Formal Requirements for Virtualizable Third Generation Architectures
Grad Operating System Mini-Project
Authors: Gerald J. Popek and Robert P. Goldberg
Presented by: Yiji Zhang
Posted on 19-Feb-2016
Outline
• Basic VM Concepts
• Formal Definitions
• Virtualization Theorems
• Contribution
Basic VM Concepts
• Virtual Machine (VM)
  – an efficient, isolated duplicate of the real machine
  – the environment created by the virtual machine monitor
  (Figure: a layered stack with the Hardware at the bottom, the VMM above it, and the VM on top of the VMM)
• Virtual Machine Monitor (VMM)
  – a piece of software
  – three properties:
  1) Equivalence: a program run under the VMM behaves as it would if run directly on the original machine
  2) Efficiency: a statistically dominant subset of the virtual processor's instructions is executed directly by the real processor
  3) Resource control: the VMM has complete control of system resources
Formal Definitions
• Three formal definitions:
  – Model of a 3rd generation machine
  – Instruction behavior
  – Virtual machine monitor
Model of 3rd Generation Machine
• Overview: a simplified conventional 3rd generation machine
  – with a single processor
  – with linear, uniformly addressable memory
  – without I/O instructions
  – without interrupts
• Machine behavior: the machine can exist in any one of a finite number of states S, where S = <E, M, P, R>.
Model of 3rd Generation Machine
• Behavior of the computer: the state S = <E, M, P, R>
  – E: executable storage
    • word- or byte-addressed memory of size q
    • E[i]: contents of the ith unit of storage in E
  – M: processor mode, one of two values
    • supervisor (s)
    • user (u)
  – P: program counter
    • an address relative to the relocation register
    • acts as an index into E
  – R: relocation-bounds register, R = (l, b)
    • relocation part l: an absolute address
    • bound part b: the absolute size of the virtual memory
Model of 3rd Generation Machine
• Program status word (PSW): the contents of the triple <M, P, R>
  – used in the definitions and proofs that follow
• Instruction (i): a function from the set of states C to itself, i: C → C
  e.g. i(S1) = S2, that is, i(E1, M1, P1, R1) = (E2, M2, P2, R2)
Model of 3rd Generation Machine
• Trap
  1. Definition
  An instruction i is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where
    E2[j] = E1[j], for 0 < j < q,
    E2[0] = (M1, P1, R1), and
    (M2, P2, R2) = E1[1].
  In words: (1) the current PSW is saved in location 0 and the rest of memory is left untouched, and (2) control passes to a pre-specified routine by loading the new PSW from location 1.
  2. A particular kind of trap: the memory trap
  – caused by accessing an address that is outside the bounds of the relocation-bounds register R = (l, b) or outside physical memory
  – micro-sequence, where a is the (relative) address to be accessed, l the relocation, b the bound and q the total size of memory:
    if a + l ≥ q then memory trap;
    if a ≥ b then memory trap
Instruction Behavior
• privileged instructions
• sensitive instructions
  – control sensitive instructions
  – behavior sensitive instructions
• innocuous instructions
Privileged Instruction
• Definition
  Instruction i is privileged iff for any pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
• The only difference between S1 and S2 is the processor mode: a privileged instruction traps in user mode and does not trap in supervisor mode.
• The definition is independent of the virtualization process; it is a property of the machine itself.
Sensitive Instruction
• Control sensitive
  – control sensitive instructions affect, or potentially affect, the control of the VMM over resources
  – the model assumes there are no isolated condition codes or other complications by which instructions can interact
  An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1> with i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either (a) r1 ≠ r2, or (b) m1 ≠ m2, or both.
Sensitive Instruction
• Behavior sensitive
  – the effect of executing the instruction depends on the value of the relocation-bounds register (its location in real memory); since the definition below allows m1 ≠ m2, dependence on the processor mode is covered as well
  – notation used in the definition:
    • operator ⊕: r ⊕ x = (l + x, b), i.e. the relocation register has had its base value shifted by x
    • E | r: the contents of the part of memory that can be affected by the instruction under relocation-bounds register r
    • E | r = E' | r ⊕ x means: for 0 ≤ i ≤ b, E[l + i] = E'[l + x + i]
  An instruction i is behavior sensitive if there exists an integer x and states
    (a) S1 = <e | r, m1, p, r>, and
    (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x>,
  where
    (c) i(S1) = <e1 | r, m1, p1, r>,
    (d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x>, and
    (e) neither i(S1) nor i(S2) memory traps,
  such that either
    (f) e1 | r ≠ e2 | r ⊕ x, or
    (g) p1 ≠ p2, or both.
Innocuous Instructions
• The instructions that are neither privileged nor sensitive.
Virtual Machine Monitor
• VMM: a particular piece of software, called a control program, that exhibits certain properties
Virtual Machine Monitor
• Control program modules: CP = <D, A, {vi}>
  – Dispatcher (D)
    • the top-level module; it receives control on a trap and decides which module to call
  – Allocator (A)
    • invoked by the dispatcher when an attempted execution would change the resources of the machine
  – Interpreters {vi}
    • the set of interpretive routines, one interpreter routine per privileged instruction
    • each simulates the effect of the trapped instruction
Virtual Machine Monitor
• VMM properties: recall the three properties from the Basic VM Concepts (equivalence, efficiency, resource control). Now more formally...
Virtual Machine Monitor
• VMM properties (formally)
  1) Equivalence:
  Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.
  (The two exceptions are timing dependencies and resource availability; they return under Theorem 2 below.)
Virtual Machine Monitor
• 1) Equivalence (even more formally), via the virtual machine map (VM map)
  – f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the instruction sequence set I, where Cr is the set of possible states of the real machine without a VMM and Cv is the set of states with the VMM present.
  – Two states correspond when S1' = f(S1). The virtual machine is "equivalent" to the real machine iff, for any state S1: if the real machine started in S1 halts in state S2, then the virtual machine started in f(S1) halts in state S2' = f(S2).
Virtual Machine Monitor
• VMM properties (formally)
  2) Efficiency:
  All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.
  3) Resource control:
  It must be impossible for an arbitrary program to affect the system resources, i.e. the memory, available to it; the allocator of the control program is to be invoked upon any such attempt.
Virtualization Theorem
• THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
  – The theorem rests on the assumptions of the model: the relocation mechanism, supervisor/user modes and trap mechanism as defined above, and an instruction set general enough to implement the dispatcher, the allocator and table lookup procedures.
  – What it means: to build a VMM it is sufficient that every instruction that could affect the correct functioning of the VMM always traps and passes control to the VMM.
  – What it guarantees: the resource control and equivalence properties (efficiency follows, because the remaining, innocuous, instructions run directly on the hardware).
  – What it provides: a simple technique for implementing a VMM, called trap-and-emulate virtualization.
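The following Python is an added example, not code from the paper or from these slides. It turns the machine of the Formal Definitions section into an executable model (state <E, M, P, R>, the trap mechanism, the memory-trap micro-sequence) and checks the privileged, control sensitive and behavior sensitive definitions exhaustively on a tiny state space, then applies the condition of Theorem 1. Everything concrete is an assumption made for illustration: the memory size q = 6, the handler PSW stored in E[1], the set of legal relocation-bounds registers, and the four hypothetical instructions (inc, set_bounds, read_reloc, read_reloc_fixed). Two modelling choices are also assumptions: a trapping transition is not counted as control sensitive (the trap sequence loads a new PSW by definition), and a privileged-ness check that never finds a qualifying pair is reported as False rather than vacuously True.

```python
# Added example, not code from the paper or the slides: an executable version of the
# Popek-Goldberg model above, small enough to check the definitions exhaustively.
# The machine (q = 6 words), the handler PSW and every instruction are assumptions
# made for illustration; "read_reloc" is a sensitive-but-unprivileged instruction.
from itertools import product

Q = 6                                # memory size q; E[0] and E[1] are the trap cells
HANDLER = ("s", 0, (2, 2))           # PSW kept in E[1]: the trap handler (assumed)
RELOCS = [(l, b) for l in (2, 3, 4) for b in (1, 2)]   # legal R = (l, b), l + b <= Q

def state(E, M, P, R):               # S = <E, M, P, R>
    return (tuple(E), M, P, R)

def in_bounds(a, R):                 # the memory-trap micro-sequence, a relative to l
    return a + R[0] < Q and a < R[1]

def trap(S):                         # save <M, P, R> into E[0], load the new PSW from E[1]
    E, M, P, R = S
    E2 = list(E); E2[0] = (M, P, R)
    return state(E2, *E[1])

def traps(S1, S2):                   # the slides' trap definition, checked on S1 -> S2
    E1, M1, P1, R1 = S1
    E2, M2, P2, R2 = S2
    return (all(E2[j] == E1[j] for j in range(1, Q))
            and E2[0] == (M1, P1, R1) and (M2, P2, R2) == E1[1])

# Hypothetical instructions: state -> state, or None on a memory trap (operand a = 0).
def inc(S):                          # E[l] := E[l] + 1 mod 2; expected innocuous
    E, M, P, R = S
    if not in_bounds(0, R):
        return None
    E2 = list(E); E2[R[0]] = (E2[R[0]] + 1) % 2
    return state(E2, M, P + 1, R)

def set_bounds(S):                   # R := (l, 1); traps in user mode
    E, M, P, R = S
    return trap(S) if M == "u" else state(E, M, P + 1, (R[0], 1))

def read_reloc(S):                   # E[l] := l; reveals R to user mode without trapping
    E, M, P, R = S
    if not in_bounds(0, R):
        return None
    E2 = list(E); E2[R[0]] = R[0]
    return state(E2, M, P + 1, R)

def read_reloc_fixed(S):             # same, but made privileged: traps in user mode
    return trap(S) if S[1] == "u" else read_reloc(S)

def all_states():                    # every state of the tiny machine (384 of them)
    for cells in product((0, 1), repeat=Q - 2):
        for M, P, R in product("su", (0, 1), RELOCS):
            yield state((0, HANDLER) + cells, M, P, R)

def is_privileged(i):                # each <e,s,p,r>/<e,u,p,r> pair: user traps, supervisor not
    checked = False
    for S in (S for S in all_states() if S[1] == "s"):
        Su = state(S[0], "u", S[2], S[3])
        Ts, Tu = i(S), i(Su)
        if Ts is None or Tu is None:
            continue                 # pairs where either side memory traps are excluded
        if traps(S, Ts) or not traps(Su, Tu):
            return False
        checked = True
    return checked                   # vacuous truth is not accepted (assumption)

def is_control_sensitive(i):         # some execution changes M or R without memory trapping;
    return any(T is not None and not traps(S, T) and (T[1], T[3]) != (S[1], S[3])
               for S in all_states() for T in [i(S)])   # trap sequences skipped (modelling choice)

def window(E, R):                    # E | r : the b words starting at l
    return tuple(E[R[0] + k] for k in range(R[1]))

def is_behavior_sensitive(i):        # window or P after i depends on r (+) x or on the mode
    for S1 in all_states():
        E, m1, p, r = S1
        T1 = i(S1)
        if T1 is None or T1[1] != m1 or T1[3] != r:
            continue                 # i(S1) must keep m1 and r and not memory trap
        for x, m2 in product(range(-2, 3), "su"):
            r2 = (r[0] + x, r[1])    # r (+) x
            if r2 not in RELOCS:
                continue
            E2 = list(E)             # build e | r (+) x = e | r by shifting the window
            for k in range(r[1]):
                E2[r2[0] + k] = E[r[0] + k]
            T2 = i(state(E2, m2, p, r2))
            if T2 is None or T2[1] != m2 or T2[3] != r2:
                continue             # i(S2) must keep m2 and r (+) x and not memory trap
            if window(T1[0], r) != window(T2[0], r2) or T1[2] != T2[2]:
                return True          # memory window or program counter differs
    return False

def violates_theorem1(isa):          # sensitive but not privileged: such instructions never trap to the VMM
    return sorted(n for n, i in isa.items()
                  if (is_control_sensitive(i) or is_behavior_sensitive(i)) and not is_privileged(i))

BROKEN_ISA = {"inc": inc, "set_bounds": set_bounds, "read_reloc": read_reloc}
FIXED_ISA = dict(BROKEN_ISA, read_reloc=read_reloc_fixed)
```

Running violates_theorem1(BROKEN_ISA) returns ['read_reloc']: the instruction leaks the relocation register to a user-mode program without trapping, so a guest could observe where it really sits in memory and the VMM never gets a chance to emulate the read. The check generalizes the slides' definitions to any instruction that can be written as a state function: an instruction that reads R or M in user mode and does not trap will always show up as behavior sensitive but unprivileged. Replacing it with read_reloc_fixed, which traps in user mode, makes it privileged; violates_theorem1(FIXED_ISA) is then empty and the machine satisfies the hypothesis of Theorem 1, so a trap-and-emulate VMM can be built for it.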
Virtualization Theorem
• THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
  – Exceptions (the two exceptions to the equivalence property):
  1) programs bound by resource availability: each nested VMM consumes real resources, so the theorem limits the number of nested VMMs in the recursion.
  2) programs that have timing dependencies: the VMM intervenes on every trap, so timing under the VMM differs from the real machine.
Virtualization Theorem
• THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.
  – user sensitive instruction: there exists a state S = <E, u, P, R> for which instruction i is control sensitive or behavior sensitive.
  – user control sensitive: the definition given earlier for control sensitivity holds, with m1 in that definition set to user.
  – user behavior sensitive: the definition for behavior (location) sensitivity holds with the mode of states S1 and S2 equal to user.
  – In a hybrid VMM, instructions executed in virtual supervisor mode are interpreted rather than run directly; only virtual user mode code runs natively, which is why only the user sensitive instructions need to trap.
Contribution
• A formal model of a 3rd generation computer system
• Sufficient conditions (Theorems 1 to 3) to determine whether a particular 3rd generation machine can support a VMM
Reference
• Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.