Google Git
Sign in
akaros / upstream / refs/heads/ttrace / . / Documentation / processes.txt
blob: a843890fbdaa15213288c86eb0148fd87e6e63d6 [file] [log] [blame] [edit]
processes.txt
Barret Rhoden
All things processes! This explains processes from a high level, especially
focusing on the user-kernel boundary and transitions to the many-core state,
which is the way in which parallel processes run. This doesn't discuss deep
details of the ROS kernel's process code.
This is motivated by two things: kernel scalability and direct support for
parallel applications.
Part 1: Overview
Part 2: How They Work
Part 3: Resource Requests
Part 4: Preemption and Notification
Part 5: Old Arguments (mostly for archival purposes))
Part 6: Parlab app use cases
Revision History:
2009-10-30 - Initial version
2010-03-04 - Preemption/Notification, changed to many-core processes
Part 1: World View of Processes
==================================
A process is the lowest level of control, protection, and organization in the
kernel.
1.1: What's a process?
-------------------------------
Features:
- They are an executing instance of a program. A program can load multiple
other chunks of code and run them (libraries), but they are written to work
with each other, within the same address space, and are in essence one
entity.
- They have one address space/ protection domain.
- They run in Ring 3 / Usermode.
- They can interact with each other, subject to permissions enforced by the
kernel.
- They can make requests from the kernel, for things like resource guarantees.
They have a list of resources that are given/leased to them.
None of these are new. Here's what's new:
- They can run in a many-core mode, where its cores run at the same time, and
it is aware of changes to these conditions (page faults, preemptions). It
can still request more resources (cores, memory, whatever).
- Every core in a many-core process (MCP) is *not* backed by a kernel
thread/kernel stack, unlike with Linux tasks.
- There are *no* per-core run-queues in the kernel that decide for
themselves which kernel thread to run.
- They are not fork()/execed(). They are created(), and then later made
runnable. This allows the controlling process (parent) to do whatever it
wants: pass file descriptors, give resources, whatever.
These changes are directly motivated by what is wrong with current SMP
operating systems as we move towards many-core: direct (first class) support
for truly parallel processes, kernel scalability, and an ability of a process
to see through classic abstractions (the virtual processor) to understand (and
make requests about) the underlying state of the machine.
1.2: What's a partition?
-------------------------------
So a process can make resource requests, but some part of the system needs to
decide what to grant, when to grant it, etc. This goes by several names:
scheduler / resource allocator / resource manager. The scheduler simply says
when you get some resources, then calls functions from lower parts of the
kernel to make it happen.
This is where the partitioning of resources comes in. In the simple case (one
process per partitioned block of resources), the scheduler just finds a slot
and runs the process, giving it its resources.
A big distinction is that the *partitioning* of resources only makes sense
from the scheduler on up in the stack (towards userspace). The lower levels
of the kernel know about resources that are granted to a process. The
partitioning is about the accounting of resources and an interface for
adjusting their allocation. It is a method for telling the 'scheduler' how
you want resources to be granted to processes.
A possible interface for this is procfs, which has a nice hierarchy.
Processes can be grouped together, and resources can be granted to them. Who
does this? A process can create it's own directory entry (a partition), and
move anyone it controls (parent of, though that's not necessary) into its
partition or a sub-partition. Likewise, a sysadmin/user can simply move PIDs
around in the tree, creating partitions consisting of processes completely
unaware of each other.
Now you can say things like "give 25% of the system's resources to apache and
mysql". They don't need to know about each other. If you want finer-grained
control, you can create subdirectories (subpartitions), and give resources on
a per-process basis. This is back to the simple case of one process for one
(sub)partition.
This is all influenced by Linux's cgroups (process control groups).
http://www.mjmwired.net/kernel/Documentation/cgroups.txt. They group processes
together, and allow subsystems to attach meaning to those groups.
Ultimately, I view partitioning as something that tells the kernel how to
grant resources. It's an abstraction presented to userspace and higher levels
of the kernel. The specifics still need to be worked out, but by separating
them from the process abstraction, we can work it out and try a variety of
approaches.
