The Alta Operating System
Patrick Tullmann
Masters Thesis Defense
University of Utah
Alta
Alta is an operating system in a Java Virtual Machine
Manages multiple applications on a single JVM
Supports the Fluke OS nested process model (NPM)

Research Goals
Can I change the protection mechanism in an OS model?
Can I provide safe, controlled sharing between Java processes?

Motivation: Servlet Engine
[Figure labels: UT, Uniglobe, NV, Morris, Registered Agents, Airline Database, Public Area]
Motivation

Java Virtual Machine provides:
– Safety
– Platform independence

Java-based systems need:
– Multiple “user” management
– Resource management
– Flexible & extensible control
Approach

Traditional OS a good model
– Hardware provides safety mechanism
– OS provides management

Fluke OS nested process model
Fluke Background

Microkernel
– Threads, mutexes, IPC, …
– Manages CPU and memory

User-level services
– File, Network, …

Nested process model
– Structured
– Well defined
Nested Process Model
A model of how processes interact
Hierarchical: parent process provides resources
[Figure labels: 1, Child A, 2, Child B, Parent Process]
Mapping an OS into Java
Type safety replaces hardware page protections
Bytecodes replace simple instructions
Native methods replace privileged instructions
All higher-level abstractions are equivalent

Goals for Alta

Support Fluke features for process management
– Mimic Fluke structure
– Provide parent process with control
Acceptable performance
Maintain backwards compatibility
– Existing Java apps should work
Design of Alta

Four design aspects (really seven)
– Maintain “whole JVM” illusion
– Per-process, flexible typespaces
– Inter-process sharing
– Sharing & resource control
– IPC-based interfaces
– Exportable kernel state
– Kernel implementation
Design of Alta

Four design aspects
– Maintain “whole JVM” illusion
– Per-process, flexible typespaces
– Inter-process sharing
– Sharing & resource control
Per-process Typespaces
Typespace: Set of name-to-class bindings in a process
Extension of the NPM to Java
Parent process resolves all class names
– Enables access controls
– Enables code control in child process
– Problems with native methods
– Poses problems for sharing
Per-process Typespaces
Implies class has no fixed name
Implies there can be inconsistencies
– Different notion of ‘File’
– Same notion of ‘Directory’
Inter-process Sharing

Alta allows limited inter-process sharing
– Initial sharing via IPC
– Sharing through other shared objects
Processes can have inconsistent types
Inter-process type inconsistencies can destroy a JVM
– pointer forging
Inter-process Type Checking
Alta ensures equivalent types for all shared objects
Effective limits on shareable types:
– Completely consistent field types
– Only allows non-polymorphic fields
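
A small model of the check described on this slide, added here as an illustration and not taken from Alta's code. `ClassDef`, `Typespace` and `shareable` are hypothetical names, the class ids are constructed sample data, and reading "non-polymorphic" as "declared field type is final" is an assumption.

```java
import java.util.*;

public class TypespaceCheck {
    // Constructed model: `id` identifies one class body; fields map field name -> declared type name.
    record ClassDef(String id, boolean isFinal, Map<String, String> fields) {}

    // A typespace: the name-to-class bindings visible to one process.
    record Typespace(Map<String, ClassDef> bindings) {
        ClassDef resolve(String name) { return bindings.get(name); }
    }

    static final Set<String> PRIMITIVES = Set.of("int", "long", "boolean");

    // True when `name` is bound to the same class in both typespaces and, recursively,
    // every field type is too.
    static boolean shareable(String name, Typespace a, Typespace b, Set<String> visiting) {
        if (PRIMITIVES.contains(name)) return true;
        ClassDef ca = a.resolve(name), cb = b.resolve(name);
        if (ca == null || cb == null || !ca.id().equals(cb.id())) return false;
        if (!visiting.add(name)) return true; // already being checked (cyclic reference)
        for (String fieldType : ca.fields().values()) {
            if (PRIMITIVES.contains(fieldType)) continue;
            ClassDef declared = a.resolve(fieldType);
            // Assumption: "non-polymorphic" is modelled as "declared field type is final".
            if (declared == null || !declared.isFinal()) return false;
            if (!shareable(fieldType, a, b, visiting)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        ClassDef dir = new ClassDef("Directory#1", true, Map.of("entries", "int"));
        ClassDef fileA = new ClassDef("File#A", true, Map.of("size", "long"));
        ClassDef fileB = new ClassDef("File#B", true, Map.of("size", "long", "owner", "int"));
        ClassDef mount = new ClassDef("Mount#1", true, Map.of("root", "Directory"));
        ClassDef handle = new ClassDef("Handle#1", true, Map.of("target", "File"));
        // Two processes: same notion of Directory, different notion of File.
        Typespace a = new Typespace(Map.of("Directory", dir, "File", fileA,
                                           "Mount", mount, "Handle", handle));
        Typespace b = new Typespace(Map.of("Directory", dir, "File", fileB,
                                           "Mount", mount, "Handle", handle));
        for (String n : List.of("Directory", "Mount", "File", "Handle"))
            System.out.println(n + " shareable: " + shareable(n, a, b, new HashSet<>()));
    }
}
```

`Handle` is bound to the same class in both typespaces, yet the model rejects it because its `target` field resolves to a different `File` in each process, which is the kind of inconsistency the previous slide ties to pointer forging.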
Sharing & Resource Control

Sharing complicates resource control
– Termination of process that has “exported” objects

Alta lets applications control sharing
– Nested process model enables constrained sharing
User-level Shared Objects

Child allocates -> Parent references
– Harmless. If parent dies then child dies
– Useful. Child can pass IPC arguments

Sibling allocates -> Sibling references
– Allowable. Parent trades communication costs for separation

Parent allocates -> Child references
– Standard server behavior
– Cannot deallocate without child’s cooperation
Results & Evaluation
Micro-benchmark measurements
Comparison with Fluke
– Structure
– Performance
Platform

Base system
– Kaffe Java virtual machine

Platform
– Measurements from a 300 MHz PII
– Java code is JIT compiled
Micro-benchmarks

Alta vs. Kaffe
– Basic VM operations are ~ unchanged
– 50-100 cycle overhead on object allocation

Kaffe/Alta vs. Microsoft JVM
– Three (or more) times slower
Alta vs. Fluke: Structure

Use similar internal organization
– Both implement a “red line” [Back 1999]
– Fully preemptible kernel
Alta allows kernel / user data sharing
Alta’s kernel is almost malloc-less
– Except some JVM-internal structures
Alta vs. Fluke: Performance

Alta wins:
– Null system call
• 192 cycles (vs. 302 in Fluke)
– Optimal thread switch
• 185 cycles (vs. 519 in Fluke)

Fluke wins everything else, e.g.,
– Null IPC round trip
• 18,524 cycles (64 µs) vs. 7,519 cycles in Fluke
– Process creation:
• ~11.9M cycles (39 ms) vs. 1M cycles in Fluke
Performance Evaluation

Alta hampered by poor JIT compiler
– GCJ will improve this
– Alta kernel is C-like
– HotSpot, etc. provide interesting opportunities

Alta can be optimized, too
– Static definition of a typespace
– Better kernel synchronization
– Incorporate recent Fluke optimizations
Related Work: Java

[Balfanz 1998], [Bernadat 1998], [Sun 1998]

J-Kernel [Hawblitzel 1998]
– Pure Java
– No inter-process sharing

KaffeOS [Back 1999]
– More restrictive sharing
– Resource management focus
• Per-process heaps
• GC time accounting
• ...
Related Work: OS

Pilot / Cedar / Mesa [Redell 1980], [Swinehart 1986]
Oberon / Juice [Franz 1996]
Inferno [Dorward 1998]
SPIN [Bershad 1995]
Vino [Seltzer 1996]

Future Work
Resource accounting & GC
Formal analysis of Alta type system
Fluke & Alta integration
Alta-specific applications

Contributions
Alta demonstrates applicability of OS abstractions to Java
The Fluke NPM with a different protection mechanism
Multiple application support in a JVM
Type-safe sharing between inconsistent typespaces
