Free Transactions with Rio Vista
Landon Cox
April 15, 2016
Basic assumptions
• On-disk data is durable and has integrity
• But slow to access
• In-memory data is fast to access
• But not durable and may lack integrity
• What is the difference between durability and integrity?
  • Durability: data survives faults (crashes and power loss)
  • Integrity: data is still correct in the face of faults
Basic assumption
• Why does disk data have durability and integrity?
  • Disk content survives power loss
  • Disk data has integrity because of software interfaces
  • The interface to disk is “explicit and complex”
  • Writing a block requires interacting with the disk driver
  • A crashing kernel is unlikely to randomly duplicate that driver functionality
  • Driver calls are checked for errors
• Is the interface to memory explicit and complex?
• No, any store instruction modifies the state of memory
• Any store instruction can modify any writable memory address
Enter: battery-backed memory
• NVRAM: non-volatile RAM
• NVRAM is fast
• NVRAM makes memory durable
• NVRAM does not ensure data integrity
• Same simple interface as volatile RAM
• Random stores can corrupt in-memory data
• Question: how to ensure integrity of in-memory data?
• This becomes a protection question
Protection and NVRAM
• Previously in protection
• Language-level guarantees (Java)
• Instrumented code (Speculative execution)
• Virtual memory (Micro-kernels, etc.)
• Disadvantages of languages and instrumentation?
  • Languages constrain programmer choice
  • Languages do not support existing code written in other languages
  • Instrumentation can be slow
  • Instrumentation requires interposing on all memory accesses
Rio file cache
• A file system interface in front of NVRAM
• Allows “warm reboot”
  • Cache contents persist across reboots
  • On reboot, inspect the cache contents and sync them to disk
• No need to write synchronously
• No need to track ordering dependencies among writes
• May still want to maintain a journal
• Only flush when needed (no periodic sync timers)
Rio file cache
• Can apps corrupt the cache?
  • Only through the explicit file interface, which a crashing app is unlikely to invoke by accident
  • An app can, however, store randomly into an mmap’d region of the cache
• Do we care about bad mmap stores?
  • No: an app can only corrupt its own data that way
  • Accepting that risk is part of using mmap
• What about kernel stores?
  • A failing kernel can still corrupt the cache
• How to protect the cache?
  • Mark cache pages read-only; make a page writable only inside the file system’s own write path
  • Corruption is then possible only while a page is writable, i.e., during a file-system write
Kinds of kernel failures
• Random bit flips in the kernel address space
  • To simulate, randomly flip memory bits
• Faulty instructions in kernel text
  • To simulate, change the source/destination registers of instructions
• Programming errors
  • To simulate:
    • Delete initialization code
    • Corrupt pointer variables
    • Randomly free allocated data
    • Overwrite data structures
Methodology
• Run benchmarks
• Randomly inject errors
• Wait for a crash …
• Check to see whether cached data has been corrupted
Rio results
(Figure: Rio corruption results. Annotations on the chart: “What we were afraid of.” and “Protections remove the risk.”)
Rio file cache
• How else can we use Rio?
• What about transactions?
  • Transactions are great, but
  • Rarely used outside of databases
  • Synchronous log writes to disk are slow
  • Can be hard to reason about aborts
• Rio can help make transactions fast
  • 2,000 times faster!
Recoverable memory
RVM: CMU library for recoverable memory
(Figure: the RVM transaction path. Annotations: “Copy of initial memory region.” for the undo log, “Copy of updated memory region.” for the redo log.)
• In whose address space is the recoverable memory?
  • In the application’s
• How many times is data copied?
  • 3: to the undo log, to the redo log, to the database
• What is the undo log used for?
  • User-initiated aborts
• What action commits the transaction?
  • Writing the commit record to the redo log
• Which ACID properties does this provide?
  • Durability and atomicity (not isolation or consistency)
Vista recoverable memory
Vista: library for recoverable memory on Rio
• Why don’t we need the redo log?
  • The undo log itself lives in persistent (Rio) memory, so recovery can roll back uncommitted transactions from it; committed data is already in place
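An added example, not code from the slides, the RVM library or Vista: a toy C model of the two designs just described, with a simulated crash. The `rvm_*` and `vista_*` names, the 16-byte region and the array standing in for the database file are all assumptions of this illustration, not the libraries' real APIs. It counts the data copies each design makes (RVM's three versus Vista's one) and shows why a persistent undo log alone is enough for Vista to recover, for a committed transaction, an uncommitted one, and a user abort.

```c
/* Toy models of RVM-style and Vista-style recoverable memory with a simulated crash.
   Names and data layout are assumed for this illustration; they are not the real APIs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION 16   /* bytes of recoverable memory in this toy */
#define MAXREC 8    /* log records per transaction */

/* One log record: a byte range of the region plus its old (undo) or new (redo) bytes. */
typedef struct { size_t off, len; uint8_t data[REGION]; } rec_t;
typedef struct { rec_t r[MAXREC]; int n; int committed; } log_t;

static void log_push(log_t *l, size_t off, size_t len, const uint8_t *src) {
    rec_t *x = &l->r[l->n++];
    x->off = off; x->len = len; memcpy(x->data, src, len);
}
/* Copy logged bytes into mem: newest first for undo, in order for redo. */
static void log_apply(const log_t *l, uint8_t *mem, int reverse) {
    for (int i = 0; i < l->n; i++) {
        const rec_t *x = &l->r[reverse ? l->n - 1 - i : i];
        memcpy(mem + x->off, x->data, x->len);
    }
}

/* ---- RVM: volatile undo log, durable redo log, durable database ---- */
typedef struct {
    uint8_t mem[REGION];  /* application's volatile copy of the region: lost on crash */
    log_t   undo;         /* volatile: exists only to service user aborts */
    log_t   redo;         /* durable: written synchronously at commit */
    uint8_t db[REGION];   /* durable database file */
    int     copies;       /* data copies made, to compare with the slide's "3" */
} rvm_t;

static void rvm_set_range(rvm_t *v, size_t off, size_t len) {   /* call before modifying */
    log_push(&v->undo, off, len, v->mem + off); v->copies++;     /* copy 1: undo log */
}
static void rvm_abort(rvm_t *v) { log_apply(&v->undo, v->mem, 1); v->undo.n = 0; }
static void rvm_commit(rvm_t *v) {
    for (int i = 0; i < v->undo.n; i++) {                         /* copy 2: redo log */
        const rec_t *u = &v->undo.r[i];
        log_push(&v->redo, u->off, u->len, v->mem + u->off); v->copies++;
    }
    v->redo.committed = 1;   /* the commit record: from here on the transaction is durable */
    v->undo.n = 0;
}
/* Crash: everything volatile vanishes. Recovery replays committed redo records into the
   database (copy 3) and reloads the application's copy from it. */
static void rvm_crash_and_recover(rvm_t *v) {
    memset(v->mem, 0, REGION); v->undo.n = 0;
    if (v->redo.committed) { log_apply(&v->redo, v->db, 0); v->copies += v->redo.n; }
    v->redo.n = 0; v->redo.committed = 0;
    memcpy(v->mem, v->db, REGION);
}

/* ---- Vista: the region and its undo log both live in Rio's persistent memory ---- */
typedef struct {
    uint8_t mem[REGION];  /* the data's only home; survives a crash */
    log_t   undo;         /* persistent undo log */
    int     copies;
} vista_t;

static void vista_set_range(vista_t *v, size_t off, size_t len) {
    log_push(&v->undo, off, len, v->mem + off); v->copies++;     /* the only copy made */
}
static void vista_abort(vista_t *v) { log_apply(&v->undo, v->mem, 1); v->undo.n = 0; }
static void vista_commit(vista_t *v) { v->undo.n = 0; }   /* one store; no redo log needed */
/* Crash: memory persists. Recovery just rolls back whatever the undo log still holds. */
static void vista_crash_and_recover(vista_t *v) { vista_abort(v); }

/* Write "hello" inside a transaction, then: action 0 = crash before commit,
   1 = commit then crash, 2 = user abort then crash. survived is 1 if "hello"
   is still there after recovery; copies is the number of data copies made. */
typedef struct { int survived, copies; } result_t;

static result_t rvm_demo(int action) {
    rvm_t v; memset(&v, 0, sizeof v);
    rvm_set_range(&v, 0, 5); memcpy(v.mem, "hello", 5);
    if (action == 1) rvm_commit(&v); else if (action == 2) rvm_abort(&v);
    rvm_crash_and_recover(&v);
    result_t r = { memcmp(v.mem, "hello", 5) == 0, v.copies };
    return r;
}
static result_t vista_demo(int action) {
    vista_t v; memset(&v, 0, sizeof v);
    vista_set_range(&v, 0, 5); memcpy(v.mem, "hello", 5);
    if (action == 1) vista_commit(&v); else if (action == 2) vista_abort(&v);
    vista_crash_and_recover(&v);
    result_t r = { memcmp(v.mem, "hello", 5) == 0, v.copies };
    return r;
}

int main(void) {
    const char *names[] = { "crash before commit", "commit", "user abort" };
    for (int a = 0; a < 3; a++) {
        result_t r = rvm_demo(a), s = vista_demo(a);
        printf("RVM   %-19s survived=%d copies=%d\n", names[a], r.survived, r.copies);
        printf("Vista %-19s survived=%d copies=%d\n", names[a], s.survived, s.copies);
    }
    return 0;
}
```

The committed RVM transaction costs three copies and a synchronous redo-log write before the commit record makes it durable; the committed Vista transaction costs one copy (the old bytes into the persistent undo log) and its commit is a single store that empties that log. In both models the uncommitted and aborted transactions leave no trace after recovery.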
• The interface to Vista is a malloc-like heap manager
• What needs to be protected?
  • The heap-management metadata and the undo log
• Why aren’t Rio’s protections sufficient?
  • Vista’s data lives in the application’s address space, not in the kernel’s file cache
  • Toggling page protections around every transaction would need system calls, which are slow
• How is Vista protected?
  • Create a moat around the important data: surround the log and heap metadata with unmapped address space, so a store that runs off a neighboring buffer faults instead of reaching them
Protecting Vista
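An added example, not code from the slides, Rio or Vista, that uses mprotect to stand in for the two protection schemes on this page: a file-cache page that is read-only except inside the file system’s write path, and an undo-log/metadata page separated from application data by an unmapped moat page. A stray store is modeled as one write issued from a SIGSEGV-guarded helper, so the program can report whether the store landed rather than crashing. `fs_write`, `stray_store`, `rio_scenario` and `moat_scenario` are assumed names for this illustration; it runs on Linux or macOS.

```c
/* Rio-style page protection and a Vista-style moat, simulated with mprotect.
   Assumed names and layouts for illustration; not the real Rio or Vista code. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t pgsz;
static sigjmp_buf fault_env;
static volatile sig_atomic_t expecting_fault;

static void on_fault(int sig) {
    (void)sig;
    if (expecting_fault) siglongjmp(fault_env, 1);   /* a stray store we issued on purpose */
    _exit(1);                                        /* anything else is a genuine bug */
}

static int setup(void) {
    static int done;
    if (done) return 0;
    pgsz = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) || sigaction(SIGBUS, &sa, NULL)) return -1;
    done = 1;
    return 0;
}

/* Issue one wild store, as a buggy kernel or application path would. 1 = landed, 0 = faulted. */
static int stray_store(volatile uint8_t *p, uint8_t v) {
    expecting_fault = 1;
    if (sigsetjmp(fault_env, 1)) { expecting_fault = 0; return 0; }
    *p = v;
    expecting_fault = 0;
    return 1;
}

/* --- Rio: the cache page is read-only except inside the file system's write path --- */
static uint8_t *cache;

static int fs_write(size_t off, const void *buf, size_t len) {
    if (off + len > pgsz) return -1;
    if (mprotect(cache, pgsz, PROT_READ | PROT_WRITE)) return -1;   /* open the window */
    memcpy(cache + off, buf, len);
    return mprotect(cache, pgsz, PROT_READ);                        /* close it again */
}

/* Returns 1 if the cache survives a stray store. during_fs_write models the slide's
   caveat: corruption is only possible while the page is writable. */
static int rio_scenario(int during_fs_write) {
    if (setup()) return -1;
    cache = mmap(NULL, pgsz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cache == MAP_FAILED) return -1;
    memset(cache, 0, pgsz);
    if (fs_write(0, "inode", 5)) return -1;            /* legitimate write, page ends read-only */
    if (during_fs_write) mprotect(cache, pgsz, PROT_READ | PROT_WRITE);  /* mid-write state */
    stray_store(cache, 'X');
    int intact = cache[0] == 'i';
    munmap(cache, pgsz);
    return intact;
}

/* --- Vista: log/metadata page next to app data, with or without an unmapped page between --- */
/* Layout: [app buffer page][moat page, if any][metadata page]. A buggy loop overruns the
   app buffer by 16 bytes, one store at a time. Returns 1 if the metadata page is untouched. */
static int moat_scenario(int with_moat) {
    if (setup()) return -1;
    size_t npages = with_moat ? 3 : 2;
    uint8_t *base = mmap(NULL, npages * pgsz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    uint8_t *meta = base + (npages - 1) * pgsz;
    memset(meta, 0xAA, pgsz);                                   /* recognizable log bytes */
    if (with_moat && mprotect(base + pgsz, pgsz, PROT_NONE)) return -1;   /* the moat */
    for (size_t i = 0; i < pgsz + 16; i++)
        if (!stray_store(base + i, 0x00)) break;                /* the moat stops it here */
    int intact = meta[0] == 0xAA;
    munmap(base, npages * pgsz);
    return intact;
}

int main(void) {
    printf("Rio, steady state:      cache intact = %d\n", rio_scenario(0));
    printf("Rio, during FS write:   cache intact = %d\n", rio_scenario(1));
    printf("Vista, no moat:      metadata intact = %d\n", moat_scenario(0));
    printf("Vista, with moat:    metadata intact = %d\n", moat_scenario(1));
    return 0;
}
```

The two schemes fail in different ways: Rio’s page protection leaves a window exactly as wide as a file-system write, while the moat only catches stores that walk sequentially off neighboring data; a wild pointer that happens to land inside the metadata page still gets through, which is why the slides treat that as an unlikely event rather than an impossible one.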
Evaluation
(Figure: Vista performance results. Annotation on the chart: “Why the drop off here?”)