The actual granting of resources and enforcement is done by the lower levels
of the kernel (or by hardware, depending on future architectural changes).
Part 2: How They Work
===============================
2.1: States
-------------------------------
PROC_CREATED
PROC_RUNNABLE_S
PROC_RUNNING_S
PROC_WAITING
PROC_DYING
PROC_RUNNABLE_M
PROC_RUNNING_M
Difference between the _M and the _S states:
- _S : legacy process mode. There is no need for a second-level scheduler, and
the code running is analogous to a user-level thread.
- RUNNING_M implies *guaranteed* core(s). You can be a single core in the
RUNNING_M state. The guarantee is subject to time slicing, but when you
run, you get all of your cores.
- The time slicing is at a coarser granularity for _M states. This means that
when you run an _S on a core, it should be interrupted/time sliced more
often, which also means the core should be classified differently for a
while. Possibly even using it's local APIC timer.
- A process in an _M state will be informed about changes to its state, e.g.,
will have a handler run in the event of a page fault
For more details, check out kern/inc/process.h For valid transitions between
these, check out kern/src/process.c's proc_set_state().
2.2: Creation and Running
-------------------------------
Unlike the fork-exec model, processes are created, and then explicitly made
runnable. In the time between creation and running, the parent (or another
controlling process) can do whatever it wants with the child, such as pass
specific file descriptors, map shared memory regions (which can be used to
pass arguments).
New processes are not a copy-on-write version of the parent's address space.
Due to our changes in the threading model, we no longer need (or want) this
behavior left over from the fork-exec model.
By splitting the creation from the running and by explicitly sharing state
between processes (like inherited file descriptors), we avoid a lot of
concurrency and security issues.
2.3: Vcoreid vs Pcoreid
-------------------------------
The vcoreid is a virtual cpu number. Its purpose is to provide an easy way
for the kernel and userspace to talk about the same core. pcoreid (physical)
would also work. The vcoreid makes things a little easier, such as when a
process wants to refer to one of its other cores (not the calling core). It
also makes the event notification mechanisms easier to specify and maintain.
Processes that care about locality should check what their pcoreid is. This
is currently done via sys_getcpuid(). The name will probably change.
2.4: Transitioning to and from states
-------------------------------
2.4.1: To go from _S to _M, a process requests cores.
--------------
A resource request from 0 to 1 or more causes a transition from _S to _M. The
calling context is saved in the uthread slot (uthread_ctx) in vcore0's
preemption data (in procdata). The second level scheduler needs to be able to
restart the context when vcore0 starts up. To do this, it will need to save the
TLS/TCB descriptor and the floating point/silly state (if applicable) in the
user-thread control block, and do whatever is needed to signal vcore0 to run the
_S context when it starts up. One way would be to mark vcore0's "active thread"
variable to point to the _S thread. When vcore0 starts up at
_start/vcore_entry() (like all vcores), it will see a thread was running there
and restart it. The kernel will migrate the _S thread's silly state (FP) to the
new pcore, so that it looks like the process was simply running the _S thread
and got notified. Odds are, it will want to just restart that thread, but the
kernel won't assume that (hence the notification).
In general, all cores (and all subsequently allocated cores) start at the elf
entry point, with vcoreid in eax or a suitable arch-specific manner. There is
also a syscall to get the vcoreid, but this will save an extra trap at vcore
start time.
Future proc_runs(), like from RUNNABLE_M to RUNNING_M start all cores at the
entry point, including vcore0. The saving of a _S context to vcore0's
uthread_ctx only happens on the transition from _S to _M (which the process
needs to be aware of for a variety of reasons). This also means that userspace
needs to handle vcore0 coming up at the entry point again (and not starting the
program over). This is currently done in sysdeps-ros/start.c, via the static
variable init. Note there are some tricky things involving dynamically linked
programs, but it all works currently.
