%!PS-Adobe-2.0 %%Creator: dvipsk 5.66a Copyright 1986-97 Radical Eye Software (www.radicaleye.com) %%Title: thesis.dvi %%Pages: 93 %%PageOrder: Ascend %%BoundingBox: 0 0 612 792 %%DocumentFonts: Times-Bold Times-Roman Syntax-Roman Times-Italic %%+ Syntax-Bold %%EndComments %DVIPSCommandLine: dvips thesis.dvi -o t.ps %DVIPSParameters: dpi=600 %DVIPSSource: TeX output 1998.10.28:2111 %%BeginProcSet: tex.pro %! /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72 mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1} ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if} forall round exch round exch]setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{ /nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{ /sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0] N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{ 128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 
0 0 -1 -.1 ch-xoff sub ch-yoff .1 sub]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]} if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{ cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict /eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V {}B /RV statusdict begin /product where{pop false[(Display)(NeXT) (LaserWriter 16/600)]{dup length product length le{dup length product exch 0 exch getinterval eq{pop true exit}if}{pop}ifelse}forall}{false} ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false RMat{BDot} imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}B /d{ -3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1 w} B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet %%BeginProcSet: 8r.enc % @psencodingfile{ % author = "P. MacKay, Alan Jeffrey, S. Rahtz, K. Berry, B. Horn", % version = "0.2", % date = "7 September 94", % filename = "8r.enc", % email = "kb@cs.umb.edu", % address = "135 Center Hill Rd. 
// Plymouth, MA 02360", % codetable = "ISO/ASCII", % checksum = "xx", % docstring = "Encoding for TrueType or Type 1 fonts to be used with TeX." % } % % Idea is to have all the characters normally included in Type 1 fonts % available for typesetting. This is effectively the characters in Adobe % Standard Encoding + ISO Latin 1 + extra characters from Lucida. % % Character code assignments were made as follows: % % (1) the Windows ANSI characters are in their Windows ANSI positions, % because Windows users cannot easily reencode the fonts, and it makes % no difference on other systems. The only Windows ANSI characters not % available are those that make no sense for typesetting -- rubout % (127 decimal), nobreakspace (160), softhyphen (173). % % (2) The caron and dotlessi characters are in the positions used by % Y&Y for their modified ATM encoding. % % (3) Remaining characters are assigned arbitrarily to the first few % positions. % % (4) (Y&Y) Lucida Bright includes some extra text characters; in the % hopes that other PostScript fonts, perhaps created for public % consumption, will include them, they are included starting at 0x10. % % (5) Remaining positions left undefined are for use in (hopefully) % upward-compatible revisions, if someday more characters are generally % available in the Type 1 fonts. % % Ligatures are omitted, since this encoding is intended for use at the % driver end. Including ligatures and kerns would make the TFM files % much larger, to no particular purpose. If someone actually wants to % typeset in this encoding, they can pick a different name, and regenerate % the fonts. /TeXBase1Encoding [ % 0x00 (encoded characters from Adobe Standard not in Windows 3.1) /breve /dotaccent /fi /fl /fraction /hungarumlaut /Lslash /lslash /ogonek /ring /tilde /minus % These are the only two remaining unencoded characters, so may as % well include them. 
/Zcaron /zcaron /.notdef /.notdef % 0x10 (TeX characters from, e.g., Lucida Bright) /dotlessj /ff /ffi /ffl /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef % 0x20 (ASCII begins) /space /exclam /quotedbl /numbersign /dollar /percent /ampersand /quotesingle /parenleft /parenright /asterisk /plus /comma /hyphen /period /slash % 0x30 /zero /one /two /three /four /five /six /seven /eight /nine /colon /semicolon /less /equal /greater /question % 0x40 /at /A /B /C /D /E /F /G /H /I /J /K /L /M /N /O % 0x50 /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore % 0x60 /grave /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o % 0x70 /p /q /r /s /t /u /v /w /x /y /z /braceleft /bar /braceright /asciitilde /.notdef % rubout; ASCII ends % 0x80 /.notdef /.notdef /quotesinglbase /florin /quotedblbase /ellipsis /dagger /daggerdbl /circumflex /perthousand /Scaron /guilsinglleft /OE /caron % Y&Y /.notdef /.notdef % 0x90 /.notdef /quoteleft /quoteright /quotedblleft /quotedblright /bullet /endash /emdash /tildeaccent /trademark /scaron /guilsinglright /oe /dotlessi % Y&Y /.notdef /Ydieresis % 0xA0 /.notdef % nobreakspace /exclamdown /cent /sterling /currency /yen /brokenbar /section /dieresis /copyright /ordfeminine /guillemotleft /logicalnot /hyphen % Y&Y (also at 45); Windows' softhyphen /registered /macron % 0xB0 /degree /plusminus /twosuperior /threesuperior /acute /mu /paragraph /periodcentered /cedilla /onesuperior /ordmasculine /guillemotright /onequarter /onehalf /threequarters /questiondown % 0xC0 /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla /Egrave /Eacute /Ecircumflex /Edieresis /Igrave /Iacute /Icircumflex /Idieresis % 0xD0 /Eth /Ntilde /Ograve /Oacute /Ocircumflex /Otilde /Odieresis /multiply /Oslash /Ugrave /Uacute /Ucircumflex /Udieresis /Yacute /Thorn /germandbls % 0xE0 /agrave /aacute /acircumflex /atilde /adieresis /aring /ae /ccedilla /egrave 
/eacute /ecircumflex /edieresis /igrave /iacute /icircumflex /idieresis % 0xF0 /eth /ntilde /ograve /oacute /ocircumflex /otilde /odieresis /divide /oslash /ugrave /uacute /ucircumflex /udieresis /yacute /thorn /ydieresis ] def %%EndProcSet %%BeginProcSet: eka.enc %Eddie Kohler Accent encoding /EKAEncoding [ %00 /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/fi/fl/.notdef/.notdef %10 /dotlessi/.notdef/grave/acute/caron/breve/macron/ring /cedilla/germandbls/ae/oe/oslash/AE/OE/Oslash %20 /space/exclam/quotedblright/numbersign/dollar/percent/ampersand/quoteright /parenleft/parenright/asterisk/plus/comma/hyphen/period/slash %30 /zero/one/two/three/four/five/six/seven /eight/nine/colon/semicolon/exclamdown/equal/questiondown/question %40 /at/A/B/C/D/E/F/G /H/I/J/K/L/M/N/O %50 /P/Q/R/S/T/U/V/W /X/Y/Z/bracketleft/quotedblleft/bracketright/circumflex/dotaccent %60 /quoteleft/a/b/c/d/e/f/g /h/i/j/k/l/m/n/o %70 /p/q/r/s/t/u/v/w /x/y/z/endash/emdash/hungarumlaut/tilde/dieresis %80 /Aacute/Acircumflex/Adieresis/Agrave/Aring/Atilde/.notdef/Ccedilla /Eacute/Ecircumflex/Edieresis/Egrave/.notdef/.notdef/.notdef/Eth %90 /Iacute/Icircumflex/Idieresis/Igrave/.notdef/.notdef/Lslash/Ntilde /Oacute/Ocircumflex/Odieresis/Ograve/Otilde/.notdef/Scaron/Thorn %A0 /Uacute/Ucircumflex/Udieresis/Ugrave/.notdef/Yacute/Ydieresis/Zcaron /aacute/acircumflex/adieresis/agrave/aring/atilde/.notdef/ccedilla %B0 /eacute/ecircumflex/edieresis/egrave/.notdef/.notdef/.notdef/eth /iacute/icircumflex/idieresis/igrave/.notdef/.notdef/lslash/ntilde %C0 /oacute/ocircumflex/odieresis/ograve/otilde/.notdef/scaron/thorn /uacute/ucircumflex/udieresis/ugrave/.notdef/yacute/ydieresis/zcaron %D0 /section/paragraph/dagger/daggerdbl/cent/bullet/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef %E0 /braceleft/braceright/backslash/minus/less/greater/bar/asciicircum /asciitilde/mu/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef %F0 
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef % LIGKERN acute A =: Aacute ; circumflex A =: Acircumflex ; ring A =: Aring ; % LIGKERN dieresis A =: Adieresis ; grave A =: Agrave ; tilde A =: Atilde ; % LIGKERN acute E =: Eacute ; circumflex E =: Ecircumflex ; % LIGKERN dieresis E =: Edieresis ; grave E =: Egrave ; % LIGKERN acute I =: Iacute ; circumflex I =: Icircumflex ; % LIGKERN dieresis I =: Idieresis ; grave I =: Igrave ; % LIGKERN acute O =: Oacute ; circumflex O =: Ocircumflex ; % LIGKERN dieresis O =: Odieresis ; grave O =: Ograve ; tilde O =: Otilde ; % LIGKERN acute U =: Uacute ; circumflex U =: Ucircumflex ; % LIGKERN dieresis U =: Udieresis ; grave U =: Ugrave ; % LIGKERN cedilla C =: Ccedilla ; space L =: Lslash ; tilde N =: Ntilde ; % LIGKERN caron S =: Scaron ; acute Y =: Yacute ; dieresis Y =: Ydieresis ; % LIGKERN caron Z =: Zcaron ; % LIGKERN acute a =: aacute ; circumflex a =: acircumflex ; ring a =: aring ; % LIGKERN dieresis a =: adieresis ; grave a =: agrave ; tilde a =: atilde ; % LIGKERN acute e =: eacute ; circumflex e =: ecircumflex ; % LIGKERN dieresis e =: edieresis ; grave e =: egrave ; % LIGKERN acute i =: iacute ; circumflex i =: icircumflex ; % LIGKERN dieresis i =: idieresis ; grave i =: igrave ; % LIGKERN acute o =: oacute ; circumflex o =: ocircumflex ; % LIGKERN dieresis o =: odieresis ; grave o =: ograve ; tilde o =: otilde ; % LIGKERN acute u =: uacute ; circumflex u =: ucircumflex ; % LIGKERN dieresis u =: udieresis ; grave u =: ugrave ; % LIGKERN cedilla c =: ccedilla ; space l =: lslash ; tilde n =: ntilde ; % LIGKERN caron s =: scaron ; acute y =: yacute ; dieresis y =: ydieresis ; % LIGKERN caron z =: zcaron ; % LIGKERN question quoteleft =: questiondown ; % LIGKERN exclam quoteleft =: exclamdown ; % LIGKERN hyphen hyphen =: endash ; endash hyphen =: emdash ; % LIGKERN quoteleft quoteleft =: quotedblleft ; % LIGKERN quoteright quoteright 
=: quotedblright ; ] def %%EndProcSet %%BeginProcSet: texps.pro %! TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2 index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub dup 0 le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def} ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict end definefont 3 -1 roll makefont /setfont cvx]cvx def}def /ObliqueSlant {dup sin S cos div neg}B /SlantFont{4 index mul add}def /ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def end %%EndProcSet %%BeginProcSet: special.pro %! TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{ /CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{ 10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale true def end /@MacSetUp{userdict /md known{userdict /md get type /dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{} N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{itransform moveto}}{transform{itransform lineto} }{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{ itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{ closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 
-1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp {pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray} N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict maxlength dict begin /magscale true def normalscale currentpoint TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts /psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{ psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave normalscale currentpoint TR @SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial {CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR }{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse 
CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath }N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{ end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin} N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{ /SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end %%EndProcSet %%BeginFont: Syntax-Bold %!PS-AdobeFont-1.0: Syntax-Bold 001.001 %%CreationDate: Tue Feb 13 19:51:34 1990 %%VMusage: 26366 33258 %% The digitally encoded machine readable software for producing the %% Typefaces licensed to you is copyrighted (c) 1989, 1990 Adobe Systems. All %% Rights Reserved. This software is the property of Adobe Systems %% Incorporated and its licensors, and may not be reproduced, used, %% displayed, modified, disclosed or transferred without the express written %% approval of Adobe. The digitally encoded machine readable outline data %% for producing the Typefaces licensed to you is copyrighted (c) 1981 %% Linotype AG and/or its subsidiaries. All Rights Reserved. This data is %% the property of Linotype AG and/or its subsidiaries and may not be %% reproduced, used, displayed, modified, disclosed or transferred without %% the express written approval of Linotype AG and/or its subsidiaries. %% Syntax is a registered trademark of Linotype AG and/or its subsidiaries. 11 dict begin /FontInfo 10 dict dup begin /version (001.001) readonly def /Notice (Copyright (c) 1989, 1990 Adobe Systems Incorporated. All Rights Reserved.Syntax is a registered trademark of Linotype AG and/or its subsidiaries.) 
readonly def /Copyright ( The digitally encoded machine readable software for producing the Typefaces licensed to you is copyrighted (c) 1989, 1990 Adobe Systems. All Rights Reserved. This software is the property of Adobe Systems Incorporated and its licensors, and may not be reproduced, used, displayed, modified, disclosed or transferred without the express written approval of Adobe. The digitally encoded machine readable outline data for producing the Typefaces licensed to you is copyrighted (c) 1981 Linotype AG and/or its subsidiaries. All Rights Reserved. This data is the property of Linotype AG and/or its subsidiaries and may not be reproduced, used, displayed, modified, disclosed or transferred without the express written approval of Linotype AG and/or its subsidiaries. ) readonly def /FullName (Syntax Bold) readonly def /FamilyName (Syntax) readonly def /Weight (Bold) readonly def /ItalicAngle 0 def /isFixedPitch false def /UnderlinePosition -100 def /UnderlineThickness 50 def end readonly def /FontName /Syntax-Bold def /Encoding StandardEncoding def /PaintType 0 def /FontType 1 def /FontMatrix [0.001 0 0 0.001 0 0] readonly def /UniqueID 28002 def /FontBBox{-166 -242 1008 918}readonly def currentdict end currentfile eexec 59f63f2125b33cd026dd3d81743d42b1046f118c1e80803141cef2c09e47cd73 aaacf7532aceb1dc04760ee682878ba081b1d45873150d6816144e9ba0c81350 559fc4c4c38099804b8ad462d7b30a3c128a36449a89a89674813e9e6689684d a60aac58d1cf66efd374e33f7d5857e194813ced917f272b313b47892b5db5ab 3a04cdd5330ed82f5cc90a3af8f4a0430a8acc492e24b28150159c539c72b697 832e7e577acc7d3bb08a4e7569f8692fb077873cf5d3b23a3c0e988cb0299886 71f6780ee8c82bea324e8a5c4e4e2f58a3c25605288078bb6f301aa174613778 c96f8560d8484661d5ce26ff2b0115f2f28269c329ee02ccde121071b758e931 45de18996d221de77a26e3536fb39564521726257056e14c444b2733e6c510b3 85681c0c63ad644b5c1e2181516944a367a938fe414f9b775a5ff0661e6a2c89 74ceb1dc906b369ad3146122b19dd30cbb6b95a83de7e4494a500b7512a3cda3 
091e676c8465c974919ddcaae69d84c31970037d0e1c70f84f6b9736c11ea6e4 deb1f7c05e7c3dd92f419e3630cf3b6ac5e867bf7108b31f259e64e927385598 2a3951333260af19a8f655b10a284f16d9ca86fc2c817d81b729f86d79453549 1daccf6d122a7442c59a9a5bd15e49da965a12a70f0e581674584b843924a6b9 59ef52e32af8734d6bd24bb4da197c14a816fcce6a40d026655cb0a4094ec617 9209b30f9b93e74f5e019ad044675d6d4020c81227a58b3c6730cc8b70787fa2 c153b5ab6d4b2cc27c9b71cf8b47aaa5b77c4211ab8e6a77ea079ad969c352bc 4a6a43ad5c6696ce56d8727455c309c230597b0bde7ee1379ecae476e631cf4b 7929d1e42965b04f5f03822228dd52f4b7320c272c3914daf7abb5727bc8d30c 41eb5c7482831291a1a7351d228db526aa4f26e083a8d56bbd86164de8bf970b 992e7f0710633b59c2c582762ac48aafd068563ce8aa8b6a32f64e66e3203e4e e8d5c74ddad8315ed4342394f7ac8b643a8b44c1d184444d6dd3d6b45a7cc367 b5bea5d8b1e375452050dcc47fef6c7cc198568e3e7e301c6a7e891901937321 c185c816449c52a592c2055a7df4ad4a152256de1f10edefcc09d4627b6b58ee c18cf6848f8c82ec72a4b2e67899bfa6b10949f3e00388643a2d24f50e572d87 49b30b385a0720091a2b211a10241dfb7e61b3fb88dbfa22a30f427d06129610 4a2abac82f2b87b028a9af08006a4fcb9fdbd94c90a072aaa3faa32d92c0be43 dc465d36548c4c6da814e80ebd64092a555715bce72b5f8cc904f126151681fa 46e7d4a22002f27fb38ffd39a9e07ead6c933ff5319ab034744f93638e3cd178 251f03d4c7d8f83b0a9bbf610ecec43fda4db77ddfb680e15b2b4380727ac19b d1980bc5128300bcc4a5b31518a42320aff1e5eca72d08b5ed227f360a587ad4 21d547c329ae5b7bac450af2f2e848a2b5654511cb5e63c7b95c7c26004c4204 fa46fef42a43e212e6eb283ecdf1aa07205d83338a908f9268637882765c3628 2d9a899c699cee6155483183c450dd93e843515f8f8f17ae5844d7aa451b7c68 9848ff4a0385a9d60e6759d3f1db872a5dcc9df7b1efd1fac74fb1566de68f52 afb879a629916185ea7cef859e0f519a08dcfb4f8b161e45f418109bf259bd44 93186d0cb354fe1e9a2e841e9e9052c44290c06049943b708c5be7326178c51f a149a97e6daf94a796fe047bcf12e3d6fe006cfab81ff1e2b27ca6800a6c2f30 975d1393d57f6dcd33b2a58dd39c7992936ad177ddfcf56be7e87547cc948b6c 79606f52748d3896755817e6a2dd86ed2ccfd7608ec7be6f38b6fef347eee1a9 
9347aba30e410531a46a8314115d66c4f00e602bb63dc5caeef0fb1b5b38b75c 32698b10ceb533a8fd5579f068aca5e6f2342314824f81c80922ddf9347b0109 fd9501ea671daca4508ec1f264569434e02e947a6770e0180cc5fc9fa2ec4da8 f4ada6e751cfeb612afaa77634e16509813739862781b3a22088e61201941d85 f96353bd75b8f72fc9013a60e291361c83d9e7c1e93e0f93028f1bde35e22189 c5ae6077a447082d85391ff39971fec83e81126ef56ae872efa7db885d2ad2f7 f48acdb41f929d3d7035f8b2ef15925af6181def0e09b1ae63c2ac5025af233a 7f377350e7ec586d2765475ae7655d0b32715dcaf3101e73cd8da4eaa97bcaf3 d28a66c6a4a4fef38fcaec1f4fd3143370b547b0e4e39f519d1e020c68ffc786 a2363bce397fb29266401e04f5cc0439a7366bd8eb57ee5e794a78b3fea93359 e3e9ded11aff0cb60c902f4564eb2aee7ec99b46b4d5c91031091be6b1d2cafc c1a28dcb5d33f343161342b1e0cb9294cba59b5e22f62bac8be0c8f0082d5215 41727c71bd59b31db8d1df666850c684c879448c786da84a723ead3dcc2299d9 b141 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 cleartomark %%EndFont %%BeginFont: Syntax-Roman %!PS-AdobeFont-1.0: Syntax-Roman 001.001 %%CreationDate: Tue Feb 13 21:12:20 1990 %%VMusage: 25174 32066 %% The digitally encoded machine readable software for producing the %% Typefaces licensed to you is copyrighted (c) 1989, 1990 Adobe Systems. All %% Rights Reserved. This software is the property of Adobe Systems %% Incorporated and its licensors, and may not be reproduced, used, %% displayed, modified, disclosed or transferred without the express written %% approval of Adobe. 
The digitally encoded machine readable outline data %% for producing the Typefaces licensed to you is copyrighted (c) 1981 %% Linotype AG and/or its subsidiaries. All Rights Reserved. This data is %% the property of Linotype AG and/or its subsidiaries and may not be %% reproduced, used, displayed, modified, disclosed or transferred without %% the express written approval of Linotype AG and/or its subsidiaries. %% Syntax is a registered trademark of Linotype AG and/or its subsidiaries. 11 dict begin /FontInfo 10 dict dup begin /version (001.001) readonly def /Notice (Copyright (c) 1989, 1990 Adobe Systems Incorporated. All Rights Reserved.Syntax is a registered trademark of Linotype AG and/or its subsidiaries.) readonly def /Copyright ( The digitally encoded machine readable software for producing the Typefaces licensed to you is copyrighted (c) 1989, 1990 Adobe Systems. All Rights Reserved. This software is the property of Adobe Systems Incorporated and its licensors, and may not be reproduced, used, displayed, modified, disclosed or transferred without the express written approval of Adobe. The digitally encoded machine readable outline data for producing the Typefaces licensed to you is copyrighted (c) 1981 Linotype AG and/or its subsidiaries. All Rights Reserved. This data is the property of Linotype AG and/or its subsidiaries and may not be reproduced, used, displayed, modified, disclosed or transferred without the express written approval of Linotype AG and/or its subsidiaries. 
) readonly def /FullName (Syntax) readonly def /FamilyName (Syntax) readonly def /Weight (Roman) readonly def /ItalicAngle 0 def /isFixedPitch false def /UnderlinePosition -100 def /UnderlineThickness 50 def end readonly def /FontName /Syntax-Roman def /Encoding StandardEncoding def /PaintType 0 def /FontType 1 def /FontMatrix [0.001 0 0 0.001 0 0] readonly def /UniqueID 28016 def /FontBBox{-162 -252 1000 937}readonly def currentdict end currentfile eexec ca1b70ee20c79173943effe588e6bcf48359d5e2eac695c74473347cc362247c f7c90c67a5b98be3250135e0aaab3a1f985d00d66c9dafc68358e1ce17ef17a4 f5e0df3b807e01666f07b0d2514b3dbb841ca968cf83fa0e945d6e0b5020511a e814c6e6fe05baf1b45ec589105a2f69933550fe1185e09f9cde9bbc3e333869 e34d7325209842bff3aa94a980f813ab88b727dd8b2372b97eb5d3e628d52f8d 1f5c15bde0dce9aaa871c9cf973d231e0d85f46493aad624bb9f49769c5ab09a 4bd13730232e80acb970f66ddaeba5f5595d5236ebdaac2e596931a357cd7337 50aca5b11de65b4bc4d24aa0be709780a50f39df524f3488833a83cce5fc9df0 6afdc109571f7266456be9edd8091a44386e1787e9e9fd0d34f3292d4d648083 00a5700f2f9e394bc4b9f23ca437bb9bec44f8f7fb0d7de6017b0e94b28bd4d3 d1dcd48e459c6b6895d8109cb32363675c95f249004465b7f9cf98d2e06690f9 121e0d525d6e5cd21e61d08c90288968dbe2be652d8a79a3c3369212688e34f2 ccd8d6a8b0771fedbb6ece0fe7a894ffb1d5be027e69c134f4194812f2dc7025 cb85f7622b4482577560d6a103297898a29c024a00fbbc65242cb752d807b585 94516106fef99f5a913bc2874dc4406e3ecd77f68a4b540235f24b5c8afbe05c cebe06d16fa35bc57df09d48f3a36fe9ecdc746e81aac18549db05b77069fbcb 71baeba7efe2166a654edd9be394a98bfb1c70a6ff97297bf2996e870f0b5be6 63568a1550139733c065a490f8ceadad35058d10c5adf6026b8c879ebde585f9 0544931b55b084918cfc102ae8263e1eeca8d0ec14d9cbdd1979d9ce9f6659e6 50fe794b8486fc8f4866957e6ca67ff183232d54e7ea99ae40ec2d7ca95c4ef4 b6a2fe3565d146215dc23460f925329f61986bc3af22c7cf102e9fa94464c4f2 750f9bae04f77c8619af2cdd623a68291b5087ef4e3520c4768eed6e3b1e6e62 825d76c7b2aa9c2dbe630573381171ad30dd5333266408b9092056014d672fcb 
01a0076d2b3dfd26e23b616c7939ebc655568300893362194bdd20026e6dda2b cd8bf1629f684fe3ad968fdecb48d0707d9ccdbf7d68d595bc598d4df3f09105 0bc814ca3304037c111999ec4cabee782c2ef9ed6f39c86720178248d3663e51 635f223ed5f7e7086ff5c10d884b5cbf0300afdd0052b1938546a3b83c633e46 1eb5a27746b0f3f1b8fe28b04e8b02e28b43154084ccb97a664acae5658e114a 4960727d2af7cc179189bbdc7b1a967f07a9206eb27b1a341f5c2e2649297424 bd356ea9dff90a5ea3939a2f3552a1bdadd9f43d53fa7299ea69b56e058df669 e97bc699291604a65ecd2bc1083e3304e56febbc9d5274fb1d8df6bcec80be48 8776ac499699bbaa32dca83c29f963eed520f370bf7b4bcb8f4f8f579dc7be3e b502a36636756330763d93ef803cad606174b0acd60f0dee966cf2df01098119 8ff3d3e2b87c34a0018ae40a0bd916c651f38e01cbf80db409c705d6030146c9 1742f96a547252b5a86e3f284f8e2889ec29b1c4b219bbeeac5880d5875e44eb 877c6996696114ccc182f4d475283369fa45ce360c7c51d474027e200a1f3193 be163387837802ad752e4f8ad481164572c380ca89af2c07d3aba2cf401e5e4b 667bcba8353ff2e949e2c099e3185b0a791502be44d6d11cae7d8522a5ee6d6c b717e8ac603c6b75477f07f336baee489f7959d0a6339e06429ae002f3b71c2b 35cd33953c5fb157d8fbbe029681b29d6151b941f0ecff6c29c07ab0fa852538 ddc400688065109ece0d825f5077f6afc9288fc499e7e829ab36a40a0f848f73 61a399622acd8f7cf926f45fee85f68ddf09481f93938f8c975b359af17a82fb 24b98bfcf96ea787de997ce19d37cf6001718d6650f7d44ac45bd8a1ca96791e c88e80e0a14853d65e3c8feb7d7f45eec247b5a15892d6a4643cb840d01a12f5 eb19c07a621ebc02ab85f1453fe88c13a7180d843771c771fb9b55de8ebcffa6 b2186cf1ddaabdadbd1eff555c670c9ea79965a81c7da3037c09ab9d8cf8f87d c09d688121bf0c5b5bbc488a5aea349baaad32d96ce2e14e5d1a008a859096c9 2b208b14fe52622e305d513020ed47eb2c4451f40f7b4a2a249f01864967aacb 6cd5bbdf84c4e664e0ac5fe4dcbe409668efb0e333ce16993ff87a92b19a3ffb 412366d2edd758ab2857990be78de3ae6dd32912210875d56ca5351b2d566a8d ed7ce11f78a6fb7b262acc1b2036139d4b5a0edffd8e22c8268aec49dfa5fc10 5bc1baae367915e263c7585a00149860419b449e7c3b067b27037aefe554e6fc 1442b0c5aeefed63f5a83b99ee5f37cb551692ba03e838b970014d613dc944c7 
6acd1dba92f2f0d3c77726a6bece4ac76d4463a99675c3d26f1f2d2acdc7705a f034af198e2c3e7fa8303ab3804fe0746ad1db23227ccd9cba3f3847ec9383fd 46c22dede0d83cfa439c60ec83e33cf9138e6969e75bf02317f2d9fc98c40fa8 2a3a6e6270eb97ee5fbcc26fe38d71e90de5650b3eca64cdee4eef1b9280403b a03242467aa774b2812d6091abc7ded4c49bb9231ca53e704906893a411ee910 cfcb78b10ec2c5231a0af72c9c925f3aabcfd28b3bdbd2e68b819740cddd6618 c5b2ce27aeffff940b4dff5210bd5c84291438ba1973ed362706dc46f7f8d64c cc6abbe13da2f9d5424e9fd67f1818a59ad05874904602ddc56b1b7fdcd4d822 178ae769ffabbebc69e6497d2b5d9ec1a987bf25f8462d1a6b9a83e5891d22c6 715ff27beae86aa0d5f8869ae60cb3da550df45081627e4c4e123b8390fd632e 8b6bdbf90c69d8cf701032db91a6a57b8eca8864453c1abb9f7433b9aba911d1 9232046628ce4516498bf8c1cb6a19a40f54e52dc73953a0f221fc419f724349 db4e532bc99ea4bee9a51e190d01dccec29ef899a5e990cda82a2973003001ff daf0dba662b9f2ba7b6cd3054a76d8603b8e375a3fe94bba35da908e45280658 8fa64675a0240e51154975d101b34ca94ed42182b392e5b4e23808dcbb9f3145 e54e1985285cc01beb26c5654c40ce1cd2c00f91075314172210979fd747384a f17676f759082365bfea61971ad896097f29bb95de25b164f92ecad5e110f89b a1f5de5a8a8739f1c6f0961c93f843795433f0692e2db487a3ea8486911f7358 382337ce01d4eaa22d313db518f480d2e26f40b7ff5a5c72261ee1e69eebba49 a7cdf38032a5d24c1aa313a23eb9419cabef01e8a4c5e5191f627883a38f0402 6a4e4ae68bee5971262d46a301d1b1d79b37c649ef300ae1202181d321741e62 d1afba823f0e815fe471f47d8757841d5fa1708eca7f5c2d464ac16ee5c1099f ee65fbd8a79e6435d5c9efa4ac85643b0aa36d5a1a21ab6a0e1363c5c8df387b 1cddb1df89522e7d41c3fd0e4413dc1e5e2f1434015c49bb60704a69ad562a4d 800e26df32eee33c1cda8183fc00d5e8f676902e9a2579efa01d363e7b255404 468ff6a49fc018928f8cdedd12f2b8ea245646d108e8f1261129b4ae9a0bd0c1 ff59277d1454358a1a09d1c78fd603ec22be4c1c4ed7f04e70f4f8ebaf679c55 17128499a82ae4595ce799b6bd9eaf7c01f5705cd5f26a74f7a8d5a62b601d38 1b5a597ed106d56e04d1009c57d2086cb3515bdd021509a8eef032a79ce96393 05a0720621767134a5023e8e3be6c4a4ab80ef6c7aceb1aa06adbe7fa2da5c0f 
1332b0c786d28351b7bac342b8625d5b99ad9d90c34754723f111501aa212778 c56f8d970919c31226c903803c58303a82ee7e6ed9264d4f516b289bcb2cbace 6b8949ee5b937a8901089b3795a9aaef287a365c9996adede43e477cb7b0577d 3f614770368f7468c44fd6eea41c51a1240d52145df4603049ac95ad053a7a51 9348fa4f8c38db8b98a2da585c83533fe339a102fd71c247adbd618e6d214abe a30fc656dfc7c213fbea06ee42bf0489cec2cfa555d2a48e2a7f5cd617d577f2 7ed9750543feac4eecfbdb2832d85d2361af628bbdb47f6eb5b0bebccd64dfbe db1231f799986b9c94a65c2816c73909d42e29a509efd1dd95c2f4ca34931bbb 91f5ba2a12956f596e19c9e376830635420557a906b07fe445c71ab3b85066ac 4ca4f4a9f4b09859b9bf2b36f2e2c2587b4f605a20bf889347e3ca36efca30cd ef35745e258e35583e7ff4ac42e39e400a6f1920d9bebd839b24e126787d1a85 6af95ce624ec5b1356d764b10b5f14f6efe4272da8e290555875b47475e94c77 865dad404f69a38c8fae9d20329cbc5f3fb5224a25ed440b355861da8790e39b e103c14f4bc6f3a76ced7408441f03e9346bf48273450522c5a9c95e8baa11a8 f0ca6d9f4c5b428482d66a818e1c97c194e14b7c2f2c2fc4d49901c97a964eec 137ca76329b46e8a300b4f6af8c00682b9bb4146d07d84573a520f26c5ef2ff7 3cf7078af0cb4cea6b051899923959f740a912cb523210cf1a2475916807a9b5 68dfec755d219c281025bf7238ecb49e4597a2eba1df41b3cfc27a9c659b1bcd 733fc304557ca32755ac5fd25263eda17274f62a7f95c6438a883bde0b9f2c9b fa63e83725a46b95e6ca8247a1cd23aa9310dafa630de0eea86328f7cbbf38c5 c5bd40edbb97e2fdc07ea750ad802120927630220cade949a5b79ec128da3085 151fc7ef0ee9df694dbbe47e415cec4cb98a1a6d33d9a0eb7251c427f9f8d0c0 ec8899a7d1e5eb23dca67d945d6895620a92aa25ba589d9aaf82c4663a3e4947 cf5bf35d00b61264bc6ca170a2ea98c5e80f3008b0f5d65bbffe2c9e37fa148f 0bf1234532d578a3e3be30301623275b9e2cc259757333927c98fcd33705a953 39b404434a253dd6dda6616e8c4e6c26b340d5aa751fcf474ff632b5362834fe 0cab9dab12801e17f2be20d07646b8f4eab9356fa39a4ef45fd6b56fc5b593dd 4727577c4175005ca6544bb654e2157e67557db1a5c3768fde17de2088c32a5d bca2f6d706945b83ba57fd62c31dd41cf47342279b1711c64924d43d18962753 97886b7f9b09016c2c960b0587e8f3721c06a59fbba137c2182b42ba0ff21f0e 
da11d3142a9db46ca3c1d47231ee02ff8723851110a67294ccef1b6ba1ecef5c 66d764978be9d3d9f365b300dd49dad3d8a05f900274de535a0e19adecb260a9 ed09d6fd1818eeeca811c2af6a83a342eb55386bfd241bdc131cff0de73e580e 68c83ced7e27b46e665fd564a51b3e602e392d96d9237d80cad1cffdb3001d47 affd0b0c68bdd042329771e0482befb1750af89c24882415087bacc79c9754c4 e27eec24fc9c223302e76c486d50949425d1529e14d914c9d6d6fbbaf7edefb6 da88d2dc16fa86416eb67d2754fb065d2fb8a490c950ff790588ca6ab1351f0a 446a25b1099d3cbc673761a5bf746567a8e04f02f649f2e1e279d8611dfbd082 2622b7c856f14cf9522ff94a437193bf8f0d16dbb0effeb83714c8a4d8de9c63 7ff3e7bd8c763d51a84d0479ae81a07f06c20875009ac8df24b4f0459feac711 631aa40af71623aab40e4f3cf193f9f3ce4b1185ed789f03ec7d9abff56d9611 ab5358614c4dfb98d39d0813623d4f651bb121ea39cbab540c0815df8bd0448e aed22c348f24fef9d2d9ec3a61975d13052f74167b32aab90037ab90fed52717 6b473633ef661a834e5fbd4daed3f953926ffcac799dea617df9683f98692fe1 1f44887257108649b80bc1fecd6a99cac0fca06477c0e59fd7c5bac359a196e7 119c60e3f978f7038d91fc79c8ba1b607d04156113877b4828b9d255ad3dafe1 bb72b0fbb88d6dad7a3eae2e324b0ae8b22dcea211e14b06786bf6524d494edc 66452d8c9b9576be84af95b50df9493adc2c059db408b7b0b062197f36499a82 ff793137bd31b9a8232843986671694b1233a459fedbcc9d8b1418dd23c765ec 014be2d7810b2eecbaeb13e05ea52259949f966df2fadd240a67195b247f61f1 e932a99118a46e3414532578d6798584c0d34a03b0b3a00ba43d23abe84046ab 4ace0ed98ceb81123d3e6ff7a05eae5864472240224578fd8db0c88c88a60c10 3cc777c844973c8630f04ee9888a16e4fbcda85eebb8ea2153be9d6dbee91553 c2755a08597257be5fd533aa018680a95dbcd8a5d2618f467f3a1fdb22e79af0 d8ffb5e57d03e2b15678f16e928625efbd1ae1574f9a8a09704d16fa45762bf3 ca563db5cd8325c99a0b7cec06b981b9bf8c3cc88b5c64d8abbe1471621fa58f ecd828306dd2f99e3da964c497d1e8b4fdefe623f7d59449f63134060a155d99 8f4909271788205d2da3fb41d60d9a2b72cb038bcbe19034dbf842b1783812e6 e49bea01714aaf1e8e1dd4b379db588cb7eb974ec216119e83962d8705fcabc5 f8a4bc8f077a05f08daded188dd5c61b3c2c8a3286a0685c8c9f084bfaf74f2c 
242e3103c565d5874c781cc8389a48ef8e919ad4491f6ee8b8108731454dffdb 89cdc8cc62d2a4030720c472dbce69db0ae6b82a55442cadd116e52c389485e6 57cd9b55a8a3359464a7c99c33345b0a376073847d6850ecc3fb16de22e10903 dc56d66e67353be5f7d9912eaa45c642169d536c5e91dbac58306f42977e82d7 4c81bcd08431b7d40d9d28e51d793fc5f14c5540033a68b27e04c2353555f5f7 65792374c051d37fd84d4fa57f671e364fb85d737b443b808d18d154e23f89ad 88d00139fe70c6647fae44c3d2ee7a7b1bc7ef15a8135241e960d27b068d1a22 aaa69df3d4f724ee4379f5576eeaf51f2aaef3a72bba7290c41960428f77d95a e83207d5559ee0a50aa9cd0ce18e72dc3f80f6ea91c9bfed304dd1d2d70aeda3 1e19d8a692076836b1b00f23edf954568d357ab352deb907cacf0bc4defd9d31 9fcb78664bc2c2d38bff37a98f980984beb75beaeaaa33eab8e665aac769d8a0 84da628d25dad6da5c8ca2ec3cf3a15dd9e6e1589e5760f9d9c179f7c58873f5 894e9fd0f56cf203dd608ca13f5d98e5cd60ad72b857b150cb23f126e2ec5d0e 21fd4c8271a069fde4b619d26bb39abb751c5695ae3c6f25a488251072aebd38 5e528e404d1d98e904c2a132f5469ac095ba73f728d6a96750c78782bd9aa9be 9d7ac247eafbd51668f5a30bc90b3242f416489a29b63a99ad73c344d13b0712 567815158cf3d5c0caea689efdae46488898b16670e6460afb39efedc7cab987 d451d5a5a02c13b1c8d669614d2b7a58e261362b5da09d48b1c7b7d51b26ea8f 1ac69f357270f5b8874c14f67af78a7a8a0911417a825dd8574418216bf7d296 eda7b487a6bfb6bf6566d4ad3cdcb98ded5304a4ab67dd515cfc73dffe5376ff 913ad5f5fbb5c8db22e2996f582d366f2f82d8503a6384d487f02eeef8f44ec7 5a2358158a29c3006bc2500b83e39285798f997f9eb287942051e67c720448c1 83e88a257db29b4417802a134d789a35942db3e6780402673c3748d4314f0817 b603318cf0764b356929f4347c59d878edacfe028ad45acf1a8171f79b08b89f c3fbedf7aa65b948927c067f95d9af6e2114bbc9a798c13c877f37500a039632 2aa379a1f1b6a7ff4a545aefb23699e5cb975dba9ad9f0117a90a5fcd942c3c8 29b893e68dfa7059383d5e698a84a4b0278ebd8f660451688be36025af8755e4 9004fa01b9578ab41cb0118347b4e4267468e0cf9ea8dd5cb404b66de4470182 04614a13b74d23b15620f46cb451bc836c9ec43eb92870242fb79daadde40243 8e0c1c53606309995bb7d4926f042cb2a33a1439b50606a88cd1a436189ab0e9 
c53faf018f9108a54e8dfb99d5fcf58ce367c15679e660e2f825a55ef48d1725 2b76a9af221d248693f29c8b305896a9bceffbd36af616b26934fd7e0f4ea9e4 1568a5fcbd77d43352d02838893fbd7ff4f71fcfd3d994eba99491c73da8b82a 5cd2ad8121711109cb9e739ec553388ba2d6cdbf884647e68f8362d0766f1ea4 a298da35763f5b082a2d20a53b00dc7591738033379d7f1cf8d4cbe5e66a3490 3ec00292925b0c6edd57c066cfce866177c759bb24dab3af4a65e4e30cbdc5f5 5f0712fe2c4ddec84a012758205dd594b35f1dd46ed72830a79aecbec5653090 31b643bdc14a593a071496500256f0557c33ca7c0025c9706c1596e9616e1d56 c4153feccba95c7bfdc48de6896f70f3fd99c82d34a30d1f2e4e04540d5d8d86 4fc1ab3461ec995db117680206ff6db7335cfcc7e78640b6e9eba917c9310547 a4cdc5fc146eed97964c32f0f54eeb0c25234f4a3b504334b0be874e2f461796 5fb777a899a99ab75bdbd3984ce73b784f4b34d4fc5a390d427d1efa4b16e090 f2f64f0d9837e515ede931d5ac23d6dad72f0aa6769062ad5006ae64700fbd9b c00467960b4268921a72369a1cbc4a07e11185e2b7128184c77ae24d826456bd 346d1785028dd1d227d45fd433e4a311323e5f2115b8e5dbf2e9655ab75db32f 12500d57f8e3502ce8581c360f8ae5bcbde1180cab6feb3a146ff708c6a54ed0 066362c59746a72518959fe5b86afd2e9e849794bf32618e601ca102599e7027 66a65336b814f2b018c9df890d1c4e2d1e3b66c138417b81bcc6427f04906414 788328db19464b11b5341873200477131fb467982a09ebb279a832714970f39a 1f71c7156113e663effb5a1c1464c3cdbbedf7d1e7f7ea36610b0e7b9bc1fb65 4e06d8829ae50a83bee61e8f76af2e65fa68d7036754af1c04bf00408b593d6e 1e52eb5a0938ceb54b73943fa6c32de99ff4b50ccc5d8da5be18951465a1e395 3fa395534bfb6dcb57f41460c41ca7d134c2f2c1ac660200f456a47515926fb8 e0085a3d5e7abb6118065d2f2ab531783b7591ca9c85bce2ea78d32e25744abd 2fdda34aec940afffb84c14902f1b74e430519de2423260b820ed8008017a82f 335b9ed81053ccd3c9bd0b3e78f02c55ae8df1a061a1a7c6313896330d673717 89fea290b8b181884a8f86d7c40ba2272f1f9e5fc65e07e580e2586a586a54e9 b8f5d201aa5a6a6b93632647c395f6511151ea6bbc486a4e109d69c13cf507c5 47d514bbc648ddd48bda43d17489041e690514132d06c9c5e1a83ee108f1831f dbdc7d45270ea87e7f69cfcbf92865d0dac4c9be4777c162e19063e1578cb566 
a45bd19da3bbfe6f68b14fa8ae030152b0438d4fb79d1680927696abf6bf653d e9f9649d384b3badadbdc2495c3cbf8d7b5a4f80a77837c1fc7fd41369991bac 7b20b8a347d47c60e49ae9e5428ac315e272367d61651fdeb7bf0c52dd3b8575 1ac5c8a985eaf0633af6b2f9e4112403299fc80a763d665499797c0f2bfe7ab3 27860fe1661d47c156917a5437db60a4a014c0a4bc933cafc67c65869e0e1182 5e87c266bf02644a49a9fef197aa9f3ef6bb8fb15489de0176ecb5bf887e6d74 825b0a5a1fd90b00a4468deaabf546a29f3c2ae2d1f8468edd402a1990578cb9 42b7c0cb192f87c3e612826ac374ed309b97812dbf1c2627a59f74b5ee798581 598cbd5c8f04edecd3437593b6db9be06dc797d97280b4b1c321003d9efb0bb9 2039c550684c4a9163782cf711533f9a8dbb6072f19361fa844e5ae3245e2bec aa4ebeb36860dc0bc33976879ae2fe5d88a629de8ae3376ef25d77ebb3afb7e7 fc9fe5f2485b49ca5e2f7121f1fcc64f1bccb9d6f0b22d38fd8d8429c21926cc d9700b328b0e22dde1e02418e304042a6fc7f06f5cad1f9fb36303800bf8c89d 2f176ff4ffbaecf15791babef8b5df8e1c54d6df6e168a1be3f9fed84b95aa2d 6ad2075ee2c776501e2b03d25b6b227a73955b8b12b759d14122f569b5ddf740 f652f6a9cfc293c897977012067f147e071faebd7118c98650851d45c49010de 30891e04a6d3400a2f1b9f61c0b728e018c570a73bfcf835a086104ac0600b2e 23720e037875efc90ed9c19f19f7b12026d4ffb80085bcaf22a554ba3eb6f22d 2bf60f30858c0d5406684e54c61c21765af3fd812758b68141ebe2efd6efea09 43d18067533b0b321a50244447abe6b4ae975d5f9283184710e5b6e6634c6bd5 404dbeda0b47244fa39f17b6ab62b367dc75017b91648ca45d5e71cfd561e5c8 22057f4a6745586c1dee90e293670de1221ac1164929c5cd4bab6acd3ca31097 63e97f8d3de6d1e9061b1fe2e3df4f742ab573e0cf8184a5409e36f0a53e7ffe 82ceb60837cf24e043f7c319337c29c6824dc2e4cf25f97fc58c12aa296e4f8f 587507c15ed66e06558ff94f13304922c2d34844c2a6a2b63a080552a87d510c cc2113cd8cb0815029909e59b4fb6e0522e27cdb3612acbb98536476a43c10de f8ac5c51ef3860f79b1af0aac1ffa719d79fb4bb7613622d7c207ba3266d1f02 7edd56ebf9a29aed126acb868cca853daba0a96594937cf0155aa79fc03c4b53 e45efe7026ba26cb4b364c3c420f01aac2a3564b715bb4ecba0bdfc1c82341e1 7734d65653f1cb97f779249608c61a4a349031e539e5eb04d237b1af9e0d0854 
52c6e5fc657bf31a97a9f19721a026215df1126f1bb4206d85bf396d2c10a49c 4e332957c17eef51b9e67a1be699f4663c40886e60e799e2817b17faadadc300 ef64d39b504039381b6975ff7f7239988204be773e21b11b32b3eebc959165ad c6721025a7abe8b33ceb65e12d11c5f64a6c37fe3b8a86e2dd377ffa1af09a09 c14d6cdaa50d97d1f4794365d89d799808b02b3d2fff453790e70b9b45c02283 57123cbeba82ecd72ce7ef3bbe69325148c502470ec116fab0e9a0ecf2054164 c27561738ea85f5d3956a0f871b2bd6d0f1ca8f7c0e30716363bc0f59d3430a3 3087c31aab04519a82ac28659507eb4135968f91d831208effb0989f5058ad85 9468b33f8bfea0438d59bb84adfe68c1d594c5a167dcacb9320d034039984823 e246b704a11f72a67a36da7d53da09e7f623e666343fcf41b6d5039c2d2a6681 797e270f6932f1983811e865b18c75097e4ecc2aa13f64b449ba371976fead0f afbbda6a30c576191331f5acd318db82040789a6372b117a808619406ddd9a37 1f5be105e3c67b4b7587e4ce0baebf8de4555e87339ca3354f8825d8edc6d7eb d422b81e9be93e2259f426e1947707bd6bbd1c222c33d6112c4e9438b0f10aac 6bc8b452033164d0c796d7a32c8f841ecd305041994ade55bf0c582d05ae3f9a 37eaa233057c1880ce12e53890de006ef19ea5e9445ea61c1ed910eeef481a41 29da2dfd414792bd4be42374301fef7075f7e83fb253e7e501c8b684375a785c 520ff816908a301d5c2235211e884d4aeb0d36158fec94542aefc663d35901e4 8a9f0d6f03d291f4d4bb7dd3db1d14a3f6ad161dd3a236f2a0c96433d82b826c a1b80acbff17ba893a09d8e4a60b7e53e107f651f14d57f16d03d603ea02ecf4 6482a9a6b71782d6e774cb55a8c38e2b14288630b2c3ad454efa2a46e8426965 bc6014088a8a119f5e30c6ed9f9fe69ba982dc99337e19b38285eb88905f77d3 9f64ab30aba50232dab99c327b947697beaea78db5c3b8de9ecb749ec4bac793 7f17787f10bbb7a8979dcb3803613ceafa8e61eccfcf48ed50cadcfc7ea633a3 727efe5fc9c61c9da80ab5583c8c1b5e3fd3750655747e6dff5920e4970ca1f7 c4b49fa28c85838a76c6e67122941f17224f615ffdd6bdbc7709e3f853caadad 88153a062d2e70c6f5e1fc7115bae0c627f85995c861c2ff57166b90b2353b2f d100004880f94bd8818a12d90aa32ea51532724857e23b68bf94543cffad0e15 2e5d10feca9178b91a046d4b0b7241d9bfbe12ed0fb211c71de91374de92636c b0012b7af9f55b867e10408d7260f25c060f80530ac8dd629aa9c501617b0095 
f02b0521ac716748f2302be55c822382ff1bc27b207815a4efbc54519c142935 2a47b257d0d223c55f70f6961f20f281b83d869b736ea1b1244c1b199e1ebad1 25cc7862c1dae0b60a8198a8f36ea9f5e5997083c0389f130f6899f01b71932f c0e0cdfed2d682f00391246deed68bd3e2e4fcf8fdbf8a657c1024db2372eaa1 7178d91e1b9c51923d78f79418f11b6f43efbb10e9e073afbdbbda69e1d7d898 d5c93df9aae2d0c2f68428435f3f43a679157fe0c5ef30311e6970a21d4655b2 edbe595800228a1ad89557d20a9f4e17031efac281aa3abca547c8e21e9bda2c a8577e8c9bc677885c5aa2793797a80a59d60d59d20c83f17384adb0cac821fd 73e8d04dabbe3883545368a9738bfe5fc8858c5da37292c4dba796e37860c991 d49e38c1b06a5cb50505238a80b895bfd6807e7110148ff158ebc13336c599d8 d2033384cc1dc2a5acc551548a190ed7bcfe1f65833880c339e2de4676c242bd 8372d07832dede99ae83e6c5dba5efdd60c5b1a6ee0e769244d9dae9740570c3 290a32f053cb0fe5b9cdec18a3c524ffa5f3b415259727fe86a380adbf32e386 99e77ca06a0bfc814e6e2d9ac577aaacdfca5d013e1a43c3709ac6d468fb8735 ec51207b399a951b6420866f5e3d3cb48a7792f977bc14106cd98c4c042a0cf6 197d5b2298c061e2b9c3c4d294d2d380f47b112ffb808ad8c8a3650423a3f16d c5d562806e548c5c2cb94bdb109d956964ec26d7a2719eedb7621b6bac2954d5 0a8d619ca400036b265c0aac89372e635d5ceafc5a745bbe7b6f9e7efdf48571 cf8ab32a9509656312fd688c4870474dddce987c1e3b352df71da8ed872d0a18 6410a99e63f582958cf4aa625324baffc5dc1f6b29583afc1e764a4cc893aa16 072bfa1e90e0c51872405e4802a01f00348e7c6285bde2d0c5e337f88c487df7 a8ed44ed29f2464a882c9a2c3cd956f9d24ddbd4d624b42f93bdecb3f35b9833 ac40edffe2040918569c1948826b3fb0565783790c2482c31f31b960b023881d 77bd3915fd851a42558826e8b6dd006479ff90cda8bbbf8a359479517c1523bc c5d441d53794f16cbbd240489e03672679e69f6d74132f81a46c295e0ec088f8 1d0565e4795d39d3ee5d0316c71450b444901eb958ca0ec1a327d42fc8e7638d 3deac22a3424deeaf02d0caf288de163926b4833b998e5765198160354cd604e 451b60d79fd7816926d0fa165cfedabca4cba27ba8f30b4067b63b29b6184072 b741ebeea29de2db15a3a4755e625fe0375ffce6a214c59e8a4341ed1d5e55d2 c746c1e7d691b38b6db106870fff9f523864bf9f5056e175380de67a544fc5c3 
0326e9ccb8515461f489e98b94337c01a9dd552a5513e8b6d1ee53782b2fb142 d66a76753aabf9328c959e98bd049570b6e5ae044df0c8e435dbc629ec28a436 19947e9e87ac776108c0f48cbce968082d795d64f76355417425b2d568ac36c4 864b7ac35c3e24df2ac0d20947ecf3a143dce712736855cb2e040ad4698b478c 419ee3f95bb8334df6cc674320e1abd41908fbf2bf57c19ba85fc6e9936f1b9d 5049706e764c2e72c45c760c0f4b4e48331a3103a2fa3ad89988ac3763b8890c 360478ef8462873d28201c7be71c52742763ed4cf1b298d797f4b71e9c67d9b7 52e8401c840cce9acdf3059e9a33c5bd1b5f85c4944fff2d6740e1128ce21189 2f6922c7fd3c43ef9d7bf84ca48138f210295041122af7276f2f9b3788c54d9a 4eca6e7c9366ca8e448c68633a80fe3f8e15182fdccb8ee66b9967d75efdf229 587cd89b6b36cad640a2669c2eb452fb713954b5ca04cd16c5b095f6bfab8332 143208060ba9610cc1a9e3769076f7adad221a0b0b587b93ea30d0030c2c858d aeebb46e50e24479d2b0e495646ba177f13d44a452d00c656a5c3d5f3800584e e70012b5ee4e855a46a02c52ea8826a82f1d44a1dcafacc7a141542438a19a89 7519f69e4f1d30028674eaa29bb653daeef3aa05367b5e00ebca5e4d5333e550 67bac44c7361cb14e77019d64e903f378b74deeac4a0410bfd729d06cdb30db6 b6d2c5a2c55a1503b456806a898395f8b5c57a71a0ba1b55bfde3621d51d8929 47de92933b4af5933f02c078a51f9e8bcb458c4c6589a20b7254eac067b9f608 1bf6e5ebda55355dabb9a319bef1b4ecedda80ae6d52905c869569d348ff2464 6ebbb45334fe74259ffc3977c760dd372a0f1170d441508051859194f46b41c6 8d9cc3f6b01923f42164314fc9c7222005d9db52a038e2fb9feab4cd1928630f 52553532e5d7aab1c38f6a560825b86a77a94023b44efa03b4ac50e72f6df29a 21cdd0e4384be07f2b68df941968cd96a24b9a0acc7353263aa12ab45ed2db56 1db499388e26d84bf33a933ae95ebb0a4e366d64f342951eebf836e3d4160415 f5bcaa649de5918fd032ce3fcaa836dfc82f653a182379fe2b7a380b90adb0bd 597b1b120e8488ddbae6d197d0e1695c692ec8bc73312eb3bcbd427da0ee5d2d 48abf76001de8ce0bb09d69b17b5754330bbdc424a502119915a9db5dc60aec5 e162a8f968ae8c29ef510cb6f112fbdd7d8feae8b95d3a7368f5914c45ab4f2d abd3984f58e2d279da62c917a40053753b0c69459a8de69faee14bdf30e9d5a6 cd9626dd21782360002a1779196a649dc065d705d2c387074005e092f76ab7fb 
59a9bb4c51ef20a9c006b988a601aca371f7f307d493cc58094fde7ffc7d04b3 b875cbd977d43f79d0dd2a69e3b8fbb3a3ac829b5e2092fe4549ffb229a3981e 949e1f53c17b43583f5088cfb668a6955b963a01a2369cfabd8bcba4df1e19eb d1e86e65cf72d2cabf1fce874d596be598a49965b9765a1ce8d1c6a73b80e3e7 34f1b6fae235cf02c53bcef41eff8f3ae0bdf65e07c554dc2d46ca3eb3bd31c0 91e35412b5c26172bd8e461da0340222c177443d49a8f2c13c2eddd0b58d3ac9 1b924ceff8b70533776f63038671d9c120fa9bd6217fd52e6a959e0b9bcbace3 8d8a250d5449fbdc441c526a1a9a2d94bc649f9ad19c012822feefc220eff630 f2b1bcb859ca0a8e2c9b40a08d71bae983259ab957e10b1a805decd3b204fa31 1bc93406ba4e5dd35ddf61233e3cf2608942d133cf3ec3da0f419779dc534771 ae507dec3a7ed75602e4ca6db755b3e73144248acf69afeba91286ffb21c51d1 17fd0e970792cc3d8348adc87dd5c52d4b4be55c77fd352ad2588dba782b567f 268b86fbe604e76d316083f0e19ca5d346af48144362761358c8d80d069dae5a 3b2b7ea07d43960f6d958079d786fc340443cffce02dd7ac62e7d676eed98f2a 47c9896eee38330bbe9aa6f5ea0e317848c75d0952772475c86c59b12a44d902 37afc6a5b8931aab733fae2d634ad826228b931e0f346d17509fd104ee2a9f59 0c44ded38aa80f30c5a2a7b0e9aa43dc9c03731654a821e7448e5439d09c81cc 408ae41d827b7035002b4afb9377dd6c97dfb5b39a0d1493481b5ba0628cec33 60a3f9c049d88050ae5bc720067f7bbf0aabe711284ac539aac9fd697d6e7029 a6449aa290285ae42a85525b1093ab35915f991da8236dd50919b61da30f8c5b c8deb4d58164f8c34e202b40bd8a4445bdec112feabd355235375c9de3691e12 c80ad6d4e55e7222bd008dd107eeb29dd03ec9213cd0351390674395e2040c96 adf224a0cc831073741c6c1670b20076393ae77e81e62475e289397f4147fd96 8a000c56101b4b889c99012a003eee3babbcf12320eb1ad00c65a793c2fa0b69 15d696863b730175e2ae250d26b1ef4b5f2f7b678748eb5477a92bc5ec2937c9 217cccc85e181405de32bb108d85e3f7cc871920bfba2070ae14cf10172a46ae 74b497bdb0893acd222c4aaed2f9578c0ee4304967c7d32b00b997b3544193f7 07b0eb0751ddc40ba690feb080f1b5a907c803a367e78c7fa04746fc0adfe227 8d031bb08b0a0ffce9f673fd363412e9364e29cca3babcaa49195349d8cc92be 0b9b7e9fecde45db1a0cdf892b06f614032894c206c4c78ff62a4f33f2bc89ee 
3de11fa858c53a92e208fe2859f80e66b2505005497fe656a2821cfae8d504d0 7c12daf8fdc92357429eb77aae0269811d07607d59bf685afcba51253727ff77 900e9163b0163a74aa3f8f330ac9ab7559652f58dbb7142e3fccee63d10a4468 1ee6cb09a7d064ae6e4cfcde33ae599c0b43ab6ef6c6d5cbec6ee3a599b4793e b5ad4f0d54fb3787e259b7e28766a7a2558a66ea29786eaa40092dd4bc268772 06774686fb970b7233415b99bf03b21ed313399e7eebda1a49afc0782224b817 53c4ea8184d87bda96712c787e2616f338ac9901793be3e7e25a73151cf32dbb 23fb951d5ffcf37fbcbcac6e160d3a275ff969f2e5e5f0ba830860cbbe1fd612 5e866a327d0043538928b8ab586046b88cfae576cc6b4e9e8eea79d96cf491f4 ea30aa5dea5cd58c1b4b026c7d5d67a51882040ba291c689ffd3037372d52c7c 03975199d802eaa4bb5a17a8f8967953ae01f21f313d884c5fe7da4658b2e623 b20529c99029c681af861e5f7d765eb3b92ee44f416ff83c19db66047ddcc66f 5520b5cd6260870d09d758353ce2d6c6eb446b9e069d978ded114938ff5feb9c a6da71be95a34e2365486eef87bbfc1a69b1b8bf338d54902932179e7e7c9d77 f68e37b5e84c6737919667f138c71a026547a910b153ec196f38d40c83ef71ea bda49e09c6af72debeb80986d69b1a6ee3b37822a6e656bfb39cbdb7170c8193 9753969af070c53f30b7ccb7e3193dffd7f1741fbf9227524fbf7b8a2ed60246 2957c2d02e6fc60e3596cd6173b7ce88c0fe44a77585f263aae9b0ca6eaac285 c8d65db9a363fbb3c2489588979c4e7aaff7a6fdc0759c431dea56fabd2d20a7 94e0d1b67d01e885d72d3b1426a68f56ca4980f6feb8ad44fa44338c7756aecf 717cc1d0c875b134caa33e80db566890c262aa3ec4a9aa907b1482373862347b 2783fb3f13e64444011670c978173f6d1514db3a3de263d644c1961725a89cc6 2f7bda3b3ca131c7b2d293c51c89c2311a3fb984e335b78a907ca3cce9340f0e 5596246715b7c1e78f17e604d6457f2e28dcdfb01d6d8f5a4184e9b948ba2594 a49ce04c9075fec7800f12f478f4762eab4e194bd0a09e6d8b546a5f44205f47 798e077194104eb9e16dd11205affc7cad95b554f0b865621c1479d09e1029d0 ee0d4c14e33ff5a493513233dd827cc4e69d6a7acf2e3685765a8236ff51c9d2 8bc6169b8ce1e73a5da2e2b558e1f594ad7e6e218d4cd00cca496789c5dd1e15 30c28db40d22b0833af1218227593fe095a1c1e3df1da499241b1462035c1139 92ebff49996f72424f3bbbbe39ebb70cd2ccf734768b7f6c74ff60c72cd40408 
25343873243c5e11a34c50f8864ce5fa92ebece330724de0f7f07431b6a66921 6a7fba953b55137ef0a5005f9b3d14674131f3f2e5f44e7a3de3292fc8785ded f87b532c2744a7152c5a0cea40279544bf32013ef975aa87fe3a5f4f2b38a604 9acbc12881c9e0031bdeb90a18373b2be90bcf0623c5637fcb96229304f45632 0561575b1081e1da9f852f3cb24b11552895bbcf31e6def2fdecf4320b40c23a 0676915a5ba60fb4af455cdaecfdb8c87e3bf79ddce8ce125e1d547008dd3a1e 6fe735daf006c150a1853696456c7c5aad73dff44ee7e984c1818a557ef5a575 aba4fa1a08b8d5636cfb9accccbdb55e756d70ce5311d844020b3c6f3856da8d 25cd72824157a7f6835572283fc8e5b7b54ccd670135cdd06cd7b3cdc4c0cea1 449045235a20c65cc99f34788b3026785d7edc4d1d76d6e614c5309f01a49957 e64b2d8129d0748ff4ba87569159a2d5ccd945044dfecf83b036aefae95063d8 a837f668dace1b377057d8299220137838164f7273e3614c11ddcc2ff1a5976a 3c2e486c1cad4d51e9c805a49bc4474e3909ebbffce79a4bd49077bb1a769b36 ee50469fabae0d409523daad60fc8e583f4eef25ddc308beaf502b931b772591 d095e1996580da2408 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 cleartomark %%EndFont TeXDict begin 40258431 52099146 1000 600 600 (thesis.dvi) @start /Fa 138[39 23 31 23 14[31 99[{EKAEncoding ReEncodeFont}5 70.5687 /Syntax-Bold rf %DVIPSBitmapFont: Fb pcrr8r 10 6 /Fb 6 119 df<000000040000000E0000000F0000001E0000001E0000003C0000003C00 00007800000078000000F0000000F0000001E0000001E0000003C0000003C00000078000 0007800000078000000F0000000F0000001E0000001E0000003C0000003C000000780000 0078000000F0000000F0000001E0000001E0000003C0000003C000000780000007800000 
078000000F0000000F0000001E0000001E0000003C0000003C0000007800000078000000 F0000000F0000001E0000001E0000003C0000003C0000003C0000007800000078000000F 0000000F0000001E0000001E0000003C0000003C0000007800000078000000F0000000F0 00000060000000203F77B732>47 D<0000001FF0000000003FF0000000001FF000000000 1FF000000000007000000000007000000000007000000000007000000000007000000000 0070000000000070000000000070000000000070000000000070000007FE007000001FFF 807000007FFFE0700001FFFFF0700003FC03F8700007F0007C70000FC0001E70000F0000 0F70001E000007F0003C000003F0003C000001F00078000001F00078000000F000700000 00F000F0000000F000F0000000F000E00000007000E00000007000E00000007000E00000 007000E00000007000E00000007000F0000000F000F0000000F00070000000F000780000 01F00038000001F0003C000003F0001E000007F0001F00000F70000F80001F700007E000 3E700003FC01FC7FC001FFFFF87FE000FFFFF07FE0003FFFC07FE0000FFF000000000070 0000002B347BB132>100 D<0007FF8000001FFFE000007FFFF80000FFFFFE0003FE01FF 0007F0001F800FC00007C00F000003E01E000001E03E000000F03C000000F07800000078 7800000078700000003CF00000003CF00000003CFFFFFFFFFCFFFFFFFFFCFFFFFFFFFCFF FFFFFFFCF000000000F00000000070000000007800000000780000000038000000003C00 0000001E000000001F000000000F8000001807C000007C03F00001FC01FE001FF800FFFF FFE0003FFFFF80001FFFFE000003FFF00000001C000026267BA332>I107 D<0007F001FC007F8FFC07FE00FF1FFE0FFF00FF3FFF1FFF807F7C1F3F07C007F007FC03 C007E003F801E007C003F001E0078001E000E0078001E000E0070001C000E0070001C000 E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000 E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000 E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000E0070001C000 E0070001C000E0070001C000E07FF801FC00FEFFF801FE00FFFFFC01FE00FFFFF801FC00 FF30247FA332>109 D<7FFF8007FFF8FFFFC00FFFFCFFFFC00FFFF87FFF8007FFF803C0 00000F0001E000001E0001E000001E0000F000003C0000F000003C0000F8000078000078 00007800007800007000003C0000F000003C0000F000001E0001E000001E0001E000000F 
0003C000000F0003C0000007800780000007800780000007C00700000003C00F00000003 E00F00000001E01E00000001E01E00000000F03C00000000F03C00000000787800000000 7878000000007CF0000000003CF0000000003FF0000000001FE0000000001FE000000000 0FC000002E237EA232>118 D E %EndDVIPSBitmapFont /Fc 139[22 26 29 1[37 33 37 55 18 37 1[18 37 2[29 1[29 1[33 28[48 1[44 24[22 22 40[{TeXBase1Encoding ReEncodeFont}18 66.4176 /Times-Bold rf %DVIPSBitmapFont: Fd cmmi7 7 1 /Fd 1 85 df<0FFFFFFFFFE01FFFFFFFFFE01F800FE007E01E000FC001C03C000FC001C0 38001FC000C030001FC000C070001F8000C060001F8001C060003F800180E0003F800180 C0003F000180C0003F00018000007F00000000007F00000000007E00000000007E000000 0000FE0000000000FE0000000000FC0000000000FC0000000001FC0000000001FC000000 0001F80000000001F80000000003F80000000003F80000000003F00000000003F0000000 0007F00000000007F00000000007E00000000007E0000000000FE0000000000FE0000000 000FC0000000000FC0000000001FC00000001FFFFF8000001FFFFF8000002B287DA727> 84 D E %EndDVIPSBitmapFont /Fe 139[18 26 26 1[33 33 33 48 3[18 3[29 1[29 1[33 97[{ TeXBase1Encoding ReEncodeFont}11 66.4176 /Times-Italic rf %DVIPSBitmapFont: Ff cmsy10 10 5 /Ff 5 104 df<000380000007C0000007C0000007C0000007C0000007C0000007C00000 07C0007803803CFC03807EFE0380FE7F8383FC3FC387F80FE38FE003FBBF8000FFFE0000 3FF800000FE000000FE000003FF80000FFFE0003FBBF800FE38FE03FC387F87F8383FCFE 0380FEFC03807E7803803C0007C0000007C0000007C0000007C0000007C0000007C00000 07C000000380001F247BA62A>3 D<60000000000000F8000000000000FE000000000000 7F8000000000003FE000000000000FF8000000000003FE000000000000FF800000000000 3FE000000000000FF8000000000003FE000000000000FF8000000000003FE00000000000 0FF8000000000003FE000000000000FF8000000000003FE000000000000FF80000000000 03FE000000000000FF8000000000003FE000000000000FF8000000000003FE0000000000 00FF8000000000003FC000000000001FC000000000007F800000000001FF000000000007 FC00000000001FF000000000007FC00000000001FF000000000007FC00000000001FF000 000000007FC00000000001FF000000000007FC00000000001FF000000000007FC0000000 
0001FF000000000007FC00000000001FF000000000007FC00000000001FF000000000007 FC00000000001FF000000000007FC00000000000FF000000000000FC0000000000007000 000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000007FFFFFFFFF FF80FFFFFFFFFFFFC0FFFFFFFFFFFFC07FFFFFFFFFFF80324479B441>21 D<0000000000001E00000000000000001E00000000000000001E00000000000000001E00 000000000000001F00000000000000000F00000000000000000F00000000000000000F80 0000000000000007800000000000000007C00000000000000003E00000000000000003E0 0000000000000001F00000000000000000F80000000000000000FC00000000000000007E 00000000000000003F00000000000000001F80000000000000000FC00000000000000007 F07FFFFFFFFFFFFFFFFCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFFFFFF FC0000000000000007F0000000000000000FC0000000000000001F80000000000000003F 00000000000000007E0000000000000000FC0000000000000000F80000000000000001F0 0000000000000003E00000000000000003E00000000000000007C0000000000000000780 000000000000000F80000000000000000F00000000000000000F00000000000000001F00 000000000000001E00000000000000001E00000000000000001E00000000000000001E00 00482C7BAA53>33 D<000001F800000FF800003F800000FC000001F8000003F0000007E0 000007E000000FE000000FC000000FC000000FC000000FC000000FC000000FC000000FC0 00000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC0 00000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC0 00001FC000001F8000003F8000007F000000FE000003F800007FE00000FF0000007FE000 0003F8000000FE0000007F0000003F8000001F8000001FC000000FC000000FC000000FC0 00000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC0 00000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC000000FC0 00000FC000000FC000000FC000000FC000000FE0000007E0000007E0000003F0000001F8 000000FC0000003F8000000FF8000001F81D537ABD2A>102 DI E %EndDVIPSBitmapFont /Fg 82[22 21[66 2[29 29 24[29 33 33 48 
33 33 18 26 22 33 33 33 33 52 18 33 18 18 33 33 22 29 33 29 33 29 3[22 1[22 2[48 63 1[48 41 37 44 1[37 48 48 59 41 1[26 22 48 1[37 41 48 44 44 48 6[18 1[33 1[33 33 1[33 33 33 33 18 17 1[17 2[22 22 22 35[37 37 2[{TeXBase1Encoding ReEncodeFont}68 66.4176 /Times-Roman rf /Fh 203[25 25 25 25 49[{ TeXBase1Encoding ReEncodeFont}4 49.8132 /Times-Roman rf /Fi 203[29 29 29 29 49[{TeXBase1Encoding ReEncodeFont}4 58.1154 /Times-Roman rf /Fj 139[55 1[74 1[92 7[92 2[74 3[83 29[120 9[83 83 83 83 83 83 83 83 83 49[{ TeXBase1Encoding ReEncodeFont}16 166.044 /Times-Bold rf /Fk 82[28 50[32 37 37 55 37 42 23 32 32 1[42 42 42 60 23 37 23 23 42 42 23 37 42 37 42 42 8[51 69 51 60 46 42 51 1[51 60 55 69 46 1[37 28 60 60 51 51 60 55 51 51 6[28 42 42 42 42 1[42 42 42 42 42 23 21 1[21 2[28 28 28 36[42 2[{TeXBase1Encoding ReEncodeFont}65 83.022 /Times-Italic rf /Fl 26[42 42 42 1[23 23 97[16 3[31 35 35 55 35 39 23 27 23 39 39 39 39 59 16 35 16 16 39 39 23 35 39 31 39 35 20 1[16 23 39 23 39 43 43 71 47 51 39 35 43 59 39 59 51 67 35 43 1[20 51 51 35 35 51 47 39 47 1[35 1[42 1[20 20 39 39 39 39 39 39 39 39 39 39 31 20 27 20 42 39 23 23 20 51 71 1[39 39 24 19[39 39 12[{EKAEncoding ReEncodeFont}92 70.5687 /Syntax-Roman rf %DVIPSBitmapFont: Fm cmmi10 10 3 /Fm 3 85 df<0003800000000007E0000700000FE0000F80000FE0001F80000FC0001F80 000FC0001F80001FC0003F80001FC0003F80001F80003F00001F80003F00003F80007F00 003F80007F00003F00007E00003F00007E00007F0000FE00007F0000FE00007E0000FC00 007E0000FC0000FE0001FC0000FE0001FC0000FC0001F80000FC0001F80001FC0003F800 01FC0003F80001F80003F01801F80003F01803F80007F01803F80007F03803F80007E030 03F8000FE03007F8000FE07007F8001FE06007F8003FE06007FC0077E0E00FFE00E3E1C0 0FFF03C1F3800FCFFF00FF000FC3FC003E001FC0000000001FC0000000001F8000000000 1F80000000003F80000000003F80000000003F00000000003F00000000007F0000000000 7F00000000007E00000000007E0000000000FE0000000000FE0000000000FC0000000000 FC00000000007000000000002D377EA432>22 D<1C007F00FF80FF80FF80FF80FF807F00 1C000909798817>58 
D<03FFFFFFFFFFFE03FFFFFFFFFFFE07FFFFFFFFFFFE07F8003FC0 01FE07C0003F80007E0F80003F80003C0F00007F80001C1E00007F80001C1C00007F0000 1C1C00007F00001C380000FF00001C380000FF00001C300000FE00001C700000FE000018 600001FE000018E00001FE000018C00001FC000018C00001FC000018C00003FC00001800 0003FC000000000003F8000000000003F8000000000007F8000000000007F80000000000 07F0000000000007F000000000000FF000000000000FF000000000000FE000000000000F E000000000001FE000000000001FE000000000001FC000000000001FC000000000003FC0 00000000003FC000000000003F8000000000003F8000000000007F8000000000007F8000 000000007F0000000000007F000000000000FF000000000000FF000000000000FE000000 000000FE000000000001FE000000000001FE000000000001FC000000000001FC00000000 0003FC000000000003FC000000000003F800000000000FFC000000003FFFFFFF0000007F FFFFFF0000007FFFFFFF00000037397EB831>84 D E %EndDVIPSBitmapFont /Fn 134[104 104 150 1[115 69 81 92 1[115 104 115 173 58 115 1[58 115 104 69 92 115 92 115 104 8[150 3[138 1[150 1[127 1[150 196 138 2[81 161 1[127 1[150 150 138 150 6[69 18[69 35[115 3[{TeXBase1Encoding ReEncodeFont}39 207.555 /Times-Bold rf /Fo 82[28 24[42 42 24[37 42 42 60 42 46 28 32 37 46 46 42 46 69 23 46 28 23 46 42 28 37 46 37 46 42 8[60 83 1[60 55 46 60 1[51 65 60 78 55 65 1[32 65 65 51 55 60 60 55 60 1[42 4[28 42 42 42 42 42 42 42 42 42 42 23 21 1[21 4[28 35[46 46 2[{ TeXBase1Encoding ReEncodeFont}68 83.022 /Times-Bold rf /Fp 82[28 4[28 16[83 42 1[37 37 24[37 42 42 60 42 42 23 32 28 42 42 42 42 65 23 42 23 23 42 42 28 37 42 37 42 37 3[28 1[28 51 60 60 78 60 60 51 46 55 60 46 60 60 74 51 60 32 28 60 60 46 51 60 55 55 60 1[37 1[47 1[23 23 42 42 42 42 42 42 42 42 42 42 23 21 1[21 47 1[28 28 28 1[69 2[34 28 2[28 26[46 46 2[{TeXBase1Encoding ReEncodeFont}87 83.022 /Times-Roman rf /Fq 82[33 24[50 50 24[44 50 50 72 50 55 33 39 44 55 55 50 55 83 28 55 1[28 55 50 33 44 55 44 55 50 8[72 2[72 66 55 72 1[61 78 72 94 66 2[39 78 1[61 66 72 72 66 72 1[50 1[57 2[33 50 50 50 50 50 50 50 50 50 50 28 25 2[57 40[55 2[{TeXBase1Encoding 
ReEncodeFont}63 99.6264 /Times-Bold rf %DVIPSBitmapFont: Fr cmmi12 12 1 /Fr 1 59 df<1E007F807F80FFC0FFC0FFC0FFC07F807F801E000A0A78891B>58 D E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fs cmsy10 12 1 /Fs 1 14 df<0000000003FFE00000000000000000007FFFFF000000000000000003FFFF FFE0000000000000000FFFFFFFF8000000000000007FFE003FFF00000000000000FFC000 01FF80000000000003FE0000003FE000000000000FF80000000FF800000000001FC00000 0001FC00000000003F8000000000FE0000000000FE00000000003F8000000001FC000000 00001FC000000003F0000000000007E000000007E0000000000003F00000000FC0000000 000001F80000001F80000000000000FC0000003F000000000000007E0000007E00000000 0000003F0000007C000000000000001F000000F8000000000000000F800001F800000000 0000000FC00001F00000000000000007C00003E00000000000000003E00003E000000000 00000003E00007C00000000000000001F0000FC00000000000000001F8000F8000000000 00000000F8000F00000000000000000078001F0000000000000000007C001F0000000000 000000007C003E0000000000000000003E003E0000000000000000003E003C0000000000 000000001E003C0000000000000000001E007C0000000000000000001F007C0000000000 000000001F00780000000000000000000F00780000000000000000000F00F80000000000 000000000F80F80000000000000000000F80F00000000000000000000780F00000000000 000000000780F00000000000000000000780F00000000000000000000780F00000000000 000000000780F00000000000000000000780F00000000000000000000780F00000000000 000000000780F00000000000000000000780F00000000000000000000780F00000000000 000000000780F00000000000000000000780F80000000000000000000F80F80000000000 000000000F80780000000000000000000F00780000000000000000000F007C0000000000 000000001F007C0000000000000000001F003C0000000000000000001E003C0000000000 000000001E003E0000000000000000003E003E0000000000000000003E001F0000000000 000000007C001F0000000000000000007C000F00000000000000000078000F8000000000 00000000F8000FC00000000000000001F80007C00000000000000001F00003E000000000 00000003E00003E00000000000000003E00001F00000000000000007C00001F800000000 
0000000FC00000F8000000000000000F8000007C000000000000001F0000007E00000000 0000003F0000003F000000000000007E0000001F80000000000000FC0000000FC0000000 000001F800000007E0000000000003F000000003F0000000000007E000000001FC000000 00001FC000000000FE00000000003F80000000003F8000000000FE00000000001FC00000 0001FC00000000000FF80000000FF8000000000003FE0000003FE0000000000000FFC000 01FF800000000000007FFE003FFF000000000000000FFFFFFFF80000000000000003FFFF FFE000000000000000007FFFFF00000000000000000003FFE00000000000595C7BC664> 13 D E %EndDVIPSBitmapFont /Ft 136[84 3[45 39 2[58 58 1[32 4[58 1[52 3[52 14[78 12[71 84 21[29 46[{TeXBase1Encoding ReEncodeFont}13 116.231 /Times-Roman rf /Fu 134[50 1[72 50 50 28 39 33 50 50 50 50 78 28 50 1[28 50 50 33 44 50 44 50 44 7[72 3[72 61 55 66 1[55 72 72 89 61 72 1[33 72 72 55 61 72 66 1[72 7[50 50 6[50 2[25 1[25 41[55 2[{TeXBase1Encoding ReEncodeFont}48 99.6264 /Times-Roman rf /Fv 82[39 51[58 58 84 58 65 39 45 52 65 65 58 65 97 32 65 1[32 65 58 39 52 65 52 65 58 8[84 116 84 84 78 65 84 1[71 90 84 110 1[90 1[45 1[90 71 78 84 84 78 84 6[39 1[58 58 58 58 58 58 58 58 2[29 1[29 40[65 65 2[{TeXBase1Encoding ReEncodeFont}58 116.231 /Times-Bold rf end %%EndProlog %%BeginSetup %%Feature: *Resolution 600dpi TeXDict begin %%EndSetup %%Page: 1 1 1 0 bop 795 79 a Fv(The)27 b(Exok)o(er)n(nel)h(Operating)g(System)g(Ar) n(chitectur)n(e)1900 278 y Fu(by)1523 477 y Ft(Da)n(wson)h(R.)g(Engler) 396 677 y Fu(Submitted)24 b(to)g(the)h(Department)f(of)h(Electrical)g (Engineering)f(and)g(Computer)h(Science)807 793 y(in)f(partial)h (ful\002llment)e(of)i(the)g(requirements)f(for)h(the)f(de)o(gree)h(of) 751 992 y(Doctor)f(of)h(Philosophy)e(in)h(Computer)h(Science)h(and)e (Engineering)1841 1191 y(at)h(the)833 1391 y(MASSA)l(CHUSETTS)g (INSTITUTE)g(OF)h(TECHNOLOGY)1677 1590 y(October)f(1998)626 1786 y(c)598 1789 y Fs(\015)g Fu(Massachusetts)e(Institute)h(of)h(T)-7 b(echnology)24 b(1998.)35 b(All)24 b(rights)g(reserv)o(ed.)0 2337 y(Author)g Fr(:)17 
b(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g (:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:) f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f (:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:) h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:) 1476 2453 y Fu(Department)25 b(of)f(Electrical)h(Engineering)f(and)h (Computer)f(Science)3344 2570 y(May)g(18,)h(1998)0 3360 y(Certi\002ed)h(by)17 b Fr(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h (:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:) g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g (:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:) h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)3123 3477 y Fu(M.)24 b(Frans)h(Kaashoek)3111 3593 y(Associate)g(Professor) 3183 3709 y(Thesis)f(Supervisor)0 4527 y(Accepted)h(by)g Fr(:)17 b(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h (:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:) g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g (:)f(:)h(:)g(:)f(:)h(:)g(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)g(:)g(:) f(:)h(:)g(:)f(:)h(:)g(:)f(:)h(:)3172 4643 y Fu(Leonard)25 b(A.)g(Gould)1565 4760 y(Chairman,)f(Departmental)g(Committee)g(on)h (Graduate)g(Students)p eop %%Page: 2 2 2 1 bop 960 83 a Fq(The)26 b(Exok)o(er)o(nel)f(Operating)g(System)h(Ar) n(chitectur)n(e)1900 199 y Fu(by)1584 315 y(Da)o(wson)e(R.)h(Engler)655 531 y Fp(Submitted)19 b(to)i(the)f(Department)f(of)h(Electrical)f (Engineering)f(and)i(Computer)f(Science)1205 631 y(on)h(May)g(18,)f (1998,)g(in)h(partial)g(ful\002llment)g(of)f(the)1448 731 y(requirements)f(for)i(the)g(de)o(gree)f(of)951 830 y(Doctor)g(of)h(Philosophy)e(in)i(Computer)f(Science)h(and)g (Engineering)0 1068 y Fq(Abstract)0 1224 y Fp(On)h(traditional)f (operating)g(systems)h(only)g(trusted)g(softw)o(are)f(such)h(as)h(pri)n 
