formal requirements for virtualizable third generation architectures grad operating system...

Formal Requirements for Virtualizable Third Generation Architectures

Grad Operating System Mini-ProjectAuthors: Gerald J. Popek, and Robert P. Goldberg

Presented by: Yiji Zhang

2

Outline

• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution

3

Outline


4

Basic VM Concepts

• Virtual Machine (VM)– efficient, isolated duplicate of the real machine– the environment created by the virtual machine monitor

VMM

VM

Hardware

The virtual machine monitor

5

Basic VM Concepts

• Virtual machine monitor (VMM)– a piece of software– three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

6

Outline


7

Formal Definitions

• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor

8

Model of 3rd Generation Machine

• Overview simplified conventional 3rd generation machine– with a processor– with linear, uniformly addressable memory– without I/O instructions– without interrupts

• Machine behaviorThe machine can exist in any one of a finite

number of states S, where S = <E, M, P, R>.

9

Model of 3rd Generation Machine• Behavior of the computer: state (S)

S=<E, M, P, R>

E: executable storage

M: processor mode P: program count

R: relocation-bounds register

10

Model of 3rd Generation Machine• Behavior of the computer: state-space (S)

S=<E, M, P, R>



E: executable storage• word or byte addressed memory;• E[i]: contents of the ith unit of

storage in E

11


S=<E, M, P, R>


M: processor mode2 types• supervisor (s)• user (u)

P: program count


12


S=<E, M, P, R>


M: processor modeP: program count• address relative to register;• index


13


S=<E, M, P, R>



R: relocation-bounds register R = (l, b)• relocation part l: absolute address• bound part b: absolute size of virtual

memory

14

Model of 3rd Generation Machine• Program status word (PSW)

the contents of the triple <M, P, R>– used for other definitions and proof later

• Instruction (i)a function from one set of states (C) to

another. i: C C

e.g. i(S1) = S2

i(E1, M1, P1, R1) = (E2, M2, P2, R2)

15


• Trap 1. Definition 2. Particular kind of trap

16

• Trap 1. Definition


An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]

17

• Trap 1. Definition


An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]

1. Save the current state

2. Pass control of a pre-specified routine by changing PSW

18


• Trap 2. Particular kind of trap: memory trap– caused by accessing an address which is over the

bounds in relocation-bounds register R(l, b) or physical memory

– micro-sequence:

where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound

if a + l ≥ q then trap;if a ≥ b then trap

19

Formal Definitions


20

Instruction Behavior

• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction

• innocuous instructions

21




22

Privileged Instruction• Definition

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

23

• Definition

• independent of the virtualization process

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

Privileged Instruction

privileged instruction trap

the only difference

24




25

Sensitive Instruction• Control sensitive

– control sensitive instructions: affect or potentially affect the control of VMM over recourses

– no isolated condition codes or other complications by which instructions can interact

An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.

26

Sensitive Instruction• Behavior sensitive…

27

Sensitive Instruction• Behavior sensitive… • First introduce new notations…– operator :⊕ r’ = r x = (l+x, b), which means the ⊕ relocation register has had its base value shifted by the value of x– E | R: which means the contents of the part of the memory which can be effected by the instruction– E | r = E’ | r x: for 0≤i≤b, E[l + i] = E’[l + x + i]⊕

28

Sensitive Instruction• Behavior sensitive (finally!)

– the effect of the executions depends on the value of the relocation-bounds register.

An instruction i is behavior sensitive if there exists an integer x and states:(a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >,where(c) i(S1) = <e1 | r, m1, p1, r>,(d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap,such that either(a) e1 | r ≠ e2 | r x⊕ , or(b) p1≠ p2, or both.

29




30

Innocuous Instructions

• The instructions which are neither privileged instruction nor sensitive instructions.

31

Formal Definitions


32

Virtual Machine Monitor

• VMM a particular piece of software, called a control program, that exhibits certain

properties

33


• Control program modules CP = <D, A, {vi}>

Control Program (CP)

Dispatcher (D)

Allocator (A) Interpreters

34




Dispatcher (D)


• top level module• decide which module

to call

35




Dispatcher (D)


• invoked by dispatcherwhen an attempted execution is to change the resources

36




Dispatcher (D)


• one interpreter routine per privileged instruction

• to simulate the effect of trapped instruction

37




Dispatcher (D)


• one interpreter routine per privileged instruction

• to simulate the effect of trapped instructions

• vi: set of interpretive routines

38


• VMM propertiesRecall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on

the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

39


• VMM propertiesRecall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on

the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Now more formally...

40


• VMM properties (formally) 1) Equivalence:

Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.

41


• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)

– “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

42


• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)

– “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

Virtual Machine Map (VM MAP)

43


• Virtual machine Map (VM Map)f: Cr Cv is a one-one homomorphism w.r.t all the operators ei in the instruction

sequence set I.

where Cr is the set of

possible states of the real machine without a VMM, and Cv is the set with

VMM.

The virtual machine map

44


• VMM properties (formally) 2) Efficiency:

All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.

45


• VMM properties (formally) 3) Resource control:

It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.

46

Outline

• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Conclusion

47

Visualization Theorem

• THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

48



which implies all assumptions for: • relocation mechanisms, supervisor/user mode, and trap

mechanisms• the instruction set is of general purpose to support

dispatcher, allocator, and table lookup procedure

49



which 1) means:to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM

50



which 2) guarantees:the resource control property, and equivalence property

51



which 3) provides:a simple technique for implementing a VMM, called trap-and-emulate virtualization

52


• THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

53


• THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

• Exceptions:1) programs with resource bound

–The theorem limits the number of nested VMMs of the recursion.

2) programs that have time dependencies

54


• THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.

55



user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is

control sensitive or behavior

sensitive.

56



user control sensitive: the definition given earlier for

control sensitivity holds, with ml in that definition set to user.

user behavior sensitive: the definition for locationsensitivity

holds with the mode of states S1 and S2 equal to user.

57

Outline


58

Contribution

• A formal model of a 3rd generation computer system

• Necessary and sufficient conditions to determine whether a particular 3rd generation machine can support a VMM

59

Reference

• Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.

formal requirements for virtualizable third generation architectures grad operating system...

Documents