When coming in to the entry point, whether as the result of a startcore or a
notification, the kernel will set the stack pointer to whatever is requested
by userspace in procdata. A process should allocate stacks of whatever size
it wants for its vcores when it is in _S mode, and write these location to
procdata. These stacks are the transition stacks (in Lithe terms) that are
used as jumping-off points for future function calls. These stacks need to be
used in a continuation-passing style, and each time they are used, they start
from the top.
2.4.2: To go from _M to _S, a process requests 0 cores
--------------
The caller becomes the new _S context. Everyone else gets trashed
(abandon_core()). Their stacks are still allocated and it is up to userspace
to deal with this. In general, they will regrab their transition stacks when
they come back up. Their other stacks and whatnot (like TBB threads) need to
be dealt with.
When the caller next switches to _M, that context (including its stack)
maintains its old vcore identity. If vcore3 causes the switch to _S mode, it
ought to remain vcore3 (lots of things get broken otherwise).
As of March 2010, the code does not reflect this. Don't rely on anything in
this section for the time being.
2.4.3: Requesting more cores while in _M
--------------
Any core can request more cores and adjust the resource allocation in any way.
These new cores come up just like the original new cores in the transition
from _S to _M: at the entry point.
2.4.4: Yielding
--------------
sys_yield()/proc_yield() will give up the calling core, and may or may not
adjust the desired number of cores, subject to its parameters. Yield is
performing two tasks, both of which result in giving up the core. One is for
not wanting the core anymore. The other is in response to a preemption. Yield
may not be called remotely (ARSC).
In _S mode, it will transition from RUNNING_S to RUNNABLE_S. The context is
saved in scp_ctx.
In _M mode, this yields the calling core. A yield will *not* transition from _M
to _S. The kernel will rip it out of your vcore list. A process can yield its
cores in any order. The kernel will "fill in the holes of the vcoremap" for any
future new cores requested (e.g., proc A has 4 vcores, yields vcore2, and then
asks for another vcore. The new one will be vcore2). When any core starts in
_M mode, even after a yield, it will come back at the vcore_entry()/_start point.
Yield will normally adjust your desired amount of vcores to the amount after the
calling core is taken. This is the way a process gives its cores back.
Yield can also be used to say the process is just giving up the core in response
to a pending preemption, but actually wants the core and does not want resource
requests to be readjusted. For example, in the event of a preemption
notification, a process may yield (ought to!) so that the kernel does not need
to waste effort with full preemption. This is done by passing in a bool
(being_nice), which signals the kernel that it is in response to a preemption.
The kernel will not readjust the amt_wanted, and if there is no preemption
pending, the kernel will ignore the yield.
There may be an m_yield(), which will yield all or some of the cores of an MPC,
remotely. This is discussed farther down a bit. It's not clear what exactly
it's purpose would be.
We also haven't addressed other reasons to yield, or more specifically to wait,
such as for an interrupt or an event of some sort.
2.4.5: Others
--------------
There are other transitions, mostly self-explanatory. We don't currently use
any WAITING states, since we have nothing to block on yet. DYING is a state
when the kernel is trying to kill your process, which can take a little while
to clean up.
Part 3: Resource Requests
===============================
A process can ask for resources from the kernel. The kernel either grants
these requests or not, subject to QoS guarantees, or other scheduler-related
criteria.
A process requests resources, currently via sys_resource_req. The form of a
request is to tell the kernel how much of a resource it wants. Currently,
this is the amt_wanted. We'll also have a minimum amount wanted, which tells
the scheduler not to run the process until the minimum amount of resources are
available.
How the kernel actually grants resources is resource-specific. In general,
there are functions like proc_give_cores() (which gives certain cores to a
process) that actually does the allocation, as well as adjusting the
amt_granted for that resource.
For expressing QoS guarantees, we'll probably use something like procfs (as
mentioned above) to explicitly tell the scheduler/resource manager what the
user/sysadmin wants. An interface like this ought to be usable both by
programs as well as simple filesystem tools (cat, etc).
Guarantees exist regardless of whether or not the allocation has happened. An
example of this is when a process may be guaranteed to use 8 cores, but
currently only needs 2. Whenever it asks for up to 8 cores, it will get them.