(vile)o(ged)d(serv)o(ers)i(or)g(the)g(k)o(ernel)g(can)g(manage)f (resources.)0 1323 y(This)g(thesis)h(proposes)e(a)i(ne)n(w)f(approach,) d(the)k(e)o(xok)o(ernel)d(architecture,)g(which)i(mak)o(es)g(resource)f (management)e(unpri)n(vile)o(ged)h(b)n(ut)0 1423 y(safe)27 b(by)g(separating)e(management)g(from)h(protection:)41 b(an)27 b(e)o(xok)o(ernel)e(protects)h(resources,)i(while)f(untrusted)e (application\255le)n(v)o(el)0 1522 y(softw)o(are)d(manages)f(them.)35 b(As)23 b(a)g(result,)g(in)f(an)g(e)o(xok)o(ernel)f(system,)h (untrusted)f(softw)o(are)h(\(e.g.,)g(library)f(operating)f(systems\))j (can)0 1622 y(implement)c(abstractions)g(such)h(as)h(virtual)f(memory) -5 b(,)17 b(\002le)k(systems,)g(and)e(netw)o(orking.)125 1722 y(The)i(main)g(thrusts)g(of)g(this)h(thesis)g(are:)32 b(\(1\))21 b(ho)n(w)g(to)g(b)n(uild)g(an)h(e)o(xok)o(ernel)d(system;)j (\(2\))f(whether)f(it)j(is)f(possible)f(to)h(b)n(uild)f(a)h(real)0 1821 y(one;)27 b(and)e(\(3\))f(whether)h(doing)f(so)h(a)h(good)e(idea.) 44 b(Our)25 b(results,)h(dra)o(wn)e(from)g(tw)o(o)i(e)o(xok)o(ernel)d (systems)j([25)n(,)g(48)o(],)g(sho)n(w)f(that)h(the)0 1921 y(approach)c(yields)j(dramatic)e(bene\002ts.)43 b(F)o(or)24 b(e)o(xample,)g(Xok,)h(an)f(e)o(xok)o(ernel,)f(runs)i(a)g (web)f(serv)o(er)g(an)g(order)g(of)g(magnitude)e(f)o(aster)0 2021 y(than)i(the)g(closest)h(equi)n(v)n(alent)d(on)i(the)g(same)h (hardw)o(are,)e(common)f(unaltered)h(Unix)h(applications)f(up)h(to)g (three)g(times)g(f)o(aster)m(,)h(and)0 2120 y(impro)o(v)o(es)18 b(global)i(system)g(performance)d(up)j(to)g(a)h(f)o(actor)f(of)f(\002v) o(e.)125 2220 y(The)g(thesis)i(also)g(discusses)f(some)g(of)g(the)h (unusual)e(techniques)f(we)j(ha)n(v)o(e)e(used)h(to)h(remo)o(v)o(e)d (the)i(o)o(v)o(erhead)e(of)i(protection.)27 b(The)0 2319 y(most)e(unusual)e(technique,)h(untrusted)f(deterministic)h(functions,) g(enables)g(an)g(e)o(xok)o(ernel)f(to)i(v)o(erify)e(that)i (applications)e(correctly)0 2419 y(track)17 b(the)g(resources)f(the)o 
(y)g(o)n(wn,)h(eliminating)f(the)h(need)f(for)h(it)h(to)f(do)g(so.)28 b(Additionally)-5 b(,)15 b(the)j(thesis)f(re\003ects)h(on)e(the)h (subtle)g(issues)h(in)0 2519 y(using)j(do)n(wnloaded)e(code)i(for)g(e)o (xtensibility)f(and)h(the)h(sometimes)f(painful)f(lessons)i(learned)f (in)h(b)n(uilding)e(three)h(e)o(xok)o(ernel\255based)0 2618 y(systems.)0 2792 y(Thesis)g(Supervisor:)27 b(M.)21 b(Frans)f(Kaashoek)0 2892 y(T)m(itle:)30 b(Associate)21 b(Professor)p eop %%Page: 2 3 2 2 bop 960 83 a Fq(The)26 b(Exok)o(er)o(nel)f(Operating)g(System)h(Ar) n(chitectur)n(e)1900 199 y Fu(by)1584 315 y(Da)o(wson)e(R.)h(Engler)655 531 y Fp(Submitted)19 b(to)i(the)f(Department)f(of)h(Electrical)f (Engineering)f(and)i(Computer)f(Science)1205 631 y(on)h(May)g(18,)f (1998,)g(in)h(partial)g(ful\002llment)g(of)f(the)1448 731 y(requirements)f(for)i(the)g(de)o(gree)f(of)951 830 y(Doctor)g(of)h(Philosophy)e(in)i(Computer)f(Science)h(and)g (Engineering)0 1068 y Fq(Abstract)0 1224 y Fp(On)h(traditional)f (operating)g(systems)h(only)g(trusted)g(softw)o(are)f(such)h(as)h(pri)n (vile)o(ged)d(serv)o(ers)i(or)g(the)g(k)o(ernel)g(can)g(manage)f (resources.)0 1323 y(This)g(thesis)h(proposes)e(a)i(ne)n(w)f(approach,) d(the)k(e)o(xok)o(ernel)d(architecture,)g(which)i(mak)o(es)g(resource)f (management)e(unpri)n(vile)o(ged)h(b)n(ut)0 1423 y(safe)27 b(by)g(separating)e(management)g(from)h(protection:)41 b(an)27 b(e)o(xok)o(ernel)e(protects)h(resources,)i(while)f(untrusted)e (application\255le)n(v)o(el)0 1522 y(softw)o(are)d(manages)f(them.)35 b(As)23 b(a)g(result,)g(in)f(an)g(e)o(xok)o(ernel)f(system,)h (untrusted)f(softw)o(are)h(\(e.g.,)g(library)f(operating)f(systems\))j (can)0 1622 y(implement)c(abstractions)g(such)h(as)h(virtual)f(memory) -5 b(,)17 b(\002le)k(systems,)g(and)e(netw)o(orking.)125 1722 y(The)i(main)g(thrusts)g(of)g(this)h(thesis)g(are:)32 b(\(1\))21 b(ho)n(w)g(to)g(b)n(uild)g(an)h(e)o(xok)o(ernel)d(system;)j (\(2\))f(whether)f(it)j(is)f(possible)f(to)h(b)n(uild)f(a)h(real)0 1821 y(one;)27 
b(and)e(\(3\))f(whether)h(doing)f(so)h(a)h(good)e(idea.) 44 b(Our)25 b(results,)h(dra)o(wn)e(from)g(tw)o(o)i(e)o(xok)o(ernel)d (systems)j([25)n(,)g(48)o(],)g(sho)n(w)f(that)h(the)0 1921 y(approach)c(yields)j(dramatic)e(bene\002ts.)43 b(F)o(or)24 b(e)o(xample,)g(Xok,)h(an)f(e)o(xok)o(ernel,)f(runs)i(a)g (web)f(serv)o(er)g(an)g(order)g(of)g(magnitude)e(f)o(aster)0 2021 y(than)i(the)g(closest)h(equi)n(v)n(alent)d(on)i(the)g(same)h (hardw)o(are,)e(common)f(unaltered)h(Unix)h(applications)f(up)h(to)g (three)g(times)g(f)o(aster)m(,)h(and)0 2120 y(impro)o(v)o(es)18 b(global)i(system)g(performance)d(up)j(to)g(a)h(f)o(actor)f(of)f(\002v) o(e.)125 2220 y(The)g(thesis)i(also)g(discusses)f(some)g(of)g(the)h (unusual)e(techniques)f(we)j(ha)n(v)o(e)e(used)h(to)h(remo)o(v)o(e)d (the)i(o)o(v)o(erhead)e(of)i(protection.)27 b(The)0 2319 y(most)e(unusual)e(technique,)h(untrusted)f(deterministic)h(functions,) g(enables)g(an)g(e)o(xok)o(ernel)f(to)i(v)o(erify)e(that)i (applications)e(correctly)0 2419 y(track)17 b(the)g(resources)f(the)o (y)g(o)n(wn,)h(eliminating)f(the)h(need)f(for)h(it)h(to)f(do)g(so.)28 b(Additionally)-5 b(,)15 b(the)j(thesis)f(re\003ects)h(on)e(the)h (subtle)g(issues)h(in)0 2519 y(using)j(do)n(wnloaded)e(code)i(for)g(e)o (xtensibility)f(and)h(the)h(sometimes)f(painful)f(lessons)i(learned)f (in)h(b)n(uilding)e(three)h(e)o(xok)o(ernel\255based)0 2618 y(systems.)0 2792 y(Thesis)g(Supervisor:)27 b(M.)21 b(Frans)f(Kaashoek)0 2892 y(T)m(itle:)30 b(Associate)21 b(Professor)p eop %%Page: 3 4 3 3 bop 208 930 a Fp(\223But)20 b(I)h(don')o(t)d(w)o(ant)i(to)h(go)f (among)e(mad)i(people,)-6 b(\224)19 b(Alice)h(remark)o(ed.)208 1063 y(\223Oh,)f(you)h(can')o(t)f(help)h(that,)-6 b(\224)20 b(said)g(the)g(Cat:)31 b(\223we')l(re)19 b(all)i(mad)f(here.)28 b(I'm)20 b(mad,)f(you')l(re)g(mad.)-6 b(\224)208 1196 y("Ho)n(w)20 b(do)f(you)h(kno)n(w)f(I'm)g(mad?")h(said)g(Alice.)208 1328 y(\223Y)-9 b(ou)19 b(must)h(be,)-6 b(\224)20 b(said)h(the)f(Cat,)h 
(\223or)e(you)h(w)o(ouldn')o(t)e(ha)n(v)o(e)i(come)f(here.)-6 b(\224)1668 1461 y(\255)21 b(Le)n(wis)f(Carroll)g(\(1832\2551898\),)c Fo(Alice)k(In)i(W)-6 b(onderland)1929 5589 y Fp(3)p eop %%Page: 4 5 4 4 bop 0 83 a Fv(Ackno)o(wledgments)0 269 y Fp(The)18 b(e)o(xok)o(ernel)e(project)h(has)i(been)e(the)h(w)o(ork)g(of)g(man)o (y)f(people.)27 b(The)18 b(basic)g(principles)f(of)h(Chapter)g(2)g(and) g(Ae)o(gis)g(implementation)0 368 y(come)j(from)f(a)h(paper)f([25)o(])i (written)e(jointly)h(with)g(Frans)h(Kaashoek)e(and)g(James)i(O'T)-7 b(oole)20 b(\(which)h(descended)e(from)h(my)h(master')-5 b(s)0 468 y(thesis,)21 b(done)e(under)g(Kaashoek,)f(with)j(ideas)f (initated)g(by)g([26)n(,)h(27)o(]\).)125 567 y(In)h(contrast)g(to)h(Ae) o(gis,)g(Xok)f(has)h(been)f(written)g(lar)o(gely)f(by)h(others.)36 b(Da)n(v)o(e)23 b(Mazieres)f(implemented)f(the)i(initial)f(Xok)h(k)o (ernel.)0 667 y(Thomas)d(Pinckne)o(y)f(Russell)j(Hunt,)e(Gre)o(g)g (Ganger)m(,)f(Frans)i(Kaashoek,)e(and)h(Hector)g(Briceno)g(further)g (de)n(v)o(eloped)e(Xok)i(and)g(made)0 767 y(ExOS)e(into)g(a)g(real)g (Unix)g(system.)28 b(Gre)o(g)18 b(Ganger)f(designed)f(and)i (implemented)e(C\255FFS)j([37)o(])f(and)f(the)h(Cheetah)g(webserv)o(er) e(\(based)0 866 y(in)24 b(part)g(on)g([49)n(]\),)h(the)f(tw)o(o)g (linchpins)g(of)f(most)h(of)g(our)g(application)e(performance)f (numbers.)40 b(Ganger)23 b(and)g(Kaashoek)g(o)o(v)o(ersa)o(w)0 966 y(countless)i(modi\002cations)e(to)i(the)g(entire)g(system.)43 b(Eddie)25 b(K)m(ohler)f(made)g(an)h(enormous)e(contrib)n(ution)g(in)i (our)f(write)h(up)g(of)f(these)0 1066 y(results.)29 b(This)21 b(w)o(ork,)e(described)g(in)h([48)o(],)g(forms)g(the)g(basis)h(for)e (Chapter)h(5,)g(and)g(as)g(a)h(less)g(primary)e(source)g(for)h (Chapters)g(2\227)g(4.)p eop %%Page: 5 6 5 5 bop 0 747 a Fn(Contents)0 1262 y Fo(1)83 b(Intr)o(oduction)3240 b(11)125 1362 y Fp(1.1)85 b(Relation)21 b(to)f(other)f(OS)i(structures) 32 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f 
(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(13)315 1461 y(1.1.1)98 b(Recent)20 b(e)o(xtensible)g(operating)e(systems)43 b Fm(:)e(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(14)125 1561 y(1.2)85 b(The)20 b(focusing)f(questions)g(of)h(this)h(thesis)44 b Fm(:)e(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(14)315 1660 y(1.2.1)98 b(Ho)n(w)20 b(to)h(b)n(uild)e(an)h(e)o(xok) o(ernel?)70 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(15)315 1760 y(1.2.2)98 b(Can)21 b(you)e(b)n(uild)h (a)g(real)h(e)o(xok)o(ernel)d(system?)70 b Fm(:)41 b(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)93 b Fp(16)315 1860 y(1.2.3)98 b(Are)20 b(e)o(xok)o(ernels)f(a)h(good)f(idea?)45 b Fm(:)d(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(17)315 1959 y(1.2.4)98 b(Summary)83 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(18)125 2059 y(1.3)85 b(Concerns)36 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(18)125 2159 y(1.4)85 b(Summary)26 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) 93 b Fp(19)0 2341 y Fo(2)83 b(Ho)o(w)20 b(to)f(b)n(uild)j(an)f(exok)o (er)o(nel:)28 
b(principles)2353 b(20)125 2441 y Fp(2.1)85 b(Exok)o(ernel)19 b(principles)48 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(21)315 2540 y(2.1.1)98 b(Polic)o(y)67 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(22)125 2640 y(2.2)85 b(K)n(ernel)20 b(support)f(for)g(protected)g(abstractions)25 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(22)125 2740 y(2.3)85 b(Implementation\255de\002ned)16 b(Decisions)44 b Fm(:)d(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(24)125 2839 y(2.4)85 b(V)-5 b(isible)21 b(Resource)f(Re)n(v)n(ocation)35 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(24)125 2939 y(2.5)85 b(Secure)20 b(Bindings)62 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(25)125 3039 y(2.6)85 b(Methodology)18 b(Discussion)34 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(26)0 3221 y Fo(3)83 b(Practice:)28 b(A)n(pplying)20 b(exok)o(er)o(nel)f(principles)2284 b(28)315 3321 y Fp(3.0.1)98 b(Xok)20 b(o)o(v)o(ervie)n(w)66 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(28)315 3421 
y(3.0.2)98 b(Ae)o(gis)20 b(o)o(v)o(ervie)n(w)82 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(28)125 3520 y(3.1)85 b(Multiple)o(xing)19 b(Physical)g(Memory)83 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(29)315 3620 y(3.1.1)98 b(Ae)o(gis:)30 b(application)18 b(virtual)i(memory)31 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(29)315 3719 y(3.1.2)98 b(Xok:)29 b(hardw)o(are\255de\002ned)17 b(page)j(tables)79 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(30)125 3819 y(3.2)85 b(Multiple)o(xing)19 b(the)h(Netw)o(ork)66 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(30)125 3919 y(3.3)85 b(Multiple)o(xing)19 b(the)h(CPU)66 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(31)315 4018 y(3.3.1)98 b(Ae)o(gis)20 b(and)g(Xok)g(CPU)h(multiple)o(xing)57 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(31)315 4118 y(3.3.2)98 b(Ae)o(gis)20 b(Processor)g(En)m (vironments)31 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(33)315 4218 y(3.3.3)98 b(Implementing)18 b(Unix)i(Processes)g(on)g(Xok)47 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)93 b 
Fp(33)125 4317 y(3.4)85 b(Exposing)19 b(Machine)g(Ev)o(ents)61 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(33)315 4417 y(3.4.1)98 b(Ae)o(gis)20 b(Exceptions)83 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(33)315 4516 y(3.4.2)98 b(Ae)o(gis)20 b(Protected)g(Control)f(T)m(ransfers)49 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(34)315 4616 y(3.4.3)98 b(Implementing)18 b(Unix)i(IPC)g(on)g(Xok)48 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(35)125 4716 y(3.5)85 b(Discussion)51 b Fm(:)42 b(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(35)0 4898 y Fo(4)83 b(The)21 b(Hardest)e(Multiplexing)i(Pr)o(oblem:)28 b(Disk)2228 b(36)125 4998 y Fp(4.1)85 b(Ef)n(\002cient,)20 b(\002ne\255grained)e (disk)i(multiple)o(xing)52 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(36)315 5098 y(4.1.1)98 b(Ef)n(\002cienc)o (y:)28 b(State)21 b(P)o(artitioning)83 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(39)315 5197 y(4.1.2)98 b(More)20 b(sophisticated)f(partitioning)74 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(41)125 5297 y(4.2)85 b(Ov)o(ervie)n(w)19 b(of)h(XN)55 b Fm(:)41 
b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(42)1929 5589 y(5)p eop %%Page: 6 7 6 6 bop 125 83 a Fp(4.3)85 b(XN:)21 b(Problem)e(and)h(history)29 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(43)125 183 y(4.4)85 b(XN:)21 b(Design)f(and)g(implementation)41 b Fm(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(43)125 282 y(4.5)85 b(XN)21 b(usage)f Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(45)125 382 y(4.6)85 b(Crash)21 b(Reco)o(v)o(ery)d(Issues)49 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(46)125 482 y(4.7)85 b(C\255FFS:)22 b(a)e(library)g(\002le)g (system)74 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(47)125 581 y(4.8)85 b(Discussion)51 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(47)0 764 y Fo(5)83 b(P)n(erf)n(ormance)19 b(of)g(exok)o(er)o(nel)h (systems)2488 b(49)125 863 y Fp(5.1)85 b(Xok)20 b(Experimental)e(En)m (vironment)60 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(49)125 963 y(5.2)85 b(Performance)18 
b(of)i(common,)e(unaltered)h(applications)43 b Fm(:)e(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(50)125 1063 y(5.3)85 b(The)20 b(cost)h(of)f(e)o(xok)o(ernel)e(\003e)o(xibility)62 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(51)315 1162 y(5.3.1)98 b(The)20 b(cost)h(of)e(OS)i (abstractions)f(in)g(libraries)80 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(51)315 1262 y(5.3.2)98 b(The)20 b(cost)h(of)e (protection)63 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(51)125 1362 y(5.4)85 b(Aggressi)n(v)o(e)19 b(application)g(performance)51 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) 93 b Fp(52)315 1461 y(5.4.1)98 b(XCP:)21 b(a)g(\223zero\255touch\224)d (\002le)i(cop)o(ying)f(program)30 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(52)315 1561 y(5.4.2)98 b(The)20 b(Cheetah)g(HTTP/1.0)f (Serv)o(er)39 b Fm(:)j(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(52)125 1660 y(5.5)85 b(Global)20 b(performance)69 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(54)315 1760 y(5.5.1)98 b(Experiments)51 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(54)315 1860 y(5.5.2)98 
b(Discussion)43 b Fm(:)f(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(55)315 1959 y(5.5.3)98 b(Summary)83 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(56)0 2142 y Fo(6)83 b(Re\003ections)20 b(on)g(Do)o(wnloading)g(Code)2500 b(57)125 2242 y Fp(6.1)85 b(DPF:)22 b(dynamic)c(pack)o(et)i(\002lters) 68 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(58)315 2341 y(6.1.1)98 b(Language)18 b(design)36 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(58)315 2441 y(6.1.2)98 b(Do)n(wnloaded)18 b(code)i(pro)o(vides)e(po)n(wer)50 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(59)315 2540 y(6.1.3)98 b(Some)20 b(lessons)j Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(59)125 2640 y(6.2)85 b(Application\255speci\002c)19 b(message)h(handlers)40 b Fm(:)i(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(60)315 2740 y(6.2.1)98 b(Pulling)20 b(application)f(semantics)h (into)g(e)n(v)o(ent)f(handling)61 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(60)315 2839 y(6.2.2)98 b(Discussion)43 b Fm(:)f(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f 
(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(61)125 2939 y(6.3)85 b(XN:)21 b(ef)n(\002cient)f(disk)g (multiple)o(xing)i Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(61)315 3039 y(6.3.1)98 b(Language)18 b(Ev)n(olution)55 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(62)315 3138 y(6.3.2)98 b(Insights)80 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)93 b Fp(62)315 3238 y(6.3.3)98 b(Lessons)76 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(63)125 3337 y(6.4)85 b(Protected)20 b(Methods)47 b Fm(:)42 b(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)93 b Fp(63)125 3437 y(6.5)85 b(Discussion)51 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(64)125 3537 y(6.6)85 b(Related)21 b(W)-7 b(ork)23 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(65)0 3719 y Fo(7)83 b(Conclusion)3295 b(67)125 3819 y Fp(7.1)85 b(Possible)21 b(F)o(ailures)f(of)g(the)g(Architecture)41 b Fm(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 
b Fp(67)125 3919 y(7.2)85 b(Experience)40 b Fm(:)i(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)93 b Fp(68)315 4018 y(7.2.1)98 b(Clear)21 b(adv)n(antages)32 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(68)315 4118 y(7.2.2)98 b(Costs)31 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)93 b Fp(68)315 4218 y(7.2.3)98 b(Lessons)76 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(69)125 4317 y(7.3)85 b(Conclusion)36 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)93 b Fp(69)0 4500 y Fo(8)83 b(XN')m(s)20 b(Interface)3171 b(71)125 4599 y Fp(A)130 b(Pri)n(vile)o(ged)19 b(system)i(calls)40 b Fm(:)i(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(71)315 4699 y(A.1)143 b(XN)21 b(initialization)e(and)h(shutdo)n(wn)74 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(71)315 4799 y(A.2)143 b(Reconstruction)32 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(71)125 4898 y(B)135 b(Public)20 b(system)h(calls)37 b Fm(:)42 
b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(72)315 4998 y(B.1)148 b(Creating)20 b(types)54 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(72)315 5098 y(B.2)148 b(Creating)20 b(and)f(deleting)h(\002le)h(system)f(trees)41 b Fm(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(72)315 5197 y(B.3)148 b(Buf)n(fer)20 b(cache)f(operations)67 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(73)315 5297 y(B.4)148 b(Metadata)20 b(operations)53 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(75)1929 5589 y(6)p eop %%Page: 7 8 7 7 bop 315 83 a Fp(B.5)148 b(Reading)20 b(XN)g(data)g(structures)68 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) 93 b Fp(75)315 183 y(B.6)148 b(File)21 b(system\255independent)c(na)n (vigation)h(calls)85 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(76)0 365 y Fo(9)83 b(Aegis')20 b(Interface)3126 b(77)315 465 y Fp(.7)203 b(CPU)21 b(interf)o(ace)64 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(77)315 565 y(.8)203 b(En)m(vironments)71 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f 
(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(77)315 664 y(.9)203 b(Physical)20 b(memory)h Fm(:)42 b(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(80)315 764 y(.10)161 b(Interrupts)19 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(80)315 863 y(.11)161 b(Netw)o(orking)75 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:) f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f (:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(83)315 963 y(.12)161 b(TLB)21 b(manipulation)48 b Fm(:)41 b(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(83)1929 5589 y(7)p eop %%Page: 8 9 8 8 bop 0 747 a Fn(List)52 b(of)g(Figur)l(es)125 1179 y Fp(1\2551)78 b(Possible)18 b(e)o(xok)o(ernel)d(system.)29 b(Applications)16 b(link)h(against)g(library)f(operating)g(systems)h (\(libOS\),)g(which)g(pro)o(vide)315 1279 y(standard)35 b(operating)e(system)j(abstractions)f(\(virtual)f(memory)-5 b(,)37 b(\002les,)j(netw)o(ork)34 b(protocols,)k(etc.\).)75 b(Because)315 1378 y(libOSes,)23 b(are)g(unpri)n(vile)o(ged,)c (applications)i(can)h(also)g(specialize)h(them)e(or)h(write)h(their)f (o)n(wn,)g(as)g(the)h(web)f(serv)o(er)315 1478 y(in)h(the)f(picture)f (has)h(done.)34 b(Because)22 b(the)g(e)o(xok)o(ernel)e(pro)o(vides)g (protection,)h(completely)f(dif)n(ferent)h(libOSes)h(can)315 1577 y(simultaneously)j(run)f(on)i(the)g(same)f(system)h(and)f(safely)h (share)f(resources)g(such)h(as)g(disk)g(blocks)f(and)g(physical)315 1677 y(pages.)76 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f 
(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)93 b Fp(12)125 1860 y(2\2551)78 b(A)18 b(simpli\002ed)e(e)o (xok)o(ernel)e(system)j(with)g(tw)o(o)g(applications,)f(each)g(link)o (ed)g(with)h(its)h(o)n(wn)e(libOS)h(and)f(sharing)f(pages)315 1959 y(through)k(a)h(b)n(uf)n(fer)f(cache)h(re)o(gistry)-5 b(.)25 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(21)125 2142 y(3\2551)78 b (Application\255le)n(v)o(el)18 b(stride)i(scheduler)-5 b(.)51 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(32)125 2325 y(4\2551)78 b(Implementation)12 b(sk)o(etch)i(of)g(a)h(disk)f(block)f(allocation)h(system)g(call)h (that)f(uses)h(UDFs)g(to)g(let)g(untrusted)d(\002le)j(systems)315 2424 y(track)20 b(the)g(blocks)g(the)o(y)f(control.)30 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(40)125 2524 y(4\2552)78 b(Unix)15 b(indirect)e(block)h(and)g(its)h(associated)f(state)i(partitioning)c (UDFs,)17 b Fl(indir)o(ect)p 2580 2524 22 4 v 27 w(access)g Fp(and)d Fl(indir)o(ect)p 3166 2524 V 27 w(npartitions)p Fp(.)30 b(The)315 2623 y(UDFs)23 b(are)f(\223constant\224)f(in)i(that)f (the)o(y)f(do)h(not)f(use)h(the)h(meta)e(data)h(block)f(to)i(compute)d (partitions.)34 b(Non\255constant)315 2723 y(UDFs)22 b(can)e(be)g(used)g(as)h(long)e(as)i(the)o(y)e(are)h(retested)g(when)g (the)g(state)h(the)o(y)f(depend)e(on)i(has)g(been)g(modi\002ed.)68 b Fm(:)42 b(:)f(:)93 b Fp(41)125 2906 y(5\2551)78 b(Performance)25 b(of)i(unmodi\002ed)e(UNIX)i(applications.)48 b(Xok/ExOS)26 b(and)h(OpenBSD/C\255FFS)g(use)h(a)f(C\255FFS)h(\002le)315 3005 y(system)21 b(while)f(Free/OpenBSD)g(use)g(their)g(nati)n(v)o(e)f (FFS)j(\002le)f(systems.)29 b(T)m(imes)21 
b(are)f(in)g(seconds.)38 b Fm(:)j(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(50)125 3105 y(5\2552)78 b(HTTP)12 b(document)g(throughput)g(as)g(a)g(function) g(of)f(the)h(docu)o(men)o(t)g(size)g(for)g(se)n(v)o(er)o(al)g(HTTP/1.0) f(serv)o(er)o(s.)21 b Fo(NCSA/BSD)315 3205 y Fp(represents)i(the)h (NCSA/1.4.2)f(serv)o(er)g(running)e(on)i(OpenBSD.)h Fo(Har)o(v)o (est/BSD)f Fp(represents)g(the)g(Harv)o(est)h(proxy)315 3304 y(cache)14 b(running)d(on)i(OpenBSD.)h Fo(Sock)o(et/BSD)g Fp(represents)e(our)h(HTTP)h(serv)o(er)f(using)g(TCP)h(sock)o(ets)g(on) f(OpenBSD.)315 3404 y Fo(Sock)o(et/Xok)k Fp(represents)g(our)f(HTTP)h (serv)o(er)g(using)f(the)h(TCP)h(sock)o(et)f(interf)o(ace)g(b)n(uilt)g (on)g(our)f(e)o(xtensible)g(TCP/IP)315 3504 y(implementation)29 b(on)h(the)g(Xok)g(e)o(xok)o(ernel.)58 b Fo(Cheetah/Xok)29 b Fp(represents)h(the)g(Cheetah)g(HTTP)h(serv)o(er)m(,)g(which)315 3603 y(e)o(xploits)20 b(the)g(TCP)h(and)f(\002le)h(system)f (implementations)e(for)i(speed.)30 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(53)125 3703 y(5\2553)78 b(Measured)25 b(global)g(performance)e(of) i(Xok/ExOS)g(\(the)g(\002rst)h(bar\))f(and)g(FreeBSD)i(\(the)e(second)g (bar\),)h(using)f(the)315 3802 y(\002rst)e(application)d(pool.)34 b(T)m(imes)22 b(are)g(in)g(seconds)f(and)g(on)g(a)i(log)e(scale.)35 b Fk(number/number)20 b Fp(refers)h(to)h(the)g(the)g(total)315 3902 y(number)e(of)i(applications)e(run)h(by)g(the)h(script)g(and)f (the)g(maximum)f(number)g(of)h(jobs)h(run)f(concurrently)-5 b(.)30 b Fo(T)-8 b(otal)22 b Fp(is)315 4002 y(the)j(total)g(running)e (time)i(of)f(each)h(e)o(xperiment,)e Fo(Max)i Fp(is)h(the)e(longest)h (runtime)e(of)i(an)o(y)f(process)g(in)h(a)g(gi)n(v)o(en)f(run)315 4101 y(\(gi)n(ving)19 b(the)h(w)o(orst)h(latenc)o(y\).)28 b Fo(Min)21 b Fp(is)g(the)f(minimum.)92 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h (:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:) f(:)h(:)f(:)93 b Fp(54)125 4201 y(5\2554)78 
b(Measured)25 b(global)g(performance)e(of)i(Xok/ExOS)g(\(the)g(\002rst)h(bar\))f(and) g(FreeBSD)i(\(the)e(second)g(bar\),)h(using)f(the)315 4301 y(second)20 b(application)e(pool.)29 b(Methodology)17 b(and)j(presentation)e(are)i(as)h(described)e(for)h(Figure)f(5\2553)h (.)65 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(55)125 4483 y(8\2551)78 b(Metadata)20 b(operation)e(structure.)i Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)93 b Fp(73)125 4583 y(8\2552)78 b(I/O)21 b(v)o(ector)e(structure.)67 b Fm(:)41 b(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(74)125 4765 y(9\2551)78 b(Ae)o(gis)21 b(time\255slice)f (representation)27 b Fm(:)41 b(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h (:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(78)125 4865 y(9\2552)78 b(En)m(vironment)17 b(structure)60 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f (:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:) h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(79)125 4965 y(9\2553)78 b(Structures)20 b(used)g(for)f (libOS\255le)n(v)o(el)h(interrupt)e(handling.)38 b Fm(:)k(:)g(:)f(:)h (:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:) h(:)g(:)f(:)h(:)f(:)93 b Fp(81)125 5064 y(9\2554)78 b(Structure)22 b(used)g(to)g(hold)g(where)f(each)h(e)o(xposed)f(k)o(ernel)g(data)i (structure)e(be)o(gins)g(and)h(its)h(size.)37 b(By)22 b(def)o(ault,)g(each)315 5164 y(en)m(vironment)c(has)i(read)g(access)g (to)h(the)f(pages)g(containing)e(these)i(structures.)63 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)93 b Fp(82)125 5264 y(9\2555)78 b(Netw)o(ork)20 b(pack)o(et)g(recei) n(v)o(e)f(structure)29 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h 
(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:) f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(83)1929 5589 y(8)p eop %%Page: 9 10 9 9 bop 125 83 a Fp(9\2556)78 b(STLB)21 b(structure)29 b Fm(:)42 b(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f (:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:) g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(84)125 183 y(9\2557)78 b(Assembly)20 b(code)g(used)g(by)g(Ae)o(gis)g(to)g (lookup)e(mapping)h(in)h(STLB)h(\(18)e(instructions\).)64 b Fm(:)42 b(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)93 b Fp(85)125 282 y(9\2558)78 b(Hardw)o(are)20 b(de\002ned)f(\223lo)n (w\224)h(portion)e(of)i(a)h(TLB)g(entry)e(\(i.e.,)g(the)i(part)f(bound) e(to)i(a)h(virtual)e(page)h(number\).)52 b Fm(:)41 b(:)h(:)f(:)93 b Fp(86)1929 5589 y(9)p eop %%Page: 10 11 10 10 bop 0 747 a Fn(List)52 b(of)g(T)-19 b(ables)125 1179 y Fp(5.1)85 b(The)20 b(I/O\255intensi)n(v)o(e)f(w)o(orkload)f (installs)k(a)e(lar)o(ge)f(application)g(\(the)h(lcc)h(compiler\).)27 b(The)20 b(size)h(of)f(the)g(compressed)315 1279 y(archi)n(v)o(e)f (\002le)i(for)f(lcc)g(is)h(1.1)f(MByte.)49 b Fm(:)42 b(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g (:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:)h(:)f(:)h(:)g(:)f(:)h(:)f(:) 93 b Fp(50)1908 5589 y(10)p eop %%Page: 11 12 11 11 bop 0 706 a Fj(Chapter)42 b(1)0 1121 y Fn(Intr)l(oduction)208 1553 y Fp(And)21 b(no)n(w)h(that)g(the)g(le)o(gislators)g(and)g(the)g (do\255gooders)d(ha)n(v)o(e)j(so)g(futilely)g(in\003icted)g(so)g(man)o (y)f(systems)i(upon)e(society)-5 b(,)208 1652 y(may)18 b(the)o(y)g(end)h(up)f(where)h(the)o(y)f(should)g(ha)n(v)o(e)g(be)o (gun:)27 b(may)19 b(the)o(y)f(reject)h(all)g(systems,)h(and)e(try)h (liberty)-5 b(...)27 b(\227)20 b(Frederic)208 1752 y(Bastiat)208 1882 y(It)26 b(is)h(hard)f(to)g(let)h(old)f(beliefs)h(go.)47 b(The)o(y)25 b(are)h(f)o(amiliar)-5 b(.)48 b(W)-7 b(e)28 b(are)e(comfortable)e(with)j(them)f(and)f(ha)n(v)o(e)h(spent)g(years) 208 
1982 y(b)n(uilding)f(systems)h(and)g(de)n(v)o(eloping)e(habits)i (that)h(depend)d(on)i(them.)48 b(Lik)o(e)26 b(a)h(man)f(who)f(has)i(w)o (orn)f(e)o(ye)o(glasses)g(so)208 2081 y(long)19 b(that)i(he)f(for)o (gets)g(he)g(has)h(them)f(on,)g(we)h(for)o(get)e(that)i(the)f(w)o(orld) g(looks)g(to)h(us)g(the)g(w)o(ay)f(it)h(does)g(because)f(we)h(ha)n(v)o (e)208 2181 y(become)c(used)i(to)g(seeing)f(it)i(that)e(w)o(ay)h (through)e(a)i(particular)f(set)h(of)g(lenses.)29 b(T)-7 b(oday)i(,)17 b(ho)n(we)n(v)o(er)m(,)g(we)i(need)f(ne)n(w)h(lenses.)208 2281 y(And)g(we)i(need)e(to)i(thro)n(w)e(the)h(old)g(ones)g(a)o(w)o(ay) -5 b(.)28 b(\227)21 b(K)n(enich)f(Ohmae)125 2451 y(T)m(raditional)13 b(operating)g(systems)i(abstract)f(and)g(protect)g(system)h(resources.) 26 b(F)o(or)15 b(e)o(xample,)f(the)o(y)g(abstract)g(physical)f(memory)g (in)0 2550 y(terms)j(of)g(virtual)g(memory)-5 b(,)14 b(disk)j(blocks)e(in)h(terms)h(of)f(\002les,)h(and)f(e)o(xceptions)f (and)g(CPU)i(in)g(terms)f(of)g(processes.)28 b(This)16 b(or)o(ganization)0 2650 y(has)24 b(three)f(signi\002cant)g (bene\002ts.)38 b(First,)25 b(it)f(pro)o(vides)e(a)i(portable)e(interf) o(ace)g(to)i(the)f(underlying)e(machine;)j(applications)e(need)h(not)0 2750 y(care)d(about)f(the)h(details)h(of)f(the)g(underlying)d(hardw)o (are.)28 b(Second,)19 b(it)i(pro)o(vides)d(a)j(lar)o(ge)e(def)o(ault)h (functionality)e(base,)i(remo)o(ving)e(the)0 2849 y(need)f(for)g (application)g(programmers)e(to)j(write)g(de)n(vice)f(dri)n(v)o(ers)g (or)h(other)f(lo)n(w\255le)n(v)o(el)f(operating)g(system)i(code.)28 b(Finally)-5 b(,)18 b(it)g(pro)o(vides)0 2949 y(protection:)36 b(because)24 b(the)g(operating)f(system)h(controls)g(all)h(application) d(uses)j(of)f(resources,)h(it)g(can)f(control)f(application)g(access)0 3049 y(to)g(them,)g(pre)n(v)o(enting)d(b)n(uggy)h(or)h(malicious)g (applications)g(from)f(compromising)f(the)j(system.)37 b(Empirically)-5 b(,)21 b(the)i(ability)f(to)h(ha)n(v)o(e)0 3148 y(multiple)16 
b(applications)f(and)i(users)f(sharing)g(the)h(same) f(machine)g(is)h(useful.)28 b(Despite)17 b(this)g(or)o(ganization')-5 b(s)14 b(bene\002ts,)j(it)g(has)g(a)g(serious)0 3248 y(problem:)36 b(only)24 b(pri)n(vile)o(ged)e(serv)o(ers)i(and)g(the)g (k)o(ernel)g(can)g(manage)f(system)h(resources.)41 b(Untrusted)24 b(applications)f(are)h(restricted)0 3347 y(to)29 b(the)g(interf)o(aces) g(and)g(implementations)e(of)i(this)g(pri)n(vile)o(ged)e(softw)o(are.) 56 b(This)29 b(or)o(ganization)d(is)k(\003a)o(wed)f(because)f (application)0 3447 y(demands)15 b(v)n(ary)h(widely)-5 b(.)27 b(An)16 b(interf)o(ace)g(designed)f(to)h(accommodate)e(e)n(v)o (ery)h(application)g(must)i(anticipate)e(all)i(possible)f(needs.)28 b(The)0 3547 y(implementation)19 b(of)j(such)f(an)g(interf)o(ace)g(w)o (ould)g(need)g(to)g(resolv)o(e)g(all)h(tradeof)n(fs)e(and)h(anticipate) g(all)h(w)o(ays)g(the)f(interf)o(ace)g(could)g(be)0 3646 y(used.)28 b(Experience)15 b(suggests)j(that)f(such)g(anticipation)f (is)j(infeasible)e(and)g(that)g(the)g(cost)h(of)f(mistak)o(es)h(is)g (high)f([3)o(,)h(9,)f(16)o(,)h(25)o(,)g(43)o(,)g(79)o(].)125 3746 y(The)26 b Fk(e)n(xok)o(ernel)g(ar)m(c)o(hitectur)m(e)f Fp(attacks)i(this)g(problem)e(by)h(gi)n(ving)f(untrusted)g(application) g(code)g(as)j(much)d(safe)i(control)e(o)o(v)o(er)0 3846 y(resources)31 b(as)i(possible,)i(thereby)c(allo)n(wing)h(orders)f(of)h (magnitude)f(more)g(programmers)f(to)i(inno)o(v)n(ate)f(and)h(use)g (inno)o(v)n(ations,)0 3945 y(without)21 b(compromising)f(system)i(inte) o(grity)-5 b(.)33 b(It)23 b(does)e(so)i(by)f(di)n(viding)e (responsibilities)h(dif)n(ferently)f(from)h(the)i(w)o(ay)f(con)m(v)o (entional)0 4045 y(systems)29 b(do.)53 b(Exok)o(ernels)26 b(separate)i(protection)e(from)i(management:)43 b(the)o(y)28 b(protect)f(resources,)i(applications)e(manage)g(them.)0 4144 y(An)f(e)o(xok)o(ernel)f(stri)n(v)o(es)h(to)h(mo)o(v)o(e)e(all)i (functionality)d(not)i(required)f(for)h(protection)e(out)j(of)f(pri)n 
(vile)o(ged)e(k)o(ernels)i(and)g(serv)o(ers)g(into)0 4244 y(unpri)n(vile)o(ged)c(applications.)43 b(F)o(or)25 b(e)o(xample,)g(in)g(the)g(conte)o(xt)f(of)h(virtual)f(memory)-5 b(,)25 b(an)g(e)o(xok)o(ernel)e(protects)h(physical)g(pages)h(and)0 4344 y(disk)20 b(blocks)g(used)g(for)f(paging,)g(b)n(ut)h(defers)g(the) g(rest)h(of)f(management)e(to)i(applications)f(\(i.e.,)h(paging,)e (allocation,)i(f)o(ault)g(handling,)0 4443 y(page)i(table)i(layout,)e (etc.\).)38 b(The)23 b(ideal)g(e)o(xok)o(ernel)e(mak)o(es)i(untrusted)f (softw)o(are)h(as)g(po)n(werful)f(as)i(a)f(pri)n(vile)o(ged)e (operating)h(system,)0 4543 y(without)d(sacri\002cing)h(either)g (protection)e(or)i(ef)n(\002cienc)o(y)-5 b(.)125 4643 y(Of)13 b(course,)f(not)h(all)g(applications)g(need)g(customized)g (resour)o(ce)g(man)o(age)o(men)o(t.)22 b(Instead)13 b(of)g (communicating)g(with)g(the)g(e)n(xo)o(k)o(ern)o(el)0 4742 y(directly)-5 b(,)17 b(we)i(e)o(xpect)f(most)g(programs)f(to)h(be) h(link)o(ed)e(with)i(libraries)f(that)h(hide)e(lo)n(w\255le)n(v)o(el)h (resources)f(behind)g(traditional)g(operating)0 4842 y(system)25 b(abstractions.)42 b(Ho)n(we)n(v)o(er)m(,)24 b(unlik)o(e)h(traditional)e(implementations)g(of)i(these)g (abstractions,)g(library)f(implementations)f(are)0 4941 y(unpri)n(vile)o(ged)j(and)i(can)h(therefore)e(be)i(modi\002ed)f(or)g (replaced)g(at)h(will.)56 b(W)-7 b(e)30 b(refer)e(to)i(these)f(unpri)n (vile)o(ged)c(libraries)k(as)h Fk(libr)o(ary)0 5041 y(oper)o(ating)25 b(systems,)30 b Fp(or)d(libOSes.)51 b(On)27 b(the)g(e)o(xok)o(ernels)f (described)g(in)h(this)h(thesis,)h(libOSes)f(implement)e(virtual)g (memory)-5 b(,)27 b(\002le)0 5141 y(systems,)19 b(netw)o(orking,)e(and) h(processes.)29 b(Applications)18 b(are)g(written)h(on)f(top)h(of)f (these)i(libraries)e(in)h(a)g(w)o(ay)g(similar)g(to)g(ho)n(w)g(the)o(y) f(are)0 5240 y(written)e(on)g(top)g(of)g(current)f(operating)f (systems.)29 b(As)17 b(a)g(result,)f(applications)g(can)g(achie)n(v)o 
(e)f(appreciable)f(speedups)i(on)f(an)i(e)o(xok)o(ernel)0 5340 y(by)j(simply)g(linking)f(against)g(an)h(optimized)f(library)g (operating)g(system.)29 b(Figure)19 b(1\2551)h(illustrates)h(a)f (generic)f(e)o(xok)o(ernel)f(system.)1908 5589 y(11)p eop %%Page: 12 13 12 12 bop 39 618 a Fp(clip=)20 b(angle=270)e @beginspecial @clip 270 @angle 0 @llx 0 @lly 612 @urx 792 @ury 2520 @rwi @setspecial %%BeginDocument: e.ps %!PS-Adobe-3.0 %%Title: (exo-arch.pdf) %%Version: 1 2 %%CreationDate: (D:19981003204701) %%DocumentData: Clean7Bit %%BoundingBox: 0 0 612 792 %%Pages: 1 %%DocumentProcessColors: Cyan Magenta Yellow Black %%DocumentSuppliedResources: %%+ font Times-Roman %%+ font Times-Bold %%+ procset (Adobe Acrobat - PDF operators) 1.2 0 %%+ procset (Adobe Acrobat - type operators) 1.2 0 %%EndComments %%BeginDefaults %%EndDefaults %%BeginProlog %%EndProlog %%BeginSetup /currentpacking where{pop currentpacking true setpacking}if userdict /PDF 85 dict put %%BeginFile: pdfvars.prc %%Copyright: Copyright 1987-1996 Adobe Systems Incorporated. All Rights Reserved. userdict /PDFVars 75 dict dup begin put /_save 0 def /_cshow 0 def /InitAll 0 def /TermAll 0 def /_lp /none def /_doClip 0 def /sfc 0 def /_sfcs 0 def /_sfc 0 def /ssc 0 def /_sscs 0 def /_ssc 0 def /_fcs 0 def /_scs 0 def /_fp 0 def /_sp 0 def /_f0 0 array def /_f1 1 array def /_f3 3 array def /_f4 4 array def /_fc null def /_s0 0 array def /_s1 1 array def /_s3 3 array def /_s4 4 array def /_sc null def /_cpcf null def /_cpcs null def /_inT false def /_tr -1 def /_rise 0 def /_ax 0 def /_cx 0 def /_ld 0 def /_tm matrix def /_ctm matrix def /_mtx matrix def /_hy (-) def /_fScl 0 def /_hs 1 def /_pdfEncodings 2 array def /_Tj 0 def /_italMtx[1 0 .212557 1 0 0]def /_basefont 0 def /_basefonto 0 def /_categories 10 dict def /_sa? true def /_op? false def /_ColorSep5044? false def /_tmpcolr? [] def /_tmpop? 
{} def end %%EndFile PDFVars begin PDF begin %%BeginFile: pdfutil.prc %%Copyright: Copyright 1993 Adobe Systems Incorporated. All Rights Reserved. /bd {bind def} bind def /ld {load def} bd /dd { PDFVars 3 1 roll put } bd /xdd { exch dd } bd /Level2? /languagelevel where { pop languagelevel 2 ge } { false } ifelse def /here { dup currentdict exch known { currentdict exch get true } { pop false } ifelse } bd /isdefined? { where { pop true } { false } ifelse } bd /StartLoad { dup dup not { /_save save dd } if } bd /EndLoad { if not { _save restore } if } bd /npop { { pop } repeat } bd %%EndFile %%BeginFile: l2compat %%Copyright: Copyright 1987-1993 Adobe Systems Incorporated. All Rights Reserved. /cshow isdefined? not StartLoad { /cshow { exch /_cshow xdd { 0 0 _cshow exec } forall } bd } EndLoad /setcmykcolor isdefined? not StartLoad { /setcmykcolor { 1 sub 4 1 roll 3 { 3 index add neg dup 0 lt { pop 0 } if 3 1 roll } repeat setrgbcolor pop } bd } EndLoad /rectclip isdefined? not StartLoad { /re 0 def /rectclip { newpath re clip newpath } bd } EndLoad /execform isdefined? not StartLoad { /execform { gsave dup begin Matrix concat BBox aload pop exch 3 index sub exch 2 index sub rectclip PaintProc end grestore } def } EndLoad %%EndFile %%BeginFile: pdf.prc %%Copyright: Copyright 1987-1996 Adobe Systems Incorporated. All Rights Reserved. /initialize { _ColorSep5044? {sep_ops begin 50 dict begin} if newpath } bd /terminate { _ColorSep5044? {end end} if } bd Level2? StartLoad { /m/moveto ld /l/lineto ld /c/curveto ld /setSA/setstrokeadjust ld } EndLoad Level2? not StartLoad { /pl { transform 0.25 sub round 0.25 add exch 0.25 sub round 0.25 add exch itransform } bd /m { _sa? { pl } if moveto } bd /l { _sa? { pl } if lineto } bd /c { _sa? { pl } if curveto } bd /setSA { /_sa? 
xdd } bd } EndLoad /v { currentpoint 6 2 roll c } bd /y { 2 copy c } bd /h/closepath ld /d/setdash ld /j/setlinejoin ld /J/setlinecap ld /M/setmiterlimit ld /w/setlinewidth ld /cf currentflat def /i { dup 0 eq { pop cf } if setflat } bd /ilp { /_lp /none dd } bd /sfc { _lp /fill ne { _sfcs _sfc /_lp /fill dd } if } dd /ssc { _lp /stroke ne { _sscs _ssc /_lp /stroke dd } if } dd /n { _doClip 1 ge { _doClip 1 eq { clip } { eoclip } ifelse /_doClip 0 dd } if newpath } bd /f { _doClip 1 ge { gsave sfc fill grestore _doClip 1 eq { clip } { eoclip } ifelse newpath ilp /_doClip 0 dd } { sfc fill } ifelse } bd /f* { _doClip 1 ge { gsave sfc eofill grestore _doClip 1 eq { clip } { eoclip } ifelse newpath ilp /_doClip 0 dd } { sfc eofill } ifelse } bd /S { _doClip 1 ge { gsave ssc stroke grestore _doClip 1 eq { clip } { eoclip } ifelse newpath ilp /_doClip 0 dd } { ssc stroke } ifelse } bd /s { h S } bd /B { _doClip dup 1 ge gsave f grestore { gsave S grestore 1 eq { clip } { eoclip } ifelse newpath ilp /_doClip 0 dd } { pop S } ifelse } bd /b { h B } bd /B* { _doClip dup 1 ge gsave f* grestore { gsave S grestore 1 eq { clip } { eoclip } ifelse newpath ilp /_doClip 0 dd } { pop S } ifelse } bd /b* { h B* } bd /W { /_doClip 1 dd } bd /W* { /_doClip 2 dd } bd /q/save ld /Q { restore ilp } bd Level2? StartLoad { /defineRes/defineresource ld /findRes/findresource ld currentglobal true systemdict /setglobal get exec [/Function /ExtGState /Form] { /Generic /Category findresource dup length dict copy /Category defineresource pop } forall systemdict /setglobal get exec } EndLoad Level2? not StartLoad { /AlmostFull? { dup maxlength exch length sub 2 le } bind def /Expand { 1 index maxlength mul cvi dict dup begin exch { def } forall end } bind def /xput { 3 2 roll dup 3 index known not { dup AlmostFull? 
{ 1.5 Expand } if } if dup 4 2 roll put } bind def /defineRes { _categories 1 index known not { /_categories _categories 2 index 10 dict xput store } if _categories exch 2 copy get 5 -1 roll 4 index xput put } bind def /findRes { _categories exch get exch get } bind def } EndLoad /cs { dup where { pop load } if dup /_fcs xdd ucs _cpcf exch get /_fc xdd /_fp null dd } bd /CS { dup where { pop load } if dup /_scs xdd ucs _cpcs exch get /_sc xdd /_sp null dd } bd /ucs { dup type /arraytype eq { dup 0 get dup /Indexed eq { pop 0 get } { /Pattern eq { dup length 2 eq { 1 get ucs } { 0 get } ifelse } { 0 get } ifelse } ifelse } if } bd /_cpcf 15 dict dup begin /DefaultGray _f1 def /DeviceGray _f1 def /DefaultRGB _f3 def /DeviceRGB _f3 def /DeviceCMYK _f4 def /CalGray _f1 def /CalRGB _f3 def /CalCMYK _f4 def /Lab _f3 def /Pattern _f0 def /Indexed _f1 def /Separation _f1 def /CIEBasedA _f1 def /CIEBasedABC _f3 def end dd /_cpcs 15 dict dup begin /DefaultGray _s1 def /DeviceGray _s1 def /DefaultRGB _s3 def /DeviceRGB _s3 def /DeviceCMYK _s4 def /CalGray _s1 def /CalRGB _s3 def /CalCMYK _s4 def /Lab _s3 def /Pattern _s0 def /Indexed _s1 def /Separation _s1 def /CIEBasedA _s1 def /CIEBasedABC _s3 def end dd Level2? not StartLoad { /_sfcs { } dd /_sscs { } dd /_sfc { _fc L1setcolor } dd /_ssc { _sc L1setcolor } dd /L1setcolor { aload length dup 0 eq { pop .5 setgray } { dup 1 eq { pop setgray } { 3 eq { setrgbcolor } { setcmykcolor } ifelse } ifelse } ifelse } bind dd /ri/pop ld /makePat/pop ld /sethalftone { begin HalftoneType 1 eq { Frequency Angle /SpotFunction load } { 0 0 currentdict } ifelse setscreen end } bind def } EndLoad Level2? StartLoad { /_sfcs { _fcs setcolorspace } bind dd /_sscs { _scs setcolorspace } bind dd /_sfc { _fc aload pop _fp null eq { setcolor } { _fp setpattern } ifelse } bind dd /_ssc { _sc aload pop _sp null eq { setcolor } { _sp setpattern } ifelse } bind dd /ri { /findcolorrendering isdefined? 
{ mark exch findcolorrendering counttomark 2 eq { type /booleantype eq { dup type /nametype eq { dup /ColorRendering resourcestatus { pop pop dup /DefaultColorRendering ne { /ColorRendering findresource setcolorrendering } if } if } if } if } if cleartomark } { pop } ifelse } bd /makePat /makepattern ld } EndLoad /sc { _fc astore pop ilp } bd /SC { _sc astore pop ilp } bd /scn { dup type /dicttype eq { dup /_fp xdd /PaintType get 1 eq { /_fc _f0 dd ilp } { /_fc _cpcf _fcs ucs get dd sc } ifelse } { sc } ifelse } bd /SCN { dup type /dicttype eq { dup /_sp xdd /PaintType get 1 eq { /_sc _s0 dd ilp } { /_sc _cpcs _scs ucs get dd SC } ifelse } { SC } ifelse } bd /g { /DefaultGray cs sc } bd /rg { /DefaultRGB cs sc } bd /k { /DeviceCMYK cs sc } bd /G { /DefaultGray CS SC } bd /RG { /DefaultRGB CS SC } bd /K { /DeviceCMYK CS SC } bd /cm { _mtx astore concat } bd /re { 4 2 roll m 1 index 0 rlineto 0 exch rlineto neg 0 rlineto h } bd /RC/rectclip ld /EF/execform ld /PS { cvx exec } bd /initgs { /DefaultGray where { pop } { /DefaultGray /DeviceGray dd } ifelse /DefaultRGB where { pop } { /DefaultRGB /DeviceRGB dd } ifelse 0 g 0 G [] 0 d 0 j 0 J 10 M 1 w true setSA } bd 21 dict dup begin /CosineDot { 180 mul cos exch 180 mul cos add 2 div } bd /Cross { abs exch abs 2 copy gt { exch } if pop neg } bd /Diamond { abs exch abs 2 copy add .75 le { dup mul exch dup mul add 1 exch sub } { 2 copy add 1.23 le { .85 mul add 1 exch sub } { 1 sub dup mul exch 1 sub dup mul add 1 sub } ifelse } ifelse } bd /Double { exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add } bd /DoubleDot { 2 { 360 mul sin 2 div exch } repeat add } bd /Ellipse { abs exch abs 2 copy 3 mul exch 4 mul add 3 sub dup 0 lt { pop dup mul exch .75 div dup mul add 4 div 1 exch sub } { dup 1 gt {pop 1 exch sub dup mul exch 1 exch sub .75 div dup mul add 4 div 1 sub } { .5 exch sub exch pop exch pop } ifelse } ifelse } bd /EllipseA { dup mul .9 mul exch dup mul add 1 exch sub } bd /EllipseB { dup 5 mul 8 div mul exch 
dup mul exch add sqrt 1 exch sub } bd /EllipseC { dup .5 gt { 1 exch sub } if dup .25 ge { .5 exch sub 4 mul dup mul 1 sub } { 4 mul dup mul 1 exch sub } ifelse exch dup .5 gt { 1 exch sub } if dup .25 ge { .5 exch sub 4 mul dup mul 1 sub } { 4 mul dup mul 1 exch sub } ifelse add -2 div } bd /InvertedDouble { exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add neg } bd /InvertedDoubleDot { 2 { 360 mul sin 2 div exch } repeat add neg } bd /InvertedEllipseA { dup mul .9 mul exch dup mul add 1 sub } bd /InvertedSimpleDot { dup mul exch dup mul add 1 sub } bd /Line { exch pop abs neg } bd /LineX { pop } bd /LineY { exch pop } bd /Rhomboid { abs exch abs 0.9 mul add 2 div } bd /Round { abs exch abs 2 copy add 1 le { dup mul exch dup mul add 1 exch sub } { 1 sub dup mul exch 1 sub dup mul add 1 sub } ifelse } bd /SimpleDot { dup mul exch dup mul add 1 exch sub } bd /Square { abs exch abs 2 copy lt { exch } if pop neg } bd end { /Function defineRes pop } forall /Identity {} /Function defineRes pop Level2? StartLoad { /gs { begin /SA here { setstrokeadjust } if /OP here { setoverprint } if /BG here { setblackgeneration } if /UCR here { setundercolorremoval } if /HT here { sethalftone } if /sethalftonephase isdefined? { /HTP here { sethalftonephase } if } if /TR here { dup xcheck { settransfer } { aload pop setcolortransfer } ifelse } if end } bd { /Default /Halftone findresource pop } stopped { currenthalftone exch defineresource pop } if /Type6supported? { { 6 /HalftoneType findresource } stopped { pop pop false } { pop true } ifelse } bd /Convert6to3 { begin Thresholds Width Height mul string readstring pop /Thresholds exch def /HalftoneType 3 def currentdict end } bd /sethalftone6 { dup /HalftoneType get 6 eq { Type6supported? not { Convert6to3 } if } if sethalftone } bd } EndLoad Level2? not StartLoad { /gs { begin /SA here { /_sa? xdd } if /OP here { dup /_op? 
xdd /setoverprint where {pop setoverprint} {pop} ifelse } if /HT here { sethalftone } if /TR here { dup type xcheck { settransfer } if } if end } bd 5 dict dup begin currentscreen 1 [/HalftoneType /SpotFunction /Angle /Frequency] { exch def } forall end /Default exch /Halftone defineRes pop } EndLoad /int { dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul exch pop add exch pop } bd _ColorSep5044? StartLoad { /_sfc { _fp null eq { _fcs type /arraytype eq {_fcs 0 get /Separation eq { _fcs 1 get /All eq { _fc aload pop 1 exch sub /setseparationgray where pop begin setseparationgray end } { 1 _fcs 3 get exec _fcs 1 get /findcmykcustomcolor where pop begin findcmykcustomcolor end _fc aload pop /setcustomcolor where pop begin setcustomcolor end } ifelse } { _fc L1setcolor } ifelse } { _fc L1setcolor } ifelse } { _fp setpattern } ifelse } bind dd /_ssc { _sp null eq { _scs type /arraytype eq {_scs 0 get /Separation eq { _scs 1 get /All eq { _sc aload pop 1 exch sub /setseparationgray where pop begin setseparationgray end } { 1 _scs 3 get exec _scs 1 get /findcmykcustomcolor where pop begin findcmykcustomcolor end _sc aload pop /setcustomcolor where pop begin setcustomcolor end } ifelse } { _sc L1setcolor } ifelse } { _sc L1setcolor } ifelse } { _sp setpattern } ifelse } bind dd } EndLoad %%EndFile %%BeginFile: pdftext.prc %%Copyright: Copyright 1987-1994 Adobe Systems Incorporated. All Rights Reserved. 
PDF /PDFText 51 dict dup begin put /initialize { PDFText begin } bd /terminate { end } bd /CopyFont { { 1 index /FID ne 2 index /UniqueID ne and { def } { pop pop } ifelse } forall } bd /modEnc { /_enc xdd /_icode 0 dd counttomark 1 sub -1 0 { index dup type /nametype eq { _enc _icode 3 -1 roll put _icode 1 add } if /_icode xdd } for cleartomark _enc } bd /trEnc { /_enc xdd 255 -1 0 { exch dup -1 eq { pop /.notdef } { Encoding exch get } ifelse _enc 3 1 roll put } for pop _enc } bd /TE { /_i xdd StandardEncoding 256 array copy modEnc _pdfEncodings exch _i exch put } bd /TZ { /_usePDFEncoding xdd findfont dup length 2 add dict begin { 1 index /FID ne { def } { pop pop } ifelse } forall /FontName exch def _usePDFEncoding 0 ge { /Encoding _pdfEncodings _usePDFEncoding get def pop } { _usePDFEncoding -1 eq { counttomark 0 eq { pop } { Encoding 256 array copy modEnc /Encoding exch def } ifelse } { 256 array trEnc /Encoding exch def } ifelse } ifelse FontName currentdict end definefont pop } bd /_pdfIsLevel2 systemdict /languagelevel known {languagelevel 2 ge} {false} ifelse def _pdfIsLevel2 { /_pdfFontStatus { dup /Font resourcestatus {pop pop pop true} { /CIDFont /Category resourcestatus { pop pop /CIDFont resourcestatus {pop pop true} {false} ifelse } { pop false } ifelse } ifelse } bd } { /_pdfFontStatusString 50 string def _pdfFontStatusString 0 (fonts/) putinterval /_pdfFontStatus { _pdfFontStatusString 6 42 getinterval cvs length 6 add _pdfFontStatusString exch 0 exch getinterval status { pop pop pop pop true} { false } ifelse } bd } ifelse systemdict /composefont known { /_pdfComposeFont { 1 index /CMap resourcestatus {pop pop true} {false} ifelse 1 index true exch { _pdfFontStatus not {pop false exit} if } forall and {composefont true} { pop pop dup _pdfFontStatus { findfont true } { pop false } ifelse } ifelse } bd } { /_pdfString100 100 string def /_pdfComposeFont { dup length 1 eq { 0 get 1 index type /nametype eq { _pdfString100 cvs length dup dup 
_pdfString100 exch (-) putinterval _pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval 2 index exch cvs length add 1 add _pdfString100 exch 0 exch getinterval exch pop } { pop pop dup } ifelse } { pop pop dup } ifelse 2 copy _pdfFontStatus { pop findfont definefont true } { eq {pop false} { dup _pdfFontStatus {findfont true} {pop false} ifelse } ifelse } ifelse } bd } ifelse /_pdfFaceByStyleDict 4 dict dup begin _pdfIsLevel2 { /Serif /Ryumin-Light-83pv-RKSJ-H /Font resourcestatus {pop pop /Ryumin-Light} {/HeiseiMin-W3} ifelse def /SanSerif /GothicBBB-Medium-83pv-RKSJ-H /Font resourcestatus {pop pop /GothicBBB-Medium} {/HeiseiKakuGo-W5} ifelse def /Default Serif def } { /Mincho /Ryumin-Light def /Gothic /GothicBBB-Medium def (fonts/Jun101-Light-83pv-RKSJ-H) status {/RoundGothic /Jun101-Light def } if /Default Mincho def } ifelse end def /TZzero { /_styleArr xdd 3 copy _pdfComposeFont {exch pop exch pop exch pop} { [ 0 1 _styleArr length 1 sub { _styleArr exch get _pdfFaceByStyleDict exch 2 copy known not { pop /Default } if get } for ] exch pop 2 index 3 1 roll _pdfComposeFont {exch pop} {findfont} ifelse } ifelse definefont pop } bd /swj { dup 4 1 roll dup length exch stringwidth exch 5 -1 roll 3 index mul add 4 1 roll 3 1 roll mul add 6 2 roll /_cnt 0 dd {1 index eq {/_cnt _cnt 1 add dd} if} forall pop exch _cnt mul exch _cnt mul 2 index add 4 1 roll 2 index add 4 1 roll pop pop } bd /jss { 4 1 roll { 2 npop (0) exch 2 copy 0 exch put gsave 32 eq { exch 6 index 6 index 6 index 5 -1 roll widthshow currentpoint } { false charpath currentpoint 4 index setmatrix stroke } ifelse grestore moveto 2 copy rmoveto } exch cshow 6 npop } def /jsp { { 2 npop (0) exch 2 copy 0 exch put 32 eq { exch 5 index 5 index 5 index 5 -1 roll widthshow } { false charpath } ifelse 2 copy rmoveto } exch cshow 5 npop } bd /trj { _cx 0 32 _ax 0 6 5 roll } bd /pjsf { trj sfc awidthshow } bd /pjss { trj _ctm ssc jss } bd /pjsc { trj jsp } bd /_Tjdef [ /pjsf load /pjss load { 
dup currentpoint 3 2 roll pjsf newpath moveto pjss } bind { trj swj rmoveto } bind { dup currentpoint 4 2 roll gsave pjsf grestore 3 1 roll moveto pjsc } bind { dup currentpoint 4 2 roll currentpoint gsave newpath moveto pjss grestore 3 1 roll moveto pjsc } bind { dup currentpoint 4 2 roll gsave dup currentpoint 3 2 roll pjsf newpath moveto pjss grestore 3 1 roll moveto pjsc } bind /pjsc load ] def /BT { /_inT true dd _ctm currentmatrix pop matrix _tm copy pop 0 _rise translate _hs 1 scale 0 0 moveto } bd /ET { /_inT false dd _tr 3 gt {clip} if _ctm setmatrix newpath } bd /Tr { _inT { _tr 3 le {currentpoint newpath moveto} if } if dup /_tr xdd _Tjdef exch get /_Tj xdd } bd /Tj { userdict /$$copystring 2 index put _Tj } bd /iTm { _ctm setmatrix _tm concat 0 _rise translate _hs 1 scale } bd /Tm { _tm astore pop iTm 0 0 moveto } bd /Td { _mtx translate _tm _tm concatmatrix pop iTm 0 0 moveto } bd /TD { dup /_ld xdd Td } bd /Tf { dup 1000 div /_fScl xdd exch findfont exch scalefont setfont } bd /TL { neg /_ld xdd } bd /Tw { /_cx xdd } bd /Tc { /_ax xdd } bd /Ts { /_rise xdd currentpoint iTm moveto } bd /Tz { 100 div /_hs xdd iTm } bd /Tk { exch pop _fScl mul neg 0 rmoveto } bd /T* { 0 _ld Td } bd /' { 0 0 3 -1 roll " } bd /" { exch Tc exch Tw T* Tj } bd /TJ { { dup type /stringtype eq { Tj } { 0 exch Tk } ifelse } forall } bd /T- { _hy Tj } bd /d0/setcharwidth ld /d1 { setcachedevice /sfc{}dd /ssc{}dd } bd /nND {{/.notdef} repeat} bd /T3Defs { /BuildChar { 1 index /Encoding get exch get 1 index /BuildGlyph get exec } def /BuildGlyph { exch begin GlyphProcs exch get exec end } def } bd /MakeBold { findfont dup dup length 2 add dict begin CopyFont /PaintType 2 def /StrokeWidth .03 0 FontMatrix idtransform pop def /dummybold currentdict end definefont 8 dict begin /_basefont exch def /_basefonto exch def /FontType 3 def /FontMatrix[1 0 0 1 0 0]def /FontBBox[0 0 1 1]def /Encoding StandardEncoding def /BuildChar { exch begin _basefont setfont ( )dup 0 4 -1 roll put dup 
stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth 0 0 moveto gsave dup show grestore _basefonto setfont show end }bd currentdict end definefont pop }bd /MakeItalic { findfont _italMtx makefont dup length dict begin CopyFont currentdict end definefont pop }bd /MakeBoldItalic { /dummybold exch MakeBold /dummybold MakeItalic }bd currentdict readonly pop end %%EndFile PDFText begin [39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis /Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute /egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde /oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex /udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls /registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash /.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef /.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash /questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef /guillemotleft/guillemotright/ellipsis/.notdef/Agrave/Atilde/Otilde/OE/oe /endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide /.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright /fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand /Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex /Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex /Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla /hungarumlaut/ogonek/caron 0 TE [1/dotlessi/caron 39/quotesingle 96/grave 127/bullet/bullet/bullet/quotesinglbase/florin/quotedblbase/ellipsis /dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE /bullet/bullet/bullet/bullet/quoteleft/quoteright/quotedblleft /quotedblright/bullet/endash/emdash/tilde/trademark/scaron /guilsinglright/oe/bullet/bullet/Ydieresis/space/exclamdown/cent/sterling /currency/yen/brokenbar/section/dieresis/copyright/ordfeminine 
/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus /twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla /onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters /questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla /Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis /Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash /Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave /aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute /ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde /ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute /ucircumflex/udieresis/yacute/thorn/ydieresis 1 TE end currentdict readonly pop end end /currentpacking where {pop setpacking}if PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs 0 Tr}put PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put PDFVars begin PDF begin PDFVars/InitAll get exec % Begin encoding-delta [/N6/Times-Roman -1 TZ % End encoding-delta % Begin encoding-delta [/N7/Times-Bold -1 TZ % End encoding-delta PDFVars/TermAll get exec end end %%EndSetup %%Page: 1 1 %%BeginPageSetup userdict /pgsave save put PDFVars begin PDF begin PDFVars/InitAll get exec %%EndPageSetup 0 0 612 792 RC 0.12 0 0 0.12 0 0 cm q 0.6156 g 1 i 654.75 853.75 350 1600 re f* 25 w 1 J 654.75 853.75 350 1600 re S 0 g q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 108.33 181.89 Tm (g)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 826 1610 m 818 1610 l 818 1594.6 l 818 1590.6 817.28 1587.6 815.6 1583.6 c 814 1579.2 l 812 1573.8 811 1568.4 811 1563.2 c 811 1544.6 825.4 1530.2 843.6 1530.2 c 856.2 1530.2 863.8 1535.29 870.4 1548.4 c 873.2 1545.6 875.8 1542.8 878.4 1539.8 c 884.2 1533.2 888.2 1531 892.2 1531 c 896.6 1531 898.8 1533.12 902.8 1541.2 c 913.2 1526.8 919.8 1522 927.2 1522 c 937.8 1522 946 1537.22 946 1556.2 c 946 1570.6 941.425 1585.8 933.8 1596.2 c 927.4 1604.4 
920.8 1608 912.8 1608 c 900.4 1608 892 1598.68 891.4 1584 c 890.2 1558.2 l 889.801 1547.4 888 1542.6 884.801 1542.6 c 880.801 1542.6 873.801 1549.2 872.2 1554.6 c 872.6 1558.4 l 873 1562 873 1564.8 873 1566 c 873 1573 870.272 1580.8 865.4 1586.8 c 859.8 1594 852.6 1597 842.2 1597 c 836.607 1597 832.171 1596.05 826 1593.4 c h 903.4 1545.4 m 904.8 1552.2 906 1568 906 1577.8 c 906 1596 908.4 1602 915.8 1602 c 927.4 1602 935 1587.04 935 1564.6 c 935 1547 929.279 1536 920.6 1536 c 916 1536 913 1537.73 903.4 1545.4 c h 835.4 1546.4 m 823.6 1546.4 816.999 1552 816.999 1561.2 c 816.999 1567.4 820.254 1572.6 826 1575.8 c 833 1579.6 842 1582 850.199 1582 c 861.199 1582 868 1576.12 868 1567 c 868 1554.6 855.08 1546.4 836 1546.4 c h 903 1616 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 108.33 193.89 Tm (c)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 871.8 1695.6 m 885.8 1686 891 1678.8 891 1667.4 c 891 1649 874.836 1636 851.6 1636 c 830.8 1636 817 1647.16 817 1663.6 c 817 1670.8 819.154 1673.4 826.4 1675.4 c 830.8 1676.6 l 836.6 1678.2 840 1681.8 840 1686.2 c 840 1691.4 836.2 1695.6 831.6 1695.6 c 820.4 1695.6 811 1681.6 811 1664.8 c 811 1655.4 814.6 1645.8 821.2 1637.8 c 830.2 1627 844 1621 860.6 1621 c 886.4 1621 905 1636.8 905 1659 c 905 1667.6 902.2 1675.2 896.6 1682 c 891.8 1688 886 1692 873.6 1698.4 c h 903 1704.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 108.33 204.57 Tm (c)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 871.8 1784.6 m 885.8 1775 891 1767.8 891 1756.4 c 891 1738 874.836 1725 851.6 1725 c 830.8 1725 817 1736.16 817 1752.6 c 817 1759.8 819.154 1762.4 826.4 1764.4 c 830.8 1765.6 l 836.6 1767.2 840 1770.8 840 1775.2 c 840 1780.4 836.2 1784.6 831.6 1784.6 c 820.4 1784.6 811 1770.6 811 1753.8 c 811 1744.4 814.6 1734.8 821.2 1726.8 c 830.2 1716 844 1710 860.6 1710 c 886.4 1710 905 1725.8 905 1748 c 905 1756.6 902.2 1764.2 896.6 1771 c 891.8 1777 886 1781 873.6 1787.4 c h 903 1793.8 m f* Q q 0.8156 g 1 i 1004.75 853.75 650 1600 re f* 25 w 1 J 
1004.75 853.75 650 1600 re S 0 g q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 168.33 106.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 18 Tf 0 1 -1 0 168.33 112.41 Tm (V)Tj 12.96 0 Td (M)Tj 17.04 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td (N)Tj 12.96 0 Td (E)Tj 12 0 Td (T)Tj 12 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td (F)Tj 11.04 0 Td (S)Tj /N6 18 Tf 9.96 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj 4.44 0 Td ( )Tj 4.56 0 Td ( )Tj ET Q 1 i 19 w 1 j 1004.75 1203.75 m 1654.75 1203.75 l S 1004.75 1803.75 m 1654.75 1803.75 l S q 8.3333 0 0 8.3333 0 0 cm BT /N7 24 Tf 0 1 -1 0 141.33 157.65 Tm (l)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1043 1355 m 1043 1317.2 l 1047.6 1317.2 l 1048.2 1324.2 1051.8 1327 1059.2 1327 c 1161.2 1327 l 1168.6 1327 1172.6 1323.73 1173.2 1317.2 c 1178 1317.2 l 1178 1365 l 1173 1365 l 1172.8 1358.4 1169.07 1355 1161.2 1355 c h 1178 1369.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 24 Tf 0 1 -1 0 141.33 164.25 Tm (i)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1086 1411 m 1086 1372.2 l 1090.6 1372.2 l 1092.4 1381 1094.2 1383 1102.4 1383 c 1161.2 1383 l 1169.4 1383 1171 1381.57 1173.2 1372.2 c 1178 1372.2 l 1178 1420 l 1173.2 1420 l 1172.2 1413 1169.4 1411 1161.8 1411 c h 1040 1396.8 m 1040 1387.8 1046.71 1381 1055.4 1381 c 1064.2 1381 1071 1387.6 1071 1396.4 c 1071 1405.2 1064.31 1412 1055.4 1412 c 1046.8 1412 1040 1405.2 1040 1396.8 c h 1178 1424.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 24 Tf 0 1 -1 0 141.33 170.85 Tm (b)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1043 1466 m 1043 1427.4 l 1047.6 1427.4 l 1049.4 1436.6 1051.2 1438 1059.2 1438 c 1180.6 1438 l 1180.6 1440.8 l 1169.4 1456.6 l 1177.8 1465.8 1180.8 1473 1180.8 1483 c 1180.8 1509.8 1160.2 1528 1130.2 1528 c 1102.4 1528 1083.6 1512.68 1083.6 1490.6 c 1083.6 1480.72 1086.74 1473.66 1094.6 1466 c h 
1106 1466 m 1097.4 1469.65 1094.6 1473.51 1094.6 1480.2 c 1094.6 1492.6 1107.67 1499 1133.8 1499 c 1161.6 1499 1173.8 1492.94 1173.8 1480 c 1173.8 1471.6 1167.83 1466 1158.6 1466 c h 1178 1535.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 24 Tf 0 1 -1 0 141.33 184.29 Tm (O)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1040 1614.6 m 1040 1572.6 1069.32 1543 1111 1543 c 1152.4 1543 1181.8 1572.4 1181.8 1613.8 c 1181.8 1655.2 1152.4 1684 1110.8 1684 c 1070 1684 1040 1654.46 1040 1614.6 c h 1047 1613.2 m 1047 1636.6 1069.99 1649 1112.8 1649 c 1153.4 1649 1174.8 1636.67 1174.8 1613.8 c 1174.8 1590.6 1153.14 1578 1112.4 1578 c 1070.4 1578 1047 1590.95 1047 1613.2 c h 1178 1691.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 24 Tf 0 1 -1 0 141.33 202.89 Tm (S)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1083 1788.2 m 1039.8 1788.2 l 1039.8 1781.8 l 1045.04 1780.4 1046.4 1779 1046.4 1775.4 c 1046.4 1773.6 1045.8 1771.2 1044.4 1767 c 1041 1757.8 1040 1751.4 1040 1743.6 c 1040 1716.4 1055.32 1700 1080.6 1700 c 1085.6 1700 1089.8 1700.73 1093.8 1702 c 1104.4 1706.2 1113.8 1717 1122 1734 c 1128.4 1747.4 l 1136.8 1765 1142 1770 1152.6 1770 c 1166.4 1770 1174.8 1760.12 1174.8 1744.6 c 1174.8 1733 1170.13 1723.4 1160.8 1715.8 c 1153.4 1710 1146.6 1707.2 1132.4 1703.8 c 1132.4 1698 l 1181.8 1698 l 1181.8 1703.8 l 1176.6 1705 1175 1706.6 1175 1709.8 c 1175 1711.4 1175.6 1713.6 1177 1718 c 1180.4 1727.8 1181.8 1735.2 1181.8 1744 c 1181.8 1773.6 1164.8 1794 1139.6 1794 c 1124.6 1794 1109.6 1784.84 1103.2 1771.6 c 1088.6 1742.2 l 1080.6 1726 1075.8 1722 1066 1722 c 1053.6 1722 1047 1730.25 1047 1743.6 c 1047 1752.6 1050.46 1761 1057.2 1768.2 c 1064.2 1775 1070 1778.2 1083 1782.2 c h 1178 1802.2 m f* Q q 0.698 g 1 i 604.75 3103.75 1050 2700 re f* 6 w 1 J 604.75 3103.75 1050 2700 re S [100 75 50 75 ]0 d 25 w 0 J 1 j 1054.75 3103.75 m 1054.75 5803.75 l S 0 g q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 415.65 Tm (S)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 742.8 3553.4 m 742.8 3549.2 l 747.2 3548.4 
