Extensibility, Safety and Performance in the

Extensibility, Safety and Performance SPIN Brian N. Marc E. Operating System Bershad Stefan Savage Przemyslaw Fiuczynski David Becker Craig Department of Computer of Seattle, ~hambers paging describes performance SPIN with the motivation, provides an to safely extension change and implementation. specialize the achieve export system safe erating and This code executing run on DEC Alpha in within realtime to demands performance the op- the kernel address 1.1 in Modula-3 Goals The goal Introduction to specialized ality by to safely requirements the need mands poorly mentation tion poorly to applications by an operating A poorly an application matched interface the and functionthat from prevents present system’s matched well, it from working of disk de- implewhile buffering to operating also needs operating to of the and services. the implementations Other present system extend provide application a and characteristics and granularity nally, good of the at between of cost, an extension protected space. system SIGOPS ’95 12/95 CO, USA Q 1995 ACM 0-89791-71 5-4/9510012...$3.50 267 Enforced Modula-3 the Co-location and extension the view safe, and services at defined. Fi- system. that fast that an operatthrough to operating at the communication to have low the provide lowsystem system level system extensions the kernel virtual code of the commu- SPIN operating enables de- actions overhead our implemented Operating linked into are the that controlled low and exported Safety to the be access are infrastructure and runtime by services. extensions requires Specifically, Co-location. namically that an access which lies on four techniques language or its runtime: Permission to make digital/hard oopy of part or all of this work for personal or classroom use is granted without fee provided that mpies are not made or distributed for profit or commercial advantage, the copyright notica, the title of the publication and its date appear, and notice is given that copying is by permission of ACM, Inc. To mpy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission andlor a fee. on SPIN reflects and fine-grained, resources. Thk research was sponsored by the Advanced Research Projects Agency, the National Science Foundation (Grants no. CDA-91 23308 and CC! R-9200832) and by an equipment grant from Digital Equipment Corporation. Bershad was partially supported by a National Science Foundation Presidential Faculty Fellowship. Chambers was partially sponsored by a National Science Foundation Presidential Young Investigator Award. Sirer was supported by an IBM Graduate Student Fellowship. Fiuczynski was partially supported by a National Science Foundation GEE Fellowship. that purpose safety is determined to system can be extensible, use of language a general extensibility, of applications performance design build resources depends access requires ing system and and exposure same The at all. it the is to provides Extensibility fine-grained nication a that services applications; others, implementa- working implementations and servers, can research system termines SPIN is motivated of applications. matched be dynamically the performance support or interface. prevents For example, meet clients can 92]. approach performance. allows can perfor- et al. functional and of our operating that and of high Eicken programs, the pur- frequently extensions workstations. system and between are demands [von match interfaces interfaces SPIN is an operating the tolerant poorly match good 1 implementations result- General system, op- protecting are written that system’s the 81]. SPIN, an application better a type [Stonebraker as multimedia fault systems applications, supporting such operating database applications and Using to the for parallel to operat- into offers while SPIN and its extensions space. written linked approach services, to Eggers in modern for protocol applications, function- mechanisms interfaces are inadequate in order found performance network mance interface and link-time dynamically kernel. system system pose applica- an application of performance algorithms be inappropriate together allow system’s allow Extensions are access to system erating and and system rapid operating fine-grained services. language, that Susan Sirer Engineering ing in poor and system. infrastructure, operating level SPIN uses language ality. ing the underlying operating services, Extensions a particular inexpensively architecture SPIN, an extensible of a core set of extensible tions and Gun 98195 can paper Emin Washington WA Abstract This Pardyak Science University in the re- of the are dyaddress between cost. modularity. Extensions are written [Nelson 91], a modular programming in language for which boundaries execute not in the access tions the compiler between through kernel’s memory unless have an interface. compiler enables another with been space, given address can- system access enforced to be isolated the tensions device the ● Logzcal protection within logical protection nel namespaces terfaces. that views tected by namic linker tection the resolves to system in-kernel dy- logical pro- are Co-location, An can describe the within overhead the call safely accessed and techniques do not Ultimately, of resources and can with interfaces low overhead. that fme-grained rely is achieved operations are domains call binding ponents to manage to define and modularity protection, relationships extensions The rest and performance of this vate the cuss related need System The SPIN operating and core system kernel’s virtual extensible In the other into the kernel themselves system them. allows and requiring other Although safety within any language space. system tension the existing Once loaded, and cialized com- all runtime system conversion when within the they operating on language and Only language. code that features low-latency in system’s For example, the we have used exten- discuss against of 6 we discuss system our the that in Modula- conclusions. systems few system may run few practice, al. 92bj al. 94, Stodolsky 87, Harty Anderson al. & Cheriton et al. 93, Bershad the performance 92, synchrovirtual & mem- 91, Bershad Bershad 93, Felten 91, McNamee Fall with application’s et al. 93, them can, networking, [Draves et & runs communication, management Maeda but address management, many a spe- systems of a particular change in system behavior. to improve the performance to ensure can in ad- often degrade specialization An access safe cache et to gener- runs contrast, programs, interprocess thread balance In general requirements as to system well. most be specialized such forced A general run In and are Yuhara 92, Young & Armstrong Pasquale 94, Wheeler & Bershad 92, Romer et al. 94, Romer et al. 95, Cao et al. 94]. Unfortunately, existing system structures are not well-suited for specialization, often requiring a substantial programming effort to affect evgn a small communicating requires is written an operating dissys- core services 5 we it and the and the In Section 7 we present may et 90, provide the kernel, applications can be written ancl execute within their own virtual services protection Section systems. writing we moti- systems compare but effort, et al. integrate code. SPIN relies In specialization. well. ory can be loaded infrastructure and design, section 3 we describe of its and in Section programs, dynamic system execute motivation, 4 we describe system. operating ality specific to the applications that require SPIN is primarily written in Modula-3, which extensions to directly use system interfaces with- with to into time. packets Motivation Most export services out dress at any that the operating in terms by 2 to and of a set of extension Extensions video paper Section In Section performance nization, space. kernel buffer. describes for provided needs, services address client the define overview services The into SPIN. In the next of system’s some consists this paper architecture 3. Finally, at runtime. system of work. and functional 1.2 a direct network. frame move SPIN Using implements the exthat as images network video For system screen. an extension incoming rest our experiences ex- and logical between video that and installs to the The several exported to efficiently enforced disk SPIN to specialize transfers an extension and through which that on co-location operations, protection them data memory, programs. to the client’s the decompresses tem’s How- SPIN provides a set of interfaces to applications. core system services, such as memory management scheduling, application sion facilities. to the system’s themselves, be call. protection enable guarantee interfaces and logical extensibility service as a virtual of a procedure binding re- of a thread. interfaces, modularity, clynamic such scheduling declared be defined tensibility. viewer and OSF/1 SPIN ex- of a pro- in with ever, these or defines between to a client/server disk consists of virtual application control server server. extensions built stream displays execute event used the server’s that cross-domain Extensions in the system, fault enforcecl and few thread, bulk its own the DEC number by the of individual the server are pro- the overhead events. action dispatched set enabling requires the The within The a small required also server. implements and provide we have 1.3 page Events the An have needs from units, that in separate with btndtng. any potential memory system code at runtime, call sponse the in- interface, that ample, call. Dynamtc domains, ker- resources system. to occur are and exported are language-level operating communication ● which exist which code on system domains cedure domains, contain Interfaces, represent Extensions domatns. of code that interfaces We cost. system in C, and executes (as do applications). body call one by from operating is written space of a large instruc- explicit a UNIX of the server which privileged Modularity modules low address execute implement interface Extensions, virtual or they enforces modules. extensible namically ex- SPIN to for 268 that is a costly system to meet extensibility Moreover, changes intended of one class of applications of others. and is one that the needs in operating As error-prone can a result, be changed of an application. systems system process. is shown The dyneed clearly by systems tosh such as MS-DOS, Operating not System. designed to mechanisms directly be have modify code [Schulman tions have Windows, Although extensible, allowed et their 92]. from data While this of safe interfaces to either operating operating extension services system configuration “chaos” [Draves protection to structures individual level svstems. . were programmers system al. Macin- systems weak application operating benefited or the these of freedom, system design, mentation with times and ware the lack a cross-domain services or system su~~ort .. Related Previous of about 10 procedure considered Some strated the safety 81] to kernel defined plemented the the Hydra’s high due with to its allocating those highly weighty “large objects” resources influential, the system as the basic programming effort even the a Researchers have tems [Black et & Zwaenepoel 88]. A al. 92, microkernel combined services nately, level a microkernel’s tations & Weihl a the nel service 91], few 90, Draves ponents, grained Unfortu- substantial 94, Davis changes for extending 91, Abrossimov so extended. communication et al. 91, Chen mostly & Bershad to coarse-grained Stevenson protected & Julin interaction occurs extensions, We overhead frequently can believe this 93], 95, Bricker between lim- the performance cation has improved ton Kougiouris & it still does couraging not of cross-domain substantially 93, Hildebrand approach the construction that system nism for to of a procedure fac- and communi- call, rest in- overhead that kernel enable can arbitrary at runtime 88]. In [Heide- these systems because system; any application- et al. 95, Small that Software and data the where degree mecha- segments. is appropriate It for extensions may addition, soft- In model al- hardware. a protection an extension determine memory checks segments of segments. is only on as a co-location sharing, ad- memory if the mechanism number virtual These code & isolacode, on a binary checks memory .