The exact nature of the guarantee is TBD, but there will be some sort of
latency involved in the guarantee for systems that want to take advantage of
idle resources (compared to simply reserving and not allowing anyone else to
use them). A latency of 0 would mean a process wants it instantly, which
probably means they ought to be already allocated (and billed to) that
process.
Part 4: Preemption and Event Notification
===============================
Preemption and Notification are tied together. Preemption is when the kernel
takes a resource (specifically, cores). There are two types core_preempt()
(one core) and gang_preempt() (all cores). Notification (discussed below) is
when the kernel informs a process of an event, usually referring to the act of
running a function on a core (active notification).
The rough plan for preemption is to notify beforehand, then take action if
userspace doesn't yield. This is a notification a process can ignore, though
it is highly recommended to at least be aware of impending core_preempt()
events.
4.1: Notification Basics
-------------------------------
One of the philosophical goals of ROS is to expose information up to userspace
(and allow requests based on that information). There will be a variety of
events in the system that processes will want to know about. To handle this,
we'll eventually build something like the following.
All events will have a number, like an interrupt vector. Each process will
have an event queue (per core, described below). On most architectures, it
will be a simple producer-consumer ring buffer sitting in the "shared memory"
procdata region (shared between the kernel and userspace). The kernel writes
a message into the buffer with the event number and some other helpful
information.
Additionally, the process may request to be actively notified of specific
events. This is done by having the process write into an event vector table
(like an IDT) in procdata. For each event, the process writes the vcoreid it
wants to be notified on.
4.2: Notification Specifics
-------------------------------
In procdata there is an array of per-vcore data, holding some
preempt/notification information and space for two trapframes: one for
notification and one for preemption.
4.2.1: Overall
-----------------------------
When a notification arrives to a process under normal circumstances, the
kernel places the previous running context in the notification trapframe, and
returns to userspace at the program entry point (the elf entry point) on the
transition stack. If a process is already handling a notification on that
core, the kernel will not interrupt it. It is the processes's responsibility
to check for more notifications before returning to its normal work. The
process must also unmask notifications (in procdata) before it returns to do
normal work. Unmasking notifications is the signal to the kernel to not
bother sending IPIs, and if an IPI is sent before notifications are masked,
then the kernel will double-check this flag to make sure interrupts should
have arrived.
Notification unmasking is done by clearing the notif_disabled flag (similar to
turning interrupts on in hardware). When a core starts up, this flag is on,
meaning that notifications are disabled by default. It is the process's
responsibility to turn on notifications for a given vcore.
4.2.2: Notif Event Details
-----------------------------
When the process runs the handler, it is actually starting up at the same
location in code as it always does. To determine if it was a notification or
not, simply check the queue and bitmask. This has the added benefit of allowing
a process to notice notifications that it missed previously, or notifs it wanted
without active notification (IPI). If we want to bypass this check by having a
magic register signal, we can add that later. Additionally, the kernel will
mask notifications (much like an x86 interrupt gate). It will also mask
notifications when starting a core with a fresh trapframe, since the process
will be executing on its transition stack. The process must check its per-core
event queue to see why it was called, and deal with all of the events on the
queue. In the case where the event queue overflows, the kernel will up a
counter so the process can at least be aware things are missed. At the very
least, the process will see the notification marked in a bitmask.
These notification events include things such as: an IO is complete, a
preemption is pending to this core, the process just returned from a
preemption, there was a trap (divide by 0, page fault), and many other things.
We plan to allow this list to grow at runtime (a process can request new event
notification types). These messages will often need some form of a timestamp,
especially ones that will expire in meaning (such as a preempt_pending).
Note that only one notification can be active at a time, including a fault.
This means that if a process page faults or something while notifications are
masked, the process will simply be killed. It is up to the process to make
sure the appropriate pages are pinned, which it should do before entering _M
mode.