750 3546.2 750 3542.8 c 750 3540.8 749.066 3537.6 747.2 3534 c 744.4 3526.6 743.199 3519.4 743.199 3512.4 c 743.199 3504.6 746.247 3496.2 751.199 3489.8 c 757.599 3482 766.199 3478 777.199 3478 c 793 3478 804.199 3486.86 816 3509.4 c 823.8 3523.8 831.8 3534.2 839.4 3539.2 c 842.2 3541 846.2 3542 851.2 3542 c 864.4 3542 872.8 3532 872.8 3517.4 c 872.8 3499.4 862.048 3487 838.2 3477 c 838.2 3472.4 l 880.6 3478.4 l 880.6 3482.4 l 876.8 3482.61 874 3485.19 874 3488.4 c 874 3490.6 874.8 3494 876.199 3497.8 c 879.199 3505.4 880.8 3513.4 880.8 3521.4 c 880.8 3544.6 865 3563 844.399 3563 c 827.799 3563 814.999 3551.76 800.599 3524.8 c 789.199 3503.8 780.399 3495 769.399 3495 c 758.399 3495 751.199 3503.56 751.199 3516.2 c 751.199 3525.2 754.93 3533.6 762 3540.6 c 768.399 3546.8 773.599 3549.6 785.399 3552.8 c 785.399 3557.8 l h 878 3575.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 428.97 Tm (p)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 799.4 3576.8 m 799.2 3578.6 799.2 3580 799.2 3581.8 c 799.2 3588.6 801.2 3590 810.6 3590 c 904.2 3590 l 914.6 3590 916.8 3587.8 918 3576 c 921 3576 l 921 3624.4 l 917.8 3624.4 l 917.6 3609.4 915.4 3607 902.8 3607 c 871.4 3607 l 878 3614.13 880 3618.68 880 3627 c 880 3650.8 857.6 3669 828.6 3669 c 803.8 3669 786 3655 786 3635.6 c 786 3624.48 790.8 3615.74 801.8 3607 c 786.4 3607 l 786 3605.6 l 790.2 3595 792.8 3587.8 796.2 3576.8 c h 811.2 3607 m 805.2 3607 798 3618.09 798 3627.2 c 798 3642 813.2 3652 836.6 3652 c 858.6 3652 874 3642.12 874 3627.6 c 874 3618.2 866.582 3607 860.4 3607 c h 878 3675 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 440.97 Tm (e)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 845.2 3756.6 m 860.4 3747 866 3738.4 866 3725.6 c 866 3714.6 860.865 3706.2 850.2 3700.4 c 842.23 3696.4 835.078 3694.8 822 3694.4 c 822 3756 l 809.309 3754.4 803.647 3752.4 797.4 3747.4 c 790.2 3741.4 786 3732.2 786 3721.8 c 786 3697 806 3680 835.2 3680 c 862.8 3680 880 3694.4 880 3717.4 c 880 3736.6 868.2 3751.4 846.6 
3759.8 c h 816 3694.8 m 800.342 3697 794 3703.8 794 3716 c 794 3728.2 799.356 3733 816 3735.6 c h 878 3763.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 451.65 Tm (c)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 846.8 3843.6 m 860.8 3834 866 3826.8 866 3815.4 c 866 3797 849.836 3784 826.6 3784 c 805.8 3784 792 3795.16 792 3811.6 c 792 3818.8 794.154 3821.4 801.4 3823.4 c 805.8 3824.6 l 811.6 3826.2 815 3829.8 815 3834.2 c 815 3839.4 811.2 3843.6 806.6 3843.6 c 795.4 3843.6 786 3829.6 786 3812.8 c 786 3803.4 789.6 3793.8 796.2 3785.8 c 805.2 3775 819 3769 835.6 3769 c 861.4 3769 880 3784.8 880 3807 c 880 3815.6 877.2 3823.2 871.6 3830 c 866.8 3836 861 3840 848.6 3846.4 c h 878 3852.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 462.33 Tm (i)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 786 3888 m 797 3857 l 800 3857 l 799.8 3858.6 l 799.4 3861 799.2 3863.6 799.2 3865.4 c 799.2 3870.2 802.4 3872 811.2 3872 c 857.6 3872 l 872 3872 874.2 3870 875 3856.2 c 878 3856.2 l 878 3903.6 l 875 3903.6 l 874 3890.4 872 3889 857.6 3889 c 786.6 3889 l h 741.8 3878.8 m 741.8 3873.2 746.22 3868 751.6 3868 c 757.4 3868 761.8 3872.66 761.8 3878.6 c 761.8 3884.6 757.4 3889 751.6 3889 c 746 3889 741.8 3884.4 741.8 3878.8 c h 878 3908.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 468.93 Tm (a)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 864.8 3996.4 m 867.6 3993 869 3990.6 869 3987.6 c 869 3983 866.103 3982 857 3982 c 818 3982 l 807.8 3982 802.2 3980.89 797.6 3977.8 c 790 3973.6 786 3965 786 3952.8 c 786 3942.6 788.8 3933 793.4 3927.4 c 797.6 3922.4 803.4 3919 808.4 3919 c 813 3919 817 3922.89 817 3927.8 c 817 3932.6 813 3936.8 808.6 3936.8 c 807.8 3936.8 806.8 3936.6 805.4 3936.4 c 803.6 3936 802 3936 800.6 3936 c 795.2 3936 791 3942.31 791 3950.2 c 791 3960 796.73 3966 807.4 3966 c 819.6 3966 l 832 3934.77 833.6 3931.32 841.2 3922.6 c 845.2 3918.2 852 3915.4 858.601 3915.4 c 871.201 3915.4 880.001 3924 880.001 3936.4 c 880.001 3945.2 875.801 3953.4 
865.401 3965.6 c 876.001 3966.6 880.001 3970.2 880.001 3978.4 c 880.001 3985.2 877.601 3989.4 870.001 3996.4 c h 853.401 3966 m 859.601 3966 861.401 3964.88 864.001 3960.2 c 866.801 3955.4 868.001 3949.8 868.001 3945.6 c 868.001 3938.6 861.378 3933.2 853.001 3933.2 c 852.201 3933.2 l 840.401 3933.2 833.201 3941.5 824.401 3966 c h 878 3996.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 479.49 Tm (l)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 753.4 3999.8 m 753.4 4001 l 753.2 4003.2 753 4005.6 753 4007.2 c 753 4013.6 755.8 4016 765.2 4016 c 860.6 4016 l 871.4 4016 874 4013.13 875 4000.2 c 878 4000.2 l 878 4047.4 l 875 4047.4 l 874.2 4034.6 872.2 4033 861.2 4033 c 741.8 4033 l 741.4 4031.6 l 744.8 4021.2 746.8 4013.6 750.2 3999.8 c h 878 4051.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 486.21 Tm (i)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 786 4087 m 797 4056 l 800 4056 l 799.8 4057.6 l 799.4 4060 799.2 4062.6 799.2 4064.4 c 799.2 4069.2 802.4 4071 811.2 4071 c 857.6 4071 l 872 4071 874.2 4069 875 4055.2 c 878 4055.2 l 878 4102.6 l 875 4102.6 l 874 4089.4 872 4088 857.6 4088 c 786.6 4088 l h 741.8 4077.8 m 741.8 4072.2 746.22 4067 751.6 4067 c 757.4 4067 761.8 4071.66 761.8 4077.6 c 761.8 4083.6 757.4 4088 751.6 4088 c 746 4088 741.8 4083.4 741.8 4077.8 c h 878 4107.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 492.81 Tm (z)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 851 4190.6 m 850.2 4187 l 860.2 4185 863.4 4183.8 866.8 4181.2 c 870.2 4178.4 872 4171.6 872 4161.4 c 872 4133.8 l 791 4187.6 l 788 4187.6 l 788 4118.2 l 811.6 4117.6 l 811.6 4121.2 l 797 4123 794 4126 794 4138 c 794 4165.6 l 875 4112.4 l 878 4112.4 l 878 4187.8 l h 878 4195.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 503.37 Tm (e)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 845.2 4276.6 m 860.4 4267 866 4258.4 866 4245.6 c 866 4234.6 860.865 4226.2 850.2 4220.4 c 842.23 4216.4 835.078 4214.8 822 4214.4 c 822 4276 l 809.309 4274.4 803.647 
4272.4 797.4 4267.4 c 790.2 4261.4 786 4252.2 786 4241.8 c 786 4217 806 4200 835.2 4200 c 862.8 4200 880 4214.4 880 4237.4 c 880 4256.6 868.2 4271.4 846.6 4279.8 c h 816 4214.8 m 800.342 4217 794 4223.8 794 4236 c 794 4248.2 799.356 4253 816 4255.6 c h 878 4283.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 514.05 Tm (d)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 880 4352.8 m 869.6 4382.2 l 867 4382.2 l 866.6 4378.8 867.2 4378.6 867.2 4377.6 c 867.2 4370.4 864.884 4369 855.2 4369 c 741.8 4369 l 741.4 4367.8 l 744.8 4358.2 746.8 4351.2 750.2 4338.4 c 753.4 4338.4 l 753.2 4340 753.2 4341.2 753.2 4342.8 c 753.2 4350.2 755.2 4352 763.4 4352 c 794.6 4352 l 788.2 4344.4 786 4339 786 4331 c 786 4308 808.6 4290 837 4290 c 862.6 4290 880 4304.56 880 4326.4 c 880 4337.6 876 4345.2 866.6 4352 c 879.4 4352 l h 857.6 4352 m 859 4352 861.2 4350.8 863.2 4349 c 867.4 4345.4 870 4340.4 870 4334.2 c 870 4317.4 853.842 4307 829 4307 c 806.4 4307 792 4316.64 792 4331.6 c 792 4342.4 801.211 4352 811.6 4352 c h 878 4384 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 526.05 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 532.05 Tm (W)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 746 4620.4 m 746 4580.8 l 749.4 4580.8 l 750.4 4591 752.6 4594.6 758 4594.6 c 762.2 4594.6 767.4 4593.4 773 4591.4 c 840.8 4566.4 l 772.6 4540 l 766.6 4537.6 l 762.2 4535.6 758.6 4534.6 756.4 4534.6 c 751.8 4534.6 750 4539.4 749.8 4550 c 746 4550 l 746 4496.6 l 749.8 4496.6 l 749.995 4508 751.756 4510 767.4 4516.8 c 783.8 4523.4 l 840.2 4502 l 765 4473.2 l 761.2 4471.8 758 4471 755.6 4471 c 751.4 4471 750 4474 749.4 4484 c 746 4484 l 746 4435 l 749.4 4435 l 750.4 4445.2 753.8 4448.2 772.8 4455.6 c 880.2 4494.2 l 880.2 4497.2 l 795.6 4528 l 880.2 4560 l 880.2 4563 l 828 4580 822.4 4582 763.6 4603.8 c 753.2 4607.6 751.4 4609.8 749.4 4620.4 c h 878 4622.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 554.61 Tm (W)Tj ET Q Q q 
110.75 108.75 m W n 0.2 i 746 4808.4 m 746 4768.8 l 749.4 4768.8 l 750.4 4779 752.6 4782.6 758 4782.6 c 762.2 4782.6 767.4 4781.4 773 4779.4 c 840.8 4754.4 l 772.6 4728 l 766.6 4725.6 l 762.2 4723.6 758.6 4722.6 756.4 4722.6 c 751.8 4722.6 750 4727.4 749.8 4738 c 746 4738 l 746 4684.6 l 749.8 4684.6 l 749.995 4696 751.756 4698 767.4 4704.8 c 783.8 4711.4 l 840.2 4690 l 765 4661.2 l 761.2 4659.8 758 4659 755.6 4659 c 751.4 4659 750 4662 749.4 4672 c 746 4672 l 746 4623 l 749.4 4623 l 750.4 4633.2 753.8 4636.2 772.8 4643.6 c 880.2 4682.2 l 880.2 4685.2 l 795.6 4716 l 880.2 4748 l 880.2 4751 l 828 4768 822.4 4770 763.6 4791.8 c 753.2 4795.6 751.4 4797.8 749.4 4808.4 c h 878 4810.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 577.29 Tm (W)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 746 4997.4 m 746 4957.8 l 749.4 4957.8 l 750.4 4968 752.6 4971.6 758 4971.6 c 762.2 4971.6 767.4 4970.4 773 4968.4 c 840.8 4943.4 l 772.6 4917 l 766.6 4914.6 l 762.2 4912.6 758.6 4911.6 756.4 4911.6 c 751.8 4911.6 750 4916.4 749.8 4927 c 746 4927 l 746 4873.6 l 749.8 4873.6 l 749.995 4885 751.756 4887 767.4 4893.8 c 783.8 4900.4 l 840.2 4879 l 765 4850.2 l 761.2 4848.8 758 4848 755.6 4848 c 751.4 4848 750 4851 749.4 4861 c 746 4861 l 746 4812 l 749.4 4812 l 750.4 4822.2 753.8 4825.2 772.8 4832.6 c 880.2 4871.2 l 880.2 4874.2 l 795.6 4905 l 880.2 4937 l 880.2 4940 l 828 4957 822.4 4959 763.6 4980.8 c 753.2 4984.6 751.4 4986.8 749.4 4997.4 c h 878 4999.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 599.85 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 605.85 Tm (s)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 815.2 5112.4 m 788 5111.6 l 788 5109 l 788.4 5108.6 l 789.8 5106.8 790 5106.6 790 5105.8 c 790 5104.6 789.6 5102.6 788.6 5100.4 c 787 5096.2 786.199 5091.6 786.199 5086.8 c 786.199 5070.4 796.199 5059 810.8 5059 c 822 5059 829.8 5065.45 839.6 5082.6 c 846.2 5094.2 l 850.2 5101.2 855 5105 861.2 5105 c 870 5105 876 
5098.45 876 5088 c 876 5074.2 868.291 5067.2 847.6 5062.6 c 847.6 5059.2 l 878.8 5059.2 l 878.8 5062 l 876.8 5063.4 876.4 5064.2 876.4 5066.6 c 876.4 5068.8 876.8 5071 878 5075.8 c 879.2 5081.4 880 5086.4 880 5090.6 c 880 5105.8 868.4 5119 854.4 5119 c 844.4 5119 837.8 5114.29 830.6 5101.8 c 817.8 5080.2 l 814.6 5074.6 809.6 5071 804.2 5071 c 796 5071 790.2 5077.44 790.2 5087 c 790.2 5098.4 796.907 5104.4 815.2 5109 c h 878 5126.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 615.33 Tm (e)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 845.2 5209.6 m 860.4 5200 866 5191.4 866 5178.6 c 866 5167.6 860.865 5159.2 850.2 5153.4 c 842.23 5149.4 835.078 5147.8 822 5147.4 c 822 5209 l 809.309 5207.4 803.647 5205.4 797.4 5200.4 c 790.2 5194.4 786 5185.2 786 5174.8 c 786 5150 806 5133 835.2 5133 c 862.8 5133 880 5147.4 880 5170.4 c 880 5189.6 868.2 5204.4 846.6 5212.8 c h 816 5147.8 m 800.342 5150 794 5156.8 794 5169 c 794 5181.2 799.356 5186 816 5188.6 c h 878 5216.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 625.89 Tm (r)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 800 5217.4 m 799.4 5220.2 799.2 5222 799.2 5224.4 c 799.2 5229.4 802.4 5231 811.2 5231 c 861.2 5231 l 871.2 5231 872.6 5229.62 875 5217 c 878 5217 l 878 5265 l 875 5265 l 874.4 5251.4 871.4 5248 860 5248 c 815 5248 l 808.6 5248 798.6 5256.4 798.6 5262 c 798.6 5263.2 799.6 5265 801.6 5267.2 c 804.6 5270.4 805.6 5272.6 805.6 5275.2 c 805.6 5280 802.2 5283 796.6 5283 c 790 5283 786 5278.8 786 5272 c 786 5263.6 790.399 5258 804.8 5248 c 786.4 5248 l 786 5247 l 790.2 5236.4 793 5229.2 796.8 5217.4 c h 878 5282.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 633.93 Tm (v)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 788 5378.4 m 788 5350.6 l 791 5350.6 l 791.6 5357 793.6 5360 797.4 5360 c 799.4 5360 801.4 5359.6 803.4 5358.8 c 855.2 5339 l 804 5318.6 l 801 5317.4 798.4 5316.8 796.4 5316.8 c 793 5316.8 791.6 5319.2 791 5326 c 788 5326 l 788 5286.8 l 791 5286.8 l 791.4 5294.4 793.4 
5295.8 814 5305 c 871.4 5329 l 873.2 5329.6 874.6 5330 875.6 5330.6 c 879.2 5331.8 880.8 5333 880.8 5334.2 c 880.8 5335.4 878.2 5336.8 870.8 5339.8 c 806.6 5365.4 l 793 5371.2 791.6 5372.4 791 5378.4 c h 878 5383 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 645.93 Tm (e)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 845.2 5464.6 m 860.4 5455 866 5446.4 866 5433.6 c 866 5422.6 860.865 5414.2 850.2 5408.4 c 842.23 5404.4 835.078 5402.8 822 5402.4 c 822 5464 l 809.309 5462.4 803.647 5460.4 797.4 5455.4 c 790.2 5449.4 786 5440.2 786 5429.8 c 786 5405 806 5388 835.2 5388 c 862.8 5388 880 5402.4 880 5425.4 c 880 5444.6 868.2 5459.4 846.6 5467.8 c h 816 5402.8 m 800.342 5405 794 5411.8 794 5424 c 794 5436.2 799.356 5441 816 5443.6 c h 878 5471.8 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 105.33 656.49 Tm (r)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 800 5472.4 m 799.4 5475.2 799.2 5477 799.2 5479.4 c 799.2 5484.4 802.4 5486 811.2 5486 c 861.2 5486 l 871.2 5486 872.6 5484.62 875 5472 c 878 5472 l 878 5520 l 875 5520 l 874.4 5506.4 871.4 5503 860 5503 c 815 5503 l 808.6 5503 798.6 5511.4 798.6 5517 c 798.6 5518.2 799.6 5520 801.6 5522.2 c 804.6 5525.4 805.6 5527.6 805.6 5530.2 c 805.6 5535 802.2 5538 796.6 5538 c 790 5538 786 5533.8 786 5527 c 786 5518.6 790.399 5513 804.8 5503 c 786.4 5503 l 786 5502 l 790.2 5491.4 793 5484.2 796.8 5472.4 c h 878 5537.6 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 391.65 Tm (F)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1381.8 3359.8 m 1335.4 3359.8 l 1335.4 3355.2 l 1351.4 3352.8 1355 3349.2 1355 3333.2 c 1355 3305 l 1310 3305 l 1304.4 3305 1304 3305.87 1304 3310.6 c 1304 3337.8 l 1304 3360.4 1306.89 3364.8 1324.2 3368.2 c 1324.2 3373.2 l 1296 3372.6 l 1296 3266.4 l 1299.4 3266.4 l 1300.6 3281.2 1303.2 3284 1317.4 3284 c 1404 3284 l 1420.6 3284 1423.2 3281.77 1424.2 3266.4 c 1428 3266.4 l 1428 3322.4 l 1424 3322.4 l 1423.21 3307 1420.44 3305 1406.2 3305 c 1363 3305 l 1363 3333.2 l 1363 3349.4 1365.94 
3352.8 1381.8 3355.2 c h 1428 3375.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 404.97 Tm (S)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1292.8 3464.4 m 1292.8 3460.2 l 1297.2 3459.4 1300 3457.2 1300 3453.8 c 1300 3451.8 1299.07 3448.6 1297.2 3445 c 1294.4 3437.6 1293.2 3430.4 1293.2 3423.4 c 1293.2 3415.6 1296.25 3407.2 1301.2 3400.8 c 1307.6 3393 1316.2 3389 1327.2 3389 c 1343 3389 1354.2 3397.86 1366 3420.4 c 1373.8 3434.8 1381.8 3445.2 1389.4 3450.2 c 1392.2 3452 1396.2 3453 1401.2 3453 c 1414.4 3453 1422.8 3443 1422.8 3428.4 c 1422.8 3410.4 1412.05 3398 1388.2 3388 c 1388.2 3383.4 l 1430.6 3389.4 l 1430.6 3393.4 l 1426.8 3393.61 1424 3396.19 1424 3399.4 c 1424 3401.6 1424.8 3405 1426.2 3408.8 c 1429.2 3416.4 1430.8 3424.4 1430.8 3432.4 c 1430.8 3455.6 1415 3474 1394.4 3474 c 1377.8 3474 1365 3462.76 1350.6 3435.8 c 1339.2 3414.8 1330.4 3406 1319.4 3406 c 1308.4 3406 1301.2 3414.56 1301.2 3427.2 c 1301.2 3436.2 1304.93 3444.6 1312 3451.6 c 1318.4 3457.8 1323.6 3460.6 1335.4 3463.8 c 1335.4 3468.8 l h 1428 3486.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 418.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 424.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 430.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 436.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 442.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 448.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 454.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 460.41 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 466.41 Tm (N)Tj ET Q Q q 110.75 108.75 m W n 
0.2 i 1430.2 4010 m 1325 4010 l 1313 4010 1305.6 4011.79 1303 4015.2 c 1301 4018 1300.2 4020.8 1299.4 4028.4 c 1296 4028.4 l 1296 3981.4 l 1299.4 3981.4 l 1300 3989 1300.8 3991.8 1302.6 3994.8 c 1305.4 3998.8 1312.6 4001 1325 4001 c 1392.4 4001 l 1296 3923.6 l 1296 3889.4 l 1300 3889.4 l 1300 3898.09 1301.51 3900.92 1310.4 3909 c 1398.6 3909 l 1419.2 3909 1423 3906.17 1424.2 3889.4 c 1428 3889.4 l 1428 3936.4 l 1424 3936.4 l 1423.21 3921 1418.64 3918 1398.6 3918 c 1320.2 3918 l 1430.2 4006 l h 1428 4031.4 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 483.81 Tm (E)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1394.2 4151.4 m 1394.2 4145.8 l 1415.8 4135.8 1420 4127.2 1420 4098.6 c 1420 4093.2 l 1420 4083.6 1419.42 4075.6 1418.4 4073.8 c 1417.6 4072.6 1415.8 4073 1412 4073 c 1363 4073 l 1363 4103 l 1363 4119.4 1365.55 4122.4 1381.8 4125 c 1381.8 4129.6 l 1335.4 4129.6 l 1335.4 4125 l 1351.8 4122.4 1355 4119.2 1355 4103 c 1355 4073 l 1310 4073 l 1304.4 4073 1304 4074.05 1304 4078.8 c 1304 4105.8 l 1304 4128.4 1306.89 4132.8 1324.2 4136.2 c 1324.2 4141.2 l 1296 4140.6 l 1296 4034.4 l 1299.4 4034.4 l 1300.6 4049.2 1303.2 4052 1317.4 4052 c 1406.2 4052 l 1420.4 4052 1423.2 4049.17 1424.2 4034.4 c 1428 4034.4 l 1428 4142.4 l h 1428 4154.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 498.45 Tm (T)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1304 4205 m 1404 4205 l 1421 4205 1423.2 4202.78 1424.2 4186 c 1428 4186 l 1428 4244.4 l 1424 4244.4 l 1423.21 4228 1420.64 4226 1406.2 4226 c 1304 4226 l 1304 4236 l 1304 4258.8 1307.6 4263.2 1329.6 4267.8 c 1329.6 4272.6 l 1296 4271.4 l 1296 4158.6 l 1329.6 4157.4 l 1329.6 4162.2 l 1307.6 4167 1304 4171.6 1304 4194 c h 1428 4276.2 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 512.97 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 518.97 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N6 24 Tf 0 1 -1 0 171.33 524.97 Tm ( 
)Tj ET Q Q q 110.75 108.75 m W n Q q 0.6156 g 1 i 1054.75 4453.75 600 1350 re f* 25 w 1 J 1054.75 4453.75 600 1350 re S 0 g q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 561.93 Tm (l)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1300 4717 m 1300 4685.67 l 1304.12 4685.67 l 1304.62 4691.52 1307.63 4694 1313.8 4694 c 1398.97 4694 l 1405.15 4694 1408.49 4691.22 1408.99 4685.67 c 1413 4685.67 l 1413 4725.58 l 1409 4725.58 l 1408.83 4720.07 1405.66 4717 1398.97 4717 c h 1413 4729.42 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 567.45 Tm (i)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1336 4764 m 1336 4731.67 l 1340.02 4731.67 l 1341.53 4739.02 1343.03 4741 1349.88 4741 c 1398.97 4741 l 1405.82 4741 1407.16 4739.77 1408.99 4731.67 c 1413 4731.67 l 1413 4771.58 l 1408.99 4771.58 l 1408.16 4765.74 1405.82 4764 1399.47 4764 c h 1297.49 4752.21 m 1297.49 4744.7 1303.22 4739 1310.63 4739 c 1317.98 4739 1323.5 4744.52 1323.5 4751.88 c 1323.5 4759.23 1317.98 4765 1310.63 4765 c 1303.45 4765 1297.49 4759.28 1297.49 4752.21 c h 1413 4775.42 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 572.97 Tm (b)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1300 4810 m 1300 4777.84 l 1304.12 4777.84 l 1305.62 4785.52 1307.12 4787 1313.8 4787 c 1415.17 4787 l 1415.17 4789.03 l 1405.82 4802.22 l 1412.83 4809.9 1415.34 4815.91 1415.34 4824.26 c 1415.34 4846.64 1398.14 4862 1373.09 4862 c 1349.88 4862 1334 4849.14 1334 4830.61 c 1334 4822.33 1336.67 4816.42 1343.36 4810 c h 1352.88 4810 m 1345.7 4813.07 1343 4816.3 1343 4821.93 c 1343 4832.28 1354.03 4837 1376.09 4837 c 1399.31 4837 1409.34 4832.14 1409.34 4821.76 c 1409.34 4814.74 1404.42 4810 1396.8 4810 c h 1413 4867.85 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 584.01 Tm (O)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1297.49 4932.63 m 1297.49 4897.56 1322.09 4873 1357.06 4873 c 1391.62 4873 1416.17 4897.48 1416.17 4931.96 c 1416.17 4966.53 1391.62 4991 1356.89 4991 c 1322.82 4991 
1297.49 4966.15 1297.49 4932.63 c h 1303.49 4931.46 m 1303.49 4951 1322.73 4961 1358.56 4961 c 1392.46 4961 1410.17 4950.83 1410.17 4931.96 c 1410.17 4912.59 1392.14 4903 1358.23 4903 c 1323.16 4903 1303.49 4913.47 1303.49 4931.46 c h 1413 4996.92 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 599.61 Tm (S)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1333.68 5078.16 m 1297.33 5078.16 l 1297.33 5072.82 l 1301.92 5071.65 1303.12 5070.48 1303.12 5067.47 c 1303.12 5065.97 1302.62 5063.97 1301.45 5060.46 c 1298.61 5052.78 1297.5 5047.43 1297.5 5040.92 c 1297.5 5018.21 1310.4 5004 1331.67 5004 c 1335.85 5004 1339.35 5004.79 1342.69 5006.19 c 1351.55 5009.69 1359.39 5018.71 1366.24 5032.9 c 1371.59 5044.09 l 1378.6 5058.79 1382.94 5063 1391.79 5063 c 1403.31 5063 1410.17 5054.74 1410.17 5041.76 c 1410.17 5032.07 1406.33 5024.05 1398.64 5017.71 c 1392.46 5012.86 1386.78 5010.53 1374.93 5007.69 c 1374.93 5002.85 l 1416.17 5002.85 l 1416.17 5007.69 l 1411.83 5008.69 1410.5 5010.03 1410.5 5012.7 c 1410.5 5014.03 1411 5015.87 1412.17 5019.54 c 1415 5027.73 1416.17 5033.91 1416.17 5041.25 c 1416.17 5065.97 1401.98 5083 1380.94 5083 c 1368.41 5083 1355.89 5075.35 1350.54 5064.3 c 1338.35 5039.75 l 1331.67 5026.22 1327.67 5022 1319.48 5022 c 1309.13 5022 1303.5 5029.22 1303.5 5040.92 c 1303.5 5048.44 1306.43 5055.45 1312.13 5061.46 c 1317.98 5067.14 1322.82 5069.81 1333.68 5073.15 c h 1413 5089.85 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 610.65 Tm ( )Tj ET Q Q q 110.75 108.75 m W n Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 615.69 Tm (s)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1358.56 5187.49 m 1334.33 5187.49 l 1334.33 5184.1 l 1336.85 5183.1 1337.67 5182.1 1337.67 5179.93 c 1337.67 5178.93 1337.34 5177.43 1336.52 5174.75 c 1334.68 5169.41 1334 5165.57 1334 5161.73 c 1334 5146.53 1344.36 5135 1358.39 5135 c 1369.41 5135 1377.1 5141.99 1384.28 5159.22 c 1389.29 5170.75 1393.46 5175 1398.81 5175 c 1405.32 5175 1409.34 
5170.09 1409.34 5162.73 c 1409.34 5151.04 1401.93 5143.36 1387.62 5139.85 c 1387.62 5135.18 l 1415.17 5135.18 l 1415.17 5139.35 l 1411.66 5141.19 1410.5 5142.19 1410.5 5143.69 c 1410.5 5144.53 1410.83 5145.86 1411.5 5147.53 c 1413.5 5152.38 1415.34 5160.89 1415.34 5165.57 c 1415.34 5180.77 1404.98 5191 1389.95 5191 c 1378.1 5191 1370.75 5184.73 1363.9 5168.24 c 1359.06 5156.88 1354.89 5152 1349.21 5152 c 1343.7 5152 1340 5156.76 1340 5163.23 c 1340 5167.74 1341.67 5172.08 1344.87 5175.75 c 1348.21 5179.26 1351.38 5181.1 1358.56 5183.6 c h 1413 5195.96 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 623.49 Tm (u)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1415.17 5253.17 m 1412.67 5260.38 1412 5264.41 1410.83 5275.32 c 1409.66 5285.68 l 1406 5285.68 l 1405.66 5278.33 1403.45 5276 1396.13 5276 c 1336 5276 l 1336 5242.76 l 1340.02 5242.76 l 1340.69 5251.11 1342.69 5253 1349.88 5253 c 1397.14 5253 l 1402.65 5247.53 1404.34 5244.22 1404.34 5239.42 c 1404.34 5232.57 1401.04 5230 1392.63 5230 c 1336 5230 l 1336 5198.67 l 1340.02 5198.67 l 1341.36 5205.52 1342.86 5207 1349.88 5207 c 1391.96 5207 l 1406.65 5207 1415.34 5215.3 1415.34 5229.07 c 1415.34 5237.71 1412.67 5243.53 1404.32 5253.17 c h 1413 5288.85 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 634.53 Tm (b)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1300 5323 m 1300 5290.84 l 1304.12 5290.84 l 1305.62 5298.52 1307.12 5300 1313.8 5300 c 1415.17 5300 l 1415.17 5302.03 l 1405.82 5315.22 l 1412.83 5322.9 1415.34 5328.91 1415.34 5337.26 c 1415.34 5359.64 1398.14 5375 1373.09 5375 c 1349.88 5375 1334 5362.14 1334 5343.61 c 1334 5335.33 1336.67 5329.42 1343.36 5323 c h 1352.88 5323 m 1345.7 5326.07 1343 5329.3 1343 5334.93 c 1343 5345.28 1354.03 5350 1376.09 5350 c 1399.31 5350 1409.34 5345.14 1409.34 5334.76 c 1409.34 5327.74 1404.42 5323 1396.8 5323 c h 1413 5380.85 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 645.69 Tm (s)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 
1358.56 5437.49 m 1334.33 5437.49 l 1334.33 5434.1 l 1336.85 5433.1 1337.67 5432.1 1337.67 5429.93 c 1337.67 5428.93 1337.34 5427.43 1336.52 5424.75 c 1334.68 5419.41 1334 5415.57 1334 5411.73 c 1334 5396.53 1344.36 5385 1358.39 5385 c 1369.41 5385 1377.1 5391.99 1384.28 5409.22 c 1389.29 5420.75 1393.46 5425 1398.81 5425 c 1405.32 5425 1409.34 5420.09 1409.34 5412.73 c 1409.34 5401.04 1401.93 5393.36 1387.62 5389.85 c 1387.62 5385.18 l 1415.17 5385.18 l 1415.17 5389.35 l 1411.66 5391.19 1410.5 5392.19 1410.5 5393.69 c 1410.5 5394.53 1410.83 5395.86 1411.5 5397.53 c 1413.5 5402.38 1415.34 5410.89 1415.34 5415.57 c 1415.34 5430.77 1404.98 5441 1389.95 5441 c 1378.1 5441 1370.75 5434.73 1363.9 5418.24 c 1359.06 5406.88 1354.89 5402 1349.21 5402 c 1343.7 5402 1340 5406.76 1340 5413.23 c 1340 5417.74 1341.67 5422.08 1344.87 5425.75 c 1348.21 5429.26 1351.38 5431.1 1358.56 5433.6 c h 1413 5445.96 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 653.49 Tm (e)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1392.13 5513.13 m 1400.31 5506.29 1403.34 5501.28 1403.34 5494.09 c 1403.34 5487.75 1400.49 5482.74 1394.8 5479.4 c 1389.43 5476.23 1383.73 5474.89 1372 5474.22 c 1372 5516.31 l 1358.18 5515.3 1350.52 5512.8 1344.03 5507.62 c 1337.52 5502.28 1334 5494.43 1334 5485.08 c 1334 5464.2 1350.53 5450.18 1374.92 5450.18 c 1399.31 5450.18 1415.34 5463.87 1415.34 5484.58 c 1415.34 5498.1 1410.16 5506.29 1394.46 5517.14 c h 1366 5473.39 m 1345.89 5473.89 1340 5476.89 1340 5485.08 c 1340 5489.92 1342.39 5492.93 1347.04 5494.26 c 1350.21 5495.1 1354.89 5495.43 1363.4 5495.76 c 1366 5495.76 l h 1413 5520.15 m f* Q q q 8.3333 0 0 8.3333 0 0 cm BT /N7 20.0395 Tf 0 1 -1 0 169.53 662.25 Tm (t)Tj ET Q Q q 110.75 108.75 m W n 0.2 i 1336 5569.93 m 1336 5554 l 1307.79 5554 l 1307.79 5550.06 l 1322.15 5539.87 1329.67 5533.19 1338.85 5522.34 c 1343 5522.34 l 1343 5531 l 1397.47 5531 l 1408.32 5531 1415 5538.19 1415 5549.73 c 1415 5560.92 1409.99 5567.6 1396.3 5574.44 c 1394.46 
5570.27 l 1400.81 5566.93 1403 5564.26 1403 5560.75 c 1403 5556.07 1400.21 5554 1393.63 5554 c 1343 5554 l 1343 5569.93 l h 1413 5574.61 m f* Q q [100 75 50 75 ]0 d 1 i 25 w 1 j 1054.75 3703.75 m 1654.75 3703.75 l S Q q 1914.75 303.75 m 1914.75 6303.75 l 2245.75 6303.75 l 2245.75 303.75 l h W n 0.3137 g 1 i 1954.75 303.75 250 6000 re f* 6 w 1 J 1954.75 303.75 250 6000 re S Q q 0.2 i 2161.03 4304.04 m 2161.03 4283.34 2156.14 4267.52 2146.18 4256.48 c 2136.32 4245.55 2122.26 4239.98 2103.9 4239.98 c 2086.03 4239.98 2071.77 4245.16 2061.03 4255.41 c 2050.48 4265.66 2045.11 4280.02 2045.01 4298.48 c 2045.11 4315.27 2049.6 4327.87 2058.68 4336.27 c 2067.86 4344.86 2080.85 4348.96 2097.65 4348.96 c 2110.05 4348.96 l 2110.05 4273.96 l 2115.03 4274.36 2119.23 4275.33 2122.55 4277.19 c 2125.97 4279.04 2128.61 4281.48 2130.46 4284.41 c 2132.51 4287.34 2133.98 4290.86 2134.76 4294.67 c 2135.64 4298.67 2136.03 4302.87 2136.03 4307.46 c 2136.03 4311.46 2135.73 4315.37 2134.86 4319.28 c 2133.98 4323.09 2132.9 4326.6 2131.44 4329.73 c 2130.36 4332.66 2129.09 4335.2 2127.73 4337.54 c 2126.36 4339.98 2125.09 4341.84 2124.02 4343.4 c 2124.02 4347.01 l 2152.04 4347.01 l 2153.21 4344.28 2154.29 4341.74 2155.17 4339.39 c 2156.14 4337.05 2157.02 4333.93 2157.9 4329.82 c 2158.98 4326.11 2159.66 4322.3 2160.15 4318.4 c 2160.73 4314.49 2161.03 4309.71 2161.03 4304.04 c 2161.03 4304.04 l 2088.96 4314.98 m 2081.93 4314.79 2076.46 4313.12 2072.65 4310 c 2068.94 4306.88 2067.08 4302.09 2066.98 4295.55 c 2067.08 4288.91 2069.04 4283.83 2073.04 4280.02 c 2077.04 4276.31 2082.32 4274.26 2088.96 4273.87 c h 2158 4354.04 m f* 2158 4473.69 m 2158 4433.75 l 2127.92 4413.05 l 2158 4391.86 l 2158 4352.7 l 2102.92 4393.62 l 2048.04 4353.67 l 2048.04 4393.62 l 2078.41 4414.42 l 2048.04 4434.53 l 2048.04 4473.69 l 2102.43 4433.17 l h 2158 4474 m f* 2103.02 4591.69 m 2121.09 4591.69 2135.25 4586.8 2145.6 4576.94 c 2155.95 4567.08 2161.03 4553.21 2161.03 4535.24 c 2161.03 4517.37 2155.95 4503.5 2145.6 
4493.64 c 2135.25 4483.68 2121.09 4478.7 2103.02 4478.7 c 2085.05 4478.7 2070.79 4483.68 2060.54 4493.64 c 2050.29 4503.5 2045.11 4517.37 2045.01 4535.24 c 2045.11 4553.11 2050.29 4567.08 2060.54 4576.94 c 2070.99 4586.8 2085.15 4591.69 2103.02 4591.69 c 2103.02 4591.69 l 2103.21 4556.73 m 2096.96 4556.73 2091.59 4556.24 2087.39 4555.07 c 2083.2 4553.99 2079.78 4552.53 2077.24 4550.67 c 2074.6 4548.62 2072.75 4546.37 2071.67 4543.83 c 2070.6 4541.39 2070.11 4538.46 2070.01 4535.24 c 2070.11 4532.12 2070.6 4529.38 2071.48 4526.94 c 2072.45 4524.5 2074.21 4522.25 2076.65 4520.1 c 2079.29 4518.25 2082.71 4516.69 2087 4515.51 c 2091.4 4514.34 2096.77 4513.76 2103.21 4513.76 c 2109.86 4513.76 2115.23 4514.24 2119.23 4515.42 c 2123.33 4516.49 2126.46 4517.96 2128.9 4519.62 c 2131.34 4521.47 2133.2 4523.72 2134.27 4526.45 c 2135.54 4529.19 2136.03 4532.21 2136.03 4535.44 c 2136.03 4538.27 2135.54 4541 2134.27 4543.83 c 2133.2 4546.67 2131.54 4548.91 2129.09 4550.57 c 2126.46 4552.62 2123.23 4554.19 2119.33 4555.16 c 2115.52 4556.24 2110.15 4556.73 2103.21 4556.73 c h 2158 4597.05 m f* 2158 4720.77 m 2158 4679.95 l 2110.25 4650.07 l 2117.47 4644.7 l 2158 4644.7 l 2158 4610.71 l 2006.43 4610.71 l 2006.43 4644.7 l 2092.07 4644.7 l 2048.42 4677.71 l 2048.42 4717.74 l 2095.78 4679.17 l 2158.38 4720.77 l h 2158 4719 m f* 2161.03 4788.04 m 2161.03 4767.34 2156.14 4751.52 2146.18 4740.48 c 2136.32 4729.55 2122.26 4723.98 2103.9 4723.98 c 2086.03 4723.98 2071.77 4729.16 2061.03 4739.41 c 2050.48 4749.66 2045.11 4764.02 2045.01 4782.48 c 2045.11 4799.27 2049.6 4811.87 2058.68 4820.27 c 2067.86 4828.86 2080.85 4832.96 2097.65 4832.96 c 2110.05 4832.96 l 2110.05 4757.96 l 2115.03 4758.36 2119.23 4759.33 2122.55 4761.19 c 2125.97 4763.04 2128.61 4765.48 2130.46 4768.41 c 2132.51 4771.34 2133.98 4774.86 2134.76 4778.67 c 2135.64 4782.67 2136.03 4786.87 2136.03 4791.46 c 2136.03 4795.46 2135.73 4799.37 2134.86 4803.28 c 2133.98 4807.09 2132.9 4810.6 2131.44 4813.73 c 2130.36 4816.66 
2129.09 4819.2 2127.73 4821.54 c 2126.36 4823.98 2125.09 4825.84 2124.02 4827.4 c 2124.02 4831.01 l 2152.04 4831.01 l 2153.21 4828.28 2154.29 4825.74 2155.17 4823.39 c 2156.14 4821.05 2157.02 4817.93 2157.9 4813.82 c 2158.98 4810.11 2159.66 4806.3 2160.15 4802.4 c 2160.73 4798.49 2161.03 4793.71 2161.03 4788.04 c 2161.03 4788.04 l 2088.96 4798.98 m 2081.93 4798.79 2076.46 4797.12 2072.65 4794 c 2068.94 4790.88 2067.08 4786.09 2066.98 4779.55 c 2067.08 4772.91 2069.04 4767.83 2073.04 4764.02 c 2077.04 4760.31 2082.32 4758.26 2088.96 4757.87 c h 2158 4838.04 m f* 2079.97 4925.01 m 2079.97 4922.08 l 2079.78 4920.81 2079.48 4918.86 2079.29 4916.42 c 2079.19 4913.88 2079.09 4911.14 2079 4908.02 c 2079.09 4904.41 2079.58 4900.6 2080.66 4896.59 c 2081.73 4892.59 2082.9 4888.78 2084.27 4884.97 c 2158 4884.97 l 2158 4850.99 l 2048.31 4850.99 l 2048.31 4884.97 l 2064.43 4884.97 l 2063.06 4886.63 2061.3 4888.78 2059.06 4891.61 c 2056.91 4894.35 2055.15 4896.98 2053.78 4899.23 c 2052.32 4901.77 2051.05 4904.7 2049.97 4908.02 c 2048.9 4911.34 2048.31 4914.46 2048.31 4917.39 c 2048.31 4918.57 2048.41 4919.84 2048.41 4921.3 c 2048.51 4922.67 2048.61 4923.84 2048.61 4925.01 c 2080.25 4925.01 l h 2158 4925.01 m f* 2158 5039.76 m 2158 5005.77 l 2103.21 5005.77 l 2098.72 5005.77 2094.33 5005.58 2089.84 5005.19 c 2085.54 5004.8 2082.22 5004.11 2079.97 5003.14 c 2077.53 5001.97 2075.77 5000.21 2074.7 4997.96 c 2073.62 4995.72 2073.04 4992.59 2073.04 4988.78 c 2073.04 4985.95 2073.62 4983.02 2074.6 4980.09 c 2075.77 4977.26 2077.34 4974.13 2079.58 4970.72 c 2158 4970.72 l 2158 4936.73 l 2048.31 4936.73 l 2048.31 4970.72 l 2060.42 4970.72 l 2055.74 4976.38 2052.12 4981.85 2049.39 4987.22 c 2046.75 4992.59 2045.38 4998.45 2045.29 5004.89 c 2045.38 5016.22 2048.9 5024.82 2055.93 5030.77 c 2063.06 5036.83 2073.31 5039.76 2086.69 5039.76 c 2158.27 5039.76 l h 2158 5052.03 m f* 2161.03 5121.04 m 2161.03 5100.34 2156.14 5084.52 2146.18 5073.48 c 2136.32 5062.55 2122.26 5056.98 2103.9 5056.98 c 
2086.03 5056.98 2071.77 5062.16 2061.03 5072.41 c 2050.48 5082.66 2045.11 5097.02 2045.01 5115.48 c 2045.11 5132.27 2049.6 5144.87 2058.68 5153.27 c 2067.86 5161.86 2080.85 5165.96 2097.65 5165.96 c 2110.05 5165.96 l 2110.05 5090.96 l 2115.03 5091.36 2119.23 5092.33 2122.55 5094.19 c 2125.97 5096.04 2128.61 5098.48 2130.46 5101.41 c 2132.51 5104.34 2133.98 5107.86 2134.76 5111.67 c 2135.64 5115.67 2136.03 5119.87 2136.03 5124.46 c 2136.03 5128.46 2135.73 5132.37 2134.86 5136.28 c 2133.98 5140.09 2132.9 5143.6 2131.44 5146.73 c 2130.36 5149.66 2129.09 5152.2 2127.73 5154.54 c 2126.36 5156.98 2125.09 5158.84 2124.02 5160.4 c 2124.02 5164.01 l 2152.04 5164.01 l 2153.21 5161.28 2154.29 5158.74 2155.17 5156.39 c 2156.14 5154.05 2157.02 5150.93 2157.9 5146.82 c 2158.98 5143.11 2159.66 5139.3 2160.15 5135.4 c 2160.73 5131.49 2161.03 5126.71 2161.03 5121.04 c 2161.03 5121.04 l 2088.96 5131.98 m 2081.93 5131.79 2076.46 5130.12 2072.65 5127 c 2068.94 5123.88 2067.08 5119.09 2066.98 5112.55 c 2067.08 5105.91 2069.04 5100.83 2073.04 5097.02 c 2077.04 5093.31 2082.32 5091.26 2088.96 5090.87 c h 2158 5171.04 m f* 2006.43 5183.99 151.573 33.9844 re f* 0.498 g 1 i 2404.75 403.75 900 1500 re f* 6 w 1 J 2404.75 403.75 900 1500 re S 0 g 0.2 i 3633 1158.69 m 3577.73 1158.69 l 3572.36 1158.69 3567.77 1158.59 3563.96 1158.4 c 3560.34 1158.2 3557.22 1157.52 3554.78 1156.54 c 3552.53 1155.56 3550.77 1154 3549.7 1151.95 c 3548.62 1149.8 3548.04 1146.87 3548.04 1143.06 c 3548.04 1140.43 3548.72 1137.79 3549.8 1135.15 c 3550.97 1132.52 3552.63 1129.78 3554.58 1126.66 c 3633 1126.66 l 3633 1092.67 l 3577.73 1092.67 l 3572.45 1092.67 3567.86 1092.58 3564.05 1092.28 c 3560.34 1092.09 3557.22 1091.4 3554.78 1090.43 c 3552.53 1089.45 3550.77 1087.89 3549.7 1085.84 c 3548.62 1083.69 3548.04 1080.76 3548.04 1077.05 c 3548.04 1074.22 3548.72 1071.38 3549.99 1068.65 c 3551.36 1065.92 3552.92 1063.28 3554.58 1060.64 c 3633 1060.64 l 3633 1026.66 l 3523.31 1026.66 l 3523.31 1060.64 l 3535.42 1060.64 l 
3530.74 1066.31 3527.12 1071.58 3524.39 1076.66 c 3521.75 1081.64 3520.38 1087.21 3520.29 1093.36 c 3520.38 1100.1 3521.95 1106.05 3525.17 1111.13 c 3528.39 1116.31 3533.18 1120.21 3539.43 1122.75 c 3533.37 1129.39 3528.69 1135.64 3525.27 1141.5 c 3522.04 1147.46 3520.38 1153.32 3520.29 1159.37 c 3520.38 1164.45 3521.17 1169.04 3522.83 1173.14 c 3524.49 1177.15 3526.93 1180.56 3530.05 1183.4 c 3533.76 1186.52 3537.86 1188.87 3542.75 1190.33 c 3547.63 1191.89 3553.98 1192.67 3561.69 1192.67 c 3633.27 1192.67 l 3633.27 1158.69 l h 3633 1205.02 m f* 3636.03 1274.04 m 3636.03 1253.34 3631.14 1237.52 3621.18 1226.48 c 3611.32 1215.55 3597.26 1209.98 3578.9 1209.98 c 3561.03 1209.98 3546.77 1215.16 3536.03 1225.41 c 3525.48 1235.66 3520.11 1250.02 3520.01 1268.48 c 3520.11 1285.27 3524.6 1297.87 3533.68 1306.27 c 3542.86 1314.86 3555.85 1318.96 3572.65 1318.96 c 3585.05 1318.96 l 3585.05 1243.96 l 3590.03 1244.36 3594.23 1245.33 3597.55 1247.19 c 3600.97 1249.04 3603.61 1251.48 3605.46 1254.41 c 3607.51 1257.34 3608.98 1260.86 3609.76 1264.67 c 3610.64 1268.67 3611.03 1272.87 3611.03 1277.46 c 3611.03 1281.46 3610.73 1285.37 3609.86 1289.28 c 3608.98 1293.09 3607.9 1296.6 3606.44 1299.73 c 3605.36 1302.66 3604.09 1305.2 3602.73 1307.54 c 3601.36 1309.98 3600.09 1311.84 3599.02 1313.4 c 3599.02 1317.01 l 3627.04 1317.01 l 3628.21 1314.28 3629.29 1311.74 3630.17 1309.39 c 3631.14 1307.05 3632.02 1303.93 3632.9 1299.82 c 3633.98 1296.11 3634.66 1292.3 3635.15 1288.4 c 3635.73 1284.49 3636.03 1279.71 3636.03 1274.04 c 3636.03 1274.04 l 3563.96 1284.98 m 3556.93 1284.79 3551.46 1283.12 3547.65 1280 c 3543.94 1276.88 3542.08 1272.09 3541.98 1265.55 c 3542.08 1258.91 3544.04 1253.83 3548.04 1250.02 c 3552.04 1246.31 3557.32 1244.26 3563.96 1243.87 c h 3633 1324.04 m f* 3633 1467.69 m 3577.73 1467.69 l 3572.36 1467.69 3567.77 1467.59 3563.96 1467.4 c 3560.34 1467.2 3557.22 1466.52 3554.78 1465.54 c 3552.53 1464.56 3550.77 1463 3549.7 1460.95 c 3548.62 1458.8 3548.04 1455.87 
3548.04 1452.06 c 3548.04 1449.43 3548.72 1446.79 3549.8 1444.15 c 3550.97 1441.52 3552.63 1438.78 3554.58 1435.66 c 3633 1435.66 l 3633 1401.67 l 3577.73 1401.67 l 3572.45 1401.67 3567.86 1401.58 3564.05 1401.28 c 3560.34 1401.09 3557.22 1400.4 3554.78 1399.43 c 3552.53 1398.45 3550.77 1396.89 3549.7 1394.84 c 3548.62 1392.69 3548.04 1389.76 3548.04 1386.05 c 3548.04 1383.22 3548.72 1380.38 3549.99 1377.65 c 3551.36 1374.92 3552.92 1372.28 3554.58 1369.64 c 3633 1369.64 l 3633 1335.66 l 3523.31 1335.66 l 3523.31 1369.64 l 3535.42 1369.64 l 3530.74 1375.31 3527.12 1380.58 3524.39 1385.66 c 3521.75 1390.64 3520.38 1396.21 3520.29 1402.36 c 3520.38 1409.1 3521.95 1415.05 3525.17 1420.13 c 3528.39 1425.31 3533.18 1429.21 3539.43 1431.75 c 3533.37 1438.39 3528.69 1444.64 3525.27 1450.5 c 3522.04 1456.46 3520.38 1462.32 3520.29 1468.37 c 3520.38 1473.45 3521.17 1478.04 3522.83 1482.14 c 3524.49 1486.15 3526.93 1489.56 3530.05 1492.4 c 3533.76 1495.52 3537.86 1497.87 3542.75 1499.33 c 3547.63 1500.89 3553.98 1501.67 3561.69 1501.67 c 3633.27 1501.67 l 3633.27 1467.69 l h 3633 1514.02 m f* 3578.02 1631.69 m 3596.09 1631.69 3610.25 1626.8 3620.6 1616.94 c 3630.95 1607.08 3636.03 1593.21 3636.03 1575.24 c 3636.03 1557.37 3630.95 1543.5 3620.6 1533.64 c 3610.25 1523.68 3596.09 1518.7 3578.02 1518.7 c 3560.05 1518.7 3545.79 1523.68 3535.54 1533.64 c 3525.29 1543.5 3520.11 1557.37 3520.01 1575.24 c 3520.11 1593.11 3525.29 1607.08 3535.54 1616.94 c 3545.99 1626.8 3560.15 1631.69 3578.02 1631.69 c 3578.02 1631.69 l 3578.21 1596.73 m 3571.96 1596.73 3566.59 1596.24 3562.39 1595.07 c 3558.2 1593.99 3554.78 1592.53 3552.24 1590.67 c 3549.6 1588.62 3547.75 1586.37 3546.67 1583.83 c 3545.6 1581.39 3545.11 1578.46 3545.01 1575.24 c 3545.11 1572.12 3545.6 1569.38 3546.48 1566.94 c 3547.45 1564.5 3549.21 1562.25 3551.65 1560.1 c 3554.29 1558.25 3557.71 1556.69 3562 1555.51 c 3566.4 1554.34 3571.77 1553.76 3578.21 1553.76 c 3584.86 1553.76 3590.23 1554.24 3594.23 1555.42 c 3598.33 
1556.49 3601.46 1557.96 3603.9 1559.62 c 3606.34 1561.47 3608.2 1563.72 3609.27 1566.45 c 3610.54 1569.19 3611.03 1572.21 3611.03 1575.44 c 3611.03 1578.27 3610.54 1581 3609.27 1583.83 c 3608.2 1586.67 3606.54 1588.91 3604.09 1590.57 c 3601.46 1592.62 3598.23 1594.19 3594.33 1595.16 c 3590.52 1596.24 3585.15 1596.73 3578.21 1596.73 c h 3633 1637.05 m f* 3554.97 1725.01 m 3554.97 1722.08 l 3554.78 1720.81 3554.48 1718.86 3554.29 1716.42 c 3554.19 1713.88 3554.09 1711.14 3554 1708.02 c 3554.09 1704.41 3554.58 1700.6 3555.66 1696.59 c 3556.73 1692.59 3557.9 1688.78 3559.27 1684.97 c 3633 1684.97 l 3633 1650.99 l 3523.31 1650.99 l 3523.31 1684.97 l 3539.43 1684.97 l 3538.06 1686.63 3536.3 1688.78 3534.06 1691.61 c 3531.91 1694.35 3530.15 1696.98 3528.78 1699.23 c 3527.32 1701.77 3526.05 1704.7 3524.97 1708.02 c 3523.9 1711.34 3523.31 1714.46 3523.31 1717.39 c 3523.31 1718.57 3523.41 1719.84 3523.41 1721.3 c 3523.51 1722.67 3523.61 1723.84 3523.61 1725.01 c 3555.25 1725.01 l h 3633 1725.01 m f* 3523.31 1838.75 m 3672.94 1783.67 l 3672.94 1745.88 l 3628.31 1763.07 l 3523.2 1723.71 l 3523.2 1759.94 l 3589.51 1782.01 l 3523.2 1802.42 l 3523.2 1838.75 l h 3633 1839.04 m f* 3576.95 2018.73 m 3594.72 2018.73 3608.98 2014.33 3619.82 2005.25 c 3630.66 1996.27 3636.03 1985.23 3636.03 1972.14 c 3636.03 1966.58 3635.34 1961.79 3634.17 1957.69 c 3632.9 1953.69 3631.05 1949.39 3628.31 1944.7 c 3673.04 1944.7 l 3673.04 1910.72 l 3523.41 1910.72 l 3523.41 1944.7 l 3535.04 1944.7 l 3530.74 1949.78 3527.22 1954.96 3524.49 1960.13 c 3521.85 1965.41 3520.48 1971.56 3520.39 1978.39 c 3520.48 1991.19 3525.56 2001.15 3535.72 2008.18 c 3545.97 2015.21 3559.84 2018.73 3577.32 2018.73 c 3577.32 2018.73 l 3578.3 1983.77 m 3567.46 1983.77 3559.64 1982.1 3554.76 1978.69 c 3549.88 1975.37 3547.44 1970.19 3547.34 1963.06 c 3547.44 1959.94 3547.93 1956.91 3548.9 1953.78 c 3549.98 1950.76 3551.44 1947.73 3553.3 1944.7 c 3609.25 1944.7 l 3610.13 1946.66 3610.72 1948.61 3610.91 1950.76 c 3611.3 1953 
3611.4 1955.64 3611.4 1958.77 c 3611.4 1967.26 3608.67 1973.51 3603.2 1977.61 c 3597.73 1981.71 3589.33 1983.77 3578.3 1983.77 c h 3633 2023.98 m f* 3604.39 2098.02 m 3582.02 2098.02 l 3582.61 2092.07 3583.2 2087.28 3583.59 2083.57 c 3583.98 2079.86 3584.86 2076.25 3585.93 2072.73 c 3587.1 2069.61 3588.66 2067.26 3590.62 2065.6 c 3592.77 2063.84 3595.4 2062.96 3598.82 2062.96 c 3603.9 2062.96 3607.41 2064.43 3609.27 2067.26 c 3611.12 2070.09 3612.1 2074.29 3612 2079.86 c 3612.1 2082.98 3611.42 2086.11 3610.05 2089.23 c 3608.78 2092.46 3606.93 2095.39 3604.39 2098.02 c 3604.39 2098.02 l 3621.38 2098.02 m 3623.33 2095.58 3625.19 2093.53 3626.65 2091.68 c 3628.31 2089.82 3629.88 2087.28 3631.34 2084.16 c 3632.9 2081.03 3634.07 2078.1 3634.86 2075.17 c 3635.64 2072.34 3636.03 2068.24 3636.03 2062.96 c 3636.03 2053.2 3632.8 2045.09 3626.36 2038.65 c 3619.82 2032.3 3611.61 2028.98 3601.65 2028.98 c 3593.55 2028.98 3587 2030.74 3581.93 2033.96 c 3576.95 2037.18 3573.04 2041.87 3570.01 2048.02 c 3567.08 2054.27 3565.03 2061.7 3563.86 2070.29 c 3562.69 2078.98 3561.71 2088.26 3561.03 2098.22 c 3560.44 2098.22 l 3554.29 2098.22 3549.99 2095.97 3547.65 2091.48 c 3545.21 2086.99 3544.04 2080.15 3544.04 2071.17 c 3544.04 2067.16 3544.82 2062.38 3546.28 2056.91 c 3547.84 2051.44 3549.8 2046.17 3552.04 2040.89 c 3552.04 2037.96 l 3525.48 2037.96 l 3524.6 2041.38 3523.43 2046.85 3522.06 2054.47 c 3520.79 2062.09 3520.11 2069.8 3520.01 2077.42 c 3520.11 2096.46 3523.23 2110.33 3529.48 2119.02 c 3535.83 2127.71 3545.4 2132.01 3558.29 2132.01 c 3633 2132.01 l 3633 2098.02 l h 3633 2144.02 m f* 3597.94 2223.98 m 3547.84 2223.98 l 3547.06 2222.22 3546.48 2220.07 3545.89 2217.54 c 3545.4 2214.9 3545.11 2212.36 3545.01 2209.72 c 3545.11 2201.23 3547.75 2194.78 3553.02 2190.48 c 3558.49 2186.19 3565.91 2184.04 3575.48 2184.04 c 3580.36 2184.04 3584.37 2184.33 3587.69 2185.02 c 3591.11 2185.6 3593.94 2186.77 3596.48 2188.53 c 3599.02 2190.29 3600.87 2192.54 3602.14 2195.27 c 3603.41 2198 
3604.09 2201.52 3604 2205.72 c 3604.09 2209.04 3603.61 2212.16 3602.53 2215.19 c 3601.46 2218.32 3599.89 2221.25 3597.94 2223.98 c 3597.94 2223.98 l 3620.11 2257.96 m 3630.36 2257.96 3638.96 2256.5 3645.99 2253.47 c 3653.12 2250.54 3658.59 2246.44 3662.59 2241.27 c 3666.59 2236.09 3669.52 2229.84 3671.28 2222.61 c 3673.14 2215.39 3674.02 2207.38 3674.02 2198.49 c 3674.02 2191.17 3673.53 2184.04 3672.65 2177.4 c 3671.67 2170.76 3670.6 2164.9 3669.43 2160.02 c 3641.98 2160.02 l 3641.98 2164.12 l 3642.77 2165.88 3643.55 2168.02 3644.33 2170.37 c 3645.11 2172.71 3645.89 2175.15 3646.48 2177.59 c 3647.26 2180.43 3647.84 2183.36 3648.33 2186.09 c 3648.82 2188.82 3649.02 2191.66 3649.02 2194.49 c 3649.02 2200.54 3648.43 2205.52 3647.16 2209.53 c 3645.99 2213.53 3644.23 2216.46 3641.89 2218.51 c 3639.54 2220.56 3636.81 2222.03 3633.59 2222.81 c 3630.46 2223.59 3626.55 2223.98 3621.77 2223.98 c 3619.82 2223.98 l 3623.23 2220.07 3625.97 2215.48 3628.02 2210.41 c 3630.07 2205.23 3631.05 2199.96 3631.05 2194.49 c 3631.05 2179.94 3626.46 2168.71 3617.18 2160.8 c 3608 2152.98 3593.94 2148.98 3575.09 2148.98 c 3566.59 2148.98 3558.88 2150.25 3552.04 2152.59 c 3545.21 2155.04 3539.35 2158.45 3534.46 2162.75 c 3529.97 2166.85 3526.36 2171.83 3523.82 2177.79 c 3521.28 2183.65 3520.11 2189.8 3520.01 2196.05 c 3520.11 2201.71 3520.79 2206.99 3522.16 2211.48 c 3523.72 2215.97 3525.58 2220.07 3527.92 2223.79 c 3523.04 2225.05 l 3523.04 2257.96 l h 3633 2269.98 m f* 3636.03 2339.04 m 3636.03 2318.34 3631.14 2302.52 3621.18 2291.48 c 3611.32 2280.55 3597.26 2274.98 3578.9 2274.98 c 3561.03 2274.98 3546.77 2280.16 3536.03 2290.41 c 3525.48 2300.66 3520.11 2315.02 3520.01 2333.48 c 3520.11 2350.27 3524.6 2362.87 3533.68 2371.27 c 3542.86 2379.86 3555.85 2383.96 3572.65 2383.96 c 3585.05 2383.96 l 3585.05 2308.96 l 3590.03 2309.36 3594.23 2310.33 3597.55 2312.19 c 3600.97 2314.04 3603.61 2316.48 3605.46 2319.41 c 3607.51 2322.34 3608.98 2325.86 3609.76 2329.67 c 3610.64 2333.67 3611.03 
2337.87 3611.03 2342.46 c 3611.03 2346.46 3610.73 2350.37 3609.86 2354.28 c 3608.98 2358.09 3607.9 2361.6 3606.44 2364.73 c 3605.36 2367.66 3604.09 2370.2 3602.73 2372.54 c 3601.36 2374.98 3600.09 2376.84 3599.02 2378.4 c 3599.02 2382.01 l 3627.04 2382.01 l 3628.21 2379.28 3629.29 2376.74 3630.17 2374.39 c 3631.14 2372.05 3632.02 2368.93 3632.9 2364.82 c 3633.98 2361.11 3634.66 2357.3 3635.15 2353.4 c 3635.73 2349.49 3636.03 2344.71 3636.03 2339.04 c 3636.03 2339.04 l 3563.96 2349.98 m 3556.93 2349.79 3551.46 2348.12 3547.65 2345 c 3543.94 2341.88 3542.08 2337.09 3541.98 2330.55 c 3542.08 2323.91 3544.04 2318.83 3548.04 2315.02 c 3552.04 2311.31 3557.32 2309.26 3563.96 2308.87 c h 3633 2389.04 m f* 3636.03 2435.78 m 3636.03 2427.67 3635.15 2420.05 3633.39 2412.83 c 3631.63 2405.6 3629.58 2399.64 3627.24 2394.96 c 3598.04 2394.96 l 3598.04 2397.79 l 3599.31 2399.45 3600.68 2401.3 3602.14 2403.36 c 3603.61 2405.41 3605.17 2408.34 3606.63 2412.05 c 3608.2 2415.27 3609.46 2418.79 3610.54 2422.79 c 3611.61 2426.79 3612.1 2431.09 3612 2435.78 c 3612.1 2440.66 3611.42 2444.86 3609.95 2448.47 c 3608.59 2452.18 3606.24 2454.04 3603.12 2454.04 c 3600.68 2454.04 3598.72 2453.16 3597.36 2451.4 c 3596.09 2449.74 3594.91 2446.42 3593.64 2441.54 c 3593.06 2438.9 3592.38 2435.58 3591.59 2431.68 c 3590.81 2427.67 3589.93 2424.16 3588.96 2421.03 c 3586.32 2412.34 3582.41 2405.89 3577.14 2401.6 c 3571.87 2397.2 3564.93 2394.96 3556.34 2394.96 c 3551.46 2394.96 3546.96 2396.13 3542.57 2398.38 c 3538.27 2400.62 3534.37 2403.94 3530.85 2408.34 c 3527.63 2412.73 3524.99 2418.1 3523.04 2424.55 c 3521.09 2430.99 3520.11 2438.22 3520.01 2446.32 c 3520.11 2454.04 3520.89 2461.17 3522.36 2467.61 c 3524.02 2474.16 3525.77 2479.53 3527.92 2484.02 c 3556.05 2484.02 l 3556.05 2481.29 l 3555.17 2480.11 3554 2478.26 3552.43 2475.72 c 3550.97 2473.18 3549.6 2470.74 3548.53 2468.3 c 3547.26 2465.37 3546.18 2462.14 3545.3 2458.63 c 3544.52 2455.11 3544.04 2451.4 3544.04 2447.69 c 3544.04 2442.71 
3544.91 2438.61 3546.48 2435.09 c 3548.04 2431.77 3550.19 2430.02 3552.82 2430.02 c 3555.36 2430.02 3557.41 2430.89 3558.78 2432.55 c 3560.25 2434.21 3561.61 2437.93 3562.88 2443.59 c 3563.66 2446.62 3564.45 2450.04 3565.03 2453.84 c 3565.81 2457.65 3566.69 2461.36 3567.86 2464.78 c 3570.4 2472.79 3574.21 2478.75 3579.09 2482.85 c 3583.98 2487.05 3590.52 2489 3598.62 2489 c 3603.9 2489 3608.78 2487.83 3613.47 2485.39 c 3618.16 2483.04 3622.06 2479.53 3625.19 2475.13 c 3628.7 2470.45 3631.34 2464.98 3633.2 2458.53 c 3635.05 2452.18 3636.03 2444.66 3636.03 2435.78 c h 3633 2492.03 m f* Q q 3514.75 4513.75 m 3514.75 6303.75 l 3745.75 6303.75 l 3745.75 4513.75 l h W n 0.498 g 1 i 3554.75 4553.75 150 1750 re f* 6 w 1 J 3554.75 4553.75 150 1750 re S Q q 0.498 g 1 i 2904.75 4253.75 300 1150 re f* 37 w 1 J 2904.75 4253.75 300 1150 re S 0 g 0.2 i 3133 4524.76 m 3133 4490.77 l 3078.21 4490.77 l 3073.72 4490.77 3069.33 4490.58 3064.84 4490.19 c 3060.54 4489.8 3057.22 4489.11 3054.97 4488.14 c 3052.53 4486.97 3050.77 4485.21 3049.7 4482.96 c 3048.62 4480.72 3048.04 4477.59 3048.04 4473.78 c 3048.04 4470.95 3048.62 4468.02 3049.6 4465.09 c 3050.77 4462.26 3052.34 4459.13 3054.58 4455.72 c 3133 4455.72 l 3133 4421.73 l 3023.31 4421.73 l 3023.31 4455.72 l 3035.42 4455.72 l 3030.74 4461.38 3027.12 4466.85 3024.39 4472.22 c 3021.75 4477.59 3020.38 4483.45 3020.29 4489.89 c 3020.38 4501.22 3023.9 4509.82 3030.93 4515.77 c 3038.06 4521.83 3048.31 4524.76 3061.69 4524.76 c 3133.27 4524.76 l h 3133 4537.03 m f* 3136.03 4606.04 m 3136.03 4585.34 3131.14 4569.52 3121.18 4558.48 c 3111.32 4547.55 3097.26 4541.98 3078.9 4541.98 c 3061.03 4541.98 3046.77 4547.16 3036.03 4557.41 c 3025.48 4567.66 3020.11 4582.02 3020.01 4600.48 c 3020.11 4617.27 3024.6 4629.87 3033.68 4638.27 c 3042.86 4646.86 3055.85 4650.96 3072.65 4650.96 c 3085.05 4650.96 l 3085.05 4575.96 l 3090.03 4576.36 3094.23 4577.33 3097.55 4579.19 c 3100.97 4581.04 3103.61 4583.48 3105.46 4586.41 c 3107.51 4589.34 3108.98 4592.86 
3109.76 4596.67 c 3110.64 4600.67 3111.03 4604.87 3111.03 4609.46 c 3111.03 4613.46 3110.73 4617.37 3109.86 4621.28 c 3108.98 4625.09 3107.9 4628.6 3106.44 4631.73 c 3105.36 4634.66 3104.09 4637.2 3102.73 4639.54 c 3101.36 4641.98 3100.09 4643.84 3099.02 4645.4 c 3099.02 4649.01 l 3127.04 4649.01 l 3128.21 4646.28 3129.29 4643.74 3130.17 4641.39 c 3131.14 4639.05 3132.02 4635.93 3132.9 4631.82 c 3133.98 4628.11 3134.66 4624.3 3135.15 4620.4 c 3135.73 4616.49 3136.03 4611.71 3136.03 4606.04 c 3136.03 4606.04 l 3063.96 4616.98 m 3056.93 4616.79 3051.46 4615.12 3047.65 4612 c 3043.94 4608.88 3042.08 4604.09 3041.98 4597.55 c 3042.08 4590.91 3044.04 4585.83 3048.04 4582.02 c 3052.04 4578.31 3057.32 4576.26 3063.96 4575.87 c h 3133 4656.04 m f* 3136.03 4710.88 m 3136.03 4697.02 3133.1 4686.86 3127.34 4680.51 c 3121.67 4674.16 3112.1 4671.04 3098.92 4671.04 c 3046.96 4671.04 l 3046.96 4658.05 l 3023.04 4658.05 l 3023.04 4671.04 l 2991.98 4671.04 l 2991.98 4705.02 l 3023.04 4705.02 l 3023.04 4738.03 l 3046.96 4738.03 l 3046.96 4705.02 l 3086.42 4705.02 l 3090.42 4705.02 3093.84 4705.02 3096.67 4705.12 c 3099.6 4705.22 3102.24 4705.71 3104.48 4706.59 c 3106.93 4707.56 3108.68 4709.22 3110.05 4711.47 c 3111.42 4713.81 3112.1 4717.23 3112 4721.62 c 3112.1 4723.48 3111.71 4725.92 3111.03 4728.85 c 3110.34 4731.78 3109.66 4733.83 3108.98 4735.1 c 3108.98 4738.03 l 3132.9 4738.03 l 3133.98 4734.32 3134.66 4730.41 3135.15 4726.21 c 3135.73 4722.11 3136.03 4716.94 3136.03 4710.88 c h 3133 4739.01 m f* 3023.31 4915.61 m 3133 4883.29 l 3133 4846.86 l 3061.91 4827.43 l 3133 4807.99 l 3133 4771.47 l 3023.31 4739.54 l 3023.31 4774.99 l 3096.07 4792.56 l 3023.31 4813.46 l 3023.31 4843.83 l 3096.07 4863.56 l 3023.31 4880.16 l h 3133 4917.03 m f* 3078.02 5034.69 m 3096.09 5034.69 3110.25 5029.8 3120.6 5019.94 c 3130.95 5010.08 3136.03 4996.21 3136.03 4978.24 c 3136.03 4960.37 3130.95 4946.5 3120.6 4936.64 c 3110.25 4926.68 3096.09 4921.7 3078.02 4921.7 c 3060.05 4921.7 3045.79 4926.68 
3035.54 4936.64 c 3025.29 4946.5 3020.11 4960.37 3020.01 4978.24 c 3020.11 4996.11 3025.29 5010.08 3035.54 5019.94 c 3045.99 5029.8 3060.15 5034.69 3078.02 5034.69 c 3078.02 5034.69 l 3078.21 4999.73 m 3071.96 4999.73 3066.59 4999.24 3062.39 4998.07 c 3058.2 4996.99 3054.78 4995.53 3052.24 4993.67 c 3049.6 4991.62 3047.75 4989.37 3046.67 4986.83 c 3045.6 4984.39 3045.11 4981.46 3045.01 4978.24 c 3045.11 4975.12 3045.6 4972.38 3046.48 4969.94 c 3047.45 4967.5 3049.21 4965.25 3051.65 4963.1 c 3054.29 4961.25 3057.71 4959.69 3062 4958.51 c 3066.4 4957.34 3071.77 4956.76 3078.21 4956.76 c 3084.86 4956.76 3090.23 4957.24 3094.23 4958.42 c 3098.33 4959.49 3101.46 4960.96 3103.9 4962.62 c 3106.34 4964.47 3108.2 4966.72 3109.27 4969.45 c 3110.54 4972.19 3111.03 4975.21 3111.03 4978.44 c 3111.03 4981.27 3110.54 4984 3109.27 4986.83 c 3108.2 4989.67 3106.54 4991.91 3104.09 4993.57 c 3101.46 4995.62 3098.23 4997.19 3094.33 4998.16 c 3090.52 4999.24 3085.15 4999.73 3078.21 4999.73 c h 3133 5040.05 m f* 3054.97 5128.01 m 3054.97 5125.08 l 3054.78 5123.81 3054.48 5121.86 3054.29 5119.42 c 3054.19 5116.88 3054.09 5114.14 3054 5111.02 c 3054.09 5107.41 3054.58 5103.6 3055.66 5099.59 c 3056.73 5095.59 3057.9 5091.78 3059.27 5087.97 c 3133 5087.97 l 3133 5053.99 l 3023.31 5053.99 l 3023.31 5087.97 l 3039.43 5087.97 l 3038.06 5089.63 3036.3 5091.78 3034.06 5094.61 c 3031.91 5097.35 3030.15 5099.98 3028.78 5102.23 c 3027.32 5104.77 3026.05 5107.7 3024.97 5111.02 c 3023.9 5114.34 3023.31 5117.46 3023.31 5120.39 c 3023.31 5121.57 3023.41 5122.84 3023.41 5124.3 c 3023.51 5125.67 3023.61 5126.84 3023.61 5128.01 c 3055.25 5128.01 l h 3133 5128.01 m f* 3133 5250.77 m 3133 5209.95 l 3085.25 5180.07 l 3092.47 5174.7 l 3133 5174.7 l 3133 5140.71 l 2981.43 5140.71 l 2981.43 5174.7 l 3067.07 5174.7 l 3023.42 5207.71 l 3023.42 5247.74 l 3070.78 5209.17 l 3133.38 5250.77 l h 3133 5249 m f* 0.498 g 1 i 3154.75 4553.75 549 149 re f 0 J 1 j 3204.75 4553.75 m 3704.75 4553.75 l S 3204.75 4703.75 m 
3554.75 4703.75 l S Q q 3534.75 4683.75 m 3534.75 6303.75 l 3575.75 6303.75 l 3575.75 4683.75 l h W n 1 i 37 w 1 j 3554.75 4703.75 m 3554.75 6303.75 l S Q q 3684.75 4533.75 m 3684.75 6303.75 l 3725.75 6303.75 l 3725.75 4533.75 l h W n 1 i 37 w 1 j 3704.75 4553.75 m 3704.75 6303.75 l S Q q 0.6156 g 1 i 2504.75 503.75 900 1500 re f* 6 w 1 J 2504.75 503.75 900 1500 re S 0.498 g 2604.75 603.75 900 1500 re f* 2604.75 603.75 900 1500 re S 2704.75 703.75 900 1500 re f* 2704.75 703.75 900 1500 re S 0.6156 g 2804.75 803.75 899 1499 re f 0.498 g 2904.75 903.75 900 1500 re f* 2904.75 903.75 900 1500 re S 3004.75 1003.75 900 1500 re f* 3004.75 1003.75 900 1500 re S 0 g 0.2 i 3483 1158.69 m 3427.73 1158.69 l 3422.36 1158.69 3417.77 1158.59 3413.96 1158.4 c 3410.34 1158.2 3407.22 1157.52 3404.78 1156.54 c 3402.53 1155.56 3400.77 1154 3399.7 1151.95 c 3398.62 1149.8 3398.04 1146.87 3398.04 1143.06 c 3398.04 1140.43 3398.72 1137.79 3399.8 1135.15 c 3400.97 1132.52 3402.63 1129.78 3404.58 1126.66 c 3483 1126.66 l 3483 1092.67 l 3427.73 1092.67 l 3422.45 1092.67 3417.86 1092.58 3414.05 1092.28 c 3410.34 1092.09 3407.22 1091.4 3404.78 1090.43 c 3402.53 1089.45 3400.77 1087.89 3399.7 1085.84 c 3398.62 1083.69 3398.04 1080.76 3398.04 1077.05 c 3398.04 1074.22 3398.72 1071.38 3399.99 1068.65 c 3401.36 1065.92 3402.92 1063.28 3404.58 1060.64 c 3483 1060.64 l 3483 1026.66 l 3373.31 1026.66 l 3373.31 1060.64 l 3385.42 1060.64 l 3380.74 1066.31 3377.12 1071.58 3374.39 1076.66 c 3371.75 1081.64 3370.38 1087.21 3370.29 1093.36 c 3370.38 1100.1 3371.95 1106.05 3375.17 1111.13 c 3378.39 1116.31 3383.18 1120.21 3389.43 1122.75 c 3383.37 1129.39 3378.69 1135.64 3375.27 1141.5 c 3372.04 1147.46 3370.38 1153.32 3370.29 1159.37 c 3370.38 1164.45 3371.17 1169.04 3372.83 1173.14 c 3374.49 1177.15 3376.93 1180.56 3380.05 1183.4 c 3383.76 1186.52 3387.86 1188.87 3392.75 1190.33 c 3397.63 1191.89 3403.98 1192.67 3411.69 1192.67 c 3483.27 1192.67 l 3483.27 1158.69 l h 3483 1205.02 m f* 3486.03 1274.04 m 
3486.03 1253.34 3481.14 1237.52 3471.18 1226.48 c 3461.32 1215.55 3447.26 1209.98 3428.9 1209.98 c 3411.03 1209.98 3396.77 1215.16 3386.03 1225.41 c 3375.48 1235.66 3370.11 1250.02 3370.01 1268.48 c 3370.11 1285.27 3374.6 1297.87 3383.68 1306.27 c 3392.86 1314.86 3405.85 1318.96 3422.65 1318.96 c 3435.05 1318.96 l 3435.05 1243.96 l 3440.03 1244.36 3444.23 1245.33 3447.55 1247.19 c 3450.97 1249.04 3453.61 1251.48 3455.46 1254.41 c 3457.51 1257.34 3458.98 1260.86 3459.76 1264.67 c 3460.64 1268.67 3461.03 1272.87 3461.03 1277.46 c 3461.03 1281.46 3460.73 1285.37 3459.86 1289.28 c 3458.98 1293.09 3457.9 1296.6 3456.44 1299.73 c 3455.36 1302.66 3454.09 1305.2 3452.73 1307.54 c 3451.36 1309.98 3450.09 1311.84 3449.02 1313.4 c 3449.02 1317.01 l 3477.04 1317.01 l 3478.21 1314.28 3479.29 1311.74 3480.17 1309.39 c 3481.14 1307.05 3482.02 1303.93 3482.9 1299.82 c 3483.98 1296.11 3484.66 1292.3 3485.15 1288.4 c 3485.73 1284.49 3486.03 1279.71 3486.03 1274.04 c 3486.03 1274.04 l 3413.96 1284.98 m 3406.93 1284.79 3401.46 1283.12 3397.65 1280 c 3393.94 1276.88 3392.08 1272.09 3391.98 1265.55 c 3392.08 1258.91 3394.04 1253.83 3398.04 1250.02 c 3402.04 1246.31 3407.32 1244.26 3413.96 1243.87 c h 3483 1324.04 m f* 3483 1467.69 m 3427.73 1467.69 l 3422.36 1467.69 3417.77 1467.59 3413.96 1467.4 c 3410.34 1467.2 3407.22 1466.52 3404.78 1465.54 c 3402.53 1464.56 3400.77 1463 3399.7 1460.95 c 3398.62 1458.8 3398.04 1455.87 3398.04 1452.06 c 3398.04 1449.43 3398.72 1446.79 3399.8 1444.15 c 3400.97 1441.52 3402.63 1438.78 3404.58 1435.66 c 3483 1435.66 l 3483 1401.67 l 3427.73 1401.67 l 3422.45 1401.67 3417.86 1401.58 3414.05 1401.28 c 3410.34 1401.09 3407.22 1400.4 3404.78 1399.43 c 3402.53 1398.45 3400.77 1396.89 3399.7 1394.84 c 3398.62 1392.69 3398.04 1389.76 3398.04 1386.05 c 3398.04 1383.22 3398.72 1380.38 3399.99 1377.65 c 3401.36 1374.92 3402.92 1372.28 3404.58 1369.64 c 3483 1369.64 l 3483 1335.66 l 3373.31 1335.66 l 3373.31 1369.64 l 3385.42 1369.64 l 3380.74 1375.31 3377.12 
1380.58 3374.39 1385.66 c 3371.75 1390.64 3370.38 1396.21 3370.29 1402.36 c 3370.38 1409.1 3371.95 1415.05 3375.17 1420.13 c 3378.39 1425.31 3383.18 1429.21 3389.43 1431.75 c 3383.37 1438.39 3378.69 1444.64 3375.27 1450.5 c 3372.04 1456.46 3370.38 1462.32 3370.29 1468.37 c 3370.38 1473.45 3371.17 1478.04 3372.83 1482.14 c 3374.49 1486.15 3376.93 1489.56 3380.05 1492.4 c 3383.76 1495.52 3387.86 1497.87 3392.75 1499.33 c 3397.63 1500.89 3403.98 1501.67 3411.69 1501.67 c 3483.27 1501.67 l 3483.27 1467.69 l h 3483 1514.02 m f* 3428.02 1631.69 m 3446.09 1631.69 3460.25 1626.8 3470.6 1616.94 c 3480.95 1607.08 3486.03 1593.21 3486.03 1575.24 c 3486.03 1557.37 3480.95 1543.5 3470.6 1533.64 c 3460.25 1523.68 3446.09 1518.7 3428.02 1518.7 c 3410.05 1518.7 3395.79 1523.68 3385.54 1533.64 c 3375.29 1543.5 3370.11 1557.37 3370.01 1575.24 c 3370.11 1593.11 3375.29 1607.08 3385.54 1616.94 c 3395.99 1626.8 3410.15 1631.69 3428.02 1631.69 c 3428.02 1631.69 l 3428.21 1596.73 m 3421.96 1596.73 3416.59 1596.24 3412.39 1595.07 c 3408.2 1593.99 3404.78 1592.53 3402.24 1590.67 c 3399.6 1588.62 3397.75 1586.37 3396.67 1583.83 c 3395.6 1581.39 3395.11 1578.46 3395.01 1575.24 c 3395.11 1572.12 3395.6 1569.38 3396.48 1566.94 c 3397.45 1564.5 3399.21 1562.25 3401.65 1560.1 c 3404.29 1558.25 3407.71 1556.69 3412 1555.51 c 3416.4 1554.34 3421.77 1553.76 3428.21 1553.76 c 3434.86 1553.76 3440.23 1554.24 3444.23 1555.42 c 3448.33 1556.49 3451.46 1557.96 3453.9 1559.62 c 3456.34 1561.47 3458.2 1563.72 3459.27 1566.45 c 3460.54 1569.19 3461.03 1572.21 3461.03 1575.44 c 3461.03 1578.27 3460.54 1581 3459.27 1583.83 c 3458.2 1586.67 3456.54 1588.91 3454.09 1590.57 c 3451.46 1592.62 3448.23 1594.19 3444.33 1595.16 c 3440.52 1596.24 3435.15 1596.73 3428.21 1596.73 c h 3483 1637.05 m f* 3404.97 1725.01 m 3404.97 1722.08 l 3404.78 1720.81 3404.48 1718.86 3404.29 1716.42 c 3404.19 1713.88 3404.09 1711.14 3404 1708.02 c 3404.09 1704.41 3404.58 1700.6 3405.66 1696.59 c 3406.73 1692.59 3407.9 1688.78 3409.27 
1684.97 c 3483 1684.97 l 3483 1650.99 l 3373.31 1650.99 l 3373.31 1684.97 l 3389.43 1684.97 l 3388.06 1686.63 3386.3 1688.78 3384.06 1691.61 c 3381.91 1694.35 3380.15 1696.98 3378.78 1699.23 c 3377.32 1701.77 3376.05 1704.7 3374.97 1708.02 c 3373.9 1711.34 3373.31 1714.46 3373.31 1717.39 c 3373.31 1718.57 3373.41 1719.84 3373.41 1721.3 c 3373.51 1722.67 3373.61 1723.84 3373.61 1725.01 c 3405.25 1725.01 l h 3483 1725.01 m f* 3373.31 1838.75 m 3522.94 1783.67 l 3522.94 1745.88 l 3478.31 1763.07 l 3373.2 1723.71 l 3373.2 1759.94 l 3439.51 1782.01 l 3373.2 1802.42 l 3373.2 1838.75 l h 3483 1839.04 m f* 3426.95 2018.73 m 3444.72 2018.73 3458.98 2014.33 3469.82 2005.25 c 3480.66 1996.27 3486.03 1985.23 3486.03 1972.14 c 3486.03 1966.58 3485.34 1961.79 3484.17 1957.69 c 3482.9 1953.69 3481.05 1949.39 3478.31 1944.7 c 3523.04 1944.7 l 3523.04 1910.72 l 3373.41 1910.72 l 3373.41 1944.7 l 3385.04 1944.7 l 3380.74 1949.78 3377.22 1954.96 3374.49 1960.13 c 3371.85 1965.41 3370.48 1971.56 3370.39 1978.39 c 3370.48 1991.19 3375.56 2001.15 3385.72 2008.18 c 3395.97 2015.21 3409.84 2018.73 3427.32 2018.73 c 3427.32 2018.73 l 3428.3 1983.77 m 3417.46 1983.77 3409.64 1982.1 3404.76 1978.69 c 3399.88 1975.37 3397.44 1970.19 3397.34 1963.06 c 3397.44 1959.94 3397.93 1956.91 3398.9 1953.78 c 3399.98 1950.76 3401.44 1947.73 3403.3 1944.7 c 3459.25 1944.7 l 3460.13 1946.66 3460.72 1948.61 3460.91 1950.76 c 3461.3 1953 3461.4 1955.64 3461.4 1958.77 c 3461.4 1967.26 3458.67 1973.51 3453.2 1977.61 c 3447.73 1981.71 3439.33 1983.77 3428.3 1983.77 c h 3483 2023.98 m f* 3454.39 2098.02 m 3432.02 2098.02 l 3432.61 2092.07 3433.2 2087.28 3433.59 2083.57 c 3433.98 2079.86 3434.86 2076.25 3435.93 2072.73 c 3437.1 2069.61 3438.66 2067.26 3440.62 2065.6 c 3442.77 2063.84 3445.4 2062.96 3448.82 2062.96 c 3453.9 2062.96 3457.41 2064.43 3459.27 2067.26 c 3461.12 2070.09 3462.1 2074.29 3462 2079.86 c 3462.1 2082.98 3461.42 2086.11 3460.05 2089.23 c 3458.78 2092.46 3456.93 2095.39 3454.39 2098.02 c 
3454.39 2098.02 l 3471.38 2098.02 m 3473.33 2095.58 3475.19 2093.53 3476.65 2091.68 c 3478.31 2089.82 3479.88 2087.28 3481.34 2084.16 c 3482.9 2081.03 3484.07 2078.1 3484.86 2075.17 c 3485.64 2072.34 3486.03 2068.24 3486.03 2062.96 c 3486.03 2053.2 3482.8 2045.09 3476.36 2038.65 c 3469.82 2032.3 3461.61 2028.98 3451.65 2028.98 c 3443.55 2028.98 3437 2030.74 3431.93 2033.96 c 3426.95 2037.18 3423.04 2041.87 3420.01 2048.02 c 3417.08 2054.27 3415.03 2061.7 3413.86 2070.29 c 3412.69 2078.98 3411.71 2088.26 3411.03 2098.22 c 3410.44 2098.22 l 3404.29 2098.22 3399.99 2095.97 3397.65 2091.48 c 3395.21 2086.99 3394.04 2080.15 3394.04 2071.17 c 3394.04 2067.16 3394.82 2062.38 3396.28 2056.91 c 3397.84 2051.44 3399.8 2046.17 3402.04 2040.89 c 3402.04 2037.96 l 3375.48 2037.96 l 3374.6 2041.38 3373.43 2046.85 3372.06 2054.47 c 3370.79 2062.09 3370.11 2069.8 3370.01 2077.42 c 3370.11 2096.46 3373.23 2110.33 3379.48 2119.02 c 3385.83 2127.71 3395.4 2132.01 3408.29 2132.01 c 3483 2132.01 l 3483 2098.02 l h 3483 2144.02 m f* 3447.94 2223.98 m 3397.84 2223.98 l 3397.06 2222.22 3396.48 2220.07 3395.89 2217.54 c 3395.4 2214.9 3395.11 2212.36 3395.01 2209.72 c 3395.11 2201.23 3397.75 2194.78 3403.02 2190.48 c 3408.49 2186.19 3415.91 2184.04 3425.48 2184.04 c 3430.36 2184.04 3434.37 2184.33 3437.69 2185.02 c 3441.11 2185.6 3443.94 2186.77 3446.48 2188.53 c 3449.02 2190.29 3450.87 2192.54 3452.14 2195.27 c 3453.41 2198 3454.09 2201.52 3454 2205.72 c 3454.09 2209.04 3453.61 2212.16 3452.53 2215.19 c 3451.46 2218.32 3449.89 2221.25 3447.94 2223.98 c 3447.94 2223.98 l 3470.11 2257.96 m 3480.36 2257.96 3488.96 2256.5 3495.99 2253.47 c 3503.12 2250.54 3508.59 2246.44 3512.59 2241.27 c 3516.59 2236.09 3519.52 2229.84 3521.28 2222.61 c 3523.14 2215.39 3524.02 2207.38 3524.02 2198.49 c 3524.02 2191.17 3523.53 2184.04 3522.65 2177.4 c 3521.67 2170.76 3520.6 2164.9 3519.43 2160.02 c 3491.98 2160.02 l 3491.98 2164.12 l 3492.77 2165.88 3493.55 2168.02 3494.33 2170.37 c 3495.11 2172.71 3495.89 
2175.15 3496.48 2177.59 c 3497.26 2180.43 3497.84 2183.36 3498.33 2186.09 c 3498.82 2188.82 3499.02 2191.66 3499.02 2194.49 c 3499.02 2200.54 3498.43 2205.52 3497.16 2209.53 c 3495.99 2213.53 3494.23 2216.46 3491.89 2218.51 c 3489.54 2220.56 3486.81 2222.03 3483.59 2222.81 c 3480.46 2223.59 3476.55 2223.98 3471.77 2223.98 c 3469.82 2223.98 l 3473.23 2220.07 3475.97 2215.48 3478.02 2210.41 c 3480.07 2205.23 3481.05 2199.96 3481.05 2194.49 c 3481.05 2179.94 3476.46 2168.71 3467.18 2160.8 c 3458 2152.98 3443.94 2148.98 3425.09 2148.98 c 3416.59 2148.98 3408.88 2150.25 3402.04 2152.59 c 3395.21 2155.04 3389.35 2158.45 3384.46 2162.75 c 3379.97 2166.85 3376.36 2171.83 3373.82 2177.79 c 3371.28 2183.65 3370.11 2189.8 3370.01 2196.05 c 3370.11 2201.71 3370.79 2206.99 3372.16 2211.48 c 3373.72 2215.97 3375.58 2220.07 3377.92 2223.79 c 3373.04 2225.05 l 3373.04 2257.96 l h 3483 2269.98 m f* 3486.03 2339.04 m 3486.03 2318.34 3481.14 2302.52 3471.18 2291.48 c 3461.32 2280.55 3447.26 2274.98 3428.9 2274.98 c 3411.03 2274.98 3396.77 2280.16 3386.03 2290.41 c 3375.48 2300.66 3370.11 2315.02 3370.01 2333.48 c 3370.11 2350.27 3374.6 2362.87 3383.68 2371.27 c 3392.86 2379.86 3405.85 2383.96 3422.65 2383.96 c 3435.05 2383.96 l 3435.05 2308.96 l 3440.03 2309.36 3444.23 2310.33 3447.55 2312.19 c 3450.97 2314.04 3453.61 2316.48 3455.46 2319.41 c 3457.51 2322.34 3458.98 2325.86 3459.76 2329.67 c 3460.64 2333.67 3461.03 2337.87 3461.03 2342.46 c 3461.03 2346.46 3460.73 2350.37 3459.86 2354.28 c 3458.98 2358.09 3457.9 2361.6 3456.44 2364.73 c 3455.36 2367.66 3454.09 2370.2 3452.73 2372.54 c 3451.36 2374.98 3450.09 2376.84 3449.02 2378.4 c 3449.02 2382.01 l 3477.04 2382.01 l 3478.21 2379.28 3479.29 2376.74 3480.17 2374.39 c 3481.14 2372.05 3482.02 2368.93 3482.9 2364.82 c 3483.98 2361.11 3484.66 2357.3 3485.15 2353.4 c 3485.73 2349.49 3486.03 2344.71 3486.03 2339.04 c 3486.03 2339.04 l 3413.96 2349.98 m 3406.93 2349.79 3401.46 2348.12 3397.65 2345 c 3393.94 2341.88 3392.08 2337.09 3391.98 