~romise isolated isolation define relies protected fine-grained a large fault kernel’s explicit on virtual though, the isolation instructions. shows with into define relatively [Engler on et al. efficient such hardware tional mechanism or the to which a and service inter- a system tion same & en- goals ferent. non-extensible nel from 269 to handling can to its as Aegis can needs. although SPIN uses language extensions and TLB Instead, as libraries space. System be changed by SPIN shares its facilities implements approach that hardware such as virtual are implemented a library and 95]. services, address system ex~ort manage- The system itself minimally provided Kaashoek system scheduling, according redirection to applications. beyond those [Engler in 95] is an operating tra~ as exce~tion operating executing in recent years [Hamil92, Engler et al. 95], of monolithic, the system possible. inserts branch in an application’s the range between and is restricted Fault that relying services, tor. Although data the interface 94, Engler lamzua-ge, and ment, directly no abstractions fine- performance being and making the entire [Lucco ~oftw~re tool Aegis [Golub with any isolation relies et al, 91]. system com- in a system be a limiting is be- which in fault faces et al. services et al. be extended. et al. [Bershad the et al. is not projects space. does not any ker- 89, Forin extensibility access facilities nearly et al. 94, Rozier down system 93, Wald- communication the extensions is unclear, to for limi- et al. control limit use systems languages, therefore interfaces into can bring ware microkernel’s which interfaces. provide to define without occur to compensate [Lee et al. been extensions et al. 90, Otherwise, kernel’s [Lee These interpretation right low programs. a microkernel the ex- the kernel 94]. narrow, extension references can operating user-level in require infrastructure have systems rewriting spaces, was to safely environment Finally, & Popek dress 94]. [Barrera of high address the Second. to be installed writt>n et al. number abstractions and Seltzer 94] are exploring the use of software fault tion [Wahbe et al. 93] to safely link application Cheriton conventional implementation Although cause often 90, a small These as of the in interfaces provide threads, extensions applications spurger include implemented the al. of 85], orcler performance. Several sys- 94, Thacker exports more use extensible et & Duda support Application-specific at or above Mullender channels. to the building typically that communication system investigated for 83, Cheriton abstractions and recently as a vehicle extensions. difficult. specific extension. and is generally Many blocks, affect in First, cumbersome, of the mann had the through of arbitrary programming de- [Colwell et al. problems. the’ language’s prowas building to the expression code on languages” runs three had capability-based that from system of hard- transfer, interface 87, Yuhara make limit resources. “little little, tegration im- on code of ~ossible The themselves managing Consequently, a large microkernels its for et al. call a point provided overhead system suffer structures applications policies. processes although mechanism. signed for the policies overhead requiring be and [Wulf allowed multi-level mechanism demon- extensibility, Hydra that through architecture, tection small For example, processes, have between an infrastructure resources between systems tension and performance. manage of extensible rely et al. As 811, which times its imple- procedure 90]. cross-domain call with call unacceptable operating 94, Mogul three-way defined systems the of interpreted to build ~rotected 100 Int communication generally 93]. work efforts for 93, 432 [Int even procedure of nearly Liedtke the Intel applica- has created 92, comparison, the L3 microkernel. has a protected overhead [Liedtke tend 2.1 For examDle. ,, aggressive defines by the convenmemory executing service the code applica- many of the is quite dif- to protect the protected commu- ker- nication using procedure SPIN provides tensible services. protected nel systems lied on system et that al, an such of the code are used not and the Redell 3.1 In just for the services kernel. can be applied model tual sys- ment only to ex- address for The protection safely system model cess control ables of resources, extensions procedure wards to call. All and on makes that demands dynamic Relevant general of the resources which its and purpose programming The for key type objects, safety, generic the task The safety only; of constructing design and safety, module, automatic module are hidden. tion at compile-time. accessing memory operations must first restriction ond is enforced and run-time defines The memory be checked through checks. inter- in the enforces this and array bounds a combination Automatic views to on the et al. at its type. which are is a reference within definition mesca- supported to a block an interface. and of Fig- use of interfaces SPIN. in prevents dereferenced There al. prob- SPIN implements compile-tame, or et 81], 94], or protected 92], pointers, the [Carter et al. in a pointer a way is no run-time inconsis- overhead for access the from pointer or its the kernel be assumed An to referent. A pointer to a user-level application, be type externalized table safe, reference that contains as an can externalized is an.index type be which into a safe references to in-kernel data structures. The references can later be recovered using the index. Kernel services that intend to pass a reference out to user level externalize the in- reference through this table and instead pass out the index. Protection indexing domains A protection The available and the sec- erating of compile-time storage In- protected on capabilities, [Wulf is declared forged per-application restric- violation. at compile-time, based hardware (pointers) compiler, reference. safety prevents code from A pointer may only refor capabilities passed the implementation type, 1 demonstrates to simplify language’s listed systems only access. using a pointer, passing it across an interface, or dereferencing it, other than the overhead of going to memory storage management. of an implemen- compiler referent’s is enforced and different A pointer type and with are to have et al. using ure tent resources given interfaces [Engler [Black whose storage is a and reference been mechanisms directly being or a of these Individual have a re- interface, extensions special-purpose protection The to services. operating channels cannot on the extensions language. from for obfor aes- features items slow by capabil- of each system. of by the in the parts the and an interface, allocation that collections memory include threads, specifically within Type arbitrarily. of its only visible definitions a system. automatic the which other these mechanisms; and All to objects that a large declares terface. fer abilistic object, page they on 94], virtual sage Modula-3, language interfaces, SPIN depends of encapsulation faces, type An interface tation we find manage- create reference example memory other rely An to which different which relies designed of the and to SPIN are referenced in to ensure and Unlike SPIN exceptions. We rely on the language’s support jects, generic interfaces, threads, and exceptions reasons virtual set of available typechecking in language features interfaces, management, thetic allow low- instead as static written of vir- are frequently 81]. a physical resources en- of Modula-3 are a process range protection can be a system page, pabilities extensions that though, is an unforgeable of interfaces. entire terfaces to- with Consequently, such that a protection ensures expensive et al. of operations a particular spaces, being A capability acof a is biased be implemented hardware, services, model granularity architecture can properties 1990’s. support the spaces within fine-grained [Lazowska kernel the linking. SPIN and early at address the are protected code. fine-grained extension processors. on language-level and clefined system’s conventional few the infrastruc- application efficient, while be The mechanisms cost supports and example, Address for physical a software system set Capabilities ities. combining of spaces the ture from an object In contrast, operating provides the For of resources, to access SPIN Architecture SPIN architecture for controls on inadequate for one another. The referent reused model access memory collection The pointer’s and to resources. addresses. source 3 model based can only protection applies Tjirtual the a live protection A protection [Geschke language The al. space general, on the by heap type. re- system Mesa its extensions. isolate et operating depended system from those SPIN, have in used to the the ker- which a single-address written on language to otherwise programs extend was system, within 91, like of Modula-3. have in the operating tension to ancestor SPIN’s reliance from memory returned a different on hardware by al. 73] programs as Pilot all protection et inst ante, ran 77], tems for relies manner Organick features Pilot, being or applied. 94, language services. prevents infrastructure, a core set of ex- extensions the [Cooper Mossenbock this and Aegis to isolate unspecified are defined Several Using model contrast, calls leaves extensions 80, In system and call. an extension management ing 270 domain defines to an execution system, virtual a protection address spaces. the set of accessible context. domain A name names In a conventional op- is implemented us- within one domain, a virtual address, in another sharing has no relationship domain. operations meaningful Only through is it possible between to that explicit for protection same name mapping and names to creates an instance a module become creates domains. a type error IIi’TERFACE T <: Console; (* An REFAIJY; (* Read interface. as *) “Console. T is opaque. ” *) InterfaceName (* A global PROCEDURE (* a Write PROCEDURE Read(t: Close for T; msg: TEXT); VAR msg: TEXT); (t: the console. *) this names would model for cilities for creating, since are visible introduce ming the system. in the error. The extensions into an procedures, to programmers, an overly program- SPIN and context we felt restrictive Instead, to type modules, coordinating, namespaces IMTERFACE Domain; TYPE REFAMY ; Create (coff: T <: PROCEDURE Returns a file TYPE but variable (* (* Console; An implementation implementation Buf REVEAL space, in all it provides linking fa- program- of protection domains. of = ARRAY = BRAHDED input Q: T output (* OF REF module. Console. [0..31] *) Domain .T is opaque T (* to is a a pointer *) info domain standard This export : T; the specified object file object format) . *) :T; containing module. and from interfaces function allows themselves at runt defined by modules to ime. the *) *) record PROCEDURE *) (* specific a a name (* J > is CreateFromModuleo Create T) created (* CHAR; RECORD ‘coff calling Buf; device (’ CoffFile. domain PROCEDURE T *) Buf; Q: (* T); Console; The module results placing passes original “ConsoleService”; capability (t: PROCEDURE (* by and the of *) returns PROCEDURE MODULE that avoided and type, T Openo:T; Open END = name conflict that level COIJST new a Console. be could a global TYPE of the expecting *) Resolve (source Resolve any undefined against any expOrted ,target: T) symbols ; in symbOls the from target the domain source. *) END ; (* Implementations (* have direct PROCEDURE EIID of interface access Openo:T to = functions the *) revealed type. PROCEDURE Combine(dl (* a Create interfaces *) END Gatekeeper; IMPORT Console; VAR Console. (* A client Figure *) PROCEDURE (* A (* the IntruderAlert capability for console () device The Console .Openo .Write(c, Console .Close(c) ; “Intruder Alert”) Domain symbols and is used keeper. is Gatekeeper through the IntruderAlert unable executes to module within the the fields same interacts Console objects within virtual with interface. mampulate. access the of type object, address SPIN’s Although Console. even space Con- the the level of the naming and language, system. Consequently, occur at the language c is an instance of the Console. T occupy pace. An extension Domain operates b.v t.vpe interface as addresses domain that as T, though it is must on safe in- point- unsafe with manipulate directly. the Console protection not of the interface virtual is at file been signed asserts their files than Any ject 271 OSF/1 “safe