Post on 19-Dec-2015
The Alta Operating System
Patrick Tullmann
Masters Thesis Defense
University of Utah

Alta
Alta is an operating system in a Java Virtual Machine
Manages multiple applications on a single JVM
Supports the Fluke OS nested process model (NPM)

Research Goals
Can I change the protection mechanism in an OS model?
Can I provide safe, controlled sharing between Java processes?
Motivation: Servlet Engine
[Diagram: airline database servlet engine; public area and registered agents (Morris, Uniglobe, UT, NV)]
Motivation
Java Virtual Machine provides:
– Safety
– Platform independence
Java-based systems need:
– Multiple “user” management
– Resource management
– Flexible & extensible control

Approach
Traditional OS is a good model
– Hardware provides the safety mechanism
– OS provides management
Fluke OS nested process model

Fluke Background
Microkernel
– Threads, mutexes, IPC, …
– Manages CPU and memory
User-level services
– File, Network, …
Nested process model
– Structured
– Well defined

Nested Process Model
A model of how processes interact
Hierarchical: parent process provides resources
[Diagram: a parent process providing resources to child processes A and B]
Mapping an OS into Java
Type safety replaces hardware page protections
Bytecodes replace simple instructions
Native methods replace privileged instructions
All higher-level abstractions are equivalent

Goals for Alta
Support Fluke features for process management
– Mimic Fluke structure
– Provide parent process with control
Acceptable performance
Maintain backwards compatibility
– Existing Java apps should work

Design of Alta
Four design aspects (really seven)
– Maintain “whole JVM” illusion
– Per-process, flexible typespaces
– Inter-process sharing
– Sharing & resource control
– IPC-based interfaces
– Exportable kernel state
– Kernel implementation
Per-process Typespaces
Typespace: set of name-to-class bindings in a process
Extension of the NPM to Java
Parent process resolves all class names
– Enables access controls
– Enables code control in child process
– Problems with native methods
– Poses problems for sharing

Per-process Typespaces
Implies a class has no fixed name
Implies there can be inconsistencies
– Different notion of ‘File’
– Same notion of ‘Directory’
Inter-process Sharing
Alta allows limited inter-process sharing
– Initial sharing via IPC
– Sharing through other shared objects
Processes can have inconsistent types
Inter-process type inconsistencies can destroy a JVM
– Pointer forging

Inter-process Type Checking
Alta ensures equivalent types for all shared objects
Effective limits on shareable types:
– Completely consistent field types
– Only allows non-polymorphic fields
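As an added illustration of the two slides above (per-process typespaces, and the type check Alta applies before an object is shared), here is a small Python model written for this page, not Alta's own code: two typespaces bind the same class names, and an object may only cross between them when its class has identical field names and types in both, recursively, with no polymorphic field. The dict-based typespace, the ClassDef shape and the "final means non-polymorphic" rule are simplifying assumptions of this model.

```python
from dataclasses import dataclass

# Primitive field types carry no pointer, so they are always safe to share.
PRIMITIVES = {"boolean", "byte", "char", "int", "long", "float", "double"}

@dataclass(frozen=True)
class ClassDef:
    fields: tuple        # ((field_name, declared_type_name), ...)
    final: bool = True   # non-final => a field of this type may hold a subclass

def share_ok(type_name, src, dst, seen=None):
    """Check that an object of `type_name` allocated under typespace `src` may be
    handed to a process using typespace `dst`. Returns (ok, reason).
    Rule modelled: every field must have the same name and declared type in both
    typespaces (recursively), and no field type may be polymorphic."""
    if seen is None:
        seen = set()
    if type_name in PRIMITIVES or type_name in seen:
        return True, ""
    seen.add(type_name)
    a, b = src.get(type_name), dst.get(type_name)
    if a is None or b is None:
        return False, f"{type_name} unknown in one typespace"
    if not (a.final and b.final):
        return False, f"{type_name} is polymorphic (non-final)"
    if [n for n, _ in a.fields] != [n for n, _ in b.fields]:
        return False, f"{type_name}: field layouts differ"
    for (name, ta), (_, tb) in zip(a.fields, b.fields):
        if ta != tb:  # same slot, different type: the "pointer forging" case
            return False, f"{type_name}.{name}: {ta} vs {tb}"
        ok, why = share_ok(ta, src, dst, seen)
        if not ok:
            return False, why
    return True, ""

# Constructed sample typespaces: a parent and a child that agree on
# 'Directory' but bind 'File' to classes with a different field type.
STRING = ClassDef(fields=())
OBJECT = ClassDef(fields=(), final=False)
DIRECTORY = ClassDef(fields=(("path", "String"), ("entries", "int")))
PARENT = {"String": STRING, "Object": OBJECT, "Directory": DIRECTORY,
          "File": ClassDef(fields=(("name", "String"), ("fd", "int"))),
          "Stream": ClassDef(fields=(("sink", "Object"),))}
CHILD = {"String": STRING, "Object": OBJECT, "Directory": DIRECTORY,
         "File": ClassDef(fields=(("name", "String"), ("fd", "Object"))),
         "Stream": ClassDef(fields=(("sink", "Object"),))}

if __name__ == "__main__":
    for t in ("Directory", "File", "Stream"):
        print(t, share_ok(t, PARENT, CHILD))
```

The 'File' case is the one the slides warn about: the child reads the `fd` slot as a reference while the parent wrote an integer, which is exactly how a type inconsistency turns into a forged pointer.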
Sharing & Resource Control
Sharing complicates resource control
– Termination of a process that has “exported” objects
Alta lets applications control sharing
– Nested process model enables constrained sharing

User-level Shared Objects
Child allocates -> Parent references
– Harmless. If the parent dies then the child dies
– Useful. Child can pass IPC arguments
Sibling allocates -> Sibling references
– Allowable. Parent trades communication costs for separation
Parent allocates -> Child references
– Standard server behavior
– Cannot deallocate without the child’s cooperation
Results & Evaluation
Micro-benchmark measurements
Comparison with Fluke
– Structure
– Performance

Platform
Base system
– Kaffe Java virtual machine
Platform
– Measurements from a 300 MHz PII
– Java code is JIT compiled

Micro-benchmarks
Alta vs. Kaffe
– Basic VM operations are ~unchanged
– 50-100 cycle overhead on object allocation
Kaffe/Alta vs. Microsoft JVM
– Three (or more) times slower

Alta vs. Fluke: Structure
Use similar internal organization
– Both implement a “red line” [Back 1999]
– Fully preemptible kernel
Alta allows kernel / user data sharing
Alta’s kernel is almost malloc-less
– Except some JVM-internal structures

Alta vs. Fluke: Performance
Alta wins:
– Null system call
  • 192 cycles (vs. 302 in Fluke)
– Optimal thread switch
  • 185 cycles (vs. 519 in Fluke)
Fluke wins everything else, e.g.,
– Null IPC round trip
  • 18,524 cycles (64 µs) vs. 7,519 cycles in Fluke
– Process creation
  • ~11.9M cycles (39 ms) vs. 1M cycles in Fluke
Performance Evaluation
Alta hampered by poor JIT compiler
– GCJ will improve this
– Alta kernel is C-like
– HotSpot, etc. provide interesting opportunities
Alta can be optimized, too
– Static definition of a typespace
– Better kernel synchronization
– Incorporate recent Fluke optimizations

Related Work: Java
[Balfanz 1998], [Bernadat 1998], [Sun 1998]
J-Kernel [Hawblitzel 1998]
– Pure Java
– No inter-process sharing
KaffeOS [Back 1999]
– More restrictive sharing
– Resource management focus
  • Per-process heaps
  • GC time accounting
  • ...

Related Work: OS
Pilot / Cedar / Mesa [Redell 1980], [Swinehart 1986]
Oberon / Juice [Franz 1996]
Inferno [Dorward 1998]
SPIN [Bershad 1995]
Vino [Seltzer 1996]

Future Work
Resource accounting & GC
Formal analysis of Alta type system
Fluke & Alta integration
Alta-specific applications