Formal Requirements for Virtualizable Third Generation Architectures

Formal Requirements for Virtualizable Third Generation Architectures

Grad Operating System Mini-ProjectAuthors: Gerald J. Popek, and Robert P. Goldberg

Presented by: Yiji Zhang

2

Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution

3


4

Basic VM Concepts• Virtual Machine (VM)– efficient, isolated duplicate of the real machine– the environment created by the virtual machine monitor

VMM

VM

Hardware

The virtual machine monitor

5

Basic VM Concepts• Virtual machine monitor (VMM)– a piece of software– three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

6


7

Formal Definitions• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor

8

Model of 3rd Generation Machine• Overview simplified conventional 3rd generation machine– with a processor– with linear, uniformly addressable memory– without I/O instructions– without interrupts

• Machine behaviorThe machine can exist in any one of a finite

number of states S, where S = <E, M, P, R>.

9

Model of 3rd Generation Machine• Behavior of the computer: state (S)

S=<E, M, P, R>

E: executable storage

M: processor mode P: program count

R: relocation-bounds register

10

Model of 3rd Generation Machine• Behavior of the computer: state-space (S)

S=<E, M, P, R>



E: executable storage• word or byte addressed memory;• E[i]: contents of the ith unit of

storage in E

11


S=<E, M, P, R>


M: processor mode2 types• supervisor (s)• user (u)

P: program count


12


S=<E, M, P, R>


M: processor modeP: program count• address relative to register;• index


13


S=<E, M, P, R>



R: relocation-bounds register R = (l, b)• relocation part l: absolute address• bound part b: absolute size of virtual

memory

14

Model of 3rd Generation Machine• Program status word (PSW)

the contents of the triple <M, P, R>– used for other definitions and proof later

• Instruction (i)a function from one set of states (C) to

another. i: C Ce.g. i(S1) = S2

i(E1, M1, P1, R1) = (E2, M2, P2, R2)

15

Model of 3rd Generation Machine• Trap 1. Definition 2. Particular kind of trap

16

• Trap 1. Definition

Model of 3rd Generation Machine

An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]

17

• Trap 1. Definition

Model of 3rd Generation Machine

An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]1. Save the

current state

2. Pass control of a pre-specified routine by changing PSW

18

Model of 3rd Generation Machine• Trap 2. Particular kind of trap: memory trap– caused by accessing an address which is over the

bounds in relocation-bounds register R(l, b) or physical memory

– micro-sequence:

where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound

if a + l ≥ q then trap;if a ≥ b then trap

19


20

Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction

• innocuous instructions

21



22

Privileged Instruction• Definition

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

23

• Definition

• independent of the virtualization process

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

Privileged Instruction

privileged instruction trap

the only difference

24



25

Sensitive Instruction• Control sensitive

– control sensitive instructions: affect or potentially affect the control of VMM over recourses

– no isolated condition codes or other complications by which instructions can interact

An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.

26

Sensitive Instruction• Behavior sensitive…

27

Sensitive Instruction• Behavior sensitive… • First introduce new notations…– operator :⊕ r’ = r x = (l+x, b), which means the ⊕ relocation register has had its base value shifted by the value of x– E | R: which means the contents of the part of the memory which can be effected by the instruction– E | r = E’ | r x: for 0≤i≤b, E[l + i] = E’[l + x + i]⊕

28

Sensitive Instruction• Behavior sensitive (finally!)

– the effect of the executions depends on the value of the relocation-bounds register.

An instruction i is behavior sensitive if there exists an integer x and states:(a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >,where(c) i(S1) = <e1 | r, m1, p1, r>,(d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap,such that either(a) e1 | r ≠ e2 | r x⊕ , or(b) p1≠ p2, or both.

29



30

Innocuous Instructions• The instructions which are neither privileged

instruction nor sensitive instructions.

31


32

Virtual Machine Monitor• VMM

a particular piece of software, called a control program, that exhibits certain

properties

33

Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>

Control Program (CP)

Dispatcher (D)

Allocator (A) Interpreters

34



Dispatcher (D)


• top level module• decide which module

to call

35



Dispatcher (D)


• invoked by dispatcherwhen an attempted execution is to change the resources

36



Dispatcher (D)


• one interpreter routine per privileged instruction

• to simulate the effect of trapped instruction

37



Dispatcher (D)


• one interpreter routine per privileged instruction

• to simulate the effect of trapped instructions

• vi: set of interpretive routines

38

Virtual Machine Monitor• VMM properties

Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

39

Virtual Machine Monitor• VMM properties

Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Now more formally...

40

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence:

Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.

41

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real

machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

42

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real

machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

Virtual Machine Map (VM MAP)

43

Virtual Machine Monitor• Virtual machine Map (VM Map)

f: Cr Cv is a one-one homomorphism w.r.t all the operators ei in the instruction sequence set I.

where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with VMM.

The virtual machine map

44

Virtual Machine Monitor• VMM properties (formally) 2) Efficiency:

All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.

45

Virtual Machine Monitor• VMM properties (formally) 3) Resource control:

It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.

46

Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Conclusion

47

Visualization Theorem• THEOREM 1. For any conventional third

generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

48



which implies all assumptions for: • relocation mechanisms, supervisor/user mode, and trap

mechanisms• the instruction set is of general purpose to support

dispatcher, allocator, and table lookup procedure

49



which 1) means:to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM

50



which 2) guarantees:the resource control property, and equivalence property

51



which 3) provides:a simple technique for implementing a VMM, called trap-and-emulate virtualization

52

Visualization Theorem• THEOREM 2. A conventional third generation

computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

53

Visualization Theorem• THEOREM 2. A conventional third generation

computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

• Exceptions:1) programs with resource bound

–The theorem limits the number of nested VMMs of the recursion.

2) programs that have time dependencies

54

Visualization Theorem• THEOREM 3. A hybrid virtual machine monitor

may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.

55


may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is

control sensitive or behavior

sensitive.

56


may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user control sensitive: the definition given earlier for

control sensitivity holds, with ml in that definition set to user.

user behavior sensitive: the definition for locationsensitivity

holds with the mode of states S1 and S2 equal to user.

57


58

Contribution• A formal model of a 3rd generation computer

system • Necessary and sufficient conditions to

determine whether a particular 3rd generation machine can support a VMM

59

Reference• Gerald J. Popek and Robert P. Goldberg. 1974.

Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.

Documents

Formal Requirements for Virtualizable Third Generation Architectures