4.2.3: Event Overflow and Non-Messages
-----------------------------
For missed/overflowed events, and for events that do not need messages (they
have no parameters and multiple notifications are irrelevant), the kernel will
toggle that event's bit in a bitmask. For the events that don't want messages,
we may have a flag that userspace sets, meaning they just want to know it
happened. This might be too much of a pain, so we'll see. For notification
events that overflowed the queue, the parameters will be lost, but hopefully the
application can sort it out. Again, we'll see. A specific notif_event should
not appear in both the event buffers and in the bitmask.
It does not make sense for all events to have messages. Others, it does not
make sense to specify a different core on which to run the handler (e.g. page
faults). The notification methods that the process expresses via procdata are
suggestions to the kernel. When they don't make sense, they will be ignored.
Some notifications might be unserviceable without messages. A process needs to
have a fallback mechanism. For example, they can read the vcoremap to see who
was lost, or they can restart a thread to cause it to page fault again.
Event overflow sucks - it leads to a bunch of complications. Ultimately, what
we really want is a limitless amount of notification messages (per core), as
well as a limitless amount of notification types. And we want these to be
relayed to userspace without trapping into the kernel.
We could do this if we had a way to dynamically manage memory in procdata, with
a distrusted process on one side of the relationship. We could imagine growing
procdata dynamically (we plan to, mostly to grow the preempt_data struct as we
request more vcores), and then run some sort of heap manager / malloc. Things
get very tricky since the kernel should never follow pointers that userspace can
touch. Additionally, whatever memory management we use becomes a part of the
kernel interface.
Even if we had that, dynamic notification *types* is tricky - they are
identified by a number, not by a specific (list) element.
For now, this all seems like an unnecessary pain in the ass. We might adjust it
in the future if we come up with clean, clever ways to deal with the problem,
which we aren't even sure is a problem yet.
4.2.4: How to Use and Leave a Transition Stack
-----------------------------
We considered having the kernel be aware of a process's transition stacks and
sizes so that it can detect if a vcore is in a notification handler based on
the stack pointer in the trapframe when a trap or interrupt fires. While
cool, the flag for notif_disabled is much easier and just as capable.
Userspace needs to be aware of various races, and only enable notifications
when it is ready to have its transition stack clobbered. This means that when
switching from big user-thread to user-thread, the process should temporarily
disable notifications and reenable them before starting the new thread fully.
This is analogous to having a kernel that disables interrupts while in process
context.
A process can fake not being on its transition stack, and even unmapping their
stack. At worst, a vcore could recursively page fault (the kernel does not
know it is in a handler, if they keep enabling notifs before faulting), and
that would continue til the core is forcibly preempted. This is not an issue
for the kernel.
When a process wants to use its transition stack, it ought to check
preempt_pending, mask notifications, jump to its transition stack, do its work
(e.g. process notifications, check for new notifications, schedule a new
thread) periodically checking for a pending preemption, and making sure the
notification queue/list is empty before moving back to real code. Then it
should jump back to a real stack, unmask notifications, and jump to the newly
scheduled thread.
This can be really tricky. When userspace is changing threads, it will need to
unmask notifs as well as jump to the new thread. There is a slight race here,
but it is okay. The race is that an IPI can arrive after notifs are unmasked,
but before returning to the real user thread. Then the code will think the
uthread_ctx represents the new user thread, even though it hasn't started (and
the PC is wrong). The trick is to make sure that all state required to start
the new thread, as well as future instructions, are all saved within the "stuff"
that gets saved in the uthread_ctx. When these threading packages change
contexts, they ought to push the PC on the stack of the new thread, (then enable
notifs) and then execute a return. If an IPI arrives before the "function
return", then when that context gets restarted, it will run the "return" with
the appropriate value on the stack still.