share symbols file are services using with exported exported the the ‘to the the object file level device interface interface vendor drivers are written we prefer tend to be [Dig 93], into the in C, the kernel by assertion” to avoid rather to be the using than by source of of bum. can be intersecting to share to ex~orted compiler, driver link as they fair corresponds Modula-3 assert In general, are verification, their the or with by a capability, and one or more lowest the driv~rs safety. that main is created tializes a domain a portion of some symbolic namesConsole. T, that redefines the type DEC ‘Althoug~ plications by SPIN’s to the by code is safe if it is unknown us to dynamically Domains must name c and with can otherwise example, object more memory namespace management level. For example, if the T, then both type Console. files obje;t a set of names. named linking, has kernel. it A domain, An For defines be referenced dynamic safe obiect but allowimz it can interfaces. compiler SPIN the interface described semantics, program to control is identical Gate- module. In are the kernel safe. ‘The of s~mbols, or if the kernel 1: exports *) This which memory access to the domain. ; Gatekeeper; service that domains. interface. T, ~rotection program ; IntruderAlert; Figure :T; = BEGI?J sole T) domain given Domain. Modula-3 one or more EUD the implementation to linker *) The type A SPIN := Console END of respect *) BEGIN c of 2: stances T; d2 : Domain. ers. c: , aggregate . . . Console; MODULE new or o; disjoint, enabling define ones. Create contents new apA do- operation, which of a safe obiect by interfaces defined in”the from the domain, and any inifile. obinl- ported symbols correspond to domain for are left unresolved. interfaces imported which Unresolved by implementations symbols code have and within the yet been not linking. It resolves text domain, and data the cause linking, and in resolved, memory a common idiom, to occurs in the through dlers a pair The that operation Combzne are the bind union of existing together example, the public domain and of related a single domain 2 summarizes the domain or export exports interface particular and nameserver. dinate The the constant exported and ~rocedure system’s exporters on will be called the has low with the interact through many to event sys- ules handler; request, a importer, importer exporter, to when- and the 3.2 The extension model An extension vides or changes service. All another, mines but the extensions allows and ment. can and provide is base In other Extensions with ,’5’PIN facility such it PacketArrived a that model to ap- hints as page to the replace- sys- entirely replace with export stance. A event, further There of events 272 be closure allows service. can be any also passed a single to stack the dewhich The constructs in this the header to 1P ~ach of types does not event mards ill- on “ of handlers installed an on a implementation a handler handler wav, for 1P of the invocation. default handler Packet), additional its allows the processing installation, In number The to be example, is received. interface constraining dispatcher to context. may at a man- the set of 1P protocol a se~arate event. closure For field the events implementation type If then is ignored. allowing IP. each the against handler may 1 The application. terms handler to particular a packet the have activity, offer in the incoming invocation. 1P layer the default upon defines is evaluated handler PacketArrived(pkt: compares guard is raised, basis. If ala guard access to events 1P packet bv the fails. that handler’s each or ~llow provide The event implements an For ~rovided can the mod- implemen- c~n deny the a per-instance for additional installation name, module Other primary the event defines the 1. name the event, ~roce- install handler. to the the handler. the the the event, that for module module otherwise IP. handlers. p~imary to restrict that a is restricted as a procedure, the for event Figure event when whenever which a guard such may raises module, which for the as a scheduler, defined way extension the event model allowing system to a specific are fines between information may prodeter- extension monitor an extension service, appropriate in efficiency example, operations, cases, system one that while For performance extensions certain one more system, in model SPIN’s styles. a system extensible and to passively Other which communication up-to-date to guide in extension be applied. the extensions an existing new is the of interaction plications. tem software it a controlled variety way ease, transparency, an extension provides the on as a direct handler exnorts module prior than dispatched SPIN the with are used dispatcher to the dis~atcher If denied, is invoked; finer in the implementation is true The raise e~am~le, cent acts expressed Guards ularity the ~assin~ dispatcher handler calls. an For irnplem&tation predicate the procedure module shown that be associated the raiser stat’icallv remove installation. a any one implementation dispatcher The by the autho- event. the default reauest a predicate, control by module, lowed, that fine-grained procedure the ac- narneserver of the This direct restrict can register handle Openo the tation the to that or &en installer. devices, the may event implementation is the that the disp~tcher uses dynamic & Proebsting 94] to construct module Console. The 1 defines exporter with named Console coor- 94]. default is the dure which RPC Figure for An identity the its of a service. is imported. because interface, the which can use to uniquely as those procedure interface cost in importers for is used as in to that A by the In fact, and is onlv from right type. to the right procedure. SPIN, there ~aths primar~ is equivalent to optimize where call ‘ The import an in-kernel 90, Brockschmldt of the import. authorization ever interface, version such to a domain through faceName and interfaces, cess at the time rizer call its han- ensuring is also an event. similarity is defined and ~rocessor. in ~iven event. Otherwise, code generation [Engler ex- A module of the import Inter a particular Some the & Burrows Console. identify an this machinery event is preemptive, by the by an interface exploits For to are named An specified a procedur~ can be used used creates domain name within export that the exported [Schroeder name to call event to handlers. arguments the bv throug~ the same over indistinguishable operations interfaces. explicitly exports be specified tems right the having the kernel take two available commonly named an interface interface, is 1 The cannot o~timized The with receives domain an interface as procedures ser- on an event events from a for the event by the section. exported namespaces domains. can raiser. routes previous the the major that to raise interfaces. combines SpanPublic into Figure linkable domains, collections interfaces tensions. creates dispatcher are protected announces that with is invoked The of Re- operations. solve is a procedure the handler in the handler Cross- that or a request registering are defined event it does system a handler names handler only exported. handler extension as a procedure are able is a message of the installs described target symbols; be explic~ly Event reso- Resolution undefined symbols An event state event a central and During An message. domain domains speed. domain’s additional target are patched once dynamic domain, the the source. symbols at for a source from that, target as the basis symbols exported resources resolves to a target ensuring share serves unresolved symbols lution, not takes any against to operation Resolve An in the vice. found. The handlers. change during be used to specify event within module an additional processing, more than The one may constrain a handler asynchronously, order with respect Each of these constraints trust between the dler. For example, quantum cute may a handler execute thread handler to back event a procedure final result [Pardyak mimics handlers der, 4 The The scribed previous These though, manage are similar to the in conventional is straightforward to page, two. Because and then the overhead operations is low vide them as interfaces build up gregate 4.1 A the cost cialized between made it possible and complex ag- simpler interprets physical two, the two. Other performance memory through system. is responsible physical systems have improvements management interfaces Some example, unallocated to manipulate large events that mem- interfaces have such The portance as en- If page, it 91], accesses an the al- Transla- Implementors such or access Transla- abstractions et al. that to the then is raised. events of can as demand 87], distributed concurrent use pag- shared garbage col- & Li 91]. page memory interface than between conditions. . address. services, service the may by raising allows an alternative ultimately attempts [Rashid physical physical menlvirtual processor’s of program management et al. the re- both the a set is raised. define [Carter [Appel volunteer vice to copy-on-write The event. policies objects, these address mappings MMU event memory to into raises virtual PageNotPresent level claim event a length, the ph~sical exceptional memorv unmapped capability’s is used to ex~ress and ca- (MMU). a user virtual but higher spe- if BadAddress lection demon- from various the makes mappings service to an memory the and by the exposed of these for addresses, translation for allocates address, that clients a capability references unit directly Instead, service constructs the management For ing, installs a unit purposes, addressed addresses addresses, and most where servace service This that such represents receive identifier ory. located, ab- space with parameters be a virtual virtual tion, ones, of Clients of attributes program. addresses, decon- memory for address between The com- not service translation correspond to may vtrtual virtual The is not, memory pages. page It a user composed ab- serwce physical A physical The an address address specific and these interface, of physical machine address for physical for or trans- memorv of the series entity memory. virtual service to request storage. physical with an optional an extension is The lati~nship to pro- systems to the speed memory management system addresses, “tuned” management access memory significant or more or contiguity. high and the direct operating as color the of these it is feasible preferences and interact components allocation and by processors, addresses, level a separate event of tion. management are accessible a abstractions, into of repeated page, between each through traditional it high. of virtual mappings strated call), abstractions Extensible memory a mapping use and size uniaue. SPIN virtual the Allocate and simple In the raise referent found provide of accessing abstractions is too allocation ory level simpler stractions create to separate By contrast, because a single (a procedure higher position. they trols 3. physicorrespond spaces. basic by Figure pabilities kernel interfaces of objects. allocate the in the inter- three scribed of the be- service of the a nameable with as address is provided from resources. within internal set core interfaces the systems; a small the of communicate general, secondary over to export to extensions operating functionality physical In are exported processor events and extensions, operations. that and and such exported higher system’s decomposes These services to define the components: virtual re- system services. translation. addresses, system reflect concerned a set services by interface resources Application-specific a certain ker- memory lations. Each for the as memory provides memory use within and con- resources protection basic from memory is enabled three physical or- a framework ultimately such SPIN which system fine-grained faces are Consequently, the provide services resources services, tween section basic memory management [Romer entirely fine-grained virtual and into naming, stractions, de- and namely three executed. mechanisms services to the executes handler extension between Applications, that be the dis- and control, memory SPIN virtual pages 94], for fast, SPIN’s invocation cal storage, the in undefined of the final and manipulating services By default, semantics, The with determines such memory services interfaces processor. can and as cache et