP) one interpreter routine per privileged instruction to simulate the effect of trapped instruction Dispatcher (D) Allocator (A) Interpreters
Virtual Machine Monitor Control program modules CP = <D, A, {vi}> Control Program (CP) one interpreter routine per privileged instruction to simulate the effect of trapped instructions Dispatcher (D) Allocator (A) Interpreters vi: set of interpretive routines
Virtual Machine Monitor VMM properties Recall Basic VM Concept… three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources
Virtual Machine Monitor VMM properties Recall Basic VM Concept… three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources Now more formally...
Virtual Machine Monitor VMM properties (formally) 1) Equivalence: Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.
Virtual Machine Monitor VMM properties (formally) 1) Equivalence (even more formally) Two machines : S1 and S1' = f(S1) “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)
Virtual Machine Monitor VMM properties (formally) 1) Equivalence (even more formally) Two machines : S1 and S1' = f(S1) “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2) Virtual Machine Map (VM MAP)
Virtual Machine Monitor Virtual machine Map (VM Map) f: Cr Cv is a one-one homomorphism w.r.t all the operators ei in the instruction sequence set I. where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with VMM. The virtual machine map
Virtual Machine Monitor VMM properties (formally) 2) Efficiency: All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.
Virtual Machine Monitor VMM properties (formally) 3) Resource control: It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.
Outline Basic VM Concepts Formal Definitions Virtualization Theorems Conclusion
Visualization Theorem THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
Visualization Theorem THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which implies all assumptions for: relocation mechanisms, supervisor/user mode, and trap mechanisms the instruction set is of general purpose to support dispatcher, allocator, and table lookup procedure
Visualization Theorem THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 1) means: to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM
Visualization Theorem THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 2) guarantees: the resource control property, and equivalence property
Visualization Theorem THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 3) provides: a simple technique for implementing a VMM, called trap-and-emulate virtualization
Visualization Theorem THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
Visualization Theorem THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it. Exceptions: 1) programs with resource bound The theorem limits the number of nested VMMs of the recursion. 2) programs that have time dependencies
Visualization Theorem THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.
Visualization Theorem THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions. user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is control sensitive or behavior sensitive.
Visualization Theorem THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions. user control sensitive: the definition given earlier for control sensitivity holds, with ml in that definition set to user. user behavior sensitive: the definition for location sensitivity holds with the mode of states S1 and S2 equal to user.
Outline Basic VM Concepts Formal Definitions Virtualization Theorems Contribution
Contribution A formal model of a 3rd generation computer system Necessary and sufficient conditions to determine whether a particular 3rd generation machine can support a VMM
Reference Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.