There is a further complication. The kernel can send an IPI that the process
wanted, but the vcore did not get truly interrupted since its notifs were
disabled. There is a race between checking the queue/bitmask and then enabling
notifications. The way we deal with it is that the kernel posts the
message/bit, then sets notif_pending. Then it sends the IPI, which may or may
not be received (based on notif_disabled). (Actually, the kernel only ought to
send the IPI if notif_pending was 0 (atomically) and notif_disabled is 0). When
leaving the transition stack, userspace should clear the notif_pending, then
check the queue do whatever, and then try to pop the tf. When popping the tf,
after enabling notifications, check notif_pending. If it is still clear, return
without fear of missing a notif. If it is not clear, it needs to manually
notify itself (sys_self_notify) so that it can process the notification that it
missed and for which it wanted to receive an IPI. Before it does this, it needs
to clear notif_pending, so the kernel will send it an IPI. These last parts are
handled in pop_user_ctx().
4.3: Preemption Specifics
-------------------------------
There's an issue with a preempted vcore getting restarted while a remote core
tries to restart that context. They resolve this fight with a variety of VC
flags (VC_UTHREAD_STEALING). Check out handle_preempt() in uthread.c.
4.4: Other trickiness
-------------------------------
Take all of these with a grain of salt - it's quite old.
4.4.1: Preemption -> deadlock
-------------------------------
One issue is that a context can be holding a lock that is necessary for the
userspace scheduler to manage preempted threads, and this context can be
preempted. This would deadlock the scheduler. To assist a process from
locking itself up, the kernel will toggle a preempt_pending flag in
procdata for that vcore before sending the actual preemption. Whenever the
scheduler is grabbing one of these critical spinlocks, it needs to check that
flag first, and yield if a preemption is coming in.
Another option we may implement is for the process to be able to signal to the
kernel that it is in one of these ultra-critical sections by writing a magic
value to a specific register in the trapframe. If there kernel sees this, it
will allow the process to run for a little longer. The issue with this is
that the kernel would need to assume processes will always do this (malicious
ones will) and add this extra wait time to the worst case preemption time.
Finally, a scheduler could try to use non-blocking synchronization (no
spinlocks), or one of our other long-term research synchronization methods to
avoid deadlock, though we realize this is a pain for userspace for now. FWIW,
there are some OSs out there with only non-blocking synchronization (I think).
4.4.2: Cascading and overflow
-------------------------------
There used to be issues with cascading interrupts (when contexts are still
running handlers). Imagine a pagefault, followed by preempting the handler.
It doesn't make sense to run the preempt context after the page fault.
Earlier designs had issues where it was hard for a vcore to determine the
order of events and unmixing preemption, notification, and faults. We deal
with this by having separate slots for preemption and notification, and by
treating faults as another form of notification. Faulting while handling a
notification just leads to death. Perhaps there is a better way to do that.
Another thing we considered would be to have two stacks - transition for
notification and an exception stack for faults. We'd also need a fault slot
for the faulting trapframe. This begins to take up even more memory, and it
is not clear how to handle mixed faults and notifications. If you fault while
on the notification slot, then fine. But you could fault for other reasons,
and then receive a notification. And then if you fault in that handler, we're
back to where we started - might as well just kill them.
Another issue was overload. Consider if vcore0 is set up to receive all
events. If events come in faster than it can process them, it will both nest
too deep and process out of order. To handle this, we only notify once, and
will not send future active notifications / interrupts until the process
issues an "end of interrupt" (EOI) for that vcore. This is modelled after
hardware interrupts (on x86, at least).
4.4.3: Restarting a Preempted Notification
-------------------------------
Nowadays, to restart a preempted notification, you just restart the vcore.
The kernel does, either if it gives the process more cores or if userspace asked
it to with a sys_change_vcore().
4.4.4: Userspace Yield Races
-------------------------------
Imagine a vcore realizes it is getting preempted soon, so it starts to yield.
However, it is too slow and doesn't make it into the kernel before a preempt
message takes over. When that vcore is run again, it will continue where it
left off and yield its core. The desired outcome is for yield to fail, since
the process doesn't really want to yield that core. To sort this out, yield
will take a parameter saying that the yield is in response to a pending
preemption. If the phase is over (preempted and returned), the call will not
yield and simply return to userspace.
4.4.5: Userspace m_yield
-------------------------------
There are a variety of ways to implement an m_yield (yield the entire MCP).