al. allowed physical low-overhead the have such [Bala by applications. provides A handlers result the objects, entries None over quired to exe- associating to completion, the result in the 94]. call it multiple ultimately trol han- isolating a single of long. small 94] or TLB the kernel. by a time causes by event. the too raiser, raiser & Bershad protection managing with the that core SP1iV nel. an event, synchronously, and returns which When procedure and bounded the over relatively et al. degree if it executes from to each patcher maybe latency. in response communicated a different implementation it is aborted or arbitrary for the same reflects be asynchronous, from synchronously or in some handlers default in a separate raiser execute time, to other so that handler to in bounded the handler page, candidate invalidates at any time the Ph ysAddr, which page. for may The any mappings do not define this re- R,eclazm event to be of less imtranslation ser- to a reclaimed tire address spaces [Young et al. 87, Khalidi & Nelson 93], or to direct expensive operations, for example page- page. out [Harty & Cheriton 91, McNamee & Armstrong 90], entirely from user level. Others have enabled control model directly, but can be used to implement a range of models using a variety of optimization techniques. The 273 SPIN core services an address space INTERFACE PhysAddr; INTERFACE IMPORT TYPE T <: REFANY; (* PhysAddr Allocate (size: .T is opaque (* Allocate some attributes. Size; physical attrib: memory Attrib) with : Deallocate PROCEDURE Reclaim (p: T) T <: REFAHY; particular PROCEDURE Createo PROCEDURE Destroy (* or Create Request may to handle T) a this alternative END (candidate: reclaim : : to T page. Clients (* <: (* PROCEDURE Allocate (size: PROCEDURE Deallocate example, we UNIX exports For 3: have address and for T) built Add [V with is opaque attrib: *) Attrib) : address from Another management et al. into ,P] the the specified (. A few (* illegal and the system’s physical BadAddress PROCEDURE Protect allocation a memory task may own [Cooper with interfaces use these addresses, virtual : T; v: Virt Addr. T) ; T; Protection ; *) (v: (v: T) thread T) ; ; (v: T) ; and translations. the threads. those and because SPIN and et al. user-level it is not et al. which are an systems Cooper Draves performance is unable 88] have integrated strand can provide that executes high 93]. its within not define semantics multi- an applica- and to the processor define a thread the to impleand thread underlying other that are packages. for an This structure raised or handled A scheduler multi- resources among strands. A strand is similar operating systems in traditional context. has no minimal An rests. model on which processing called processor structure model a set of events Unlike kernel application-specific of the com- in that a thread or requisite an implementation the to signal ser- application scheduler raised aci!~- et al. does and Together, kernel [Davis allow though, state thread strand to it re- other package interface for its thread package and the scheduler implement the control flow mechanisms for user-space conthis interface. The interface texts. Figure 4 describes contains two events, Block and Unblockj that can be contrast, scheduler with the kernel, have overhead scheduler across threads. disk with by a name. be- In thread of a thread some defines a processor packages close does contexts, own User- anomalous it the than 92], but only partially. C-Threads implemencan arbitrary semantics SPIN a strand have addressed this & Draves 88, Marsh well-integrated 92]. that to deliver. these execution The services. flects can application’s of the Together to define is defined concur- the constructs. multiplexing by schedulers pro- defines synchronization implementation in- though, package and a thread for scheduling, addresses, Although of the system Applications, system & [Anderson package *) during ionFault applications, abstrac- in terms management of functionality communication In ; context Translation. kernel management thread et al. 91, Anderson For example, Mach’s vations, .T; *) PageEotPresent ment ad- defines Mach’s their synchronization. levels havior raised PROCEDURE tion a context memory Applications level thread management mismatch [Wulf et al. 81, vices VirtAddr Protection) context: .T) translations plexes management tation *) translation ext: Addr PROCEDURE ple one. allocates This and extension thread applications require Virt events controls services. operating thread : protection. ExamineHapping( model address within extension virtual define Extensible rency, v: prot named PROCEDURE peting vides T; RemoveHapping(cont The imple- applications. service. with physical that for memory supporting may managing an existing the from 87]. for extension copying kernel or they lower-level in interface [Young an translation obtained resources interfaces space, the dress services. An context : T; PhysAddr. PROCEDURE EIiD additional filled 4.2 ; addressing T; ; semantics for is subsequently tion .T Size; The space allocating new context terfaces, VirtAddr (v: an interface each *) VirtAddr. Figure new opaque *) VirtAddr; REFANY; EED space, is PhysAddr. TYPE It : T) an AddMapping(context p: nominate candidates. INTERFACE For T T; (context v : ments Translation. destroy T; candidate event (* ; PROCEDURE (* Addr; T; *) PROCEDURE ion; Virt *) TYPE PROCEDURE Translat PhysAddr, driver during dler can unblock 1/0 operation. uler can own thread aging the kernel. allowing 274 the changes can direct an 1/0 operation, a strand with using the package execution to block and to signal In response communicate strand in a strand’s a scheduler state. the an interrupt the completion to these events, the thread Checkpoint and to save and restore the package Resume execution A current hanof the schedmanevents, state. ments a round-robin, We INTERFACE have kernel Strand; T <: REFAEY PROCEDURE Block(s (* to Signal ; (* Strand. :T) a T is opaque *) not runnable. The that s is from Unblock (* to Signal (s: a T) scheduler PROCEDURE Checkpoint (* Signal that should save that (s: s is T) s is runnable. *) interface us to incorporate rectly into rescheduled processor and state rescheduling. that required it for *) the our interface a trusted thread Modula-3 PROCEDURE Resume (* that Signal T) is it should that a (s: s prior to placed on any Checkpoint a processor state saved 4.3 processor scheduling the events kernel. install affecting handlers on This control A flow events, trusted possess not that of can install are handlers be and strands for that terface specification. vices access must step behalf of pro- ensure which of control of the ity for nel belongs user mode the global cessor mode, thread allocation global to relinquish the global of the using scheduler uler can schedule nals that the its Mach the C- kernel, implements the services a Because resources, and of the scheduler package. that strands, while new by the ser- and protection on the and section proper are by the extension could not management services applications that at times enforced mediate and trusted ac- extensions by the SPIN extension an interface (and correctly any others threads. to respect, or at implied by the only the be affected. no more deliv- in the least this runtime are in order the handler’s not interfere this by to start or best in- with, is not package example, handled may the enforced. ignore the thread is runnable, using thread package the than libraries For user-level way, catastrophic that event, thread application In is in the it). packages it a particular to on events thread Although that rely raises application-specific but is isolated that scheduler SPIN event itself the failure the failure found will of an extension of code in conventional is executing systems. sched- Checkpoint reclaimed in- the use An top Resume The the services their services, failure to semantics Drocessor. pres~nts the to because facilities trusted of trusted In designing the interfaces for SPIN’s we have worked to ensure that an extension’s stop Additional Checkpoint control is being trust according previous rely instances interfaces to hardwhich are trusted, model the in the as they application-specific proon trust, hardware. the blocked placed are two is required protection described safely, terests be perform cess to physical itself behalf. primary strands. indicates its own processor and the the as a thread event on kernel, can or receive Resume kerfrom is resumed. is, an ap~lication-specific to the the transfers kernel between scheduler out- checkpointed the schedulers events erv is implements policy of the That it leaves scheduler application-specific the kernel. responsibil- within a thread in thread application-specific -A As executes Modula-3 the services hardware the Without function do manipulate executing reasons, synchronization kernel. kernel thread only threads safety and the to Modula-3 As For scheduling to packages for application kernel. di- 91]. trusted Trust underlying mechanisms that they must side for must outside language. of the thread they within a capability. Application-specific the flow scheduler [Nelson and memory means packages scheduler operations, on on and the raised thread raised package these describes and which thread implementations do interface schedulers these strands. default extensions not Interface. Application-specific particular vide Strand uses Within core services, which provide mechanisms. The core services ware The and Implications SPIN’s 4: which interface threads drivers *) Strand. Figure 1 kernel implementation concurrency. package thread di- of others. and during The El?D server, for built top device C-Threads C- ; being reestablish call UNIX Threads OSF/ 93], threads. are on vendor’s The [Dig interfaces DEC as inter- Modula-3 layered the kernel. threads and these not supporting allows supports ; being any subsequent ; of and implement management kernel 88], policy. to of thread OSF/1 strands priority interface & Draves implementations The PROCEDURE DEC [Cooper rectly .) strand a variety including Threads ; scheduler preemptive, the extensions faces TYPE used sigglobal 5 System performance scheduler. The Block scheduled by the and Unblock disp~tch~r mentation. This implemented and allows new integrated it cannot cation, its current into global be replaced replacement implementation, can on strands In this are routed to compose scheduling scheduling policy the raised schedulers. a~propriate replaceable, and when to the that an application-specific lVhile the global policy. the events, by a~~lication-s~ecific the policies ~ernel, does not the global services be that performance we show system that services SPIN in order enables applications to define perform well. Specifically, of SPIN from four new kernel we evaluate the perspectives: provided is System sue. The size of the system of code and object size demonstrates runtime appli- effects. scheduler . with policy by an arbitrary global to conflict scheduling have imple- section In ating imple- services system the size of the 275 do not kernel necessarily of excessive system’s extensions in terms of lines that advanced create size. In shows an operaddition, that they can be implemented with reasonable amounts more of mundane bles, code. etc. ) kernel. Micro ● bench tem such services, thread SPIN’S protected The system and cross-address have overheads memory, architecture ventional also mechanisms, such con- SCSI with low cliffs that con- show protected Measurements protocols of a suite demonstrate that architecture enables the performance network protocols. End-to-end performance. end-to-end application unit call, hardware in con- that use system the by of we new can without system at 74 SPECint a 512KB 300 disk-drive, card and only & two our machine Each We systems running on tend to scale sons [Anderson 1: and a pair for operating runs stations. sys, a variety 91]. All systems Ethernet inter- agement, adapter The of hosts The system rt, component, ery, domains, ory and section, of svstem while us to track file DEC increas- the vendor’s we port to each ,$PIN salj of five counter, core, scheduling as well as device file implements services Alpha management, system, and classes memory management component, the Modula-3 libraries and handles 23.4 37690 57.4 411065 50.7 227259 50.8 65652 100 810550 100 447274 100 shows the and The the