# Popek & Goldberg’s notation

## Presentation on theme: "Popek & Goldberg’s notation"— Presentation transcript:

Popek & Goldberg’s notation
Haipeng Cai and Siyuan Jiang

- Conventional third generation computer
- Virtual machine monitor (VMM)

Conventional Third Generation Computer

Processor Mode M
- s: supervisor mode
- u: user mode

No I/O instructions

Memory as executable storage E
- Linear
- Uniformly addressable

[Figure: E drawn as a linear array with last location q-1; E[i] is the content of location i]

Relocation-bounds register R
- R = (l, b)
- An index to E

[Figure: E with the region from l to l+b marked; last location q-1]

With R = (l, b), address a is reached as follows:
- a < b: location l+a in E is accessed
- a > b-1: memorytrap (discussed later)
- a+l > q-1: memorytrap (discussed later)

Relocation-bounds register R works in both processor modes:
- supervisor mode
- user mode

Program counter P
- Address of the next instruction
- Relative to R

[Figure: with P = p, the next instruction is at l+p in E, inside the region from l to l+b]

State S = <E, M, P, R>: the current state of the real computer system
- E: executable storage
- M: processor mode
- P: program counter
- R: relocation register
- PSW: program status word

PSW = <M, P, R>

[Figure: the old PSW and the next PSW shown in E, with locations 1, l, l+b and q-1 marked]

State S = <E, M, P, R>

Notation: C is the finite set of states

Instruction

i is a function f: C → C

[Figure: i drawn as an arrow from C to C]

Trap (an action of an instruction)

A trap takes S1 = <E1, M1, P1, R1> to S2 = <E2, M’, P’, R’>.

[Figure: E1 with the region from l1 to l1+b1 and E2 with the region from l' to l'+b'; <M1, P1, R1> and <M’, P’, R’> shown in storage, with locations 1 and q-1 marked]

Memorytrap

A trap that is caused by an attempt to access an address which is beyond the bounds:
- a > b-1 (memorytrap)
- a > q-1 (memorytrap)

[Figure: E with the region from l to l+b and last location q-1]

Privileged instruction i

For any PSW = <e, p, r> for which i does not memorytrap:
- if M = u, i traps
- else if M = s, i does not trap

Sensitive instruction i
- Control sensitive
- Behavior sensitive

Control sensitive instruction i

There exists a state S1 = <e1, m1, p1, r1>, with i(S1) = <e2, m2, p2, r2>, such that i(S1) does not memorytrap AND (r1 ≠ r2 OR m1 ≠ m2) is true.

In other words, i is control sensitive if i intends to change one or both of:
- R: the available memory resources
- M: the processor mode

Operator ⊕ (for behavior sensitive instructions)

[Figure: r marks the region from l to l+b in E; r ⊕ x marks the region from l+x to l+x+b; last location q-1]

Behavior sensitive instruction i

i is behavior sensitive if there exist an integer x and states S1, S2, where S1 has m1, r1, p1 and S2 has m2 (≠ m1), r2 = r1 ⊕ x, p2 = p1, such that i(S1) and i(S2) differ in one or both of:
- the values of available memory
- the program counter

A behavior sensitive instruction i is:
- location sensitive, if the difference is caused by R
- mode sensitive, if the difference is caused by M

[Figure: behavior sensitive splits into location sensitive (relocation-bounds register) and mode sensitive (processor mode)]

Wrap up: conventional third generation computer
- S = <E, M, P, R>: executable storage and the PSW (processor mode, program counter, relocation-bounds register)
- Instruction
- Trap: memorytrap
- Privileged instruction
- Sensitive instruction: control sensitive, behavior sensitive

Virtual Machine Monitor (VMM)

Control Program (CP)

VMM is a kind of CP

Control Program

Assume:
- the control program runs in s mode
- other programs run in u mode

(In the later discussion, "program" refers to the other programs.)

Control Program CP = <D, A, {vi}>
- Dispatcher D
- Allocator A
- Interpreters {vi}

Dispatcher D
- D decides which module to call.
- E[1] has P set to D: PSWnext = <M, P->D, R>

[Figure: E with location 1, the region from l to l+b, and q-1 marked]

Allocator A

A decides what resource(s) are to be provided.

Interpreters {vi}

One interpreter routine vi for each privileged instruction i

Control Program

Assume the control program runs in s mode, which means:
- E[1] (PSWnext) has mode set to s
- E[1] has P set to the first location of the dispatcher

A VMM is a CP with three properties:
- Efficiency property
- Resource control property
- Equivalence property

Efficiency property: All innocuous instructions are executed by hardware directly (with no intervention on the part of the control program).

Resource control property: Programs cannot affect the system resources. (Whenever an attempt is made to affect system resources, A is to be invoked.)

Equivalence property: With two exceptions (listed in the next slide), any program k performs in a manner indistinguishable from the case where:
- the CP does not exist
- k has freedom of access to privileged instructions

Exceptions for equivalence property:

(1) The length of time required for execution changes when a program runs with a CP present.

(2) A may not satisfy a particular request for space; then k will not execute in the same manner.

The environment which any program sees when running with a VMM present

Wrap up
- Control Program (CP): dispatcher, allocator, interpreters {vi}
- Virtual machine monitor properties: efficiency, resource control, equivalence

Formal Requirements for Conventional Third Generation Computer to be Virtualizable

Theorem 1

For any conventional third generation computer, a VMM can be constructed if the set of sensitive instructions (for that computer) is a subset of the set of privileged instructions.
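The Theorem 1 condition can be checked mechanically on a small machine. The following is an added example, not part of the original slides: it enumerates every state S = <E, M, P, R> of a constructed two-cell machine and classifies three hypothetical instructions (`nop`, `set_bounds`, `read_mode`) using the slide definitions. As assumptions, a privileged-instruction trap is collapsed to a sentinel value, memorytrap is not modelled (the instructions only touch relative address 0), and behavior sensitivity is checked only for the mode-sensitive case (x = 0).

```python
from itertools import product

TRAP = "trap"  # sentinel for a privileged-instruction trap (simplification)
Q = 2          # size of executable storage E in this constructed machine

# Every state S = <E, M, P, R> of the toy machine (48 states).
STATES = [(E, M, P, R)
          for E in product((0, 1), repeat=Q)
          for M in "su"
          for P in range(Q)
          for R in ((0, 1), (0, 2), (1, 1))]

def nop(s):                    # innocuous: only advances P
    E, M, P, R = s
    return (E, M, P + 1, R)

def set_bounds(s):             # changes R; traps in user mode
    E, M, P, R = s
    return TRAP if M == "u" else (E, M, P + 1, (0, Q))

def read_mode(s):              # stores the mode bit at relative address 0; never traps
    E, M, P, R = s
    l, _ = R
    return (E[:l] + (1 if M == "s" else 0,) + E[l + 1:], M, P + 1, R)

def is_privileged(i):
    # Traps in every user-mode state and in no supervisor-mode state.
    return all((i(s) == TRAP) == (s[1] == "u") for s in STATES)

def is_control_sensitive(i):
    # Some non-trapping execution changes R or M.
    return any(i(s) != TRAP and (i(s)[3] != s[3] or i(s)[1] != s[1])
               for s in STATES)

def visible(s):
    # What a program can observe: memory inside its bounds, and P.
    E, _, P, (l, b) = s
    return (E[l:l + b], P)

def is_mode_sensitive(i):
    # Two states differing only in M give different visible results.
    for E, _, P, R in STATES:
        a, b = i((E, "s", P, R)), i((E, "u", P, R))
        if TRAP not in (a, b) and visible(a) != visible(b):
            return True
    return False

def is_sensitive(i):
    return is_control_sensitive(i) or is_mode_sensitive(i)

def theorem1_holds(instruction_set):
    # Sensitive instructions must be a subset of privileged instructions.
    return all(is_privileged(i) for i in instruction_set if is_sensitive(i))
```

With `read_mode` in the instruction set the condition fails: the instruction is sensitive but executes in user mode without trapping, so the control program never gets the chance to interpret it.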

Construct a VMM (in a conventional third generation computer)
- VM map
- Define "equivalence property"
- VM map that satisfies the three VMM properties

VM Map

The VM map is a function f: Cr -> Cv which is a one-one homomorphism; that is, for any Si, ei, there exists an e’i such that f(ei(Si)) = e’i(f(Si)).
- Cr: states without VMM
- Cv: states with VMM

[Figure: commutative diagram; ei takes Si to Sj, e'i takes S’i to S’j, and f maps Si to S’i and Sj to S’j]

VM Map

The VM map only maps states:
- after the completion of one instruction in the real machine
- before the beginning of the next instruction

Equivalence (formal)

Assume a real machine runs from S1 and the VM runs from f(S1). The VM is equivalent to the real machine if and only if, for any S1, if the real machine halts in S2, then the VM halts in f(S2).

Standard VM Map (detail in next slide)

[Figure: the standard VM map takes Sr, with the region from l to l+b in E and last location w-1, to Sv, where E’ holds <m, p, r> (set by trap handler), <m’, p’, r’> with m’ = s, p’ = CP, r’ = (0, q-1), the CP from location 2 up to k, and the same contents as E with the region from l+k to l+k+b and last location w+k-1]

Standard VM Map

Sr = <E, M, P, R> → Sv = <E’, M’, P’, R’>, where R = (l, b), |E| = w, |CP| = k-2
- E’[i+k] ← E[i], for i = 0 to w-1
- E’[i] ← CP, for i = 2 to k-1
- E’[1] ← <m’, p’, r’>, where m’ = s, p’ = first location of CP, r’ = (0, q-1)
- E’[0] ← <m, p, r> as last set by trap handler
- M’ ← u, P’ ← P, R’ ← (l+k, b)

Standard VM Map

It can satisfy the three properties if the sensitive instructions are all privileged instructions in the third generation computer.

Overall wrap up
- Conventional third generation computer
- Virtual machine monitor (control program)
- The condition under which a VMM can be built in the conventional third generation computer

Related results: recursive virtualization

Can a VM run a copy of the VMM?

Theorem 2: A conventional third generation computer is recursively virtualizable if it is:

(a) virtualizable, and

(b) a VMM without any timing dependencies can be constructed for it

Relax VMM definition: hybrid VMM

Relax the VMM definition so that more third generation computers can be virtualizable.

Theorem 3: A hybrid VMM may be constructed for any conventional third generation computer where user sensitive instructions are privileged.
- Note 1: in Theorem 1, it is all "sensitive instructions"
- Note 2: user sensitive instructions are defined in the next slide

User sensitive instructions

Def. i is said to be user sensitive if there exists a state S = <E, u, P, R> for which i is sensitive.

In other words, i is user sensitive if i is sensitive under user mode.

Reference [1] G. Popek, R. Goldberg, “Formal requirements for virtualizable third generation architectures”, Commun. ACM, vol. 17, pp , 1974.