popek & goldberg’s notation

1

Formal Requirements for Virtualizable Third Generation

ArchitectureGerald J. Popek and Robert P. Goldberg

Popek & Goldberg’s notation

Haipeng Cai and Siyuan Jiang

2



•Conventional third generation computer•Virtual machine monitor(VMM)


3



ConventionalThird Generation Computer


4



Processor Mode M•s: supervisor mode•u: user mode

Conventional Third Generation Computer

5



No I/O instructions


6



Memory as Executable storage E• Linear• Uniformly addressable

0 q-1… …

iE[i]

E


7



Relocation-bounds Register R• R=(l, b)• An index to E

0 q-1… …E

l l+b


8



R=(l, b),address a is reached like:

0 q-1… …E

l l+b

a<b

l+a

a>b-1Memorytrap(Discuss later)

a+l>q-1Memorytrap

(Discuss later)


9




Relocation-bounds Register Rworks in both processor modes• supervisor mode• user mode

10



Program Counter PAddress of next instruction• Relative to R

0 q-1… …E

l l+b

P=p

l+p


11



State S=<E, M, P, R>The current state of the real computer system• E: executable storage• M: processor mode• P: program counter• R: relocation-register

PSW:Program status word


12



PSW=<M, P, R>

0 q-1… …E

l l+b

1

Old-PSW

Next-PSWConventional Third Generation

Computer

13



State S=<E, M, P, R>Notation C • is the finite set of states


14




Instruction i• is a function f: C C

C Ci

15




Trap(an action of instruction)

0 q-1… …E1

l1 l1+b1

1

S1=<E1, M1, P1, R1>

<M’,P’,R’>

trap

<M1, P1, R1>

S2,=<E2, M’, P’, R’>

E2 l' l'+b'

16




MemoryTrap• A trap that caused by an attempt to access an address which is beyond the bounds

0 q-1… …E

l l+b

address a>b-1(memorytrap)

a>q-1(memorytrap)

17




Privileged instruction i• For any PSW=<e, p, r> that i does

not memorytrap, • if M=u, i traps • else if M=s, i does not trap

18




Sensitive instruction i• Control sensitive• Behavior

sensitive

19




Control sensitive instruction iThere exists a state S1=<e1, m1, p1, r1> , note i(S1)=<e2,m2,p2,r2>such that i(S1) does not memorytrap AND (r1≠r2 OR m1≠m2) is true

In other words, i is control sensitive if i intends to change one or both of• R: the available memory resources• M: the processor mode

20




Operator Å (for Behavior sensitive instruction)

0 q-1… …E

l l+b

r

0 q-1……E

l+x l+x+b

rÅx

21




Behavior sensitive instruction ii is behavior sensitive if there exists integer x and S1, S2 where S1 has m1, r1, p1 and S2 has m2(≠m1), r2=r1Åx, p2=p1such that i(S1) and i(S2) differ in one or both of• the values of available memory• the program counter

22




Behavior sensitive instruction i• is location sensitive, if the difference is caused by R• is mode sensitive , if the difference is caused by M

Behavior

Sensitive

Location

Sensitive

Mode Sensitiv

e

Relocation-bounds Register Processor Mode

23



Conventional third generation computerWrap Up


• S=<E,M,P,R>• Executable storage• PSW• Processor Mode• Program counter• Relocation-bounds

Register

• Instruction• Trap• Memorytrap

• Privileged instruction

• Sensitive instruction• Control Sensitive• Behavior Sensitive

24



Virtual Machine Monitor(VMM)

Virtual Machine Monitor

25



Control Program(CP)

VMM is a kind of CP


26



Control ProgramAssume• Control Program runs in s mode• Other programs run in u mode(In later discussion, ”program” represents the other programs)


27



Control Program CP=<D, A, {vi}>• Dispatcher D• Allocator A• Interpreters {vi}


28



Dispatcher D


D decides which module to call.E[1] has P set to D

0 q-1… …E

l l+b

1PSWnext=<M, P->D, R>

29



Allocator A


A decides what resource(s) are to be provided.