size rt column DEC of different components components contain labeled SRC of the “lines” Modula-3 reveal the a protected does compiler, overhead procedure memory. They and the interfaces not include release measured with averaxe 3..5. define the manbounds a framework internal number op~imistic for presented Alpha’s of a large system thread Times the be overly et al. of basic call, ~rovide operations. in cycle of iterations, regarding cache 92a]. and operating extensions first system enables calls The second and services that to amortize cost two cross-address kernel either not space between part of these of calls. to inappli- the kernel. mechanisms system’s is the extensibility. frequent interaction, from coarse-grained of communication ser- protected services interaction are in a conventional the applications, using and enables of using factor and applications cations overhead system, communicate High overhead discourages ing that a system be built mem- [Re- and exception and Y 5.; communication limiting over requirinterfaces large operations. previous debugger kb, includes I 20.0 [Bershad for SPIN’S extension model protected communication. automatic fourth \ 22397 89586 teract. The component The first a disk-based a network I 104738 a conventional The work- virtual in 5.; 21.8 therefore Protected components, the I mode. different described 42182 size rea- sys, implements the extensibility machinnaming, linking, and dispatching. The component, 2.:1 Data bytes Y/ 21.0 are the may effects are taken main support I 176171 larger mechanisms: that size bytes 170380 virtual section, and as benchmarks on DEC Text Y] performance rather than tion between standard the 21.7 use and this of architectural kernel size [ core such deliver operating in single-user We rt, contains a version of dell 88]. The third component, the DEC SRC hlodula-3 runtime system that supports The approach, that dozen from 16.5 extensions. understanding vices consists and lib network-based ing. a few files “get 22 from 14216 table sys, FORE [Brustoloni with of service. Table 1 shows the size of each in source lines, object bytes, and percentages. second block 10866 Microbenchmarks functions, measurements run of components as a standalone core, entry,” “read Microbenchmarks C2247- maximally hardware 5.2 are 64 MBs ATM comparisons different et al. System SPIN table offering is a DEC which switch. can to an HP 155 Mb/see between avoid poorly Lance This The visible In 5.1 This allows a low- MMU, is a on has cache, ASX-200 1/0 which measurements external Source ke’rne( comments. SPIN 3.0 which 92. TCA-1OO on three V2.1 Mach workstations, to a FORE 93]. the OSF/1 and a 10 Mb/see 53 Mb/see Bershad while the of the requiring 1646 Total appli- platform: 3000/400 use programmed about implements and ta- system Ed4klLu that benefit of operations DEC unified a FORE connected cards sal, sai by applying tree. hash configuration. S’vs Table on the same system, AXP memory, lGB source operating and subset hnes extensions. JVe collected 133 MHz face, run 1995), operating microkernel. rated that August monolithic Alpha We build queues, any a page console,” a small Component high- show describing performance systems of as “install the extension implementation performance architecture compare (VO.4 O.” kernel system. We from drivers ing the size of the kernel, of network- SPIN’S Finally, SPINS cations operating component, to device against OSF/1 call procedure to those final (lists, by systems. Networking. from us to structures required such a character as a system are comparable The interface that services space level functionality show enables measurements that sys- communication, and virtual extension ventional ● of low-level communication-intensive overhead. ing as management struct ● Measurements m arks. data generally process- system calls, can be used for communicaextensions and the core system. Similarly, simple procedure calls, a subset of the cedure calls, be many of the applications 276 offers a third mechanism Simple procedure calls, can and other rather used for services than cross-address communication installed into pro- between the kernel. In Table ferent voking 2 we compare protected the “null The and SPIN. and returns trol transfer. that this test null the in-kernel as a procedure call not System measure the trap call system and handler through dispatcher, call (written in raises patched to a Modula-3 The third OSF/1 line SUN to cross-domain control between calls with Modula-3 thread ent for systems. mes- procedure uses system kernel the kernel and to trans- and in-kernel System na call na .13 7 5 call Cross-address s~ace 845 call signals the the communication Protected OSF/1 nor Mach in-l<ernel protected munication. The table illustrates two points about structure. First, the overhead be that com~unication for in extensions in in-kernel Mach, ~amely to te~sible the an does communication kernel performance and SPIN’S the ‘to execute arbitrary not preclude OSF/ code SPIN’s the other mechanisms time then for a the first the second and Mach, program table kernel that calls. thread exports The and is integrated rest of extensible a performance ones, the when The C-Threads version with when as inter- uses the The SPIN’S scheduling table shows does compared integrated sec- is structured implementation penalty even ” the kernel. thread first extensions interface. latter of for The is implemented “integrated, interface, SPIN’s ” super- SPIN. on a set of kernel labeled system C-Threads measurements on “layered, layered Mach’s the using shows with we measure a C-Threads of C-Threads labeled and locks user-level, with not, to non- kernel services. in exDEC user SPIN Mach OSF/1 lernel performance encourages. blocks, P-Threads, 1. The extension using extensible and reflects the one another; At same and library the ‘use of tradi- having of the SPIN, implement incur func- OSF/1 Second. that space. same in DEC call. mechanisms kernel user kernel user layered Operation Fork-Join Ping-POng mtegrat e{ 198 1230 101 338 22 262 111 21 264 71 115 17 159 85 the use extensions. in-kernel servative. provide call measures and in SPIN). implementations behavior to that in non-extensible svstems. However. between the performance”of a protected in: call and of in-kernel address calls ability of procjdure synchronizing Ping-Pong OSF/1 strand of ~rotected kernel’s space a~nlicat,ion’s architect~~e comparable the disparity the calls as cross-address remonse tional can executing protected SPIN’s tionality which ,SPIN communication create, in DEC variables as a kernel svstem differ- to thread.wakeup face and the time blocks. ond implementation, com- management thread overheads using the naand by each kernel ( thread.sleep that in microseconds. overhead support concurrent kernel provided a user-level Table 2: Neither DE(2 level, granular- JVe measure tive primitives implementation, 89 to im- user using thread, with second and the thread. and thread first threads a new simals two 4 104 the of thread another to synchronize set, on DEC SPIN terminate p“air of threads condition Mach kernel determines measures overhead, using in the At user Fork-Join synchronization us- the exten- operations. overhead and with the Protected the kernel the termination call As are im- exporting can be used to control schedule, DEC threads package executing overhead threads services. Application-specific concurrent call. space OSF/1 own to perform an optimized that thread interface. 3 shows on Mach DEC pro- operations. operations dis- a trusted which Table trap spaces. Operation of the concurrency kernel in-kernel SPIN’s management user-level as a handler. of the within semantics the system’s implement underlying on threads their ity. with sys- using mentioned. also rely thread from is procedure out sions packages operations plement re- requested time extension address ~lemente~ ref- kernel’s provides and ar- by fixed, communication in procedure fer control the cross-address as an transfer large flow procedure space space is implemented calls shows Mach SPIN’S mreviouslv which installed space RPC. cross-address 94]. the management overhead and the event procedure the change management Thread do- to cross calls but Thread control time to SPIN, cross-address and sages [Draves call In table the there ,Syst em Call in the supports for C). Trap. cross-address ing sockets path a two a procedure a generic, from not model. Although even 1, system to and handler a protected, OSF/ affect therefore SPIN be passed reflects do not and will tection of conin the domains, execute DEC call between can optimizations language “ cost linked. they overhead These ilif- no ar~uments the transfer, between because call only data boundary, In Mach tem reflects dynamically arguments user-kernel turn. takes protected is small erence. call The does of passing .~rocedure been of the mechanisms when inon DEC OSF/1, Mach, it have guments, performance no results; is implemented mains the communication procedure call” Our protected Modula-3 an intermodule intramodule call. compiler corrects piler does tant optimization not procedure compiler call is roughly A more recent this disparity. perform when inlining, calling call time generates twice is code as slow Table con- 3: overhead in microseconds for Virtual which Applications can be an imporsmall management as an version of the Modula-3 In addition, our commany Thread to extend procedures. 277 memory can exploit system services the virtual [Appel memory & Li 91]. fault path For example, concurrent write and faults generational to information. has been There dling each the [Thekkath are two sources a user user/kernel ventional faces that can perform face’s functionality applications sions to to plement must for pay 4 shows the virtual memory et 95]. The time for table measures status nor the of a particular Mach table provide is for svstem: this an additional is required to measures the latency when a handler of the access from It measures cation, enable resume to the the increase the and Prot100 and access decrease Mach’s o~eration l~zily evalua\e traps and the the fault in the handler. fault (Appe12 access faces described time define the in the the First, and the trast, DEC! OSF/ signal and memory, nal and pager plementations, SPIN’s Mach interface nor external tionality 1 requires mprotect pagers, requires [Young though, as the [Thekkath dominance focus & Levy is that that that and 87]. use 94]. each virtual / 382 819 39 351 608 29 second structure of the user stack. Each protocol for packets extension the The on a specific implements et a server by splicing and the al. the a di- network to forwarding profor the HTTP Transport within quickly Proto- the to HTTP stack and the support extension Finally, a re[von provides TCP/IP protocol it for messages extensions directly to respond together copy transport HyperText 94] or extensions, Forward port. by can pro- A.M. the TCP “pulled” graph active from “pushed” kernel, and are except placed is extension and UDP/IP [Berners-Lee the and packets UDP which 89] and of the network video protocols.2 arriving events R,PC package video transparent by within The The stacks, packet at the top implement and 5 il- to be dynamically graph The imple- Figure et al. incoming entirely to Ethernet 96]. protocol code handlers call for [Hutchinson permits 92]. stacks & Bershad z-kernel’s message architecture protocol [Fiuczynski Internet vides in extension SPIN’S The path enabling kernel, requests the local file system. uses pro- Latency Table width han- Bandwidth the volves signals im- a trap where it has 2W. currently func- reason the round trip latency and reliable bandtwo applications using UDP/IP on DEC and several copy for extension, event, C, 278 is safe. and low-latency use manually the access DEC assert to both OSF/1 that the application packet sent in- operations moves across the user/kernel boundary. application code executes as an extension exter- efficient 5 shows between For DEC OSF/1, OSF/1 and SPIN. code executes at user level, and each virtual the memory and inter- use is generalized The 213 Appe12 et al. page). install Neither have especially of each I 1792 I system to manage they et al. 1041 16 Appell procedure the virtual calls applications interfaces 7 106 214 example, rect Protecf~onFault events that occur dlers for Translation. within the application’s virtual address space. In con- UNIX 185 4.5 302 the col memory section, 2 29 1016 the in the SPIN The physical previous UnprOt100 framebuffer. 