Outline Basic VM Concepts Formal Definitions Virtualization Theorems

Formal Requirements for Virtualizable Third Generation Architectures
Grad Operating System Mini-Project Authors: Gerald J. Popek, and Robert P. Goldberg Presented by: Yiji Zhang

Outline Basic VM Concepts Formal Definitions Virtualization Theorems
Contribution

Basic VM Concepts Virtual Machine (VM) efficient, isolated duplicate
of the real machine the environment created by the virtual machine monitor VMM Hardware VM The virtual machine monitor

Basic VM Concepts Virtual machine monitor (VMM) a piece of software
three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Contribution

Formal Definitions Three formal definitions
Model of 3rd generation machine Instruction behavior Virtual machine monitor

Model of 3rd Generation Machine
Overview simplified conventional 3rd generation machine with a processor with linear, uniformly addressable memory without I/O instructions without interrupts Machine behavior The machine can exist in any one of a finite number of states S, where S = <E, M, P, R>.

Behavior of the computer: state (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count

Behavior of the computer: state-space (S) E: executable storage word or byte addressed memory; E[i]: contents of the ith unit of storage in E R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count

Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode 2 types supervisor (s) user (u) P: program count

Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register S=<E, M, P, R> M: processor mode P: program count address relative to register; index

Behavior of the computer: state-space (S) E: executable storage R: relocation-bounds register R = (l, b) relocation part l: absolute address bound part b: absolute size of virtual memory S=<E, M, P, R> M: processor mode P: program count

Program status word (PSW) the contents of the triple <M, P, R> used for other definitions and proof later Instruction (i) a function from one set of states (C) to another. i: C  C e.g. i(S1) = S2 i(E1, M1, P1, R1) = (E2, M2, P2, R2)

Trap 1. Definition 2. Particular kind of trap

Trap 1. Definition An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]

Trap 1. Definition An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1] 1. Save the current state 2. Pass control of a pre-specified routine by changing PSW

Trap 2. Particular kind of trap: memory trap caused by accessing an address which is over the bounds in relocation-bounds register R(l, b) or physical memory micro-sequence: where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound if a + l ≥ q then trap; if a ≥ b then trap

Instruction Behavior privileged instruction sensitive instruction
control sensitive instruction behavior sensitive instruction innocuous instructions

Privileged Instruction
Definition Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

Privileged Instruction
Definition independent of the virtualization process the only difference Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not. privileged instruction trap

Sensitive Instruction
Control sensitive control sensitive instructions: affect or potentially affect the control of VMM over recourses no isolated condition codes or other complications by which instructions can interact An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.

Behavior sensitive…

Behavior sensitive… First introduce new notations… operator ⊕: r’ = r ⊕ x = (l+x, b), which means the relocation register has had its base value shifted by the value of x E | R: which means the contents of the part of the memory which can be effected by the instruction E | r = E’ | r ⊕ x: for 0≤i≤b, E[l + i] = E’[l + x + i]

Behavior sensitive (finally!) the effect of the executions depends on the value of the relocation-bounds register. An instruction i is behavior sensitive if there exists an integer x and states: (a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >, where (c) i(S1) = <e1 | r, m1, p1, r>, (d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap, such that either (a) e1 | r ≠ e2 | r ⊕ x, or (b) p1≠ p2, or both.

Innocuous Instructions
The instructions which are neither privileged instruction nor sensitive instructions.

Virtual Machine Monitor
VMM a particular piece of software, called a control program, that exhibits certain properties

Control program modules CP = <D, A, {vi}> Control Program (CP) Dispatcher (D) Allocator (A) Interpreters

Control program modules CP = <D, A, {vi}> Control Program (CP) top level module decide which module to call Dispatcher (D) Allocator (A) Interpreters

Control program modules CP = <D, A, {vi}> Control Program (CP) invoked by dispatcher when an attempted execution is to change the resources Dispatcher (D) Allocator (A) Interpreters

Control program modules CP = <D, A, {vi}> Control Program (CP) one interpreter routine per privileged instruction to simulate the effect of trapped instruction Dispatcher (D) Allocator (A) Interpreters

Control program modules CP = <D, A, {vi}> Control Program (CP) one interpreter routine per privileged instruction to simulate the effect of trapped instructions Dispatcher (D) Allocator (A) Interpreters vi: set of interpretive routines

VMM properties Recall Basic VM Concept… three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

VMM properties Recall Basic VM Concept… three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources Now more formally...

VMM properties (formally) 1) Equivalence: Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.

VMM properties (formally) 1) Equivalence (even more formally) Two machines : S1 and S1' = f(S1) “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

VMM properties (formally) 1) Equivalence (even more formally) Two machines : S1 and S1' = f(S1) “equivalent” iff: for any state S1, if the real machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2) Virtual Machine Map (VM MAP)

Virtual machine Map (VM Map) f: Cr  Cv is a one-one homomorphism w.r.t all the operators ei in the instruction sequence set I. where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with VMM. The virtual machine map

VMM properties (formally) 2) Efficiency: All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.

VMM properties (formally) 3) Resource control: It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.

Conclusion

Visualization Theorem
THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which implies all assumptions for: relocation mechanisms, supervisor/user mode, and trap mechanisms the instruction set is of general purpose to support dispatcher, allocator, and table lookup procedure

THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 1) means: to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM

THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 2) guarantees: the resource control property, and equivalence property

THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. which 3) provides: a simple technique for implementing a VMM, called trap-and-emulate virtualization

THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it. Exceptions: 1) programs with resource bound The theorem limits the number of nested VMMs of the recursion. 2) programs that have time dependencies

THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.

THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions. user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is control sensitive or behavior sensitive.

THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions. user control sensitive: the definition given earlier for control sensitivity holds, with ml in that definition set to user. user behavior sensitive: the definition for location sensitivity holds with the mode of states S1 and S2 equal to user.

Contribution

Contribution A formal model of a 3rd generation computer system
Necessary and sufficient conditions to determine whether a particular 3rd generation machine can support a VMM

Reference Gerald J. Popek and Robert P. Goldberg Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974),

Outline Basic VM Concepts Formal Definitions Virtualization Theorems

Similar presentations

Presentation on theme: "Outline Basic VM Concepts Formal Definitions Virtualization Theorems"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Outline Basic VM Concepts Formal Definitions Virtualization Theorems

Similar presentations

Presentation on theme: "Outline Basic VM Concepts Formal Definitions Virtualization Theorems"— Presentation transcript:

Similar presentations

About project

Feedback