2330.55 c 3392.08 2323.91 3394.04 2318.83 3398.04 2315.02 c 3402.04 2311.31 3407.32 2309.26 3413.96 2308.87 c h 3483 2389.04 m f* 3486.03 2435.78 m 3486.03 2427.67 3485.15 2420.05 3483.39 2412.83 c 3481.63 2405.6 3479.58 2399.64 3477.24 2394.96 c 3448.04 2394.96 l 3448.04 2397.79 l 3449.31 2399.45 3450.68 2401.3 3452.14 2403.36 c 3453.61 2405.41 3455.17 2408.34 3456.63 2412.05 c 3458.2 2415.27 3459.46 2418.79 3460.54 2422.79 c 3461.61 2426.79 3462.1 2431.09 3462 2435.78 c 3462.1 2440.66 3461.42 2444.86 3459.95 2448.47 c 3458.59 2452.18 3456.24 2454.04 3453.12 2454.04 c 3450.68 2454.04 3448.72 2453.16 3447.36 2451.4 c 3446.09 2449.74 3444.91 2446.42 3443.64 2441.54 c 3443.06 2438.9 3442.38 2435.58 3441.59 2431.68 c 3440.81 2427.67 3439.93 2424.16 3438.96 2421.03 c 3436.32 2412.34 3432.41 2405.89 3427.14 2401.6 c 3421.87 2397.2 3414.93 2394.96 3406.34 2394.96 c 3401.46 2394.96 3396.96 2396.13 3392.57 2398.38 c 3388.27 2400.62 3384.37 2403.94 3380.85 2408.34 c 3377.63 2412.73 3374.99 2418.1 3373.04 2424.55 c 3371.09 2430.99 3370.11 2438.22 3370.01 2446.32 c 3370.11 2454.04 3370.89 2461.17 3372.36 2467.61 c 3374.02 2474.16 3375.77 2479.53 3377.92 2484.02 c 3406.05 2484.02 l 3406.05 2481.29 l 3405.17 2480.11 3404 2478.26 3402.43 2475.72 c 3400.97 2473.18 3399.6 2470.74 3398.53 2468.3 c 3397.26 2465.37 3396.18 2462.14 3395.3 2458.63 c 3394.52 2455.11 3394.04 2451.4 3394.04 2447.69 c 3394.04 2442.71 3394.91 2438.61 3396.48 2435.09 c 3398.04 2431.77 3400.19 2430.02 3402.82 2430.02 c 3405.36 2430.02 3407.41 2430.89 3408.78 2432.55 c 3410.25 2434.21 3411.61 2437.93 3412.88 2443.59 c 3413.66 2446.62 3414.45 2450.04 3415.03 2453.84 c 3415.81 2457.65 3416.69 2461.36 3417.86 2464.78 c 3420.4 2472.79 3424.21 2478.75 3429.09 2482.85 c 3433.98 2487.05 3440.52 2489 3448.62 2489 c 3453.9 2489 3458.78 2487.83 3463.47 2485.39 c 3468.16 2483.04 3472.06 2479.53 3475.19 2475.13 c 3478.7 2470.45 3481.34 2464.98 3483.2 2458.53 c 3485.05 2452.18 3486.03 2444.66 3486.03 2435.78 c h 3483 
2492.03 m f* 1 i 25 w 1 j 3754.75 4053.75 m 3698.75 4053.75 3654.75 3773.75 3654.75 3428.75 c 3654.75 3082.75 3698.75 2803.75 3754.75 2803.75 c 3809.75 2803.75 3854.75 3082.75 3854.75 3428.75 c 3854.75 3773.75 3809.75 4053.75 3754.75 4053.75 c s 2754.75 4053.75 m 2698.75 4053.75 2654.75 3773.75 2654.75 3428.75 c 2654.75 3082.75 2698.75 2803.75 2754.75 2803.75 c 2809.75 2803.75 2854.75 3082.75 2854.75 3428.75 c 2854.75 3773.75 2809.75 4053.75 2754.75 4053.75 c s 0 J 2754.75 2803.75 m 3754.75 2803.75 l S 2754.75 4053.75 m 3754.75 4053.75 l S 0.2 i 3333 3327.69 m 3333 3293.71 l 3321.67 3293.71 l 3323.53 3291.46 3325.48 3288.83 3327.53 3285.99 c 3329.58 3283.06 3331.14 3280.52 3332.12 3278.38 c 3333.49 3275.54 3334.46 3272.81 3335.05 3270.08 c 3335.73 3267.34 3336.03 3264.02 3336.03 3260.21 c 3336.03 3247.52 3330.85 3237.46 3320.5 3229.94 c 3310.15 3222.52 3296.28 3218.71 3278.9 3218.71 c 3269.33 3218.71 3261.03 3220.08 3253.9 3222.52 c 3246.96 3225.06 3240.71 3228.57 3235.54 3232.97 c 3230.85 3237.07 3227.04 3242.05 3224.21 3247.81 c 3221.48 3253.57 3220.11 3259.72 3220.01 3266.17 c 3220.11 3272.03 3220.7 3276.81 3221.87 3280.62 c 3223.14 3284.33 3224.89 3288.73 3227.43 3293.71 c 3179.97 3293.71 l 3179.97 3327.69 l 3332.62 3327.69 l 3301.95 3293.71 m 3247.66 3293.71 l 3246.78 3291.95 3246.09 3289.7 3245.51 3286.77 c 3245.02 3283.94 3244.73 3281.5 3244.63 3279.45 c 3244.73 3270.95 3247.66 3264.51 3253.42 3260.21 c 3259.18 3255.92 3267.29 3253.77 3277.64 3253.77 c 3288.57 3253.77 3296.48 3255.52 3301.37 3258.84 c 3306.25 3262.26 3308.69 3267.83 3308.59 3275.45 c 3308.69 3278.57 3308.11 3281.79 3306.84 3285.02 c 3305.76 3288.14 3304.1 3291.07 3301.95 3293.71 c h 3333 3339.98 m f* 3333 3386.97 m 3333 3352.99 l 3223.31 3352.99 l 3223.31 3386.97 l 3333 3386.97 l 3207.34 3388.05 m 3207.34 3352.01 l 3180.29 3352.01 l 3180.29 3388.05 l h 3333 3399.96 m f* 3336.03 3446.78 m 3336.03 3438.67 3335.15 3431.05 3333.39 3423.83 c 3331.63 3416.6 3329.58 3410.64 3327.24 3405.96 c 
3298.04 3405.96 l 3298.04 3408.79 l 3299.31 3410.45 3300.68 3412.3 3302.14 3414.36 c 3303.61 3416.41 3305.17 3419.34 3306.63 3423.05 c 3308.2 3426.27 3309.46 3429.79 3310.54 3433.79 c 3311.61 3437.79 3312.1 3442.09 3312 3446.78 c 3312.1 3451.66 3311.42 3455.86 3309.95 3459.47 c 3308.59 3463.18 3306.24 3465.04 3303.12 3465.04 c 3300.68 3465.04 3298.72 3464.16 3297.36 3462.4 c 3296.09 3460.74 3294.91 3457.42 3293.64 3452.54 c 3293.06 3449.9 3292.38 3446.58 3291.59 3442.68 c 3290.81 3438.67 3289.93 3435.16 3288.96 3432.03 c 3286.32 3423.34 3282.41 3416.89 3277.14 3412.6 c 3271.87 3408.2 3264.93 3405.96 3256.34 3405.96 c 3251.46 3405.96 3246.96 3407.13 3242.57 3409.38 c 3238.27 3411.62 3234.37 3414.94 3230.85 3419.34 c 3227.63 3423.73 3224.99 3429.1 3223.04 3435.55 c 3221.09 3441.99 3220.11 3449.22 3220.01 3457.32 c 3220.11 3465.04 3220.89 3472.17 3222.36 3478.61 c 3224.02 3485.16 3225.77 3490.53 3227.92 3495.02 c 3256.05 3495.02 l 3256.05 3492.29 l 3255.17 3491.11 3254 3489.26 3252.43 3486.72 c 3250.97 3484.18 3249.6 3481.74 3248.53 3479.3 c 3247.26 3476.37 3246.18 3473.14 3245.3 3469.63 c 3244.52 3466.11 3244.04 3462.4 3244.04 3458.69 c 3244.04 3453.71 3244.91 3449.61 3246.48 3446.09 c 3248.04 3442.77 3250.19 3441.02 3252.82 3441.02 c 3255.36 3441.02 3257.41 3441.89 3258.78 3443.55 c 3260.25 3445.21 3261.61 3448.93 3262.88 3454.59 c 3263.66 3457.62 3264.45 3461.04 3265.03 3464.84 c 3265.81 3468.65 3266.69 3472.36 3267.86 3475.78 c 3270.4 3483.79 3274.21 3489.75 3279.09 3493.85 c 3283.98 3498.05 3290.52 3500 3298.62 3500 c 3303.9 3500 3308.78 3498.83 3313.47 3496.39 c 3318.16 3494.04 3322.06 3490.53 3325.19 3486.13 c 3328.7 3481.45 3331.34 3475.98 3333.2 3469.53 c 3335.05 3463.18 3336.03 3455.66 3336.03 3446.78 c h 3333 3503.03 m f* 3333 3626.77 m 3333 3585.95 l 3285.25 3556.07 l 3292.47 3550.7 l 3333 3550.7 l 3333 3516.71 l 3181.43 3516.71 l 3181.43 3550.7 l 3267.07 3550.7 l 3223.42 3583.71 l 3223.42 3623.74 l 3270.78 3585.17 l 3333.38 3626.77 l h 3333 3625 m f* 
0.6156 g 1 i 3004.75 2903.75 99.9998 200 re f* 6 w 1 J 0 j 3004.75 2903.75 99.9998 200 re S 0.698 g 3154.75 2903.75 99.9998 200 re f* 3154.75 2903.75 99.9998 200 re S 0.6156 g 3304.75 2903.75 99.9998 200 re f* 3304.75 2903.75 99.9998 200 re S 3454.75 2903.75 99.9998 200 re f* 3454.75 2903.75 99.9998 200 re S 0.698 g 3004.75 3203.75 99.9998 200 re f* 3004.75 3203.75 99.9998 200 re S 19 w 0 J 1 j 1554.75 1053.75 m 2554.75 1253.75 l S 1 J 1638.75 1120.75 m 1554.75 1053.75 l 1658.75 1025.75 l S 2470.75 1186.75 m 2554.75 1253.75 l 2450.75 1281.75 l S 0 J 1504.75 2303.75 m 3054.75 2953.75 l S 1 J 1574.75 2385.75 m 1504.75 2303.75 l 1611.75 2296.75 l S 2984.75 2871.75 m 3054.75 2953.75 l 2947.75 2960.75 l S 0 J 1504.75 4603.75 m 3054.75 3053.75 l S 1 J 1607.75 4570.75 m 1504.75 4603.75 l 1538.75 4501.75 l S 2951.75 3086.75 m 3054.75 3053.75 l 3020.75 3155.75 l S 0 J 1454.75 3903.75 m 2954.75 4453.75 l S 1 J 1527.75 3982.75 m 1454.75 3903.75 l 1561.75 3891.75 l S 2881.75 4374.75 m 2954.75 4453.75 l 2847.75 4465.75 l S Q PDFVars/TermAll get exec end end userdict /pgsave get restore showpage %%PageTrailer %%EndPage %%Trailer %%EOF %%EndDocument @endspecial 0 2600 a(Figure)26 b(1\2551:)40 b(Possible)27 b(e)o(xok)o(ernel)d(system.)47 b(Applications)26 b(link)g(against)f (library)g(operating)g(systems)h(\(libOS\),)g(which)g(pro)o(vide)0 2700 y(standard)21 b(operating)f(system)j(abstractions)e(\(virtual)g (memory)-5 b(,)21 b(\002les,)i(netw)o(ork)e(protocols,)g(etc.\).)35 b(Because)23 b(libOSes,)g(are)f(unpri)n(v\255)0 2800 y(ile)o(ged,)j(applications)f(can)g(also)h(specialize)g(them)g(or)f (write)h(their)g(o)n(wn,)g(as)h(the)f(web)f(serv)o(er)g(in)h(the)g (picture)f(has)h(done.)42 b(Because)0 2899 y(the)18 b(e)o(xok)o(ernel)e (pro)o(vides)h(protection,)g(completely)f(dif)n(ferent)h(libOSes)i(can) f(simultaneously)e(run)i(on)g(the)g(same)h(system)f(and)g(safely)0 2999 y(share)i(resources)f(such)h(as)h(disk)f(blocks)g(and)f(physical)g (pages.)125 3255 
y(An)g(e)o(xok)o(ernel)f(retains)h(the)h(three)f (bene\002ts)g(of)h(traditional)e(operating)g(systems:)30 b(def)o(ault)18 b(functionality)g(and)h(portability)f(come)0 3354 y(from)k(writing)h(applications)f(on)g(top)h(of)g(a)h(libOS,)f (while)g(protection)f(comes)g(from)h(the)g(e)o(xok)o(ernel,)e(which)i (guards)f(all)i(resources.)0 3454 y(In)i(addition,)g(we)h(hope)e(that)h (the)g(e)o(xok)o(ernel)e(or)o(ganization)f(dramatically)i(impro)o(v)o (es)f(system)i(inno)o(v)n(ation.)45 b(W)-7 b(e)27 b(ha)n(v)o(e)f(four)f (main)0 3553 y(reasons)20 b(for)f(this)i(hope:)104 3708 y(1.)41 b(F)o(ault\255isolation:)48 b(an)31 b(error)e(in)i(a)g(libOS)g (only)f(af)n(fects)g(the)h(applications)e(using)h(it,)k(in)c(contrast)g (to)h(errors)f(in)h(pri)n(vile)o(ged)208 3808 y(operating)21 b(systems,)i(which)g(can)f(compromise)f(the)i(entire)g(system.)37 b(Thus,)23 b(an)g(e)o(xok)o(ernel)e(signi\002cantly)h(reduces)g(the)g (risk)208 3907 y(of)d(using)h(operating)e(system)j(inno)o(v)n(ations.) 104 4068 y(2.)41 b(Co\255e)o(xistence:)47 b(by)30 b(design,)h (multiple,)h(possibly)d(specialized,)j(library)d(operating)f(systems)i (can)g(co\255e)o(xist)f(on)g(the)h(same)208 4167 y(e)o(xok)o(ernel)15 b(system,)i(in)h(contrast)e(to)i(traditional)e(systems,)i(which)e (by\255and\255lar)o(ge)e(pre)n(v)o(ent)h(more)i(than)f(one)h(operating) e(system)208 4267 y(running)j(at)i(a)h(time.)29 b(Thus,)20 b(an)g(e)o(xok)o(ernel)e(enables)i(inno)o(v)n(ation)d(composition.)104 4427 y(3.)41 b(Increased)31 b(implementor)f(base:)54 b(there)32 b(are)h(se)n(v)o(eral)f(orders)f(of)h(magnitude)f(more)h (systems)h(programmers)d(than)i(pri)n(vi\255)208 4527 y(le)o(ged)e(implementors)f(\(of)i(oft\255times)g(proprietary)e (operating)g(systems\).)63 b(W)-7 b(e)32 b(hope)e(the)i(rate)f(of)g (inno)o(v)n(ation)e(increases)208 4627 y(proportionally)-5 b(.)104 4787 y(4.)41 b(Increased)17 b(user)h(base:)29 b(by)19 b(making)e(operating)g(system)i(softw)o(are)f(no)g(dif)n 
(ferent)f(from)h(other)g(runtime)f(libraries,)i(the)f(number)208 4886 y(of)23 b(people)g(with)i(discretion)e(to)h(use)g(an)g(inno)o(v)n (ation)e(increases)i(by)g(an)g(e)n(v)o(en)f(lar)o(ger)f(f)o(actor)-5 b(.)41 b(Similarly)-5 b(,)24 b(using)g(inno)o(v)n(ations)208 4986 y(becomes)15 b(a)h(simple)h(matter)f(of)g(linking)f(in)h(a)h(ne)n (w)f(library)f(rather)g(than)h(ha)n(ving)f(to)h(replace)g(an)g(entire)g (system\255wide)f(operating)208 5086 y(system)20 b(\(and)f(forcing)g (all)i(other)e(users)h(of)g(the)g(system)h(to)f(use)h(it,)f(and)g(its)h (b)n(ugs,)f(in)g(the)g(process\).)0 5240 y(These)36 b(four)f(features)g (remo)o(v)o(e)f(man)o(y)h(of)h(the)g(practical)g(barriers)f(f)o(acing)g (operating)f(system)i(inno)o(v)n(ation)e(de)n(v)o(elopment)f(and)0 5340 y(deplo)o(yment.)1908 5589 y(12)p eop %%Page: 13 14 13 13 bop 125 83 a Fp(W)-7 b(e)30 b(do)e(not)h(assume)g(that)g (application)f(programmers)e(will)k(modify)e(operating)f(system)i (softw)o(are)g(as)h(a)f(matter)g(of)g(course.)0 183 y(Instead,)g(we)f (re)o(gard)e(libOS)i(modi\002cation)e(as)j(similar)f(to)g(that)g(of)g (compilers:)44 b(both)27 b(are)g(lar)o(ge,)i(relati)n(v)o(ely)e(comple) o(x)f(pieces)i(of)0 282 y(softw)o(are,)15 b(not)f(altered)g(in)g(the)h (normal)e(course)h(of)g(day\255to\255day)e(programming.)23 b(Ho)n(we)n(v)o(er)m(,)14 b(in)g(the)h(case)g(of)f(compilers,)g(the)h (enormous)0 382 y(implementor)j(and)h(user)h(community)e(coupled)g (with,)i(unpri)n(vile)o(ged,)d(f)o(ault\255isolated)i(compiler)g (implementations)f(has)i(resulted)f(in)0 482 y(thousands)c(of)h (languages)f(and)g(implementations.)26 b(F)o(or)16 b(e)o(xample,)g(ne)n (w)g(languages)f(such)h(as)h(Ja)n(v)n(a,)g(Tcl,)g(Perl,)g(and)f(C++)h (ha)n(v)o(e)e(swept)0 581 y(the)i(implementor)f(base)h(e)n(v)o(ery)f (fe)n(w)h(years.)28 b(Observ)o(ed)16 b(operating)f(systems)j(re)n(v)n (olutions)e(happen)g(both)g(on)h(a)h(more)e(attenuated)g(time)0 681 y(scale,)j(and)e(with)h(less)h(dramatic)d(scope.)28 b(W)-7 b(e)19 
b(hope)e(that)h(by)f(making)g(OS)h(softw)o(are)g(more)f (similar)h(to)g(compilers)e(in)i(the)g(abo)o(v)o(e)e(w)o(ays)0 780 y(that)k(their)g(e)n(v)n(olution)f(will)i(become)e(more)g(similar)i (as)f(well.)125 880 y(An)k(e)o(xok)o(ernel')-5 b(s)23 b(success)i(does)f(not)g(depend)f(on)h(a)h(panoply)d(of)i(dif)n(ferent) f(operating)g(systems.)42 b(In)24 b(our)g(vie)n(w)-5 b(,)25 b(similar)g(again)0 980 y(to)i(compilers)e(and)h(languages,)g (there)g(will)i(be)e(a)h(fe)n(w)f(dominant)f(operating)g(systems)i(b)n (ut,)h(importantly)-5 b(,)25 b(the)i(f)o(act)f(that)h(the)o(y)f(are)0 1079 y(unpri)n(vile)o(ged)17 b(will)k(enable)e(them)h(to)h(e)n(v)n(olv) o(e)e(more)g(readily)g(than)h(traditional)f(systems.)0 1326 y Fv(1.1)117 b(Relation)28 b(to)h(other)f(OS)h(structur)n(es)0 1512 y Fp(There)19 b(is)j(a)e(lar)o(ge)g(literature)f(on)h(e)o (xtensible)f(operating)g(systems,)h(starting)g(with)h(the)f(classic)h (rationales)f(by)f(Lampson)g(and)h(Brinch)0 1611 y(Hansen)35 b([41)n(,)h(53)o(,)g(54)o(].)74 b(Pre)n(vious)34 b(approaches)g(to)h(e) o(xtensibility)f(can)h(be)g(coarsely)g(classi\002ed)g(in)h(to)f(three)g (groups:)58 b(better)0 1711 y(microk)o(ernels,)26 b(virtual)g (machines,)h(and)f(do)n(wnloading)d(untrusted)j(code)f(into)i(the)f(k)o (ernel.)48 b(W)-7 b(e)27 b(discuss)g(each)g(in)f(turn)g(and)g(then)0 1811 y(relate)20 b(e)o(xok)o(ernels)e(to)j(recent)e(w)o(ork)h(in)g(e)o (xtensible)f(operating)g(systems.)125 1910 y(The)14 b(e)o(xok)o(ernel)g (dif)n(fers)g(from)g(traditional)g(monolithic)g(systems)i(in)f(that)h (it)f(places)h(the)f(b)n(ulk)g(of)g(operating)e(system)j(functionality) 0 2010 y(in)26 b(unpri)n(vile)o(ged)c(libraries.)45 b(It)26 b(similarly)f(dif)n(fers)g(from)g(a)h(microk)o(ernel)d(in)j(that,)h (while)e(both)g(or)o(ganizations)e(mo)o(v)o(e)h(code)h(out)g(of)0 2110 y(the)31 b(k)o(ernel,)i(a)e(microk)o(ernel)e(pushes)h(code)g(into) h(pri)n(vile)o(ged)e(serv)o(ers,)k(which)d(applications)g(cannot)g (modify)-5 b(.)59 b(In)31 b(some)f(sense,)0 2209 
y(the)c(principal)f (goal)g(of)h(an)g(e)o(xok)o(ernel\227gi)n(ving)c(applications)j (control\227is)g(orthogonal)f(to)i(the)g(question)f(of)h(monolithic)e (v)o(ersus)0 2309 y(microk)o(ernel)19 b(or)o(ganization.)30 b(If)21 b(applications)f(are)h(restricted)g(to)h(inadequate)d(interf)o (aces,)i(it)h(mak)o(es)g(little)g(dif)n(ference)d(whether)i(the)0 2408 y(implementations)f(reside)j(in)f(the)h(k)o(ernel)e(or)h(pri)n (vile)o(ged)f(user)n(\255le)n(v)o(el)g(serv)o(ers)h([39)o(,)g(39)o(];)i (in)f(both)e(cases)j(applications)d(lack)h(control.)0 2508 y(F)o(or)f(e)o(xample,)f(it)i(is)h(dif)n(\002cult)e(to)g(change)g (the)g(b)n(uf)n(fer)f(management)g(polic)o(y)g(of)h(a)h(shared)f (\002le)h(serv)o(er)-5 b(.)32 b(In)22 b(man)o(y)e(w)o(ays,)i(serv)o (ers)f(can)0 2608 y(be)27 b(vie)n(wed)f(as)i(\002x)o(ed)f(k)o(ernel)f (subsystems)h(that)g(happen)e(to)i(run)g(in)g(user)g(space.)50 b(Whether)26 b(monolithic)f(or)i(microk)o(ernel\255based,)0 2707 y(the)e(goal)f(of)h(an)f(e)o(xok)o(ernel)f(system)i(remains)f(for) g(pri)n(vile)o(ged)f(softw)o(are)h(to)h(pro)o(vide)e(interf)o(aces)h (that)h(do)g(not)f(limit)h(the)g(ability)g(of)0 2807 y(unpri)n(vile)o(ged)17 b(applications)i(to)h(manage)f(their)h(o)n(wn)g (resources.)125 2907 y(Hydra)j(w)o(as)i(the)g(most)f(ambitious)g(early) g(system)g(to)h(ha)n(v)o(e)f(the)g(separation)f(of)h(k)o(ernel)g(polic) o(y)f(and)h(mechanism)f(as)j(one)d(of)i(its)0 3006 y(central)19 b(tenets)h([94)o(].)29 b(An)19 b(e)o(xok)o(ernel)f(tak)o(es)i(the)g (elimination)e(of)h(polic)o(y)g(one)g(step)h(further)e(by)h(remo)o (ving)e(\223mechanism\224)h(where)n(v)o(er)0 3106 y(possible.)38 b(This)23 b(process)g(is)h(moti)n(v)n(ated)e(by)h(the)g(insight)g(that) h(mechanism)e Fk(is)i Fp(polic)o(y)-5 b(,)22 b(albeit)h(with)h(one)e (less)j(layer)e(of)g(indirection.)0 3205 y(F)o(or)e(instance,)g(a)h (page\255table)e(is)i(a)g(v)o(ery)f(detailed)g(polic)o(y)f(that)i (controls)e(ho)n(w)h(to)h(translate,)f(store)h(and)e(delete)i(mappings) e(and)h(what)0 3305 
y(actions)f(to)g(tak)o(e)h(on)e(in)m(v)n(alid)g (addresses)h(and)g(accesses.)1652 3275 y Fi(1)125 3405 y Fp(Some)13 b(ne)n(wer)h(microk)o(ernels)e(push)i(the)g(k)o(ernel)f (interf)o(ace)h(closer)g(to)g(the)g(hardw)o(are)f([16)o(,)h(42)o(,)h (73)o(],)g(obtaining)e(better)g(performance)0 3504 y(and)27 b(rob)n(ustness)g(than)h(pre)n(vious)e(microk)o(ernels)g(and)h(allo)n (wing)f(for)i(a)g(greater)e(de)o(gree)h(of)g(\003e)o(xibility)-5 b(,)28 b(since)g(shared)f(monolithic)0 3604 y(serv)o(ers)35 b(can)g(be)h(brok)o(en)d(into)j(se)n(v)o(eral)e(serv)o(ers.)75 b(T)-6 b(echniques)34 b(to)i(reduce)e(the)h(cost)h(of)f(shared)g(serv)o (ers)g(by)g(impro)o(ving)e(IPC)0 3704 y(performance,)17 b(mo)o(ving)h(code)i(from)f(serv)o(ers)g(into)h(libraries,)g(mapping)e (read\255only)g(shared)h(data)h(structures,)f(and)h(batching)e(system)0 3803 y(calls)j([8)o(,)g(39)o(,)f(58)o(,)h(61)o(])f(can)g(also)h(be)f (successfully)f(applied)g(in)i(an)f(e)o(xok)o(ernel)e(system.)125 3903 y(V)-5 b(irtual)24 b(machines)g([12)n(,)h(34)o(,)g(38)o(])g (\(VMs\))f(are)h(an)f(OS)h(structure)f(in)h(which)f(a)g(pri)n(vile)o (ged)f(virtual)h(machine)f(monitor)g(\(VMM\))0 4002 y(isolates)30 b(less)g(pri)n(vile)o(ged)e(softw)o(are)h(in)g(emulated)f(copies)i(of)f (the)g(underlying)e(hardw)o(are.)55 b(V)-5 b(irtual)29 b(machines)g(and)f(e)o(xok)o(ernels)0 4102 y(dif)n(fer)g(in)i(tw)o(o)f (main)g(w)o(ays.)58 b(First,)32 b(virtual)d(machines)f(emulate,)j(e)o (xok)o(ernels)d(do)g(not.)57 b(Emulation)28 b(hides)h(information.)54 b(This)0 4202 y(can)23 b(lead)g(to)h(inef)n(fecti)n(v)o(e)d(use)j(of)f (hardw)o(are)f(resources;)i(for)e(instance,)i(the)f(VMM)h(has)f(no)g(w) o(ay)h(of)f(kno)n(wing)e(if)j(a)f(VM)h(no)f(longer)0 4301 y(needs)28 b(a)h(particular)e(virtual)g(page.)53 b(In)28 b(contrast,)i(an)e(e)o(xok)o(ernel)e(attempts)i(to)h(e)o(xpose) e(all)i(information)d(about)h(the)i(system)f(and)0 4401 y(e)o(xplicitly)20 b(communicates)g(with)i(the)f(library)g(operating)e 
(system)j(rather)f(than)g(presenting)f(a)i(virtual)f(f)o(acade)f(and)h (making)g(its)h(o)n(wn)0 4501 y(resource)j(management)f(decisions.)48 b(Second,)26 b(VMs)i(can)e(only)f(share)h(resources)g(through)e(remote) i(communication)d(protocols.)0 4600 y(This)j(pre)n(v)o(ents)e(VMs)i (from)f(sharing)f(man)o(y)g(OS)j(abstractions)d(such)i(as)g(processes)f (or)h(\002le)g(descriptors)e(with)i(each)f(other)-5 b(.)45 b(Thus,)0 4700 y(VMMs)32 b(con\002ne)f(specialized)g(operating)f (systems)i(and)g(associated)f(processes)h(to)g(isolated)f(virtual)g (machines.)63 b(Rather)32 b(than)0 4800 y(partitioning)18 b(the)h(machine)f(into)i(disjoint)f(pieces,)g(an)h(e)o(xok)o(ernel)d (allo)n(ws)j(non\255trusting)d(applications)h(to)i(use)g(customized)e (libOSes)p 0 4871 1560 4 v 90 4926 a Fh(1)120 4949 y Fg(The)k(OS)f(community)j(has)e(no)h(rigorous)g(de\002nition)h(of)f (either)h(\223polic)o(y\224)g(or)f(\223mechanism.)-5 b(\224)42 b(In)22 b(its)h(most)f(general)i(sense,)g(polic)o(y)g(refers) f(to)f(the)h(goals)g(of)g(a)0 5028 y(computer)f(system)f(\(e.g.,)h (what)f(security)i(threats)g(to)e(resist,)h(what)g(resources)g(to)g (protect\).)38 b(In)21 b(conte)o(xt)i(of)d(e)o(xtensible)k(operating)g (systems,)d(polic)o(y)i(refers)f(to)f(the)0 5107 y(algorithm)c(used)f (to)f(mak)o(e)h(security)i(or)d(resource)i(management)g(decisions,)g (while)f(mechanism)h(refers)f(to)f(the)h(machinery)i(used)d(to)h (implement)h(a)e(particular)k(polic)o(y)l(.)0 5186 y(F)o(or)c(e)o (xample,)h(a)f(virtual)i(memory)e(paging)i(polic)o(y)f(is)f(to)g(e)n (vict)i(least)f(recently)i(used)d(pages)h(to)f(disk.)24 b(The)15 b(data)h(structures)h(used)e(to)g(do)g(so,)g(such)g(as)g(page) h(tables)g(and)g(a)0 5265 y(sorted)h(page)f(list,)h(w)o(ould)g(be)f (mechanism.)24 b(Similar)17 b(to)f(the)h(concepts)g(of)f(code)h(and)f (data,)h(there)g(is)f(no)f(clear)j(fundamental)g(dif)n(ference)h (between)f(these)e(tw)o(o)h(notions.)1908 5589 y Fp(13)p eop %%Page: 14 15 14 14 bop 0 83 a Fp(to)20 
b(share)g(resources)g(\(such)f(as)i(physical) e(memory)g(and)g(disk)h(blocks\))g(without)f(sacri\002cing)h(a)g (single)g(vie)n(w)g(of)g(the)h(machine,)125 183 y(Do)n(wnloading)j (code)i(into)g(the)h(k)o(ernel)f(is)i(another)d(approach)f(to)j(e)o (xtensibility)-5 b(.)48 b(In)26 b(man)o(y)f(systems)j(only)e(trusted)g (users)h(can)0 282 y(do)n(wnload)f(code,)k(either)e(through)e (dynamically\255loaded)f(k)o(ernel)i(e)o(xtensions)h(or)g(static)h (con\002guration)d([33)o(,)i(43)o(].)54 b(In)29 b(the)f(SPIN)0 382 y(and)g(V)-5 b(ino)29 b(systems,)j(an)o(y)c(user)h(can)f(safely)h (do)n(wnload)e(code)h(into)h(the)g(k)o(ernel)f([9)o(,)i(78)o(].)56 b(Safe)29 b(do)n(wnloading)d(of)i(code)h(through)0 482 y(type\255safety)e([9)o(,)j(75)o(])f(and)f(softw)o(are)g(f)o (ault\255isolation)g([78)n(,)h(89)o(])g(is)h(complementary)c(to)j(the)g (e)o(xok)o(ernel)e(approach)f(of)j(separating)0 581 y(protection)g (from)h(management.)60 b(Exok)o(ernels)29 b(use)j(do)n(wnloading)c(of)j (code)f(to)h(let)h(the)f(k)o(ernel)f(lea)n(v)o(e)h(decisions)g(to)g (untrusted)0 681 y(softw)o(are)20 b([25)n(].)125 780 y(In)28 b(addition)f(to)i(these)g(structural)f(approaches,)g(much)g(w)o (ork)g(has)h(been)f(done)f(on)h(better)h(OS)g(abstractions)f(that)h(gi) n(v)o(e)e(more)0 880 y(control)22 b(to)h(applications,)f(such)h(as)h (user)n(\255le)n(v)o(el)e(netw)o(orking)f([88)n(,)j(82)o(],)f(lottery)g (scheduling)e([90)o(],)i(application\255controlled)c(virtual)0 980 y(memory)f([44)o(,)j(55)o(])f(and)g(\002le)h(systems)f([13)o(,)g (72)o(].)30 b(All)21 b(of)f(this)g(w)o(ork)g(is)h(directly)e (applicable)g(to)i(libOSes.)0 1192 y Fq(1.1.1)99 b(Recent)26 b(extensible)g(operating)f(systems)0 1340 y Fp(SP)-8 b(A)m(CE)27 b(is)h(a)f(\223submicro\255k)o(ernel\224)c(that)j(pro)o (vides)f(only)h(lo)n(w\255le)n(v)o(el)f(k)o(ernel)h(abstractions)f (de\002ned)h(by)g(the)g(trap)g(and)g(architecture)0 1439 y(interf)o(ace)c([73)o(].)39 b(Its)24 b(close)f(coupling)f(to)h(the)g 
(architecture)f(mak)o(es)h(it)h(similar)g(in)f(man)o(y)f(w)o(ays)i(to)f (an)h(e)o(xok)o(ernel,)d(b)n(ut)j(we)f(ha)n(v)o(e)g(not)0 1539 y(been)16 b(able)h(to)g(mak)o(e)g(detailed)f(comparisons)g (because)g(its)i(design)e(methodology)e(and)j(performance)d(ha)n(v)o(e) i(not)h(yet)g(been)f(published.)125 1639 y(The)k(SPIN)h(project)f(is)h (b)n(uilding)f(a)h(microk)o(ernel)d(system)j(that)g(allo)n(ws)f (applications)g(to)h(mak)o(e)f(polic)o(y)f(decisions)i([9)o(])g(by)f (safely)0 1738 y(do)n(wnloading)14 b Fk(e)n(xtensions)i Fp(into)h(the)g(k)o(ernel.)27 b(Unlik)o(e)17 b(SPIN,)g(the)f(focus)h (in)g(the)f(e)o(xok)o(ernel)f(architecture)g(is)j(to)f(obtain)f(\003e)o (xibility)g(and)0 1838 y(performance)j(by)i(securely)g(e)o(xposing)e (lo)n(w\255le)n(v)o(el)h(hardw)o(are)h(primiti)n(v)o(es)f(rather)h (than)g(e)o(xtending)e(a)j(traditional)f(operating)e(system)0 1938 y(in)h(a)h(secure)f(w)o(ay)-5 b(.)29 b(As)21 b(a)f(result,)g(e)o (xok)o(ernel)e(interf)o(aces)i(tend)g(to)g(be)g(lo)n(wer)g(le)n(v)o(el) g(and,)f(thus,)h(grant)f(more)h(control)f(to)h(applications.)125 2037 y(Anderson)13 b([3])i(mak)o(es)h(a)g(clear)f(ar)o(gument)e(for)i (application\255speci\002c)f(library)g(operating)g(systems)i(and)f (proposes)f(that)i(the)f(k)o(ernel)0 2137 y(concentrate)20 b(solely)i(on)g(the)g(adjudication)e(of)i(hardw)o(are)f(resources.)34 b(The)22 b(e)o(xok)o(ernel)e(design)h(addresses)h(ho)n(w)g(to)g(pro)o (vide)e(secure)0 2236 y(multiple)o(xing)k(of)i(physical)e(resources)i (in)g(such)f(a)i(system,)g(and)f(mo)o(v)o(es)f(the)h(k)o(ernel)f (interf)o(ace)g(to)h(a)h(lo)n(wer)f(le)n(v)o(el)f(of)h(abstraction.)0 2336 y(In)d(addition,)f(our)h(e)o(xok)o(ernel)d(systems)k(demonstrate)e (that)h(lo)n(w\255le)n(v)o(el)f(secure)g(multiple)o(xing)f(and)i (library)f(operating)f(systems)j(can)0 2436 y(of)n(fer)19 b(e)o(xcellent)g(performance.)125 2535 y(Lik)o(e)24 b(an)g(e)o(xok)o (ernel,)e(the)j(Cache)f(K)n(ernel)f([16)o(])h(pro)o(vides)f(a)h(lo)n 
(w\255le)n(v)o(el)f(k)o(ernel)h(that)g(can)g(support)f(multiple)g (application\255le)n(v)o(el)0 2635 y(operating)h(systems.)45 b(T)-7 b(o)26 b(the)f(best)h(of)f(our)g(kno)n(wledge)e(the)j(Cache)g(K) n(ernel)e(and)h(ExOS,)h(the)f(libOS)h(used)f(on)g(three)g(generations)0 2735 y(of)h(e)o(xok)o(ernels)f([25)o(,)i(48)o(],)h(are)f(the)g(\002rst) g(general\255purpose)c(library)j(operating)f(systems)i(implemented)e (in)i(a)g(multiprogramming)0 2834 y(en)m(vironment.)f(The)19 b(dif)n(ference)f(between)h(the)h(Cache)g(K)n(ernel)f(and)g(an)h(e)o (xok)o(ernel)e(is)j(mainly)e(one)g(of)g(high\255le)n(v)o(el)f (philosophy)-5 b(.)26 b(The)0 2934 y(Cache)e(K)n(ernel)f(focuses)g (primarily)g(on)g(reliability)-5 b(,)24 b(rather)f(than)g(securely)g(e) o(xporting)f(hardw)o(are)g(resources)h(to)h(applications.)39 b(As)0 3033 y(result,)25 b(it)f(is)h(biased)e(to)n(w)o(ards)h(a)g(serv) o(er)n(\255based)e(system)i(structure.)39 b(In)24 b(our)f(e)o (xperience,)f(serv)o(ers)i(become)e(de)i(f)o(acto)g(pri)n(vile)o(ged)d (in)0 3133 y(that)f(their)g(functionality)e(cannot)h(be)i(o)o(v)o (erridden)16 b(by)k(applications.)125 3233 y(The)h(Nemesis)i(k)o(ernel) e([76)o(,)h(56)o(])g(has)g(man)o(y)f(similarities)i(to)f(an)g(e)o(xok)o (ernel,)e(despite)i(a)g(v)n(ast)h(dif)n(ference)c(in)k(goals.)34 b(Nemesis)23 b(is)0 3332 y(designed)d(to)h(impro)o(v)o(e)e (quality\255of\255service)e(for)k(multimedia)e(applications.)31 b(The)20 b(problem)g(it)h(attacks)g(is)h(that)f(traditional)f(systems)0 3432 y(mak)o(e)32 b(resource)f(accounting)g(dif)n(\002cult)h(in)g(that) h(code)e(running)g(on)h(behalf)f(of)i(an)f(application)f(may)h(be)g (stre)n(wn)h(throughout)c(a)0 3532 y(collection)24 b(of)g(serv)o(ers)h (and)f(the)h(k)o(ernel.)42 b(Lik)o(e)25 b(an)f(e)o(xok)o(ernel,)g (their)g(solution)g(is)i(to)f(push)f(operating)f(system)i (functionality)e(into)0 3631 y(applications.)32 b(In)21 b(this)h(w)o(ay)-5 b(,)21 b(code)f(running)f(on)i(behalf)g(of)g(the)g 
(application)f(typically)h(runs)g(within)g(the)g(application)f(itself,) i(which)0 3731 y(then)g(can)g(tri)n(vially)f(be)h(char)o(ged)e(for)i (its)h(resource)e(consumption.)32 b(The)22 b(primary)e(parallels)i (between)g(Nemesis)g(and)g(an)g(e)o(xok)o(ernel)0 3830 y(system)27 b(are)g(lo)n(w\255le)n(v)o(el)f(interf)o(aces)h(for)f (resources)g(needed)g(by)g(multimedia)g(applications)g(\(e)n(v)o(ents,) i(netw)o(ork,)f(disk,)i(and)d(CPU\),)0 3930 y(and)20 b(a)i(reliance)e(on)g(library)g(operating)f(systems.)32 b(Ho)n(we)n(v)o(er)m(,)19 b(the)h(dif)n(ference)f(in)i(goals)g(leads)g (to)g(stark)g(contrasts.)31 b(While)21 b(Nemesis)0 4030 y(is)29 b(designed)e(to)h(simplify)f(accounting,)h(an)g(e)o(xok)o (ernel)e(aims)i(to)g(impro)o(v)o(e)e(inno)o(v)n(ation.)50 b(It)28 b(does)g(so)g(by)g(ceding)f Fk(all)h Fp(control)f(not)0 4129 y(needed)20 b(for)g(protection)f(to)i(applications.)30 b(Thus,)20 b(an)h(e)o(xok)o(ernel')-5 b(s)19 b(interf)o(aces)h(grant)g (more)g(perv)n(asi)n(v)o(e)g(po)n(wer)f(to)i(applications)f(and)0 4229 y(also)25 b(promote)e(sharing)h(of)g(resources)g(\(so)h(that)g (dif)n(ferent)e(implementations)f(can)j(safely)g(share)f(the)h(same)g (state\).)43 b(F)o(or)24 b(e)o(xample,)0 4329 y(applications)c(ha)n(v)o (e)g(only)g(limited)h(control)f(o)o(v)o(er)f(virtual)h(memory)-5 b(,)19 b(since)i(Nemesis)h(forces)e(a)h(single\255address)f(space)h(on) f(the)h(entire)0 4428 y(system.)44 b(Similarly)-5 b(,)25 b(Nemesis)h(disk)f(multiple)o(xing)e(lacks)i(the)g(po)n(wer)f(of)h(our) f(disk)h(subsystem,)g(XN)h(\(discussed)e(in)i(Chapter)e(4\).)0 4528 y(W)-7 b(e)23 b(kno)n(w)f(of)g(no)f(e)o(xperimental)f(results)j (for)e(Nemesis,)i(which)f(pre)n(v)o(ents)f(us)h(from)g(performing)d(a)k (more)e(detailed)h(comparison)e(of)0 4627 y(the)g(relati)n(v)o(e)g (strengths)f(of)h(the)g(tw)o(o)h(approaches.)0 4874 y Fv(1.2)117 b(The)27 b(f)m(ocusing)i(questions)f(of)h(this)g(thesis)0 5060 y Fp(An)d(e)o(xok)o(ernel)d(attempts)j(to)g(mak)o(e)f(unpri)n 
(vile)o(ged)e(library)h(operating)g(systems)i(as)h(po)n(werful)c(as)k (pri)n(vile)o(ged)c(operating)h(systems.)0 5160 y(The)c(main)g(thrusts) g(of)g(this)g(thesis)h(are:)104 5326 y(1.)41 b(Ho)n(w)20 b(to)g(b)n(uild)g(an)g(e)o(xok)o(ernel)e(system.)1908 5589 y(14)p eop %%Page: 15 16 15 15 bop 104 83 a Fp(2.)41 b(Whether)19 b(it)i(is)g(possible)f(to)g(b) n(uild)g(a)h(real)f(one.)104 249 y(3.)41 b(Whether)19 b(doing)g(so)i(is)g(a)f(good)f(idea.)125 415 y(The)i(\002rst)j(half)e (of)g(the)g(thesis,)h(Chapters)f(2)h(and)e(4,)i(focuses)f(on)g(ho)n(w)f (to)i(b)n(uild)f(an)g(e)o(xok)o(ernel)e(system,)j(and)f(the)g(later)g (chapters)0 515 y(on)e(the)g(approach')-5 b(s)18 b(ef)n(\002cac)o(y)-5 b(.)125 614 y(The)26 b(te)o(xt)h(belo)n(w)g(pro)o(vides)e(an)i(o)o(v)o (ervie)n(w)e(of)i(the)g(questions)f(each)h(issue)h(raises,)h(along)d (with)i(a)f(sk)o(etch)g(of)g(their)g(associated)0 714 y(answers.)0 927 y Fq(1.2.1)99 b(Ho)o(w)24 b(to)h(b)n(uild)g(an)h(exok) o(er)o(nel?)0 1074 y Fp(T)m(raditionally)-5 b(,)22 b(operating)g (systems)i(ha)n(v)o(e)f(pro)o(vided)f(a)i(high\255le)n(v)o(el)d(interf) o(ace)i(to)h(unpri)n(vile)o(ged)d(softw)o(are.)39 b(Chapter)23 b(2)h(pro)o(vides)e(a)0 1174 y(constructi)n(v)o(e)d(methodology)e(for)j (ho)n(w)g(to)h(lo)n(wer)g(this)g(interf)o(ace)f(to)g(a)i(le)n(v)o(el)e (suf)n(\002cient)g(for)g(libOSes)h(to)g(b)n(uild)g(abstractions)e(such) i(as)0 1273 y(netw)o(orking,)i(virtual)g(memory)f(and)i(\002le)h (systems.)41 b(The)24 b(six)g(principles)f(of)h(this)h(methodology)c (are:)37 b(\(1\))23 b(separate)h(management)0 1373 y(from)18 b(protection;)f(\(2\))h(e)o(xpose)g(all)h(hardw)o(are)e(to)i (applications;)f(\(3\))g(e)o(xpose)f(resource)h(allocation,)g(placing)f (it)j(under)d(the)i(discretion)0 1473 y(of)h(applications;)g(\(4\))g(e) o(xpose)f(re)n(v)n(ocation,)g(thereby)g(letting)i(applications)e (determine)g(what)i(resources)e(to)i(relinquish;)f(\(5\))f(protect)0 1572 y(at)26 b(a)g(\002ne\255grained)d(le)n(v)o(el,)j(making)e(sharing) 
h(and)g(management)e(lightweight;)k(and)e(\(6\))g(e)o(xpose)f (information,)h(such)g(as)h(hardw)o(are)0 1672 y(capabilities,)20 b(physical)f(names,)g(and)h(global)f(system)i(statistics.)125 1771 y(A)j(k)o(e)o(y)g(aspect)g(of)g(e)o(xok)o(ernel)e(design)h(is)i (lea)n(ving)f(implementation)e(decisions)h(to)i(the)f(client.)41 b(Rather)24 b(than)g(focusing)e(design)0 1871 y(on)k(deciding)e(ho)n(w) i(to)g(implement)f(a)i(polic)o(y)e(or)g(mechanism,)i(focus)e(on)h (constructing)e(an)i(interf)o(ace)f(that)i(lea)n(v)o(es)f(all)g (interesting)0 1971 y(decisions)f(to)h(applications.)45 b(An)26 b(interf)o(ace)f(that)h(merely)f(checks)h(that)g(an)f (application)g(has)h(performed)d(an)j(operation)e(correctly)0 2070 y(frequently)k(gi)n(v)o(es)i(greater)g(freedom)f(for)h(important)e (decisions,)33 b(as)e(well)g(as)g(being)f(simpler)g(to)h(implement.)59 b(In)30 b(some)g(sense,)0 2170 y(e)o(xok)o(ernel)18 b(design)i(focuses) f(on)h(the)g(art)h(of)f(transmuting)e(the)i(imperati)n(v)o(e)f (\(deciding)f(ho)n(w)i(to)g(implement)f(a)i(polic)o(y)e(or)h(mechanism) 0 2270 y(in)f(the)g(k)o(ernel\))e(to)i(the)g(declarati)n(v)o(e)e (\(specifying)g Fk(what)h Fp(interf)o(ace)g(an)h(application)e(must)i (implement,)e(and)i(checking)e(that)h(it)i(does)e(so)0 2369 y(correctly\).)125 2469 y(Chapter)h(3)i(contains)f(a)h(number)e (of)h(e)o(xamples)f(of)h(ho)n(w)g(to)h(apply)f(this)h(methodology)-5 b(,)16 b(and)k(Chapter)g(4)h(discusses)g(an)g(e)o(xtended)0 2568 y(e)o(xample)e(of)h(ho)n(w)f(to)i(multiple)o(x)e(a)h(hardw)o(are)f (disk,)h(which)f(has)i(been)e(the)i(most)f(challenging)e(resource)h (for)g(us)i(to)f(handle.)125 2668 y(The)f(follo)n(wing)g(four)g (subsections)h(discuss)g(important)f(subproblems)f(of)i(e)o(xok)o (ernel)e(construction.)0 2864 y Fo(Ho)o(w)i(to)g(r)o(ecaptur)o(e)e(r)o (esour)o(ce)h(semantics?)0 3012 y Fp(By)33 b(dislodging)e(OS)j(code)e (into)g(libraries,)k(an)c(e)o(xok)o(ernel)f(also)i(ejects)g(a)h (signi\002cant)e(portion)f(of)i(the)f(code)h(that)f(understands)0 3111 
y(resource)26 b(semantics.)50 b(F)o(or)27 b(e)o(xample,)g(in)g (the)g(conte)o(xt)f(of)h(netw)o(orking,)g(because)f(the)h(e)o(xok)o (ernel)e(dislocates)i(netw)o(ork)f(protocol)0 3211 y(code)15 b(\(e.g.,)h(TCP/IP)g(and)g(UDP\))g(into)f(untrusted)g(libraries,)h(it)g (no)g(longer)e(understands)g(pack)o(et)i(semantics.)27 b(As)17 b(a)f(result,)h(it)g(lacks)f(the)0 3311 y(information)k (necessary)h(to)i(decide)e(which)h(application)e(o)n(wns)i(what)h (message:)33 b(a)23 b(decision)e(it)i(must)f(mak)o(e)g(if)g(it)h(is)g (to)g(implement)0 3410 y(protection.)125 3510 y(W)-7 b(e)24 b(ha)n(v)o(e)f(used)g(do)n(wnloaded)d(code)j(as)h(a)f(po)n (werful)f(mechanism)g(to)h(allo)n(w)g(untrusted)f(softw)o(are)h(to)g (con)m(v)o(e)o(y)e(these)j(semantics)0 3609 y(back)d(into)g(the)g(e)o (xok)o(ernel)f(in)h(a)h(general)e(w)o(ay)-5 b(.)33 b(In)21 b(the)g(conte)o(xt)g(of)g(netw)o(orking)e(we)j(use)f(pack)o(et)g (\002lters)h(\(see)g(Chapter)f(2\),)g(for)g(disk,)0 3709 y(deterministic)e(meta)h(data)h(interpreters)d(\(see)j(Chapter)e(4\).) 
125 3809 y(From)i(a)h(dif)n(ferent)e(perspecti)n(v)o(e,)g(an)i(e)o(xok) o(ernel,)d(by)i(\223uploading\224)e(code)i(into)h(the)g(application,)e (remo)o(v)o(es)g(the)i(need)f(to)g(protect)0 3908 y(man)o(y)e(pieces)h (of)g(state,)h(and,)e(thus,)h(tri)n(vially)g(need)f(not)h(understand)e (their)i(semantics.)125 4008 y(Chapter)d(6)h(re\003ects)h(on)e(our)h(e) o(xperience)e(using)h(do)n(wnloading)f(code:)27 b(when)18 b(do)n(wnloaded)d(code)j(w)o(as)h(superior)e(\(or)g(inferior\))f(to)0 4108 y(a)i(functional)e(interf)o(ace,)h(our)g(mistak)o(es,)h(and)g(a)g (number)e(of)h(surprises,)h(visible)f(only)g(in)h(much)f(delayed)f (hindsight.)27 b(This)18 b(technique)0 4207 y(has)f(subtle)f (implications,)g(resulting)g(from,)g(among)f(other)h(things:)27 b(the)17 b(asymmetry)e(in)i(trust)f(between)g(the)h(e)o(xtension)e(and) h(the)h(host;)0 4307 y(the)24 b(f)o(act)h(that)f(code)f(for)h(most)g (useful)g(languages)e(is)k(T)l(uring)d(complete,)g(while)i(most)f (procedural)e(interf)o(aces)h(are)h(decidedly)f(not;)0 4406 y(and)g(that)g(do)n(wnloaded)e(code,)i(because)g(it)h(can)f(be)h (restricted,)f(can)g(be)h(granted)e(abilities)i(that)f(unrestricted)f (e)o(xternal)g(application)0 4506 y(code)f(cannot.)34 b(A)22 b(consequence)e(of)i(this)g(latter)h(attrib)n(ute)e(is)i(that)f (most)g(of)g(our)f(uses)i(of)f(do)n(wnloaded)d(code)i(ha)n(v)o(e)h (little)h(to)f(do)f(with)0 4606 y(speed)f(b)n(ut)g(rather)f(with)i (granting)d(applications)h(po)n(wer)g(otherwise)h(not)g(possible.)0 4802 y Fo(Ho)o(w)g(to)g(pr)o(otect)f(shar)o(ed)h(state?)0 4949 y Fp(T)m(raditional)25 b(operating)f(systems)j(encapsulate)e(and)h (enforce)e(well\255formed)h(updates)g(to)h(state)h(shared)f(amongst)f (processes.)47 b(F)o(or)0 5049 y(e)o(xample,)17 b(a)i(Unix)f(k)o(ernel) f(performs)g(modi\002cations)g(on)h(shared)g(\002le)h(descriptors,)e (the)i(\002le)g(name)e(cache,)h(the)h(b)n(uf)n(fer)e(cache,)h(etc.)29 b(In)0 5148 y(contrast,)16 b(an)f(e)o(xok)o(ernel)f(dislocates)i(such)f 
(state)i(into)e(unpri)n(vile)o(ged)e(applications,)i(which)g(then)g (modify)f(it,)k(potentially)c(incorrectly)-5 b(.)0 5248 y(Ho)n(w)20 b(then)g(can)g(in)m(v)n(ariants)f(on)g(shared)h(state)h(be) f(enforced?)27 b(W)-7 b(e)21 b(ha)n(v)o(e)f(used)g(a)h(plethora)d(of)i (techniques)f(to)i(enforce)d(this.)1908 5589 y(15)p eop %%Page: 16 17 16 16 bop 125 83 a Fp(The)32 b(most)g(general)f(solution)h(is)h(to)g (apply)f(the)g(e)o(xok)o(ernel)e(precepts)i(recursi)n(v)o(ely:)52 b(di)n(vide)32 b(libraries)g(into)g(pri)n(vile)o(ged)e(and)0 183 y(unpri)n(vile)o(ged)e(parts,)33 b(where)d(the)g(\223pri)n(vile)o (ged\224)e(part)j(contains)f(all)h(code)f(required)f(for)h(protection,) h(and)f(must)h(be)f(used)h(by)f(all)0 282 y(applications)g(using)h(a)h (piece)f(of)g(state,)j(while)d(the)h(unpri)n(vile)o(ged)c(contains)i (all)i(management)d(code)i(and)g(can)g(be)g(replaced)f(by)0 382 y(an)o(yone.)43 b(F)o(orcing)24 b(applications)g(to)i(use)f(the)h (pri)n(vile)o(ged)d(portion)h(of)h(a)h(libOS)g(can)f(be)g(done)g(by)g (placing)f(it)i(in)g(a)g(serv)o(er)m(,)f(using)g(a)0 482 y(restricted)20 b(language)e(and)i(trusted)g(compiler)m(,)e(or)i (do)n(wnloading)d(code)i(into)h(the)h(k)o(ernel.)28 b(W)-7 b(e)21 b(ha)n(v)o(e)f(used)g(all)h(three.)125 581 y(In)d(the)h(more)f (common)f(case,)j(library)e(operating)f(systems)i(can)g(frequently)e (be)i(designed)e(for)i(localization)e(of)i(state)h(and)e(to)h(use)0 681 y(standard)g(f)o(ault\255isolation)g(techniques)g(\(such)g(as)i (type\255safe)e(languages)g(and)h(memory)e(protection\).)125 780 y(In)g(man)o(y)f(cases,)i(the)f(desire)g(to)g(protect)g(shared)f (state)i(with)g(mechanisms)e(more)h(elaborate)f(and)g(read)h(and)g (write)g(access)h(checks)0 880 y(mak)o(es)24 b(little)g(technical)f (sense:)37 b(if)24 b(the)g(ra)o(w)f(data)h(itself)g(can)f(be)h (corrupted,)e(it)j(is)f(unlik)o(ely)f(that)h(there)f(is)h(an)o(y)f (reason)g(to)h(preserv)o(e)0 980 y(high\255le)n(v)o(el)19 b(in)m(v)n(ariants)g(on)h(the)h(resultant)f(garbage.)29 b(One)20 
b(of)h(the)f(most)h(common)e(situations)h(where)g(this)i (dynamic)d(arises)i(is)h(in)f(the)0 1079 y(protection)g(of)i(shared)f (bookk)o(eeping)e(data)j(structures.)37 b(Consider)23 b(the)g(case)g(of)g(a)g(shared)g(b)n(uf)n(fer)f(\(say)g(a)i(Unix)f (pipe\),)f(that)i(uses)f(a)0 1179 y(b)n(uf)n(fer)e(record)f(to)i(track) g(the)g(number)e(of)i(bytes)f(in)i(the)f(b)n(uf)n(fer)-5 b(.)33 b(At)23 b(one)e(le)n(v)o(el,)h(one)f(w)o(ould)h(lik)o(e)g(to)g (guarantee)e(that)i(an)g(application)0 1279 y(decrements)17 b(the)i(byte)f(count)f(on)h(data)h(remo)o(v)n(al,)e(and)h(increments)f (it)i(on)f(insertion.)28 b(Ho)n(we)n(v)o(er)m(,)17 b(while)h(this)h (desire)g(is)g(sensible)g(from)0 1378 y(a)g(softw)o(are)e(engineering)f (perspecti)n(v)o(e,)h(it)i(is)g(not)f(a)g(protection)f(issue.)29 b(Since)18 b(there)g(are)g(no)g(guarantees)e(on)i(the)g(sensibleness)h (of)f(the)0 1478 y(inserted)k(data,)g(kno)n(wing)f(ho)n(w)h(man)o(y)f (bytes)h(of)h(garbage)d(are)i(in)h(the)f(b)n(uf)n(fer)f(gains)h(no)g (security)-5 b(.)35 b(In)22 b(practice,)g(social,)h(rather)f(than)0 1577 y(technical,)d(methods)g(guarantee)f(these)i(sort)g(of)g(in)m(v)n (ariants)e(\227)i(e.g.,)g(assemblers)f(adhere)g(to)h(standard)f(object) g(code)g(formats)g(rather)0 1677 y(than)h(going)f(through)f(a)i(set)h (of)f(system)h(enforced)d(methods)h(for)g(laying)h(out)g(deb)n(ugging)d (and)j(linking)f(information.)0 1873 y Fo(Ho)o(w)h(to)g(pr)o(otect)f (without)h(o)o(v)o(erhead?)0 2021 y Fp(An)29 b(e)o(xok)o(ernel)d(adds)j (another)e(layer)h(to)h(the)f(system)h(in)g(that)g(it)g(tak)o(es)g (operating)e(system)i(code,)h(which)e(formerly)f(ran)h(on)g(bare)0 2120 y(hardw)o(are,)d(and)g(places)g(it)h(in)f(an)h(unpri)n(vile)o(ged) c(library)-5 b(,)24 b(which)h(runs)g(on)g(top)g(of)g(an)g(e)o(xok)o (ernel)e(which)i(runs)g(on)g(bare)f(hardw)o(are.)0 2220 y(Since)c(performance)d(moti)n(v)n(ates)j(e)o(xok)o(ernels,)e(the)i (cost)h(of)f(this)g(e)o(xtra)g(layer)g(must)g(be)g(ne)o(gligible.)125 2319 y(F)o(ortunately)-5 b(,)16 
b(for)i(most)h(resources,)f(this)h(o)o (v)o(erhead)d(has)j(been)f(a)i(non\255issue.)27 b(Exok)o(ernel)17 b(implementation)f(of)j(virtual)f(memory)-5 b(,)0 2419 y(netw)o(orking,)20 b(e)o(xceptions,)h(and)h(process)f(management)f(ha) n(v)o(e)i(all)h(performed)c(well,)k(without)f(aggressi)n(v)o(e)e (tuning.)34 b(In)22 b(f)o(act,)h(on)f(the)0 2519 y(\002rst)f(e)o(xok)o (ernel)d(system)i(we)h(b)n(uilt,)f(Ae)o(gis)g([25)n(],)g(if)h(an)f(e)o (xok)o(ernel)e(primiti)n(v)o(e)h(did)g(not)h(perform)e(signi\002cantly) h(f)o(aster)i(than)e(that)h(of)g(a)0 2618 y(traditional)f(system)h (from)g(the)g(be)o(ginning,)d(we)k(look)o(ed)e(for)g(\223what)h(w)o(as) h(wrong.)-6 b(\224)2424 2588 y Fi(2)125 2718 y Fp(In)27 b(practice,)h(protection)e(does)h(not)g(impose)g(o)o(v)o(erhead.)48 b(As)28 b(we)g(discuss)g(in)f(Chapter)g(5,)i(it)f(tends)f(to)h(be)f(of) n(f)g(of)g(the)g(critical)0 2818 y(path,)21 b(coupled)f(to)i(e)o (xpensi)n(v)o(e)d(operations)h(that)i(dw)o(arf)f(its)h(o)o(v)o(erhead,) d(or)i(reco)o(v)o(ered)e(by)i(other)g(features)g(of)g(the)h (architecture)e(\(e.g.,)0 2917 y(libOSes)h(mak)o(e)e(man)o(y)g(system)i (calls)g(into)f(function)e(calls\).)0 3113 y Fo(Can)i(applications)g (be)h(trusted)f(to)g(track)g(o)o(wnership?)0 3261 y Fp(At)j(its)g(most) g(basic)f(le)n(v)o(el,)g(protection)f(requires)g(a)i(table)f(lookup)f (to)h(map)g(a)h(principal)e(to)h(access)h(rights.)36 b(While)22 b(maintaining)f(this)0 3360 y(table)f(adds)h(little)g(o)o(v) o(erhead)d(for)h(most)i(resources,)e(for)h(others,)g(such)g(as)h(a)g (disk,)f(it)h(is)h(infeasible.)29 b(Chapter)20 b(4)g(presents)h(the)f (reasons)0 3460 y(for)g(this)g(in)h(detail.)125 3560 y(This)k(problem')-5 b(s)25 b(solution)f(comes)i(from)e(noticing)g (that)i(correct)f(applications)f(track)h(what)h(resources)f(the)o(y)f (ha)n(v)o(e)h(access)i(to,)0 3659 y(rendering)17 b(operating)h(system)i (bookk)o(eeping)c(redundant.)27 b(F)o(or)19 b(e)o(xample,)g(a)h (library)e(\002le)j(system)f(tracks)f(the)h(disk)f(blocks)h(each)f (\002le)0 3759 
y(maps)h(to.)30 b(Thus,)20 b(if)h(the)f(operating)f (system)h(can)h(reuse)f(the)g(application')-5 b(s)20 b(data)g(structures,)f(it)j(can)e(eliminate)g(this)h(redundanc)o(y)-5 b(.)26 b(In)0 3858 y(the)d(case)h(of)e(\002le)i(systems,)g(if)f(the)g (e)o(xok)o(ernel)e(can)i(reuse)g(the)g(library)f(\002le)i(system')-5 b(s)23 b(\223meta)g(data\224)g(\(the)g(data)g(structures)f(it)i(uses)f (to)0 3958 y(map)15 b(\002les)i(to)e(blocks\),)g(then)g(it)i(need)e (not)g(perform)e(duplicate)i(bookk)o(eeping.)24 b(W)-7 b(e)17 b(ha)n(v)o(e)e(in)m(v)o(ented)e(an)j(online)e(v)o(eri\002cation) g(technique)0 4058 y(that)21 b(lets)i(an)e(e)o(xok)o(ernel)e(v)o(erify) h(that)i(library)e(\002le)i(systems)g(correctly)e(track)h(what)g(disk)g (blocks)g(the)o(y)g(o)n(wn,)f(without)h(the)g(operating)0 4157 y(system)f(ha)n(ving)f(to)i(understand)d(ho)n(w)i(the)o(y)f(do)h (so.)0 4370 y Fq(1.2.2)99 b(Can)25 b(y)n(ou)f(b)n(uild)i(a)f(r)n(eal)g (exok)o(er)o(nel)g(system?)0 4517 y Fp(Does)19 b(the)g(e)o(xok)o(ernel) e(or)o(ganization)e(only)j(w)o(ork)g(for)h(relati)n(v)o(ely)e(simple,)i (isolated)g(resources)f(such)g(as)i(physical)e(memory)-5 b(,)17 b(or)h(can)h(it)0 4617 y(apply)g(to)h(more)g(dif)n(\002cult)f (shared)h(resources)f(such)h(as)g(disk?)30 b(Can)20 b(one)g(b)n(uild)f (an)h(e)o(xok)o(ernel)e(system?)30 b(F)o(ortunately)18 b(for)h(this)i(thesis,)0 4717 y(one)j(can.)42 b(There)23 b(ha)n(v)o(e)h(been)g(three)g(e)o(xok)o(ernel)f(systems)i(b)n(uilt)f (so)h(f)o(ar)m(,)g(in)g(increasing)e(v)o(erisimilitude:)37 b(Ae)o(gis)24 b([25)o(],)h(Glaze)g([60)o(],)0 4816 y(and)19 b(Xok)g([48)o(].)29 b(Most)19 b(of)h(our)e(performance)f(data)i(and)g (e)o(xamples)g(come)f(from)h(Xok)g(and)g(ExOS,)g(its)h(def)o(ault)f (libOS.)h(While)g(ExOS)0 4916 y(does)h(not)f(handle)g(some)h(Unix)g (corner)f(cases,)h(it)h(is)g(not)f(a)g(to)o(y)g(either)-5 b(.)32 b(F)o(or)21 b(e)o(xample,)e(it)j(runs)e(most)i(Unix)e (applications)g(\(e.g.,)g(perl,)p 0 4987 1560 4 v 90 5042 a Fh(2)120 5066 y Fg(Ae)o(gis)25 
b(w)o(as)h(roughly)g(a)f(f)o (actor)i(of)e(ten)h(f)o(aster)h(than)f(a)f(mature)h(monolithic)i (system.)48 b(This)25 b(dif)n(ference)j(held)e(for)f(e)o(xceptions,)30 b(virtual)d(memory)e(primiti)n(v)o(e)0 5145 y(operations,)20 b(inter)o(\255process)g(communication,)g(system)d(calls,)i(and)f(e)n(v) o(en)h(operations)h(with)e(lar)o(ge)h(\002x)o(ed)f(costs,)g(such)g(as)f (message)h(round)h(trip)f(times)g(o)o(v)o(er)g(a)g(10Mb/s)0 5223 y(Ethernet.)g([25)q(])1908 5589 y Fp(16)p eop %%Page: 17 18 17 17 bop 0 83 a Fp(gcc,)21 b(telnet,)g(and)g(csh\))g(without)f (modi\002cation.)31 b(This)21 b(f)o(act)g(can)g(be)g(seen)h(in)f(that)g (the)g(b)n(ulk)g(of)g(our)f(performance)f(data)i(comes)g(from)0 183 y(application)e(end\255to\255end)e(numbers)i(rather)g(than)h (micro\255benchmarks.)0 395 y Fq(1.2.3)99 b(Ar)n(e)25 b(exok)o(er)o(nels)h(a)e(good)h(idea?)0 543 y Fp(Chapter)16 b(5)h(\(and)f(to)h(a)h(lesser)f(de)o(gree,)f(Chapter)g(3\))h(focuses)f (primarily)g(on)g(e)n(v)n(aluating)g(e)o(xok)o(ernel)e(ef)n(\002cac)o (y)-5 b(.)27 b(W)-7 b(e)18 b(use)f(a)g(performance)0 642 y(dri)n(v)o(en)i(approach;)f(our)h(e)o(xperiments)f(address)i(four) f(questions,)g(discussed)h(belo)n(w)-5 b(.)0 839 y Fo(Do)20 b(common,)g(unalter)o(ed)g(applications)f(bene\002t?)0 986 y Fp(If)i(an)f(e)o(xok)o(ernel)f(only)h(impro)o(v)o(es)e(the)j (performance)d(of)i(strange)g(niche)g(applications)g(or)g(requires)g (that)h(applications)e(be)i(modi\002ed)0 1086 y(to)f(bene\002t,)g(then) g(its)h(usefulness)e(is)j(se)n(v)o(erely)d(diminished.)125 1185 y(Our)e(e)o(xperiments)e(sho)n(w)j(that)f(an)h(e)o(xok)o(ernel)d (matters,)j(e)n(v)o(en)e(for)h(common)f(applications.)27 b(W)-7 b(e)18 b(measure)f(the)g(performance)e(of)i(a)0 1285 y(softw)o(are)i(de)n(v)o(elopment)d(w)o(orkload)h(made)i(up)g(of)f (mainstream)g(applications)g(\(most)h(are)g(found)f(in)h (\223/usr/bin\224)f(on)h(a)g(Unix)g(system\).)0 1384 y(When)g(link)o(ed)g(against)g(an)h(optimized)e(library)g(\002le)i 
(system)g(and)f(run)g(on)g(our)g(e)o(xok)o(ernel)e(system,)j(these)g (programs)d(run)i(up)g(to)h(three)0 1484 y(times)h(f)o(aster)f(than)g (identical)f(v)o(ersions)h(e)o(x)o(ecuted)e(on)i(competiti)n(v)o(e)e (monolithic)h(operating)f(systems.)125 1584 y(In)f(general,)f(normal)h (applications)f(bene\002t)h(from)f(an)i(e)o(xok)o(ernel)d(by)i(simply)g (linking)f(in)i(an)f(optimized)f(libOS)i(that)g(implements)0 1683 y(a)30 b(standard)d(interf)o(ace.)55 b(Thus,)31 b(e)n(v)o(en)d(without)h(modi\002cations,)g(the)o(y)g(still)h(pro\002t) e(from)h(an)g(e)o(xok)o(ernel.)3144 1653 y Fi(3)3234 1683 y Fp(While)h(an)f(e)o(xok)o(ernel)0 1783 y(allo)n(ws)20 b(e)o(xperimentation)c(with)k(completely)e(dif)n(ferent)g(OS)i(interf)o (aces,)f(a)h(more)f(important)f(result)h(may)g(be)h(impro)o(ving)d(the) i(rate)h(of)0 1883 y(inno)o(v)n(ation)e(of)i(implementations)e(of)i(e)o (xistent)f(interf)o(aces.)0 2079 y Fo(Does)h(a)h(libOS)f(run)h(slo)o (wer)g(than)f(an)h(OS?)0 2226 y Fp(An)28 b(e)o(xok)o(ernel)d(pro)o (vides)h(e)o(xtreme)g(\003e)o(xibility)-5 b(.)50 b(Rightfully)-5 b(,)27 b(an)o(y)g(systems)h(b)n(uilder)f(w)o(ould)f(e)o(xpect)h(that)g (this)i(\003e)o(xibility)d(w)o(ould)0 2326 y(ha)n(v)o(e)d(a)h (performance)c(cost.)40 b(In)23 b(particular)m(,)f(gi)n(v)o(en)g(the)i (same)g(application)e(code)g(and)h(same)h(OS)g(code)f(\(placed)f(in)i (a)g(libOS)g(on)f(an)0 2425 y(e)o(xok)o(ernel,)16 b(in)j(the)g(k)o (ernel)f(on)g(a)h(monolithic)e(system\),)h(does)h(a)g(traditional)e (system)i(pro)o(vide)d(superior)i(performance?)25 b(Or)m(,)19 b(phrased)0 2525 y(another)h(w)o(ay)-5 b(,)21 b(if)h(an)f(optimization) f(is)i(done)e(on)h(an)h(e)o(xok)o(ernel)d(and)i(gi)n(v)o(es)g(a)g(f)o (actor)g(of)g(four)m(,)f(w)o(ould)h(the)g(same)h(optimization)e(done)0 2625 y(on)g(a)g(traditional)f(OS)i(gi)n(v)o(e)f(e)n(v)o(en)f(more?)125 2724 y(T)-7 b(o)24 b(partially)g(answer)g(this)h(question)f(we)h(ha)n (v)o(e)f(tak)o(en)g(the)h(library)e(\002le)i(system)g(discussed)f(in)h 
(the)g(pre)n(vious)e(e)o(xperiment)f(and)0 2824 y(re\255implemented)g (it)j(in)f(the)g(k)o(ernel)g(of)g(a)g(traditional,)g(monolithic)f (operating)f(system.)42 b(W)-7 b(e)26 b(then)d(run)h(the)g(same)h(w)o (orkload)d(on)i(it.)0 2923 y(Our)e(results)g(sho)n(w)g(that,)g(at)h (least)f(in)h(this)f(case,)h(an)f(e)o(xok)o(ernel)e(does)h(not)h(pay)g (for)f(its)i(structure.)34 b(Or)m(,)22 b(in)g(the)g(alternati)n(v)o(e)f (w)o(ay)-5 b(,)21 b(that)0 3023 y(an)f(optimization)f(done)g(on)h(an)g (e)o(xok)o(ernel)e(can)i(gi)n(v)o(e)f(the)h(same)h(performance)c(impro) o(v)o(ement)g(as)k(done)e(on)h(a)g(traditional)g(system.)0 3219 y Fo(Ar)o(e)g(aggr)o(essi)o(v)o(e)f(applications)h(ten)g(times)h (faster?)0 3367 y Fp(In)26 b(part,)g(the)g(e)o(xok)o(ernel)e (architecture)g(w)o(as)j(moti)n(v)n(ated)d(by)i(the)g(ability)f(to)h (perform)e(application\255speci\002c)g(or)m(,)i(more)f(commonly)-5 b(,)0 3466 y(domain\255speci\002c)23 b(optimizations.)1054 3436 y Fi(4)1132 3466 y Fp(T)-7 b(w)o(o)25 b(natural)g(questions,)g (then,)g(are)g(\002rst,)i(does)e(an)g(e)o(xok)o(ernel)e(gi)n(v)o(e)h (suf)n(\002cient)g(po)n(wer)g(that)0 3566 y(interesting)g (optimizations)f(can)h(be)h(done?)41 b(Second,)25 b(do)f (domain\255speci\002c)f(optimizations)g(yield)h(signi\002cant)g(impro)o (v)o(ements)e(or)0 3665 y(do)e(the)o(y)f(only)h(gi)n(v)o(e)f (\223noise\224)h(le)n(v)o(el)g(impro)o(v)o(ements?)125 3765 y(Experiments)j(sho)n(w)i(that)g(an)g(e)o(xok)o(ernel)e(enables)h (domain\255speci\002c)f(optimizations)h(that)h(gi)n(v)o(e)f(order)n (\255of\255magnitude)c(perfor)n(\255)0 3865 y(mance)28 b(impro)o(v)o(ements)d([48)o(].)54 b(Our)28 b(speci\002c)h(results)g (come)e(from)h(an)g(interf)o(ace)g(designed)f(for)h(f)o(ast)h(I/O,)f (which)g(impro)o(v)o(es)f(the)0 3964 y(performance)17 b(of)j(applications)f(such)h(as)h(web)f(serv)o(ers.)0 4160 y Fo(Does)g(local)g(contr)o(ol)f(lead)h(to)g(bad)h(global)f(perf)n (ormance?)0 4308 y Fp(An)g(e)o(xok)o(ernel)f(gi)n(v)o(es)g 
(applications)h(signi\002cantly)f(more)g(control)h(than)f(traditional)h (operating)e(systems)j(do.)29 b(A)21 b(positi)n(v)o(e)e(aspect)i(of)0 4407 y(this)26 b(po)n(wer)e(transfer)h(is)h(that)f(applications)g(can)g (perform)e(optimizations)h(not)h(pre)n(viously)e(possible.)45 b(A)26 b(ne)o(gati)n(v)o(e)d(aspect)i(is)h(that)0 4507 y(their)16 b(sel\002sh)i(optimization)d(ef)n(forts)h(could)g(destro)o (y)f(system)i(performance.)25 b(Thus)17 b(a)g(k)o(e)o(y)f(question)f (is:)29 b(can)17 b(an)f(e)o(xok)o(ernel)f(reconcile)0 4607 y(local)20 b(control)f(with)h(good)f(global)h(performance?)125 4706 y(It)j(can,)g(for)f(tw)o(o)h(main)f(reasons.)37 b(First,)24 b(when)e(an)h(e)o(xok)o(ernel)e(structure)g(enables)i (impro)o(v)o(ed)d(application)h(performance)f(there)0 4806 y(will)30 b(be)g(more)e(resources)h(to)g(go)g(around,)h(and)f (thus,)j(global)c(performance)f(will)j(impro)o(v)o(e.)55 b(Second,)30 b(an)g(e)o(xok)o(ernel)d(mediates)0 4906 y(allocation)j(and)g(re)n(v)n(ocation)f(of)h(resources.)60 b(Therefore)29 b(it)j(has)f(the)f(po)n(wer)g(to)h(enforce)e(an)o(y)h (global)g(polic)o(y)g(that)h(a)g(traditional)p 0 4977 1560 4 v 90 5032 a Fh(3)120 5055 y Fg(In)18 b(principle,)j(gi)n(v)o(en) f(suf)n(\002cient)h(resources)f(a)f(traditional)j(OS)c(can)h(implement) h(an)o(y)g(inno)o(v)n(ation)h(done)e(on)g(an)g(e)o(xok)o(ernel.)31 b(Ho)n(we)n(v)o(er)m(,)21 b(in)e(practice,)i(we)e(e)o(xpect)0 5134 y(an)e(e)o(xok)o(ernel)j(system)d(to)h(e)n(v)o(olv)o(e)g (signi\002cantly)i(f)o(aster)f(than)f(traditional)i(systems.)90 5191 y Fh(4)120 5215 y Fg(In)i(f)o(act,)j(the)e(original)i(e)o(xok)o (ernel)g(paper)f([25])f(focuses)g(almost)g(e)o(xclusi)n(v)o(ely)j(on)c (application\255speci\002c)29 b(optimizations)c(rather)f(than)g(impro)o (ving)g(the)f(rate)h(of)0 5294 y(general\255purpose)c(inno)o(v)n (ations,)g(which)e(we)f(ha)o(v)o(e)h(come)f(to)g(re)o(gard)h(as)f(a)g (more)g(signi\002cant)j(bene\002t.)1908 5589 y Fp(17)p eop %%Page: 18 19 18 18 bop 0 83 a Fp(operating)22 b(system)i(can.)40 
b(The)23 b(single)h(ne)n(w)g(challenge)e(it)j(f)o(aces)f(is)h(deri)n(ving)d (information)f(lost)k(by)e(dislocating)g(abstractions)g(into)0 183 y(application)i(space.)50 b(F)o(or)26 b(e)o(xample,)h(traditional)f (operating)f(systems)j(manage)e(both)g(virtual)g(memory)f(and)i(\002le) g(caching.)48 b(As)28 b(a)0 282 y(result,)c(the)o(y)e(can)h(perform)e (global)h(resource)g(management)f(of)i(pages)g(that)g(tak)o(es)g(into)g (account)f(the)h(manner)f(in)h(which)g(a)g(page)g(is)0 382 y(being)g(used.)38 b(In)23 b(contrast,)h(if)g(an)f(e)o(xok)o(ernel) e(dislocates)j(virtual)f(memory)e(and)i(\002le)h(b)n(uf)n(fer)f (management)e(into)i(library)f(operating)0 482 y(systems)f(it)g(no)g (longer)e(can)h(mak)o(e)g(such)h(distinctions.)29 b(While)21 b(such)g(information)d(matters)i(in)h(theory)-5 b(,)19 b(in)i(practice)e(we)i(ha)n(v)o(e)f(found)0 581 y(it)g(either)f (unnecessary)f(or)h(crude)f(enough)g(that)h(no)g(special)h(methods)e (ha)n(v)o(e)h(been)f(necessary)h(to)h(deri)n(v)o(e)e(it.)29 b(Ho)n(we)n(v)o(er)m(,)18 b(whether)g(this)0 681 y(happ)o(y)h (situation)h(al)o(w)o(ays)g(holds)g(is)h(an)f(open)f(question.)125 780 y(More)26 b(concretely)-5 b(,)27 b(our)f(e)o(xperiments)g (demonstrate)f(that:)44 b(\(1\))26 b(gi)n(v)o(en)g(the)h(same)h(w)o (orkload,)f(an)g(e)o(xok)o(ernel)e(performs)g(com\255)0 880 y(parably)e(to)i(widely)f(used)g(monolithic)f(systems,)j(and)e (\(2\))g(that)h(when)f(local)g(optimizations)f(are)i(performed,)e(that) h(whole)g(system)0 980 y(performance)17 b(impro)o(v)o(es,)h(and)i(can)g (do)g(so)g(signi\002cantly)-5 b(.)0 1192 y Fq(1.2.4)99 b(Summary)0 1340 y Fp(T)-7 b(ak)o(en)23 b(as)g(a)h(whole,)f(these)g(e)o (xperiments)e(sho)n(w)i(that,)g(compared)e(to)j(a)f(traditional)f (system,)i(an)f(e)o(xok)o(ernel)d(pro)o(vides)i(comparable)0 1439 y(to)e(signi\002cantly)g(superior)e(performance)g(while)i (simultaneously)e(gi)n(ving)h(tremendous)g(\003e)o(xibility)-5 b(.)0 1686 y Fv(1.3)117 b(Concer)n(ns)0 1872 y Fp(Belo)n(w)-5 b(,)19 
b(we)h(discuss)h(\002v)o(e)e(concerns)f(about)h(the)h(e)o(xok)o (ernel)e(architecture:)27 b(\(1\))19 b(that)h(an)g(it)g(will)h (compromise)c(portability)-5 b(,)18 b(\(2\))h(that)h(it)0 1972 y(will)k(lead)g(to)f(a)h(Babel)g(of)f(incompatible)f(libOSes,)j (\(3\))e(that)g(libOSes)h(are)g(too)f(costly)g(to)h(specialize,)g (\(4\))f(that)h(the)o(y)f(consume)f(too)0 2071 y(much)h(space)h(per)f (application,)g(and)h(\(5\))f(that)h(the)g(modi\002cation)e(of)i(a)g (\223free)f(softw)o(are\224)g(OS)i(pro)o(vides)d(a)i(\223good)f (enough\224)e(w)o(ay)j(to)0 2171 y(inno)o(v)n(ate.)125 2270 y(First,)h(it)f(is)h(a)f(virtue)g(for)f(an)g(e)o(xok)o(ernel)f(to) i(e)o(xpose)f(the)h(details)g(of)f(the)h(system')-5 b(s)25 b(hardw)o(are)d(and)h(softw)o(are.)40 b(Our)23 b(e)o(xok)o(ernels)0 2370 y(e)o(xpose)f(information)f(such)j(as)g(the)f(number)f(of)h(netw)o (ork)f(and)h(scatter/gather)f(DMA)i(b)n(uf)n(fers)e(a)n(v)n(ailable)h (and)g(TLB)h(entry)f(format.)0 2470 y(Nai)n(v)o(ely)16 b(handled,)f(this)j(e)o(xposure)c(can)j(compromise)e(portability)-5 b(.)26 b(F)o(ortunately)-5 b(,)15 b(traditional)g(techniques)h(for)g (retaining)f(portability)0 2569 y(w)o(ork)h(just)g(as)h(well)g(on)f(e)o (xok)o(ernel)e(systems.)28 b(While)17 b(applications)e(that)h(use)g(an) h(e)o(xok)o(ernel)d(interf)o(ace)h(directly)g(will)i(not)f(be)g (portable,)0 2669 y(those)31 b(that)g(use)g(library)f(operating)f (systems)j(that)f(implement)e(standard)h(interf)o(aces)h(\()p Fk(e)o(.g)o(.,)h Fp(POSIX\))f(are)g(portable)e(across)i(an)o(y)0 2769 y(system)c(that)g(pro)o(vides)e(the)i(same)g(interf)o(ace.)48 b(Library)25 b(operating)g(systems)j(themselv)o(es)e(can)g(be)h(made)f (portable)g(by)g(designing)0 2868 y(them)c(to)g(use)g(a)h(lo)n(w\255le) n(v)o(el)e(machine\255independent)c(layer)22 b(to)g(hide)g(hardw)o(are) f(details.)35 b(This)22 b(technique)f(has)h(been)g(widely)g(used)f(in)0 2968 y(the)f(conte)o(xt)f(of)h(more)f(traditional)g(operating)g (systems)h([74)o(,)h(21)o(].)125 3067 y(As)h(in)g(traditional)f 
(systems,)i(an)f(e)o(xok)o(ernel)d(can)j(pro)o(vide)e(backw)o(ard)g (compatibility)h(in)h(three)f(w)o(ays:)34 b(one,)21 b(binary)g (emulation)0 3167 y(of)k(the)g(operating)f(system)h(and)g(its)h (programs;)g(tw)o(o,)h(implementing)c(its)j(hardw)o(are)e(abstraction)g (layer)h(on)g(top)f(of)h(an)h(e)o(xok)o(ernel;)0 3267 y(and)20 b(three,)f(re\255implementing)e(the)j(operating)f(system')-5 b(s)21 b(abstractions)e(on)h(top)g(of)f(an)i(e)o(xok)o(ernel.)125 3366 y(Second,)30 b(since)g(library)e(operating)f(systems)j(are)g (unpri)n(vile)o(ged,)e(an)o(yone)f(can)j(write)f(one.)57 b(An)29 b(ob)o(vious)f(problem)f(is)k(what)0 3466 y(happens)14 b(to)h(system)g(coherence)e(under)h(an)g(onslaught)g(of)h(\223hand)e (rolled\224)h(operating)g(systems?)28 b(Similar)15 b(to)g(the)g(pre)n (vious)e(challenge,)0 3566 y(applications)24 b(already)g(solv)o(e)h (the)h(problem)d(of)j(chaos)f(from)f(freedom)f(through)h(the)h(use)h (of)f(standards)f(and)h(good)f(programming)0 3665 y(practices.)k(The)19 b(adv)n(antage)e(of)i(standards)f(on)h(paper)f(rather)g(than)h(hard)f (wired)h(in)g(the)g(k)o(ernel)g(is)h(that)f(the)o(y)f(can)h(be)g (re\255implemented)0 3765 y(and)h(specialized,)f(selected)h(amongst,)f (or)m(,)g(in)i(the)f(case)h(of)f(the)g(w)o(orst)g(ones,)g(ignored.)125 3864 y(Third,)k(does)h(specialization)f(require)f(writing)i(an)f (entire)h(library)f(operating)f(system?)43 b(Our)25 b(e)o(xperience)d (sho)n(ws)j(that)g(it)h(does)0 3964 y(not.)67 b(All)34 b(of)e(the)h(application)f(performance)e(impro)o(v)o(ements)g(in)j (this)g(thesis,)k(e)n(v)o(en)32 b(the)h(most)g(dramatic,)i(were)e (achie)n(v)o(ed)e(by)0 4064 y(inserting)18 b(the)h(specialized)f (subsystem)g(within)g(the)h(def)o(ault)f(libOS,)h(rather)f(than)g(re)n (writing)f(an)i(entire)f(libOS)h(from)f(scratch.)28 b(Gi)n(v)o(en)0 4163 y(a)17 b(modular)d(design,)i(other)f(library)g(operating)g (systems)h(should)f(allo)n(w)i(similar)f(specialization.)27 b(It)16 b(is)h(possible)f(that)g(object\255oriented)0 4263 
y(programming)e(methods,)i(o)o(v)o(erloading,)e(and)j(inheritance) f(can)h(pro)o(vide)e(useful)i(operating)e(system)i(service)g (implementations)e(that)0 4363 y(can)20 b(be)g(easily)h(specialized)e (and)h(e)o(xtended,)e(as)j(in)f(the)g(VM++)g(library)g([51)n(].)125 4462 y(Most)f(libOS)h(code)e(is)i(no)f(more)g(dif)n(\002cult)f(to)i (modify)d(than)i(other)g(systems)g(softw)o(are)g(such)g(as)h(memory)e (allocators.)28 b(It)19 b(tends)g(to)0 4562 y(be)k(conceptually)e (shallo)n(w)-5 b(,)23 b(and)g(concerned)e(chie\003y)i(with)g(managing)e (v)n(arious)h(mappings)g(\(page)g(tables,)i(meta)f(data,)h(\002le)g (tables,)0 4661 y(etc.\).)37 b(As)24 b(such,)f(once)f(operating)f (system)i(softw)o(are)g(is)h(remo)o(v)o(ed)c(from)i(the)h(harsh)f(en)m (viron)f(of)i(the)g(k)o(ernel)f(proper)m(,)f(modi\002cation)0 4761 y(does)f(not)g(require)f(e)o(xtraordinary)d(competence.)125 4861 y(F)o(ourth,)d(if)h(each)g(application)e(has)i(its)h(o)n(wn)e (library)g(operating)e(system)j(link)o(ed)g(into)f(it,)j(what)d(about)g (space?)27 b(As)15 b(in)f(other)f(domains)0 4960 y(with)21 b(lar)o(ge)f(libraries,)h(e)o(xok)o(ernel)e(systems)i(can)g(use)h (dynamic)d(linking)h(and)g(shared)h(libraries)f(to)i(reduce)d(space)i (o)o(v)o(erhead.)30 b(In)20 b(our)0 5060 y(e)o(xperience,)e(these)i (techniques)e(reduce)h(o)o(v)o(erheads)f(to)i(ne)o(gligible)e(le)n(v)o (els.)29 b(F)o(or)20 b(e)o(xample,)e(our)h(global)g(performance)e(e)o (xperiments)0 5160 y(place)26 b(a)g(se)n(v)o(ere)f(strain)h(on)f (system)h(memory)e(resources,)i(yet)g(an)g(e)o(xok)o(ernel)d(is)k (comparable)d(to)h(or)h(surpasses)g(the)g(con)m(v)o(entional)0 5259 y(systems)21 b(we)f(compare)f(against.)1908 5589 y(18)p eop %%Page: 19 20 19 19 bop 125 83 a Fp(Finally)-5 b(,)20 b(what)i(about)e(Linux,)h (FreeBSD,)g(and)g(the)h(rest)g(of)f(the)g(public\255domain)d(operating) i(systems?)33 b(Do)22 b(the)o(y)e(not)i(e)n(v)n(olv)o(e)e(as)0 183 y(quickly)e(as)j(an)f(e)o(xok)o(ernel)d(will?)30 b(W)-7 b(e)21 
b(belie)n(v)o(e)e(that)h(an)f(e)o(xok)o(ernel)f (structure)h(has)h(important)e(softw)o(are)h(engineering)e(bene\002ts)j (o)o(v)o(er)0 282 y(these)e(systems.)28 b(First,)19 b(libraries)e(are)h (f)o(ault\255isolated)e(from)g(each)i(other)m(,)e(allo)n(wing)h(dif)n (ferent)f(operating)f(systems)j(to)g(co\255e)o(xist)e(on)i(the)0 382 y(same)g(system,)g(something)e(not)i(possible)f(with)h(the)f (current)g(crop)g(of)g(operating)f(systems.)29 b(Second,)17 b(library)f(de)n(v)o(elopment)f(is)k(much)0 482 y(much)j(easier)g(than) g(k)o(ernel)g(hacking.)35 b(F)o(or)22 b(e)o(xample,)g(standard)f(deb)n (ugging)f(tools)i(w)o(ork,)h(and)f(errors)f(crash)i(only)e(the)i (application)0 581 y(using)18 b(the)h(library)e(instead)h(of)h(the)f (system,)h(allo)n(wing)f(easy)g(post\255mortem)f(e)o(xamination.)26 b(Third,)18 b(all)h(users)g(ha)n(v)o(e)f(the)g(po)n(wer)g(to)g(use)0 681 y(an)i(inno)o(v)n(ation,)d(simply)j(by)g(linking)f(an)h (application)f(against)h(a)g(libOS.)0 928 y Fv(1.4)117 b(Summary)0 1113 y Fp(The)20 b(e)o(xok)o(ernel)e(in)i(a)h(nutshell:)104 1279 y(1.)41 b(What:)29 b(an)o(yone)19 b(can)h(safely)g(manage)f (resources.)104 1445 y(2.)41 b(Ho)n(w:)54 b(separate)32 b(protection)f(from)h(management.)64 b(An)33 b(e)o(xok)o(ernel)d (protects)j(resources,)h(applications)e(manage)f(them.)208 1545 y(Ev)o(erything)18 b(not)i(required)f(for)h(protection)g(is)h(mo)o (v)o(ed)e(out)i(of)f(pri)n(vile)o(ged)f(k)o(ernels)h(and)h(serv)o(ers)f (into)h(untrusted)e(application)208 1645 y(libraries.)28 b(This)21 b(is)g(the)f(one)g(idea)g(to)g(remember)e(for)i(an)g(e)o(xok) o(ernel,)e(all)j(other)e(features)h(are)g(details)g(deri)n(v)o(ed)f (from)g(it.)208 1778 y(The)14 b(e)o(xok)o(ernel)e(ideal:)26 b(the)15 b(libOS)g(made)e(as)j(po)n(werful)c(as)j(pri)n(vile)o(ged)e (OS,)h(without)g(sacri\002cing)g(performance)d(or)k(protection.)104 1944 y(3.)41 b(Why?)h(Inno)o(v)n(ation.)d(An)25 b(e)o(xok)o(ernel)d (mak)o(es)j(operating)d(systems)j(softw)o(are)g(co\255e)o(xist,)f 
(unpri)n(vile)o(ged,)f(and)h(modi\002able)f(by)208 2043 y(orders)c(of)h(magnitude)e(more)h(programmers.)125 2209 y(The)f(follo)n(wing)g(chapter)f(articulates)i(the)g(principles)f(of)h (the)g(e)o(xok)o(ernel)e(methodology)-5 b(.)25 b(Chapter)18 b(3)i(dra)o(ws)e(on)h(e)o(xamples)f(from)0 2309 y(tw)o(o)g(e)o(xok)o (ernel)e(systems,)j(Ae)o(gis)f(and)f(Xok,)h(to)g(sho)n(w)g(ho)n(w)f (these)i(principles)e(apply)g(in)h(practice.)28 b(The)17 b(most)h(challenging)e(problem)0 2408 y(for)f(protection,)f(disk)h (multiple)o(xing,)f(is)j(discussed)e(in)g(detail)h(in)f(Chapter)g(4.)28 b(Chapter)14 b(5)i(presents)f(application)f(performance)e(results)0 2508 y(that)23 b(sho)n(w)f(that)h(that)f(such)h(separation)e(is)i (pro\002table.)35 b(W)-7 b(e)24 b(re\003ect)f(on)f(using)g(do)n (wnloaded)e(code)i(for)g(e)o(xtensibility)f(in)i(Chapter)f(6.)0 2608 y(Finally)-5 b(,)27 b(Chapter)f(7)g(discusses)h(future)e(w)o(ork,) i(re\003ects)g(on)e(general)h(lessons)g(learned)g(while)g(b)n(uilding)f (e)o(xok)o(ernel)f(systems,)k(and)0 2707 y(concludes.)1908 5589 y(19)p eop %%Page: 20 21 20 20 bop 0 706 a Fj(Chapter)42 b(2)0 1121 y Fn(Ho)n(w)52 b(to)g(b)l(uild)g(an)g(exok)n(er)m(nel:)76 b(principles)208 1562 y Fp(W)-7 b(e)24 b(all)f(li)n(v)o(e)g(in)g(the)g(protection)e(of)h (certain)h(co)n(w)o(ardices)f(which)g(we)h(call)h(our)e(principles)g(.) 