100 fault application-specific management. virtual I PrOt100 the Eicken resolve to protect on to 260 PrO~l to the mote of page cost per memory to paxe, -. another reasons. Trap to an application. for the benchmark Appell average two 415 SPIN out access as re- systems extensions vide the other for 329 handlers. does not as the benchmarks virtual since is shown memory Fault networks cess the a combination resolving na used through of 100 pages. one, the for the and time increase extension protect SPIN Mach OSF/1 na ATM within Similarly, to protection enables measures outperforms calls page. a range The DEC a set of network lustrates appli- the time measure and time a handler, measures on each SPIN kernel to in on a protected handler, Appe12 and handler the to fault Tra~ and the fault within SPIN’S changes. time level, have that Iazilv: DEC events or messages. Dirty ment thread. than ~ut We time) of the faultin~ the call. these Networking similar over request, 5.3 in the latency is faster and “Appe12 protection measures pages, the Appell Li memory call user of a single traps ker- 4: perceived measure is ~erformed quested. from page protection unprotection shown ,“ a page procedure communicate expensive the application Virtual memory operation overheads in microseconds. DEC OSF/1 nor Mach provide an interface for querying the internal state of a page frame. OSF/1 virtual [svstem Protl protection the time the is the thread. lJnm-of100 . Dirty a page fault to the & the Fault the Neither to query to refl~ct faulting [Appel Neither the standpoint time Table commonly DEC between executes. im- page. service I extenand an application The to is required. labeled to invoke the a allows SPIN several 4 microseconds invoke As the facility. an extension protected though, Operation inter- in virtual between is reflected in-kernel Mach, of more con- of the benchmarks line of interactions han- handling that a fast and inter- crossings to execute 91, al. fault a series application, crossing at once. of it. functionality referenced Engler all the by means et al. exception boundary time OSF’/l First, a subset specialized the through Second, functions only user/kernel precisely Table many requires and fault-based requires general requiring define avoid quite nel a page fault overhead. times, which use reference 94, Anderson several provide applications with application boundary systems result, of this can collect of handling & Levy fault in or problem the overhead in an application collectors invariants A longstanding strategies 91]. garbage maintain the TCP code, as the data the For SPIN, in the kernel, the engine which device as a is written and SPIN in 100pecs ATM on ATM. Mb/see and Protocol , .———, -.1—-.. extension SPIN’s functionality 1———, ventional systems. kernel defined by warding Lance device driver Fore I device driver Figure ~: This figure shows a protocol stack that routes incoming network packets to application-specific endpoints within the kernel. Ovals represent events raised to route control to handlers, which are represented by boxes. Handlers implement the protocol corresponding to their label. an application which for OSF/ 1 with incoming be generated col stack For scheduled each protocol kernel We do not as the for system in thre,ad the outside neither by a path OSF/ col’s 5. to the the Mach, our hosts. it is twice ATM card. and Latency DEc sPmJ DNC copied reveals 1 OSF/ 789 565 8.9 8.9 ATM 631 421 27.9 33 protocol The table the compared user latency which is roughly device driver nor [Thekkath the ATM 41 Mb/sec. using FORE on both not driver 93], and for the throughput. between We estimate the at roughly a pair minimum 250#secs user-level de- between forwarder, the protocol user/kernel each stack where boundary. Ta- implementations, work by done the user-level UDP SPIN L)k!x Osk sPiTJ- ‘/1 Ethernet 2080 1420 1607 1344 ATM 1730 1067 1389 1024 to route 16 Table in 6: packets Round trip latency in microseconds through a protocol forwarder. 5.4 End-to-end We have systems. for both Lance DEC the that system of the b.vte performance for of hosts the local third different round trip on Ethernet that that transforming of to directly in Figure and 279 sends registers a list incoming time system event, second to several as three file another la- Ether- rises implemented applications that, exploit extensibility. One is a networked video system consists of a server and a client viewer. The server is structured Ethernet Lance Using SPIN’s achieve a round-trip latency of 337 and 241 psecs on ATM, while reli- bandwidth start, possibly to be latency are optimized only proto- slow when are handled drivers Neither ATM & Levy is optimized our hardware tends device driver. device drivers we psecs on Ethernet able same vendor packets control, violated. the entirely latency to isolate differences due to those due to the characteristics SPIN from tency driver the same packets round-trip Throughput, OSF/1 and architecture net processing reduce in which We use the underlying that can to a system space. sensitive, shows kernel with TCP in microseconds and receive bandwidth in Mb/sec. We measure latency using small packets [16 bytes), and bandwidth using large packets (1 500 for Ethernet and 8132 for ATM). within connection are sPIm Ethernet 5: Network As se- for the two additional L)kic osF/ 1 Table end-to-end through 1 pack- layer. of connections on the the OSF/ end-to-end size negotiation, the latency the DEC semantics performance DEC together transport congestion across using forwarder. Bandwidth OSF /1 TCP, pro- packets control also interferes two trips ble 6 compares The the the splices a protocol’s of and ser- a secondary protocol above Moreover, makes to socket. window the overall packet Ethernet 1, nor supports detection, A for- into service that to forward intermediary otherwise control number termination for and process case and con- balance a node a similar maintain the algorithms grading handler. for In failure a separately of the interrupt executes cannot A user-level proto- in Figure measurements provides DEC shown it it have extension. data port outgoing able establishment of events UDP/IP is done networking than a series 1P, UDP) processing present efficient causes layer (Ethernet/ATM, SPIN; more packet and is not because a result all implemented incoming forwarder in redirection to load installs redirects a user-level provide servers. a particular We have ets 9 be straightforwardly be used multiple to TCP as a SPIN also stack mantics. Each across used 95] that can an application host. an and are roughly available some et al. modifications can be generally example, SPIN destined ~ I For protocol requests In Ethernet of hosts can not [Balakrishnan required to architecture protocol tocol usable a pair 53 Mb/see. ~ICMP vice maximum between forwarding protocols data. The bandwidths video to the 5. the video itself The client. frame out single server On packets, extensions, video frames over the send into transmits client. using that the on the an decompresses buffer one from uses disk, the network, as a handler the clients. each kernel to read the and a SendPacket a multicast, 30 frames extension and writes structure to ~er aw;its them shown Because eachoutgoingpacket protocol graph stream, SPIN’S clients than To show tion only server this, a server that clients using the processor on OSF/1. DEC user sockets; space and is pushed into the device stack utilization idle by thread driver. the executes of a conventional buffering as a func- policy. In contrast, on top of the file DEC OSF/1 with avoid the into server implements on file type: is copied kernel’s protocol determine processor of a low-priority server. side latency server when the tem server’s though the stack, majority by network face that server’s DEC client one word when At that can send driver both SPIN the network, but the processor. support more clients on a slower using DMA. operating DEC OSF/1 half an event, of can as many SPIN I I I , .’ DEC OSF/1 Driver — T3 Driver --- ,.’ ,’ ,, .’ ,’ .’ .’ dler, an event the when there event, the .“ the I I I I I I I 2 4 6 8 10 12 14 Number of Clienfs Another application architecture is quickly, a web objects, not accessed a that web server cache as a function the and number the with the the event. large [Chankhunthod can should et of the number al. 3 that 95], recently are and system’s about 8 file. number we measure when 50 additional arrival to Presently, 585 psecs register but inter- all 50 guards evaluate we to true, perform as evaluating 94] or representing As the system no common guard matures, we optimizations. automatic extensible on latency, system storage cannot management depend on the correctness of unprivileged clients for its memory integrity. As previously mentioned, memory management schemes that allow extensions unsafe because SPIN’s requests accessed infrequently avoid these is linear installed handlers 50 guards et al. invoked. Ethernet all trees. guards, dispatch handlers such latency of the packet an if true, ultimately psecs. [Yuhara on and, rises to about and UDP When as decision of guard trip as in event dispatcher and at 565 psecs, 637 role installed complexity round optimizations to apply the call such a particular active handlers guards cases, for pair of an event of some to false. other Consequently, example, As han- as a, procedure In evaluates of guards For is critical. registered and to han- is effectively synchronous a more of event raisers system dispatcher guard/handler overhead which An of client Mb/sec. benefit from To service cache objects sys- web server cached a single handlers number the rises of handler. handler. on the Impact approximately server, Oth- file takes event in the takes each depends plan requires same is implemented dispatcher predicates stream web cache. operating for of the dispatcher subexpressions ,“ Each the matches to the are many guard-specific ,, 5’erver utilization server’s user-level the large client- a SPIN a non-caching on based for The to buffering) case raise For latency ,, streams. the procedure the raiser evaluate ,’ ,, video policy dispatcher latency in est in the ., I the In practice, ,’ T3 web is 5 milliseconds double dispatcher from invokes I relies the every mentioned, saturate or Since event, SPIN and delivery. I is in request and SPIN infrequently. through (no cache A no-cache extension cache buffering. issues event SPIN’s processor. 1’ per Other dlers. We as much to DEC OSF/1, a faster network, I that own its caching and A comparable system its control transaction file goes the file. Scalability systems. OSF/1 only files, double caching of supported net- and hybrid HTTP server file 5.5 the a Dig- 45 Mb/see own small an the double buffering. its on top the controls both as a kernel milliseconds proces- with consumes SPIN Compared clients on than is an experimental in both DEC to double avoids from for requested to find that suffers 81]. is built to control to be accessed of the system a server of but inter- server is configured “T3” to tend the caching the SPIN less slowly 6 shows the server clevice 15 streams, that on are data a network of the number The same copies we find grows protocol is unable LRU running erwise, Al- resources that Using Figure adapter. interface use the utilization in the CPU 1/0 as a function of clients. less work server’s though, server’s. streams number at a time. DMA, processor T3PKT work does programmed supports OSF/1 a given of the the sor utilization ital for server SPIN the consumed the processor file but a server [Stonebraker cache caching problem which agents itself system’s allows files SPIN Using the FORE interface, we find that both and DEC OSF/ 1 consume roughly the same fraction of not problem, SPIN caching does communicates progress on the of other that and for the We with A server server packet through measuring that number in isolation. The each outgoing kernel buffering client packet SPIN and the per utilization for the in through once a larger each of clients runs executes not support processes we measure server and can one that of the number is pushed once, double by retaining a reference trace-based, lmostly-copying, 88] to safely m 280 to return objects to the system heap are a rogue client can violate the type system reclaim to a freed