Mini_Formal VM

Formal Requirements for Virtualizable Third Generation Architectures
Grad Operating System Mini-Project
Authors: Gerald J. Popek and Robert P. Goldberg
Presented by: Yiji Zhang
Outline
• Basic VM Concepts
• Formal Definitions
• Virtualization Theorems
• Contribution
Basic VM Concepts
• Virtual Machine (VM)
– an efficient, isolated duplicate of the real machine
– the environment created by the virtual machine monitor
Figure: the virtual machine monitor (VM on top of the VMM, VMM on top of the Hardware)
Basic VM Concepts
• Virtual machine monitor (VMM)
– a piece of software
– three properties:
1) Equivalence: a program run under the VMM behaves the same as when run on the original machine directly
2) Efficiency: a statistically dominant subset of the virtual processor's instructions is executed directly by the real processor
3) Resource control: the VMM has complete control of system resources
Formal Definitions
• Three formal definitions
– Model of 3rd generation machine
– Instruction behavior
– Virtual machine monitor
Model of 3rd Generation Machine
• Overview
a simplified conventional 3rd generation machine
– with a processor
– with linear, uniformly addressable memory
– without I/O instructions
– without interrupts
• Machine behavior
The machine can exist in any one of a finite number of states S, where S = <E, M, P, R>.

Model of 3rd Generation Machine
• Behavior of the computer: state-space (S), with S = <E, M, P, R>
E: executable storage
• word- or byte-addressed memory
• E[i]: contents of the ith unit of storage in E
M: processor mode, one of 2 types
• supervisor (s)
• user (u)
P: program counter
• an address relative to the relocation-bounds register
• an index into E
R: relocation-bounds register, R = (l, b)
• relocation part l: absolute address
• bound part b: absolute size of virtual memory
Model of 3rd Generation Machine
• Program status word (PSW)
the contents of the triple <M, P, R>
– used in other definitions and proofs later
• Instruction (i)
a function from one set of states (C) to another: i: C → C
e.g. i(S1) = S2
i(E1, M1, P1, R1) = (E2, M2, P2, R2)
Model of 3rd Generation Machine
• Trap
1. Definition
An instruction is said to trap if
i(E1, M1, P1, R1) = (E2, M2, P2, R2)
where E2[j] = E1[j], for 0 < j < q (storage other than location 0 is unchanged),
E2[0] = (M1, P1, R1) (1. save the current state, the PSW, in location 0),
(M2, P2, R2) = E1[1] (2. pass control to a pre-specified routine by loading the new PSW from location 1)
Model of 3rd Generation Machine
• Trap
2. Particular kind of trap: memory trap
– caused by accessing an address which is beyond the bounds in the relocation-bounds register R = (l, b) or beyond physical memory
– micro-sequence:
if a + l ≥ q then trap;
if a ≥ b then trap
where a is the address to be accessed, l is the relocation value, q is the total size of memory, and b is the bound
Instruction Behavior
• privileged instructions
• sensitive instructions
– control sensitive instructions
– behavior sensitive instructions
• innocuous instructions
Privileged Instruction
• Definition
Instruction i is privileged iff for any pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
– the only difference between S1 and S2 is the processor mode (supervisor vs. user)
– a privileged-instruction trap is independent of the virtualization process
Sensitive Instruction
• Control sensitive
An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2>, such that i(S1) does not memory trap, and either: (a) r1 ≠ r2, or (b) m1 ≠ m2, or both.
– control sensitive instructions: affect or potentially affect the control of the VMM over resources
– the model assumes no isolated condition codes or other complications by which instructions can interact
Sensitive Instruction
• Behavior sensitive: first some new notation
– operator ⊕: r' = r ⊕ x = (l + x, b), which means the relocation register has had its base value shifted by the value of x
– E | R: the contents of the part of memory which can be affected by the instruction
– E | r = E' | r ⊕ x: for 0 ≤ i ≤ b, E[l + i] = E'[l + x + i]
• Behavior sensitive (finally!)
An instruction i is behavior sensitive if there exists an integer x and states:
(a) S1 = <e | r, m1, p, r>, and
(b) S2 = <e | r ⊕ x, m2, p, r ⊕ x>,
where
(c) i(S1) = <e1 | r, m1, p1, r>,
(d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x>, and
(e) neither i(S1) nor i(S2) memory traps,
such that either
(a) e1 | r ≠ e2 | r ⊕ x, or
(b) p1 ≠ p2, or both.
– the effect of the execution depends on the value of the relocation-bounds register.
Innocuous Instructions
• The instructions which are neither privileged nor sensitive.
Virtual Machine Monitor
• VMM
a particular piece of software, called a control program, that exhibits certain properties

Virtual Machine Monitor
• Control program modules CP = <D, A, {vi}>
– Dispatcher (D)
• top-level module
• decides which module to call
– Allocator (A)
• invoked by the dispatcher when an attempted execution would change the resources
– Interpreters {vi}: the set of interpretive routines
• one interpreter routine per privileged instruction
• to simulate the effect of trapped instructions
Virtual Machine Monitor
• VMM properties
Recall Basic VM Concepts… now more formally…
– three properties (of a VMM):
1) Equivalence: a program run under the VMM behaves the same as when run on the original machine directly
2) Efficiency: a statistically dominant subset of the virtual processor's instructions is executed directly by the real processor
3) Resource control: the VMM has complete control of system resources
Virtual Machine Monitor
• VMM properties (formally)
1) Equivalence:
Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.
Virtual Machine Monitor
• VMM properties (formally)
1) Equivalence (even more formally)
– Two machines: S1 and S1' = f(S1), related by the virtual machine map (VM map) f
– “equivalent” iff: for any state S1, if the real machine halts in state S2, then the virtual machine halts in state S2' = f(S2)
Virtual Machine Monitor
• Virtual machine map (VM map)
f: Cr → Cv is a one-one homomorphism w.r.t. all the operators ei in the instruction sequence set I,
where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with a VMM.
Figure: the virtual machine map
Virtual Machine Monitor
• VMM properties (formally)
2) Efficiency:
All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.
Virtual Machine Monitor
• VMM properties (formally)
3) Resource control:
It must be impossible for an arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any such attempt.
Virtualization Theorems
• THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
– which implies all the assumptions for:
• relocation mechanisms, supervisor/user mode, and trap mechanisms
• an instruction set general purpose enough to support the dispatcher, allocator, and table lookup procedures
– which 1) means: to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM
– which 2) guarantees: the resource control property and the equivalence property
– which 3) provides: a simple technique for implementing a VMM, called trap-and-emulate virtualization
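An added example (not from the slides or from Popek and Goldberg): a small Python model of the state S = <E, M, P, R>, the trap and memory-trap definitions, and the privileged / control-sensitive / behavior-sensitive tests from the earlier slides, applied to three constructed instructions (nop, set_r, store_l) and then to the hypothesis of Theorem 1. The instructions, the memory size q = 12 and the sample states are assumptions of the example; the definitions are checked over a small sample of states rather than over all states, so this illustrates them rather than proving anything.

```python
from dataclasses import dataclass

Q = 12  # q: total size of real memory (constructed value)
@dataclass(frozen=True)
class S:                    # machine state S = <E, M, P, R>
    E: tuple                # executable storage; E[1] holds the trap handler's PSW
    M: str                  # processor mode: "s" (supervisor) or "u" (user)
    P: int                  # program counter, relative to the relocation register
    R: tuple                # relocation-bounds register (l, b)
def trap(s):                # E2[0] = (M1, P1, R1); (M2, P2, R2) = E1[1]; E2[j] = E1[j] otherwise
    e = list(s.E); e[0] = (s.M, s.P, s.R); m, p, r = s.E[1]
    return S(tuple(e), m, p, r)
def access(s, a):           # micro-sequence "if a + l >= q then trap; if a >= b then trap";
    l, b = s.R              # a memory trap is modelled as the absolute address None
    return None if a + l >= Q or a >= b else l + a
# Three constructed instructions: functions from states to states (None = memory trapped).
def nop(s):                 # only advances P: innocuous
    return S(s.E, s.M, s.P + 1, s.R)
def set_r(s):               # loads R = (2, 4); traps in user mode: privileged and control sensitive
    return trap(s) if s.M == "u" else S(s.E, s.M, s.P + 1, (2, 4))
def store_l(s):             # writes the relocation value l at relative address 2 without trapping:
    a = access(s, 2)        # behavior sensitive but NOT privileged
    if a is None:
        return None
    e = list(s.E); e[a] = s.R[0]
    return S(tuple(e), s.M, s.P + 1, s.R)
def window(s, r):           # e | r: the b units of storage reachable through r = (l, b)
    return s.E[r[0]:r[0] + r[1]]
def shift(s, x):            # S2 = <e | r ⊕ x, m, p, r ⊕ x>: same window, base shifted by x
    l, b = s.R; e = list(s.E); e[l + x:l + x + b] = s.E[l:l + b]
    return S(tuple(e), s.M, s.P, (l + x, b))
def fresh(r):               # constructed supervisor-mode state: empty storage, handler PSW in E[1]
    e = [0] * Q; e[1] = ("s", 0, (0, Q))
    return S(tuple(e), "s", 0, r)
SAMPLES = [fresh((3, 4)), fresh((2, 5))]   # windows above location 0 that still fit after a shift of 4

def classify(i, states=SAMPLES):
    """Apply the slides' definitions to i over sample states and their user-mode twins."""
    pairs = [(s, S(s.E, "u", s.P, s.R)) for s in states]            # S1 = <e,s,p,r>, S2 = <e,u,p,r>
    pairs = [(a, b) for a, b in pairs if i(a) and i(b)]              # keep pairs that do not memory trap
    privileged = bool(pairs) and all(i(b) == trap(b) and i(a) != trap(a) for a, b in pairs)
    singles = [s for p in pairs for s in p]
    control = any((i(s).R, i(s).M) != (s.R, s.M) for s in singles)
    behavior = any(t2 and (window(i(s), s.R) != window(t2, s2.R) or i(s).P != t2.P)
                   for s in singles for x in (1, 4) for s2 in [shift(s, x)] for t2 in [i(s2)])
    return {"privileged": privileged, "control_sensitive": control, "behavior_sensitive": bool(behavior)}

def theorem1_condition(instrs):   # Theorem 1 hypothesis: every sensitive instruction is privileged
    return all(c["privileged"] for c in map(classify, instrs) if c["control_sensitive"] or c["behavior_sensitive"])
```

With store_l in the instruction set the hypothesis of Theorem 1 fails, which is exactly the situation of a sensitive-but-unprivileged instruction that trap-and-emulate cannot catch.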
Virtualization Theorems
• THEOREM 2. A conventional third generation computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
• Exceptions:
1) programs with resource bounds
– the theorem limits the number of nested VMMs in the recursion
2) programs that have timing dependencies
Virtualization Theorems
• THEOREM 3. A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.
– user sensitive instruction: there exists a state S = (E, u, P, R) for which instruction i is control sensitive or behavior sensitive.
– user control sensitive: the definition given earlier for control sensitivity holds, with m1 in that definition set to user.
– user behavior sensitive: the definition for location sensitivity holds with the mode of states S1 and S2 equal to user.
Contribution
• A formal model of a 3rd generation computer system
• Necessary and sufficient conditions to determine whether a particular 3rd generation machine can support a VMM
Reference
• Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.