37 b(\227)24 b(Mark)e(T)-7 b(w)o(ain)23 b(\(1835\255)208 1661 y(1910\))208 1794 y(It)d(is)h(impossible)f(to)g(design)g(a)g (system)h(so)f(perfect)f(that)i(no)e(one)h(needs)g(to)g(be)g(good.)28 b(\227)21 b(T)-6 b(.)20 b(S.)h(Eliot:)125 1977 y(The)c(goal)g(of)h(an)f (e)o(xok)o(ernel)f(is)j(to)f(gi)n(v)o(e)f(as)h(much)f(safe,)h(ef)n (\002cient)f(control)g(o)o(v)o(er)f(system)i(resources)f(as)h (possible.)28 b(The)18 b(challenge)0 2077 y(for)i(an)g(e)o(xok)o(ernel) e(is)k(to)e(gi)n(v)o(e)g(library)f(operating)g(systems)i(maximum)e (freedom)f(in)j(managing)d(resources)i(while)g(protecting)f(them)0 2176 y(from)29 b(each)h(other;)k(a)c(programming)d(error)i(in)h(one)f (library)g(operating)g(system)h(should)f(not)g(af)n(fect)h(another)e (library)h(operating)0 2276 y(system.)36 b(T)-7 b(o)22 b(achie)n(v)o(e)f(this)i(goal,)f(an)g(e)o(xok)o(ernel)e(separates)i (protection,)f(which)h(must)g(be)g(pri)n(vile)o(ged,)f(from)g (management,)f(which)0 2375 y(should)f(be)h(unpri)n(vile)o(ged.)125 2475 y(Figure)e(2\2551)f(sho)n(ws)i(a)g(simpli\002ed)g(e)o(xok)o(ernel) d(system)j(that)g(is)g(running)e(tw)o(o)i(applications:)27 b(an)19 b(unmodi\002ed)d(UNIX)j(application)0 2575 y(link)o(ed)25 b(against)g(the)g(ExOS)h(libOS)g(and)f(a)h(specialized)f(e)o(xok)o (ernel)e(application)h(using)h(its)i(o)n(wn)e(TCP)h(and)f(\002le)h (system)g(libraries.)0 2674 y(Applications)15 b(communicate)f(with)j (the)f(k)o(ernel)f(using)h(lo)n(w\255le)n(v)o(el)f(physical)g(names)h (\(e.g.,)g(block)f(numbers\);)h(the)g(k)o(ernel)f(interf)o(ace)h(is)0 2774 y(as)h(close)f(to)g(the)g(hardw)o(are)f(as)i(possible.)27 b(LibOSes)16 b(handle)f(higher)n(\255le)n(v)o(el)f(names)i(\(e.g.,)g (\002le)h(descriptors\))d(and)i(supply)f(abstractions.)0 2874 y(Protection)h(in)i(this)f(\002gure)g(consists)h(of)f(forcing)e (applications)i(to)g(only)g(read)f(or)h(write)h(\(cached\))d(disk)j (blocks)e(that)i(the)o(y)e(ha)n(v)o(e)h(access)0 2973 y(rights)h(to.)29 b(The)17 b(k)o(ernel)h(does)g(this)h(by)e(guarding)f 
(all)j(operations)e(on)g(both)h(the)g(disk)g(blocks)g(themselv)o(es)f (and)h(on)g(the)g(physical)f(pages)0 3073 y(that)j(hold)g(cached)f (copies.)125 3172 y(In)f(general,)g(resource)f(protection)g(consists)j (of)e(three)g(tasks:)30 b(\(1\))18 b(tracking)f(o)n(wnership)h(of)g (resources,)g(\(2\))g(ensuring)f(protection)0 3272 y(by)k(guarding)e (all)i(resource)f(usage)h(or)g(binding)f(points,)g(and)h(\(3\))g(re)n (v)n(oking)e(access)j(to)f(resources.)31 b(T)-7 b(o)22 b(pre)n(v)o(ent)d(rogue)h(applications)0 3372 y(from)32 b(destro)o(ying)e(the)j(system,)j(most)c(e)o(xok)o(ernels)f(protect)h (physical)f(resources)h(such)g(as)h(physical)f(memory)-5 b(,)33 b(the)g(CPU,)g(and)0 3471 y(netw)o(ork)18 b(de)n(vices)g(\(to)h (pre)n(v)o(ent)e(theft)h(of)h(recei)n(v)o(ed)e(messages)i(and)g (corruption)d(of)i(not\255yet\255transmitted)e(ones\).)28 b(Additionally)-5 b(,)17 b(the)o(y)0 3571 y(must)22 b(guard)e (operations)g(that)i(change)e(pri)n(vile)o(ged)g(state)i(such)g(as)g (the)g(ability)f(to)h(e)o(x)o(ecute)f(pri)n(vile)o(ged)e(instructions,) i(and)g(writes)h(to)0 3671 y(\223special\224)e(memory)e(locations)i (that)g(control)f(de)n(vices.)29 b(Finally)-5 b(,)19 b(the)o(y)h(may)g(guard)e(more)i(abstract)g(resources)f(such)h(as)h (bandwidth.)125 3770 y(T)-7 b(o)29 b(mak)o(e)h(this)g(discussion)f (concrete,)h(consider)f(the)h(protection)d(of)j(physical)e(pages.)57 b(The)30 b(core)f(requirement)e(is)k(that)f(the)0 3870 y(e)o(xok)o(ernel)25 b(must)j(check)f(that)g(e)n(v)o(ery)f(read)h(and)g (write)h(to)g(an)o(y)e(page)h(has)h(suf)n(\002cient)f(access)h(rights.) 
51 b(On)27 b(modern)f(architectures,)0 3969 y(encapsulation)31 b(in)m(v)n(olv)o(es)g(forcing)g(all)j(memory)d(operations)g(to)i (either)f(go)h(through)d(the)j(k)o(ernel)f(\(which)g(checks)g (permissions)0 4069 y(manually\))16 b(or)i(through)e(translation)i (hardw)o(are)e(\(the)i(TLB\),)g(which)g(checks)g(them)f(against)h(a)g (set)h(of)f(cached)g(pages.)28 b(T)-7 b(o)18 b(ensure)f(that)0 4169 y(malicious)k(processes)f(do)h(not)g(corrupt)e(the)j(TLB,)f(the)g (k)o(ernel)f(must)i(check)e(modi\002cations)g(of)h(it)g(as)h(well.)33 b(In)21 b(practice)f(this)i(means)0 4268 y(that)f(applications)e (cannot)g(issue)j(pri)n(vile)o(ged)c(instructions)i(directly)-5 b(,)19 b(b)n(ut)h(must)h(go)f(through)e(the)j(k)o(ernel.)29 b(The)20 b(ne)o(xt)g(three)g(chapters)0 4368 y(gi)n(v)o(e)f(man)o(y)g (e)o(xamples)g(of)h(resources)g(to)g(protect)f(and)h(w)o(ays)g(to)h(do) f(so.)125 4468 y(Applications)c(cannot)g(o)o(v)o(erride)e(pri)n(vile)o (ged)h(softw)o(are.)28 b(This)18 b(in\003e)o(xibility)e(mak)o(es)h (protection)e(possible.)28 b(Ho)n(we)n(v)o(er)m(,)15 b(if)j(it)g(spills)0 4567 y(o)o(v)o(er)24 b(into)g(non\255protection)e (areas,)k(applications)e(will)h(needlessly)g(lose)g(the)g(ability)g(to) g(control)f(important)f(decisions.)43 b(Thus,)26 b(an)0 4667 y(e)o(xok)o(ernel)18 b(only)h(o)o(v)o(errides)g(application)f (decisions)i(to)g(the)h(e)o(xtent)e(necessary)g(to)i(b)n(uild)f(a)g (secure)g(system.)125 4766 y(This)k(chapter)f(describes)h(\002v)o(e)g (principles)f(that)h(gi)n(v)o(e)g(this)g(declarati)n(v)o(e)f(goal)h (operational)e(teeth.)41 b(These)24 b(principles)f(illustrate)0 4866 y(the)j(mechanics)g(of)g(e)o(xok)o(ernel)e(systems)j(and)f(pro)o (vide)e(important)h(moti)n(v)n(ation)f(for)i(man)o(y)f(design)h (decisions)g(discussed)g(later)g(in)0 4966 y(this)e(thesis.)40 b(T)-7 b(o)24 b(better)f(understand)f(what)h(the)h(architecture)e(is,)j (we)f(then)g(sho)n(w)f(what)h(it)g(is)g(not.)40 b(The)23 b(remainder)f(of)h(the)h(chapter)0 5065 y(discusses)d(ho)n(w)f(an)g(e)o 
(xok)o(ernel)f(protects)h(the)g(state)i(of)e(higher)n(\255le)n(v)o(el)e (abstractions,)h(and)h(performs)f(resource)g(re)n(v)n(ocation,)g(and)h (then)0 5165 y(presents)g(a)g(general)g(technique,)e Fk(secur)m(e)i(bindings)p Fp(,)f(we)h(ha)n(v)o(e)g(used)g(to)g(mak)o(e) g(protection)e(ef)n(\002cient.)1908 5589 y(20)p eop %%Page: 21 22 21 21 bop 1069 1322 a @beginspecial 0 @llx 22 @lly 289 @urx 221 @ury 2160 @rwi @setspecial %%BeginDocument: exokernel.eps %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: 0 22 289 221 %%DocumentNeededFonts: Times-Roman Times-Italic %%EndComments /thickarrow { % fromx fromy tox toy thickness gsave /@t exch def 2 index sub exch 3 index sub exch 4 2 roll translate exch 2 copy atan rotate dup mul exch dup mul add sqrt /@x exch def 0 @t neg moveto @x @t 2.35 mul sub dup @t neg lineto @x @t 2.85 mul sub @t -2 mul 2 copy lineto @x 0 lineto neg lineto @t lineto 0 @t lineto closepath fill grestore } bind def /thinarrowhead { % fromx fromy tox toy thickness gsave newpath /@t exch def 2 index sub exch 3 index sub exch 4 2 roll translate exch 2 copy atan rotate dup mul exch dup mul add sqrt /@x exch @t 1.5 mul add def @x @t 5.2 mul sub dup @t neg moveto @x @t 7 mul sub @t -2 mul 2 copy lineto @x 0 lineto neg lineto @t lineto closepath fill grestore } bind def /thinarrowpath { % from? to? thickness /@t exch def /@to? exch def /@from? exch def mark { counttomark 2 eq { } { stop } ifelse } { } { } { stop } pathforall @to? { 4 copy @t thinarrowhead } if counttomark -4 roll 4 2 roll @from? 
{ @t thinarrowhead } if cleartomark stroke } bind def /min { 2 copy lt { pop } { exch pop } ifelse } bind def /arrowbox { % x0 y0 w h x y thickness r g b gsave /@t exch def /@y exch def /@x exch def 4 copy rectfill 2 copy min 2 div /@b exch def 2 index add exch 3 index add exch % now have x0 y0 x1 y1 /@cy @y def /@cx @x def @b sub dup @cy lt { /@cy exch def } { pop } ifelse @b sub dup @cx lt { /@cx exch def } { pop } ifelse @b add dup @cy gt { /@cy exch def } { pop } ifelse @b add dup @cx gt { /@cx exch def } { pop } ifelse @cx @cy @x @y @t thinarrow grestore } bind def /rrectpath { /@t exch def /@y exch def /@x exch def 2 copy translate @t 0 moveto @x 0 @x @y @t arct @x @y 0 @y @t arct 0 @y 0 0 @t arct 0 0 @x 0 @t arct closepath neg exch neg exch translate } bind def /#makecolor { 255 div 3 1 roll 255 div 3 1 roll 255 div 3 1 roll } bind def /#color { #makecolor setrgbcolor } bind def /showpage {} def /#grayprogram { [ exch dup dup /#color cvx ] cvx def } bind def /#wid /setlinewidth load def /##b 0 #grayprogram /##w 255 #grayprogram /@kerny 115 def /@kernoff 48 def /@bcrx 65 def /@bcry 40 def /@bcrw 100 def /@bcrh 38 def /@bcrn 3 def /@diskx 185 def /@disky 45 def /@diskround 0.4 def /@diskh 30 @diskround div def /@diskw 20 def /##disk 230 #grayprogram /@blockx 10 def /@blocky 7 def /@blockw 14 def /@blockh 16 def /@pagex 133 def /@pagey 90 def ##w 0 0 371 250 rectfill ##b %%%%%%%%%%%%%%%% % KERNEL gsave 0 @kerny translate gsave 4 setlinewidth 0.5 setgray 0 0 moveto 288 0 rlineto stroke grestore %GenText 0 -12 w=278 right % ``Kernel'' % wx=25.612 bb=0.323,-0.095,25.4125,6.4885 nc=6 % at=(252.388, -12) wxgot=25.612 /k{0 rmoveto}bind def/s/show load def/as/ashow load def/sf/selectfont load def 252.388 -12 moveto /Times-Roman 9.5 sf(K)s -0.237 k(er)s 0 k(nel)s grestore %%%%%%%%%%%%%% % BCR @bcrx @bcry translate 1 setlinewidth 0 0 @bcrw @bcrh rectstroke 0.5 setlinewidth 0 @bcrh @bcrn div @bcrh { 0 exch moveto @bcrw 0 rlineto } for stroke gsave 0 -13 translate % 0 
@bcrh translate %GenText 0 3.5 % ``Buffer Cache Registry'' % wx=85.101 bb=0.1615,-2.071,84.8635,6.4885 nc=21 % at=(0, 3.5) wxgot=85.101 0 3.5 moveto /Times-Roman 9.5 sf(Buf)s -0.237 k(f)s 0 k(er\040Cac)s 0 k(he\040Re)s -0.142 k(g)s 0 k(istr)s 0 k(y)s grestore gsave 0 @bcrh @bcrn div @bcrn 1 sub mul translate %GenText 5 3.5 % ``Block b = Page p'' % wx=65.379 bb=0.1615,-2.071,65.0845,6.4885 nc=16 % at=(5, 3.5) wxgot=65.379 5 3.5 moveto currentpoint exch 5 sub exch 2 add transform % @exos-bcr-2 /Times-Roman 9.5 sf(Bloc)s 0 k(k\040)s currentpoint exch 3 add exch 2 sub transform % @bcr-disk-1 /Times-Italic 9.5 sf(b)s/Times-Roman 9.5 sf(\040=\040P)s -0.142 k(a)s 0 k(g)s 0 k(e\040)s/Times-Italic 9.5 sf(p)s currentpoint exch 1 add exch 6 add transform % @bcr-page-1 0 @bcrh @bcrn div neg translate %GenText 5 3.5 % ``. . .'' % wx=11.875 bb=0.2565,-0.1045,10.811,0.95 nc=5 % at=(5, 3.5) wxgot=11.875 5 3.5 moveto /Times-Italic 9.5 sf(.\040.\040.)s grestore @bcrx neg @bcry neg translate /@bcr-page-1 [ 4 2 roll itransform ] cvx def /@bcr-disk-1 [ 4 2 roll itransform ] cvx def /@exos-bcr-2 [ 4 2 roll itransform ] cvx def %%%%%%%%%%%%%%% % DISK gsave @diskx @disky translate 1 @diskround scale 0 @diskw @diskh add moveto 0 @diskw lineto @diskw @diskw @diskw 180 360 arc 0 @diskh rlineto @diskw @diskw @diskh add @diskw 0 360 arc % closepath gsave ##disk fill grestore 1 1 @diskround div scale 1.3 setlinewidth stroke grestore @diskx @blockx add @disky @blocky add gsave 2 copy translate 0.7 setlinewidth 0 0 @blockw @blockh ##w rectfill 0 0 @blockw @blockh ##b rectstroke %GenText 5 5 % ``b'' % wx=4.75 bb=0.2185,-0.1045,4.4935,6.4885 nc=1 % at=(5, 5) wxgot=4.75 5 5 moveto /Times-Italic 9.5 sf(b)s grestore @blockh 2 div add /@bcr-disk-2 [ 4 2 roll ] cvx def %%%%%%%%%% % PAGE @pagex @pagey gsave translate 0.7 setlinewidth 0 0 @blockw @blockh ##w rectfill 0 0 @blockw @blockh ##b rectstroke %GenText 5 5 % ``p'' % wx=4.75 bb=-0.7125,-1.9475,4.4555,4.1895 nc=1 % at=(5, 5) wxgot=4.75 5 5 moveto 
/Times-Italic 9.5 sf(p)s grestore /@bcr-page-2 [ @pagex @blockw 2 div add @pagey ] cvx def /@spec-page-2 [ @pagex @blockw 2 div add @pagey @blockh add ] cvx def %%%%%%%%%% % CHEETAH /@appx 160 def /@appy 125 def /@appw 90 def /@apph 80 def /@libh 40 def /##lib 200 #grayprogram 2.5 setlinewidth gsave @appx @appy @appw @apph 10 rrectpath clip @appx @appy translate % LIB ##lib 30 0 @appw @libh rectfill ##b 1 #wid 30 0 moveto 0 @libh rlineto @appw 0 rlineto stroke 0.5 #wid 0 @libh moveto 30 0 rlineto 15 0 moveto 0 @libh rlineto stroke gsave @appw @libh translate %GenText -10 -15 w=0 right % ``ExOS'' % wx=22.6955 bb=0.114,-0.133,22.078,6.422 nc=4 % at=(-32.6955, -15) wxgot=22.6955 -32.6955 -15 moveto /Times-Roman 9.5 sf(ExOS)s %GenText -10 -25 w=0 right % ``Subset'' % wx=25.3365 bb=0.399,-0.133,25.346,6.4885 nc=6 % at=(-35.3365, -25) wxgot=25.3365 -35.3365 -25 moveto /Times-Roman 9.5 sf(Subset)s @appw neg 0 translate %GenText 0.5 -12.5 w=15 center % ``T'' % wx=5.8045 bb=0.1615,0,5.6335,6.289 nc=1 % at=(5.09775, -12.5) wxgot=5.8045 5.09775 -12.5 moveto /Times-Roman 9.5 sf(T)s %GenText 0.5 -21.5 w=15 center % ``C'' % wx=6.3365 bb=0.266,-0.133,6.0135,6.422 nc=1 % at=(4.83175, -21.5) wxgot=6.3365 4.83175 -21.5 moveto /Times-Roman 9.5 sf(C)s %GenText 0.5 -30.5 w=15 center % ``P'' % wx=5.282 bb=0.152,0,5.149,6.289 nc=1 % at=(5.359, -30.5) wxgot=5.282 5.359 -30.5 moveto /Times-Roman 9.5 sf(P)s %GenText 15 -12.5 w=15 center % ``F'' % wx=5.282 bb=0.114,0,5.187,6.289 nc=1 % at=(19.859, -12.5) wxgot=5.282 19.859 -12.5 moveto /Times-Roman 9.5 sf(F)s %GenText 15 -21.5 w=15 center % ``S'' % wx=5.282 bb=0.399,-0.133,4.6645,6.422 nc=1 % at=(19.859, -21.5) wxgot=5.282 19.859 -21.5 moveto /Times-Roman 9.5 sf(S)s grestore % APP gsave @appw @apph translate %GenText -10 -15 w=0 right % ``Specialized'' % wx=43.795 bb=0.399,-2.0615,43.7095,6.4885 nc=11 % at=(-53.795, -15) wxgot=43.795 -53.795 -15 moveto /Times-Roman 9.5 sf(Specializ)s 0 k(ed)s %GenText -10 -25 w=0 right % ``Application'' % 
wx=44.859 bb=0.1425,-2.0615,44.7165,6.4885 nc=11 % at=(-54.859, -25) wxgot=44.859 -54.859 -25 moveto /Times-Roman 9.5 sf(A)s 0 k(pplica)s 0 k(tion)s grestore 20 @libh 20 add transform grestore @appx @appy @appw @apph 10 rrectpath stroke /@spec-page-1 [ 4 2 roll itransform ] cvx def %%%%%%%%%% % APP /@appx 30 def /@appy 125 def /@appw 90 def /@apph 90 def /@libh 40 def 2.5 setlinewidth gsave @appx @appy @appw @apph 10 rrectpath clip @appx @appy translate % LIB ##lib 0 0 @appw @libh rectfill ##b 1 setlinewidth 0 @libh moveto @appw 0 rlineto stroke gsave @appw @libh translate %GenText -10 -15 w=0 right % ``ExOS'' % wx=22.6955 bb=0.114,-0.133,22.078,6.422 nc=4 % at=(-32.6955, -15) wxgot=22.6955 -32.6955 -15 moveto /Times-Roman 9.5 sf(ExOS)s grestore % APP gsave @appw @apph translate %GenText -10 -15 w=0 right % ``UNIX Application'' % wx=70.452 bb=0.133,-2.0615,70.3095,6.4885 nc=16 % at=(-80.452, -15) wxgot=70.452 -80.452 -15 moveto /Times-Roman 9.5 sf(UNIX\040)s -0.522 k(A)s 0 k(pplica)s 0 k(tion)s grestore % FD gsave 20 @libh translate %GenText 0 9 % ``fd'' % wx=7.391 bb=-1.3965,-1.9665,7.6475,6.4885 nc=2 % at=(0, 9) wxgot=7.391 0 9 moveto /Times-Italic 9.5 sf(fd)s currentpoint exch 2.5 add exch transform grestore grestore @appx @appy @appw @apph 10 rrectpath stroke itransform 2 copy /@fn-exos-1 [ 4 2 roll 15 add ] cvx def pop /@fn-exos-2 [ 2 index @appy @libh .6 mul add ] cvx def pop gsave @fn-exos-2 exch 13 sub exch 13 sub translate 0.8 #wid 0 0 26 13 rectstroke %GenText 0 3.5 w=26 center % ``read'' % wx=17.062 bb=0.4275,-0.1235,17.3185,6.4885 nc=4 % at=(4.469, 3.5) wxgot=17.062 4.469 3.5 moveto /Times-Italic 9.5 sf(r)s -0.351 k(ead)s 13 3 transform grestore /@exos-bcr-1 [ 4 2 roll itransform ] cvx def %%%%%%%%%%% % ARROWS ##b 0.7 setlinewidth [2 2] 0 setdash newpath @bcr-disk-1 moveto @bcr-disk-1 exch 20 add exch 20 sub @bcr-disk-2 exch 20 sub exch @bcr-disk-2 curveto true true 0.8 thinarrowpath @bcr-page-1 moveto @bcr-page-1 exch 5 add exch 5 add @bcr-page-2 5 sub 
@bcr-page-2 curveto true true 0.8 thinarrowpath 0.7 setlinewidth [] 0 setdash @fn-exos-1 moveto @fn-exos-2 lineto false true 1 thinarrowpath @exos-bcr-1 3 sub moveto @exos-bcr-1 40 sub @exos-bcr-2 exch 40 sub exch @exos-bcr-2 curveto false true 1 thinarrowpath gsave @exos-bcr-1 exch 4.2 sub exch 42 sub translate %GenText -2 0 % ``b'' % wx=4.75 bb=0.2185,-0.1045,4.4935,6.4885 nc=1 % at=(-2, 0) wxgot=4.75 -2 0 moveto /Times-Italic 9.5 sf(b)s grestore 1.5 #wid @spec-page-1 moveto @spec-page-1 exch 40 sub exch @spec-page-2 50 add @spec-page-2 curveto true true 1.5 thinarrowpath %%EOF %%EOF %%EndDocument @endspecial 0 1438 a Fp(Figure)24 b(2\2551:)36 b(A)25 b(simpli\002ed)f(e)o(xok)o(ernel)e(system)i(with)h(tw)o(o)f (applications,)g(each)g(link)o(ed)f(with)i(its)g(o)n(wn)f(libOS)g(and)g (sharing)f(pages)0 1538 y(through)18 b(a)j(b)n(uf)n(fer)d(cache)i(re)o (gistry)-5 b(.)0 1805 y Fv(2.1)117 b(Exok)o(er)n(nel)27 b(principles)0 1990 y Fp(The)15 b(goal)g(of)g(an)h(e)o(xok)o(ernel)d (is)k(to)e(gi)n(v)o(e)g(ef)n(\002cient)g(control)f(of)h(resources)g(to) h(untrusted)e(applications)g(in)i(a)f(secure,)h(multi\255user)f (system.)0 2090 y(W)-7 b(e)21 b(follo)n(w)f(these)g(principles)f(to)i (achie)n(v)o(e)e(this)h(goal:)125 2190 y Fo(Separate)30 b(pr)o(otection)g(and)i(management.)63 b Fp(Exok)o(ernels)30 b(restrict)i(resource)e(management)f(to)j(functions)e(necessary)h(for)0 2289 y(protection:)58 b(allocation,)37 b(re)n(v)n(ocation,)g(sharing,)h (and)d(the)g(tracking)f(of)g(o)n(wnership.)73 b(Gi)n(ving)34 b(applications)g(control)g(o)o(v)o(er)g(all)0 2389 y(non\255protection) 29 b(mechanisms)i(and)g(policies)h(mak)o(es)g(the)h(system)f (\223optimally\224)f(e)o(xtensible,)j(in)e(that)g(an)o(y)f(further)g (application)0 2489 y(customization)19 b(w)o(ould)g(compromise)f (system)j(inte)o(grity)-5 b(.)125 2588 y(In)28 b(general,)h(an)f(e)o (xok)o(ernel)e(stri)n(v)o(es)j(to)f(pro)o(vide)f(applications)g(access) i(to)g(all)g(operations)e(that)h(a)h(pri)n(vile)o(ged)d(OS)j(has.)54 
b(This)0 2688 y(requires)24 b(pro)o(viding)e(w)o(ays)k(for)e(libOSes)i (to)f(recapture)f(aspects)h(of)g(the)g(k)o(ernel')-5 b(s)25 b(pri)n(vile)o(ged)e(e)o(x)o(ecution)g(conte)o(xt,)i(such)g(as)h (being)0 2787 y(tightly)33 b(coupled)f(to)h(hardw)o(are)f(interrupts,)j (which)e(the)o(y)g(ha)n(v)o(e)g(lost)h(by)f(running)e(as)j(application) e(softw)o(are.)68 b(\(From)33 b(another)0 2887 y(perspecti)n(v)o(e,)18 b(the)i(pri)n(vile)o(ged)f(e)o(xok)o(ernel)f(adds)i(a)g(layer)g(of)g (indirection)e(between)i(a)g(libOS)h(and)f(hardw)o(are)e(e)n(v)o(ents.) 29 b(The)20 b(e)o(xok)o(ernel)0 2987 y(must)g(tak)o(e)g(steps)h(to)g (ensure)e(that)h(this)h(layer)f(does)g(not)g(preclude)e(\003e)o(xible)i (application)e(control)h(of)h(hardw)o(are.\))125 3086 y Fo(Expose)31 b(hard)o(war)o(e.)63 b Fp(Exok)o(ernels)30 b(gi)n(v)o(e)h(applications)f(protected)g(access)j(to)e(all)i (resources.)62 b(Applications)31 b(ha)n(v)o(e)g(access)0 3186 y(to)g(pri)n(vile)o(ged)e(instructions,)k(hardw)o(are)d(DMA)h (capabilities,)j(and)c(machine)g(resources.)62 b(The)30 b(resources)h(e)o(xported)e(are)i(those)0 3286 y(pro)o(vided)19 b(by)i(the)h(underlying)c(hardw)o(are:)31 b(physical)20 b(memory)-5 b(,)20 b(the)h(CPU,)i(disk)e(memory)-5 b(,)19 b(translation)i(look\255aside)f(b)n(uf)n(fer)g(\(TLB\),)0 3385 y(and)g(addressing)f(conte)o(xt)g(identi\002ers.)28 b(Applications)20 b(ha)n(v)o(e)f(full)h(vie)n(w)g(of)g(resource)f (attrib)n(utes,)h(such)g(as)h(the)f(number)m(,)e(format,)h(and)0 3485 y(current)h(set)i(of)f(TLB)g(mappings)f(or)h(the)g(number)e(and)i (size)g(of)g(incoming)f(and)g(outgoing)f(netw)o(ork)h(b)n(uf)n(fers,)g (as)i(well)g(as)g(the)f(ability)0 3585 y(to)h(modify)f(them)h (\(inserting)f(TLB)h(entries\).)35 b(This)23 b(principle)e(e)o(xtends)g (to)h(less)h(tangible)f(machine)f(resources)g(such)h(as)h(interrupts,)0 3684 y(e)o(xceptions,)18 b(and)i(cross\255domain)e(calls.)125 3784 y(An)f(e)o(xok)o(ernel)e(e)o(xposes)h(resources)g(and)h(e)n(v)o 
(ents)g(at)g(the)h(lo)n(west)f(possible)g(le)n(v)o(el)g(required)e(for) i(protection\227ideally)-5 b(,)14 b(at)k(the)f(le)n(v)o(el)0 3883 y(of)24 b(hardw)o(are)f(\(disk)i(blocks,)g(physical)e(pages,)i (etc.\))42 b(rather)24 b(than)g(rather)g(than)g(encapsulating)f(them)h (in)h(high\255le)n(v)o(el)d(abstractions)0 3983 y(such)e(as)h(\002les,) g(or)f(Unix)f(signal)i(or)e(RPC)j(semantics.)125 4083 y(The)i(follo)n(wing)f(tw)o(o)i(principles)e(f)o(all)i(from)f(a)h (general)e(pattern:)38 b(in)m(v)n(olv)o(e)23 b(applications)g(in)i (important)e(decisions)h(rather)g(than)0 4182 y(subjecting)19 b(them)h(to)g(a)h(hard)e(wired)h(polic)o(y)-5 b(.)125 4282 y Fo(Expose)17 b(allocation.)27 b Fp(Applications)16 b(allocate)h(resources)f(e)o(xplicitly)-5 b(.)26 b(The)17 b(k)o(ernel)g(allo)n(ws)g(speci\002c)g(resources)f(to)i(be)f(requested) 0 4382 y(during)f(allocation,)i(gi)n(ving)e(applications)h(control)g(o) o(v)o(er)g(abstraction)g(semantics)h(and)f(performance)e(decisions,)j (such)g(as)h(when)e(and)0 4481 y(which)j(disk)g(blocks)f(to)i (allocate.)125 4581 y Fo(Expose)k(r)o(e)o(v)o(ocation.)42 b Fp(Exok)o(ernels)24 b(e)o(xpose)g(re)n(v)n(ocation)g(policies)h(to)h (applications.)43 b(The)o(y)24 b(let)i(applications)f(choose)f(which)0 4680 y(instance)h(of)g(a)g(resource)f(to)i(gi)n(v)o(e)e(up.)44 b(Each)24 b(application)g(has)h(control)f(o)o(v)o(er)g(its)i(set)g(of)f (physical)f(resources.)43 b(Exok)o(ernels)24 b(allo)n(w)0 4780 y(applications)19 b(to)h(re)n(v)n(ok)o(e)f(resources)h(from)f (processes)h(the)o(y)f(control,)g(thereby)g(allo)n(wing)g(enforcement)f (of)i(local)g(policies.)125 4880 y Fo(Pr)o(otect)31 b (\002ne\255grained)i(units.)69 b Fp(T)-7 b(o)33 b(mak)o(e)g(resource)f (management)f(and)h(sharing)g(lightweight,)j(e)o(xok)o(ernel)c (protection)h(is)0 4979 y(\002ne\255grained)21 b(\(e.g.,)i(at)h(the)g (le)n(v)o(el)f(of)g(disk)h(blocks)e(rather)h(than)g(partitions\).)38 b(Fine\255grained)21 b(protection)h(reduces)h(the)g(o)o(v)o(erhead)e (of)0 5079 
y(mapping)g(high\255le)n(v)o(el)g(abstractions)h(do)n(wn)g (to)h(the)g(discrete)g(resource)f(units)h(that)g(an)g(e)o(xok)o(ernel)d (protects)j(\(e.g.,)f(mapping)f(\002les)j(to)0 5179 y(disk)f(blocks,)f (virtual)g(memory)f(to)i(pages,)g(netw)o(ork)f(messages)h(to)g(message) f(b)n(uf)n(fers,)g(etc.\).)37 b(Coarse\255grained)20 b(protection)h(w)o(astes)0 5278 y(space)h(as)g(well)g(as)h(time.)33 b(F)o(or)22 b(e)o(xample,)e(in)i(the)g(conte)o(xt)e(of)h(disk,)h(by)f (increasing)g(the)g(length)g(of)h(disk)f(arm)h(sinks)f(after)h (increasing)1908 5589 y(21)p eop %%Page: 22 23 22 22 bop 0 83 a Fp(internal)18 b(fragmentation)f(through)g (coarse\255grained)f(allocation.)28 b(Coarse\255grained)17 b(protection)g(also)i(mak)o(es)g(sharing)f(clumsy)-5 b(,)18 b(since)0 183 y(resources)h(cannot)g(be)h(shared)g(at)h(a)f (\002ner)n(\255granularity)d(than)j(the)g(e)o(xok)o(ernel)e(protects.) 125 282 y Fo(Expose)27 b(names.)49 b Fp(Exok)o(ernels)25 b(use)i(physical)f(names)g(where)n(v)o(er)f(possible.)48 b(Physical)27 b(names)f(capture)g(useful)g(information)0 382 y(and)19 b(do)h(not)g(require)e(potentially)h(costly)h(or)g (race\255prone)d(translations)i(from)g(virtual)h(names.)28 b(F)o(or)20 b(e)o(xample,)e(physical)h(disk)h(blocks)0 482 y(encode)j(position,)g(one)h(of)g(the)g(most)g(important)e(v)n (ariables)h(for)h(\002le)g(system)g(performance.)38 b(V)-5 b(irtual)24 b(names,)g(in)g(contrast,)g(w)o(ould)0 581 y(not)18 b(necessarily)g(encode)f(this)i(information)e(and)h(w)o(ould)f (require)h(on\255disk)f(translation)g(tables.)29 b(Using)19 b(these)f(tables)h(increases)g(disk)0 681 y(accesses)25 b(\(e)o(xtra)e(writes)i(for)f(persistence,)g(e)o(xtra)g(reads)g(for)g (name)f(translation\))g(and)h(protecting)f(them)h(across)g(reboots)f (de)o(grades)0 780 y(performance)17 b(\(e.g.,)i(by)h(ordering)e(writes) j(to)f(disk,)g(and)g(causing)f(multiple)h(writes\).)125 880 y(In)e(practice,)f(physical)h(names)g(also)g(pro)o(vide)e(a)j (uniform)e(mechanism)g(for)g(optimistic)h(synchronization.)26 
b(The)o(y)17 b(allo)n(w)h(locks)g(to)0 980 y(be)k(replaced)f(with)h (checks)f(that)h(\223e)o(xpected\224)f(conditions)f(hold)h(\(that)h(a)h (directory)d(name)h(maps)h(to)g(a)h(speci\002c)f(disk)g(block)f(and)g (has)0 1079 y(not)f(been)f(deleted)h(or)g(mo)o(v)o(ed,)e(etc.\).)125 1179 y Fo(Expose)31 b(inf)n(ormation.)60 b Fp(Exok)o(ernels)30 b(e)o(xpose)g(system)h(information,)g(and)f(collect)h(data)g(that)h (applications)d(cannot)h(easily)0 1279 y(deri)n(v)o(e)g(locally)-5 b(.)63 b(F)o(or)31 b(e)o(xample,)i(applications)d(can)i(determine)e(ho) n(w)h(man)o(y)f(hardw)o(are)g(netw)o(ork)h(b)n(uf)n(fers)f(there)h(are) h(or)f(which)0 1378 y(pages)23 b(cache)h(\002le)g(blocks.)40 b(An)23 b(e)o(xok)o(ernel)f(might)h(also)h(record)f(an)g(approximate)f (least\255recently\255used)f(ordering)h(of)h(all)i(physical)0 1478 y(pages,)18 b(something)e(indi)n(vidual)g(applications)h(cannot)g (do)g(without)g(global)g(information.)26 b(Additionally)-5 b(,)16 b(e)o(xok)o(ernels)g(e)o(xport)g(book\255)0 1577 y(k)o(eeping)24 b(data)h(structures)f(such)h(as)h(free)f(lists,)i(disk) e(arm)g(positions,)h(and)e(cached)h(TLB)g(entries)g(so)h(that)f (applications)f(can)h(tailor)0 1677 y(their)20 b(allocation)f(requests) h(to)g(a)n(v)n(ailable)g(resources.)125 1777 y(W)-7 b(e)17 b(ha)n(v)o(e)g(found)e(it)i(useful)f(in)h(practice)f(to)h(pro)o(vide)e (space)h(for)h(protected)e(application\255speci\002c)f(data)j(in)g(k)o (ernel)f(data)g(structures.)0 1876 y(F)o(or)31 b(e)o(xample,)i(the)e (structures)g(describing)e(an)j(e)o(x)o(ecution)d(en)m(vironment)f(are) k(impro)o(v)o(ed)c(if)k(application\255speci\002c)d(data)i(can)h(be)0 1976 y(associated)20 b(with)g(them)g(\(e.g.,)f(to)i(record)d(the)j (numeric)d(id)j(of)f(an)g(process')f(parent,)g(its)i(running)d(status,) j(program)d(name,)h(etc.\).)125 2076 y(These)26 b(principles)g(apply)g (not)h(just)h(to)f(the)g(k)o(ernel,)g(b)n(ut)g(to)h(an)o(y)e(component) e(of)j(an)g(e)o(xok)o(ernel)e(system.)50 b(Pri)n(vile)o(ged)25 b(serv)o(ers)0 2175 y(should)19 
b(pro)o(vide)f(an)i(interf)o(ace)g (boiled)f(do)n(wn)g(to)i(just)f(what)g(is)i(required)c(for)i (protection.)0 2388 y Fq(2.1.1)99 b(P)n(olicy)0 2535 y Fp(An)26 b(e)o(xok)o(ernel)e(hands)i(o)o(v)o(er)e(resource)h(polic)o (y)g(decisions)h(to)g(library)f(operating)g(systems.)47 b(Using)26 b(this)h(control)e(o)o(v)o(er)g(resources,)0 2635 y(an)j(application)e(or)h(collection)g(of)g(cooperating)e (applications)i(can)g(mak)o(e)g(decisions)h(about)e(ho)n(w)h(best)h(to) g(use)g(these)g(resources.)0 2735 y(Ho)n(we)n(v)o(er)m(,)15 b(as)j(in)f(all)g(systems,)h(an)e(e)o(xok)o(ernel)f(must)i(include)e (polic)o(y)h(to)h(arbitrate)f(between)g(competing)e(library)i (operating)f(systems:)0 2834 y(it)24 b(must)e(determine)g(the)h (absolute)f(importance)f(of)h(dif)n(ferent)f(applications,)h(their)h (share)g(of)f(resources,)g Fk(etc.)38 b Fp(This)23 b(situation)f(is)i (no)0 2934 y(dif)n(ferent)h(than)g(in)i(traditional)e(k)o(ernels.)46 b(Appropriate)24 b(mechanisms)h(are)h(determined)f(more)g(by)h(the)g (en)m(vironment)d(than)j(by)g(the)0 3033 y(operating)c(system)i (architecture.)38 b(F)o(or)23 b(instance,)h(while)g(an)g(e)o(xok)o (ernel)d(cedes)j(management)e(of)h(resources)g(to)h(library)e (operating)0 3133 y(systems,)j(it)g(controls)e(the)h(allocation)g(and)f (re)n(v)n(ocation)f(of)i(these)h(resources.)40 b(By)24 b(deciding)f(which)g(allocation)g(requests)h(to)g(grant)0 3233 y(and)e(from)f(which)h(applications)f(to)h(re)n(v)n(ok)o(e)f (resources,)h(an)g(e)o(xok)o(ernel)e(can)i(enforce)f(traditional)g (partitioning)f(strate)o(gies,)j(such)f(as)0 3332 y(quotas)j(or)h (reserv)n(ation)e(schemes.)46 b(Since)25 b(polic)o(y)g(con\003icts)h (boil)f(do)n(wn)g(to)h(resource)e(allocation)h(decisions)h(\()p Fk(e)o(.g)o(.,)f Fp(allocation)g(of)0 3432 y(seek)20 b(time,)g(physical)f(memory)-5 b(,)18 b(or)i(disk)g(blocks\),)f(an)h(e) o(xok)o(ernel)e(handles)i(them)g(in)g(a)h(similar)f(manner)-5 b(.)0 3679 y Fv(2.2)117 b(K)m(er)n(nel)28 b(support)g(f)m(or)g(pr)n (otected)e(abstractions)0 3864 y 
Fp(Man)o(y)g(of)h(the)h(resources)e (protected)g(by)h(traditional)f(operating)f(systems)j(are)f(themselv)o (es)g(high\255le)n(v)o(el)e(abstractions.)49 b(Files,)30 b(for)0 3964 y(instance,)g(consist)e(of)g(meta)g(data,)i(disk)f (blocks,)g(and)f(b)n(uf)n(fer)f(cache)g(pages,)j(all)f(of)f(which)g (are)g(guarded)e(by)i(access)h(control)e(on)0 4064 y(high\255le)n(v)o (el)17 b(\002le)i(objects.)29 b(While)19 b(e)o(xok)o(ernels)f(allo)n(w) g(direct)h(access)h(to)f(lo)n(w\255le)n(v)o(el)e(resources,)h(e)o(xok)o (ernel)f(systems)j(must)f(be)g(able)f(to)0 4163 y(pro)o(vide)i (UNIX\255lik)o(e)i(protection,)e(including)h(access)i(control)e(on)h (high\255le)n(v)o(el)e(objects)i(where)f(required)g(for)g(security)-5 b(.)35 b(One)22 b(of)g(the)0 4263 y(main)c(challenges)g(in)g(designing) f(e)o(xok)o(ernels)g(is)i(to)g(\002nd)f(k)o(ernel)g(interf)o(aces)g (that)g(allo)n(w)h(such)f(higher)n(\255le)n(v)o(el)e(access)j(control)e (without)0 4363 y(either)j(mandating)e(a)j(particular)e(implementation) f(or)h(hindering)f(application)h(control)g(of)h(hardw)o(are)f (resources.)125 4462 y(W)-7 b(e)35 b(ha)n(v)o(e)e(met)h(this)g (challenge)f(by)g(pro)o(viding)e(both)i(protection)f(machinery)g(in)i (the)g(k)o(ernel)f(and)g(w)o(ays)i(for)e(applications)0 4562 y(to)g(do)n(wnload)d(code)h(to)i(augment)e(this)i(machinery)-5 b(.)63 b(In)32 b(the)g(former)f(cate)o(gory)-5 b(,)33 b(our)f(e)o(xok)o(ernels)e(pro)o(vide)g(pro)o(vides)h(softw)o(are)0 4661 y(abstractions)21 b(to)g(bind)g(hardw)o(are)f(resources)g (together)-5 b(.)32 b(F)o(or)21 b(e)o(xample,)f(as)i(sho)n(wn)f(in)g (Figure)g(2\2551,)f(the)i(Xok)f(b)n(uf)n(fer)f(cache)h(re)o(gistry)0 4761 y(binds)e(disk)g(blocks)g(to)h(the)f(memory)f(pages)h(caching)f (them.)29 b(Applications)18 b(ha)n(v)o(e)h(control)f(o)o(v)o(er)g (physical)h(pages)g(and)g(disk)g(I/O,)h(b)n(ut)0 4861 y(can)k(also)h(safely)f(use)h(each)f(other')-5 b(s)24 b(cached)g(pages.)41 b(Our)25 b(e)o(xok)o(ernel')-5 b(s)22 
b(protection)h(mechanism)g(guarantees)g(that)i(a)g(process)f(can)0 4960 y(only)19 b(access)i(a)g(cache)e(page)h(if)g(it)h(has)g(the)f (same)g(le)n(v)o(el)g(of)g(access)h(to)f(the)g(corresponding)d(disk)j (block.)125 5060 y(More)e(generally)-5 b(,)17 b(by)h(allo)n(wing)g (applications)f(to)i(do)n(wnload)e(code,)h(an)h(e)o(xok)o(ernel)d(gi)n (v)o(es)i(them)h(a)g(mechanism)f(to)g(encapsulates)0 5160 y(an)c(abstraction')-5 b(s)13 b(state)i(and)e(can)h(thereby)f (enforce)f(in)m(v)n(ariants)h(on)h(it.)27 b(This)15 b(strate)o(gy)e(is) i(required)d(for)h(abstractions)h(whose)f(protection)0 5259 y(does)21 b(not)g(map)g(to)g(hardw)o(are)f(abstractions.)31 b(F)o(or)21 b(e)o(xample,)f(\002les)i(may)f(require)f(v)n(alid)h (updates)f(to)i(their)f(modi\002cation)e(times.)33 b(Our)1908 5589 y(22)p eop %%Page: 23 24 23 23 bop 0 83 a Fp(oldest)20 b(use)h(of)f(do)n(wnloaded)e(code)h(is)j (pack)o(et)e(\002lters.)30 b(P)o(ack)o(et)20 b(\002lters)h(are)g (application\255written)d(code)h(fragments)g(that)i(applications)0 183 y(do)n(wnload)d(into)i(the)g(k)o(ernel)g(to)g(select)h(what)f (incoming)e(netw)o(ork)h(pack)o(ets)h(the)o(y)g(w)o(ant.)125 282 y(Ho)n(we)n(v)o(er)m(,)j(while)i(these)f(softw)o(are)g (abstractions)g(reside)h(in)f(the)h(k)o(ernel,)f(the)o(y)g(could)g (also)h(be)f(implemented)f(in)i(trusted)f(user)n(\255)0 382 y(le)n(v)o(el)29 b(serv)o(ers.)55 b(This)29 b(microk)o(ernel)e(or)o (ganization)f(w)o(ould)i(cost)i(man)o(y)e(additional)f(\(potentially)h (e)o(xpensi)n(v)o(e\))f(conte)o(xt)g(switches.)0 482 y(Furthermore,)18 b(partitioning)g(functionality)g(in)i(user)n(\255le)n (v)o(el)f(serv)o(ers)h(tends)g(to)g(be)g(more)g(comple)o(x.)125 581 y(From)29 b(one)h(perspecti)n(v)o(e,)h(do)n(wnloaded)c(code)j(pro)o (vides)f(a)h(conduit)f(for)h(pushing)f(semantics)h(across)g(the)h(user) n(\255k)o(ernel)d(trust)0 681 y(boundary)-5 b(.)63 b(This)33 b(acti)n(vity)f(is)i(more)d(important)h(for)f(e)o(xok)o(ernels)g(than)h (traditional)g(systems.)67 b(By)33 
b(dislodging)e(OS)i(code)f(into)0 780 y(libraries,)20 b(an)h(e)o(xok)o(ernel)d(also)j(remo)o(v)o(es)e (the)i(code)f(that)g(understands)f(resource)h(semantics)g(and,)g(thus,) h(lose)g(the)f(ability)h(to)f(protect)0 880 y(these)h(resources.)29 b(F)o(or)20 b(netw)o(orking,)e(because)i(an)h(e)o(xok)o(ernel)d(ejects) j(the)g(code)f(that)g(understands)f(netw)o(ork)g(protocol)g(semantics)i (it)0 980 y(no)i(longer)g(understands)e(ho)n(w)i(to)h(bind)f(incoming)f (pack)o(ets)h(to)h(applications.)38 b(P)o(ack)o(et)24 b(\002lters)g(pro)o(vide)e(a)i(w)o(ay)g(to)f(recapture)f(these)0 1079 y(semantics)f(by)f(encapsulating)e(them)j(in)f(a)h(black)f(box)g (\(the)g(\002lter\),)h(which)f(is)h(then)f(injected)g(into)h(the)f(k)o (ernel.)30 b(The)20 b(e)o(xok)o(ernel)f(thus)0 1179 y(trades)j(an)f (intractable)g(problem)f(\227)i(anticipating)e(all)j(possible)e(in)m(v) n(ariants)f(that)i(must)g(be)g(enforced)d(\227)j(for)g(one)f(that)g(is) i(tractable:)0 1279 y(testing)18 b(the)g(do)n(wnloaded)d(code)i(for)g (trustw)o(orthiness)g(\(in)h(this)h(case,)f(that)g(one)f(\002lter)i (will)f(not)g(steal)h(another')-5 b(s)16 b(pack)o(ets\).)28 b(Chapter)17 b(6)0 1378 y(discusses)k(this)f(perspecti)n(v)o(e)f(in)h (more)g(detail.)125 1478 y(The)e(k)o(e)o(y)h(to)g(these)h(e)o(xok)o (ernel)d(softw)o(are)h(abstractions)h(is)h(that)f(the)o(y)g(neither)f (hinder)g(lo)n(w\255le)n(v)o(el)g(access)h(to)h(hardw)o(are)e (resources)0 1577 y(nor)k(unduly)f(restrict)j(the)f(semantics)g(of)f (the)h(protected)f(abstractions)g(the)o(y)g(enable.)37 b(Gi)n(v)o(en)22 b(these)h(properties,)f(a)i(k)o(ernel)e(softw)o(are)0 1677 y(abstraction)d(does)h(not)g(violate)g(the)g(e)o(xok)o(ernel)e (principles.)0 1890 y Fq(Pr)n(otected)26 b(sharing)0 2037 y Fp(The)16 b(lo)n(w\255le)n(v)o(el)f(e)o(xok)o(ernel)f(interf)o (ace)i(gi)n(v)o(es)g(libOSes)h(enough)d(hardw)o(are)h(control)g(to)i (implement)e(all)i(traditional)e(operating)f(system)0 2137 y(abstractions.)29 b(Library)18 b(implementations)h(of)h 
(abstractions)f(ha)n(v)o(e)h(the)g(adv)n(antage)e(that)j(the)o(y)e(can) h(trust)h(the)f(applications)f(the)o(y)h(link)0 2236 y(with)26 b(and)g(need)f(not)h(defend)f(against)g(malicious)h(use.)47 b(The)26 b(\003ip)g(side,)i(ho)n(we)n(v)o(er)m(,)d(is)i(that)f(a)h (libOS)f(cannot)f(necessarily)h(trust)g(all)0 2336 y(other)d(libOSes)h (with)g(access)h(to)f(a)g(particular)f(resource.)39 b(When)23 b(libOSes)i(guarantee)d(in)m(v)n(ariants)g(about)h(their)h (abstractions,)f(the)o(y)0 2436 y(must)d(be)f(a)o(w)o(are)g(of)h(e)o (xactly)e(which)h(resources)g(are)g(in)m(v)n(olv)o(ed,)f(what)h(other)g (processes)g(ha)n(v)o(e)g(access)h(to)g(those)f(resources,)g(and)g (what)0 2535 y(le)n(v)o(el)h(of)g(trust)g(the)o(y)g(place)g(in)g(those) g(other)f(processes.)125 2635 y(As)g(an)g(e)o(xample,)f(consider)g(the) h(semantics)g(of)f(the)h(UNIX)g(fork)f(system)h(call.)29 b(It)20 b(spa)o(wns)e(a)i(ne)n(w)f(process)f(initially)h(identical)f (to)0 2735 y(the)g(currently)d(running)h(one.)28 b(This)17 b(in)m(v)n(olv)o(es)g(cop)o(ying)e(the)j(entire)f(virtual)g(address)g (space)h(of)f(the)h(parent)e(process,)i(a)g(task)f(operating)0 2834 y(systems)25 b(typically)e(perform)f(lazily)i(through)e(cop)o (y\255on\255write)f(to)k(a)n(v)n(oid)e(unnecessary)g(page)g(copies.)41 b(While)25 b(cop)o(y\255on\255write)c(can)0 2934 y(al)o(w)o(ays)i(be)f (done)f(in)i(a)f(trusted,)h(in\255k)o(ernel)d(virtual)i(memory)f (system,)h(a)h(libOS)g(must)f(e)o(x)o(ercise)f(care)h(to)h(a)n(v)n(oid) f(compromising)e(the)0 3033 y(semantics)c(of)g(fork)g(when)f(sharing)h (pages)g(with)g(potentially)f(untrusted)g(processes.)28 b(This)16 b(section)g(details)h(some)f(of)g(the)h(approaches)0 3133 y(we)k(ha)n(v)o(e)e(used)h(to)g(allo)n(w)h(a)f(libOS)h(to)f (maintain)f(in)m(v)n(ariants)g(when)h(sharing)f(resources)g(with)i (other)e(libOSes.)125 3233 y(Our)14 b(latest)i(e)o(xok)o(ernel,)e(Xok,) h(pro)o(vides)e(three)i(mechanisms)f(libOSes)h(can)g(use)g(to)g (maintain)g(in)m(v)n(ariants)e(in)i(shared)g(abstractions.)0 3332 
y(First,)34 b Fk(softwar)m(e)d(r)m(e)m(gions)p Fp(,)h(areas)f(of)f (memory)f(that)i(can)f(only)g(be)g(read)g(or)h(written)f(through)e (system)j(calls,)j(pro)o(vide)28 b(sub\255page)0 3432 y(protection)34 b(and)h(f)o(ault)g(isolation.)75 b(Second,)38 b(Xok)d(allo)n(ws)h(on)f(the\255\003y\255creation)e(of)j Fk(hier)o(ar)m(c)o(hically\255named)c(capabilities)i Fp(and)0 3532 y(requires)14 b(that)i(these)f(capabilities)g(be)g (speci\002ed)g(e)o(xplicitly)g(on)f(each)h(system)h(call)g([62)n(].)28 b(Thus,)16 b(a)f(b)n(uggy)f(child)h(process)g(accidentally)0 3631 y(requesting)h(write)i(access)g(to)g(a)g(page)f(or)g(softw)o(are)g (re)o(gion)f(of)h(its)i(parent)d(will)j(lik)o(ely)e(pro)o(vide)f(the)h (wrong)g(capability)f(and)h(be)h(denied)0 3731 y(permission.)26 b(Third,)14 b(Xok)g(pro)o(vides)e(rob)n(ust)i(critical)g(sections:)26 b(ine)o(xpensi)n(v)o(e)12 b(critical)i(sections)g(that)h(are)f (implemented)e(by)h(logically)0 3830 y(disabling)19 b(softw)o(are)g (interrupts)g([10)o(].)29 b(Using)20 b(critical)g(sections)f(instead)h (of)g(locks)f(eliminates)h(the)g(need)f(to)h(trust)g(other)f (processes.)125 3930 y(Three)g(le)n(v)o(els)h(of)g(trust)g(determine)f (what)h(optimizations)f(can)h(be)g(used)g(by)g(the)g(implementation)e (of)i(a)h(shared)e(abstraction.)125 4030 y Fo(Optimize)25 b(f)n(or)h(the)g(common)f(case:)41 b(Mutual)26 b(trust.)46 b Fp(It)26 b(is)h(often)e(the)g(case)i(that)e(applications)g(sharing)g (resources)g(place)g(a)0 4129 y(considerable)18 b(amount)g(of)h(trust)g (in)h(each)f(other)-5 b(.)29 b(F)o(or)19 b(instance,)g(an)o(y)f(tw)o(o) i(UNIX)f(programs)f(run)g(by)h(the)h(same)f(user)h(can)f(arbitrarily)0 4229 y(modify)28 b(each)i(others')f(memory)f(through)g(the)i(deb)n (ugger)d(system)j(call,)j(ptrace.)58 b(When)29 b(tw)o(o)h(e)o(xok)o (ernel)e(processes)i(can)f(write)0 4329 y(each)f(others')g(memory)-5 b(,)29 b(their)g(libOSes)g(can)g(clearly)f(trust)h(each)f(other)g(not)h (to)g(be)f(malicious.)55 b(This)29 b(reduces)f(the)h(problem)e(of)0 4428 
y(guaranteeing)16 b(in)m(v)n(ariants)h(from)h(one)g(of)h(security) f(to)h(one)f(of)g(f)o(ault\255isolation,)g(and)g(consequently)e(allo)n (ws)j(libOS)g(code)f(to)h(resemble)0 4528 y(that)h(of)g(monolithic)f(k) o(ernels)g(implementing)f(the)j(same)f(abstraction.)125 4627 y Fo(Unidir)o(ectional)k(trust.)46 b Fp(Another)24 b(common)g(scenario)g(occurs)h(when)g(tw)o(o)h(processes)f(share)h (resources)e(and)h(one)g(trusts)i(the)0 4727 y(other)m(,)17 b(b)n(ut)i(the)g(trust)f(is)i(not)e(mutual.)28 b(Netw)o(ork)18 b(serv)o(ers)g(often)f(follo)n(w)h(this)h(or)o(ganization:)26 b(a)19 b(pri)n(vile)o(ged)d(process)i(accepts)h(netw)o(ork)0 4827 y(connections,)28 b(forks,)i(and)e(then)g(drops)f(pri)n(vile)o (ges)g(to)i(perform)e(actions)h(on)g(behalf)f(of)i(a)f(particular)g (user)-5 b(.)54 b(Man)o(y)27 b(abstractions)0 4926 y(implemented)15 b(for)i(mutual)g(trust)g(can)g(also)h(function)d(under)h (unidirectional)f(trust)j(with)f(only)g(slight)g(modi\002cation.)27 b(In)17 b(the)g(e)o(xample)0 5026 y(of)26 b(cop)o(y\255on\255write,)e (for)i(instance,)h(the)f(trusted)g(parent)f(process)h(must)g(retain)g (e)o(xclusi)n(v)o(e)f(control)g(of)h(shared)f(pages)h(and)g(its)h(o)n (wn)0 5126 y(page)21 b(tables,)g(pre)n(v)o(enting)e(a)i(child)g(from)f (child)h(making)f(copied)g(pages)h(writable)f(in)i(the)f(parent.)31 b(While)22 b(this)g(requires)e(more)g(page)0 5225 y(f)o(aults)g(in)h (the)f(parent,)f(it)i(does)f(not)g(increase)f(the)i(number)d(of)i(page) f(copies)h(or)g(seriously)g(complicate)f(the)h(code.)1908 5589 y(23)p eop %%Page: 24 25 24 24 bop 125 83 a Fo(Mutual)21 b(distrust.)34 b Fp(Finally)-5 b(,)21 b(there)g(are)g(situations)g(where)g(mutually)f(distrustful)h (processes)g(must)h(share)f(high\255le)n(v)o(el)e(abstrac\255)0 183 y(tions)k(with)g(each)f(other)-5 b(.)37 b(F)o(or)22 b(instance,)h(tw)o(o)g(unrelated)e(processes)i(may)f(wish)h(to)g (communicate)e(o)o(v)o(er)g(a)j(UNIX)f(domain)e(sock)o(et,)0 282 y(and)g(neither)f(may)h(ha)n(v)o(e)g(an)o(y)g(trust)g(in)h(the)f (other)-5 
b(.)32 b(F)o(or)21 b(OS)h(abstractions)f(that)g(can)g(be)h (shared)e(by)h(mutually)f(distrustful)h(processes,)0 382 y(the)j(most)g(general)e(solution)h(is)i(to)f(apply)f(the)h(e)o (xok)o(ernel)e(precepts)h(recursi)n(v)o(ely:)35 b(di)n(vide)22 b(libraries)i(into)g(pri)n(vile)o(ged)d(and)j(unpri)n(vi\255)0 482 y(le)o(ged)19 b(parts,)h(where)g(the)g(\223pri)n(vile)o(ged\224)d (part)j(contains)g(all)g(code)g(required)e(for)i(protection,)e(and)h (must)h(be)g(used)g(by)g(all)h(applications)0 581 y(using)h(a)h(piece)f (of)g(state,)i(while)e(the)h(unpri)n(vile)o(ged)c(contains)j(all)h (management)d(code)i(and)g(can)g(be)h(replaced)e(by)h(an)o(yone.)34 b(F)o(orcing)0 681 y(applications)21 b(to)h(use)g(the)g(pri)n(vile)o (ged)d(portion)i(of)g(a)i(libOS)f(can)g(be)f(done)g(by)h(placing)e(it)j (in)f(a)g(serv)o(er)m(,)f(using)h(compiler)e(techniques,)0 780 y(or)g(do)n(wnloading)d(code)j(it)h(into)e(the)i(k)o(ernel.)28 b(W)-7 b(e)21 b(ha)n(v)o(e)f(used)g(all)h(three.)125 880 y(F)o(ortunately)-5 b(,)22 b(sharing)h(with)i(mutual)e(distrust)h (occurs)g(v)o(ery)f(infrequently)e(for)j(man)o(y)e(abstractions.)41 b(Man)o(y)23 b(types)h(of)g(sharing)0 980 y(occur)19 b(only)h(between)f(child)h(and)f(parent)h(processes,)f(where)h(mutual)f (or)h(unidirectional)e(trust)i(almost)h(al)o(w)o(ays)f(holds.)0 1227 y Fv(2.3)117 b(Implementation\255de\002ned)24 b(Decisions)0 1412 y Fp(The)19 b(e)o(xok)o(ernel)e(architecture)g(de\002nes)i(a)h(f)o (amily)f(of)g(implementations.)26 b(T)-7 b(o)20 b(understand)d(it,)j (it)g(helps)f(to)g(understand)e(what)i(it)h(is)g(not.)0 1512 y(It)g(lea)n(v)o(es)h(the)f(follo)n(wing)f(\002v)o(e)h(decisions)f (to)i(the)f(system)g(designer)-5 b(.)125 1611 y Fo(What)16 b(to)g(pr)o(otect.)26 b Fp(While)17 b(it)g(is)h(hard)d(to)i(imagine)e (a)i(usable)f(system)g(that)h(elides)f(memory)f(and)h(disk)g (protection,)f(the)i(e)o(xok)o(ernel)0 1711 y(architecture)28 b(does)h(not)g(mandate)f(what)h(should)f(be)h(protected.)55 b(It)29 
b(only)g(says)h(that)f(once)g(this)g(decision)g(has)g(been)g (made,)h(that)0 1811 y(all)g(functionality)e(not)i(needed)e(for)h (protection)f(should)h(be)h(implemented)e(by)h(untrusted)f(softw)o (are.)58 b(Example)29 b(resources)f(that)0 1910 y(our)i(e)o(xok)o (ernel)f(implementations)g(deliberately)g(do)i(not)f(protect)h(are:)50 b(bandwidth)29 b(quality)i(of)f(service)h(guarantees,)h(deadline)0 2010 y(guarantees,)19 b(or)g(an)o(y)h(number)e(of)i(restrictions)g (required)e(by)i(real)g(time)h(systems.)125 2110 y Fo(What)i(global)h (system)g(policies)h(to)f(implement.)41 b Fp(Ev)o(ery)23 b(system)h(includes)f(global)h(policies)f(enforced)f(on)i(all)h (applications)0 2209 y(that)15 b(decide)e(which)h(processes)g(to)h(re)n (v)n(ok)o(e)e(resources)h(from)f(and)h(which)g(requests)g(to)g(grant)g (or)g(den)o(y)f(\(e)n(v)o(en)g(if)i(this)g(polic)o(y)e(is)j(no)e(polic) o(y)0 2309 y(at)26 b(all\).)46 b(What)25 b(speci\002c)h(global)f(polic) o(y)f(is)j(enforced)c(\227)j(whether)f(it)h(be)g(optimized)e(for)h (interacti)n(v)o(e)f(performance,)g(throughput,)0 2408 y(real)d(time,)h(etc.)33 b(\227)22 b(is)g(orthogonal)d(to)i(the)h (architecture.)31 b(Ho)n(we)n(v)o(er)m(,)19 b(gi)n(v)o(en)i(a)g(polic)o (y)-5 b(,)20 b(an)i(e)o(xok)o(ernel)d(designer)h(stri)n(v)o(es)h(to)h (in)m(v)n(olv)o(es)0 2508 y(application)d(decisions)g(in)i(its)g (implementation.)125 2608 y Fo(Ho)o(w)30 b(to)g(pr)o(otect.)58 b Fp(While)31 b(we)f(pro)o(vide)f(e)o(xamples)g(of)h(ho)n(w)g(our)f(e)o (xok)o(ernel)g(systems)h(ha)n(v)o(e)g(multiple)o(x)o(ed)e(memory)-5 b(,)31 b(disk,)0 2707 y(netw)o(ork,)15 b(etc.,)i(these)g(w)o(ays)f(are) g(not)g(the)g(only)f(ones.)28 b(Again,)15 b(what)h(is)h(important)e(in) h(an)g(e)o(xok)o(ernel)e(is)j(allo)n(wing)e(untrusted)g(softw)o(are)0 2807 y(to)21 b(implement)f(e)n(v)o(erything)e(not)j(needed)f(for)g (protection;)g(the)h(designer)f(has)h(discretion)f(in)h(ho)n(w)g(he)g (achie)n(v)o(es)f(this.)32 b(This)21 b(decision)0 2907 
y(includes)h(ho)n(w)h(to)g(track)f(access)i(rights:)34 b(our)22 b(\002rst)i(e)o(xok)o(ernel)d(used)i(self\255authenticating)d (capabilities)j([15)n(],)h(then)e(access)i(control)0 3006 y(bitmaps)c([16)n(],)h(our)e(second)g(hierarchical)g(capabilities) h([63)n(].)125 3106 y Fo(The)j(le)o(v)o(el)f(of)h(pr)o(otection.)34 b Fp(An)23 b(e)o(xok)o(ernel)d(interf)o(ace)i(may)g(contain)f (high\255le)n(v)o(el)g(primiti)n(v)o(es.)35 b(The)22 b(e)o(xok)o(ernel)e(principles)i(are)0 3205 y(guides)16 b(for)g Fk(how)h Fp(to)g(gi)n(v)o(e)f(control)g(to)h(applications,)f (and)g(are)h(only)f(applicable)g(after)g(it)i(has)f(been)f(determined)f Fk(what)i Fp(le)n(v)o(el)f(of)h(control)0 3305 y(is)k(allo)n(w)o(able.) 125 3405 y(In)i(particular)m(,)f(state)i(shared)f(between)f (applications)g(can)i(require)e(f)o(airly)h(high\255le)n(v)o(el)e (semantic)i(guarantees)f(and,)h(hence,)g(an)o(y)0 3504 y(protected)f(interf)o(ace)g(will)i(be)f(high\255le)n(v)o(el.)36 b(F)o(or)23 b(e)o(xample,)f(processes)h(sharing)f(a)i(Unix\255\003a)n (v)n(or)e(\002le)i(system)f(may)g(require)f(that)h(\002le)0 3604 y(modi\002cation)i(times)j(be)e(accurate,)i(which)e(in)m(v)n(olv)o (es)g(ensuring)f(disk)i(operations)e(modify)g(\002le)j(access)f(times.) 50 b(An)27 b(e)o(xok)o(ernel)e(is)0 3704 y(about)d(protection.)36 b(If)23 b(such)g(protection)f(is)i(required,)e(pro)o(viding)e(it)k(in)f (the)g(k)o(ernel)g(does)f(not)h(violate)g(e)o(xok)o(ernel)e(precepts.) 