memory garbage object, SPIN collector resources. The uses a [Bartlett collector serves as a safety sures that through tion, net inaction Clients or that as a result allocate frequent effects. In practice, ments presented in this collector during out garbage collection, their pattern. same reason plied during Our memory were an efficient operating avoid having with- or the the on that issue with which of extensions its Table 7 shows an amount For are conceptually a dozen) not a few Mach, because circuitous routes tionality. stylized of performance, although we of our ways. As trouble few domain and a result, a particular for pager interested in for and few days features. we has that been the stand than those 7 Conclusions of func- portions The discovering write operating SPIN sible to achieve without Text NULL namic 656 127 1344 1568 CThreads 219 2480 1792 305 2304 3488 263 5712 1472 744 1900s 13088 OSF/1 VM threads workload 1P In tem 5712 4176 Forward 187 4592 2080 UDP Forward 138 4.592 2144 can Video Client 95 2736 1952 time Video Serve 304 9228 3312 and size of some different for at the system written to under- that system extending it is pos- granularity as Co-location, domains to sys- provides services, services. builders language language tures, 392 TCP the kernel easier The protection mechanisms ing .hown more in an extensible extensions and 9840 table logical allow accessed past, policies 16704 This its experience in C. safety. a programming 23968 69040 described and programming .5077 7: with our demonstrates of extensible binding the the 1046 extensions the and and dy- be dynamically of a procedure call. UDP T and mechanisms set modularity, call defined T(7P HTTP SPIN robust performance compromising as a core enforced bytes 96 19 sysca// ~ IPC DEC Table size bytes system good a set of efficient size less to learn of Modula-3, of the written of pro- it takes instance, in user space, well lines In terms that proficient more lan- nothing OSF/1 tem Source found anecdotal, portions that size or execution found semantics become and another C programmer Although are much the language: using code the evidence and large, section. we have both im- faults. Component language’s to ser- language for we have previous obvious advanced the about be effective a competent more in Modula-3 to follow level interface, a complete DEC forced a day another imple- relatively correctly on sometimes pager extensions, syntax to be exceptionally more achieve only the benchmarks we were external were use than not effectiveness, Modula-3. of our on we found prejudices guage. grammer by than Early could the semantics, etc. ), we found definition in it are slow in the considered them. C programmers about we to use Modula-3 our two main as shown the important extensions. In terms design that addressed written functional- simple import extensions us to implement protect to IPC have de- to require their and also and we had to Mach’s required syscall tend fairly extensions tend with and building In contrast, plementing of the extensions interfaces, in found difficult. Null Extensions system have the simple, mentations. event of some SPIN commensurate example, (about size section. of code ity. or the in this more the dif- language of C (type that programs remarkable scribed was of C. As we faced naming, satisfactorily build a language performance version we decided and time, care. to using issue we implemented to abandon Size some infeasible in any management, we understood interfaces was and major of a safe already vice that it without arise each storage system with proceeded, typically context Ultimately, path. that system semantics For Moreover, to be ap- certain syntax, redesign. in the is relatively likely Modula-3 was made of our safe subset issues objects, expected and for is less pressure is least ficult imple- some the the design we disable as well there allo- is avoided allocation pressure a critical grammers, might systems for do this can to use hIodula-3 than subsystems optimized with we had intended to define and implement a for a safe subset of C. All of us, being C pro- global allocation Instead, services the in decision adverse when Even Experiences Originally, compiler of the measure- change a consequence, and none tests. allocators As of memory with generalized (dynamic collector, amounts section latency. SPIN expensive). the 6 termina- and its extensions the high own en- either of premature For example, the usage and extension, is less of a problem SPIN paths. of its an collections this because on fast ment large garbage cation extensions, by reclaimed. trigger be expected untrusted released are eventually because for resources we more s.wtem that operating rely on to performance pha workstation described 281 into with heavily services construct in this have translate believe systems and in relied on operating machine the system compiler only sys- code. Us- appropriate fea- implementors language which run- structure are complementary. Additional information available at http://www-spzn. in this paper. to running paper. about the SPIN CS.Washington. SPIN and the HTTP project is edu, an Alextension Acknowledgements [Bershad et In Many people David Dion system’s have has Alec DE(2 Lamarca, on DEC Levy, and drafts of this T3 Special with JVatson David are of our Mach. due SRC, [Bershad et al. l~oelker, and the Fifth por-t for perfor- 92b] al. 89] [Black earlier us with et al. tem the System Kernels. Symposium 136, V), 92] et al. N., and and us [Bricker et Longtiages pages et 92] on and Levy, Parallelism. & Li Appel, for (lser D., and Spring ’91 [Bala Languages 96-107, et pages al. 9-I] Soft Bala, ware side on on (OSDI), and pages April L1. F., Caching the Monterey, CA, et and al. Katz., 95] R. Wireless Balakrishnan, H. Networks. ference H., Improving E. In O?L hfobzle Proceedings Comput%n.q and Barrera, J. In Symposinrn, pages [Bartlett 88] Bartlett, Ambiguous ary 1988. et S., Ftrst Amir, CA, Compacting Technical 94] Report IPC [Chen Principles, et al. 94] H. F., Blocking and of B. the ACM, N. Practical Concurrent Objects. International Systems, pages Secretr, A. In & Distributed et E. call. 55, D., al. 90] and ACM February 13ershad, Pittsburgh, Levy, El. Transactions B. M. N., Anderson, PA, Lightweight on Computer Remote Systems, and Bershad, B, N. Low- CMU-CS-93-1 32, 1993. and Li, K. Implementation File Caching. Symposium November B., on Oper- (OSDI), pages 1994. Bennett, J. K., Performance ACM N. and of Zwaenepoel, Munin. Symposium 152–64, P., for In on Pacific Keckler, Fast Pro- Operating Grove, the Sixth ,for S. It’., and CA, Oc- Dally, Capability-Based VI), \V. J. .4ddressing. Inter-national C:onjemnce Programming (A SPLOS- al. 95] Languages pages Chankhunthod, Schwartz, Object M., on and 319–327, of A,, and Cache. University 93] of Op- San Danzig, Worrell, Technical Colorado, Chen, Operating K. A Report July J. Jose, P., Neer- Hierarchical CU-CS-766-95, 1995. and Bershad, Structure Proceedings Operating NC, B. System In on & of Systems December B. on the N. The LIemory Fourteenth Pnnc!ples, Im- System ACM pages Sym- 120–133, 1993. 1994. Non- o.f the Thir- & of Destgn 83] Distributed Workstations. on Bretton Woods, 85] In R. Migration Oriented The and of A y. on Oper- (O SD I), pages R. and Zwaenepoel. Performance the for Ninth Disk- ACM pages Sym- 129–140, 1983, Performance Architectural Systems. Mellon D. its PTznczplcs, October J. 1994. and Systems NH, Colwell, tional Implementation Kernel K. Functionalist Sympostnrn PTorcedings Operattng Duds, Kernel November Cheriton, V and USENI.Y and CA, R. System FtTst Monterey, Zwaenepoel The D. Operating o.f the posium [Colwell Cheriton, L’lodel Systems less Web. 94] Proceedings W. Luotonen, for Duda attng 1993. E., C. Implementation pages of et 179–194, ~ornput~nq May T. Lficrosoft 1994. C., Carnegie [Bershad and SuppoTt Bershad In Digi- August Proceedings on .?. High-Bandwidth USENIX Thirteenth Systems Caching Febru- World-Wide Considerations 1991. OLE Report W., First CA, Carter, October [Cheriton with Labs, R., 37(8):76–82, Conference ‘264-274, The the Support Performance. 1991. Collection Cailliau, E. J. Proceedings pact Con- Afach WRL-TR-88-2, T., Perfor- EurOpen Imple- November Research in the E., November USENIX Garbage Western Berners-Lee, Bershad, teenth Monterey, Lessons 1991. Internet over A CA[ Network Second J. for March and Systems [Cheriton al. Nielsen, 93] the LipMicro- Application-Controlled Destgn o.f the daels, 1994. Networking, Mach oj Corporation Cornmunicatzons [Bershad Fast 1–11, Roots. [Berners-Lee A J. F. t al Equipment A., S. PToceedtng~ Instde Brmtolcmi, Carter, Asheville, 91] Systems: M., at May of ceed~ngs posium mentation. Architec- Look Norway, Felten, oj 91] [Chankhunthod 1995. [Barrera New ce, Tromsoe, Implementation CA, Sym- Performance o.f the Kernel Looka- November /IP USENIX Guillemot, A K. Sys- of the of h~onterey, al. In Implementation Seshan, TCP 1992. 1992. LI., Technical P,, Systems DCS [Balakrishnan Systems October Proceedings University, Proceedings erating W. USENI.Y and Cao, Architectural Translation Destgn of Operating Other- M. Processing Ivlellon Hardware Pro- (A SPLOS- Weihl, FZ rst J. R. S~Lp- Opemting MA, In 93] Performance et [Carter In- .foT 1991. and for o,f PrimiFourth Syst~ms CA, Systems 243-253, Memory Support Ellis, .4 TchiiectrlTa[ April Gien, Brockschmidt, Bershad 94] W. of Systems, o,f the Ope.at,ng Proceedin.qs Operating Virtual Clara, Kaashoek, Prefetching In K. P~oceedings Arch~tectui-al and Santa K., Buffers. pos~um Li, In April Proceedings Proceedings and Rozier, Networking. tober and Conference IV), Computer Op- FL, and Microkernel In Operating Protocol al. [Carter Effec- Management on & ating Lazowska, Activations: User-Level Workstation In on WA, A., and Conje~en 165–177, N., A. 1994. and 1991. B. Forin, Performance. Il., and al. Compatibility. 94] In et Mach. UNIX mance et Pro- 1992. }V. gramming [Cao Fourth for (.4 SPLOS- April Scheduler the Programs. ternational Bershad, Transact~ons February 91] tives CA, E., hf. for AC!M 10(1):53–79, [Appel H. Support o.f the Support Clara, D. Boston, Seattle, Bricker, Carnegie Bershad, Systems Redell, Micr-o-A’ervzels Orr, Simple of Architecture Architectural T. M., L. 11–30, 91] [Brustoloni 123– D. al. Latency H. N., 223-233, and J., Press, A CM pages Proceedings Operating Santa Thirteenth Interaction In on Anderson, Kernel the Levy, The and 108–120, al. D., tive D. Shapiro Operating 1989. E., Design. C:on.feTence gramming E. E. and for Principles, December T. System International IV), AZ, Lazowska, of Systems Anderson, Operating [Anderson Proceedin,qs Park, 91] M., and Biscayne, Uniprocessors. Languages Black, pages kis, Rozier, P., on Key Conference pages Architecture tures, provided Management Operating Litchfield [Anderson B. In on V., Memory B. Programming Workshop experiment. infrastructure. Abrmsinmv, Virtual Workshop for International [Brockschmidt et Generic R. System 148–153, Exclusion (A SPLOS- References M. Thtr-d Bershad, Mutual kernel-based [Abrcminmv the pages Draves, Evaluate Hank on who N., 1992. Fast server B. to oj Systems, An- Nichols, Bershad, Proceedings SPIN. provided video to DEC compiler for feedback Boggs in the the system David provided we used thanks much and up Geoff 92a] Microbenchmarks erating it possible from in understanding paper. that bringing driver McNamee, OSF/1 Terri cards made SCSI project. SPIN for Sanislo OSF/1 assisted mance the Jan Dylan Wolman to responsible server. us to use the thony contributed been UNIX al. Using Technical University, Effects Complexity Report August of in FuncObject- CLI{J-CS-8.5-159, 1985. Lazowska, [Cooper Procedure 8(1):37- & Draves Threads. 