We could have a "no niceness" yield - just immediately preempt, but there is a
danger of the locking business. We could do the usual delay game, though if
userspace is requesting its yield, arguably we don't need to give warning.
Another approach would be to not have an explicit m_yield call. Instead, we
can provide a notify_all call, where the notification sent to every vcore is
to yield. I imagine we'll have a notify_all (or rather, flags to the notify
call) anyway, so we can do this for now.
The fastest way will probably be the no niceness way. One way to make this
work would be for vcore0 to hold all of the low-level locks (from 4.4.1) and
manually unlock them when it wakes up. Yikes!
4.5: Random Other Stuff
-------------------------------
Pre-Notification issues: how much time does userspace need to clean up and
yield? How quickly does the kernel need the core back (for scheduling
reasons)?
Part 5: Old Arguments about Processes vs Partitions
===============================
This is based on my interpretation of the cell (formerly what I thought was
called a partition).
5.1: Program vs OS
-------------------------------
A big difference is what runs inside the object. I think trying to support
OS-like functionality is a quick path to unnecessary layers and complexity,
esp for the common case. This leads to discussions of physical memory
management, spawning new programs, virtualizing HW, shadow page tables,
exporting protection rings, etc.
This unnecessarily brings in the baggage and complexity of supporting VMs,
which are a special case. Yes, we want processes to be able to use their
resources, but I'd rather approach this from the perspective of "what do they
need?" than "how can we make it look like a real machine." Virtual machines
are cool, and paravirtualization influenced a lot of my ideas, but they have
their place and I don't think this is it.
For example, exporting direct control of physical pages is a bad idea. I
wasn't clear if anyone was advocating this or not. By exposing actual machine
physical frames, we lose our ability to do all sorts of things (like swapping,
for all practical uses, and other VM tricks). If the cell/process thinks it
is manipulating physical pages, but really isn't, we're in the VM situation of
managing nested or shadow page tables, which we don't want.
For memory, we'd be better off giving an allocation of a quantity frames, not
specific frames. A process can pin up to X pages, for instance. It can also
pick pages to be evicted when there's memory pressure. There are already
similar ideas out there, both in POSIX and in ACPM.
Instead of mucking with faking multiple programs / entities within an cell,
just make more processes. Otherwise, you'd have to export weird controls that
the kernel is doing anyway (and can do better!), and have complicated middle
layers.
5.2: Multiple "Things" in a "partition"
-------------------------------
In the process-world, the kernel can make a distinction between different
entities that are using a block of resources. Yes, "you" can still do
whatever you want with your resources. But the kernel directly supports
useful controls that you want.
- Multiple protection domains are no problem. They are just multiple
processes. Resource allocation is a separate topic.
- Processes can control one another, based on a rational set of rules. Even
if you have just cells, we still need them to be able to control one another
(it's a sysadmin thing).
"What happens in a cell, stays in a cell." What does this really mean? If
it's about resource allocation and passing of resources around, we can do that
with process groups. If it's about the kernel not caring about what code runs
inside a protection domain, a process provides that. If it's about a "parent"
program trying to control/kill/whatever a "child" (even if it's within a cell,
in the cell model), you *want* the kernel to be involved. The kernel is the
one that can do protection between entities.
5.3: Other Things
-------------------------------
Let the kernel do what it's made to do, and in the best position to do: manage
protection and low-level resources.
Both processes and partitions "have" resources. They are at different levels
in the system. A process actually gets to use the resources. A partition is
a collection of resources allocated to one or more processes.
In response to this:
On 2009-09-15 at 22:33 John Kubiatowicz wrote:
> John Shalf wrote:
> >
> > Anyhow, Barret is asking that resource requirements attributes be
> > assigned on a process basis rather than partition basis. We need
> > to justify why gang scheduling of a partition and resource
> > management should be linked.
I want a process to be aware of it's specific resources, as well as the other
members of it's partition. An individual process (which is gang-scheduled in
many-core mode) has a specific list of resources. Its just that the overall
'partition of system resources' is separate from the list of specific
resources of a process, simply because there can be many processes under the
same partition (collection of resources allocated).
