Presentation is loading. Please wait.

Presentation is loading. Please wait.

Language Support for Fast and Reliable Message-based Communication in Singularity Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt,

Published byNyla Maxcy Modified over 9 years ago

Similar presentations

Presentation on theme: "Language Support for Fast and Reliable Message-based Communication in Singularity Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt,"— Presentation transcript:

1 Language Support for Fast and Reliable Message-based Communication in Singularity Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, James R. Larus, and Steven Levi Microsoft Research EUROSYS 2006

2 Manuel FähndrichMicrosoft Research2 Singularity Research goal –Leverage state of the art to build more reliable software High-level languages, memory and type safety Advanced type systems, formal verification Optimizing compilers and typed assembly language –Don’t sacrifice performance, unless safety requires it The Singularity OS –Micro-kernel architecture separate processes for services (drivers) processes and kernel communicate solely via channels no shared memory –Ideal research platform –Written in Sing# (a C# extension) This talk: –Programming language support for Singularity’s process isolation

3 Manuel FähndrichMicrosoft Research3 VolMgr Process Isolation Isolation guarantee stems from static memory safety –No hardware protection –All code runs in ring0 on x86 processor –Each process has own heap + garbage collector Channels are sole form of communication –point-to-point –serve as APIs (default Kernel API is minimal) Kernel DiskDevFS NS App

4 Manuel FähndrichMicrosoft Research4 Challenges Pervasive message passing –Difficult programming model What’s the protocol? Are we sending the right message at the right time? Are we handling all messages? –Perceived as expensive Copying of message content between processes limits performance –Situation worse in Singularity due to fine grained isolation Queue, memory management Cost of using a high-level language and GC –Another talk

5 Manuel FähndrichMicrosoft Research5 Sing#: Easy message passing Know thy protocol –Explicit channel contracts describe messages message arguments valid message sequences (finite state machine) –Enables compile-time checking exhaustiveness of selects sends in correct state finite buffering requirement Pass ownership of message data, not a copy … but prove its correctness Direct support for channels in programming language

6 Manuel FähndrichMicrosoft Research6 Outline Motivation Channels Data ownership Implementation Performance Conclusion

7 Manuel FähndrichMicrosoft Research7 Channels Consist of two endpoints (point-to-point) Each endpoint owned by at most one thread at any time Communication is asynchronous, delivery in order –Sends never block (nor fail) –Receives can block (or indicate channel closure) Endpoints can be passed as messages –Network configuration evolves dynamically Governed by channel contract –Messages –Message arguments –Valid message sequences

8 Manuel FähndrichMicrosoft Research8 Channel model in pictures Kernel Name Server I III II create channel Kernel IV spawn

9 Manuel FähndrichMicrosoft Research9 P1 Kernel creates a process I IIIIV II Kernel Name Server Kernel Name Server Kernel Name Server send a over b a b Kernel Name Server spawn

10 Manuel FähndrichMicrosoft Research10 Channel contracts contract NIC { // Network device interface in message NICParameters(…); in message Buffer(char[] in ExHeap buf); in message Reconfigure(); in message Exit(); out message BufferAck(int count); out message Configured(); out message BadParameters(); state START: one { NICParameters?  CONFIGURING; } state CONFIGURING: one { Configured!  READY; BadParameters!  START; } state READY: one { Buffer?  BufferAck!  READY; Reconfigure?  START; Exit?  DONE; } state DONE: ; } START CONFREADY DONE RDY$0 NICParameters? BadParameters! ReConfigure? Configured! Exit? BufferAck! Buffer?

11 Manuel FähndrichMicrosoft Research11 Channel operations Endpoint types NIC.Imp (importing side) NIC.Exp (exporting side) Channel creation NIC.NewChannel( out Nic.Imp imp, out Nic.Exp exp); Sends are methods on endpoints Receive patterns block until a case is satisfied NIC.Exp:READY client; ServiceProvider.Exp:START provider; … switch receive { case client.Buffer(buf): queue.Add(buf); client.SendBufferAck(queue.Size); break; case client.Reconfigure(): … case client.ChannelClosed() && provider.ChannelClosed(): … break; … }

12 Manuel FähndrichMicrosoft Research12 B Ownership transfer Only exchangeable data can be sent Ownership invariant –Exchangeable data is owned by exactly one thread at any time. Transfer by pointer, not copy (but semantically equiv.) –Proof obligations No use after ownership transfer (e.g. free or send) No leaks (missing free/send) –Like manual memory management –Compiler checks invariant statically A A B