37 b(What)0 3803 y(the)27 b(e)o(xok)o(ernel)e(does)i(say)h(is)g(that)f (non\255protection)d(related)j(functionality)e(should)h(be)h(migrated)f (to)i(unpri)n(vile)o(ged)c(softw)o(are.)50 b(In)0 3903 y(addition,)17 b(applications)h(not)g(needing)f(these)i(\002le)g (modi\002cation)e(guarantees)g(should)h(not)g(be)h(forced)e(to)h(use)h (them.)29 b(The)o(y)17 b(should)h(be)0 4002 y(able)i(to)g(to)h(access)g (the)f(lo)n(w\255le)n(v)o(el)f(disk)h(in)g(order)f(to)h(implement)f(an) i(alternati)n(v)o(e)d(\002le)j(system.)125 4102 y Fo(Ho)o(w)j(the)i(k)o (er)o(nel)f(is)h(or)o(ganized.)44 b Fp(It)25 b(is)h(easy)f(to)g(read)g (the)g(e)o(xok)o(ernel)e(principles)h(as)i(an)f(e)o(xcessi)n(v)o(e)f (concern)g(for)g(what)h(is)h(in)0 4202 y(the)g(k)o(ernel)g(proper)-5 b(.)46 b(This)27 b(is)g(not)f(what)h(is)g(intended.)46 b(The)26 b(central)g(question)f(of)h(an)h(e)o(xok)o(ernel)d(is)j(not)f (about)g(ho)n(w)g(to)g(or)o(ganize)0 4301 y(pri)n(vile)o(ged)21 b(code.)37 b(It)23 b(does)g(not)g(matter)g(whether)f(an)h(e)o(xok)o (ernel)e(is)j(implemented)d(as)j(a)f(monolithic)e(k)o(ernel)i(or)g(as)g (a)h(collection)e(of)0 4401 y(trusted)h(processes)g(around)f(a)i (micro\255k)o(ernel.)36 b(Rather)23 b(the)h(architecture')-5 b(s)22 b(central)h(question)f(is)j(ho)n(w)e(ho)n(w)g(to)g(mak)o(e)g (traditionally)0 4501 y(pri)n(vile)o(ged)18 b(code)i(unpri)n(vile)o (ged)d(by)i(limiting)h(the)g(duties)h(of)e(the)i(k)o(ernel)e(to)h(just) h(these)g(required)d(for)h(protection.)125 4600 y Fo(Acceptable)g (default)h(functionality)-6 b(.)28 b Fp(An)20 b(e)o(xok)o(ernel)e(may)i (pro)o(vide)e(signi\002cant)h(def)o(ault)h(functionality)e(as)j(long)e (as)i(it)g(can)f(be)0 4700 y(o)o(v)o(erridden)d(without)i(compromising) f(either)i(protection)e(or)i(ef)n(\002cienc)o(y)-5 b(.)0 4947 y Fv(2.4)117 b(V)l(isible)29 b(Resour)n(ce)e(Re)n(v)o(ocation)0 5132 y Fp(Once)k(resources)g(ha)n(v)o(e)g(been)g(bound)f(to)i (applications,)h(there)e(must)h(be)g(a)g(w)o(ay)g(to)f(reclaim)h(them)f (and)g(break)g(their)g(bindings.)0 
5232 y(Re)n(v)n(ocation)13 b(can)i(either)f(be)g Fk(visible)h Fp(or)f Fk(in)m(visible)g Fp(to)g(applications.)26 b(T)m(raditionally)-5 b(,)13 b(operating)g(systems)i(ha)n(v)o(e)f(performed)d(re)n(v)n(ocation)0 5332 y(in)m(visibly)-5 b(,)23 b(deallocating)e(resources)i(without)g (application)f(in)m(v)n(olv)o(ement.)36 b(F)o(or)23 b(e)o(xample,)g (with)g(the)h(e)o(xception)d(of)j(some)f(e)o(xternal)1908 5589 y(24)p eop %%Page: 25 26 25 25 bop 0 83 a Fp(pagers)15 b([2)o(,)i(77)o(],)g(most)f(operating)e (systems)j(deallocate)e(\(and)g(allocate\))g(physical)g(memory)g (without)g(informing)f(applications.)26 b(This)0 183 y(form)15 b(of)h(re)n(v)n(ocation)f(has)h(lo)n(wer)g(latenc)o(y)f(and)h (is)h(simpler)f(than)g(visible)g(re)n(v)n(ocation)e(since)j(it)g (requires)e(no)h(application)e(in)m(v)n(olv)o(ement.)0 282 y(Its)24 b(disadv)n(antages)e(are)h(that)h(library)e(operating)g (systems)i(cannot)e(guide)h(deallocation)f(and)h(ha)n(v)o(e)g(no)g(kno) n(wledge)e(that)j(resources)0 382 y(are)c(scarce.)125 482 y(An)26 b(e)o(xok)o(ernel)e(uses)i(visible)g(re)n(v)n(ocation)f (for)g(most)i(resources.)46 b(Ev)o(en)25 b(the)h(processor)f(is)i(e)o (xplicitly)e(re)n(v)n(ok)o(ed)f(at)j(the)f(end)g(of)0 581 y(a)32 b(time)f(slice;)38 b(a)32 b(library)f(operating)e(system)j (might)f(react)g(by)g(sa)n(ving)g(only)g(the)g(required)f(processor)g (state.)63 b(F)o(or)32 b(e)o(xample,)g(a)0 681 y(library)20 b(operating)f(system)i(could)e(a)n(v)n(oid)i(sa)n(ving)f(the)h (\003oating)f(point)g(state)i(or)e(other)g(re)o(gisters)h(that)g(are)f (not)h(li)n(v)o(e.)31 b(Ho)n(we)n(v)o(er)m(,)18 b(since)0 780 y(visible)25 b(re)n(v)n(ocation)e(requires)h(interaction)f(with)j (a)f(library)f(operating)f(system,)j(in)m(visible)e(re)n(v)n(ocation)f (can)i(perform)e(better)h(when)0 880 y(re)n(v)n(ocations)15 b(occur)g(v)o(ery)g(frequently)-5 b(.)26 b(Processor)15 b(addressing\255conte)o(xt)e(identi\002ers)j(are)g(a)h(stateless)h (resource)d(that)h(may)g(be)g(re)n(v)n(ok)o(ed)0 980 
y(v)o(ery)j(frequently)f(and)i(are)g(best)g(handled)f(by)h(in)m (visible)f(re)n(v)n(ocation.)0 1192 y Fq(Re)o(v)o(ocation)24 b(and)i(Ph)o(ysical)e(Naming)0 1340 y Fp(The)c(use)i(of)e(physical)g (resource)f(names)i(requires)f(that)g(an)h(e)o(xok)o(ernel)e(re)n(v)o (eal)h(each)g(re)n(v)n(ocation)f(to)i(the)g(rele)n(v)n(ant)f(library)f (operating)0 1439 y(system)25 b(so)g(that)g(it)g(can)f(relocate)g(its)i (physical)e(names.)42 b(F)o(or)24 b(instance,)h(a)g(library)f (operating)f(system)h(that)h(relinquishes)f(physical)0 1539 y(page)16 b(\2235\224)h(should)f(update)f(an)o(y)h(of)h(its)h (page\255table)d(entries)i(that)g(refer)f(to)h(this)g(page.)27 b(This)17 b(is)h(easy)f(for)f(a)i(library)d(operating)g(system)i(to)0 1639 y(do)j(when)h(it)g(deallocates)f(a)i(resource)d(in)i(reaction)f (to)h(an)f(e)o(xok)o(ernel)f(re)n(v)n(ocation)g(request.)30 b(An)21 b(abort)f(protocol)f(\(discussed)i(belo)n(w\))0 1738 y(allo)n(ws)f(relocation)f(to)i(be)f(performed)d(when)j(an)g(e)o (xok)o(ernel)e(forcibly)h(reclaims)h(a)g(resource.)125 1838 y(W)-7 b(e)32 b(vie)n(w)g(the)f(re)n(v)n(ocation)f(process)h(as)i (a)f(dialogue)e(between)g(an)i(e)o(xok)o(ernel)d(and)i(a)h(library)f (operating)f(system.)63 b(Library)0 1938 y(operating)21 b(systems)h(should)g(or)o(ganize)e(resource)h(lists)j(so)f(that)f (resources)g(can)g(be)g(deallocated)f(quickly)-5 b(.)34 b(F)o(or)22 b(e)o(xample,)g(a)h(library)0 2037 y(operating)c(system)i (could)e(ha)n(v)o(e)h(a)h(simple)g(v)o(ector)e(of)i(physical)e(pages)h (that)h(it)g(o)n(wns:)30 b(when)20 b(the)h(k)o(ernel)f(indicates)g (that)h(some)f(page)0 2137 y(should)f(be)h(deallocated,)f(the)h (library)f(operating)g(system)h(selects)h(one)f(of)g(its)h(pages,)e (writes)i(it)g(to)f(disk,)g(and)g(frees)g(it.)0 2350 y Fq(The)26 b(Abort)f(Pr)n(otocol)0 2497 y Fp(An)e(e)o(xok)o(ernel)f (must)h(also)h(be)f(able)h(to)f(tak)o(e)h(resources)e(from)h(library)f (operating)g(systems)i(that)f(f)o(ail)h(to)f(respond)f(satisf)o (actorily)h(to)0 2597 y(re)n(v)n(ocation)16 
b(requests.)28 b(An)19 b(e)o(xok)o(ernel)d(can)h(de\002ne)h(a)h(second)e(stage)h(of)g (the)g(re)n(v)n(ocation)e(protocol)h(in)h(which)g(the)g(re)n(v)n (ocation)e(request)0 2696 y(\(\223please)27 b(return)g(a)h(memory)e (page\224\))g(becomes)h(an)g(imperati)n(v)o(e)f(\(\223return)g(a)i (page)f(within)h(50)f(microseconds\224\).)49 b(Ho)n(we)n(v)o(er)m(,)27 b(if)h(a)0 2796 y(library)18 b(operating)f(system)i(f)o(ails)h(to)f (respond)e(quickly)-5 b(,)18 b(the)g(bindings)g(need)g(to)h(be)g(brok)o (en)f(\223by)g(force.)-6 b(\224)28 b(The)19 b(actions)f(tak)o(en)h (when)f(a)0 2895 y(library)h(operating)f(system)j(is)g(recalcitrant)e (are)h(de\002ned)f(by)h(the)g Fk(abort)g(pr)l(otocol)p Fp(.)125 2995 y(One)i(possible)h(abort)f(protocol)g(is)i(to)f(simply)g (kill)g(an)o(y)f(library)g(operating)f(system)j(and)e(its)i(associated) f(application)f(that)h(f)o(ails)0 3095 y(to)h(respond)e(quickly)g(to)h (re)n(v)n(ocation)f(requests.)39 b(W)-7 b(e)24 b(rejected)f(this)h (method)e(because)h(we)h(belie)n(v)o(e)e(that)i(most)f(programmers)e (ha)n(v)o(e)0 3194 y(great)h(dif)n(\002culty)f(reasoning)f(about)h (hard)g(real\255time)h(bounds.)33 b(Instead,)21 b(if)i(a)f(library)f (operating)f(system)j(f)o(ails)f(to)h(comply)d(with)j(the)0 3294 y(re)n(v)n(ocation)17 b(protocol,)h(an)h(e)o(xok)o(ernel)e(simply) i(breaks)g(all)g(e)o(xisting)g(bindings)f(to)h(the)g(resource)f(and)h (informs)f(the)h(library)f(operating)0 3394 y(system.)125 3493 y(T)-7 b(o)16 b(record)e(the)i(forced)f(loss)i(of)e(a)i(resource,) e(a)h Fk(r)m(epossession)g(vector)g Fp(can)g(be)g(used.)28 b(When)15 b(an)h(e)o(xok)o(ernel)e(tak)o(es)i(a)h(resource)e(from)0 3593 y(a)h(library)f(operating)f(system,)i(this)g(f)o(act)g(is)h(re)o (gistered)d(in)i(the)g(v)o(ector)e(and)h(the)h(library)f(operating)f (system)i(recei)n(v)o(es)e(a)j(\223repossession\224)0 3692 y(e)o(xception)f(so)i(that)g(it)g(can)g(update)f(an)o(y)g (mappings)f(that)i(use)g(the)g(resource.)27 b(F)o(or)17 
b(resources)g(with)h(state,)h(an)e(e)o(xok)o(ernel)f(can)i(write)g(the) 0 3792 y(state)j(into)e(another)f(memory)h(or)g(disk)h(resource.)28 b(In)19 b(preparation,)e(the)j(library)f(operating)f(system)i(can)g (pre\255load)e(the)h(repossession)0 3892 y(v)o(ector)h(with)h(a)h(list) g(of)f(resources)f(that)i(can)f(be)g(used)g(for)f(this)i(purpose.)30 b(F)o(or)21 b(e)o(xample,)f(it)i(could)e(pro)o(vide)f(names)i(and)g (capabilities)0 3991 y(for)f(disk)g(blocks)f(that)i(should)e(be)h(used) g(as)h(backing)d(store)i(for)g(physical)f(memory)g(pages.)125 4091 y(Another)31 b(complication)g(is)i(that)g(an)g(e)o(xok)o(ernel)d (should)i(not)g(arbitrarily)g(choose)g(the)g(resource)g(to)h (repossess.)66 b(A)34 b(library)0 4191 y(operating)20 b(system)i(may)f(use)h(some)f(physical)g(memory)f(to)h(store)h(vital)g (bootstrap)e(information)f(such)j(as)g(e)o(xception)e(handlers)g(and)0 4290 y(page)30 b(tables.)59 b(The)30 b(simplest)h(w)o(ay)f(to)g(deal)h (with)f(this)h(is)g(to)f(guarantee)f(each)h(library)f(operating)f (system)j(a)g(small)f(number)f(of)0 4390 y(resources)g(that)g(will)i (not)e(be)h(repossessed)f(\()p Fk(e)o(.g)o(.,)h Fp(\002v)o(e)f(to)h (ten)g(physical)e(memory)g(pages\).)57 b(If)29 b(e)n(v)o(en)g(those)g (resources)g(must)h(be)0 4489 y(repossessed,)g(some)f(emer)o(genc)o(y)d (e)o(xception)i(that)h(tells)h(a)f(library)f(operating)f(system)i(to)g (submit)g(itself)h(to)f(a)g(\223sw)o(ap)h(serv)o(er\224)e(is)0 4589 y(required.)0 4836 y Fv(2.5)117 b(Secur)n(e)26 b(Bindings)0 5022 y Fp(One)14 b(of)h(the)f(primary)f(tasks)i(of)f(an)h(e)o(xok)o (ernel)d(is)k(to)e(multiple)o(x)g(resources)f Fk(secur)m(ely)p Fp(,)j(pro)o(viding)11 b(protection)i(for)h(mutually)f(distrustful)0 5121 y(applications.)48 b(T)-7 b(o)27 b(implement)e(protection)g(an)i (e)o(xok)o(ernel)e(must)i(guard)e(each)i(resource.)47 b(T)-7 b(o)27 b(perform)e(this)j(task)f(ef)n(\002ciently)-5 b(,)27 b(an)0 5221 y(e)o(xok)o(ernel)18 b(allo)n(ws)i(library)g 
(operating)e(systems)j(to)f(bind)f(to)i(resources)e(using)h Fk(secur)m(e)g(bindings)p Fp(.)1908 5589 y(25)p eop %%Page: 26 27 26 26 bop 125 83 a Fp(A)19 b(secure)g(binding)e(is)j(a)f(protection)e (mechanism)h(that)h(decouples)f(authorization)e(from)i(the)h(actual)g (use)g(of)g(a)h(resource.)27 b(Secure)0 183 y(bindings)d(impro)o(v)o(e) f(performance)f(in)k(tw)o(o)f(w)o(ays.)45 b(First,)27 b(the)e(protection)e(checks)i(in)m(v)n(olv)o(ed)e(in)j(enforcing)d(a)i (secure)g(binding)f(are)0 282 y(e)o(xpressed)16 b(in)i(terms)g(of)f (simple)h(operations)e(that)h(the)h(k)o(ernel)f(\(or)g(hardw)o(are\))f (can)h(implement)g(quickly)-5 b(.)26 b(Second,)17 b(a)h(secure)f (binding)0 382 y(performs)23 b(authorization)f(only)i(at)i(bind)e (time,)h(which)g(allo)n(ws)g(management)d(to)j(be)g(decoupled)d(from)i (protection.)41 b(Application\255)0 482 y(le)n(v)o(el)26 b(softw)o(are)h(is)g(responsible)f(for)g(man)o(y)f(resources)h(with)h (comple)o(x)e(semantics)h(\()p Fk(e)o(.g)o(.,)h Fp(netw)o(ork)e (connections\).)47 b(By)27 b(isolating)0 581 y(the)20 b(need)f(to)h(understand)e(these)i(semantics)g(to)g Fk(bind)f(time)p Fp(,)h(the)g(k)o(ernel)f(can)h(ef)n(\002ciently)f(implement)g(access)h (checks)f(at)i Fk(access)f(time)0 681 y Fp(because)i(it)h(need)f(no)g (longer)f(in)m(v)n(olv)o(e)f(an)j(application.)34 b(Simply)22 b(put,)g(a)h(secure)f(binding)f(allo)n(ws)h(the)h(k)o(ernel)e(to)i (protect)f(resources)0 780 y(without)d(understanding)f(them.)125 880 y(Operationally)-5 b(,)22 b(the)i(one)f(requirement)f(needed)g(to)i (support)f(secure)g(bindings)g(is)i(a)f(set)h(of)e(primiti)n(v)o(es)g (that)h(application\255le)n(v)o(el)0 980 y(softw)o(are)j(can)g(use)g (to)h(e)o(xpress)e(protection)f(checks.)50 b(The)27 b(primiti)n(v)o(es) f(can)h(be)g(implemented)e(either)i(in)h(hardw)o(are)d(or)i(softw)o (are.)0 1079 y(A)32 b(simple)g(hardw)o(are)e(secure)h(binding)f(is)j(a) f(TLB)g(entry:)52 b(when)31 b(a)h(TLB)g(f)o(ault)g(occurs)f(the)g (comple)o(x)f(mapping)g(of)h(virtual)g(to)0 1179 
y(physical)20 b(addresses)h(in)g(a)h(library)e(operating)f(system')-5 b(s)22 b(page)f(table)g(is)h(performed)d(and)h(then)h(loaded)f(into)h (the)g(k)o(ernel)g(\(bind)f(time\))0 1279 y(and)j(then)g(used)h (multiple)f(times)h(\(access)g(time\).)40 b(Another)22 b(e)o(xample)h(is)h(the)g(pack)o(et)f(\002lter)h([65)o(],)h(which)e (allo)n(ws)h(predicates)f(to)h(be)0 1378 y(do)n(wnloaded)g(into)j(the)h (k)o(ernel)e(\(bind)g(time\))h(and)g(then)f(run)h(on)f(e)n(v)o(ery)g (incoming)g(pack)o(et)g(to)h(determine)f(which)h(application)f(the)0 1478 y(pack)o(et)18 b(is)j(for)d(\(access)h(time\).)29 b(W)m(ithout)18 b(a)i(pack)o(et)e(\002lter)m(,)h(the)h(k)o(ernel)e(w)o (ould)g(need)h(to)g(query)e(e)n(v)o(ery)h(application)g(or)h(netw)o (ork)e(serv)o(er)0 1577 y(on)i(e)n(v)o(ery)f(pack)o(et)h(reception)f (to)h(determine)f(who)h(the)h(pack)o(et)e(w)o(as)j(for)-5 b(.)28 b(By)20 b(separating)e(protection)g(\(determining)f(who)i(the)g (pack)o(et)0 1677 y(is)27 b(for\))f(from)f(authorization)f(and)i (management)f(\(setting)h(up)g(connections,)g(sessions,)i(managing)d (retransmissions,)i Fk(etc.)p Fp(\))48 b(v)o(ery)0 1777 y(f)o(ast)21 b(netw)o(ork)e(multiple)o(xing)f(is)j(possible)f(while)g (still)h(supporting)d(complete)h(application\255le)n(v)o(el)f(\003e)o (xibility)-5 b(.)125 1876 y(W)e(e)36 b(use)g(three)f(basic)h (techniques)e(to)h(implement)f(secure)i(bindings:)58 b(hardw)o(are)34 b(mechanisms,)k(softw)o(are)d(caching,)j(and)0 1976 y(do)n(wnloading)17 b(application)i(code.)125 2076 y(Appropriate)j(hardw)o(are)g(support)h(allo)n(ws)i(secure)f(bindings)f (to)h(be)h(couched)d(as)j(lo)n(w\255le)n(v)o(el)e(protection)g (operations)f(such)i(that)0 2175 y(later)16 b(operations)f(can)h(be)h (ef)n(\002ciently)e(check)o(ed)g(without)h(recourse)f(to)h(high\255le)n (v)o(el)e(authorization)g(information.)26 b(F)o(or)16 b(e)o(xample,)f(a)i(\002le)0 2275 y(serv)o(er)f(can)h(b)n(uf)n(fer)f (data)h(in)g(memory)e(pages)i(and)g(grant)f(access)i(to)f(authorized)e 
(applications)h(by)h(pro)o(viding)d(them)j(with)g(capabilities)0 2374 y(for)24 b(the)g(physical)g(pages.)41 b(An)25 b(e)o(xok)o(ernel)d (w)o(ould)i(enforce)f(capability)g(checking)g(without)g(needing)g(an)o (y)h(information)e(about)i(the)0 2474 y(\002le)19 b(system')-5 b(s)18 b(authorization)e(mechanisms.)28 b(As)19 b(another)d(e)o (xample,)h(some)h(Silicon)g(Graphics)f(frame)h(b)n(uf)n(fer)e(hardw)o (are)h(associates)0 2574 y(an)23 b(o)n(wnership)d(tag)j(with)g(each)f (pix)o(el.)36 b(This)22 b(mechanism)g(can)g(be)h(used)f(by)g(the)h (windo)n(w)e(manager)g(to)i(set)g(up)g(a)g(binding)d(between)0 2673 y(a)26 b(library)f(operating)f(system)i(and)f(a)h(portion)e(of)i (the)f(frame)g(b)n(uf)n(fer)-5 b(.)45 b(The)26 b(application)e(can)i (access)g(the)g(frame)f(b)n(uf)n(fer)f(hardw)o(are)0 2773 y(directly)-5 b(,)19 b(because)g(the)h(hardw)o(are)f(checks)h(the) g(o)n(wnership)f(tag)h(when)f(I/O)i(tak)o(es)f(place.)125 2873 y(Secure)i(bindings)g(can)h(be)h(cached)e(in)h(an)h(e)o(xok)o (ernel.)36 b(F)o(or)23 b(instance,)h(an)f(e)o(xok)o(ernel)e(can)i(use)h (a)g(lar)o(ge)e(softw)o(are)h(TLB)h([7)o(,)f(46)o(])0 2972 y(to)29 b(cache)f(address)g(translations)g(that)h(do)f(not)h (\002t)g(in)g(the)g(hardw)o(are)e(TLB.)i(The)f(softw)o(are)g(TLB)h(can) g(be)f(vie)n(wed)g(as)i(a)f(cache)f(of)0 3072 y(frequently\255used)17 b(secure)j(bindings.)125 3171 y(Secure)e(bindings)f(can)i(be)g (implemented)e(by)h(do)n(wnloading)e(code)i(into)h(the)g(k)o(ernel.)28 b(This)19 b(code)f(is)i(in)m(v)n(ok)o(ed)d(on)h(e)n(v)o(ery)g(resource) 0 3271 y(access)33 b(or)g(e)n(v)o(ent)f(to)h(determine)e(o)n(wnership)g (and)h(the)h(actions)f(that)h(the)g(k)o(ernel)f(should)g(perform.)65 b(Do)n(wnloading)30 b(code)i(into)0 3371 y(the)27 b(k)o(ernel)e(allo)n (ws)i(an)g(application)e(thread)g(of)i(control)e(to)i(be)f(immediately) f(e)o(x)o(ecuted)g(on)h(k)o(ernel)g(e)n(v)o(ents.)48 b(The)26 b(adv)n(antages)f(of)0 3470 y(do)n(wnloading)16 b(code)j(are)g(that)g(potentially)f(e)o(xpensi)n(v)o(e)f(crossings)i 
(can)g(be)g(a)n(v)n(oided)g(and)f(that)h(this)h(code)f(can)g(run)f (without)h(requiring)0 3570 y(the)i(application)e(itself)i(to)g(be)f (scheduled.)29 b(T)-7 b(ype\255safe)19 b(languages)h([9)o(,)h(75)o(],)f (interpretation,)f(and)h(sandboxing)e([89)n(])j(can)g(be)f(used)g(to)0 3670 y(e)o(x)o(ecute)f(untrusted)g(application)f(code)i(safely)g([26)n (].)0 3910 y Fv(2.6)117 b(Methodology)28 b(Discussion)208 4096 y Fp(Y)-9 b(ou)21 b(can')o(t)g(learn)g(too)h(soon)f(that)h(the)g (most)g(useful)f(thing)g(about)g(a)h(principle)f(is)i(that)f(it)g(can)g (al)o(w)o(ays)g(be)g(sacri\002ced)g(to)208 4196 y(e)o(xpedienc)o(y)-5 b(.)25 b(\227)c(W)-8 b(.)21 b(Somerset)f(Maugham)f(\(1874\2551965\))125 4344 y(Stylistically)-5 b(,)29 b(e)o(xok)o(ernel)d(design)h(consists)h (of)g(tw)o(o)g(dif)n(ferent)f(acti)n(vities:)45 b(gi)n(ving)26 b(applications)h(control)g(of)g(resources,)i(and)0 4443 y(implementing)18 b(protection)h(\226)i(i.e.,)f(making)g(sure)g(the)o (y)g(control)f(only)h(their)g(resources.)30 b(Ideally)-5 b(,)19 b(a)i(library)f(operating)e(systems)j(has)0 4543 y(safe,)f(ef)n(\002cient)g(access)h(to)f(an)o(ything)e(a)j(pri)n(vile)o (ged)d(OS)j(does.)125 4643 y(Exok)o(ernel)11 b(design)i(pro\002ts)h (from)e(a)j(decepti)n(v)o(ely)c(simple)j(shift)g(in)g(goals.)26 b(Rather)14 b(than)f(focus)g(on)h(de\002ning)e(the)i(right)f (abstraction,)0 4742 y(or)25 b(ho)n(w)f(to)h(implement)f(it)i(\227)g (characteristic)e(of)g(almost)h(all)h(other)e(softw)o(are)h(design)f (\(operating)f(system)i(related)g(or)g(otherwise\))0 4842 y(\227)f(an)g(e)o(xok)o(ernel)e(architecture)g(concentrates)g (instead)i(deferring)e(these)i(decisions)f(to)h(untrusted)e(softw)o (are,)i(and)g(then)f(v)o(erifying)0 4941 y(that)d(the)o(y)f(are)h (implemented)e(correctly)-5 b(.)27 b(This)20 b(requires)f(constructing) f(interf)o(aces)h(that)h(do)g(checking)e(of)h(an)h(operation)e(rather)h (than)0 5041 y(imperati)n(v)o(ely)d(deciding)h(ho)n(w)g(to)i(do)e(it.) 
29 b(Thus,)18 b(algorithmic)f(design)g(becomes)g(a)i(partitioning)d (process)i(of)g(di)n(viding)e(problems)h(into)0 5141 y(tw)o(o)22 b(pieces.)34 b(The)22 b(\002rst)h(contains)e(the)h(most)g (\223interesting\224)e(aspects,)j(which)e(the)h(e)o(xok)o(ernel)e(lea)n (v)o(es)i(to)g(applications.)33 b(The)21 b(second)0 5240 y(part)k(contains)h(the)f(residue)h(that)f(an)h(e)o(xok)o(ernel)e(must) i(perform)e(to)i(v)o(erify)e(correctness.)45 b(F)o(or)25 b(this)i(partitioning)d(to)i(be)f(practical,)0 5340 y(checking)18 b(must)j(be)f(comparati)n(v)o(ely)d(ine)o(xpensi)n(v)o(e.)1908 5589 y(26)p eop %%Page: 27 28 27 27 bop 125 83 a Fp(As)29 b(an)g(e)o(xample,)h(consider)d(the)i (problem)f(of)g(writing)h(cached)f(disk)h(blocks)f(to)h(stable)g (storage)f(in)i(a)f(w)o(ay)g(that)g(guarantees)0 183 y(consistenc)o(y)23 b(across)i(reboots.)41 b(Rather)25 b(than)f(an)h(e)o(xok)o(ernel)d(deciding)h(on)h(a)i(particular)d(write) i(ordering)d(and)i(ha)n(ving)g(to)h(struggle)0 282 y(with)15 b(the)f(associated)g(tradeof)n(fs)f(in)i(scheduling)d(heuristics)i(and) g(caching)f(decisions)h(required,)g(it)h(can)f(instead)g(allo)n(w)h (the)f(application)0 382 y(to)23 b(construct)e(schedules,)h(retaining)g (for)f(the)i(much)e(simpli\002ed)i(task)g(of)f(merely)f(checking)g (that)i(an)o(y)e(application)g(schedule)h(gi)n(v)o(es)0 482 y(appropriate)e(consistenc)o(y)i(guarantees.)35 b(Application)21 b(of)i(this)g(methodology)c(enables)j(an)h(e)o(xok)o(ernel)e(to)h(lea)n (v)o(e)h(library)e(operating)0 581 y(systems)g(to)f(decide)f(on)h (tradeof)n(fs)f(themselv)o(es)g(rather)h(than)g(forcing)e(a)j (particular)e(set,)h(a)h(crucial)f(shift)g(of)g(labor)-5 b(.)125 681 y(While)21 b(this)h(style)g(of)f(design)f(may)h(seem)g(ob)o (vious,)f(in)h(practice)g(it)h(has)f(been)g(depressingly)e(easy)j(to)f (slide)h(into)f(\223the)g(old)g(w)o(ay\224)0 780 y(of)i(deciding)f(ho)n (w)h(to)h(implement)e(a)i(particular)f(feature)f(rather)h(than)g (asking)g(the)g(unusual)g(question)f(of)i(ho)n(w)f(one)g(can)g(get)h 
(out)f(of)0 880 y(doing)f(so,)j(safely)-5 b(.)40 b(A)24 b(useful)f(heuristic)g(to)h(catch)g(such)f(slips)i(is)g(to)e(note)h (when)f(one)g(is)i(making)d(man)o(y)h(tradeof)n(fs.)38 b(A)24 b(plethora)f(of)0 980 y(tradeof)n(fs)17 b(almost)i(in)m(v)n (ariably)d(signals)j(a)g(decision)f(that)g(could)g(be)h(implemented)d (or)j(optimized)e(in)i(dif)n(ferent)d(important)h(w)o(ays)i(and,)0 1079 y(thus,)h(should)f(be)h(left)h(to)f(applications.)125 1179 y(Because)f(libOSes)h(understand)e(the)h(higher)n(\255le)n(v)o(el) e(semantics)j(of)f(their)g(abstractions,)g(the)o(y)g(\223just)g(kno)n (w\224)g(man)o(y)f(things)h(that)h(an)0 1279 y(e)o(xok)o(ernel)k(does)h (not.)47 b(F)o(or)25 b(e)o(xample,)h(that)g(related)f(\002les)i(will)g (lik)o(ely)f(be)g(clustered)f(together)g(and)g(if)h(one)g(block)f(is)h (fetched,)h(the)0 1378 y(succeeding)d(eight)g(blocks)h(should)f(be)h (as)g(well.)45 b(Thus,)25 b(a)h(v)n(ariant)e(of)h(the)g(abo)o(v)o(e)e (methodology)f(is)k(designing)e(interf)o(aces)g(where)0 1478 y(actions)f(do)f(not)g(require)g(justi\002cation.)36 b(As)24 b(an)e(e)o(xample,)g(consider)g(the)g(act)i(of)e(fetching)f(a)j (disk)e(block)g(in)h(core.)36 b(If)23 b(a)g(\002le)g(system)0 1577 y(must)28 b(present)f(credentials)g(before)f(the)i(k)o(ernel)f (will)i(allo)n(w)e(the)h(fetch)f(to)h(be)g(initiated,)h(then)e(it)i(f)o (aces)f(serious)g(problems)e(doing)0 1677 y(the)c(prefetching)e(it)i (needs,)g(since)g(it)h(w)o(ould)e(\002rst)i(ha)n(v)o(e)f(to)g(read)f (in)h(all)h(\002le)g(directory)d(entries,)i(sho)n(w)g(each)f(\002le')-5 b(s)23 b(capability)e(to)i(the)0 1777 y(k)o(ernel,)h(and)f(only)h(then) f(initiate)h(the)g(fetches.)41 b(In)24 b(contrast,)g(by)f(only)h (performing)d(access)j(control)f(when)h(the)g(actual)f(data)h(in)h(the) 0 1876 y(block)19 b(or)h(read)g(or)g(written,)f(rather)h(then)f(when)h (the)g(block)g(is)h(fetched,)d(these)j(disk)f(reads)g(can)g(be)g (initiated)g(all)h(at)f(once.)1908 5589 y(27)p eop %%Page: 28 29 28 28 bop 0 706 a Fj(Chapter)42 b(3)0 1121 y 
Fn(Practice:)75 b(A)-5 b(pplying)52 b(exok)n(er)m(nel)g(principles)208 1553 y Fp(When)29 b(a)h(man)f(says)h(he)f(appro)o(v)o(es)e(of)i (something)f(in)i(principle,)g(it)g(means)f(he)g(hasn')o(t)g(the)g (slightest)h(intention)e(of)208 1652 y(putting)19 b(it)i(into)e (practice.)29 b(\227)21 b(Otto)f(v)n(on)g(Bismarck)g(\(1815\2551898\)) 125 1831 y(T)-7 b(o)20 b(illustrate)h(the)g(e)o(xok)o(ernel)d (principles,)i(this)h(chapter)e(discusses)j(ho)n(w)e(to)g(e)o(xport)f (lo)n(w\255le)n(v)o(el)h(primiti)n(v)o(es)f(such)i(as)g(e)o(xceptions)0 1931 y(and)e(inter)n(\255process)g(communication,)e(and)i(multiple)o(x) f(physical)h(resources)g(such)g(as)i(memory)-5 b(,)17 b(CPU,)k(and)e(the)h(netw)o(ork.)28 b(T)-7 b(o)20 b(mak)o(e)0 2031 y(this)k(discussion)e(concrete,)h(we)g(dra)o(w)g(on)g(e)o(xamples) f(from)g(tw)o(o)h(e)o(xok)o(ernel)e(systems:)36 b(Ae)o(gis)23 b([25)o(],)h(and)f(Xok)f([48)o(].)38 b(Ae)o(gis)23 b(is)i(the)0 2130 y(\002rst)18 b(e)o(xok)o(ernel)d(we)i(b)n(uilt.)28 b(It)17 b(runs)g(on)g(the)g(MIPS)g([50)o(])g(DECstation)g(f)o(amily)-5 b(.)27 b(Xok)17 b(is)g(the)g(second.)28 b(It)17 b(runs)f(on)h(the)g (x86)f(architecture)0 2230 y(and)f(is)h(the)f(more)g(mature)g(of)g(the) g(tw)o(o.)28 b(Construction)14 b(of)h(these)g(systems)h(spanned)e(four) g(years:)27 b(tw)o(o)16 b(for)f(Ae)o(gis,)h(tw)o(o)f(\(and)g (counting\))0 2330 y(for)20 b(Xok.)125 2429 y(Xok)28 b(and)g(Ae)o(gis)h(dif)n(fer)f(in)h(important)e(w)o(ays,)k(helping)d (to)g(sho)n(w)h(ho)n(w)f(the)h(application)f(of)g(e)o(xok)o(ernel)f (principles)h(changes)0 2529 y(in)f(the)g(f)o(ace)g(of)f(dif)n(ferent)f (constraints.)49 b(Most)27 b(of)f(these)h(dif)n(ferences)e(result)i (from)f(the)h(f)o(act)g(that)g(the)g(x86)f(and)g(MIPS)h(hardw)o(are)0 2628 y(ha)n(v)o(e)35 b(radically)f(dif)n(ferent)g(architectural)f (interf)o(aces)i(\(e.g.,)j(softw)o(are)d(page)g(tables)g(for)g(the)g (MIPS,)h(hardw)o(are)d(for)i(x86\))f(and)0 2728 y(implementation)18 b(performance)f(\(an)j(order)f(of)h(magnitude)e(in)i(f)o(a)n(v)n(or)g 
(of)g(the)g(x86\).)125 2828 y(The)e(implementations)e(we)j(discuss)g (are)g(merely)f(e)o(xamples)f(of)h(ho)n(w)g(resources)g Fk(can)g(be)h Fp(multiple)o(x)o(ed,)d(not)i(ho)n(w)g(the)o(y)g(must)h (be.)0 2927 y(Other)h(implementations)e(are)i(possible.)125 3027 y(Stylistically)-5 b(,)23 b(the)h(discussion)f(of)g(each)g (resource)f(focuses)h(on)g(tw)o(o)h(questions:)35 b(\(1\))23 b(ho)n(w)g(to)h(gi)n(v)o(e)e(applications)h(control)f(o)o(v)o(er)0 3127 y(the)i(resource)f(and)h(\(2\))g(ho)n(w)f(to)i(protect)e(it.)42 b(Some)24 b(of)g(the)h(resources)e(we)i(discuss)f(ha)n(v)o(e)g(little)h (to)g(do)e(with)i(protection)d(due)i(to)h(the)0 3226 y(lack)e(of)g(\223sharing.)-6 b(\224)37 b(F)o(or)23 b(e)o(xample,)f (besides)h(memory)f(protection)f(issues,)j(e)o(xceptions)e(are)h (contained)f(within)h(a)g(single)g(process.)0 3326 y(Lack)d(of)g (multiple)o(xing)e(mak)o(es)i(protection)e(a)j(non\255issue.)28 b(Others,)19 b(such)h(as)h(netw)o(orking,)d(focus)i(more)f(hea)n(vily)h (on)f(it.)125 3425 y(W)-7 b(e)19 b(pro)o(vide)e(a)i(quick)f(o)o(v)o (ervie)n(w)f(of)i(Ae)o(gis)f(and)h(Xok)f(belo)n(w)-5 b(.)28 b(The)18 b(remainder)f(of)i(the)f(chapter)g(discusses)i(ho)n(w)e (the)o(y)g(multiple)o(x)0 3525 y(resources.)0 3737 y Fq(3.0.1)99 b(Xok)25 b(o)o(v)o(er)o(view)0 3885 y Fp(Xok)k(multiple)o (x)o(es)f(most)h(standard)f(machine)g(resources:)47 b(netw)o(ork,)30 b(CPU,)g(physical)f(memory)-5 b(,)29 b(and)g(disk.)56 b(It)30 b(currently)d(lacks)0 3984 y(support)g(for)h(display)g(de)n (vices.)54 b(Its)29 b(def)o(ault)f(library)g(operating)f(system,)j (ExOS,)f(pro)o(vides)d(\223Unix)i(in)h(a)g(library)-5 b(.)f(\224)53 b(ExOS)29 b(does)0 4084 y(not)c(handle)g(some)g(Unix)g (corner)f(cases,)j(b)n(ut)f(it)g(is)g(not)g(a)f(to)o(y)-5 b(.)45 b(Man)o(y)24 b(sophisticated)h(applications,)g(such)h(as)g(csh,) h(perl,)f(gcc,)g(and)0 4183 y(telnet,)e(run)f(without)g (modi\002cation.)37 b(The)23 b(tw)o(o)h(main)f(ca)n(v)o(eats)g(of)h (ExOS)f(are)g(lack)h(of)f(virtual)g(memory)f(paging)g(support)g(\(the)h 
(\002le)0 4283 y(b)n(uf)n(fer)f(cache)g(is)i(paged\),)e(and)g(that)h (some)g(shared)f(data)h(structures)g(\(such)f(as)i(the)f(global)f (\002le)h(descriptor)f(table\))g(reside)h(in)g(shared)0 4383 y(memory)18 b(and)g(could)h(be)g(corrupted)e(by)i(a)h(malicious)e (process.)29 b(Neither)19 b(is)h(an)f(inherent)f(limitation,)h(b)n(ut)g (simply)g(the)g(result)h(of)f(lack)0 4482 y(of)24 b(time.)40 b(F)o(or)24 b(e)o(xample,)f(Ae)o(gis/ExOS)g(had)h(paging)e(and)i(we)g (are)g(adding)e(more)h(protection)g(to)h(data)f(structures)h(as)g(time) h(allo)n(ws.)0 4582 y(Neither)f(does)h(either)f(impro)o(v)o(e)f(our)h (performance.)40 b(If)25 b(an)o(ything,)e(lack)i(of)g(paging)e(hurts)h (our)g(e)o(xperiments)f(since)i(it)h(means)e(that)0 4682 y(memory)d(that)h(could)g(be)g(used)g(for)g(the)g(\002le)h(b)n(uf)n (fer)e(cache)h(is)h(w)o(asted)g(on)f(backing)f(virtual)g(memory)-5 b(.)34 b(As)23 b(discussed)f(in)h(Chapter)e(5)0 4781 y(our)e(e)o(xperiments)g(compensate)f(for)i(this)h(lack)f(of)g (protection.)0 4993 y Fq(3.0.2)99 b(Aegis)24 b(o)o(v)o(er)o(view)0 5141 y Fp(Ae)o(gis,)31 b(while)f(older)f(then)f(Xok,)k(is)e(more)e (primiti)n(v)o(e,)j(lacking)d(solid)i(support)e(for)g(disk)i(and)f(ha)n (ving)f(a)i(more)e(crude)h(approach)0 5240 y(to)g(access)g(control)f (\(\003at)h(access)g(control)e(lists\).)56 b(Its)29 b(v)o(ersion)f(of)g (ExOS)h(\(from)e(which)h(that)h(of)f(Xok)g(descends\))g(also)h(is)h (not)e(as)0 5340 y(de)n(v)o(eloped.)f(Most)20 b(of)g(our)f(Ae)o(gis)i (measurements)d(use)j(micro\255benchmarks)16 b(rather)j(application)g (timings.)1908 5589 y(28)p eop %%Page: 29 30 29 29 bop 125 83 a Fp(The)24 b(micro\255benchmarks)d(discussed)k(in)h (this)f(section)g(compare)f(Ae)o(gis)h(and)f(ExOS)h(with)h(the)f (performance)d(of)j(Ultrix4.2)e(\(a)0 183 y(mature)18 b(monolithic)f(UNIX)h(operating)f(system\))h(on)g(the)h(same)g(hardw)o (are.)27 b(While)19 b(Ae)o(gis)f(and)g(ExOS)h(do)f(not)g(of)n(fer)g (the)g(same)h(le)n(v)o(el)0 282 y(of)h(functionality)e(as)j(Ultrix,)f 
(we)g(do)g(not)g(e)o(xpect)f(these)i(additions)e(to)h(cause)g(lar)o(ge) f(increases)h(in)h(our)e(timing)h(measurements.)125 382 y(Ultrix,)d(despite)f(its)i(poor)e(performance)e(relati)n(v)o(e)i(to)h (Ae)o(gis,)h(is)g Fk(not)e Fp(a)i(poorly)d(tuned)h(system;)i(it)g(is)g (a)f(mature)f(monolithic)f(system)0 482 y(that)24 b(performs)d(quite)i (well)h(in)g(comparison)d(to)j(other)f(operating)e(systems)j([69)o(].) 39 b(F)o(or)23 b(e)o(xample,)g(it)h(performs)e(tw)o(o)h(to)h(three)f (times)0 581 y(better)g(than)h(Mach)f(3.0)h(in)g(a)g(set)h(of)e(I/O)h (benchmarks)e([67)o(].)40 b(Also,)25 b(its)g(virtual)e(memory)f (performance)f(is)k(approximately)c(twice)0 681 y(that)f(of)g(Mach)g (2.5)g(and)f(three)h(times)h(that)f(of)g(Mach)g(3.0)f([5)o(].)125 780 y(Our)26 b(measurements)g(were)h(tak)o(en)g(on)f(a)i (DECstation5000/125)c(\(25MHz\),)j(with)g(an)g(R3000)f(processor)g(and) g(a)i(SPECint92)0 880 y(rating)19 b(of)h(25.)0 1127 y Fv(3.1)117 b(Multiplexing)28 b(Ph)n(ysical)i(Memory)0 1313 y Fp(Physical)22 b(memory)e(is)j(one)f(of)g(the)g(simplest)g (resources)g(to)g(multiple)o(x.)34 b(When)22 b(a)g(library)f(operating) g(system)h(allocates)g(a)h(physical)0 1412 y(memory)f(page,)h(the)g(e)o (xok)o(ernel)f(records)g(the)h(o)n(wner)g(and)g(permissions)f(\(e.g.,)h (read)g(and)g(write\))g(of)h(the)f(allocating)f(process.)39 b(The)0 1512 y(o)n(wner)19 b(of)h(a)h(page)e(has)i(the)f(po)n(wer)f(to) h(change)f(the)h(capabilities)g(associated)g(with)h(it,)f(to)h(share)f (it,)g(and)g(to)g(deallocate)g(it.)125 1611 y(T)-7 b(o)18 b(ensure)g(protection,)e(the)j(e)o(xok)o(ernel)d(guards)h(e)n(v)o(ery)g (access)i(to)g(a)g(physical)e(memory)g(page)g(by)h(requiring)f(that)h (the)h(capability)0 1711 y(be)j(presented)f(by)h(the)h(library)e (operating)g(system)h(requesting)f(access.)36 b(If)23 b(the)f(capability)f(is)j(insuf)n(\002cient,)d(the)i(request)f(is)h (denied.)0 1811 y(T)-7 b(ypically)i(,)20 b(the)i(processor)e(contains)h (a)h(TLB,)g(and)f(the)g(e)o(xok)o(ernel)f(must)h(check)g(memory)f 
(capabilities)h(when)g(a)h(library)e(operating)0 1910 y(system)29 b(attempts)f(to)h(enter)f(a)h(ne)n(w)f (virtual\255to\255physical)d(mapping.)52 b(T)-7 b(o)29 b(impro)o(v)o(e)d(library)h(operating)g(system)h(performance)e(by)0 2010 y(reducing)14 b(the)g(number)g(o)o(f)f(times)h(secu)o(re)g(b)o (ind)o(ing)o(s)g(mu)o(st)g(be)g(e)o(stablished)o(,)9 b(an)14 b(e)o(xok)o(ernel)g(may)g(cache)g(v)o(irtu)o(al\255to\255)o(ph) o(y)o(sical)g(map)o(pin)o(gs)0 2110 y(in)20 b(a)h(lar)o(ge)e(softw)o (are)h(TLB.)125 2209 y(If)i(the)h(underlying)e(hardw)o(are)g(de\002nes) i(a)h(page\255table)d(interf)o(ace,)i(then)f(an)h(e)o(xok)o(ernel)e (must)i(guard)f(the)h(page)f(table)h(instead)g(of)0 2309 y(the)d(TLB.)g(Although)f(the)h(details)g(of)g(ho)n(w)f(to)i(implement) d(secure)i(memory)f(bindings)f(will)j(v)n(ary)e(depending)f(on)h(the)h (details)h(of)f(the)0 2408 y(address)g(translation)f(hardw)o(are,)g (the)h(basic)h(principle)e(is)i(straightforw)o(ard:)27 b(pri)n(vile)o(ged)18 b(machine)h(operations)g(such)h(as)h(TLB)g(loads) 0 2508 y(and)g(DMA)g(must)g(be)h(guarded)d(by)i(an)g(e)o(xok)o(ernel.) 
30 b(As)22 b(dictated)f(by)f(the)i(e)o(xok)o(ernel)d(principle)h(of)h (e)o(xposing)e(k)o(ernel)h(book\255k)o(eeping)0 2608 y(structures,)f(the)i(page)e(table)h(should)f(be)h(visible)h(\(read)e (only\))g(at)i(application)d(le)n(v)o(el.)125 2707 y(T)-7 b(o)19 b(reclaim)g(a)h(page,)f(an)h(e)o(xok)o(ernel)d(must)j(change)e (the)i(associated)f(capabilities,)g(mark)g(the)h(resource)e(as)i(free,) f(and)g(remo)o(v)o(e)f(all)0 2807 y(bindings.)28 b(In)20 b(the)g(e)o(xample)f(of)h(physical)f(memory)-5 b(,)17 b(bindings)i(include)g(TLB)i(mappings)e(and)g(an)o(y)h(queued)e(DMA)j (requests.)0 3020 y Fq(3.1.1)99 b(Aegis:)35 b(application)25 b(virtual)g(memory)0 3167 y Fp(The)c(MIPS)h(architecture)e(has)h(softw) o(are)g(de\002ned)g(page)f(tables.)33 b(Thus,)21 b(in)h(accordance)d (with)j(deferring)d(management)g(to)j(applica\255)0 3267 y(tions,)e(Ae)o(gis)h(allo)n(ws)f(applications)f(to)i(de\002ne)f(their) g(o)n(wn)f(page)h(tables.)30 b(W)-7 b(e)22 b(look)d(at)i(tw)o(o)g (issues)g(in)f(supporting)e(application\255le)n(v)o(el)0 3366 y(virtual)i(memory:)27 b(bootstrapping)18 b(and)h(ef)n(\002cienc)o (y)-5 b(.)125 3466 y(T)e(o)19 b(bootstrap)f(the)i(virtual)f(naming)f (system,)i(there)f(must)g(be)h(support)e(for)h(translation)g(e)o (xceptions)f(on)h(both)g(application)f(page\255)0 3566 y(tables)24 b(and)g(e)o(xception)e(code.)41 b(Ae)o(gis)24 b(pro)o(vides)e(a)j(simple)f(bootstrapping)e(mechanism)h(through)f(the) i(use)g(of)g(a)h(small)f(number)f(of)0 3665 y(guaranteed)g(mappings.)43 b(A)26 b(miss)g(on)e(a)i(guaranteed)d(mapping)h(will)i(be)f(handled)e (automatically)h(by)h(Ae)o(gis.)44 b(This)26 b(or)o(ganization)0 3765 y(frees)21 b(the)g(application)f(from)g(dealing)g(with)i(the)f (intricacies)g(of)g(boot\255strapping)d(TLB)j(miss)h(and)f(e)o (xception)e(handlers,)h(which)h(can)0 3864 y(tak)o(e)g(TLB)h(misses.)33 b(T)-7 b(o)22 b(implement)e(guaranteed)f(mappings)h(ef)n(\002ciently)-5 b(,)20 b(an)h(application')-5 b(s)20 b(virtual)h(address)g(space)g(is)h (partitioned)0 3964 
y(into)c(tw)o(o)h(se)o(gments.)28 b(The)18 b(\002rst)h(se)o(gment)f(holds)g(normal)f(application)g(data)h (and)g(code.)28 b(V)-5 b(irtual)18 b(addresses)g(in)h(this)g(se)o (gment)e(can)i(be)0 4064 y(\223pinned\224)f(using)i(guaranteed)e (mappings.)28 b(T)-7 b(ypically)19 b(libOSes)i(pin)f(e)o(xception)e (handling)g(code)i(and)f(page\255tables.)125 4163 y(On)h(a)g(TLB)h (miss,)g(the)f(follo)n(wing)e(actions)i(occur:)104 4329 y(1.)41 b(Ae)o(gis)19 b(checks)h(which)f(se)o(gment)g(the)g(virtual)g (address)h(resides)g(in.)29 b(If)19 b(it)i(is)f(in)g(the)g(standard)f (user)g(se)o(gment,)g(the)h(e)o(xception)e(is)208 4429 y(dispatched)i(directly)g(to)i(the)f(application.)31 b(If)21 b(it)h(is)g(in)g(the)f(second)g(re)o(gion,)f(Ae)o(gis)h (\002rst)h(checks)f(to)g(see)h(if)g(it)g(is)g(a)g(guaranteed)208 4529 y(mapping.)27 b(If)20 b(so,)g(Ae)o(gis)g(installs)h(the)g(TLB)f (entry)g(and)f(continues;)g(otherwise,)h(Ae)o(gis)g(forw)o(ards)f(it)i (to)f(the)g(application.)104 4695 y(2.)41 b(The)25 b(application)f (looks)g(up)h(the)h(virtual)f(address)g(in)g(its)i(page\255table)c (structure)i(and,)h(if)f(the)h(access)g(is)g(not)f(allo)n(wed)g(raises) 208 4794 y(the)i(appropriate)e(e)o(xception)g(\()p Fk(e)o(.g)o(.,)i Fp(\223se)o(gmentation)e(f)o(ault\224\).)50 b(If)27 b(the)g(mapping)e (is)j(v)n(alid,)g(the)g(application)d(constructs)i(the)208 4894 y(appropriate)17 b(TLB)k(entry)e(and)h(its)h(associated)f (capability)f(and)h(in)m(v)n(ok)o(es)f(the)h(appropriate)e(Ae)o(gis)i (system)h(routine.)104 5060 y(3.)41 b(Ae)o(gis)22 b(checks)g(that)g (the)h(gi)n(v)o(en)e(capability)g(corresponds)g(to)h(the)h(access)g (rights)f(requested)f(by)h(the)g(application.)35 b(If)22 b(it)h(does,)208 5160 y(the)d(mapping)e(is)j(installed)f(in)h(the)f (TLB)g(and)g(control)f(is)i(returned)e(to)h(the)g(application.)28 b(Otherwise)20 b(an)g(error)f(is)i(returned.)104 5326 y(4.)41 b(The)19 b(application)g(performs)g(cleanup)g(and)g(resumes)h (e)o(x)o(ecution.)1908 5589 y(29)p eop %%Page: 30 31 30 30 bop 125 
83 a Fp(In)18 b(order)f(to)h(support)f(application\255le) n(v)o(el)f(virtual)i(memory)f(ef)n(\002ciently)-5 b(,)17 b(TLB)i(re\002lls)g(must)f(be)h(f)o(ast.)29 b(T)-7 b(o)18 b(this)h(end,)f(Ae)o(gis)h(caches)0 183 y(TLB)28 b(entries)g(\(a)f (form)g(of)g(secure)g(bindings\))f(in)i(the)g(k)o(ernel)f(by)g(o)o(v)o (erlaying)e(the)i(hardw)o(are)f(TLB)i(with)g(a)g(lar)o(ge)f(softw)o (are)g(TLB)0 282 y(\(STLB\))22 b(to)f(absorb)g(capacity)g(misses)i([7)o (,)f(46)o(].)34 b(On)22 b(a)g(TLB)g(miss,)h(Ae)o(gis)e(\002rst)i (checks)e(to)h(see)g(whether)f(the)h(required)e(mapping)g(is)0 382 y(in)g(the)h(STLB.)f(If)g(so,)g(Ae)o(gis)h(installs)g(it)g(and)e (resumes)h(e)o(x)o(ecution;)e(otherwise,)h(the)i(miss)g(is)g(forw)o (arded)d(to)i(the)g(application.)125 482 y(The)i(STLB)h(contains)e (4096)h(entries)g(of)g(8)h(bytes)f(each.)36 b(It)22 b(is)i (direct\255mapped)19 b(and)j(resides)h(in)g(unmapped)d(physical)h (memory)-5 b(.)0 581 y(An)23 b(STLB)i(\223hit\224)e(tak)o(es)h(18)f (instructions)f(\(approximately)f(one)i(to)g(tw)o(o)h(microseconds\).) 
37 b(In)23 b(contrast,)g(performing)e(an)i(upcall)g(to)0 681 y(application)15 b(le)n(v)o(el)h(on)g(a)h(TLB)g(miss,)h(follo)n (wed)d(by)h(a)h(system)g(call)g(to)g(install)g(a)g(ne)n(w)f(mapping)f (is)i(at)g(least)h(three)e(to)g(six)h(microseconds)0 780 y(more)i(e)o(xpensi)n(v)o(e.)125 880 y(As)g(dictated)e(by)h(the)g (e)o(xok)o(ernel)e(principle)h(of)h(e)o(xposing)f(k)o(ernel)g (book\255k)o(eeping)e(structures,)i(the)h(STLB)h(can)f(be)g(mapped)f (using)0 980 y(a)k(well\255kno)n(wn)d(capability)-5 b(,)18 b(which)i(allo)n(ws)h(applications)e(to)h(ef)n(\002ciently)f(probe)g (for)h(entries.)125 1079 y(Using)31 b(the)g(control)e(gi)n(v)o(en)h(by) h(libOS\255de\002ned)e(page)i(tables)g(ExOS)g(has)g(a)h(v)n(ariety)e (of)h(dif)n(ferent)e(page)i(table)g(structures)3846 1049 y Fi(1)3879 1079 y Fp(,)0 1179 y(high\255performance)16 b(netw)o(ork)j(paging,)f(and)i(application\255speci\002c)e(page)h (coloring)g(\(for)g(impro)o(v)o(ed)e(cache)j(performance\).)125 1279 y(No)g(other)f(protected)g(operating)f(system)j(architecture)d (allo)n(ws)j(this)f(de)o(gree)f(of)h(freedom.)0 1491 y Fq(3.1.2)99 b(Xok:)36 b(hard)o(war)n(e\255de\002ned)28 b(page)d(tables)0 1639 y Fp(Unlik)o(e)i(the)h(MIPS)g(architecture,)f (the)h(x86)e(architecture)g(on)h(which)g(Xok)g(runs)g(de\002nes)g(the)h (page\255table)e(structure.)50 b(Since)27 b(x86)0 1738 y(TLB)e(re\002lls)h(are)f(handled)f(in)h(hardw)o(are,)f(this)i (structure)e(cannot)g(be)h(o)o(v)o(erridden)d(by)i(applications.)43 b(Ho)n(we)n(v)o(er)m(,)24 b(applications)g(are)0 1838 y(able)19 b(to)g(control)e(all)j(hardw)o(are\255de\002ned)15 b(per)n(\255page)i(attrib)n(utes,)i(including)e(protection)g(le)n(v)o (els)i(\(read\255only)-5 b(,)16 b(writable,)i(e)o(x)o(ecute\255only\))0 1938 y(and)k(caching.)36 b(Additionally)-5 b(,)21 b(each)h(v)n(alid)h (page\255table)e(entry)h(contains)g(three)g(softw)o(are\255de\002ned)f (bits,)i(which)f(Xok)h(gi)n(v)o(es)f(o)o(v)o(er)f(to)0 2037 y(application)k(control.)46 b(In)m(v)n(alid)25 b(entries)h 
(\(those)g(without)g(the)g(\223present)g(bit\224)g(set\))h(can)f (contain)g(an)o(y)f(v)n(alue)h(the)g(library)f(operating)0 2137 y(system)j(wishes.)53 b(Example)27 b(uses)h(of)g(this)g(location)f (are)h(to)g(store)g(the)g(names)g(of)f(disk)h(blocks)f(used)h(as)h (backing)d(store)i(or)g(e)n(v)o(en)0 2236 y(netw)o(ork)19 b(addresses)h(for)f(remote)h(pages.)125 2336 y(Since)e(the)h(hardw)o (are)e(does)h(not)g(v)o(erify)f(that)i(the)g(physical)e(page)h(of)g(a)h (translation)f(can)g(be)h(mapped)d(by)j(a)g(process,)f(applications)0 2436 y(are)24 b(pre)n(v)o(ented)e(from)h(directly)g(modifying)e(the)j (page)g(table)g(and)f(must)h(instead)g(use)g(system)g(calls.)42 b(Although)22 b(these)i(restrictions)0 2535 y(mak)o(e)16 b(Xok)g(less)h(e)o(xtensible)f(than)g(Ae)o(gis,)h(the)o(y)e(simplify)h (the)g(implementation)e(of)j(libOSes)f(\(see)h(Chapter)f(7)g(for)g (more)g(discussion\).)125 2635 y(Lik)o(e)23 b(Ae)o(gis,)h(Xok)e(allo)n (ws)i(ef)n(\002cient)f(and)g(po)n(werful)e(virtual)i(memory)e (abstractions)i(to)g(be)h(b)n(uilt)f(at)h(the)f(application)f(le)n(v)o (el.)38 b(It)0 2735 y(does)15 b(so)h(by)f(e)o(xposing)f(the)h (capabilities)h(of)f(the)g(hardw)o(are)f(\(e.g.,)i(all)g(MMU)f (protection)f(and)h(dirty)g(bits\))h(and)e(e)o(xposing)g(man)o(y)g(k)o (ernel)0 2834 y(data)27 b(structures)f(\(e.g.,)h(free)g(lists,)i(in)m (v)o(erse)d(page)g(mappings\).)47 b(Xok')-5 b(s)27 b(lo)n(w\255le)n(v)o (el)e(interf)o(ace)h(means)h(that)g(paging)e(is)j(handled)d(by)0 2934 y(applications.)i(As)18 b(such,)g(it)g(can)f(be)g(done)f(from)h (disk,)g(across)h(the)f(netw)o(ork,)f(or)i(by)e(data)i(re)o (generation.)25 b(Additionally)-5 b(,)16 b(applications)0 3033 y(can)j(readily)f(perform)e(per)n(\255page)h(transformations)g (such)h(as)i(compression,)d(v)o(eri\002cation)g(of)i(contents)f(using)g (digital)h(signatures)f(\(to)0 3133 y(allo)n(w)i(untrusted)f(nodes)g (in)i(a)f(netw)o(ork)f(to)i(cache)e(pages\),)h(or)f(encryption.)0 3380 y Fv(3.2)117 b(Multiplexing)28 b(the)g(Netw)o(ork)0 3566 y 
Fp(This)20 b(subsection)g(discusses)g(ho)n(w)g(to)g(gi)n(v)o(e)g (applications)f(control)g(o)o(v)o(er)g(the)h(netw)o(ork,)e(and)i(ho)n (w)g(to)g(implement)f(protection.)27 b(There)0 3665 y(are)j(tw)o(o)h (primary)e(requirements)f(for)i(ef)n(\002cient)g(netw)o(orking.)57 b(First,)34 b(elimination)29 b(of)h(data)g(copies,)i(which)e(comes)g (from)f(both)0 3765 y(gi)n(ving)c(applications)g(access)j(to)e(an)o(y)g (scatter)n(\255gather)f(DMA)h(pro)o(vided)e(by)i(the)h(hardw)o(are)e (and)h(allo)n(wing)f(them)h(to)h(direct)f(where)0 3864 y(messages)h(are)g(placed.)48 b(Second,)27 b(tight)g(coupling)e(to)i (interrupt)e(e)n(v)o(ents,)j(primarily)-5 b(,)26 b(message)h(reception) e(and)h(timer)h(interrupts.)0 3964 y(In)d(order)f(to)h(initiate)g(lo)n (w\255latenc)o(y)e(responses)i(to)g(messages,)h(application)d (messaging)h(code)h(must)g(be)g(able)g(to)g(run)f(quickly)g(after)0 4064 y(message)g(arri)n(v)n(al.)37 b(Ae)o(gis)24 b(performs)d(this)j (by)f(do)n(wnloading)d(application)i(code)g(into)h(the)g(k)o(ernel)g (and)f(running)g(it)h(in)h(the)f(interrupt)0 4163 y(handler)e([92)o(].) 
37 b(Xok,)23 b(due)f(to)h(the)g(v)n(ast)g(relati)n(v)o(e)f(increase)g (in)h(the)g(ratio)g(of)f(processor)g(speed)g(to)h(netw)o(ork)f(latenc)o (y)g(\(about)f(a)i(f)o(actor)0 4263 y(of)g(\002v)o(e)g(to)g(ten)h(for)e (small)i(messages\),)g(does)e(not)h(need)g(to)g(eliminate)g(boundary)e (crossings,)i(and)g(simply)f(yields)i(to)f(the)g(recei)n(ving)0 4363 y(application.)35 b(T)m(imer)22 b(interrupts)f(are)i(needed)e(to)i (b)n(uild)f(ef)n(\002cient)g(retransmission)f(timers,)i(which)f(are)h (needed)e(to)i(implement)e(f)o(ast)0 4462 y(reliable)f(messaging)f(on)h (unreliable)f(netw)o(ork)g(hardw)o(are.)125 4562 y(T)-7 b(o)14 b(enable)g(application)e(resource)h(management,)h(an)g(e)o(xok)o (ernel)e(dislocates)i(operating)f(system)h(code)g(into)g(libraries.)27 b(Ho)n(we)n(v)o(er)m(,)0 4661 y(there)22 b(are)g(important)f(dif)n (ferences)f(between)h(a)i(library')-5 b(s)21 b(e)o(x)o(ecution)g(conte) o(xt)f(and)i(that)g(of)g(the)h(k)o(ernel.)34 b(One)22 b(of)g(the)g(challenges)f(in)0 4761 y(an)e(e)o(xok)o(ernel)e(is)j (recapturing)d(these)i(aspects.)29 b(T)m(ight)19 b(coupling)e(of)i (libOS)g(code)f(to)h(e)n(v)o(ents)g(can)g(be)g(vie)n(wed)f(as)i(an)f(e) o(xample)e(of)i(this.)0 4861 y(Compared)f(to)h(Ultrix,)g(Ae)o(gis')-5 b(s)20 b(pro)o(vision)d(of)i(ef)n(\002cient)g(access)h(to)f(these)h(tw) o(o)f(abilities)h(gi)n(v)o(es)f(library)f(operating)g(systems)i(a)f(f)o (actor)0 4960 y(of)h(ten)g(performance)d(impro)o(v)o(ement)g(in)k (round)d(trip)i(Ethernet)f(times)i([25)o(].)p 0 5031 1560 4 v 90 5087 a Fh(1)120 5110 y Fg(Illustrati)n(v)o(e)g(of)d(the)h (customizability)k(of)18 b(an)g(e)o(xok)o(ernel)j(system,)d(T)-5 b(om)17 b(Pinckne)o(y)j(while)f(still)h(an)e(under)o(graduate)k(w)o(as) c(able)i(to)e(implement)i(a)e(ne)n(w)h(page)g(table)0 5189 y(structure)f(in)f(a)f(week,)h(while)g(taking)h(his)f(\002nal)f(e) o(xams.)24 b(As)16 b(a)g(testament)j(to)d(the)h(dif)n(\002culty)i(of)d (modifying)i(current)g(operating)h(systems,)d(the)h(proposers)g(of)f (this)h(page)0 5268 
y(table)i(structure)g(were)e(only)h(able)g(to)g (simulate)g(it)g([83].)1908 5589 y Fp(30)p eop %%Page: 31 32 31 31 bop 125 83 a Fp(Protection)24 b(for)i(netw)o(orking)e(is)j (answering)d(the)i(question:)41 b(gi)n(v)o(en)24 b(a)j(message,)g(who)e (o)n(wns)h(it?)48 b(On)26 b(a)g(connection\255oriented)0 183 y(netw)o(ork,)18 b(answering)g(this)i(question)e(is)i(easy:)29 b(whiche)n(v)o(er)18 b(connection)f(\(or)i(\003o)n(w\))g(it)h(belongs)e (to.)29 b(Binding)18 b(of)h(application)f(to)h(\003o)n(w)0 282 y(can)i(happen)e(at)j(connection)d(initiation,)h(remo)o(ving)f(the) i(need)f(to)h(mak)o(e)g(decisions)f(based)h(on)f(pack)o(et)h(contents.) 31 b(An)21 b(e)o(xample)e(of)i(a)0 382 y(hardw)o(are\255based)c (mechanism)i(is)i(the)f(use)g(of)g(the)g(virtual)g(circuit)f(in)h(A)-9 b(TM)20 b(cells)h(to)f(securely)f(bind)h(streams)g(to)g(applications)f ([23)o(].)0 482 y(Ho)n(we)n(v)o(er)m(,)31 b(answering)e(this)h (question)g(is)h(more)e(dif)n(\002cult)h(on)g(a)g(connectionless)f (netw)o(ork)g(such)h(as)h(Ethernet,)g(where)f(message)0 581 y(o)n(wnership)d(requires)g(understanding)f(header)h(semantics.)54 b(Since)28 b(the)h(e)o(xok)o(ernel)d(has)j(dislocated)e(all)i(netw)o (ork)f(protocol)e(code)0 681 y(that)g(understands)d(pack)o(et)i (semantics)h(into)f(library)g(operating)e(systems)j(it)g(lacks)g(the)g (information)d(necessary)i(to)g(decide)g(which)0 780 y(application)19 b(o)n(wns)h(what)g(message.)125 880 y(T)-7 b(o)26 b(solv)o(e)g(this)g(problem,)g(an)g(e)o(xok)o(ernel)e (requires)h(that)i(netw)o(orking)d(libraries)i(do)n(wnload)e(pack)o(et) h(\002lters)i([65)o(])f(to)h(select)g(the)0 980 y(messages)e(the)o(y)f (w)o(ant.)713 950 y Fi(2)791 980 y Fp(Conceptually)-5 b(,)24 b(e)n(v)o(ery)f(\002lter)j(is)g(in)m(v)n(ok)o(ed)d(on)h(e)n(v)o (ery)g(arri)n(ving)f(pack)o(et)i(and)f(returns)g(\223accept\224)h (\(the)f(\002lter)0 1079 y(w)o(ants)d(the)g(message\))f(or)h (\223reject\224)f(\(the)h(\002lter)g(does)f(not)h(w)o(ant)g(the)g (message\).)30 b(The)20 
b(operating)f(system)i(thus)g(need)f(not)h (understand)0 1179 y(the)f(actual)g(bits)h(in)f(a)h(message)f(in)g (order)f(to)i(bind)e(an)h(arri)n(ving)f(pack)o(et)g(to)i(its)g(o)n (wner)-5 b(.)125 1279 y(F)o(or)25 b(protection,)g(the)g(e)o(xok)o (ernel)e(must)j(ensure)f(that)g(that)h(a)g(\002lter)g(does)f(not)g (\223lie\224)h(and)f(accept)g(pack)o(ets)h(destined)e(to)i(another)0 1378 y(process.)67 b(T)-7 b(o)33 b(pre)n(v)o(ent)e(this)j(theft)f(we)g (intentionally)e(designed)h(our)g(\002lter)h(language)f(to)h(mak)o(e)f (\223o)o(v)o(erlap\224)f(detection)h(simple.)0 1478 y(\(Alternati)n(v)o (ely)-5 b(,)28 b(simple)h(security)e(precautions)g(such)i(as)g(only)f (allo)n(wing)f(a)i(trusted)f(serv)o(er)g(to)h(install)g(\002lters)g (could)f(be)g(used)g(to)0 1577 y(address)19 b(this)g(problem.\))27 b(Finally)-5 b(,)18 b(we)h(ensure)g(f)o(ault)g(isolation)f(through)f(a) i(combination)e(of)i(language)e(design)h(\(to)h(bound)e(runtime\))0 1677 y(and)j(runtime)f(checks)g(\(to)h(protect)g(against)f(wild)i (memory)d(references)h(and)g(unsafe)h(operations\).)125 1777 y(Both)33 b(Ae)o(gis)g(and)g(Xok)g(use)h(pack)o(et)f(\002lters,)k (because)c(our)f(current)h(netw)o(ork)f(does)h(not)g(pro)o(vide)f (hardw)o(are)g(mechanisms)0 1876 y(for)c(message)h(demultiple)o(xing.) 
52 b(One)29 b(challenge)e(with)i(a)g(language\255based)d(approach)h(is) j(to)f(mak)o(e)f(\002lters)h(f)o(ast.)56 b(T)m(raditionally)-5 b(,)0 1976 y(pack)o(et)27 b(\002lters)i(ha)n(v)o(e)e(been)g (interpreted,)h(making)f(them)g(less)i(ef)n(\002cient)f(than)f(in\255k) o(ernel)g(demultiple)o(xing)e(routines.)51 b(One)28 b(of)g(the)0 2076 y(distinguishing)21 b(features)h(of)g(the)h(pack)o(et)f(\002lter)h (engine)e(used)i(by)f(our)g(prototype)e(e)o(xok)o(ernel)g(is)k(that)f (it)g(compiles)f(pack)o(et)g(\002lters)h(to)0 2175 y(machine)c(code)h (at)g(runtime,)f(increasing)g(demultiple)o(xing)e(performance)h(by)h (more)h(than)f(an)i(order)d(of)i(magnitude)f([28)n(,)i(31)o(].)3704 2145 y Fi(3)125 2275 y Fp(Sharing)c(the)i(netw)o(ork)e(interf)o(ace)h (for)g(outgoing)e(messages)j(is)g(easier)-5 b(.)30 b(Messages)19 b(are)f(simply)g(copied)g(from)f(application)h(space)0 2374 y(into)h(a)g(transmit)g(b)n(uf)n(fer)-5 b(.)28 b(In)19 b(f)o(act,)g(with)g(appropriate)e(hardw)o(are)g(support,)h (transmission)g(b)n(uf)n(fers)g(can)h(be)g(mapped)e(into)i(application) 0 2474 y(space)h(just)h(as)g(easily)f(as)h(physical)e(memory)g(pages)g ([23)o(].)125 2574 y(An)27 b(e)o(xok)o(ernel)e(defers)h(message)h (construction)e(to)i(applications.)49 b(A)27 b(protection)f(problem)f (this)j(creates)f(is)h(ho)n(w)e(to)h(pre)n(v)o(ent)0 2673 y(applications)14 b(from)h(\223spoo\002ng\224)f(other)h (applications)f(by)i(sending)e(bogus)h(messages.)28 b(Our)15 b(tw)o(o)h(e)o(xok)o(ernel)e(systems)i(do)f(not)g(pre)n(v)o(ent)0 2773 y(this)j(attack,)g(since)g(the)o(y)e(were)i(designed)e(for)h(an)h (insecure)f(netw)o(orking)e(en)m(vironment.)25 b(Ho)n(we)n(v)o(er)m(,) 16 b(within)i(the)f(conte)o(xt)g(of)g(a)h(trusted)0 2873 y(netw)o(ork,)32 b(an)f(e)o(xok)o(ernel)e(could)i(use)g(\223in)m(v)o (erse\224)f(pack)o(et)g(\002lters)i(to)f(reject)g(messages)h(that)f(do) f(not)h(\002t)h(a)g(speci\002ed)f(pattern)f(\(or)m(,)0 2972 y(alternati)n(v)o(ely)-5 b(,)18 b(reject)i(messages)g(that)h (do\).)28 b(The)20 
b(techniques)f(that)h(w)o(ork)o(ed)f(for)h(DPF)h (could)e(be)h(applied)f(here)h(as)h(well.)0 3219 y Fv(3.3)117 b(Multiplexing)28 b(the)g(CPU)0 3405 y Fp(Control)22 b(o)o(v)o(er)g(the)h(CPU)h(in)m(v)n(olv)o(es)e(the)h(ability)g(to:)35 b(\(1\))23 b(allocate)g(and)f(share)h(CPU)h(time\255slices)g(\(similar) e(to)i(other)e(resources\),)g(\(2\))0 3504 y(yield)g(a)h(time\255slice) f(to)g(a)h(speci\002c)f(named)g(process)f(and)h(\(3\))g(recei)n(v)o(e)f (noti\002cation)g(\(e.g.,)h(via)g(an)g(upcall\))g(when)f (time\255slices)i(be)o(gin)0 3604 y(and)g(end.)39 b(The)23 b(attrib)n(utes)h(of)f(time)h(slices)h(are)f(quantity)e(and)h (\223timeliness.)-6 b(\224)40 b(Applications)22 b(should)h(be)h(able)f (to)h(allocate)f(speci\002c)0 3704 y(time)f(slices)h(to)f(control)f (either)h(of)f(these)h(attrib)n(utes.)35 b(Finally)-5 b(,)21 b(the)h(notion)f(of)h(\223process\224)f(should)g(be)h(lo)n (w\255le)n(v)o(el,)f(consisting)g(of)h(the)0 3803 y(information)17 b(required)h(by)h(hardw)o(are,)g(such)g(as)h(program)e(counters)g(to)i (v)o(ector)f(machine)f(e)o(xceptions)g(to,)i(and)f (protection\255required)0 3903 y(information)f(such)i(as)h(a)f(binding) f(between)g(the)h(process)g(and)g(a)g(principal.)125 4002 y(The)i(follo)n(wing)f(discussion)h(mak)o(es)h(these)f(rules)h (concrete)e(by)i(considering)d(Ae)o(gis')j(treatment)e(of)i(the)g(CPU)g (and)f(its)i(process)0 4102 y(and)c(e)o(xception)e(f)o(acilities.)0 4315 y Fq(3.3.1)99 b(Aegis)24 b(and)i(Xok)f(CPU)f(multiplexing)0 4462 y Fp(Both)k(Xok)g(and)g(Ae)o(gis)g(multiple)o(x)f(the)h(CPU)h(in)g (the)f(same)h(w)o(ay)-5 b(.)52 b(The)o(y)28 b(represent)f(the)h(CPU)h (as)g(a)g(linear)f(v)o(ector)m(,)g(where)g(each)0 4562 y(element)g(corresponds)e(to)i(a)h(time)g(slice.)54 b(T)m(ime)29 b(slices)g(are)f(partitioned)f(at)i(the)f(clock)g(granularity)f(and)g (can)i(be)f(allocated)g(in)g(a)0 4661 y(manner)18 b(similar)i(to)f (physical)g(memory)-5 b(.)27 b(Scheduling)17 b(is)k(done)d(\223round)g 
(robin\224)g(by)h(c)o(ycling)f(through)f(the)j(v)o(ector)e(of)h(time)h (slices.)30 b(A)0 4761 y(crucial)16 b(property)e(of)i(this)h (representation)d(is)j Fk(position)p Fp(,)f(which)g(encodes)f(an)h (ordering)e(and)i(an)g(approximate)e(upper)h(bound)f(on)i(when)p 0 4832 1560 4 v 90 4887 a Fh(2)120 4911 y Fg(P)o(ack)o(et)j(\002lters)f (originated)j(to)d(solv)o(e)g(the)g(equi)n(v)n(alent)k(dif)n(\002culty) e(brought)e(about)h(by)e(another)j(\003a)o(v)o(or)d(of)h(operating)h (system)f(code)h(motion)f(\227)f(microk)o(ernels)k(\227)0 4990 y(which,)c(because)i(the)o(y)f(mo)o(v)o(ed)f(netw)o(orking)i(code) f(from)e(out)h(of)g(the)h(operating)h(system)e(into)g(pri)n(vile)o(ged) j(serv)o(ers,)e(rendered)g(an)f(operating)j(system)c(too)i(ignorant)g (to)0 5069 y(demultiple)o(x)i(pack)o(ets.)90 5126 y Fh(3)120 5149 y Fg(Ho)n(we)n(v)o(er)m(,)d(recently)i(we)d(ha)o(v)o(e)g(e)o (xperimented)k(with)c(the)h(use)f(of)g(an)g(aggressi)n(v)o(e)i (interpreter)h(that,)e(by)f(preprocessing)j(\002lters)e(and)f(e)o (xploiting)j(\223super)o(\255operator\224)0 5228 y(instructions,)30 b(runs)25 b(roughly)i(within)g(a)e(f)o(actor)i(of)f(four)f(of)h (hand\255tuned)i(code)e(\227)f(a)h(perfectly)i(adequate)g(speed)e(gi)n (v)o(en)h(that)g(demultiple)o(xing)i(is)d(coupled)h(to)f(a)0 5307 y(high\255latenc)o(y)21 b(I/O)c(e)n(v)o(ent)i(\(pack)o(et)g (reception\).)1908 5589 y Fp(31)p eop %%Page: 32 33 32 32 bop 1069 1523 a @beginspecial -35 @llx -26 @lly 160 @urx 139 @ury 2160 @rwi @setspecial %%BeginDocument: stride.ps %!PS-Adobe-2.0 EPSF-1.2 %%Page: 1 1 %%BoundingBox: -35 -26 160 139 %%EndComments 1 setlinecap 1 setlinejoin 0.700 setlinewidth 0.00 setgray /Jrnd { exch cvi exch cvi dup 3 1 roll idiv mul } def /JDEdict 8 dict def JDEdict /mtrx matrix put /JDE { JDEdict begin /yrad exch def /xrad exch def /savematrix mtrx currentmatrix def xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /JSTR { gsave 1 eq { gsave 1 setgray fill grestore } if exch neg exch neg translate clip rotate 4 dict 
begin pathbbox /&top exch def /&right exch def /&bottom exch def &right sub /&width exch def newpath currentlinewidth mul round dup &bottom exch Jrnd exch &top 4 -1 roll currentlinewidth mul setlinewidth { &right exch moveto &width 0 rlineto stroke } for end grestore newpath } bind def gsave /Times-Roman findfont 9.000000 scalefont setfont 0.000000 0.000000 translate 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 154.080002 0.000000 lineto stroke newpath 0.000000 0.000000 moveto 0.000000 -5.000000 lineto stroke newpath 15.408000 0.000000 moveto 15.408000 -5.000000 lineto stroke newpath 30.816000 0.000000 moveto 30.816000 -5.000000 lineto stroke newpath 46.223999 0.000000 moveto 46.223999 -5.000000 lineto stroke newpath 61.632000 0.000000 moveto 61.632000 -5.000000 lineto stroke newpath 77.040001 0.000000 moveto 77.040001 -5.000000 lineto stroke newpath 92.447998 0.000000 moveto 92.447998 -5.000000 lineto stroke newpath 107.855995 0.000000 moveto 107.855995 -5.000000 lineto stroke newpath 123.264000 0.000000 moveto 123.264000 -5.000000 lineto stroke newpath 138.671997 0.000000 moveto 138.671997 -5.000000 lineto stroke newpath 154.080002 0.000000 moveto 154.080002 -5.000000 lineto stroke /Times-Roman findfont 7.000000 scalefont setfont gsave 0.000000 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (0) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 15.408000 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (10) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 30.816000 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (20) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 46.223999 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (30) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 61.632000 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (40) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 77.040001 -8.000000 translate 0.000000 rotate 0 -4.200000 translate 
(50) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 92.447998 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (60) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 107.855995 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (70) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 123.264000 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (80) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 138.671997 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (90) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 154.080002 -8.000000 translate 0.000000 rotate 0 -4.200000 translate (100) dup stringwidth pop 2 div neg 0 moveto show grestore /Times-Bold findfont 8.000000 scalefont setfont gsave 77.040001 -20.200001 translate 0.000000 rotate 0 -4.800000 translate (Time \(quanta\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 0.000000 136.800003 lineto stroke newpath 0.000000 0.000000 moveto -5.000000 0.000000 lineto stroke newpath 0.000000 13.680000 moveto -5.000000 13.680000 lineto stroke newpath 0.000000 27.360001 moveto -5.000000 27.360001 lineto stroke newpath 0.000000 41.040001 moveto -5.000000 41.040001 lineto stroke newpath 0.000000 54.720001 moveto -5.000000 54.720001 lineto stroke newpath 0.000000 68.400002 moveto -5.000000 68.400002 lineto stroke newpath 0.000000 82.080002 moveto -5.000000 82.080002 lineto stroke newpath 0.000000 95.760002 moveto -5.000000 95.760002 lineto stroke newpath 0.000000 109.440002 moveto -5.000000 109.440002 lineto stroke newpath 0.000000 123.119995 moveto -5.000000 123.119995 lineto stroke newpath 0.000000 136.800003 moveto -5.000000 136.800003 lineto stroke /Times-Roman findfont 7.000000 scalefont setfont gsave -8.000000 0.000000 translate 0.000000 rotate 0 -2.100000 translate (0) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 13.680000 translate 0.000000 rotate 0 
-2.100000 translate (250) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 27.360001 translate 0.000000 rotate 0 -2.100000 translate (500) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 41.040001 translate 0.000000 rotate 0 -2.100000 translate (750) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 54.720001 translate 0.000000 rotate 0 -2.100000 translate (1000) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 68.400002 translate 0.000000 rotate 0 -2.100000 translate (1250) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 82.080002 translate 0.000000 rotate 0 -2.100000 translate (1500) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 95.760002 translate 0.000000 rotate 0 -2.100000 translate (1750) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 109.440002 translate 0.000000 rotate 0 -2.100000 translate (2000) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 123.119995 translate 0.000000 rotate 0 -2.100000 translate (2250) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 136.800003 translate 0.000000 rotate 0 -2.100000 translate (2500) dup stringwidth pop neg 0 moveto show grestore /Times-Bold findfont 8.000000 scalefont setfont gsave -29.439999 68.400002 translate 90.000000 rotate 0 0.000000 translate (Cumulative Iterations \(thousands\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore gsave gsave 0.600000 setgray 0.700000 setlinewidth [] 0 setdash 6.163200 2.629077 moveto 15.408000 5.258209 lineto 24.652800 7.887286 lineto 33.897599 10.516418 lineto 43.142399 13.145495 lineto 52.387199 15.774626 lineto 61.631999 18.403704 lineto 70.876799 21.032836 lineto 80.121599 23.661968 lineto 89.366399 26.291044 lineto 98.611198 28.920178 lineto 107.855998 31.549253 lineto 117.100798 34.178384 lineto 126.345598 36.807462 lineto 135.590398 39.436594 lineto 144.835198 42.065672 lineto stroke 0.700000 setlinewidth [] 0 setdash grestore 
gsave 0.600000 setgray 0.700000 setlinewidth [] 0 setdash 1.540800 2.629077 moveto 7.704000 5.258209 lineto 10.785600 7.887286 lineto 16.948800 10.516418 lineto 20.030400 13.145495 lineto 26.193600 15.774626 lineto 29.275200 18.403704 lineto 35.438399 21.032836 lineto 38.519999 23.661968 lineto 44.683199 26.291044 lineto 47.764799 28.920178 lineto 53.927999 31.549253 lineto 57.009599 34.178384 lineto 63.172799 36.807462 lineto 66.254399 39.436594 lineto 72.417599 42.065672 lineto 75.499199 44.694804 lineto 81.662399 47.323936 lineto 84.743999 49.953010 lineto 90.907199 52.582145 lineto 93.988798 55.211220 lineto 100.151998 57.840355 lineto 103.233598 60.469427 lineto 109.396798 63.098558 lineto 112.478398 65.727690 lineto 118.641598 68.356768 lineto 121.723198 70.985900 lineto 127.886398 73.614978 lineto 130.967998 76.244110 lineto 137.131198 78.873188 lineto 140.212798 81.502320 lineto 146.375998 84.131398 lineto 149.457598 86.760530 lineto stroke 0.700000 setlinewidth [] 0 setdash grestore gsave 0.600000 setgray 0.700000 setlinewidth [] 0 setdash 0.000000 2.629077 moveto 3.081600 5.258209 lineto 4.622400 7.887286 lineto 9.244800 10.516418 lineto 12.326400 13.145495 lineto 13.867200 15.774626 lineto 18.489600 18.403704 lineto 21.571200 21.032836 lineto 23.112000 23.661968 lineto 27.734400 26.291044 lineto 30.816000 28.920178 lineto 32.356799 31.549253 lineto 36.979199 34.178384 lineto 40.060799 36.807462 lineto 41.601599 39.436594 lineto 46.223999 42.065672 lineto 49.305599 44.694804 lineto 50.846399 47.323936 lineto 55.468799 49.953010 lineto 58.550399 52.582145 lineto 60.091199 55.211220 lineto 64.713599 57.840355 lineto 67.795199 60.469427 lineto 69.335999 63.098558 lineto 73.958399 65.727690 lineto 77.039999 68.356768 lineto 78.580799 70.985900 lineto 83.203199 73.614978 lineto 86.284799 76.244110 lineto 87.825599 78.873188 lineto 92.447999 81.502320 lineto 95.529598 84.131398 lineto 97.070398 86.760530 lineto 101.692798 89.389661 lineto 104.774398 92.018739 
lineto 106.315198 94.647871 lineto 110.937598 97.276949 lineto 114.019198 99.906081 lineto 115.559998 102.535153 lineto 120.182398 105.164291 lineto 123.263998 107.793362 lineto 124.804798 110.422494 lineto 129.427198 113.051626 lineto 132.508798 115.680711 lineto 134.049598 118.309836 lineto 138.671998 120.938920 lineto 141.753598 123.568045 lineto 143.294398 126.197117 lineto 147.916798 128.826255 lineto 150.998398 131.455380 lineto 152.539198 134.084465 lineto stroke 0.700000 setlinewidth [] 0 setdash grestore gsave gsave 6.163200 2.618133 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 15.408000 5.253777 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 24.652800 7.889912 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 33.897598 10.526158 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 43.142399 13.162403 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 52.387199 15.798594 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 61.632000 18.434893 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 70.876801 21.071194 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 80.121597 23.707439 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 89.366402 26.343575 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 98.611198 28.979820 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 107.855995 31.616066 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 117.100800 34.252312 translate 0.000000 rotate newpath 
1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 126.345596 36.888447 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 135.590393 39.524693 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 144.835205 42.160938 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore grestore gsave gsave 1.540800 2.593783 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 7.704000 5.226143 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 10.785600 7.862389 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 16.948799 10.498633 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 20.030399 13.134825 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 26.193600 15.770961 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 29.275200 18.407206 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 35.438400 21.043451 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 38.520000 23.679586 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 44.683201 26.315832 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 47.764801 28.952076 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 53.927998 31.588322 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 57.009598 34.224567 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 63.172798 36.860649 translate 
0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 66.254402 39.496895 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 72.417603 42.133141 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 75.499199 44.769276 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 81.662399 47.405521 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 84.743996 50.041767 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 90.907196 52.678013 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 93.988800 55.314259 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 100.152000 57.950397 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 109.396797 63.222889 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 112.478401 65.859070 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 118.641602 68.495377 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 121.723198 71.131622 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 127.886398 73.767807 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 130.968002 76.404053 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 137.131195 79.040192 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 140.212799 81.676384 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 146.375992 
84.312630 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 149.457596 86.948875 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore grestore gsave gsave 0.000000 1.996295 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 3.081600 4.627506 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 4.622400 7.263697 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 9.244800 9.899505 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 12.326400 12.535695 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 13.867200 15.171776 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 18.489599 17.808022 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 21.571199 20.444323 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 23.112000 23.080513 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 27.734400 25.716648 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 30.816000 28.352896 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 32.356800 30.989141 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 36.979198 33.625385 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 40.060799 36.261520 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 41.601601 38.897766 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore 
gsave 46.223999 41.534012 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 49.305599 44.170258 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 50.846397 46.806339 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 55.468800 49.442585 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 58.550400 52.078773 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 60.091198 54.715019 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 64.713600 57.351154 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 67.795197 59.987400 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 69.335999 62.623646 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 73.958397 65.259842 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 77.040001 67.895973 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 78.580795 70.533859 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 83.203201 73.168465 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 86.284798 75.804710 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 87.825600 78.440842 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 92.447998 81.077087 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 95.529602 83.713280 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke 
grestore gsave 97.070396 86.349579 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 101.692795 88.985657 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 104.774399 91.621902 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 106.315201 94.258148 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 110.937599 96.894394 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 114.019196 99.530479 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 115.559998 102.166725 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 120.182396 104.802917 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 123.264000 107.439217 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 124.804794 110.075348 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 129.427200 112.711548 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 132.508804 115.347725 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 134.049591 117.983917 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 138.671997 120.620056 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 141.753601 123.256248 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 143.294403 125.892441 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 147.916794 128.528687 translate 0.000000 rotate newpath 1.001520 
1.001520 JDE gsave fill grestore stroke grestore gsave 150.998398 131.164825 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore gsave 152.539200 133.800964 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore grestore grestore gsave 15.408000 120.383995 translate 0.000000 rotate gsave 0.600000 setgray 0.700000 setlinewidth [] 0 setdash 0.000000 4.200000 moveto 24.000000 4.200000 lineto stroke 0.700000 setlinewidth [] 0 setdash grestore /Times-Roman findfont 7.000000 scalefont setfont gsave 28.000000 6.300000 translate 0.000000 rotate 0 -4.200000 translate (Ideal) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 12.000000 -4.200000 translate 0.000000 rotate newpath 1.001520 1.001520 JDE gsave fill grestore stroke grestore grestore gsave 28.000000 -2.100000 translate 0.000000 rotate 0 -4.200000 translate (Measured) dup stringwidth pop pop 0 0 moveto show grestore grestore -0.000000 -0.000000 translate grestore %%EndDocument @endspecial 1180 1639 a Fp(Figure)20 b(3\2551:)29 b(Application\255le) n(v)o(el)17 b(stride)j(scheduler)-5 b(.)0 1906 y(the)19 b(time)f(slice)i(will)f(be)f(run.)28 b(Position)18 b(can)h(be)f(used)h (to)f(meet)h(deadlines)e(and)h(to)h(trade)f(of)n(f)g(latenc)o(y)g(for)f (throughput.)26 b(F)o(or)18 b(e)o(xample,)0 2006 y(a)g(long\255running) 13 b(scienti\002c)18 b(application)e(could)h(allocate)g(contiguous)e (time)j(slices)g(in)g(order)e(to)i(minimize)e(the)i(o)o(v)o(erhead)d (of)i(conte)o(xt)0 2105 y(switching,)i(while)i(an)f(interacti)n(v)o(e)f (application)f(could)i(allocate)g(se)n(v)o(eral)f(equidistant)g(time)i (slices)g(to)f(maximize)f(responsi)n(v)o(eness.)125 2205 y(The)h(k)o(ernel)g(pro)o(vides)f(a)j(yield)e(primiti)n(v)o(e)g(to)h (donate)f(the)h(remainder)e(of)i(a)g(process')f(current)g(time)h(slice) h(to)f(another)e(\(speci\002c\))0 2304 y(process.)29 b(Applications)19 b(can)h(use)g(this)h(simple)f(mechanism)f(to)h 
(implement)f(their)h(o)n(wn)g(scheduling)e(algorithms.)125 2404 y(T)m(imer)k(interrupts)f(denote)g(the)i(be)o(ginning)d(and)i(end) g(of)g(time)g(slices,)i(and)e(are)h(deli)n(v)o(ered)d(in)j(a)g(manner)e (similar)i(to)f(e)o(xceptions)0 2504 y(\(discussed)14 b(belo)n(w\):)23 b(a)14 b(re)o(gister)g(is)g(sa)n(v)o(ed)g(in)g(the)g (\223interru)o(pt)g(sa)n(v)n(e)g(ar)o(ea,)-6 b(\224)9 b(the)14 b(e)o(xception)g(program)f(co)o(un)o(ter)h(is)g(lo)o(ade)o(d,) 9 b(and)14 b(the)g(k)o(ernel)0 2603 y(jumps)20 b(to)h(user)n (\255speci\002ed)f(interrupt)g(handling)e(code)j(with)g(interrupts)e (re\255enabled.)29 b(The)21 b(application')-5 b(s)19 b(handlers)h(are)h(responsible)0 2703 y(for)g(general\255purpose)d (conte)o(xt)i(switching:)32 b(sa)n(ving)21 b(and)g(restoring)f(li)n(v)o (e)i(re)o(gisters,)f(releasing)g(locks,)g Fk(etc)p Fp(.)34 b(This)22 b(frame)n(w)o(ork)d(gi)n(v)o(es)0 2803 y(applications)k(a)j (lar)o(ge)d(de)o(gree)g(of)i(control)e(o)o(v)o(er)g(conte)o(xt)h (switching.)42 b(F)o(or)24 b(e)o(xample,)g(because)g(it)i(noti\002es)e (applications)g(of)g(clock)0 2902 y(interrupts,)g(and)g(gi)n(v)o(es)g (them)g(control)f(o)o(v)o(er)g(conte)o(xt)g(switching')-5 b(s)24 b(state)i(sa)n(ving)e(and)g(restoration,)f(it)j(can)e(be)g(used) g(to)h(implement)0 3002 y(scheduler)19 b(acti)n(v)n(ations)g([4)o(].) 