> >
> Simplicity!
>
> Yes, we can allow lots of options, but at the end of the day, the
> simplest model that does what we need is likely the best. I don't
> want us to hack together a frankenscheduler.
My view is also simple in the case of one address space/process per
'partition.' Extending it to multiple address spaces is simply asking that
resources be shared between processes, but without design details that I
imagine will be brutally complicated in the Cell model.
Part 6: Use Cases
===============================
6.1: Matrix Multiply / Trusting Many-core app
-------------------------------
The process is created by something (bash, for instance). It's parent makes
it runnable. The process requests a bunch of cores and RAM. The scheduler
decides to give it a certain amount of resources, which creates it's partition
(aka, chunk of resources granted to it's process group, of which it is the
only member). The sysadmin can tweak this allocation via procfs.
The process runs on its cores in it's many-core mode. It is gang scheduled,
and knows how many cores there are. When the kernel starts the process on
it's extra cores, it passes control to a known spot in code (the ELF entry
point), with the virtual core id passed as a parameter.
The code runs from a single binary image, eventually with shared
object/library support. It's view of memory is a virtual address space, but
it also can see it's own page tables to see which pages are really resident
(similar to POSIX's mincore()).
When it comes time to lose a core, or be completely preempted, the process is
notified by the OS running a handler of the process's choosing (in userspace).
The process can choose what to do (pick a core to yield, prepare to be
preempted, etc).
To deal with memory, the process is notified when it page faults, and keeps
its core. The process can pin pages in memory. If there is memory pressure,
the process can tell the kernel which pages to unmap.
This is the simple case.
6.2: Browser
-------------------------------
In this case, a process wants to create multiple protection domains that share
the same pool of resources. Or rather, with it's own allocated resources.
The browser process is created, as above. It creates, but does not run, it's
untrusted children. The kernel will have a variety of ways a process can
"mess with" a process it controls. So for this untrusted child, the parent
can pass (for example), a file descriptor of what to render, "sandbox" that
process (only allow a whitelist of syscalls, e.g. can only read and write
descriptors it has). You can't do this easily in the cell model.
The parent can also set up a shared memory mapping / channel with the child.
For resources, the parent can put the child in a subdirectory/ subpartition
and give a portion of its resources to that subpartition. The scheduler will
ensure that both the parent and the child are run at the same time, and will
give the child process the resources specified. (cores, RAM, etc).
After this setup, the parent will then make the child "runnable". This is why
we want to separate the creation from the runnability of a process, which we
can't do with the fork/exec model.
The parent can later kill the child if it wants, reallocate the resources in
the partition (perhaps to another process rendering a more important page),
preempt that process, whatever.
6.3: SMP Virtual Machines
-------------------------------
The main issue (regardless of paravirt or full virt), is that what's running
on the cores may or may not trust one another. One solution is to run each
VM-core in it's own process (like with Linux's KVM, it uses N tasks (part of
one process) for an N-way SMP VM). The processes set up the appropriate
shared memory mapping between themselves early on. Another approach would be
to allow a many-cored process to install specific address spaces on each
core, and interpose on syscalls, privileged instructions, and page faults.
This sounds very much like the Cell approach, which may be fine for a VM, but
not for the general case of a process.
Or with a paravirtualized SMP guest, you could (similar to the L4Linux way,)
make any Guest OS processes actual processes in our OS. The resource
allocation to the Guest OS partition would be managed by the parent process of
the group (which would be running the Guest OS kernel). We still need to play
tricks with syscall redirection.
For full virtualization, we'd need to make use of hardware virtualization
instructions. Dealing with the VMEXITs, emulation, and other things is a real
pain, but already done. The long range plan was to wait til the
http://v3vee.org/ project supported Intel's instructions and eventually
incorporate that.
All of these ways involve subtle and not-so-subtle difficulties. The
Cell-as-OS mode will have to deal with them for the common case, which seems
brutal. And rather unnecessary.