199o. lon 282 88] Cooper, Technical University, June Report 1988. E. and Ilra”es, CMU-CS-88-1 C. 5-t, R. Carnegie P. C M.l- [Cooper et al. Fox 91] Cooper, Project: Technical versit [Davis et Report al. 93] 93] Davis, E. [Draves of Draves, P. The [Harty & Mellon D., Uni- Fe, The USENIX NM, Case for 94] oj tectural ing Replaceable Systems% Fourth & pages 160-164, Op Napa, of R. P. Control Technical University, Transfer Report May in Operating CMU-CS-94-142, and B,, et al. and 91] Draves, Dean, Thread R. In sium on cific Grove, & W. P., Operatzng Continuations Communication D. Fifth 78–83, Orcas Island, WA, & Proebsting 94] Engler, D. DCG: An tion System. ference guages 272, In on on Hot Topics Proceedings R. 81] Pa- [Int F. Exter- 89] et al. The 94] Engler, Operating In [Engler et tt’o al. J. 95] O. the of D. T. Code Fifteenth ACM Copper & Pasquale 94] Fall, Data tional A. In [Lazowska Genera- et 92] Felten, E. munication W. VI), pages F., and 263– O’Toole, the 159, et J. Focus & 1994 ACM Extensible 96] In Conference, [Forin et al. F., In and Jr, [Liedtke for Pasquale, o,f 1/0 System USENIX Mach No\,ember [Geschke et E. al. A CM, [Golub et 77] May Case for In Intel Fzrst IEEE and 20(8) al. 90] R. Llnix Supercomp uter Systems April and for the 1990 3.0. the In Symposium, 1996 and Winter C., LIorris, with hIesa. August An Dean, The Spring Nucleus: o,f the 1 i/!J3 163–176, J., 147–159, Cincinnati, Lucco, A.cht- M. An D., Levy, Vestal, Im- Operating Winter USENIX January H. M., S. The oj Con1993. Almes, G. T., Architecture the Etghth Principles, R., N. the Second An G. A., ACM pages Microkernel e~ June USENIX for Chang, on R. Memory 148— C. HiPEC: Caching. Sympostum on (O SDI), In Operating pages 153- 1994. Thread Management In Micro-~{ 213-221, J. and and Seattle, Com- Proceedings erne[s Improving IPC Fotmteenth ACM Principles, oj Other WA, by pages the First zng Deszgn and Systems & CA, Bershad the I{ernel April 1992, Kernel Design. Symposzum 175–188, In on OpeT- Asheville, and NC, the et on (OSDI), In Opevat page - 199, 1994. In et Marsh, E. 1993. 283 ACM pages B., N. Protocol Networking. Symposium 244–255, Scott, First-Class M., on Op- Asheville, LeBlanc, User-Level Thirteenth ACM NC, 110–121, 90] McNamee, T., Threads. Sympostum pages Armstrong the Mach User-Level the al. on Pacific Filter: Code. poszum on Austin, TX, D. Pager Replacement Mach October 87] External Page USENIX VT, work Pro- B. In and Proceed- Operating Gro\,e, Sys- CA, Octo- 1991. Packet pages Bershad, Fourteenth Principles, Principles, ton, P. the and High-Performance 1993. 91] & oj C. for oj of the date of Maeda, Systems al. [McNamee June Kougiouri.. Objects. Systems. Symposium Implementation Decomposition ings Rashid, 87–95, C~onference, Microkernel USENI.T November 93] Proceedings ber of Proceedings pages and and Continuations. High-Performance Markatos, Satterthwaite, In Fast of [Marsh CA, unzcat%ons Forin, C., Implementation S. Extending Co njeTence, Summ OH. 43.2 1993. erating B. Monterey, and Comm Hamilton, A 91– Programmer’s CA, l[SENI.Y J. o.f the Systems 94] In [Mogul ceedings iAPX Nelson, Virtual Proceedings USENI.Y of Program. USEN1.Y 93] and 1993 M. November pages Liedtke, Service 1977. Application Kougiouris the Proceedings CA, Without December Proceedings pages B. 1990. [Hamilton& pages Object-Oriented Systems Ftrst Workshop 93] tems S71 mmf T Prtncipies, ACM 1989. Diego, E. In and Liedtke, hlonterey, Application-Specific Bershad, D., New Thirteenth 1992. Elershad, 1996. an the to and Chen, oj the December Com- 171-181, D., Golub. as the San External Design 92] [Lucco January :540-553. Abbott, Systems, Application-Specific M. CA, Geschke, oj R., H., Monterey, ating Interna- 1994. pages Golub, Experiences L., 1981. C. Proceedings In-Kernel 1991. Early an OpeTating Architectures, Improving Computing MA, Mach of A. on Lazowska, Performance USENIX Systems with Diego, for 113-126, 1995. J. the Architecture A., of MzcTo- Evaluating Microprocessor Y. System. munication Proceedings Operating of Forin, i486 Fowler, Lee, Systems Architecture Proceedings San 91] 81] Proceedings European LT. on Fiuczynski, Protocol Networking. Peterson, December UNIX on 94] 164, Performance Conference, Bershad pages x-kernel: Systems AZ, Khalidi, December al. [Maeda [Fiuczynski C., in Proceedings 469-480, Eden High Programmable December Multimedia Protocols. Technology N. RPC Proceedings ht., Symposium CO, and The al. Fischer, of Management. K. Boston, Architectures, on 1990. of pages Lan- Sympostum oa 100–109, Overview Workshop Tntroductton 93] System. Con- System Proceedings Conference pages [FeIten In Nelson International Kaashoek, Playback Paths. File- 1994. Architectural USENI.Y Operating Manual, Programming the Mountain, Continuous-Media In Corporation. ference, [Liedtke [Fall G. Communi- 1981. for a Secure Operating Resource Princip/ts, & 1994. R., An Application-Level oj as September Eugler, Exokernel: the S. Park, plementation Systems, Proebsting, M. Kernel op. Popek, Layers. 1994. Proceedings rksh and February An Kemtel Corporation. Smth Kaashoek, System Machine. SIGOPS D., Clara, J. Hutchinson, on Intel [Khalidi [Lee [Engler Intel 90] Proceedings Ope Tating (A SPLOS- October Operat- 1992. O’Malley, Litchfield tectu-ce, 1995. and of the Systems CA, M. Dynamic Support Operatzng Jose, [Int Sympo- 122–136, In in May Retargettable .4rchztectural and San pages Kaashoek, of Techniques. 101, Operating A Ch4 Abstractions. o.f the Efficient, F., and Santa Implement in Thirteenth and pages [Engler to R. D. Other al. and Reference System Workshop Rashid, 1991. Engler, Operating N., PTinczples, October 95] All o.f the Systems CA, B. and Proceedings Kaashoek minate Bershad. Using Management Systems. [Engler R. Pro- Archi- 187–197, Stackable 12(1):58–89, April Symposium [Draves Heidemann, ACM, WA, Design 1994. the Proceedings et M. Mel- on Languages pages with In [Hutchinson System Carnegie In Conference Programming 94] Hildebrand, Seattle, Draves, for Physical Management. International (A SPLOS-IV), Popek Kernels CA, Fourth 92] QNX. on Application-Controlled Page-Cache Development [Hildebrand Ker- IJ’or!tsh R. 1991. cations Run-Time the April System Wrtting D. Support [Heidemann OSF/1 Harty, External Systems CA, 1993. Kernels. ceedings 3.o. Symposium, 91] Cheriton, using 1993. o,f the and Memory and Mach 1993. DEC Proceedings R., to Mach April Topics, Operat?ng Vaswani, Cheriton K. Software. Carnegie Corporation. In Workstation lon Lee, Systems Activations Third Advanced R. Modules. October 78, McNamee, the Santa DTiVeTS: 93] nel and of Scheduler Equipment Deuice [Draves P.-B., Adding 119–136, Digital R., 1991. Proceedings pages [Dig Harper, Development CMU-CS-91-1 y, August Lazowska, In E., Advanced and Interface Policies. Sympostum, Armstrong, to In pages K. AccommoProceedings 17–29, Burling- 1990. J., Mogul, An In Rashid, Efficient R., Mechanism Pr-oceedzngs Operating Systems November 1987. oj ihe and Accetta, for Ele,enth PTinctples, M. User-level .4 CJf pages The NetSynz39–51, [Mossenbock 94] Mossenbock, System. ary Nordic et al. baurn, 90] A. A in Computing, 91] 3. Mullender, S., pages Hall, The J., the Oberon [Thacker 1(1) :77–93, Febru- G. Tanen- Rossum, and van May V., Staveren, System editor. et for H. the Amoeba 1990’.. editor. B5700/B6700 Transactions & to tn Computer .?emes. System Academic Modula- [Thekkath & Bershad 94] Structuring Pardyak, Mechanism Language national In 312–219, and Bershad, on Object of the Dtstrtbuted Poznan, A June Group et al. 87] Rashid, D., Baron, Golub, J. R.. Black, oj chitectural ating Systems 1987. 881 [von Inter- 94] the Second on S. M., and CA, Management et C., 31–39, D. Experience oj the Parallel with ACM and Topaz and Palo [Wahbe al. and Distributed 92] for et al. 80] Lauer, and C., 92, D. Lynch, Purcell, sonal [Rome. Redell, H. S. C. Alto, et USENI.Y 176–18’7, al. 88] B. N. Conflict Systems 255–266, the TLB and W., Design Memory In A., Overhead Proceedings Symposium on oj [Wulf CA, and Ber- Using On- the Computer M.. Abrossimov, Guillemot, S., and Operating V., ‘M., & System. Armand, 90] of The Computing et al. 92] Schulman, 9-I] Small. Platform for search. Technical ACM Boule, Leonard, Dis- A., and Maxey, C. and D., and L’f. System Report on & .Julin 9.5] US: Unix On the 199.5 tV???ter January [Stodolsky Pietrek, M. VINO: and TR-30-94, An Inte- Database Harvard Re- University, Fast al. 93] Interrupt Kernels. on for OS J, M. Object USENI.Y Stodolsky, and Julin, Servers. In Conference, In New 81] 24(7):412-418, of and Diego, Othe CA, Stonebraker, the T Second I<ernel September 11. Management. July Bershad, Management Proce.dzngs San Database D., Priority A!ltcrokernels 105–110, [Stonebraker Stevenson, Generic D. P. Mach- P~oceedings oj Orleans, LA, 1995. et Wulf, romp: et al. B. for N., and Chen, Operating USENIX B. System Workshop Architectures, pages 1993. operating Co mmuntcations Languages San System of Support the D. E., Goldstein, A Mecha- Computation. In Symposium Gold on Coast, Aus- A CM, 1981. 284 Anderson, pages T, Fault E., Symposium 203–216, and Isolation. In on OpeT- Asheville, NC, C. of Fifth the Weihl, USENIX B. Indexed 124–136, ConsisIn on Languages pages N. Caches. ConjeTence PTog?”amming Sym- 1994. Bershad, Intemtatzona[ E. Implementation November and W. Resource and CA, B. Virtually V), and First Destgn Monterey, for A. Proportional-Share and Boston, Pro- ArchztecOpeTating MA, Octo- R. The OpeTating Systems November 1987. 94] of B. Endpoints 1994 of oj and Harbison, S. CompwteT P. System. W~nter CA, and Eleventh Large January B. Messages. 1994. Operating and Sys- Symposium 63-76, N., Austin, Maeda, Demultiplexing Conference, Golub, D., Communication ACM pages R., Black, a Multiprocessor Packet USENIX and Bershad, Efficient Rashid, W., Memory the M., A., Bolosky, Principles, Yuhara, E. J., Duality Proceedings J. R., Tevanian, Chew, Implementation al. Levin, ErpeTimental M., J., In et A., An Young, Eppinger, the W. 1981. 87] Francisco, Com- S., ACM \Vheeler, for /C. the M, 1992. Seltzer, Operating Burrows, Lucco, Systems (A SPLOS- Moss, 1990. Addison-Wesley, Han- 145–156, Messages: and PToceed%ngs 1-11, the 81] [Yuhara 1994. [Stevenson oj Baron, 1 (4) :305– Transactions February 11’zndows. Seltzer D. Culler, 256–266, Flexible 92] al. in Chorus Systems, hf. RPC. 8(1):1–17, Undocumented grated Schroeder, Firefly Systems, [Schulman pages Bershad Snpport D., Twenty- F., F., W. Hard- Confer- pages Software-Based Operating Hydra tiple Burrows Performance puteT et [Young Architecture, Herrmann, Neuhauser, M. 1992. tem. LI., VI), Waldspurger, y Management ber and Monterey, Karlin, H. Exception PTogTamming Active Fourteenth In Systems Fzrst R., 94] McGraw–Hill, Ohlrich, Levy, International Principles, Weihl on tura[ Dy- Resolu- of E. pages Scheduling: & ten. :81– 1988. [Schroeder & Operattng Limits Computer 1993. & [Wheeler a Per- 23(2) Bershad, Cache for Nineteenth the Systems (OSDI), G., 1995. Langlois, tributed [Small ACM, R., H. for Proceedings pages T., Rozier, Giend, 370, for Promotion. International 1,, and In on Reducing ThtTd P., D., Policies Rome., Superpage et the M. on International Communication Efficient Management. 1994. pages [Rozier Lee, (OSDI), 9.5] B. line T. Murray, System of and Sixth T., K. Wahbe, oj Lottery 1988. Horsley, Operating Hardware. Sympostum al. shad, An H., Mapping November et T. Standard Implementation [Rome. K., the Eicken, the S. L. [Waldspurger In WoTk- October P. R., H. 1992. 93] ceedings Rome., Page on Y. Jones, Levy, Efficient (A SPLOS- Architecture, al. ating CA, 1980. 94] namic tion M. Communications February al. Dalal, C., Pilot: Computer. et D., W. August 1994. von oj May posium [Redell and A. for Support Integrated Proceedings Oper- SIGOPS Debugging, :909–920, 1993. C. oj Schauser, Graham, Ar- Teledebugging. SIGPLAN Satterth- Workstation. Transactions Support Systems and tralia, In on Languages pages and for Conference Programming Thekkath, October ComputeT Chew, Architectures. International C., 37(8) A. May Architectural December Redell, on for Young, W., Memory C. ACM Proceed~ngs Operating nism Bolosky, L. Multiprocessor Computers, Thekkath, Software In Eicken Systems, A., Multiprocessor (A SPLOS-11), Proceedings shop and Support April D., Virtual Uniprocessor PToceedtn,gs Jr., Stewart, a RPC. Levy and Jose, 1994. Tevanian, Machine-Independent Paged [Redell R., on 93] Proceedings [Rashid P., Oriented Fourteenth Computing Poland, C. Firefly: 11(2):179–203, & ence 1973. B. a Distributed Proceedings Conference pages P. for Objects. Levy dling. OrganLza- Press, H. Low-Latency and [Pardyak E. Systems, Programming Thacker, IEEE ware E., 88] Jr., [Thekkath IEEE 1990. System al. waite, 1988. 1991. Organick, trion: V., -P–54, G., Prentice 73] R. Operating Nelson, [Organick S. Renesse, Distributed Computer, [Nelson Extensibility of 1994. [Mullender – H. .Jotirnal In pages on TX, C., for Proceedings 153–165, and Muloj San

Extensibility, Safety and Performance in the

Related documents

Products

Support

Extensibility, Safety and Performance in the

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib