
1 Formal Requirements for Virtualizable Third Generation Architecture
Gerald J. Popek and Robert P. Goldberg
Popek & Goldberg’s notation
Haipeng Cai and Siyuan Jiang

2 Conventional third generation computer
Virtual machine monitor (VMM)

3 Conventional Third Generation Computer

4 Processor Mode M
s: supervisor mode
u: user mode

5 No I/O instructions

6 Memory as Executable storage E
Linear
Uniformly addressable
[Diagram: storage E with addresses 0 to q-1; location i holds E[i]]

7 Relocation-bounds Register R
R=(l, b)
An index to E
[Diagram: storage E with addresses 0 to q-1; R marks the region from l to l+b]

8 R=(l, b), address a is reached like:
a > b-1: Memorytrap (Discuss later)
a+l > q-1: Memorytrap (Discuss later)
[Diagram: storage E with addresses 0 to q-1 and the region from l to l+b]

9 Relocation-bounds Register R works in both processor modes:
supervisor mode
user mode

10 Program Counter P
Address of next instruction
Relative to R
[Diagram: storage E with addresses 0 to q-1 and the region from l to l+b; P=p refers to location l+p]

11 State S=
The current state of the real computer system
E: executable storage
M: processor mode
P: program counter
R: relocation-register
PSW: Program status word

12 PSW=
[Diagram: storage E with addresses 0 to q-1 and the region from l to l+b; labels: 1, Old-PSW, Next-PSW]

13 State S=
Notation: C is the finite set of states

14 Instruction i is a function f: C -> C
[Diagram: i maps C to C]

15 Trap (an action of instruction)
[Diagram: a trap takes state S1 (storage E1, region l1 to l1+b1) to state S2 (storage E2, region l' to l'+b')]

16 MemoryTrap
A trap that is caused by an attempt to access an address which is beyond the bounds
[Diagram: storage E with addresses 0 to q-1 and the region from l to l+b; address a>b-1 (memorytrap), a>q-1 (memorytrap)]

17 Privileged instruction i
For any PSW= that i does not memorytrap,
if M=u, i traps
else if M=s, i does not trap

18 Sensitive instruction i
Control sensitive
Behavior sensitive

19 Control sensitive instruction i
There exists a state S1=, note i(S1)= such that i(S1) does not memorytrap AND (r1≠r2 OR m1≠m2) is true
In other words, i is control sensitive if i intends to change one or both of
R: the available memory resources
M: the processor mode

20 Operator ⊕ (for Behavior sensitive instruction)
[Diagram: r marks the region from l to l+b of E; r⊕x marks the region from l+x to l+x+b]

21 Behavior sensitive instruction i
i is behavior sensitive if there exists integer x and S1, S2 where
S1 has m1, r1, p1 and
S2 has m2(≠m1), r2=r1⊕x, p2=p1
such that i(S1) and i(S2) differ in one or both of
the values of available memory
the program counter

22 Behavior sensitive instruction
is location sensitive, if the difference is caused by R
is mode sensitive, if the difference is caused by M
[Diagram: Behavior Sensitive splits into Location Sensitive (Relocation-bounds Register) and Mode Sensitive (Processor Mode)]

23 Conventional third generation computer: Wrap Up
S= Executable storage, PSW, Processor Mode, Program counter, Relocation-bounds Register
Instruction
Trap
Memorytrap
Privileged instruction
Sensitive instruction: Control Sensitive, Behavior Sensitive

24 Virtual Machine Monitor (VMM)

25 Control Program (CP)
VMM is a kind of CP

26 Control Program
Assume:
Control Program runs in s mode
Other programs run in u mode
(In later discussion, ”program” represents the other programs)

27 Control Program
CP= Dispatcher D, Allocator A, Interpreters {v_i}

28 Dispatcher D
D decides which module to call.
E[1] has P set to D
[Diagram: storage E with addresses 0 to q-1 and the region from l to l+b; location 1 labelled: PSW next = D, R>]

29 Allocator A
A decides what resource(s) are to be provided.

30 Interpreters {v_i}
One interpreter routine v_i for one privileged instruction i

31 Control Program
Assume Control Program runs in s mode, which means:
(1) E[1] (PSW next) has mode set to s
(2) E[1] has P set to the first location of the dispatcher

32 Virtual Machine Monitor
A CP with three properties:
Efficiency property
Resource control property
Equivalence property

33 Efficiency property:
All innocuous instructions are executed by hardware directly (with no intervention on the part of the control program)

34 Resource control property:
Programs cannot affect the system resources.
(Whenever there is an attempt to affect system resources, A is to be invoked.)

35 Equivalence property:
With two exceptions (listed in the next slide), any program k performs in a manner indistinguishable from the case where:
(1) CP does not exist
(2) k has freedom of access to privileged instructions

36 Exceptions for equivalence property:
(1) The length of time required for execution changes when a program runs with a CP present
(2) A may not satisfy a particular request for space, and then k will not execute in the same manner

37 Virtual Machine
The environment which any program sees when running with a VMM present

38 Virtual machine monitor: Wrap up
Control Program (CP): Dispatcher, Allocator, Interpreters {v_i}
Virtual machine monitor properties: Efficiency, Resource control, Equivalence

39 Formal Requirements for Conventional Third Generation Computer to be Virtualizable

40 Theorem 1
For any conventional third generation computer, a VMM can be constructed, if the set of sensitive instructions (for that computer) is a subset of the set of privileged instructions
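
The definitions of slides 17 to 22 and the condition of Theorem 1 can be checked mechanically on a small machine. The following Python sketch is an added example, not part of the slides or the paper: the three toy instructions, the 4-word storage and the `TRAP` sentinel are assumptions, and location sensitivity and memorytraps are left out to keep it short.

```python
from itertools import product

TRAP = "trap"   # sentinel outcome; the trap sequence itself is not modelled (assumption)
Q = 4           # constructed toy machine: 4 words of storage, each 0 or 1

def window(E, R):                 # the storage a program reaches through R = (l, b)
    l, b = R
    return E[l:l + b]

# Hypothetical instructions: each maps a state (E, M, P, R) to a state or TRAP.
def nop(S):                       # innocuous: only advances P
    E, M, P, R = S
    return (E, M, P + 1, R)

def load_r(S):                    # sets R to all of storage; traps in user mode
    E, M, P, R = S
    return TRAP if M == "u" else (E, M, P + 1, (0, Q))

def read_mode(S):                 # stores the mode bit at relative address 0, never traps
    E, M, P, R = S
    l, _ = R
    return (E[:l] + (1 if M == "s" else 0,) + E[l + 1:], M, P + 1, R)

def states():                     # the finite state set C of the toy machine
    for E in product((0, 1), repeat=Q):
        for M in "su":
            for R in ((0, Q), (0, 2), (2, 2)):
                yield (E, M, 0, R)

def privileged(i):                # traps in every u state and in no s state
    return all((i(S) == TRAP) == (S[1] == "u") for S in states())

def control_sensitive(i):         # some non-trapping execution changes R or M
    return any(o != TRAP and (o[3] != S[3] or o[1] != S[1])
               for S in states() for o in [i(S)])

def mode_sensitive(i):            # same E, P, R but different M gives a different result
    for E, _, P, R in states():
        a, b = i((E, "s", P, R)), i((E, "u", P, R))
        if TRAP not in (a, b) and (window(a[0], R), a[2]) != (window(b[0], R), b[2]):
            return True
    return False

def virtualizable(isa):           # Theorem 1: every sensitive instruction is privileged
    return all(privileged(i) for i in isa
               if control_sensitive(i) or mode_sensitive(i))
```

`read_mode` is the interesting case: it is mode sensitive but never traps, so a control program gets no chance to intercept it and the condition of Theorem 1 fails for any instruction set that contains it.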

41 Construct a VMM (in conventional 3rd generation computer)
VM Map
Define “Equivalence property”
VM Map that satisfies three VMM properties

42 VM Map
VM Map is a function f: C_r -> C_v which is a one-one homomorphism, that is, for any S_i, e_i, there exists an e’_i such that f(e_i(S_i)) = e’_i(f(S_i))
[Diagram: f maps C_r (states without VMM) to C_v (states with VMM); labels: S_i, S_j, S’_i, S’_j, e_i, e’_i]

43 VM Map
VM Map only maps states:
after the completion of one instruction in the real machine
before the beginning of the next instruction

44 Equivalence (Formal)
Assume a real machine runs from S1, VM runs from f(S1).
The VM is equivalent to the real machine, if and only if, for any S1, if the real machine halts in S2, then the VM halts in f(S2).

45 Standard VM Map (detail in next slide)
[Diagram: S_r with storage E (addresses 0 to w-1, region l to l+b) is mapped to S_v with storage E’ (addresses 0 to w+k-1, region l+k to l+k+b); labels: k, CP, 2, same, set by trap handler]

46 Standard VM Map
S_r -> S_v where R=(l, b), |E|=w, |CP|=k-2
E’[i+k] -> E[i], for i=0, w-1
E’[i] -> CP, for i=2 to k-1
E’[1] -> where m’=s, p’=1st location of CP, r’=(0, q-1)
E’[0] -> as last set by trap handler
M’ -> u, P’ -> P, R’ -> (l+k, b)

47 Standard VM Map
It can satisfy the three properties if the sensitive instructions are all privileged instructions in the third generation computer
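
The standard VM map of slides 45 to 47, together with the homomorphism condition of slide 42, as an added Python sketch (not from the slides or the paper). The `store` instruction, the tuple encoding of states and the choice of a host storage of exactly w + k words are assumptions made for the example; the bounds checks are the ones on slide 8.

```python
MEMTRAP = "memorytrap"

def store(S, a, v):
    """Hypothetical innocuous instruction: write v at relative address a, advance P."""
    E, M, P, (l, b) = S
    q = len(E)
    if a > b - 1 or a + l > q - 1:       # bounds checks from slide 8
        return MEMTRAP
    return (E[:a + l] + (v,) + E[a + l + 1:], M, P + 1, (l, b))

def vm_map(S, cp, old_psw):
    """Standard VM map f: S_r -> S_v; cp is the control program image, |cp| = k-2."""
    E, M, P, (l, b) = S
    k = len(cp) + 2
    q = len(E) + k                       # assumption: host storage is exactly w + k words
    next_psw = ("s", 2, (0, q - 1))      # m'=s, p'=first location of CP, r'=(0, q-1)
    E_v = (old_psw, next_psw) + tuple(cp) + E   # E'[0], E'[1], CP, then E'[i+k] = E[i]
    return (E_v, "u", P, (l + k, b))     # M' = u, P' = P, R' = (l+k, b)

def commutes(S, cp, old_psw, a, v):
    """Check f(e(S)) == e'(f(S)) for store, where e' is the same instruction run directly."""
    real = store(S, a, v)
    virt = store(vm_map(S, cp, old_psw), a, v)
    if MEMTRAP in (real, virt):
        return real == virt              # both sides must memorytrap together
    return vm_map(real, cp, old_psw) == virt

def cp_untouched(S, cp, old_psw, a, v):
    """A store issued inside the VM never modifies the first k words (PSWs and CP)."""
    before = vm_map(S, cp, old_psw)
    after = store(before, a, v)
    k = len(cp) + 2
    return after == MEMTRAP or after[0][:k] == before[0][:k]

if __name__ == "__main__":
    # Constructed sample state: w = 6 words, user mode, P = 0, R = (2, 3).
    S = ((0,) * 6, "u", 0, (2, 3))
    cp = ("D", "A", "v")                 # placeholder words standing for the CP image
    old = ("u", 0, (0, 0))               # stands for "as last set by trap handler"
    print(commutes(S, cp, old, 1, 7), cp_untouched(S, cp, old, 1, 7))
```

Because R’ = (l+k, b) shifts the window past the control program, the relocated store lands on the same guest word and cannot reach E’[0] to E’[k-1], which is the resource control property in miniature.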

48 Overall Wrap up
Conventional third generation computer
Virtual machine monitor (control program)
The condition under which VMM can be built in the conventional third generation computer

49 Related results: Recursive virtualization
Can a VM run a copy of the VMM?
Theorem 2: A conventional third generation computer is recursively virtualizable if it is:
(a) virtualizable, and
(b) a VMM without any timing dependencies can be constructed for it

50 Relax VMM definition: Hybrid VMM
Relax VMM definition so that more third generation computers can be virtualizable
Theorem 3: A hybrid VMM may be constructed for any conventional third generation computer where user sensitive instructions are privileged.
Note 1: in Theorem 1, it is all ”sensitive instructions”
Note 2: user sensitive instructions are defined in next slide

51 User Sensitive Instructions
Def. i is said to be user sensitive, if there exists a state S=, for which i is sensitive
In other words, i is user sensitive if i is sensitive under user mode

52 Reference
[1] G. Popek, R. Goldberg, “Formal requirements for virtualizable third generation architectures”, Commun. ACM, vol. 17, pp ,