30



Interpreters {vi}


One interpreter routine vi for one privileged instruction i

32



Virtual Machine MonitorA CP with three properties:• Efficiency property• Resource control property• Equivalence property


33



Efficiency property:All innocuous instructions are executed by hardware directly(with no intervention on the part of the control program)


34



Resource control property:Programs cannot affect the system resources.(Whenever an attempt to affect system resources, A is to be invoked.)


35



Equivalence property:With two exceptions(listed in the next slide), any program k performs in a manner indistinguishable from:(1)CP does not exist(2)k has freedom of access to privileged instructions


36



Exceptions for equivalence property:(1) The length of time required for execution changes when program runs with a CP present(2) A may not satisfy a particular request for space, then k will not execute in a same manner


37



Virtual MachineThe environment

which any program sees when running with a VMM present


38



Virtual machine monitorWrap up

• Control Program (CP)• Dispatcher• Allocator• Interpreters{vi}

• Virtual machine monitor properties• Efficiency• Resource control• Equivalence


39



Formal Requirements for Conventional Third Generation Computer

to be Virtualizable

Formal requirements for virtualizable third generation computer

40



Theorem 1For any conventional third generation computer,a VMM can be constructed, if the set of sensitive instructions (for that computer) is a subset of the set of privileged instructions


41




Construct a VMM (in conventional 3rd generation computer)• VM Map• Define “Equivalence property”• VM Map that satisfies three VMM properties

42




VM Map • is a function f: Cr->Cv which is a one-one homomorphism that is for any Si, ei, there exists a e’i, such that f(ei(Si))=e’i(f(Si))

Cr(states without VMM) Cvf(states with VMM)

Si S’i

S’jSjf

ei e'i

43




VM MapVM Map only maps states:• after the completion of one instruction in the real machine• before the beginning of the next instruction

44




Equivalence (Formal)Assume a real machine runs from S1, VM runs from f(S1).The VM is equivalent to the real machine, if and only if, for any S1,if the real machine halts in S2, then the VM halts in f(S2).

45




Standard VM Map(detail in next slide)

0 w-1… …

E l l+b

0 w+k-1… …E’

l+k l+k+b

Sr

Sv

…k

CP2

<m’, p’, r’>

Standard VM Map

<m, p, r>

<m’=s, p’=CP, r’=(0,q-1)>same

set by trap handler

46




Standard VM MapSr<E,M,P,R>Sv<E’, M’, P’, R’>where R=(l, b), |E|=w, |CP|=k-2• E’[i+k] E[i], for i=0, w-1• E’[i] CP, for i=2 to k-1• E’[1] <m’, p’, r’>

where m’=s, p’=1st location of CP, r’=(0, q-1)• E’[0] <m, p, r> as last set by trap handler• M’ u, P’P, R’(l+k, b)

47




Standard VM MapIt can satisfies three propertiesif the sensitive instructions are all privileged instructionsin third generation computer

48




Overall Wrap up• Conventional third generation computer• Virtual machine monitor (control program)• The condition under which

VMM can be built in the conventional third generation computer

49




Related results: Recursive virtualization• Can a VM run a copy of the VMM?• Theorem 2: A conventional third

generation computer is recursively virtualizable if it is:

(a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it

50




Relax VMM definition: Hybrid VMM• Relax VMM definition so that more

third generation computers can be virtualizable

• Theorem 3: A hybrid VMM may be constructed for any conventional third generation computer where user sensitive instructions are privileged.Note1: in Theorem 1, it is all ”sensitive instructions”

Note2: user sensitive instructions are defined in next slide

51




User Sensitive Instructions• Def. i is said to be user sensitive, if there

exists a state S=<E, u, P, R>, for which i is sensitive

• In other words, i is user sensitive if i is sensitive under user mode



Haipeng Cai and Siyuan Jiang 5

2Haipeng Cai and Siyuan Jiang

[1] G. Popek, R. Goldberg, “Formal requirements for virtualizable third generation architectures”, Commun. ACM, vol. 17, pp. 412-421, 1974.

Reference

popek & goldberg’s notation

Documents

generation architecturegerald

goldbergformal requirements

goldberghaipeng cai

siyuan jiangmemory

siyuan jiangrelocationbounds

siyuan jiangprocessor

ell bp

ell bconventional