13 Manuel FähndrichMicrosoft Research13 Tracked Data Challenge: statically prove correct memory management Segregate tracked and non-tracked data Tracked types –ExHeap pointers: S* in ExHeap –ExHeap vectors: char[] in ExHeap –rep structs S: do not contain GC pointers Strongly typed at MSIL level –allows runtime bounds checking for vectors

14 Manuel FähndrichMicrosoft Research14 Ownership Tracking Method parameters –either borrowed for the call duration void FillBuffer(byte[] in ExHeap b); –or claimed void SendBuffer([Claims] byte[] in ExHeap b); void Free([Claims] void* in ExHeap b); Method result –ownership always passes to caller Complications –Data structures and vectors –Nested pointers owned by containing structure –Restricted to tree structures to make tractable

15 Manuel FähndrichMicrosoft Research15 Where are the efficiency gains? Channel endpoint invariants –Single owner: no locking on send/receives Channel contract invariants –Finite queue size: no allocation on send or receive –Endpoint passing: no complicated locking/races Data ownership invariants –No copying of data: pass by pointers Programmer productivity –Simple message passing model and contract enforcement

16 Manuel FähndrichMicrosoft Research16 Channel Implementation Pre-allocate space to hold message arguments in endpoints Channel= cross-linked structure in memory Send= write into peer + signal event Receive= check tag + read arguments CStates state; C.Exp* peer; M mbuffer0; M mbuffer1; N nbuffer0; CTags tag0; CTags tag1; … C.Imp CStates state; C.Imp* peer; … C.Exp

17 Manuel FähndrichMicrosoft Research17 Message size benchmark

18 Manuel FähndrichMicrosoft Research18 Summary and Future Work Singularity uses message passing pervasively –So far, channels have not been our performance bottle neck –Programmers have stopped complaining Channel contracts help specify interfaces > 43 distinct channel contracts with 135 distinct states > 500 distinct messages 146 messages transferring pointers 42 messages transferring endpoints Static verification of ownership invariant successful –Dangling pointer accesses, double frees or leaks not been a problem. Future work –Ownership and protocol verification on exception paths –Programmer defined asynchronous abstractions –Pre-condition, post-conditions and invariant verification

19 Manuel FähndrichMicrosoft Research19 Questions?

20 Manuel FähndrichMicrosoft Research20 Backups

21 Manuel FähndrichMicrosoft Research21 Transfer of ownership Transfer by pointer, not copy (but semantically equiv.) Proof obligations –No use after ownership transfer (e.g. free or send) –No leaks (missing free/send) Like manual memory management Process Heaps (GC) Exchange Heap (manual)

22 Manuel FähndrichMicrosoft Research22 Transfer of ownership Transfer by pointer, not copy (but semantically equiv.) Proof obligations –No use after ownership transfer (e.g. free or send) –No leaks (missing free/send) Like manual memory management Process Heaps (GC) Exchange Heap (manual)

23 Manuel FähndrichMicrosoft Research23 Endpoint Abstractions ESet and EMap Sets of endpoints in the same state Can add endpoint to sets void ESet.Add([Claims] E ep); Can wait for messages on any endpoint in a set ESet eset; switch receive { case ep.M(x) in eset: … // ep and x bound

24 Manuel FähndrichMicrosoft Research24 P1 2 processes connect I IIIIV II Kernel Name Server P2 P1 Kernel Name Server P2 P1 Kernel Name Server P2 P1 Kernel Name Server P2

Download ppt "Language Support for Fast and Reliable Message-based Communication in Singularity Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt,"

Similar presentations

1 Symbian Client Server Architecture. 2 Client, who (a software module) needs service from service provider (another software module) Server, who provide.

1 Symbian Client Server Architecture. 2 Client, who (a software module) needs service from service provider (another software module) Server, who provide.
Operating Systems Components of OS

Operating Systems Components of OS
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.

MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
MPI Message Passing Interface

MPI Message Passing Interface
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Remote Procedure CallCS-4513, D-Term 20071 Remote Procedure Call CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

Remote Procedure CallCS-4513, D-Term Remote Procedure Call CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
G22.3250-001 Robert Grimm New York University Extensibility: SPIN and exokernels.

G Robert Grimm New York University Extensibility: SPIN and exokernels.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.

3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.

Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.
3.5 Interprocess Communication

3.5 Interprocess Communication
Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.

Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
1/28/2004CSCI 315 Operating Systems Design1 Operating System Structures & Processes Notice: The slides for this lecture have been largely based on those.

1/28/2004CSCI 315 Operating Systems Design1 Operating System Structures & Processes Notice: The slides for this lecture have been largely based on those.

Similar presentations

Ads by Google