125 3101 y(F)o(airness)g(is)i(achie)n(v)o(ed)d(by)h(bounding)e(the)j (time)g(an)f(application)g(tak)o(es)h(to)f(sa)n(v)o(e)h(its)h(conte)o (xt:)28 b(each)19 b(subsequent)g(timer)g(interrupt)0 3201 y(\(which)25 b(demarcates)h(a)h(time)f(slice\))h(is)g(recorded)e (in)h(an)g(e)o(xcess)h(time)f(counter)-5 b(.)47 b(Applications)25 b(pay)h(for)g(each)g(e)o(xcess)g(time)h(slice)0 3301 y(consumed)e(by)h(forfeiting)f(a)j(subsequent)d(time)i(slice.)50 b(If)27 b(the)f(e)o(xcess)h(time)g(counter)f(e)o(xceeds)g(a)h (predetermined)d(threshold,)j(the)0 3400 y(en)m(vironment)17 b(is)22 b(destro)o(yed.)28 b(In)20 b(a)h(more)f(friendly)f (implementation,)f(the)i(k)o(ernel)g(could)g(perform)e(a)j(complete)e (conte)o(xt)g(switch)i(for)0 3500 y(the)f(application.)125 3600 y(This)g(simple)h(scheduler)e(can)h(support)g(a)h(wide)f(range)g (of)g(higher)n(\255le)n(v)o(el)e(scheduling)h(policies.)30 b(As)21 b(we)g(demonstrate)e(belo)n(w)-5 b(,)20 b(an)0 3699 y(application)f(can)h(enforce)e(proportional)g(sharing)h(on)h(a)g (collection)f(of)h(sub\255processes.)0 3895 y Fo(Extensible)h (Schedulers)g(on)f(Aegis)125 4043 y Fp(Using)29 b(the)h(Ae)o(gis)f (yield)h(primiti)n(v)o(e)e(and)h(control)g(o)o(v)o(er)f(time)i(slices,) j(we)d(ha)n(v)o(e)f(b)n(uilt)h(an)f(application\255le)n(v)o(el)e (scheduler)h(that)0 4142 y(implements)19 b Fk(stride)i(sc)o(heduling)d Fp([91)n(],)i(a)h(deterministic,)e(proportional\255share)c(scheduling)k (mechanism)f(that)j(impro)o(v)o(es)d(on)h(recent)0 4242 y(w)o(ork)34 b([90)o(].)72 b(The)35 b(ExOS)f(implementation)f (maintains)h(a)h(list)h(of)e(processes)g(for)g(which)g(it)i(is)f (responsible,)i(along)d(with)h(the)0 4342 y(proportional)18 b(share)j(the)o(y)g(are)g(to)h(recei)n(v)o(e)e(of)h(its)h(time)g (slice\(s\).)32 b(On)22 b(e)n(v)o(ery)e(time)h(slice)h(w)o(ak)o(eup,)f (the)g(scheduler)f(calculates)h(which)0 4441 y(process)f(is)h(to)f(be)g (scheduled)f(and)h(yields)g(to)g(it)h(directly)-5 b(.)125 4541 y(W)e(e)33 
b(measure)f(the)h(ef)n(fecti)n(v)o(eness)e(of)i(this)g (scheduler)f(by)g(creating)g(three)g(processes)h(that)f(increment)g (counters)f(in)i(shared)0 4640 y(memory)-5 b(.)38 b(The)24 b(processes)g(are)f(assigned)h(a)g(3:2:1)f(relati)n(v)o(e)h(allocation) f(of)g(the)h(scheduler')-5 b(s)23 b(time)h(slice)h(quanta.)39 b(By)25 b(plotting)e(the)0 4740 y(cumulati)n(v)o(e)18 b(v)n(alues)i(of)g(the)g(shared)g(counters,)e(we)j(can)f(determine)e (ho)n(w)i(closely)g(this)h(scheduling)d(allocation)h(is)i(realized.)29 b(As)21 b(can)0 4840 y(be)k(seen)g(in)f(Figure)h(3\2551,)f(the)h(achie) n(v)o(ed)e(ratios)i(are)g(v)o(ery)e(close)i(to)g(idealized)f(ones,)i (sho)n(wing)d(that)i(applications)f(can)g(ef)n(fecti)n(v)o(ely)0 4939 y(control)19 b(scheduling.)125 5039 y(It)e(is)h(important)e(to)h (note)g(that)g(there)g(is)h(nothing)e(special)h(about)g(this)g (scheduler)f(either)h(in)h(terms)f(of)g(pri)n(vile)o(ges)f(\()p Fk(any)g Fp(application)0 5139 y(can)26 b(perform)f(identical)h (actions\))g(or)g(in)h(its)g(comple)o(xity)e(\(the)h(entire)g (implementation)f(is)i(less)h(than)e(100)f(lines)i(of)g(code\).)47 b(As)27 b(a)0 5238 y(result,)20 b(an)o(y)f(application)g(can)h(easily)h (manage)d(processes.)1908 5589 y(32)p eop %%Page: 33 34 33 33 bop 0 83 a Fq(3.3.2)99 b(Aegis)24 b(Pr)n(ocessor)h(En)l(vir)n (onments)0 230 y Fp(An)19 b(Ae)o(gis)h(processor)e(en)m(vironment)e(is) k(a)g(structure)f(that)g(stores)h(the)f(information)e(needed)h(to)i (deli)n(v)o(er)e(e)n(v)o(ents)h(to)g(applications.)28 b(All)0 330 y(resource)18 b(consumption)e(is)k(associated)e(with)h(an)g (en)m(vironment)d(because)i(Ae)o(gis)h(must)g(deli)n(v)o(er)f(e)n(v)o (ents)g(associated)g(with)i(a)f(resource)0 430 y(\(such)h(as)g(re)n(v)n (ocation)f(e)o(xceptions\))f(to)j(its)g(designated)e(o)n(wner)-5 b(.)125 529 y(F)o(our)33 b(kinds)h(of)g(e)n(v)o(ents)g(are)g(deli)n(v)o (ered)f(by)h(Ae)o(gis:)57 b(e)o(xceptions,)37 b(interrupts,)f (protected)d(control)g(transfers,)k(and)d(address)0 629 y(translations.)29 b(Processor)19 
b(en)m(vironments)e(contain)j(the)g (four)f(conte)o(xts)g(required)g(to)h(support)f(these)h(e)n(v)o(ents:) 125 729 y Fo(Exception)e(context)p Fp(:)28 b(for)18 b(each)h(e)o (xception,)e(an)i(e)o(xception)e(conte)o(xt)g(contains)i(a)g(program)e (counter)g(for)h(where)h(to)g(jump)f(to)h(and)0 828 y(a)i(pointer)e(to) h(physical)f(memory)f(for)i(sa)n(ving)g(re)o(gisters.)125 928 y Fo(Interrupt)25 b(context)p Fp(:)37 b(for)24 b(each)h(interrupt)e (an)i(interrupt)e(conte)o(xt)h(includes)g(a)h(program)e(counters)g(and) i(re)o(gister)n(\255sa)n(v)o(e)e(re)o(gion.)0 1027 y(In)35 b(the)g(case)g(of)g(timer)g(interrupts,)i(the)e(interrupt)f(conte)o(xt) f(speci\002es)j(separate)e(program)f(counters)h(for)g (start\255time\255slice)h(and)0 1127 y(end\255time\255slice)19 b(cases,)h(as)h(well)g(as)g(status)g(re)o(gister)e(v)n(alues)h(that)g (control)f(co\255processor)f(and)i(interrupt\255enable)d(\003ags.)125 1227 y Fo(Pr)o(otected)e(Entry)j(context)p Fp(:)27 b(a)18 b(protected)e(entry)h(conte)o(xt)f(speci\002es)i(program)d(counters)i (for)g(synchronous)d(and)j(asynchronous)0 1326 y(protected)23 b(control)h(transfers)g(from)g(other)g(applications.)41 b(Ae)o(gis)25 b(allo)n(ws)g(an)o(y)f(processor)g(en)m(vironment)d(to)k (transfer)f(control)g(into)0 1426 y(an)o(y)19 b(other;)h(access)h (control)e(is)i(managed)d(by)i(the)g(application)f(itself.)125 1526 y Fo(Addr)o(essing)25 b(context)p Fp(:)37 b(an)24 b(addressing)g(conte)o(xt)f(consists)i(of)g(a)g(set)g(of)g Fk(guar)o(anteed)d(mappings)p Fp(.)41 b(A)25 b(TLB)g(miss)h(on)e(a)h (virtual)0 1625 y(address)e(that)g(is)h(mapped)d(by)i(a)h(guaranteed)c (mapping)i(is)i(handled)d(by)i(Ae)o(gis.)38 b(Library)22 b(operating)f(systems)i(rely)g(on)g(guaranteed)0 1725 y(mappings)e(for)g(bootstrapping)e(page\255tables,)i(e)o(xception)g (handling)f(code,)i(and)f(e)o(xception)f(stacks.)36 b(The)22 b(addressing)e(conte)o(xt)h(also)0 1824 y(includes)i(an)h(address)f (space)h(identi\002er)m(,)f(a)h(status)h(re)o(gister)m(,)e(and)g(a)h 
(tag)g(used)g(to)g(hash)f(into)h(the)f(Ae)o(gis)h(softw)o(are)f(TLB.)h (T)-7 b(o)24 b(switch)0 1924 y(from)19 b(one)h(en)m(vironment)d(to)j (another)m(,)e(Ae)o(gis)j(must)f(install)h(these)f(three)g(v)n(alues.) 125 2024 y(These)d(are)g(the)g(e)n(v)o(ent\255handling)c(conte)o(xts)k (required)e(to)i(de\002ne)g(a)h(process.)27 b(Each)17 b(conte)o(xt)f(depends)g(on)h(the)g(others)g(for)f(v)n(alidity:)0 2123 y(for)26 b(e)o(xample,)h(an)f(addressing)g(conte)o(xt)f(does)i (not)f(mak)o(e)g(sense)i(without)e(an)g(e)o(xception)f(conte)o(xt,)i (since)g(it)g(does)g(not)f(de\002ne)g(an)o(y)0 2223 y(action)20 b(to)g(tak)o(e)g(when)g(an)g(e)o(xception)e(or)i(interrupt)f(occurs.)0 2436 y Fq(3.3.3)99 b(Implementing)26 b(Unix)e(Pr)n(ocesses)h(on)g(Xok)0 2583 y Fp(The)19 b Fk(pr)l(ocess)g(map)g Fp(maps)g(UNIX)g(process)f (identi\002ers)h(to)g(Xok)g(en)m(vironment)d(numbers)i(using)g(a)i (shared)e(table.)29 b(The)18 b Fk(pr)l(ocess)i(table)0 2683 y Fp(records)25 b(the)i(process)f(identi\002ers)g(of)g(each)g (process,)h(that)f(of)g(its)i(parent,)e(the)h(ar)o(guments)d(with)j (which)f(the)g(process)g(w)o(as)h(called,)0 2782 y(its)f(run)e(status,) i(and)f(the)g(identity)f(of)g(its)i(children.)42 b(The)24 b(table)h(is)h(partitioned)d(across)i(application\255reserv)o(ed)c (memory)i(of)i(Xok')-5 b(s)0 2882 y(en)m(vironment)22 b(structure,)i(which)g(is)i(mapped)d(readable)g(for)h(all)h(processes)g (and)f(writeable)g(for)g(only)f(the)i(en)m(vironment')-5 b(s)22 b(o)n(wning)0 2982 y(process.)28 b(ExOS)20 b(uses)f(Xok')-5 b(s)20 b(IPC)g(to)f(safely)g(update)f(parent)h(and)f(child)h(process)g (state.)30 b(The)19 b(UNIX)g Fk(ps)h Fp(\(process)e(status\))i(program) 0 3081 y(is)h(implemented)d(by)i(reading)f(all)i(the)f(entries)g(of)g (the)g(process)g(table.)125 3181 y(UNIX)k(pro)o(vides)e(the)j Fk(fork)g Fp(system)f(call)h(to)f(duplicate)g(the)g(current)f(process)h (and)g Fk(e)n(xec)g Fp(to)h(o)o(v)o(erlay)d(it)j(with)g(another)-5 b(.)40 b Fk(Exec)25 b Fp(is)0 3280 
y(implemented)c(by)i(creating)f(a)h (ne)n(w)g(address)f(space)h(for)g(the)g(ne)n(w)f(process,)h(loading)f (on)h(demand)e(the)i(disk)g(image)f(of)h(the)g(process)0 3380 y(into)g(the)g(ne)n(w)g(address)f(space,)i(and)e(then)h (discarding)e(the)i(address)g(space)g(that)g(called)g Fk(e)n(xec)p Fp(.)38 b(Implementing)20 b(fork)i(in)h(a)h(library)e(is)0 3480 y(peculiar)16 b(since)i(it)g(requires)e(that)h(a)h(process)e (create)h(a)h(replica)f(of)g(its)h(address)f(space)g(and)g(state)h Fk(while)f(it)h(is)g(e)n(xecuting)p Fp(.)28 b(T)-7 b(o)17 b(mak)o(e)g(fork)0 3579 y(ef)n(\002cient,)j(ExOS)g(uses)h(cop)o (y\255on\255write)c(to)j(lazily)h(create)f(separate)g(copies)g(of)g (the)g(parent')-5 b(s)20 b(address)f(space.)30 b(ExOS)20 b(scans)h(through)0 3679 y(its)k(page)f(tables,)h(which)e(are)h(e)o (xposed)f(by)g(Xok,)i(marking)d(all)j(pages)f(as)g(cop)o (y\255on\255write)e(e)o(xcept)h(those)h(data)g(se)o(gment)f(and)g (stack)0 3779 y(pages)c(that)g(the)g Fk(fork)h Fp(call)f(itself)h(is)g (using.)28 b(These)19 b(pages)g(must)g(be)g(duplicated)f(so)h(as)h(not) f(to)g(generate)f(cop)o(y\255on\255write)e(f)o(aults)k(while)0 3878 y(running)i(the)h Fk(fork)h Fp(and)f(page)g(f)o(ault)h(handling)e (code.)39 b(Groups)22 b(of)i(page)f(table)g(entries)h(are)g(updated)e (at)i(once)f(by)g(batching)f(system)0 3978 y(calls)f(to)f(amortize)g (the)g(system)g(call)h(o)o(v)o(erhead)c(o)o(v)o(er)i(man)o(y)g (updates.)0 4225 y Fv(3.4)117 b(Exposing)28 b(Machine)g(Ev)o(ents)0 4410 y Fp(An)20 b(e)o(xok)o(ernel)e(gi)n(v)o(es)i(applications)f(lo)n (w\255le)n(v)o(el)g(ef)n(\002cient)h(access)g(to)h(machine)e(e)n(v)o (ents)g(such)h(as)h(e)o(xceptions)e(and)g(interrupts)g(\(which)0 4510 y(we)14 b(ha)n(v)o(e)f(already)f(seen)i(in)f(the)h(conte)o(xt)e (of)h(netw)o(orking)f(and)h(the)g(CPU\).)h(It)g(also)f(pro)o(vides)f (primiti)n(v)o(es)h(for)g(inter)n(\255domain)e(calls,)k(which)0 4610 y(safely)g(change)e(the)i(program)d(counter)h(in)i(one)f(process)h 
(to)f(an)h(agreed)e(upon)h(v)n(alue)g(in)h(another')-5 b(s)13 b(address)h(space.)28 b(Belo)n(w)-5 b(,)15 b(we)g(discuss)0 4709 y(Ae)o(gis')20 b(mechanisms)f(for)h(e)o(xceptions)e(and)i(control) f(transfer)m(,)g(along)g(with)h(Xok')-5 b(s)20 b(f)o(acilities)h(for)f (interprocess)f(communication.)0 4922 y Fq(3.4.1)99 b(Aegis)24 b(Exceptions)0 5069 y Fp(Ae)o(gis)35 b(dispatches)g(all)h(hardw)o(are)e (e)o(xceptions)f(to)j(applications)e(\(sa)n(v)o(e)h(for)g(system)g (calls\))h(using)f(techniques)f(independently)0 5169 y(de)n(v)o(eloped)23 b(b)n(ut)j(similar)g(to)f(those)h(described)e(in)i (Thekkath)e(and)h(Le)n(vy)g([87)n(].)46 b(T)-7 b(o)26 b(dispatch)f(an)g(e)o(xception,)g(Ae)o(gis)h(performs)e(the)0 5269 y(follo)n(wing)19 b(actions:)1908 5589 y(33)p eop %%Page: 34 35 34 34 bop 104 83 a Fp(1.)41 b(It)29 b(sa)n(v)o(es)g(three)f(scratch)h (re)o(gisters)f(into)h(an)g(agreed\255upon)c(\223sa)n(v)o(e)k(area.)-6 b(\224)55 b(\(T)-7 b(o)29 b(a)n(v)n(oid)f(TLB)h(e)o(xceptions,)h(Ae)o (gis)e(does)h(this)208 183 y(operation)18 b(using)i(physical)f (addresses.\))104 349 y(2.)41 b(It)26 b(loads)g(the)h(e)o(xception)d (program)h(counter)m(,)h(the)g(last)h(virtual)f(address)g(that)h(f)o (ailed)f(to)g(ha)n(v)o(e)g(a)h(v)n(alid)f(translation,)h(and)f(the)208 448 y(cause)20 b(of)g(the)g(e)o(xception.)104 614 y(3.)41 b(It)18 b(uses)h(the)g(cause)f(of)g(the)h(e)o(xception)d(to)j(perform)d (an)i(indirect)g(jump)g(to)g(an)h(application\255speci\002ed)c(program) i(counter)f(v)n(alue,)208 714 y(where)j(e)o(x)o(ecution)f(resumes)i (with)g(the)h(appropriate)c(permissions)j(set)h(\()p Fk(i.e)o(.,)e Fp(in)i(user)n(\255mode)d(with)i(interrupts)f (re\255enabled\).)0 880 y(After)j(processing)e(an)i(e)o(xception,)e (applications)g(can)i(immediately)e(resume)h(e)o(x)o(ecution)f(without) h(entering)f(the)i(k)o(ernel.)33 b(Ensuring)0 980 y(that)25 b(applications)g(can)g(return)f(from)g(their)h(o)n(wn)g(e)o(xceptions)f (\(without)g(k)o(ernel)g(interv)o(ention\))f(requires)h(that)i(all)f(e) 
o(xception)f(state)0 1079 y(be)h(a)n(v)n(ailable)f(for)h(user)g (reconstruction.)41 b(This)25 b(means)g(that)g(all)g(re)o(gisters)g (that)g(are)g(sa)n(v)o(ed)g(must)g(be)g(in)g(user)n(\255accessible)f (memory)0 1179 y(locations.)125 1279 y(Currently)-5 b(,)17 b(Ae)o(gis)h(dispatches)g(e)o(xceptions)f(in)i(18)f(instructions)g (\(1.5)f(microseconds)g(on)h(our)g(25MHz)f(DECstation5000/125\),)0 1378 y(roughly)k(a)j(f)o(actor)e(of)h(a)g(hundred)e(f)o(aster)i(than)g (Ultrix,)h(a)f(monolithic)f(OS)h(running)e(on)i(the)g(same)h(hardw)o (are,)e(and)g(o)o(v)o(er)g(\002v)o(e)h(times)0 1478 y(f)o(aster)c(than) g(the)g(most)g(highly\255tuned)d(implementation)h(in)i(the)g (literature.)28 b(Mainly)18 b(this)i(impro)o(v)o(ement)c(comes)j(from)f (the)h(tw)o(o)g(f)o(acts)0 1577 y(that)g(\(1\))e(e)o(xok)o(ernel)g (primiti)n(v)o(es)g(are)i(lo)n(w\255le)n(v)o(el,)e(which)h(means)g (applications)f(do)h(not)h(pay)f(for)f(unnecessary)g(functionality)-5 b(,)16 b(and)i(\(2\))0 1677 y(the)h(e)o(xok)o(ernel)e(concentrates)h (on)g(doing)g(a)i(fe)n(w)f(things)g(well.)29 b(F)o(or)19 b(e)o(xample,)e(Ae)o(gis)j(is)g(small,)f(and)g(does)g(not)f(need)h(to)g (page)g(its)h(data)0 1777 y(structures.)28 b(Because,)20 b(all)g(k)o(ernel)f(addresses)h(are)f(physical)g(the)o(y)g(ne)n(v)o(er) f(miss)i(in)g(the)g(TLB,)g(and)f(Ae)o(gis)g(does)h(not)f(ha)n(v)o(e)g (to)h(separate)0 1876 y(k)o(ernel)f(TLB)i(misses)g(from)e(the)i(more)e (general)g(class)i(of)f(e)o(xceptions)f(in)h(its)h(e)o(xception)d (demultiple)o(xing)g(routine.)125 1976 y(F)o(ast)i(e)o(xceptions)d (enable)i(a)h(number)d(of)i(intriguing)e(applications:)28 b(ef)n(\002cient)19 b(page\255protection)d(traps)j(can)g(be)h(used)f (by)g(applica\255)0 2076 y(tions)24 b(such)g(as)h(distrib)n(uted)e (shared)g(memory)f(systems,)k(persistent)d(object)h(stores,)h(and)f (garbage)d(collectors)j([5)o(,)g(87)o(].)41 b(Exception)0 2175 y(times)21 b(are)f(discussed)g(further)e(in)j([25)n(].)0 2388 y Fq(3.4.2)99 b(Aegis)24 b(Pr)n(otected)j(Contr)n(ol)e(T)-7 
b(ransfers)0 2535 y Fp(Ae)o(gis)27 b(pro)o(vides)e(a)i Fk(pr)l(otected)f(contr)l(ol)h(tr)o(ansfer)g Fp(mechanism)e(as)i(a)h (substrate)e(for)g(ef)n(\002cient)h(implementations)d(of)j(inter)n (\255process)0 2635 y(compunction)16 b(\(IPC\))k(abstractions.)28 b(This)19 b(mechanism)f(illustrates)h(the)h(principle)e(of)g(not)h (encapsulating)f(primiti)n(v)o(es)g(within)h(high\255)0 2735 y(le)n(v)o(el)i(abstractions.)33 b(It)22 b(consists)g(of)f(the)h (minimum)e(operations)g(needed)h(to)g(transfer)g(e)o(x)o(ecution)f (from)g(one)h(process)g(to)h(another)e(in)0 2834 y(a)h(safe)g(w)o(ay:) 30 b(it)21 b(changes)e(the)i(program)d(counter)h(to)i(an)f (agreed\255upon)d(v)n(alue)j(in)h(the)f(callee,)h(donates)e(the)i (current)e(time)i(slice)g(to)g(the)0 2934 y(callee')-5 b(s)18 b(processor)e(en)m(vironment,)e(and)j(installs)h(the)g(required) d(elements)i(of)g(the)h(callee')-5 b(s)17 b(processor)f(conte)o(xt)g (\(addressing\255conte)o(xt)0 3033 y(identi\002er)m(,)j (address\255space)g(tag,)h(and)f(processor)g(status)i(w)o(ord\).)125 3133 y(Ae)o(gis)g(pro)o(vides)f(tw)o(o)h(forms)g(of)g(protected)f (control)g(transfers:)31 b Fk(sync)o(hr)l(onous)20 b Fp(and)h Fk(async)o(hr)l(onous)p Fp(.)30 b(The)21 b(dif)n(ference)e (between)0 3233 y(the)g(tw)o(o)h(is)g(what)g(happens)e(to)h(the)h (processor)e(time)i(slice.)29 b(Asynchronous)17 b(calls)j(donate)e (only)h(the)g(remainder)f(of)h(the)g(current)f(time)0 3332 y(slice)h(to)f(the)g(callee.)29 b(Synchronous)15 b(calls)k(donate)e(the)h(current)e(time)j(and)e(all)i(future)e (instantiations)g(of)h(it;)i(the)e(callee)g(can)g(return)f(the)0 3432 y(time)22 b(slice)h(via)f(a)g(synchronous)d(control)i(transfer)f (call)j(back)e(to)h(the)g(original)f(caller)-5 b(.)34 b(Both)22 b(forms)f(of)h(control)e(transfer)h(guarantee)0 3532 y(tw)o(o)i(important)e(properties.)34 b(First,)23 b(to)g(applications,)f(a)g(protected)f(control)g(transfer)h(is)h (atomic:)34 b(once)21 b(initiated)i(it)g(will)g(reach)f(the)0 3631 y(callee.)29 b(Second,)19 
b(Ae)o(gis)h(will)h(not)e(o)o(v)o (erwrite)f(an)o(y)i(application\255visible)d(re)o(gister)-5 b(.)29 b(These)20 b(tw)o(o)g(properties)e(allo)n(w)i(the)g(lar)o(ge)f (re)o(gister)0 3731 y(sets)i(of)f(modern)f(processors)g(to)h(be)g(used) g(as)h(a)g(temporary)d(message)i(b)n(uf)n(fer)f([17)n(].)125 3830 y(Currently)-5 b(,)13 b(our)f(synchronous)f(protected)h(control)g (transfer)h(operation)f(tak)o(es)i(30)f(instructions)f(\(1.4)h (microseconds)e(on)i(a)h(25MHz)0 3930 y(DECstation5000/125\))i([25)n (].)29 b(Roughly)18 b(ten)h(of)g(these)g(instructions)g(are)g(used)g (to)g(distinguish)f(the)i(system)f(call)h(\223e)o(xception\224)d(from)0 4030 y(other)34 b(hardw)o(are)g(e)o(xceptions)g(on)g(the)h(MIPS)h (architecture.)72 b(Setting)35 b(the)g(status,)40 b(co\255processor)m (,)c(and)e(address\255tag)g(re)o(gisters)0 4129 y(consumes)20 b(the)h(remaining)e(20)h(instructions,)g(and)h(could)f(bene\002t)g (from)g(additional)g(optimizations.)30 b(Because)21 b(Ae)o(gis)g (implements)0 4229 y(the)27 b(minimum)f(functionality)f(required)h(for) g(an)o(y)h(control)f(transfer)g(mechanism,)i(applications)e(can)h(ef)n (\002ciently)g(construct)f(their)0 4329 y(o)n(wn)21 b(IPC)i (abstractions.)33 b(As)22 b(an)g(e)o(xample,)f(we)h(ha)n(v)o(e)f (implemented)f(a)i(\223trusted\224)f(local)h(remote)f(procedure)e(call) j(for)f(use)h(between)0 4428 y(a)e(client)g(and)g(a)g(serv)o(er)f(that) i(the)f(client)g(trusts)g(to)g(sa)n(v)o(e)g(and)g(restore)f (callee\255sa)n(v)o(ed)g(re)o(gisters.)29 b(By)20 b(eliminating)f(the)h (need)g(to)g(sa)n(v)o(e)g(all)0 4528 y(re)o(gisters,)g(trusted)f(LRPC)j (impro)o(v)o(es)c(performance)f(by)j(roughly)e(a)j(f)o(actor)e(of)h(tw) o(o.)125 4627 y(Hardw)o(are)i(dif)n(ferences)f(mak)o(e)i(comparing)d (our)j(numbers)e(to)j(others)e(in)h(the)h(literature)e(dif)n(\002cult.) 
37 b(W)-7 b(e)24 b(attempt)f(an)g(e)o(xtremely)0 4727 y(crude)13 b(comparison)f(of)h(our)g(protected)f(control)h(transfer)g (operation)f(to)i(the)g(equi)n(v)n(alent)e(operation)g(on)h(L3)h([57)o (],)h(the)e(f)o(astest)i(published)0 4827 y(result)25 b(by)f(normalizing)f(the)h(IPC)i(on)e(both)g(systems)h(using)g (SPECint92)f(rating)g(of)h(Ae)o(gis')-5 b(s)25 b(DEC5000)e(and)h(L3')-5 b(s)25 b(486)f(\(16.1)f(vs.)0 4926 y(30.1\).)28 b(Ae)o(gis')-5 b(s)20 b(trusted)g(control)f(transfer)g(mechanism)g(is)i(6.6)f(times)g (f)o(aster)h(than)f(the)g(scaled)g(time)g(for)g(L3')-5 b(s)20 b(RPC)i(mechanism.)125 5026 y(Gi)n(v)o(en)g(the)h(dif)n(ference) e(in)i(architectures,)g(this)h(scaling)f(should)f(be)h(treated)f(as)i (a)g(\223back)e(of)h(the)g(en)m(v)o(elop\224)e(computation.)36 b(The)0 5126 y(main)20 b(conclusion)e(to)j(dra)o(w)e(is)i(that)g(Ae)o (gis')e(control)g(transfer)h(is)h(f)o(ast.)1908 5589 y(34)p eop %%Page: 35 36 35 35 bop 0 83 a Fq(3.4.3)99 b(Implementing)26 b(Unix)e(IPC)h(on)g(Xok) 0 230 y Fp(UNIX)16 b(de\002nes)g(a)g(v)n(ariety)f(of)h(interprocess)e (communication)f(primiti)n(v)o(es:)27 b(signals)16 b(\(softw)o(are)f (interrupts)g(that)h(can)f(be)h(sent)g(between)0 330 y(processes)g(or)g(to)h(a)g(process)f(itself\),)h(pipes)f(\(producer)n (\255consumer)c(untyped)j(message)h(queues\),)g(and)g(sock)o(ets)g (\(dif)n(fering)e(from)i(pipes)0 430 y(in)k(that)h(the)o(y)e(can)h(be)g (established)g(between)f(non\255related)f(processes,)i(potentially)f(e) o(x)o(ecuting)f(on)i(dif)n(ferent)e(machines\).)125 529 y(Signals)k(are)h(layered)f(on)g(top)g(of)h(Xok)f(IPC.)h(Pipes)g(are)g (implemented)e(using)h(Xok')-5 b(s)23 b Fk(softwar)m(e)g(r)m(e)m(gions) p Fp(,)f(which)g(pro)o(vide)f(sub\255)0 629 y(page)g(memory)f (protection,)g(coupled)g(with)i(a)h(\223directed)d(yield\224)h(to)h (the)g(other)f(party)g(when)g(it)i(is)g(required)c(to)j(do)g(w)o(ork)f (\(i.e.,)g(if)i(the)0 729 y(queue)16 b(is)i(full)f(or)g(empty\).)27 b(Sock)o(ets)17 
b(communicating)d(on)j(the)g(same)g(machine)f(are)h (currently)f(implemented)f(using)i(a)g(shared)g(b)n(uf)n(fer)-5 b(.)125 828 y(Inter)n(\255machine)14 b(sock)o(ets)g(are)g(imp)o(lemen)o (ted)f(thro)o(ug)o(h)g(user)n(\255le)m(v)o(el)g(netw)o(o)o(rk)g(libr)o (aries)h(f)o(or)f(UDP)h(a)o(nd)f(TCP)-9 b(.)13 b(The)g(ne)o(tw)o(ork)g (libr)o(aries)0 928 y(are)23 b(implemented)f(using)h(Xok')-5 b(s)23 b(timers,)h(upcalls,)g(and)f(pack)o(et)g(rings,)g(which)g(allo)n (w)h(protected)e(b)n(uf)n(fering)f(of)i(recei)n(v)o(ed)f(netw)o(ork)0 1027 y(pack)o(et,)0 1308 y Fv(3.5)117 b(Discussion)0 1493 y Fp(This)23 b(chapter)f(has)i(discussed)f(ho)n(w)f(an)h(e)o(xok)o (ernel)e(can)i(safely)g(e)o(xport)f(a)h(v)n(ariety)f(of)h(resources)f (\227)i(physical)e(memory)-5 b(,)22 b(the)h(CPU,)0 1593 y(the)c(netw)o(ork,)f(and)h(hardw)o(are)f(e)n(v)o(ents)h(\227)h(to)f (applications.)28 b(The)19 b(lo)n(w\255le)n(v)o(el)f(of)h(the)g(e)o (xok)o(ernel)e(interf)o(ace)i(allo)n(ws)g(library)f(operating)0 1692 y(systems,)31 b(w)o(orking)26 b(abo)o(v)o(e)h(the)i(e)o(xok)o (ernel)d(interf)o(ace,)j(to)g(implement)e(higher)n(\255le)n(v)o(el)f (abstractions)h(and)h(de\002ne)g(special\255purpose)0 1792 y(implementations)19 b(that)j(best)g(meet)f(the)g(performance)e (and)h(functionality)g(goals)h(of)g(applications.)31 b(This)22 b(or)o(ganization)c(allo)n(ws)k(the)0 1892 y(rede\002nition)15 b(of)g(fundamental)f(operating)g(system)j (abstractions)e(by)h(simply)f(changing)f(application\255le)n(v)o(el)g (libraries.)27 b(Furthermore,)0 1991 y(these)20 b(dif)n(ferent)f(v)o (ersions)g(can)h(co\255e)o(xist)f(on)h(the)g(same)h(machine)e(and)g (are)i(fully)e(protected)g(by)h(Ae)o(gis.)125 2091 y(The)k(ne)o(xt)h (chapter)f(presents)g(the)h(resource)f(we)i(ha)n(v)o(e)e(found)f(most)j (challenging,)e(disk,)i(along)e(with)h(our)f(solution)g(to)i(it)f (\(and)0 2191 y(\002v)o(e)20 b(f)o(ailed)g(solutions\).)1908 5589 y(35)p eop %%Page: 36 37 36 36 bop 0 706 a Fj(Chapter)42 b(4)0 1121 y Fn(The)53 
b(Hardest)g(Multiplexing)e(Pr)l(oblem:)75 b(Disk)0 1553 y Fp(An)28 b(e)o(xok)o(ernel)d(must)j(pro)o(vide)d(a)k(means)e(to)h (safely)f(multiple)o(x)f(disks)i(among)e(multiple)h(library)g(\002le)h (systems)h(\(libFSes\).)51 b(Each)0 1652 y(libOS)26 b(contains)f(one)g (or)g(more)g(libFSes.)45 b(Multiple)25 b(libFSes)i(can)e(be)g(used)h (to)f(share)h(the)f(same)h(\002les)g(with)g(dif)n(ferent)e(semantics.)0 1752 y(In)29 b(addition)f(to)i(accessing)f(e)o(xisting)g(\002les,)k (libFSes)d(can)f(de\002ne)g(ne)n(w)g(on\255disk)g(\002le)h(types)f (with)h(arbitrary)e(meta)h(data)h(formats.)0 1851 y(An)d(e)o(xok)o (ernel)e(must)i(gi)n(v)o(e)g(libFSes)h(as)g(much)e(control)g(o)o(v)o (er)g(\002le)i(management)d(as)j(possible)e(while)i(still)g(protecting) d(\002les)k(from)0 1951 y(unauthorized)22 b(access.)43 b(It)24 b(therefore)f(cannot)h(rely)g(on)g(simple\255minded)e (solutions)i(lik)o(e)h(partitioning)e(to)h(multiple)o(x)g(a)h(disk:)38 b(each)0 2051 y(\002le)21 b(w)o(ould)e(require)g(its)i(o)n(wn)f (partition.)125 2150 y(T)-7 b(o)30 b(allo)n(w)g(libFSes)i(to)e(perform) e(their)j(o)n(wn)e(\002le)i(management,)g(an)f(e)o(xok)o(ernel)f (stable)h(storage)g(system)h(must)f(satisfy)h(four)0 2250 y(requirements.)50 b(First,)31 b(creating)c(ne)n(w)g(\002le)i (formats)e(should)g(be)h(simple)g(and)f(lightweight.)51 b(It)28 b(should)f(not)h(require)e(an)o(y)h(special)0 2350 y(pri)n(vile)o(ge.)45 b(Second,)26 b(the)h(protection)d(substrate) i(should)f(allo)n(w)h(multiple)f(libFSes)i(to)f(safely)g(share)g (\002les)h(at)g(the)f(ra)o(w)f(disk)i(block)0 2449 y(and)22 b(meta)h(data)g(le)n(v)o(el.)37 b(Third,)22 b(the)h(storage)g(system)g (must)g(be)f(ef)n(\002cient\227as)h(close)g(to)g(ra)o(w)g(hardw)o(are)e (performance)f(as)k(possible.)0 2549 y(F)o(ourth,)d(the)h(storage)f (system)i(should)e(f)o(acilitate)h(cache)f(sharing)g(among)g(libFSes,)i (and)e(allo)n(w)h(them)g(to)g(easily)g(address)g(problems)0 2648 y(of)e(cache)g(coherence,)e(security)-5 b(,)19 b(and)g(concurrenc) o(y)-5 b(.)125 
2748 y(The)28 b(goal)g(of)g(disk)h(multiple)o(xing)d(is) j(to)g(mak)o(e)f(untrusted)f(library)h(\002le)h(systems)g(\(libFSes\))f (as)i(po)n(werful)c(as)j(pri)n(vile)o(ged)e(\002le)0 2848 y(systems.)39 b(As)24 b(listed)g(abo)o(v)o(e,)e(there)h(are)g(a)h (number)d(of)i(engineering)e(challenges)h(to)i(reaching)d(this)j(goal.) 38 b(The)23 b(hardest)g(challenge)0 2947 y(by)f(f)o(ar)m(,)f(ho)n(we)n (v)o(er)m(,)f(is)j(access)f(control:)32 b(i.e.,)22 b(answering)f(the)h (decepti)n(v)o(ely)e(simple)i(question)f(\223who)g(can)h(use)g(a)g(gi)n (v)o(en)f(disk)h(block?\224)0 3047 y(In)m(v)o(enting)i(a)k(satisf)o (actory)e(solution)g(to)i(this)f(problem)f(took)g(us)h(three)g(years)g (and)f(four)g(systems.)50 b(This)28 b(chapter)e(describes)g(ho)n(w)0 3147 y(we)f(multiple)o(x)e(stable)h(storage,)h(both)e(to)i(sho)n(w)f (ho)n(w)g(we)h(address)e(these)i(problems)e(and)h(to)g(pro)o(vide)f(a)h (concrete)f(e)o(xample)g(of)i(the)0 3246 y(e)o(xok)o(ernel)17 b(principles)i(in)g(practice.)29 b(W)-7 b(e)20 b(\002rst)g(describe)f (out)g(solution)g(to)h(ef)n(\002cient)f(access)h(control.)27 b(An)20 b(interesting)e(aspect)i(of)f(this)0 3346 y(solution)d(is)i (that)f(it)h(uses)f(the)g(libFSes)h(o)n(wn)e(data)h(structures)f(to)i (track)e(what)h(the)g(libFS)h(o)n(wns.)27 b(Another)16 b(is)i(the)f(the)g(code)f(v)o(eri\002cation)0 3445 y(technique)j(we)i (in)m(v)o(ented)d(to)j(do)f(such)g(re\255use)g(without)g(impinging)e (on)i(libFS)h(\003e)o(xibility)-5 b(.)29 b(W)-7 b(e)22 b(then)e(gi)n(v)o(e)f(an)i(o)o(v)o(ervie)n(w)d(XN,)j(Xok')-5 b(s)0 3545 y(e)o(xtensible,)20 b(lo)n(w\255le)n(v)o(el)f(in\255k)o (ernel)h(stable)h(storage)f(system.)31 b(W)-7 b(e)22 b(also)g(describe)e(the)g(general)g(interf)o(ace)g(between)g(XN)i(and)e (libFSes)0 3645 y(and)g(present)f(one)h(particular)f(libFS,)h (C\255FFS,)h(the)f(co\255locating)f(f)o(ast)i(\002le)f(system)h([37)n (].)0 3892 y Fv(4.1)117 b(Ef\002cient,)26 b(\002ne\255grained)h(disk)i (multiplexing)0 4077 y Fp(T)-7 b(o)18 b(pro)o(vide)d(protection,)h(the) 
i(operating)e(system)h(must)h(force)f(each)g(libFS)h(to)g(only)e (access)j(those)e(disk)g(blocks)g(for)g(which)g(the)o(y)g(ha)n(v)o(e)0 4177 y(access)23 b(rights.)36 b(F)o(or)22 b(\003e)o(xibility)g(and)g (speed)g(an)g(e)o(xok)o(ernel)f(pro)o(vides)f(\002ne\255grained)h (protection:)32 b(i.e.,)23 b(at)g(the)f(le)n(v)o(el)h(of)f(disk)g (blocks)0 4276 y(rather)k(than)g(partitions.)47 b(T)-7 b(o)26 b(do)g(so)h(we)g(must)f(answer)g(the)h(simple)f(question)g (\223who)f(can)i(use)f(this)h(block?\224)47 b(Doing)26 b(so)h(requires)0 4376 y(constructing)20 b(a)j(mapping)d(of)i(each)g (disk)g(block)f(to)h(e)n(v)o(ery)f(principal)g(that)h(can)g(use)g(it,)h (which)f(turns)f(out)h(to)g(be)g(quite)g(dif)n(\002cult)g([48)n(])0 4476 y(mainly)27 b(because)h(it)g(requires)f(b)n(uilding)g(the)h(moral) f(equi)n(v)n(alent)g(of)h(a)g(\002le)h(system.)53 b(F)o(or)27 b(e)o(xample,)i(the)f(mapping)e(table)i(will)h(be)0 4575 y(enormous)15 b(\(since)j(its)g(size)g(is)h(proportional)14 b(to)k(the)f(size)i(of)e(disk\))g(and,)g(hence,)g(not)g(\002t)i(in)e (main)g(memory)-5 b(.)26 b(As)19 b(a)f(result,)f(managing)f(it)0 4675 y(as)j(it)g(is)g(is)g(mo)o(v)o(ed)d(between)h(both)h(memory)e(and) i(disk)g(requires)f(solving)g(all)i(the)f(standard)f(\002le)i(systems)g (issues)g(\227)f(deciding)f(which)0 4775 y(pieces)k(to)g(cache,)f (prefetch)f(and)h(e)n(vict,)h(ho)n(w)f(to)h(perform)e(allocation)h(of)g (the)h(table)g(on)f(disk,)h(ho)n(w)f(to)h(reconstruct)e(the)i(table')-5 b(s)21 b(state)0 4874 y(after)i(a)h(system)f(crash,)g(etc.)39 b(Ob)o(viously)-5 b(,)22 b(if)h(an)g(e)o(xok)o(ernel)e(already)h (implements)h(a)g(\002le)h(system,)g(libFSes)g(b)n(uilt)f(on)g(top)g (of)g(it)h(will)0 4974 y(ha)n(v)o(e)g(little)i(freedom.)40 b(F)o(ortunately)-5 b(,)24 b(there)g(are)g(a)i(series)f(of)f(insights)h (that)g(can)f(allo)n(w)h(us)g(to)g(trust)f(the)h(libFS)g(itself)h(to)e (ef)n(\002ciently)0 5073 y(track)c(the)g(blocks)f(it)i(o)n(wns,)f (thereby)f(eliminating)g(the)h(need)g(for)f(duplicate)g(bookk)o 
(eeping.)125 5173 y(The)g(\002rst)h(insight)f(is)i(to)f(notice)f(that)h (a)g(correct)e(libFS)j(will)f(already)e(track)i(what)f(disk)h(blocks)f (it)h(o)n(wns;)g(doing)e(so)i(ef)n(\002ciently)f(is,)0 5273 y(after)f(all,)h(one)f(of)g(the)h(main)f(purposes)f(of)h(a)h (\002le)h(system.)28 b(Therefore,)17 b(an)o(y)g(bookk)o(eeping)f(an)i (e)o(xok)o(ernel)e(does)j(is)g(redundant.)26 b(Thus,)1908 5589 y(36)p eop %%Page: 37 38 37 37 bop 0 83 a Fp(if)24 b(it)g(can)g(reuse)f(the)h(bookk)o(eeping)c (data)k(structures)f(of)g(the)h(libFS)g(then)f(we)h(can)f(eliminate)h (this)g(redundanc)o(y)-5 b(.)3325 53 y Fi(1)3399 83 y Fp(F)o(or)23 b(e)o(xample,)g(a)0 183 y(Unix)f(\002le)h(system)g(tracks) f(what)h(blocks)f(are)g(associated)h(with)f(it)i(\(and)d(what)i (principals)e(are)i(allo)n(wed)f(to)g(use)h(them\))f(using)g(\223meta)0 282 y(data\224)29 b(consisting)g(of)g(directory)f(blocks,)j(inodes,)g (as)f(well)g(as)g(single,)i(double,)e(and)f(triple)g(indirect)g (blocks.)56 b(In)29 b(other)g(w)o(ords,)0 382 y(e)n(v)o(erything)16 b(the)j(k)o(ernel)f(needs)h(to)g(track)f(to)h(perform)e(access)j (control.)27 b(If)19 b(it)h(can)e(reuse)h(libFS)g(meta)g(data,)g(then,) f(it)i(does)f(not)f(need)g(to)0 482 y(perform)g(duplicate)h(tracking)g (of)h(what)g(blocks)g(are)g(associated)g(with)g(which)g(libFS.)125 581 y(Our)i(ne)n(w)g(problem)f(is)j(that)f(reusing)e(libFS)j(bookk)o (eeping)19 b(structures)j(requires)g(that)g(we)h(understand)e(them,)i (both)e(so)i(that)g(we)0 681 y(can)h(force)g(them)g(to)g(be)h(correct,) f(and)g(so)g(that)h(we)g(can)f(e)o(xtract)f(o)n(wnership)g(information) f(from)i(them.)41 b(One)24 b(traditional)f(solution)0 780 y(w)o(ould)k(be)h(to)g(pro)o(vide)e(a)i(\002x)o(ed)f(set)i(of)e (components)f(\(e.g.,)j(pointers)e(to)h(disk)g(blocks,)g(disk)g(block)f (e)o(xtents,)i(etc.\))52 b(from)27 b(which)0 880 y(libFSes)f(could)f(b) n(uild)g(their)h(meta)f(data)h(from.)44 b(Ho)n(we)n(v)o(er)m(,)25 b(creating)g(a)h(set)g(of)g(uni)n(v)o(ersal)e(b)n(uilding)g(blocks)h 
(for)g(\002le)i(system)f(meta)0 980 y(data)19 b(is)g(so)h(hard)d(as)j (to)f(be)g(infeasible:)28 b(\002le)19 b(system)g(research)f(is)i(still) g(an)f(acti)n(v)o(e)f(area)h(e)n(v)o(en)e(after)i(three)f(decades.)28 b(A)19 b(component)e(set)0 1079 y(capable)i(of)i(describing)d(all)j (results)g(of)f(this)h(research)f(does)g(not)g(seem)g(possible.)30 b(Instead,)19 b(we)i(solv)o(e)f(this)h(problem)d(by)i(ha)n(ving)g(the)0 1179 y(libFS)h(interpret)e(its)i(meta)f(data)g(for)g(us)g(in)h(a)f(w)o (ay)h(that)f(we)g(can)g(test)h(for)f(correctness.)0 1392 y Fq(Determinism)25 b(+)g(induction)h(=)f(v)o(eri\002cation)0 1539 y Fp(Our)19 b(struggle)g(has)g(tw)o(o)h(con\003icting)e(pieces:)29 b(\003e)o(xibility)19 b(\(in)g(that)g(we)h(w)o(ant)g(to)f(allo)n(w)h (client)f(meta)g(data)h(to)f(ha)n(v)o(e)g(an)o(y)g(\223syntax\224)f (and)0 1639 y(semantics)26 b(whatsoe)n(v)o(er)m(,)f(including)f(those)h (that)h(we)g(ha)n(v)o(e)f(not)h(anticipated\))e(and)h(v)n(alidity)g (\(in)h(that)f(we)i(require)d(that)i(the)o(y)f(do)g(so)0 1738 y(correctly)-5 b(,)18 b(e)n(v)o(en)g(when)i(we)g(don')o(t)e (understand)f(its)k(representation\).)27 b Fk(Untrusted)19 b(deterministic)h(functions)e Fp(\(UDFs\))i(let)h(us)f(achie)n(v)o(e)0 1838 y(both)f(goals:)30 b(clients)20 b(can)g(use)g(an)o(y)g(possible)f (meta)h(data)g(representation,)e(while)i(we)h(still)g(can)f(v)o(erify)f (correctness,)g(no)g(matter)h(ho)n(w)0 1938 y(mysterious)f(the)h (representation)e(the)o(y)i(chose.)125 2037 y(Fle)o(xibility)13 b(comes)g(from)g(adding)g(a)h(layer)f(of)h(indirection:)25 b(rather)13 b(than)g(ha)n(v)o(e)g(meta)h(data)g(b)n(uilt)g(from)f (components)f(the)h(operating)0 2137 y(system)26 b(understands,)f (libFSes)h(pro)o(vide)d(an)j(\223interpreter\224)e(function,)g Fl(owns)p Fp(,)29 b(for)24 b(each)i(meta)f(data)h(type.)44 b(Gi)n(v)o(en)25 b(an)h(instance)f(of)0 2236 y(that)19 b(type,)f(the)h Fl(owns)h Fp(UDF)f(produces)e(the)i(set)g(of)f(blocks)g (that)h(that)g(instance)f(controls:)28 b Fl(owns:)f(\(meta\))21 b Ff(!)d 
Fl(set)h(of)g(blocks)h(contr)o(olled)g(by)0 2336 y(meta)p Fp(.)29 b(F)o(or)16 b(e)o(xample,)g(a)h(Unix)e(\002le)i (system)g(will)g(pro)o(vide)d(an)j Fl(owns)g Fp(function)e(for)h(each)g (of)g(the)g(types)g(of)g(meta)g(data)h(it)g(uses)g(\227)f(inodes,)0 2436 y(directory)h(blocks,)i(indirect)f(nodes,)g(double)g(indirect)g (nodes,)h(triple)g(indirect)f(nodes,)g(etc.)30 b(Thus,)18 b(when)h(the)g(the)g(operating)e(system)0 2535 y(needs)h(to)h(kno)n(w)e (what)i(disk)f(blocks)g(a)h(piece)f(of)g(meta)h(data)f(controls,)f(it)j (simply)e(runs)g(that)g(meta)h(data)f(through)e(its)k(associated)e Fl(owns)0 2635 y Fp(function.)27 b(Since)20 b Fl(owns)h Fp(is)f(written)g(in)g(a)g(T)l(uring)e(complete)h(language)f(\(in)h (our)g(implementation)e(a)j(pseudo\255assembly)d(language\))h(it)0 2735 y(can)i(describe)f(an)o(y)h(possible)g(\002le)h(system)f(meta)g (data)g(layout.)125 2834 y(At)i(this)g(point,)f(while)h(we)g(ha)n(v)o (e)f(\003e)o(xibility)-5 b(,)21 b(guarantees)f(of)h(correctness)g(ha)n (v)o(e)g(become)g(more)f(challenging.)32 b Fl(owns)23 b Fp(is)g(written)0 2934 y(in)g(general)f(purpose)f(code.)36 b(V)-9 b(eri\002cation)22 b(\(i.e.,)g(that)h Fl(owns)h Fp(correctly)e(implements)g(its)h(speci\002cation\))f(is)i(be)o(yond)c (current)i(formal)0 3033 y(methods.)35 b(The)22 b(UDF)h(techniques)e (discussed)i(in)f(the)h(remainder)d(of)i(the)h(chapter)e(are)i(an)f (online)g(alternati)n(v)o(e)f(that)i(is)g(both)f(simple)0 3133 y(and)e(rob)n(ust.)125 3233 y(UDFs)e(start)f(from)f(the)i(f)o(act) f(that)g(if)h(a)f(deterministic)f(T)l(uring)g(machine)g(terminates)h (and)g(produces)e(an)i(output)f Fl(O)i Fp(then,)f(gi)n(v)o(en)f(the)0 3332 y(same)22 b(initial)h(state)g(and)e(input,)h(it)h(will)g(al)o(w)o (ays)f(terminate)g(and)f(produce)f Fl(O)p Fp(.)j(The)e(k)o(e)o(y)h(to)g (v)o(eri\002cation)f(is)i(that)f(determinism)f(gi)n(v)o(es)0 3432 y(persistence:)38 b(once)24 b Fl(owns\(meta\))29 b Fp(produces)23 b(a)i(v)n(alid)f(result,)i(it)g(will)f(al)o(w)o(ays)h (do)e(so,)i(until)f Fl(meta)h 
Fp(is)g(allo)n(wed)e(to)h(change.)42 b(W)m(ithout)0 3532 y(persistence)20 b(past)g(tests)h(can)f(tell)h(us)g (nothing)d(about)i(present)f(or)h(future)f(beha)n(vior)-5 b(.)125 3631 y(T)e(o)20 b(mak)o(e)g(UDFs)h(deterministic)e(we)i(must)f (guarantee)e(three)i(conditions:)104 3797 y(1.)41 b(The)19 b(instructions)h(the)g(UDF)h(e)o(x)o(ecutes)e(ha)n(v)o(e)g (deterministic)h(semantics.)104 3963 y(2.)41 b(No)32 b(information)e(can)j(be)f(allo)n(wed)g(to)h(\003o)n(w)g(into)f(the)h (uni)n(v)o(erse)e(of)h(the)h(UDF)g(and)f(its)i(state.)67 b(F)o(or)33 b(e)o(xample,)h(on)e(each)208 4063 y(in)m(v)n(ocation)21 b(of)i(the)g(UDF)h(all)g(re)o(gisters)e(and)h(stack)g(locations)g(must) g(be)g(initialized)g(to)h(the)f(same)g(v)n(alues,)h(the)f(UDF)h(cannot) 208 4163 y(use)f(self\255modifying)e(code,)i(call)h (non\255deterministic)c(functions)i(\(such)h(as)h(a)g(\223get)f(time)h (of)f(day\224)f(routine\),)h(ha)n(v)o(e)f(access)i(to)208 4262 y(c)o(ycle)19 b(counters,)g(etc.)104 4428 y(3.)41 b(All)20 b(state)h(that)f(persists)g(across)g(a)g(UDF')-5 b(s)21 b(in)m(v)n(ocations)d(is)j(visible)f(to)g(the)g(v)o(eri\002er)f (so)h(that)g(it)h(can)e(retest)h(the)g(UDF)h(when)e(this)208 4528 y(state)h(is)i(modi\002ed.)0 4694 y(W)-7 b(e)17 b(assume)e(that)g(UDFs)i(are)e(made)g(of)g(immutable)f(code)h(and)g (protected)f(data)h(and)g(that)g(the)h(e)o(x)o(ecution)d(of)i(this)h (code)f(has)g(been)g(made)0 4793 y(\223safe\224)i(to)f(protect)g(the)h (testing)f(e)n(v)n(aluator)f(from)h(malice:)27 b(the)17 b(code)f(is)h(pre)n(v)o(enting)d(from)i(corrupting)e(the)i(e)n(v)n (aluator')-5 b(s)15 b(state,)j(looping)0 4893 y(\223too)23 b(long,)-6 b(\224)22 b(etc.)38 b(The)23 b(implementation)e(discussed)i (in)g(this)g(section)g(guarantees)f(these)h(conditions)e(using)i(a)g (safe)h(interpreter)-5 b(.)36 b(A)0 4993 y(trusted)20 b(compiler)f(could)g(also)h(be)h(used.)p 0 5064 1560 4 v 90 5119 a Fh(1)120 5142 y Fg(Note)d(that)g(this)g(insight)h (applies)g(to)e(all)i(all)f(areas)g(that)h(deal)f(with)g(protection,)i 
(not)e(just)g(\002le)g(systems:)25 b(correct)19 b(applications)i(track) e(what)f(resources)g(the)o(y)h(o)n(wn.)0 5221 y(Future)f(w)o(ork)f (will)h(in)m(v)o(olv)o(e)h(e)o(xploiting)h(this)e(f)o(act)g(more)f (aggressi)n(v)o(ely)l(.)1908 5589 y Fp(37)p eop %%Page: 38 39 38 38 bop 125 83 a Fp(Determinism)24 b(gi)n(v)o(es)h(persistence)g (and,)h(as)g(a)g(result,)h(allo)n(ws)f(us)g(to)f(use)h(induction)e(to)h (v)o(erify)g(UDF)h(correctness.)44 b(Inducti)n(v)o(e)0 183 y(testing)24 b(has)h(tw)o(o)g(phases:)38 b(initialization)24 b(and)g(modi\002cation.)40 b(Initialization)24 b(tests)h(that)g(the)f (UDF')-5 b(s)26 b(initial)f(state)g(is)g(a)g(v)n(alid)f(one.)0 282 y(Modi\002cation)19 b(tests)i(that)f(when)g(a)h(UDF')-5 b(s)21 b(state)g(is)g(mutated,)e(the)h(mutation)f(lea)n(v)o(es)h(the)h (UDF)f(in)h(a)f(v)n(alid)g(state.)125 382 y(Thus,)g(to)g(trust)h(libFS) g(meta)g(data)f(and)g(its)i(associated)e Fl(owns)i Fp(function,)d(we)h (need)g(to)h(check)f(that)g Fl(owns\(meta\))k Fp(produces)19 b(a)i(v)n(alid)0 482 y(output)j(when)g Fl(meta)i Fp(is)g(initialized,)f (and)g(then)f(retest)h(it)h(after)f(each)f(modi\002cation.)42 b(Once)24 b(we)h(can)g(force)f(all)h(libFS)h(meta)f(data)f(to)0 581 y(produce)19 b(v)n(alid)i(results,)g(we)g(ha)n(v)o(e)g (accomplished)e(the)i(goal)g(of)g(this)g(section:)31 b(libFSes)22 b(can)f(no)n(w)f(track)h(their)g(disk)g(blocks)f(without)0 681 y(the)g(k)o(ernel)g(ha)n(ving)f(to)h(duplicate)f(this)i(bookk)o (eeping.)125 780 y(More)d(speci\002cally)-5 b(,)18 b(initialization)g (checks)h(that)g(when)f(the)h(libFS)g(allocates)g(a)h(piece)e(of)h (meta)g(data,)g(it)g(should)f(not)h(control)e(an)o(y)0 880 y(disk)j(blocks:)208 1112 y Fl(\045)g(verify)j(owns\(meta\))h(is)d (in)g(a)h(valid)f(initial)g(state:)208 1212 y(\045)f(i.e.,)g(meta)i (should)h(contr)o(ol)g(no)e(disk)h(blocks.)208 1312 y(pr)o(oc)g (initialize\(meta\))271 1411 y(if)f(owns\(meta\))j(!=)d(\340\341)335 1511 y(err)o(or)i("Bogus)g(initial)e(state!";)208 1611 y(end;)125 1910 y Fp(If)30 b 
Fl(owns\(meta\))k Fp(does)c(not)g(yield)g (the)h(empty)f(set)h(then)f(we)h(kno)n(w)e(that)i(either)f Fl(owns)i Fp(is)g(incorrect)d(or)h Fl(meta)i Fp(is)g(not)e(properly)0 2009 y(initialized.)36 b(In)22 b(either)g(case)h(we)g(reject)f Fl(meta)p Fp(.)37 b(\(W)-7 b(e)24 b(do)e(not)g(actually)g(care)g(if)h Fl(owns)g Fp(itself)g(is)h(correct)d(\227)i(i.e.,)g(that)g(it)g(w)o (orks)f(on)g(all)0 2109 y(possible)d(inputs)h(\227)g(just)g(that)g(it)g (w)o(ork)f(on)h(the)f(current)g(set)h(of)f(used)h(inputs.\))28 b(Otherwise,)19 b(we)h(can)g(accept)f Fl(meta)p Fp(.)31 b(Because)20 b Fl(owns)h Fp(is)0 2208 y(deterministic)e(we)i(are)f (guaranteed)e(that)i(until)g(meta)g(is)i(modi\002ed)d Fl(owns\(meta\))k Fp(will)e(al)o(w)o(ays)g(produce)d(the)i(empty)f (set.)125 2308 y(Ne)o(xt,)j(when)h(a)g(\002le)g(system)g(w)o(ants)h(to) f(modify)e(its)j(meta)e(data)h(\(say)g(to)g(allocate)f(a)i(disk)e (block)g(to)h(a)g(\002le\))h(we)f(v)o(erify)e(that)i Fl(meta)0 2408 y Fp(goes)d(from)f(its)i(current)e(v)n(alid)h(state)h (to)f(a)h(ne)n(w)f(v)n(alid)g(state,)g(where,)g(because)f(of)h (determinism,)f(it)i(must)f(remain.)125 2507 y(Allocation)f(is)i(thus:) 208 2740 y Fl(\045)f(Give)i(meta)g(contr)o(ol)h(of)f(disk)g(block)g(b) 208 2839 y(pr)o(oc)g(allocate\(meta,)i(b\))250 2939 y(old)p 348 2939 22 4 v 25 w(set)f(=)e(owns\(meta\))45 b(\045)21 b(r)o(ecor)o(d)j(original)e(state)250 3039 y(\344let)g(libFS)f (scribble)i(on)e(meta)h(as)g(it)g(will\345)250 3138 y(new)p 383 3138 V 26 w(set)g(=)g(owns\(meta\))87 b(\045)21 b(r)o(ecor)o(d)j (new)d(state)250 3337 y(\045)g(check)h(that)h(owned)f(set)g(gr)o(ew)h (by)f(exactly)g(b.)250 3437 y(if)f(new)p 443 3437 V 26 w(set)h(!=)g(old)p 758 3437 V 25 w(set)g(U)g(\340)f(b)h(\341)313 3537 y(err)o(or)i("Bogus)f(modi\014cation!";)208 3636 y(end;)125 3935 y Fp(Because)c Fl(owns)i Fp(is)g(deterministic)e(we)h (can)f(\002nd)h(out)f(its)i(current)d(state)j(by)e(simply)g(querying)f (it.)29 b(This)20 b(is)h(the)f(crucial)f(part)g(of)h(the)0 4035 
y(process)f(that)g(frees)g(us)g(from)f(duplicating)f(an)o(y)i (bookk)o(eeping)c(data)k(structures.)28 b(Using)19 b(that)g(current)f (state)i(we)f(can)g(ensure)f(that)i(the)0 4134 y(modi\002cation)f(goes) g(to)i(a)f(v)n(alid)g(ne)o(xt)g(state)h(with)f(a)h(straightforw)o(ard)c (process)j(of)g(computing)e(set)j(union)e(and)g(equality)-5 b(.)125 4234 y(Deallocation)19 b(is)i(similar)f(to)g(allocation:)208 4467 y Fl(\045)g(Deallocate)j(disk)f(block)g(b)f(fr)o(om)i(meta)208 4566 y(pr)o(oc)f(deallocate\(meta,)i(b\))271 4666 y(old)p 369 4666 V 26 w(set)e(=)g(owns\(meta\);)129 b(\045)21 b(r)o(ecor)o(d)j(original)d(state)271 4765 y(\344let)h(libFS)f (scribble)i(on)f(meta)g(as)g(it)f(will\345)271 4865 y(new)p 404 4865 V 26 w(set)h(=)g(owns\(meta\);)235 b(\045)21 b(r)o(ecor)o(d)j(new)d(state)271 4965 y(\045)g(check)h(that)h(owned)f (set)h(shrunk)g(by)e(exactly)i(b.)271 5064 y(if)e(set)p 420 5064 V 27 w(dif)o(f\(new)p 699 5064 V 27 w(set,)h(b\))g(!=)f(old)p 1118 5064 V 26 w(set)313 5164 y(err)o(or)j("Bogus)f(modi\014cation!";) 208 5264 y(end;)1908 5589 y Fp(38)p eop %%Page: 39 40 39 39 bop 125 249 a Fp(While)23 b(we)h(must)g(run)e Fl(owns)j Fp(in)f(a)f(safe)h(e)n(v)n(aluation)e(conte)o(xt)g(after)h Fl(meta)i Fp(has)e(been)g(modi\002ed,)g(an)o(y)f(subsequent)g(in)m(v)n (ocation)g(of)0 349 y Fl(owns\(meta\))g Fp(can)d(run)f(without)g (safety)g(checks)h(since)g Fl(owns)h Fp(is)f(deterministic)f(and,)h (after)f(testing,)h(we)g(kno)n(w)f(that)h(it)g(e)o(x)o(ecutes)f(safely) 0 448 y(on)e(this)h(v)n(alue)f(of)g Fl(meta)p Fp(.)30 b(In)16 b(the)h(pseudo\255code)d(abo)o(v)o(e,)h(while)i Fl(new)p 1932 448 22 4 v 25 w(set)h(=)f(owns\(meta\))j Fp(must)d(be)f(run)g(in)h(a)g(safe)f(conte)o(xt,)g(the)h(statement)0 548 y Fl(old)p 98 548 V 26 w(set)k(=)f(owns\(meta\))k Fp(can)c(run)g(uncheck)o(ed.)28 b(One)20 b(w)o(ay)h(to)g(look)e(at)i (this)g(f)o(act)g(is)h(that)e(halting)g(problem)f(is)i(tri)n(vial)g (for)e(deterministic)0 648 y(T)l(uring)g(machines)g(that)i(one)e(kno)n 
(ws)h(ha)n(v)o(e)f(halted)h(in)g(the)h(past.)125 747 y(Nai)n(v)o(ely)-5 b(,)26 b(UDF)h(induction)d(might)h(appear)h(to)g(be) g(nothing)f(more)g(than)h(a)g(simplistic)h(application)e(of)h(testing)g (pre\255)f(and)h(post\255)0 847 y(conditions.)41 b(The)25 b(crucial)f(dif)n(ference)e(is)k(that)f(the)g(pre\255condition)c(is)26 b(supplied)d(by)i(the)f(untrusted)g(UDF)h(implementor)m(,)e(who)h(has)0 946 y(been)c(rendered)e(a)i(trustw)o(orthy)f(partner)f(through)h (determinism.)125 1046 y(Determinism)j(and)h(XN')-5 b(s)24 b(trusted)e(set)i(implementation)d(\(used)i(to)g(check)g(UDF)h (output\))d(pre)n(v)o(ents)h(UDFs)i(from)e(\223cheat\224)h(and)0 1146 y(producing)17 b(bogus)j(output)e(after)i(testing.)125 1245 y(At)d(this)g(point)f(we)h(can)f(incrementally)f(v)o(erify)h(that) g Fl(owns)i Fp(implements)e(its)i(speci\002cation)e(correctly)-5 b(.)26 b(As)17 b(a)h(result,)f(the)f(operating)0 1345 y(system)23 b(can)g(no)n(w)g(rely)f(on)h(potentially)f(malicious)g (libFSes)i(to)f(track)g(what)g(disk)g(blocks)f(the)o(y)h(o)n(wn,)g(in)g (w)o(ays)g(that)g(the)g(operating)0 1445 y(system)33 b(does)f(not)g(understand,)h(while)g(still)h(being)d(able)i(to)f (guarantee)f(correctness.)65 b(Figure)32 b(4\2551)g(sk)o(etches)h(ho)n (w)f(the)g(abo)o(v)o(e)0 1544 y(v)o(eri\002cation)19 b(steps)h(are)h(embedded)d(in)i(the)g(conte)o(xt)f(of)h(a)h(block)e (allocation)g(system)h(call.)125 1644 y(Because)g(our)g(approach)f (merely)g(v)o(eri\002es)i Fk(what)f Fp(a)h(UDF)g(did)g(rather)e(than)h Fk(how)h Fp(it)g(did)g(so)g(it)g(is)g(both)f(more)g(rob)n(ust)g(and)g (simpler)0 1743 y(than)h(traditional)f(v)o(eri\002cation)f(approaches.) 
30 b(Only)21 b(a)h(handful)d(of)i(lines)h(of)f(pseudo\255code)d(are)j (required)e(to)j(v)o(erify)d(the)j(correctness)0 1843 y(of)c(code)f(that)h(is)h(written)f(in)g(an)g(untyped,)f (general\255purpose)d(assembly)k(language)e(that)i(allo)n(ws)g (pointers)f(\(including)f(casts)j(between)0 1943 y(inte)o(gers)27 b(and)h(pointers\),)g(aliasing,)h(stores,)h(dynamic)d(memory)f (allocation,)j(arbitrary)d(loops,)j(and)f(unstructured)d(control)i (\003o)n(w)-5 b(.)0 2042 y(Automated)19 b(theorem)g(pro)o(v)o(ers,)f (in)i(contrast,)f(are)h(both)g(comple)o(x)e(and)i(unable)f(to)h(v)o (erify)f(such)h(code.)0 2280 y Fq(4.1.1)99 b(Ef\002ciency:)38 b(State)25 b(P)o(artitioning)0 2436 y Fp(Since)f(an)g(instance)g(of)g (meta)g(data)g(can)g(control)f(a)h(lar)o(ge)f(number)g(of)h(blocks,)g (enumerating)e(all)i(blocks)g(after)f(each)h(modi\002cation)0 2535 y(can)18 b(be)g(inef)n(\002cient.)27 b(\(F)o(or)18 b(e)o(xample,)e(the)i(Unix)g(\223indirect)f(block\224)g(in)h(Figure)f (4\2552)g(controls)g(up)h(to)g(1024)f(disk)h(blocks.\))27 b(F)o(ortunately)-5 b(,)0 2635 y(the)24 b(computation)e(to)j(produce)d (a)j(gi)n(v)o(en)e(element)g(in)i(a)g(UDF')-5 b(s)25 b(o)n(wns)f(set)h(typically)e(uses)i(only)f(a)g(limited)h(portion)d(of) i(the)h(UDF')-5 b(s)0 2735 y(state.)39 b(This)24 b(sk)o(e)n(wed)f (usage)f(can)h(be)h(e)o(xploited)d(by)i Fk(state)h(partitioning)p Fp(,)e(which)h(at)g(a)h(high)f(le)n(v)o(el)f(allo)n(ws)i(UDFs)g(to)g (partition)e(their)0 2834 y(associated)e(state)h(into)f(sets)i(of)e (disjoint)g(ranges,)f(where)h(each)g(set)h(contains)f(all)h(the)f (state)h(needed)e(to)i(compute)d(a)j(subset)g(of)f(o)n(wned)0 2934 y(blocks)d(\(much)f(smaller)i(in)f(size)h(than)f(the)h(o)n(wn)f (set)h(controlled)e(by)h(the)h(meta)f(data\).)28 b(Our)17 b(inducti)n(v)o(e)f(steps)i(proceed)e(as)i(before,)e(with)0 3033 y(the)k(tw)o(o)h(changes)e(that)i(at)g(initialization)e(we)i(need) f(to)g(v)o(erify)f(that)i(the)f(partitions)g(are)g(non\255o)o(v)o (erlapping)15 b(and)20 b(at)h(modi\002cation)d(that)0 
3133 y(the)i(libFS)h(only)e(modi\002es)h(state)h(in)f(the)h(indicated)e (partition.)125 3233 y(More)c(concretely)-5 b(,)14 b(we)i(number)e (partitions)g(from)h Fl(0)h Fp(to)g Fl(n-1)h Fp(and,)f(on)f (initialization,)h(v)o(erify)e(that)h(these)h(partitions)f(do)g(not)h (o)o(v)o(erlap)0 3332 y(\(calling)j(the)i Fl(access)h Fp(function)d(for)h(a)g(partition)f(id)i(gi)n(v)o(es)e(the)h(set)h(of)f (bytes)g(in)h(that)f(partition\):)208 3565 y Fl(set)i(=)f(\340\341;)208 3664 y(for)o(each)i(partition)g(id)250 3764 y(if\()q(set)p 402 3764 V 27 w(overlap\(set,)h(access\(id\)\))313 3864 y(err)o(or)g("Partitions)g(cannot)f(overlap!";)250 3963 y(set)f(=)g(set)g(U)f(access\(id\);)125 4262 y Fp(Allocation)e(checks)g (that)i(the)f(gi)n(v)o(en)f(partition)g(id)h(is)h(v)n(alid,)f(and)g (then)f(adds)h(the)g(block)g(to)g(the)g(set:)208 4495 y Fl(if)h(id)g Ff(\025)g Fl(the)h(number)g(of)g(partitions)250 4594 y(err)o(or)h("Bogus)g(partition!";)208 4793 y(old)p 306 4793 V 25 w(set)g(=)e(owns\(id\);)208 4893 y(\344let)h(libFS)f (modify)h(state)h(in)e(access\(id\)\345)208 4993 y(new)p 341 4993 V 25 w(set)i(=)e(owns\(id\);)208 5192 y(if)g(old)p 366 5192 V 25 w(set)i(U)e(db)h(!=)f(new)p 887 5192 V 26 w(set)271 5292 y(err)o(or)j("Bogus)e(modi\014cation";)1908 5589 y Fp(39)p eop %%Page: 40 41 40 40 bop 208 436 a Fl(/)p Ff(\003)229 536 y(\003)20 b Fl(C\343pseudo)k(code)e(sketch)h(of)f(how)g(to)g(allocate)g(block)g ('r)o(eq')g(and)g(stuf)o(f)h(a)e(pointer)i(to)229 635 y Ff(\003)d Fl(it)i(in)f(the)h(par)o(ent.)65 b(For)23 b(simplicity)e(we)h(assume)g(meta)g(is)g(BLOCKSIZE)g(big)f(and)h(that) 229 735 y Ff(\003)e Fl(setting)j(a)f(block)g(to)g(all)f(zer)o(os)i(is)e (a)h(valid)f(initialization.)229 834 y Ff(\003)p Fl(/)208 934 y(int)g(sys)p 400 934 22 4 v 27 w(alloc)p 564 934 V 25 w(blk\(blk)p 792 934 V 27 w(t)g(r)o(eq,)h(blk)p 1091 934 V 26 w(t)g(par)o(ent,)h(void)e Ff(\003)p Fl(new)p 1719 934 V 26 w(meta\))h(\340)271 1034 y(set)p 360 1034 V 27 w(t)f(old)p 525 1034 V 26 w(owns,)h(new)p 882 1034 V 25 
w(owns;)271 1133 y(set)p 360 1133 V 27 w(t)f(\()p Ff(\003)p Fl(owns\)\(void)j Ff(\003)p Fl(\);)148 b(/)p Ff(\003)21 b Fl(pointer)h(to)g(owns)g(function)h Ff(\003)p Fl(/)271 1233 y(void)f Ff(\003)p Fl(old)p 562 1233 V 25 w(meta,)f Ff(\003)p Fl(kid)p 912 1233 V 26 w(meta;)271 1432 y(if\()r(!isfr)o(ee\(disk)p 661 1432 V 28 w(fr)o(eemap,)i(r)o (eq\)\))341 b(/)p Ff(\003)21 b Fl(Is)g(r)o(equested)j(block)e(is)g(on)f (the)i(fr)o(eelist?)g Ff(\003)p Fl(/)335 1532 y(r)o(eturn)g(NOT)p 692 1532 V 26 w(FREE;)271 1631 y(if\()r(!can)p 468 1631 V 25 w(r)o(ead\(new)p 776 1631 V 28 w(meta,)f(BLOCKSIZE\)\))256 b(/)p Ff(\003)21 b Fl(Is)g([new)p 1966 1631 V 27 w(meta,new)p 2294 1631 V 26 w(meta+BLOCKSIZE\))j(valid)d(memory?)i Ff(\003)p Fl(/)335 1731 y(r)o(eturn)g(NOT)p 692 1731 V 26 w(V)l(ALID;)271 1831 y(if\()r(!\(old)p 480 1831 V 25 w(meta)f(=)g(buf)o(fer)p 924 1831 V 27 w(cache)p 1122 1831 V 27 w(lookup\(par)o(ent\)\)\))k(/)p Ff(\003)21 b Fl(Is)h(par)o(ent)h(in)e(cor)o(e?)i Ff(\003)p Fl(/)335 1930 y(r)o(eturn)g(NOT)p 692 1930 V 26 w(IN)p 789 1930 V 25 w(CORE;)271 2030 y(if\()r(!can)p 468 2030 V 25 w(write\(par)o (ent\)\))513 b(/)p Ff(\003)21 b Fl(Can)h(the)g(curr)o(ent)i(pr)o(ocess) g(write)e(to)g(par)o(ent?)i Ff(\003)p Fl(/)335 2130 y(r)o(eturn)f (CANNOT)p 837 2130 V 26 w(ACCESS;)271 2329 y(owns)f(=)g(owns)p 681 2329 V 26 w(lookup\(par)o(ent\);)406 b(/)p Ff(\003)21 b Fl(get)h(owns)g(function)h(for)g(par)o(ent.)g Ff(\003)p Fl(/)271 2528 y(owns)p 435 2528 V 26 w(old)f(=)f(owns\(old)p 917 2528 V 27 w(meta\);)424 b(/)p Ff(\003)21 b Fl(compute)i(curr)o(ent) h(and)e(potential)h(owned)f(sets.)h Ff(\003)p Fl(/)271 2628 y(owns)p 435 2628 V 26 w(new)f(=)f(safe)p 795 2628 V 27 w(eval\(owns\(new)p 1278 2628 V 28 w(meta\)\);)271 2827 y(/)p Ff(\003)g Fl(if)g(owns\(new)p 741 2827 V 28 w(meta\))h(did)f(an)h(illegal)f(operation)i(will)d(be)i(nil.)e Ff(\003)p Fl(/)271 2927 y(if\()r(\(owns)p 522 2927 V 26 w(new)i(=)f(safe)p 882 2927 V 27 w(eval\(owns)p 1213 2927 V 28 w(function\(new)p 1642 2927 V 28 
w(meta\)\)\))335 3026 y(r)o(eturn)i(ILLEGAL)p 801 3026 V 26 w(OP;)271 3225 y(/)p Ff(\003)e Fl(compar)o(e:)i(old)e(U)g(r)o(eq)i(=)e(new)h Ff(\003)p Fl(/)271 3325 y(if\()r(!set)p 448 3325 V 26 w(equal\(owns)p 821 3325 V 27 w(new)-5 b(,)21 b(set)p 1098 3325 V 27 w(union\(owns)p 1480 3325 V 27 w(old,)g(r)o(eq\)\)\))335 3425 y(r)o(eturn)i(BOGUS)p 778 3425 V 26 w(UPDA)-5 b(TE;)271 3624 y(/)p Ff(\003)21 b Fl(allocate)i(a)e(buf)o(fer)i(cache)g(entry)g (to)f(hold)f(kid.)g Ff(\003)p Fl(/)271 3724 y(if\()r(!\(kid)p 476 3724 V 25 w(meta)h(=)g(buf)o(fer)p 920 3724 V 27 w(cache)p 1118 3724 V 27 w(alloc\(r)o(eq\)\)\))335 3823 y(r)o(eturn)h(CANNOT)p 837 3823 V 26 w(ALLOC;)271 4023 y(memcpy\(old)p 650 4023 V 27 w(meta,)f(new)p 1000 4023 V 25 w(meta,)g(BLOCKSIZE\);)171 b(/)p Ff(\003)21 b Fl(overwrite)i(par)o (ent)h(with)d(new)h(value.)f Ff(\003)p Fl(/)271 4122 y(memset\(kid)p 626 4122 V 27 w(meta,)h(0,)f(BLOCKSIZE\);)463 b(/)p Ff(\003)21 b Fl(initialize)g(kid)g(buf)o(fer)o(e)j(cache)f(entry) g(to)e(all)g(zer)o(os.)i Ff(\003)p Fl(/)271 4222 y(set)p 360 4222 V 27 w(dirty\(par)o(ent\);)1003 b(/)p Ff(\003)21 b Fl(ensur)o(e)i(par)o(ent)h(will)c(be)h(\015ushed)i(back)g(to)e(disk.) 
h Ff(\003)p Fl(/)271 4421 y(r)o(eturn)i(SUCCESS;)208 4521 y(\341)0 4919 y Fp(Figure)d(4\2551:)32 b(Implementation)19 b(sk)o(etch)j(of)g(a)g(disk)g(block)f(allocation)f(system)i(call)h (that)f(uses)g(UDFs)h(to)f(let)g(untrusted)f(\002le)h(systems)0 5019 y(track)e(the)g(blocks)f(the)o(y)h(control.)1908 5589 y(40)p eop %%Page: 41 42 41 41 bop 208 133 a Fl(\045)20 b(Unix)i(\014le)f(system)i(indir)o(ect)g (block.)208 232 y(struct)g(indir)o(ect)p 622 232 22 4 v 27 w(block)f(\340)292 332 y(unsigned)h(blocks[1024];)208 432 y(\341;)208 631 y(\045)d(UDF)i(that)g(r)o(eturns)j(the)d (\(singleton\))h(set)g(of)208 731 y(\045)d([of)o(fset,)k(nbyte\))f (tuples)g(of)e(all)g(bytes)i(in)e(partition)i(i.)208 830 y(set)f(indir)o(ect)p 540 830 V 27 w(access\(int)i(id\))e(\340)271 930 y(r)o(eturn)i(\340)d([sizeof\(unsigned\))26 b Ff(\003)21 b Fl(id,)g(sizeof\(unsigned\)])k(\341;)208 1029 y(\341)208 1229 y(\045)20 b(r)o(eturn)k(number)f(of)e(partitions)j(in)d(an)h (indir)o(ect)h(block.)208 1328 y(int)e(indir)o(ect)p 532 1328 V 27 w(npartitions\(void\))k(\340)271 1428 y(r)o(eturn)f (1024;)208 1528 y(\341)0 1926 y Fp(Figure)f(4\2552:)36 b(Unix)24 b(indirect)f(block)f(and)i(its)g(associated)g(state)h (partitioning)c(UDFs,)26 b Fl(indir)o(ect)p 2760 1926 V 27 w(access)g Fp(and)e Fl(indir)o(ect)p 3365 1926 V 27 w(npartitions)p Fp(.)43 b(The)0 2026 y(UDFs)26 b(are)f (\223constant\224)g(in)g(that)g(the)o(y)g(do)g(not)f(use)i(the)f(meta)g (data)g(block)g(to)g(compute)f(partitions.)43 b(Non\255constant)23 b(UDFs)k(can)e(be)0 2125 y(used)20 b(as)h(long)e(as)i(the)o(y)f(are)g (retested)g(when)f(the)h(state)h(the)o(y)f(depend)e(on)i(has)h(been)e (modi\002ed.)125 2559 y(P)o(artitioning)k(of)i(state)h(is)g(controlled) e(by)g(UDFs,)j(since)f(it)g(is)g(their)f(implementor)e(that)i(kno)n(ws) g(the)g(natural)f(partitions)h(of)g(the)0 2658 y(problem.)47 b(F)o(or)26 b(instance,)i(in)e(the)h(simple)g(case)g(of)f(the)h(Unix)f (indirect)g(block)f(gi)n(v)o(en)h(in)h(Figure)f(4\2552,)h(which)f(is)h 
(simply)g(a)g(v)o(ector)0 2758 y(of)d(1024)e(disk)i(block)f(pointers,)h (a)g(partition)f(corresponds)f(to)i(the)g(32)g(bits)g(in)g(which)g(a)g (single)g(block)f(pointer)g(is)i(stored.)40 b(In)24 b(most)0 2857 y(situations)c(we)h(ha)n(v)o(e)e(encountered)f(state)j (partitioning)d(can)i(reduce)f(output)g(sets)i(to)f(singleton)g (entries.)125 2957 y(In)j(some)h(sense,)h(we)g(ha)n(v)o(e)e(already)g (been)g(doing)g(coarse\255grain)f(state)j(partitioning,)d(since)j(we)f (only)f(rerun)g(a)i(UDF)f(when)g(the)0 3057 y(disk)h(block)g(it)h(is)g (associated)f(with)g(is)h(modi\002ed)f(rather)f(than)h(requiring)e (that)i(a)h(\002le)g(system)f(ha)n(v)o(e)g(a)h(single)f(UDF)h(that)f (is)h(run)f(on)0 3156 y(modi\002cation)19 b(to)h(an)o(y)f(block)g(on)h (disk.)29 b(P)o(artitioning)19 b(simply)h(tak)o(es)g(this)h(subdi)n (vision)e(to)h(\002ner)g(le)n(v)o(els.)125 3256 y(A)26 b(natural)e(question)h(is)i(ho)n(w)e(to)g(track)h(the)f(state)i(in)e (each)h(partition.)44 b(Our)25 b(original)g(implementation)e(use)j(a)g (static)h(partition)0 3356 y(table)19 b(for)e(each)i(type,)f(where)g Fl(partition)p 1130 3356 V 27 w(table\(i\))j Fp(ga)n(v)o(e)c(the)i(set) g(of)g(state)g(sets)h(associated)e(with)h(partition)e Fl(i)p Fp(.)29 b(Such)18 b(tables)h(can)f(be)h(lar)o(ge.)0 3455 y(In)j(the)h(case)g(of)f(\002le)h(systems,)h(this)f(size)g(is)h (mitigated)d(by)h(the)h(f)o(act)g(that)f(\002le)i(systems)f(ha)n(v)o(e) f(only)f(a)i(fe)n(w)g(templates)f(\(one)g(for)g(each)0 3555 y(meta)27 b(data)f(type\).)48 b(Unfortunately)-5 b(,)25 b(partitioning)f(via)j(a)g(data)f(structure)g(means)g(that,)i (in)f(man)o(y)f(cases,)i(the)f(partitioning)e(cannot)0 3654 y(be)f(adjusted)g(dynamically)-5 b(,)23 b(as)i(is)h(required)c (for)i(dynamically)f(resized)h(structures.)41 b(Of)25 b(course,)f(the)h(ob)o(vious)e(solution)g(is)j(to)e(use)0 3754 y(UDFs:)30 b(the)o(y)19 b(were)g(de)n(v)o(eloped,)e(after)i(all)h (to)f(describing)f(meta)h(data)g(layout.)28 b(This)20 
b(solution)e(turns)h(out)g(to)h(be)f(quite)g(w)o(orkable,)f(and)0 3854 y(has)i(signi\002cantly)g(reduced)e(the)i(size)h(of)f(templates)g (that)g(we)h(use)f(to)h(store)f(\002le)h(system)f(meta)g(data)g (descriptions.)3371 3824 y Fi(2)125 3953 y Fp(T)-7 b(o)23 b(simplify)g(writing)f(UDFs)j(we)e(can)h(re\002ne)f(the)g(partition)f (scheme)h(to)h(mak)o(e)e(the)i(enumeration)d(of)i(a)h(partition')-5 b(s)22 b(\223read)h(set\224)0 4053 y(implicit)g(rather)f(than)h(e)o (xplicit.)37 b(Instead)22 b(of)h(requiring)e(the)i(UDF)h(client)f (supply)f(an)h(access)h(function,)e(we)h(instead)g(ha)n(v)o(e)f(the)h (safe)0 4153 y(UDF)g(e)n(v)n(aluator)d(trace)i(the)g(memory)f (locations)g(e)o(xamined)f(by)i(a)g(particular)f(UDF)i(in)m(v)n (ocation.)33 b(Initialization)21 b(checks)g(that)h(these)0 4252 y(read)i(sets)h(do)f(not)g(o)o(v)o(erlap)e(by)i(tracing)f Fl(owns)j Fp(on)e(each)g(partition)f(id)h(rather)g(than)g(calling)g Fl(access)p Fp(.)44 b(Modi\002cation)22 b(checks)i(that)h(the)0 4352 y(read)d(set)i(of)f(the)f(modi\002ed)g(meta)h(data)g(on)f(a)h(gi)n (v)o(en)f(id)h(is)h(the)e(same)h(as)h(the)f(original)f(read)g(set.)38 b(One)23 b(complication)d(of)j(this)g(model)0 4451 y(is)f(handling)e (the)i(case)g(where)f(the)g(read)g(set)i(gro)n(ws)e(or)g(shrinks.)32 b(Due)22 b(to)g(space)f(limitations)h(we)f(elide)h(a)g(discussion)f(of) g(ho)n(w)g(to)h(do)0 4551 y(this)f(gracefully;)d(interested)i(readers)f (can)h(refer)g(to)g([30)o(].)0 4789 y Fq(4.1.2)99 b(Mor)n(e)25 b(sophisticated)h(partitioning)0 4944 y Fp(Of)19 b(course,)f(forcing)g (partitions)g(to)h(be)g(non\255o)o(v)o(erlapping)13 b(restricts)20 b(implementation)c(freedom.)27 b(This)20 b(subsection)e(proposes)f(a)j (w)o(ay)0 5044 y(to)g(allo)n(w)h(more)e(sophisticated)g(partitionings.) 
p 0 5115 1560 4 v 90 5170 a Fh(2)120 5194 y Fg(The)14 b(UDF)h(in)g(this)h(case)g(is)e(a)i(nice)g(e)o(xample)g(of)f Fe(semantic)i(compr)n(ession)p Fg(,)f(where)g(domain\255speci\002c)i (information)f(is)e(used)g(to)g(generate)j(smaller)e(representations)0 5273 y(than)i(a)f(content\255blind)k(algorithm)e(w)o(ould)f(produce.) 1908 5589 y Fp(41)p eop %%Page: 42 43 42 42 bop 125 83 a Fp(The)25 b(core)h(problem)e(partitioning)g(must)i (solv)o(e)f(is)i(ho)n(w)f(to)g(bind)f(state)i(to)f(inputs:)40 b(i.e.,)27 b(gi)n(v)o(en)e(a)h(modi\002cation)f(to)h(a)g(piece)g(of)0 183 y(meta)20 b(data)h Fl(f)p Fp(')-5 b(s)21 b(state,)g(we)g(must)g (test)g(all)g(inputs)f(that)g(depend)f(on)h(that)g(state.)31 b(State)21 b(partitioning)d(does)i(this)h(by)f(grouping)e(all)j(inputs) 0 282 y(to)g Fl(owns)h Fp(within)e(a)i(single)e(partition.)30 b(A)21 b(more)f(sophisticated)g(alternati)n(v)o(e)f(is)j(to)f(allo)n(w) f(o)o(v)o(erlap)f(between)h(partitions.)30 b(Nai)n(v)o(ely)-5 b(,)19 b(we)0 382 y(might)k(e)o(xpect)g(that)g(allo)n(wing)g(o)o(v)o (erlap)f(requires)g(that)i(we)g(ha)n(v)o(e)f(a)h(function)e Fl(enum)i Fp(that,)h(gi)n(v)o(en)d(a)i(piece)f(of)h(state,)h (enumerates)d(all)0 482 y(inputs)c(that)h(depend)e(on)i(it.)29 b(The)18 b(need)h(for)f(such)g(a)h(function)e(w)o(ould)h(se)n(v)o (erely)g(restrict)h(the)g(data)f(structures)g(we)i(could)d(v)o(erify)-5 b(,)17 b(since)0 581 y(most)g(do)g(not)h(naturally)e(support)g(the)h (ability)g(to)h(enumerate)e(all)i(inputs)f(gi)n(v)o(en)f(an)h (arbitrary)f(byte)h(of)g(state.)29 b(Ho)n(we)n(v)o(er)m(,)16 b(if)i(we)g(e)o(xploit)0 681 y(the)j(libFS,)g(we)g(can)g(ha)n(v)o(e)f (it)i(gi)n(v)o(e)e(us)h(the)g(inputs)f(that)h(could)f(be)h(ef)n(fected) e(by)i(a)g(state)g(modi\002cation)f(and)g(yet)h(be)g(able)f(to)h(test)h (that)f(it)0 780 y(does)f(so)g(correctly)-5 b(.)125 880 y(W)e(e)25 b(do)f(this)g(using)g(reference)f(counting:)35 b(if)25 b(we)f(can)g(reliably)g(determine)e(ho)n(w)i(man)o(y)f(inputs)h (use)g(a)h(piece)f(of)g(state,)h(we)g(can)0 980 
y(trust)20 b(the)g(libFS)h(to)f(\002nd)g(which)f(inputs)h(are)g(dependent.)27 b(Reference)19 b(counting)f(enables)i(this)g(split)h(because,)e(gi)n(v) o(en)g(the)h(number)e(of)0 1079 y(inputs)23 b(that)h(use)g(a)g(piece)g (of)f(state)h(and)g(a)g(libFS\255supplied)e(set)i(of)g(inputs,)g(we)g (can)f(v)o(erify)g(that)g(the)h(set)h(is)f(suf)n(\002cient)f(by)h(in)m (v)n(oking)0 1179 y Fl(owns)g Fp(on)e(each)h(element)f(and)g(v)o (erifying)e(that)j(it)h(indeed)d(touches)h Fl(s)p Fp(.)38 b(If)22 b(it)i(does,)f(then)f(we)h(kno)n(w)f(we)h(ha)n(v)o(e)f(all)h (inputs)f(that)h(depend)0 1279 y(on)f Fl(s)p Fp(,)h(otherwise)e(we)h (return)f(an)h(error)-5 b(.)34 b(Reference)21 b(counts)g(are)h (computed)e(by)h(the)h(libFS)h(using)e(a)i Fl(r)o(efcnt)i Fp(UDF)-7 b(,)23 b(which)e(associates)0 1378 y(each)i(byte)g(of)g(data) g(with)h(a)g(reference)e(count.)37 b(Note)24 b(that)f(a)h(correct)f (libFS)h(already)e(tracks)h(roughly)e(the)j(information)d(that)i Fl(r)o(efcnt)0 1478 y Fp(needs)18 b(in)h(order)f(to)h(implement)f (memory)f(management.)26 b(I.e.,)19 b(it)g(cannot)f(free)g(memory)f (that)i(is)h(still)g(needed)e(by)g(inputs)g(to)h Fl(f)p Fp(.)30 b(Thus,)0 1577 y(it)19 b(does)g(not)f(seem)h(that)g(the)f (requirement)f(that)h(the)h(libFS)g(can)f(write)h Fl(r)o(efcnt)j Fp(restricts)d(its)h(freedom)d(in)h(an)o(y)g(real)h(w)o(ay)-5 b(.)28 b(Lack)18 b(of)h(space)0 1677 y(pre)n(v)o(ents)g(further)f (discussion;)i(interested)g(readers)f(can)h(refer)g(to)g([30)o(].)0 1924 y Fv(4.2)117 b(Ov)o(er)o(view)28 b(of)h(XN)0 2110 y Fp(Designing)h(a)h(\003e)o(xible)f(e)o(xok)o(ernel)f(stable)i (storage)f(system)h(has)g(pro)o(v)o(en)e(dif)n(\002cult:)50 b(XN)31 b(is)h(our)e(fourth)f(design.)61 b(This)31 b(section)0 2209 y(pro)o(vides)e(an)i(o)o(v)o(ervie)n(w)e(of)i(ho)n(w)g(we)g(use)h (UDFs,)i(the)d(cornerstone)e(of)i(XN;)h(the)f(follo)n(wing)f(sections)h (describe)f(some)h(earlier)0 2309 y(approaches)18 b(\(and)h(why)h(the)o (y)f(f)o(ailed\),)h(and)f(aspects)i(of)f(XN)g(in)h(greater)e(depth.)125 2408 
y(XN)j(pro)o(vides)e(access)i(to)g(stable)g(storage)f(at)h(the)g (le)n(v)o(el)g(of)f(disk)h(blocks,)f(e)o(xporting)e(a)k(b)n(uf)n(fer)d (cache)h(re)o(gistry)g(\(Section)g(4.4\))g(as)0 2508 y(well)j(as)f(free)g(maps)g(and)g(other)f(on\255disk)g(structures.)37 b(The)22 b(main)h(purpose)f(of)g(XN)i(is)g(to)f(determine)f(the)h (access)h(rights)f(of)f(a)i(gi)n(v)o(en)0 2608 y(principal)h(to)i(a)g (gi)n(v)o(en)e(disk)h(block)g(as)h(ef)n(\002ciently)e(as)i(possible.)48 b(XN)27 b(must)f(pre)n(v)o(ent)f(a)i(malicious)f(user)g(from)f (claiming)h(another)0 2707 y(user')-5 b(s)24 b(disk)g(blocks)f(as)i (part)e(of)h(her)f(o)n(wn)h(\002les.)41 b(On)24 b(a)g(con)m(v)o (entional)d(OS,)j(this)h(task)f(is)h(easy)-5 b(,)24 b(since)g(the)g(k)o (ernel)f(itself)h(kno)n(ws)g(the)0 2807 y(\002le')-5 b(s)29 b(meta)f(data)g(format.)51 b(On)28 b(an)g(e)o(xok)o(ernel,)f (where)h(\002les)h(ha)n(v)o(e)e(application\255de\002ned)d(meta)k(data) g(layouts,)h(the)f(task)h(is)f(more)0 2907 y(dif)n(\002cult.)33 b(On)21 b(XN)h(libFSes)h(pro)o(vide)c(UDFs)k(that)e(act)h(as)g(meta)g (data)f(translation)g(functions)f(speci\002c)i(to)g(each)f(\002le)h (type.)33 b(XN)22 b(uses)0 3006 y(UDFs)j(to)f(analyze)f(meta)g(data)h (and)f(translate)h(it)h(into)e(a)i(simple)e(form)g(the)h(k)o(ernel)f (understands.)38 b(A)25 b(libFS)f(de)n(v)o(eloper)d(can)j(install)0 3106 y(UDFs)h(to)f(introduce)e(ne)n(w)i(on\255disk)e(meta)i(data)g (formats.)39 b(UDFs)25 b(allo)n(w)f(the)g(k)o(ernel)f(to)h(safely)f (and)h(ef)n(\002ciently)f(handle)g(an)o(y)g(meta)0 3205 y(data)d(layout)f(without)h(understanding)d(the)j(layout)g(itself.)125 3305 y(UDFs)d(are)g(stored)g(on)f(disk)h(in)h(structures)e(called)h Fk(templates.)28 b Fp(Each)16 b(template)h(corresponds)d(to)k(a)f (particular)f(meta)h(data)g(format;)0 3405 y(for)g(e)o(xample,)f(a)i (UNIX)f(\002le)h(system)f(w)o(ould)g(ha)n(v)o(e)g(templates)g(for)g (data)g(blocks,)g(inode)f(blocks,)h(inodes,)g(indirect)f(blocks,)h (etc.)29 b(Each)0 3504 y(template)20 b Fm(T)32 b Fp(has)21 
b(tw)o(o)g(UDFs:)31 b Fk(owns\255udf)1223 3516 y Fd(T)1295 3504 y Fp(and)20 b Fk(r)m(efcnt\255udf)1762 3516 y Fd(T)1813 3504 y Fp(,)h(and)f(tw)o(o)h(untrusted)e(and)h(potentially)g (nondeterministic)e(functions:)0 3604 y Fk(acl\255uf)195 3616 y Fd(T)268 3604 y Fp(and)j Fk(size\255uf)627 3616 y Fd(T)680 3604 y Fp(.)34 b(All)22 b(four)f(functions)f(are)i (speci\002ed)f(in)h(the)g(same)g(language)e(b)n(ut)h(only)g Fk(owns\255udf)3124 3616 y Fd(T)3197 3604 y Fp(and)h Fk(r)m(efcnt\255udf)3666 3616 y Fd(T)3739 3604 y Fp(must)0 3704 y(be)g(deterministic.)33 b(The)22 b(other)f(tw)o(o)h(can)g(ha)n(v) o(e)f(access)h(to,)h(for)e(e)o(xample,)f(the)i(time)g(of)g(day)-5 b(.)33 b(The)22 b(limited)g(language)e(used)h(to)h(write)0 3803 y(these)h(functions)e(is)i(a)h(pseudo\255RISC)d(assembly)h (language,)f(check)o(ed)h(by)g(the)h(k)o(ernel)e(to)i(ensure)f (determinac)o(y)-5 b(.)34 b(Once)22 b(a)h(template)0 3903 y(is)e(speci\002ed,)f(it)h(cannot)e(be)h(changed.)125 4002 y(The)h Fk(owns\255udf)f Fp(function)g(allo)n(ws)i(XN)g(to)f (check)g(the)h(correctness)e(of)h(libFS)h(meta)g(data)f (modi\002cations)f(\(speci\002ed)h(as)h(a)g(list)h(of)0 4102 y(byte)d(range)f(modi\002cations\))f(using)i(techniques)f(from)g (the)h(pre)n(vious)f(subsection.)125 4202 y(The)h Fk(r)m(efcnt\255udf)h Fp(function)e(allo)n(ws)j(libFSes)g(to)f(represent)f(reference)g (counts)g(ho)n(we)n(v)o(er)g(the)o(y)g(wish.)33 b(F)o(or)21 b(simplicity)-5 b(,)20 b(reference)0 4301 y(count)27 b(are)h(stored)g(in)g(the)g(block)g(that)g(is)h(pointed)e(to)h(\(and,)h (thus,)h(the)o(y)e(are)g(persistent\).)52 b(Whene)n(v)o(er)27 b(an)h(edge)f(to)i(this)f(block)g(is)0 4401 y(formed,)18 b(XN)j(v)o(eri\002es)f(that)g Fk(r)m(efcnt\255udf)f Fp(increases)h(by)g (one.)29 b(And,)19 b(when)h(an)g(edge)f(is)i(deleted,)f(that)g(the)g (count)f(is)j(decremented.)125 4501 y(The)h Fk(acl\255uf)h Fp(function)e(implements)h(template\255speci\002c)g(access)i(control)e (and)h(semantics;)i(its)f(input)e(is)i(a)g(piece)f(of)g(meta)g(data,)0 4600 
y(a)29 b(proposed)d(modi\002cation)h(to)i(that)f(meta)g(data,)j (and)c(set)j(of)e(credentials)g(\(e.g.,)h(capabilities\).)53 b(Its)29 b(output)e(is)j(a)f(Boolean)e(v)n(alue)0 4700 y(appro)o(ving)16 b(or)k(disappro)o(ving)c(of)j(the)g(modi\002cation.) 28 b(XN)20 b(runs)f(the)g(proper)f Fk(acl\255uf)g Fp(function)g(before) g(an)o(y)h(meta)g(data)g(modi\002cation.)0 4800 y Fk(acl\255uf)p Fp(s)i(can)g(implement)f(access)h(control)f(lists,)j(as)f(well)f(as)h (pro)o(viding)d(certain)h(other)g(guarantees;)h(for)f(e)o(xample,)g(an) h Fk(acl\255uf)g Fp(could)0 4899 y(ensure)e(that)i(inode)e (modi\002cation)f(times)j(are)f(k)o(ept)g(current)f(by)h(rejecting)f (an)o(y)g(meta)i(data)f(changes)f(that)h(do)g(not)g(update)f(them.)125 4999 y(The)g Fk(size\255uf)i Fp(function)d(simply)i(returns)g(the)g (size)h(of)e(a)i(data)f(structure)f(in)i(bytes.)1908 5589 y(42)p eop %%Page: 43 44 43 43 bop 0 83 a Fv(4.3)117 b(XN:)28 b(Pr)n(oblem)g(and)h(history)0 269 y Fp(The)22 b(most)g(dif)n(\002cult)g(requirement)e(for)h(XN)i(is)g (ef)n(\002ciently)f(determining)e(the)i(access)h(rights)f(of)g(a)h(gi)n (v)o(en)e(principal)g(to)h(a)h(gi)n(v)o(en)e(disk)0 368 y(block.)28 b(W)-7 b(e)22 b(discuss)e(the)g(successi)n(v)o(e)g (approaches)e(that)j(we)f(ha)n(v)o(e)g(pursued.)125 468 y Fo(Disk\255block\255le)o(v)o(el)27 b(multiplexing)o(.)51 b Fp(One)28 b(approach)d(is)k(to)f(associate)g(with)g(each)f(block)g (or)g(e)o(xtent)g(a)h(capability)f(\(or)g(access)0 567 y(control)i(list\))i(that)f(guards)f(it.)59 b(Unfortunately)-5 b(,)30 b(if)g(the)g(capability)f(is)i(spatially)f(separated)f(from)g (the)i(disk)f(block)f(\(e.g.,)i(stored)0 667 y(separately)26 b(in)g(a)h(table\),)g(accessing)g(a)f(block)g(can)g(require)f(tw)o(o)i (disk)f(accesses)i(\(one)d(to)i(fetch)f(the)g(capability)g(and)g(one)f (to)i(fetch)0 767 y(the)22 b(block\).)31 b(While)22 b(caching)e(can)i (mitigate)f(this)h(problem)d(to)j(a)g(de)o(gree,)e(we)i(are)f(nerv)n (ous)g(about)f(its)j(o)o(v)o(erhead)18 b(on)j(disk\255intensi)n(v)o(e)0 866 
y(w)o(orkloads.)34 b(An)22 b(alternati)n(v)o(e)f(approach)f(is)j (to)g(co\255locate)e(capabilities)h(with)g(disk)h(blocks)e(by)h (placing)f(them)h(immediately)f(before)0 966 y(a)i(disk)f(block')-5 b(s)22 b(data)g([54)o(].)35 b(Unfortunately)-5 b(,)20 b(on)i(common)e(hardw)o(are,)h(reserving)g(space)h(for)g(a)h (capability)e(w)o(ould)h(pre)n(v)o(ent)e(blocks)0 1066 y(from)f(being)g(multiples)h(of)g(the)g(page)g(size,)g(adding)f(o)o(v)o (erhead)f(and)h(comple)o(xity)f(to)j(disk)f(operations.)125 1165 y Fo(Self\255descripti)o(v)o(e)27 b(meta)h(data.)51 b Fp(Our)27 b(\002rst)i(serious)e(attempt)h(at)g(ef)n(\002cient)g(disk) f(multiple)o(xing)f(pro)o(vided)f(a)j(means)g(for)f(each)0 1265 y(instance)35 b(of)f(meta)h(data)g(to)g(describe)f(itself.)74 b(F)o(or)35 b(e)o(xample,)i(a)e(disk)g(block)f(w)o(ould)g(start)h(with) h(some)e(number)f(of)i(bytes)g(of)0 1364 y(application\255speci\002c)15 b(data)i(and)g(then)g(say)h(\223the)f(ne)o(xt)g(ten)g(inte)o(gers)g (are)g(disk)h(block)e(pointers.)-6 b(\224)27 b(The)18 b(comple)o(xity)d(of)i(space\255ef)n(\002cient)0 1464 y(self\255description)k(caused)h(us)h(to)g(limit)g(what)g(meta)g(data)g (could)e(be)i(described.)36 b(W)-7 b(e)24 b(disco)o(v)o(ered)c(that)j (this)h(approach)c(both)i(caused)0 1564 y(unacceptable)d(amounts)h(of)h (space)g(o)o(v)o(erhead)e(and)h(required)g(e)o(xcessi)n(v)o(e)g(ef)n (fort)g(to)i(modify)d(e)o(xisting)i(\002le)g(system)h(code,)e(because)h (it)0 1663 y(w)o(as)g(dif)n(\002cult)f(to)g(shoehorn)e(e)o(xisting)i (\002le)g(system)h(data)f(structures)f(into)h(a)h(uni)n(v)o(ersal)e (format.)125 1763 y Fo(T)-8 b(emplate\255based)14 b(description.)28 b Fp(Self\255description)12 b(and)i(its)i(problems)d(were)i(eliminated) e(by)h(the)h(insight)f(that)h(each)f(\002le)h(system)0 1863 y(is)27 b(b)n(uilt)e(from)g(only)g(a)h(handful)e(of)h(dif)n (ferent)f(on\255disk)h(data)g(structures,)i(each)e(of)g(which)g(can)h (be)g(considered)d(a)k(type.)45 b(Since)26 b(the)0 1962 y(number)20 
b(of)i(types)f(is)i(small,)f(it)h(is)g(feasible)e(to)h (describe)f(each)h(type)f(only)g(once)g(per)h(\002le)g (system\227rather)f(than)g(once)h(per)f(instance)0 2062 y(of)f(a)h(type\227using)d(a)j Fk(template)p Fp(.)125 2161 y(Originally)-5 b(,)28 b(templates)f(were)h(written)g(in)g(a)g (declarati)n(v)o(e)e(description)h(language)f(\(similar)i(to)g(that)g (used)f(in)h(self\255descripti)n(v)o(e)0 2261 y(meta)e(data\))f(rather) g(than)h(UDFs.)47 b(This)26 b(system)g(w)o(as)h(simple)e(and)h(better)f (than)h(self\255descripti)n(v)o(e)e(meta)h(data,)i(b)n(ut)f(still)h(e)o (xhibited)0 2361 y(what)22 b(we)g(ha)n(v)o(e)f(come)g(to)h(appreciate)e (as)i(an)g(indication)e(that)i(applications)f(do)g(not)g(ha)n(v)o(e)g (enough)f(control:)31 b(the)22 b(system)g(made)f(too)0 2460 y(man)o(y)26 b(tradeof)n(fs.)48 b(W)-7 b(e)29 b(had)d(to)i(mak)o (e)e(a)i(myriad)e(of)h(decisions)f(about)h(which)f(base)h(types)g(were) g(a)n(v)n(ailable)g(and)g(ho)n(w)f(the)o(y)h(were)0 2560 y(represented)21 b(\(ho)n(w)h(lar)o(ge)g(disk)g(block)g(pointers)g (could)g(be,)h(ho)n(w)f(the)h(type)f(layout)g(could)g(change,)f(ho)n(w) i(e)o(xtents)f(were)g(speci\002ed\).)0 2660 y(Gi)n(v)o(en)f(the)h(v)n (ariety)f(of)h(on\255disk)f(data)g(structures)h(described)f(in)h(the)g (\002le)g(system)h(literature,)e(it)i(seems)f(unlik)o(ely)f(that)h(an)o (y)f(\002x)o(ed)h(set)0 2759 y(of)e(components)e(will)j(e)n(v)o(er)e (be)h(enough)e(to)j(describe)e(all)i(useful)f(meta)g(data.)125 2859 y(Our)13 b(current)g(solution)g(uses)g(templates,)c(b)n(ut)k (trades)g(the)g(declarati)n(v)o(e)g(description)f(lang)o(uag)o(e)h(fo)o (r)g(a)g(m)o(or)o(e)g(e)o(x)o(pr)o(essi)n(v)o(e,)8 b(interpreted)0 2958 y(language\227UDFs.)26 b(This)14 b(lets)i(libFSes)f(track)f(their) g(o)n(wn)g(access)h(rights)f(without)f(XN)i(understanding)c(ho)n(w)j (the)o(y)g(do)g(so;)j(XN)d(merely)0 3058 y(v)o(eri\002es)20 b(that)g(libFSes)h(track)f(block)f(o)n(wnership)g(correctly)-5 b(.)0 3305 y Fv(4.4)117 b(XN:)28 b(Design)h(and)f(implementation)0 3491 y 
Fp(W)-7 b(e)21 b(\002rst)g(describe)f(the)g(requirements)e(for)i (XN)g(and)g(then)g(present)f(the)h(design.)0 3703 y Fq(Requir)n(ements) 27 b(and)e(appr)n(oach)0 3851 y Fp(In)16 b(our)g(e)o(xperience)f(so)i (f)o(ar)m(,)g(the)f(follo)n(wing)f(requirements)g(ha)n(v)o(e)h(been)g (suf)n(\002cient)g(to)h(reconcile)f(application)f(control)g(with)i (protected)0 3950 y(sharing.)104 4133 y(1.)41 b(T)-7 b(o)29 b(pre)n(v)o(ent)f(unauthorized)e(access,)32 b(e)n(v)o(ery)c (operation)g(on)h(disk)g(data)h(must)f(be)h(guarded.)54 b(F)o(or)29 b(speed,)j(XN)d(uses)h Fk(secur)m(e)208 4233 y(bindings)h Fp([25)n(])i(to)f(mo)o(v)o(e)f(access)i(checks)f(to)h (bind)e(time)i(rather)f(than)g(checking)e(at)j(e)n(v)o(ery)e(access.)67 b(F)o(or)32 b(e)o(xample,)i(the)208 4332 y(permission)23 b(to)h(read)f(a)i(cached)e(disk)h(block)f(is)i(check)o(ed)e(when)g(the) h(page)g(is)h(inserted)e(into)h(the)g(page)g(table)g(of)g(the)g(libFS') -5 b(s)208 4432 y(en)m(vironment,)16 b(rather)k(than)g(on)f(e)n(v)o (ery)g(access.)104 4598 y(2.)41 b(XN)28 b(must)g(be)g(able)g(to)g (determine)f(unambiguously)e(what)j(access)g(rights)g(a)h(principal)d (has)j(to)f(a)g(gi)n(v)o(en)f(disk)h(block.)52 b(F)o(or)208 4698 y(speed,)21 b(it)i(uses)g(the)f(UDF)h(mechanism)e(to)h(protect)f (disk)h(blocks)g(using)f(the)h(libFS')-5 b(s)23 b(o)n(wn)f(meta)g(data) g(rather)f(than)h(guarding)208 4797 y(each)d(block)h(indi)n(vidually)-5 b(.)104 4963 y(3.)41 b(XN)24 b(must)g(guarantee)f(that)h(disk)g (updates)f(are)h(ordered)f(such)g(that)i(a)f(crash)g(will)h(not)f (incorrectly)e(grant)h(a)i(libFS)g(access)f(to)208 5063 y(data)k(it)g(either)g(has)g(freed)f(or)h(has)h(not)e(allocated.)52 b(This)29 b(requirement)d(means)h(that)h(meta)h(data)e(that)i(is)g (persistent)f(across)208 5163 y(crashes)c(cannot)g(be)g(written)h(when) f(it)h(contains)f(pointers)g(to)h(uninitialized)e(meta)i(data,)g(and)f (that)h(reallocation)e(of)h(a)h(freed)208 5262 y(block)19 b(must)h(be)g(delayed)f(until)h(all)h(persistent)f(pointers)f(to)h(it)h 
(ha)n(v)o(e)f(been)f(remo)o(v)o(ed.)1908 5589 y(43)p eop %%Page: 44 45 44 44 bop 125 83 a Fp(While)13 b(isolation)g(allo)n(ws)g(separate)g (libFSes)g(to)g(coe)o(xist)g(safely)-5 b(,)10 b(protected)j(sharing)g (of)g(\002le)g(system)g(state)g(by)g(mutually)g(distru)o(stful)0 183 y(libFSes)21 b(requires)e(three)h(additional)f(features:)104 351 y(1.)41 b(Coherent)22 b(caching)g(of)h(disk)g(blocks.)38 b(Distrib)n(uted,)23 b(per)n(\255application)e(disk)i(block)f(caches)i (create)f(a)g(consistenc)o(y)f(problem:)208 450 y(if)k(tw)o(o)h (applications)f(obli)n(viously)e(cache)i(the)h(same)g(disk)f(block)g (in)g(tw)o(o)h(dif)n(ferent)e(physical)g(pages,)j(then)e (modi\002cations)208 550 y(will)d(not)f(be)g(shared.)35 b(XN)23 b(solv)o(es)f(this)h(problem)e(with)i(an)f(in\255k)o(ernel,)f (system\255wide,)h(protected)f(cache)h(re)o(gistry)f(that)i(maps)208 650 y(cached)c(disk)h(blocks)f(to)i(the)f(physical)f(pages)h(holding)e (them.)104 810 y(2.)41 b(Atomic)24 b(meta)h(data)g(updates.)42 b(Man)o(y)24 b(\002le)i(system)f(updates)f(ha)n(v)o(e)g(multiple)g (steps.)44 b(T)-7 b(o)25 b(ensure)f(that)h(shared)f(state)i(al)o(w)o (ays)208 909 y(ends)i(up)g(in)g(a)h(consistent)f(and)f(correct)h (state,)j(libFSes)e(can)f(lock)g(cache)g(re)o(gistry)f(entries.)53 b(\(Future)28 b(w)o(ork)f(will)i(e)o(xplore)208 1009 y(optimistic)19 b(concurrenc)o(y)e(control)i(based)h(on)g(v)o (ersioning.\))104 1169 y(3.)41 b(W)-7 b(ell\255formed)18 b(updates.)28 b(File)20 b(abstractions)f(abo)o(v)o(e)f(the)i(XN)g (interf)o(ace)f(may)g(require)f(that)i(meta)f(data)h(modi\002cations)e (satisfy)208 1269 y(in)m(v)n(ariants)f(\(e.g.,)i(that)g(link)g(counts)g (in)g(inodes)g(match)g(the)g(number)e(of)i(associated)g(directory)f (entries\).)28 b(UDFs)20 b(allo)n(w)g(XN)f(to)208 1369 y(guarantee)j(such)i(in)m(v)n(ariants)f(in)h(a)g (\002le\255system\255speci\002c)g(manner)m(,)f(allo)n(wing)g(mutually)g (distrustful)h(applications)e(to)j(safely)208 1468 y(share)19 b(meta)i(data.)125 1636 
y(XN)e(controls)f(only)g(what)h(is)g(necessary) g(to)g(enforce)e(these)i(protection)e(rules.)29 b(All)19 b(other)f(abilities\227I/O)h(initiation,)g(disk)g(block)0 1736 y(layout)g(and)h(allocation)f(policies,)h(reco)o(v)o(ery)e (semantics,)i(and)f(consistenc)o(y)g(guarantees\227are)f(left)j(to)f (untrusted)f(libFSes.)0 1946 y Fq(Order)n(ed)26 b(disk)f(writes)0 2093 y Fp(Another)f(dif)n(\002culty)h(XN)h(must)f(f)o(ace)h(is)g (guaranteeing)d(the)i(rules)h(Ganger)e(and)h(P)o(att)h([36)o(])g(gi)n (v)o(e)e(for)h(achie)n(ving)f(strict)i(\002le)g(system)0 2193 y(inte)o(grity)d(across)i(crashes:)38 b(First,)27 b(ne)n(v)o(er)c(reuse)h(an)h(on\255disk)e(resource)h(before)f (nullifying)g(all)i(pre)n(vious)e(pointers)h(to)h(it.)43 b(Second,)0 2293 y(ne)n(v)o(er)16 b(create)g(persistent)h(pointers)f (to)h(structures)f(before)f(the)o(y)i(are)f(initialized.)28 b(Third,)16 b(when)h(mo)o(ving)e(an)h(on\255disk)g(resource,)g(ne)n(v)o (er)0 2392 y(reset)21 b(the)f(old)g(pointer)f(in)h(persistent)g (storage)f(before)g(the)h(ne)n(w)g(one)g(has)g(been)g(set.)125 2492 y(The)d(\002rst)h(tw)o(o)f(rules)h(are)f(required)f(for)g(global)h (system)h(inte)o(grity\227and)d(thus)i(must)g(be)h(enforced)d(by)i (XN\227while)g(a)h(\002le)g(system)0 2591 y(violating)h(the)h(third)g (rule)g(will)h(only)e(af)n(fect)h(itself.)125 2691 y(The)27 b(rules)h(are)g(simple)g(b)n(ut)g(dif)n(\002cult)f(to)h(enforce)f(ef)n (\002ciently:)44 b(a)28 b(nai)n(v)o(e)f(implementation)f(will)j(incur)e (frequent)f(costly)i(syn\255)0 2791 y(chronous)16 b(disk)i(writes.)29 b(XN)19 b(allo)n(ws)f(libFSes)h(to)f(address)g(this)g(by)g(enforcing)e (the)i(rules)g(without)g(le)o(gislating)f(ho)n(w)h(to)g(follo)n(w)f (them.)0 2890 y(In)j(particular)m(,)e(libFSes)j(can)f(choose)f(an)o(y)h (operation)e(order)h(which)h(satis\002es)h(the)g(constraints.)125 2990 y(The)f(\002rst)j(rule)d(is)j(implemented)c(by)i(deferring)e(a)j (block')-5 b(s)20 b(deallocation)g(until)h(all)h(on\255disk)e(pointers) g(to)i(that)f(block)g(ha)n(v)o(e)f(been)0 
3090 y(deleted;)g(a)g (reference)f(count)g(performed)f(at)i(crash)g(reco)o(v)o(ery)e(time)i (helps)g(libFSes)h(implement)e(the)h(third)g(rule.)125 3189 y(The)28 b(second)f(rule)h(is)h(the)g(hardest)f(of)g(the)g(three.) 53 b(T)-7 b(o)29 b(implement)e(it,)k(XN)e(k)o(eeps)f(track)g(of)g Fk(tainted)f Fp(blocks.)54 b(An)o(y)27 b(block)h(is)0 3289 y(considered)23 b(tainted)i(if)g(it)h(points)f(either)g(to)g(an)g (uninitialized)f(block)g(or)h(to)g(a)h(tainted)e(block.)43 b(LibFSes)26 b(must)f(not)g(be)g(allo)n(wed)f(to)0 3388 y(write)c(a)h(tainted)f(block)f(to)h(disk.)29 b(Ho)n(we)n(v)o(er)m(,)18 b(tw)o(o)j(e)o(xceptions)e(allo)n(w)h(XN)g(to)h(enforce)d(the)j (general)e(rule)g(more)h(ef)n(\002ciently:)125 3488 y(First,)29 b(XN)f(allo)n(ws)g(entire)f(\002le)h(systems)g(to)f(be)g(mark)o(ed)g (\223temporary\224)d(\(i.e.,)29 b(not)e(persistent)g(across)h (reboots\).)49 b(Since)27 b(these)0 3588 y(\002le)i(systems)f(are)g (not)g(persistent,)i(the)o(y)d(are)h(not)g(required)e(to)j(adhere)d(to) j(an)o(y)e(of)h(the)g(inte)o(grity)f(rules.)53 b(This)28 b(technique)e(allo)n(ws)0 3687 y(memory\255based)17 b(\002le)k(systems) g(to)f(be)g(implemented)e(with)j(no)f(loss)h(of)e(ef)n(\002cienc)o(y)-5 b(.)125 3787 y(The)29 b(second)g(e)o(xception)f(is)j(based)f(on)g(the)g (observ)n(ation)e(that)i(unattached)e(subtrees\227trees)h(whose)h(root) f(is)i(not)f(reachable)0 3887 y(from)19 b(an)o(y)h(persistent)g (root\227will)g(not)g(be)g(preserv)o(ed)f(across)h(reboots)g(and)f (thus,)h(lik)o(e)h(temporary)d(trees,)j(are)f(free)g(of)g(an)o(y)g (ordering)0 3986 y(constraints.)28 b(Thus,)20 b(XN)h(does)f(not)f (track)h(tainted)g(blocks)f(in)i(an)f(unreachable)e(tree)i(until)g(it)h (is)g(connected)d(to)j(a)f(persistent)g(root.)0 4196 y Fq(The)26 b(b)n(uffer)h(cache)e(r)n(egistry)0 4344 y Fp(Finally)-5 b(,)23 b(we)g(discuss)g(the)g(XN)h(b)n(uf)n(fer)d (cache)i(re)o(gistry)-5 b(,)22 b(which)g(allo)n(ws)h(protected)f (sharing)g(of)g(disk)h(blocks)f(among)g(libFSes.)38 b(The)0 4443 y(re)o(gistry)28 
b(tracks)i(the)f(mapping)f(of)h(cached)f(disk)i (blocks)e(and)h(their)g(meta)h(data)f(to)h(physical)e(pages)h(\(and)g (vice)g(v)o(ersa\).)56 b(Unlik)o(e)0 4543 y(traditional)27 b(b)n(uf)n(fer)h(caches,)i(it)f(only)f(records)g(the)g(mapping,)h(not)f (the)h(disk)f(blocks)g(themselv)o(es.)54 b(Because)29 b(the)g(re)o(gistry)e(e)o(xists)0 4643 y(independently)19 b(of)i(libFSes,)i(it)f(allo)n(ws)h(cached)d(blocks)h(to)h(persist)h (across)e(process)h(in)m(v)n(ocations.)32 b(The)22 b(disk)f(blocks)g (are)h(stored)f(in)0 4742 y(application\255managed)g (physical\255memory)g(pages.)44 b(The)24 b(re)o(gistry)g(tracks)h(both) f(the)i(mapping)d(and)h(its)i(state)g(\(dirty)-5 b(,)25 b(out)g(of)f(core,)0 4842 y(uninitialized,)30 b(lock)o(ed\).)55 b(T)-7 b(o)29 b(allo)n(w)g(libFSes)h(to)f(see)h(which)e(disk)i(blocks)e (are)h(cached,)h(the)g(b)n(uf)n(fer)d(cache)i(re)o(gistry)f(is)i (mapped)0 4941 y(read\255only)18 b(into)i(application)f(space.)125 5041 y(Access)h(control)e(is)i(performed)d(when)i(a)h(libFS)g(attempts) g(to)f(map)g(a)h(physical)f(page)g(containing)e(a)j(disk)g(block)e (into)h(its)i(address)0 5141 y(space,)k(rather)e(than)g(when)g(that)h (block)f(is)i(requested)e(from)g(disk.)40 b(That)23 b(is,)j(re)o (gistry)d(entries)h(can)f(be)h(inserted)f(without)h(requiring)0 5240 y(that)d(the)f(object)g(the)o(y)g(describe)g(be)h(in)f(memory)-5 b(.)29 b(Blocks)20 b(can)h(also)g(be)f(installed)h(in)f(the)h(re)o (gistry)f(before)f(their)h(template)g(or)h(parent)0 5340 y(is)g(kno)n(wn.)28 b(As)21 b(a)f(result,)g(libFSes)h(ha)n(v)o(e)f (signi\002cant)g(freedom)e(to)i(prefetch.)1908 5589 y(44)p eop %%Page: 45 46 45 45 bop 125 83 a Fp(Re)o(gistry)20 b(entries)h(are)f(installed)h(in)g (tw)o(o)g(w)o(ays.)32 b(First,)21 b(an)g(application)e(that)i(has)g (write)g(access)g(to)g(a)h(block)d(can)i(directly)f(install)0 183 y(a)25 b(mapping)e(to)i(it)g(into)g(the)f(re)o(gistry)-5 b(.)42 b(Second,)24 b(applications)g(that)g(do)h(not)f(ha)n(v)o(e)g 
(write)h(access)g(to)g(a)g(block)f(can)h(indirectly)e(install)0 282 y(an)30 b(entry)e(for)h(it)i(by)e(performing)e(a)j(\223read)f(and)g (insert,)-6 b(\224)32 b(which)d(tells)i(the)e(k)o(ernel)g(to)h(read)f (a)h(disk)g(block,)g(associate)g(it)h(with)f(an)0 382 y(application\255pro)o(vided)22 b(physical)k(page,)i(set)f(the)g (protection)e(of)i(that)g(page)f(page)h(appropriately)-5 b(,)25 b(and)h(insert)h(this)h(mapping)d(into)0 482 y(the)e(re)o (gistry)-5 b(.)37 b(This)23 b(latter)g(mechanism)f(is)i(used)f(to)h (pre)n(v)o(ent)d(applications)h(that)h(do)g(not)g(ha)n(v)o(e)f (permission)g(to)i(write)f(a)g(block)g(from)0 581 y(modifying)18 b(it)j(by)e(installing)h(a)h(bogus)e(in\255core)g(cop)o(y)-5 b(.)125 681 y(XN)16 b(does)g(not)g(replace)f(physical)g(pages)h(from)f (the)i(re)o(gistry)e(\(e)o(xcept)g(for)g(those)h(freed)g(by)f (applications\),)g(allo)n(wing)h(applications)0 780 y(to)31 b(determine)e(the)i(most)g(appropriate)d(caching)i(polic)o(y)-5 b(.)59 b(Because)31 b(applications)e(also)i(manage)f(virtual)g(memory)f (paging,)j(the)0 880 y(partitioning)17 b(of)h(disk)h(cache)g(and)f (virtual)g(memory)f(backing)h(store)g(is)i(under)e(application)f (control.)28 b(T)-7 b(o)19 b(simplify)f(the)h(application')-5 b(s)0 980 y(task)20 b(and)f(because)g(it)i(is)f(ine)o(xpensi)n(v)o(e)d (to)j(pro)o(vide,)e(XN)i(maintains)f(an)h(LR)m(U)g(list)g(of)g(unused)e (b)n(ut)i(v)n(alid)f(b)n(uf)n(fers.)28 b(By)20 b(def)o(ault,)f(when)0 1079 y(LibOSes)h(need)g(pages)g(and)f(none)g(are)i(free,)e(the)o(y)h (rec)o(ycle)f(the)h(oldest)g(b)n(uf)n(fer)f(on)h(this)g(LR)m(U)h(list.) 
125 1179 y(XN)d(allo)n(ws)g(an)o(y)f(process)g(to)h(write)g(\223uno)n (wned\224)e(dirty)h(blocks)g(to)h(disk)g(\(i.e.,)f(blocks)h(not)f (associated)h(with)g(a)g(running)e(process\),)0 1279 y(e)n(v)o(en)k(if)h(that)g(process)g(does)f(not)h(ha)n(v)o(e)f(write)i (permission)d(for)i(the)g(dirty)f(blocks.)31 b(This)21 b(allo)n(ws)g(the)g(construction)e(of)i(daemons)e(that)0 1378 y(asynchronously)e(write)k(dirty)e(blocks.)29 b(LibFSes)21 b(do)f(not)g(ha)n(v)o(e)g(to)g(trust)h(daemons)e(with)h(write)h(access) g(to)f(their)g(\002les,)h(only)f(to)h(\003ush)0 1478 y(the)28 b(blocks.)50 b(This)28 b(ability)f(has)h(three)f(bene\002ts.) 51 b(First,)30 b(the)e(contents)e(of)i(the)f(re)o(gistry)g(can)g(be)h (safely)f(retained)f(across)i(process)0 1577 y(in)m(v)n(ocations)20 b(rather)g(than)h(ha)n(ving)g(to)g(be)h(brought)d(in)j(and)f(paged)f (out)h(on)g(creation)g(and)f(e)o(xit.)33 b(Second,)21 b(this)h(design)f(simpli\002es)h(the)0 1677 y(implementations)j(of)i (libFSes,)h(since)g(a)f(libFS)g(can)g(rely)f(on)h(a)g(daemon)e(of)i (its)h(choice)e(to)h(\003ush)g(dirty)f(blocks)g(e)n(v)o(en)g(in)h(dif)n (\002cult)0 1777 y(situations)21 b(\(e.g.,)g(if)h(the)f(application)f (containing)g(the)h(libFS)h(is)h(sw)o(apped)e(out\).)32 b(Third,)21 b(this)h(design)e(allo)n(ws)i(dif)n(ferent)e(write\255back) 0 1876 y(policies.)0 2123 y Fv(4.5)117 b(XN)28 b(usage)0 2309 y Fp(T)-7 b(o)21 b(illustrate)f(ho)n(w)g(XN)h(is)g(used,)f(we)h (sk)o(etch)f(ho)n(w)g(a)g(libFS)h(can)g(implement)e(common)f(\002le)j (system)g(operations.)28 b(These)20 b(tw)o(o)h(setup)0 2408 y(operations)e(are)h(used)g(to)g(install)h(a)f(libFS:)125 2508 y Fo(T)-6 b(ype)28 b(cr)o(eation.)50 b Fp(The)28 b(libFS)g(describes)g(its)g(types)g(by)g(storing)f(templates,)i (described)d(abo)o(v)o(e)h(in)h(Section)f(4.2,)i(into)e(a)i Fk(type)0 2608 y(catalo)o(gue)o(.)50 b Fp(Each)28 b(template)f(is)i (identi\002ed)e(by)g(a)i(unique)d(string)h(\(e.g.,)i(\223FFS)g (Inode\224\).)50 b(Once)28 b(installed,)h(types)f(are)g(persistent)0 2707 
y(across)20 b(reboots.)125 2807 y Fo(LibFS)k(persistence.)38 b Fp(T)-7 b(o)23 b(ensure)f(that)h(libFS)h(data)e(is)i(persistent)f (across)g(reboots,)g(a)g(libFS)h(can)e(re)o(gister)h(the)g(root)f(of)h (its)h(tree)0 2907 y(in)c(XN')-5 b(s)21 b Fk(r)l(oot)g(catalo)o(gue)o (.)27 b Fp(A)20 b(root)g(entry)f(consists)h(of)g(a)h(disk)f(e)o(xtent)f (and)h(corresponding)c(template)k(type,)f(identi\002ed)h(by)f(a)i (unique)0 3006 y(string)f(\(e.g.,)f(\223mylibFS\224\).)125 3106 y(After)d(a)g(crash,)h(XN)g(uses)f(these)h(roots)f(to)g (garbage\255collect)d(the)k(disk)f(by)g(reconstructing)e(the)i(free)g (map.)27 b(It)17 b(does)f(so)h(by)e(logically)0 3205 y(tra)n(v)o(ersing)21 b(all)h(roots)g(and)f(all)i(blocks)e(reachable)g (from)g(them:)33 b(it)23 b(marks)e(reachable)g(blocks)g(as)i (allocated,)e(non\255reachable)e(blocks)0 3305 y(as)i(free.)31 b(If)20 b(this)h(step)g(is)h(too)e(e)o(xpensi)n(v)o(e,)f(it)i(could)f (be)g(eliminated)g(by)g(ordering)f(writes)i(to)g(the)f(free)h(map)f (\(so)g(that)h(the)g(map)f(al)o(w)o(ays)0 3405 y(held)g(a)g(conserv)n (ati)n(v)o(e)e(picture)i(of)g(what)g(blocks)f(were)h(free\))g(or)g (using)f(a)i(log.)125 3504 y(During)d(reconstruction)g(XN)j(also)f (checks)g(for)f(errors)g(in)i(meta)f(data)g(reference)e(counts)i(by)f (counting)g(all)h(pointers)g(to)g(all)h(meta)0 3604 y(data)i (instances.)40 b(If)23 b(this)h(count)f(does)g(not)g(match)g(a)h(meta)g (data')-5 b(s)24 b(reference)d(count,)j(XN)g(records)e(this)i (violation)f(in)g(an)h(error)e(log.)0 3704 y(After)e(\002nding)g(all)h (errors,)f(it)h(then)f(runs)g(libFS\255supplied)g(patch)g(programs)e (to)j(\002x)g(these)g(and)f(an)o(y)g(libFS\255speci\002c)g(errors.)30 b(If)20 b(errors)0 3803 y(remain)26 b(after)h(this)g(process,)h(XN)f (marks)f(the)h(root)g(of)f(an)o(y)g(tree)h(that)g(contains)f(a)i(bogus) d(reference)h(count)f(as)j(\223tainted.)-6 b(\224)49 b(These)0 3903 y(errors)19 b(must)i(be)f(\002x)o(ed)f(before)g(the)h (tree)g(can)g(be)h(used.)29 b(W)-7 b(e)21 b(discuss)f(reconstruction)e 
(further)h(in)h(the)g(ne)o(xt)g(section.)125 4002 y(After)f (initialization,)h(the)g(ne)n(w)g(libFS)h(can)f(use)g(XN.)g(W)-7 b(e)22 b(describe)d(a)i(simpli\002ed)f(v)o(ersion)f(of)h(the)g(most)g (common)e(operations.)125 4102 y Fo(Startup.)29 b Fp(T)-7 b(o)20 b(start)h(using)f(XN,)g(a)h(libFS)g(loads)f(its)i(root\(s\))d (and)h(an)o(y)f(types)h(it)h(needs)f(from)g(the)g(root)f(catalogue)h (into)g(the)g(b)n(uf)n(fer)0 4202 y(cache)g(re)o(gistry)-5 b(.)27 b(Usually)20 b(both)g(will)h(already)e(be)h(cached.)125 4301 y Fo(Read.)28 b Fp(Reading)18 b(a)h(block)e(from)h(disk)g(is)h(a)g (tw)o(o\255stage)f(process,)g(where)g(the)g(stages)h(can)g(be)f (combined)e(or)j(separated.)27 b(First,)20 b(the)0 4401 y(libFS)h(creates)g(entries)g(in)g(the)g(re)o(gistry)e(by)i(passing)f (block)g(addresses)g(for)h(the)f(requested)g(disk)h(blocks)f(and)g(the) h(meta)g(data)f(blocks)0 4501 y(controlling)i(them)i(\(their)g Fk(par)m(ents)p Fp(\).)40 b(The)24 b(parents)g(must)g(already)f(e)o (xist)h(in)h(the)f(re)o(gistry\227libFSes)f(are)h(responsible)f(for)h (loading)0 4600 y(them.)35 b(XN)23 b(uses)g Fk(owns\255udf)f Fp(to)g(determine)f(if)i(the)f(requested)f(blocks)h(are)g(controlled)f (by)h(the)g(supplied)g(meta)g(data)g(blocks)g(and,)g(if)0 4700 y(so,)e(installs)h(re)o(gistry)e(entries.)125 4800 y(In)27 b(the)h(second)g(stage,)i(the)e(libFS)g(initiates)h(a)g(read)e (request,)i(optionally)e(supplying)f(pages)i(to)g(place)g(the)g(data)g (in.)53 b(Access)0 4899 y(control)20 b(through)g Fk(acl\255uf)g Fp(is)j(performed)c(at)j(the)f(parent)g(\(e.g.,)f(if)i(the)g(data)f (loaded)f(is)j(a)f(bare)f(disk)g(block\),)f(at)i(the)g(child)f(\(e.g.,) g(if)h(the)0 4999 y(data)e(is)h(an)f(inode\),)f(or)h(both.)125 5098 y(A)14 b(libFS)g(can)g(load)f(an)o(y)g(block)g(in)h(its)g(tree)g (by)f(tra)n(v)o(ersing)g(from)g(its)h(root)f(entry)-5 b(,)14 b(or)g(optionally)e(by)h(starting)g(from)g(an)o(y)g (intermediate)0 5198 y(node)19 b(cached)g(in)i(the)f(re)o(gistry)-5 b(.)28 b(Note)20 
b(that)g(XN)h(speci\002cally)f(disallo)n(ws)g(meta)g (data)g(blocks)g(from)f(being)g(mapped)g(read/write.)1908 5589 y(45)p eop %%Page: 46 47 46 46 bop 125 83 a Fp(T)-7 b(o)19 b(speculati)n(v)o(ely)e(read)i(a)g (block)f(before)g(its)i(parent)e(is)i(kno)n(wn,)d(a)j(libFS)f(can)g (issue)h(a)f(ra)o(w)g(read)f(command.)27 b(If)19 b(the)g(block)f(is)i (not)0 183 y(in)i(the)f(re)o(gistry)-5 b(,)20 b(it)i(will)g(be)g(mark)o (ed)e(as)i(\223unkno)n(wn)d(type\224)i(and)g(a)g(disk)h(request)f (initiated.)32 b(The)21 b(block)g(cannot)f(be)h(used)h(until)f(after)0 282 y(it)i(is)f(bound)e(to)i(a)g(parent)f(by)h(the)f(\002rst)i(stage)f (of)f(the)h(read)g(process,)f(which)g(will)i(determine)d(its)j(type)e (and)h(allo)n(w)f(access)i(control)d(to)0 382 y(be)g(performed.)125 482 y Fo(Allocate.)35 b Fp(A)24 b(libFS)f(selects)g(blocks)f(to)h (allocate)g(by)f(reading)f(XN')-5 b(s)24 b(map)e(of)h(free)f(blocks,)g (allo)n(wing)g(libFSes)i(to)e(control)g(\002le)0 581 y(layout)f(and)g(grouping.)31 b(Free)22 b(blocks)f(are)h(allocated)f (to)h(a)g(gi)n(v)o(en)f(meta)g(data)h(node)f(by)g(calling)g(XN)i(with)f (the)f(meta)h(data)g(node,)f(the)0 681 y(blocks)e(to)g(allocate,)g(and) g(the)g(proposed)f(modi\002cation)f(to)j(the)f(meta)h(data)f(node.)28 b(XN)20 b(checks)e(that)i(the)f(requested)f(blocks)h(are)g(free,)0 780 y(runs)d(the)h(appropriate)e Fk(acl\255uf)h Fp(to)h(see)g(if)g(the) g(libFS)g(has)g(permission)f(to)h(allocate,)g(and)f(runs)h Fk(owns\255udf)p Fp(,)f(as)i(described)d(in)i(Section)f(4.2,)0 880 y(to)26 b(see)h(that)f(the)g(correct)f(block)g(is)i(being)e (allocated.)46 b(If)25 b(these)i(checks)e(all)i(succeed,)f(the)g(meta)g (data)g(is)h(changed,)e(the)h(allocated)0 980 y(blocks)20 b(are)g(remo)o(v)o(ed)d(from)j(the)g(free)g(list,)h(and)e(an)o(y)h (allocated)f(meta)h(data)g(blocks)g(are)g(mark)o(ed)f(tainted)h(\(see)g (Section)g(4.4\).)125 1079 y Fo(Write.)33 b Fp(A)22 b(libFS)g(writes)g (dirty)f(blocks)g(to)h(disk)f(by)h(passing)f(the)g(blocks)g(to)h(write) 
g(to)g(XN.)f(If)h(the)f(blocks)g(are)h(not)f(in)h(memory)-5 b(,)0 1179 y(or)23 b(the)o(y)f(ha)n(v)o(e)g(been)g(pinned)f(in)i (memory)e(by)i(some)g(other)f(application,)f(the)i(write)g(is)h(pre)n (v)o(ented.)35 b(The)22 b(write)h(also)g(f)o(ails)h(if)f(an)o(y)f(of)0 1279 y(the)d(blocks)g(are)g(tainted)g(and)g(reachable)f(from)g(a)i (persistent)f(root.)28 b(Otherwise,)19 b(the)h(write)f(succeeds.)29 b(If)19 b(the)g(block)f(w)o(as)j(pre)n(viously)0 1378 y(tainted)f(and)g(no)n(w)g(is)i(not)e(\(either)g(by)g(eliminating)f (pointers)h(to)h(uninitialized)e(meta)i(data)f(or)g(by)h(becoming)d (initialized)i(itself\),)h(XN)0 1478 y(modi\002es)f(its)h(state)g(and)f (remo)o(v)o(es)e(it)j(from)e(the)h(tainted)g(list.)125 1577 y(Since)g(applications)f(control)h(what)g(is)i(fetched)d(and)h (what)g(is)i(paged)d(out)h(when)g(\(and)g(in)g(what)h(order\),)d(the)o (y)i(can)h(control)e(man)o(y)0 1677 y(disk)h(management)e(policies)i (and)g(can)g(enforce)e(strong)i(stability)g(guarantees.)125 1777 y Fo(Deallocate.)52 b Fp(XN)29 b(uses)g(UDFs)g(to)g(check)f (deallocate)f(operations)g(analogously)g(to)h(allocate)h(operations.)52 b(If)29 b(there)f(are)g(no)0 1876 y(on\255disk)d(pointers)g(to)h(a)g (deallocated)f(disk)h(block,)g(XN)g(places)g(it)h(on)f(the)g(free)f (list.)48 b(Otherwise,)27 b(XN)f(enqueues)f(the)h(block)f(on)g(a)0 1976 y(\223will)d(free\224)f(list)i(until)f(the)f(block')-5 b(s)22 b(reference)e(count)g(is)j(zero.)33 b(Reference)21 b(counts)g(are)g(decremented)f(when)h(a)h(parent)f(that)g(had)h(an)0 2076 y(on\255disk)d(pointer)g(to)h(the)g(block)g(deletes)g(that)g (pointer)f(via)h(a)h(write.)0 2323 y Fv(4.6)117 b(Crash)28 b(Reco)o(v)o(ery)f(Issues)0 2508 y Fp(This)c(section)g(discusses)h(tw)o (o)f(issues)i(of)d(reconstruction:)33 b(the)24 b(dif)n(\002culty)e(of)h (resolving)e(\002le)j(system)g(errors)e(due)g(to)i(XN')-5 b(s)24 b(lack)f(of)0 2608 y(understanding)15 b(of)i(libFS)i(semantics,) f(and)f(pro)o(viding)e(more)i(\003e)o(xible)g(mechanisms)g(for)g 
(guaranteeing)e(in)m(v)n(ariants)i(in)h(the)g(presence)0 2707 y(of)i(crashes.)125 2807 y(As)28 b(we)h(discussed)f(abo)o(v)o(e,)g (XN)g(marks)g(\002le)g(system)g(roots)g(that)g(contain)f(meta)h(data)g (with)g(erroneous)e(reference)g(counts)i(as)0 2907 y(\223tainted.)-6 b(\224)27 b(An)17 b(apparently)e(simpler)h(solution)g(w)o(ould)g(be)h (to)g(\002x)g(the)f(counts)g(directly)-5 b(.)27 b(There)16 b(are)h(tw)o(o)g(reasons)f(XN)h(does)g(not)f(do)g(so.)0 3006 y(First,)h(it)g(does)f(not)g(understand)e(libFS)i(meta)g(data)g (syntax.)27 b(While)17 b(it)f(could)f(use)i(libFS)f(\223helper\224)f (functions)g(to)h(\002x)g(reference)e(counts,)0 3106 y(it)21 b(cannot)e(rely)h(on)g(being)f(able)i(to)f(do)g(so,)g(since)h (the)o(y)e(could)h(contain)f(errors.)28 b(Second,)20 b(while)g(XN)h(could)e(perhaps)g(use)h(UDF\255style)0 3205 y(techniques)25 b(to)i(v)o(erify)e(helper)g(functions,)i(the)f (action)g(to)h(tak)o(e)g(in)f(the)h(f)o(ace)f(of)g(a)h(violation)f (depends)f(on)h(libFS)h(semantics.)48 b(F)o(or)0 3305 y(e)o(xample,)26 b(consider)f(the)i(case)g(of)f(a)g(erroneously)e(high) i(reference)e(count.)47 b(It)27 b(is)g(not)f(clear)g(ho)n(w)g(to)g (correct)g(this)h(count,)f(since)h(it)0 3405 y(could)22 b(ha)n(v)o(e)g(arisen)h(in)g(multiple)g(w)o(ays.)37 b(The)23 b(meta)g(data)g(could)f(ha)n(v)o(e)g(been)g(being)g(mo)o(v)o(ed)f(from) h(one)h(directory)e(to)i(another)f(by)g(a)0 3504 y(libFS)f(that)f (conserv)n(ati)n(v)o(ely)d(deletes)k(the)f(old)g(\223source\224)f(edge) g(only)h(after)f(the)i(ne)n(w)f(\223destination\224)e(edge)i(has)g (been)g(written)g(to)g(disk.)0 3604 y(\(In)k(which)g(case)i(the)e(old)h (edge)f(w)o(ould)g(ha)n(v)o(e)g(to)h(be)g(remo)o(v)o(ed.\))40 b(Or)25 b(an)g(edge)f(could)f(ha)n(v)o(e)i(been)f(remo)o(v)o(ed)e (before)h(the)i(reference)0 3704 y(count)d(w)o(as)h(persistently)f (decremented.)34 b(\(In)22 b(which)h(case)g(the)f(reference)f(count)h (should)g(be)g(decremented.\))34 b(XN)23 b(tak)o(es)g(the)g(vie)n(w)0 3803 
y(that)d(resolving)f(these)h(ambiguities)g(is)h(best)f(left)h(to)f (libFSes.)125 3903 y(Guaranteeing)c(that)j(\002le)h(system)f(in)m(v)n (ariants)f(hold)g(across)h(system)g(crashes)g(has)h(been)e(an)h(acti)n (v)o(e)f(area)h(of)g(\002le)g(system)h(research.)0 4002 y(Ho)n(we)n(v)o(er)m(,)25 b(other)g(than)h(control)f(o)o(v)o(er)f (write)i(orders,)g(XN)h(pro)o(vides)d(little)j(\003e)o(xibility)e(in)h (this)h(area.)46 b(W)-7 b(e)27 b(discuss)f(impro)o(v)o(ements)0 4102 y(belo)n(w)-5 b(.)33 b(A)23 b(simple)f(w)o(ay)g(to)g(impro)o(v)o (e)e(XN)i(w)o(ould)f(be)h(to)g(incorporate)e(the)i(notion)e(of)i (logging)e(into)i(it.)35 b(V)-5 b(iolations)22 b(and)f(\(possibly\))0 4202 y(libFS)d(annotations)d(could)h(be)h(written)g(into)f(a)i (\223write\255ahead\224)d(log)i(that)g(w)o(as)h(written)e(to)h(disk)g (before)f(persistent)h(state)h(w)o(as)f(updated.)0 4301 y(In)22 b(this)h(case,)h(an)o(y)e(on)g(disk)h(violations)e(can)i(be)f (remo)o(v)o(ed)e(by)j(simply)f(performing)e(the)i(log)h(actions.)36 b(T)-7 b(o)23 b(increase)f(\003e)o(xibility)-5 b(,)22 b(the)0 4401 y(format)d(of)h(log)g(records)f(could)g(be)h(controlled)f (by)g(a)i(UDF)-7 b(.)125 4501 y(This)21 b(approach)d(w)o(orks,)j(and)f (does)g(not)h(appear)f(too)g(hard)g(to)h(implement.)30 b(Unfortunately)-5 b(,)17 b(it)22 b(has)f(serious)g(problems.)29 b(First,)22 b(it)0 4600 y(requires)e(that)i(XN)g(pre\255empt)e(man)o(y) g(design)h(decisions)g(about)g(ho)n(w)f(to)i(implement)e(logging.)32 b(Second,)20 b(and)h(more)g(seriously)-5 b(,)20 b(it)j(is)0 4700 y(not)c(rob)n(ust:)28 b(it)20 b(requires)e(that)h(we)g(anticipate) g(logging)e(and)h(put)h(support)f(for)g(it)i(in)f(XN)h(rather)e(than)g (ha)n(ving)g(logging)g(\223f)o(all)h(out\224)f(of)h(a)0 4800 y(general)i(reco)o(v)o(ery)f(mechanism)h(in)h(XN.)g(The)g(main)g (game)f(of)h(e)o(xok)o(ernels)e(is)j(e)o(xtensibility)e(\227)i(that)f (all)h(uses)g(of)f(a)g(system)h(can)f(be)0 4899 y(implemented)c(using)i (its)h(interf)o(ace)f(\227)g(ha)n(ving)f(to)i(anticipate)e(a)i 
(particular)e(e)o(xtension)g(\(logging\))e(sho)n(ws)k(its)g(interf)o (ace)e(is)i(weak.)125 4999 y(F)o(ortunately)-5 b(,)23 b(it)j(appears)e(that)h(we)h(can)e(use)i(UDF)f(techniques)f(to)h(allo)n (w)g(libFSes)h(to)f(implement)f(reco)o(v)o(ery)e(in)k(a)f(completely)0 5098 y(general)c(w)o(ay)-5 b(.)35 b(Consider)21 b(what)h(XN)h(really)e (needs)h(for)g(v)n(alid)f(crash)h(reco)o(v)o(ery:)31 b(all)23 b(it)f(must)h(guarantee)d(is)j(that)f(if)h(a)f(libFS)h (violates)0 5198 y(an)i(in)m(v)n(ariant)e(that)i(XN)h(cares)f(about,)g (that)g(on)g(reboot)e(either)i(\(1\))f(the)i(violation)d(goes)i(a)o(w)o (ay)g(\(because)f(it)i(only)e(af)n(fected)g(v)n(olatile)0 5298 y(state\))18 b(or)f(\(2\))g(that)g(the)h(libFS)g(tells)g(XN)g (about)f(it.)29 b(A)18 b(log)f(is)h(one)f(w)o(ay)h(to)f(get)h(the)f (latter)h(guarantee,)e(there)h(are)g(others.)28 b(One)17 b(w)o(ay)h(is)g(to)1908 5589 y(46)p eop %%Page: 47 48 47 47 bop 0 83 a Fp(ha)n(v)o(e)17 b(the)h(libFS)g(signal)g(violations:) 28 b(rather)17 b(than)g(forcing)f(libFSes)j(to)f(write)f(blocks)h(out)f (in)h(certain)f(order)g(to)h(pre)n(v)o(ent)e(violations)h(or)0 183 y(using)j(a)h(log)g(to)g(track)f(them)h(persistently)-5 b(,)19 b(XN)i(has)g(libFSes)h(pro)o(vide)d(a)i(\223reboot)e(UDF\224)i (\()p Fl(r)o(eboot)p Fp(\))i(that,)e(when)f(gi)n(v)o(en)g(a)h(\002le)g (system)0 282 y(tree)d(w)o(alks)g(do)n(wn)e(the)i(tree)f(emitting)g(an) o(y)g(violations.)28 b(Ho)n(w)17 b(it)h(detects)g(violations)f(is)h (not)g(XN')-5 b(s)18 b(concern,)e(it)j(need)e(only)f(v)o(erify)g(that)0 382 y Fl(r)o(eboot)k Fp(will.)28 b(XN)18 b(performs)d(this)i(v)o (eri\002cation)e(as)j(follo)n(ws)e(by)h(\002rst)g(recording)e(all)i (violations)f(in)h(v)n(olatile)g(memory)e(and)h(then,)h(when)0 482 y(a)22 b(libFS)g(w)o(ants)g(to)g(do)f(a)h(write)f(that)h(w)o(ould)f (violate)g(some)g(in)m(v)n(ariant)f(\(e.g.,)h(a)h(stably)f(writing)g(a) h(pointer)e(to)i(an)g(uninitialized)e(piece)0 581 y(of)i(meta)h (data\),)f(XN)h(checks)f(that)g(the)h(associated)f(libFS')g(reboot)g 
(UDF)h(w)o(ould)e(inform)g(it)i(about)f(this)h(violation.)35 b(XN)22 b(does)h(so)f(in)0 681 y(a)f(w)o(ay)g(similar)g(to)g Fl(owns)h Fp(v)o(eri\002cation)e(by)g(\(conceptually\))e(running)g(the) j(reboot)f(UDF)h(on)g(the)f(pre\255write)g(stable)h(state,)g (performing)0 780 y(the)j(disk)g(write,)h(then)f(running)d(the)k (reboot)d(UDF)j(on)f(the)g(post\255write)f(stable)h(state.)42 b(The)23 b(ob)o(vious)g(problem)f(with)i(this)h(approach)0 880 y(is)g(ef)n(\002cienc)o(y)-5 b(.)37 b(It)24 b(is)h(ob)o(viously)c (not)i(practical)g(to)h(e)o(xamine)e(the)i(entire)f(disk)h(on)f(e)n(v)o (ery)f(disk)i(write.)39 b(F)o(ortunately)-5 b(,)22 b(it)j(appears)d (that)0 980 y(by)h(using)h(both)f(a)h(v)n(ariation)e(of)i(state)g (partitioning)e(\(based)h(on)h(continuation)d(passing)j([29)n(]\))g (and)f(checkable)f(hints)i(from)f(the)h(\002le)0 1079 y(system,)g(we)g(can)f(checkpoint)e(the)i(UDF)h(precisely)-5 b(,)23 b(to)g(the)h(point)e(that)i(v)o(eri\002cation)e(need)g(only)h(e) o(xamine)f(a)h(fe)n(w)g(bytes)h(in)f(one)g(or)0 1179 y(tw)o(o)d(cached)g(disk)g(blocks.)28 b(W)-7 b(e)22 b(are)e(currently)e (designing)h(this)i(scheme.)0 1424 y Fv(4.7)117 b(C\255FFS:)28 b(a)h(library)f(\002le)h(system)0 1610 y Fp(This)35 b(subsection)f (brie\003y)h(describes)f(C\255FFS)i(\(co\255locating)d(f)o(ast)j (\002le)f(system)h([37)n(]\)\227a)f(UNIX\255lik)o(e)f(library)g(\002le) i(system)f(we)0 1710 y(b)n(uilt\227with)20 b(special)g(reference)f(to)h (additional)f(protection)f(guarantees)h(it)i(pro)o(vides.)125 1809 y(XN)f(pro)o(vides)e(the)j(basic)f(protection)e(guarantees)h (needed)g(for)g(\002le)i(system)f(inte)o(grity)f(\227)i(that)f(both)f (meta)h(data)g(block)g(pointers)0 1909 y(and)g(reference)e(counts)i (are)g(correct,)f(and)h(that)h(block)e(pointers)g(are)h(correctly)f (typed.)29 b(But)21 b(real\255w)o(orld)e(\002le)i(systems)f(often)g (require)0 2009 y(other)m(,)d(\002le\255system\255speci\002c)h(in)m(v)n (ariants.)27 b(F)o(or)17 b(instance,)h(UNIX)g(\002le)h(systems)g(must)f 
(ensure)f(the)i(uniqueness)d(of)i(\002le)h(names)f(within)0 2108 y(a)g(directory)-5 b(.)26 b(This)18 b(type)f(of)h(guarantee)e(can) h(be)h(pro)o(vided)d(in)j(an)o(y)f(number)f(of)h(w)o(ays:)29 b(in)18 b(the)f(k)o(ernel,)h(in)f(a)i(serv)o(er)m(,)d(or)m(,)i(in)g (some)f(cases,)0 2208 y(by)25 b(simple)g(defensi)n(v)o(e)e (programming.)40 b(C\255FFS)27 b(currently)c(do)n(wnloads)g(methods)h (into)h(the)g(k)o(ernel)f(to)i(check)e(its)i(in)m(v)n(ariants.)42 b(W)-7 b(e)0 2307 y(are)22 b(currently)e(de)n(v)o(eloping)g(a)i(system) h(similar)f(to)g(UDFs)h(that)g(can)e(be)i(used)e(to)i(enforce)d (type\255speci\002c)h(in)m(v)n(ariants)g(in)h(an)g(ef)n(\002cient,)0 2407 y(e)o(xtensible)d(w)o(ay)-5 b(.)125 2507 y(Our)32 b(e)o(xperience)e(with)i(C\255FFS)i(sho)n(ws)e(that,)j(e)n(v)o(en)d (with)g(the)h(strongest)e(desired)h(guarantees,)i(a)e(protected)f (interf)o(ace)h(can)0 2606 y(still)25 b(pro)o(vide)d(signi\002cant)h (\003e)o(xibility)h(to)g(unpri)n(vile)o(ged)c(softw)o(are,)25 b(and)e(that)h(the)g(e)o(xok)o(ernel)e(approach)f(can)j(deal)g(as)g (readily)f(with)0 2706 y(high\255le)n(v)o(el)18 b(protection)g (requirements)h(as)i(it)g(can)f(with)g(those)g(closer)g(to)g(hardw)o (are.)125 2806 y(C\255FFS)h(mak)o(es)f(four)f(main)h(additions)f(to)h (XN')-5 b(s)21 b(protection)e(mechanisms:)104 2965 y(1.)41 b(Access)22 b(control:)32 b(it)22 b(maps)g(the)g(UNIX)g(representation) d(and)j(semantics)f(of)h(access)g(control)f(\(uids)g(and)h(gids,)g (etc.\))34 b(to)22 b(those)208 3065 y(of)d(e)o(xok)o(ernel)g (capabilities.)104 3228 y(2.)41 b(W)-7 b(ell\255formed)27 b(updates:)45 b(C\255FFS)29 b(guarantees)e(UNIX\255speci\002c)h(\002le) h(semantics:)45 b(for)28 b(e)o(xample,)h(that)f(directories)g(contain) 208 3327 y(le)o(gal,)19 b(aligned)g(\002le)i(names.)104 3490 y(3.)41 b(Atomicity:)26 b(C\255FFS)18 b(performs)c(locking)h(to)i (ensure)e(that)i(its)g(data)f(is)h(al)o(w)o(ays)g(reco)o(v)o(erable)d (and)h(disk)i(writes)f(only)g(occur)f(when)208 3590 y(meta)20 
b(data)g(is)h(internally)e(consistent.)104 3753 y(4.)41 b(Implicit)18 b(updates:)27 b(C\255FFS)20 b(ensures)e(that)h(certain)f (state)h(transitions)f(are)g(implicit)h(on)f(certain)g(actions.)28 b(Some)18 b(e)o(xamples)g(are)208 3852 y(that)j(modi\002cation)e(times) i(are)g(updated)f(when)g(\002le)i(data)f(are)g(changed,)e(and)h(that)h (renaming)e(or)i(deleting)f(a)i(\002le)f(updates)g(the)208 3952 y(name)e(cache.)125 4112 y(It)13 b(is)g(not)g(dif)n(\002cult)g(to) g(implement)g(UNIX)g(pr)o(otec)o(tion)g(w)o(ithou)o(t)g(signi\002ca)o (ntly)g(d)o(e)o(g)o(rad)o(ing)f(app)o(lication)g(po)m(wer)-6 b(.)22 b(C\255FFS)13 b(protection)0 4211 y(is)25 b(implemented)d (mainly)i(by)f(a)i(small)f(number)f(of)g(if\255statements)h(rather)f (than)h(by)f(procedures)f(that)i(limit)h(\003e)o(xibility)-5 b(.)40 b(The)24 b(most)0 4311 y(intricate)j(operation\227ensuring)c (that)k(\002les)i(in)e(a)h(directory)d(ha)n(v)o(e)i(unique)e (names\227is)j(less)g(than)f(100)f(lines)h(of)g(code)g(that)g(scans)0 4411 y(through)18 b(a)j(link)o(ed)e(list)i(of)f(cached)g(directory)e (blocks)i(to)g(ensure)f(name)h(uniqueness.)0 4656 y Fv(4.8)117 b(Discussion)0 4842 y Fp(Similar)30 b(to)g(ho)n(w)f(XN)i(uses)f(UDFs)h (to)f(interpret)f(libFS)i(meta)e(data,)j(libFSes)f(can)f(use)g(UDFs)h (to)f(tra)n(v)o(erse)f(other)g(\002le)i(system')-5 b(s)0 4941 y(meta,)21 b(e)n(v)o(en)f(when)h(the)o(y)f(do)h(not)g(understand)e (its)j(syntax.)31 b(\(Of)21 b(course,)f(modi\002cation)g(of)h(this)g (meta)g(data)g(typically)g(requires)f(such)0 5041 y(understanding.\)) 125 5141 y(UDFs)25 b(add)g(a)g(ne)o(gligible)e(cost)i(to)g(XN.)g(As)h (the)f(ne)o(xt)f(section)g(discusses,)j(we)e(ha)n(v)o(e)f(run)g(\002le) i(system)f(benchmarks)d(with)j(and)0 5240 y(without)d(XN)h(enabled)e (and)h(its)i(o)o(v)o(erhead)c(\(and,)i(thus,)h(the)g(o)o(v)o(erhead)c (of)k(UDFs\))g(is)g(lost)h(in)e(e)o(xperimental)f(noise.)36 b(There)22 b(are)g(tw)o(o)0 5340 y(reasons)k(for)g(this.)50 b(First,)29 b(protection)c(tends)i(to)g(be)f(of)n(f)g(of)h(the)g 
(critical)g(path.)48 b(Second,)27 b(XN)h(operations)d(tend)h(to)h(be)g (embedded)1908 5589 y(47)p eop %%Page: 48 49 48 48 bop 0 83 a Fp(in)24 b(hea)n(vy\255weight)d(disk)j(operations.)38 b(F)o(or)23 b(e)o(xample,)g(most)g(block)g(operations)f(on)h(cached)g (blocks)g(can)g(simply)h(interact)f(with)h(the)0 183 y(b)n(uf)n(fer)f(cache)h(re)o(gistry)-5 b(,)23 b(rather)g(than)h(using) g(to)g(UDFs.)42 b(Ev)o(en)23 b(if)i(neither)e(of)h(these)g(tw)o(o)h (conditions)d(held,)j(UDFs)g(w)o(ould)e(not)h(add)0 282 y(signi\002cant)f(o)o(v)o(erhead:)34 b(most)24 b(UDFs)g(tend)f(to)h(be) g(f)o(airly)f(simple,)h(and)f(if)h(the)o(y)f(were)h(directly)f(e)o(x)o (ecuted)f(rather)g(than)i(interpreted,)0 382 y(cost)d(a)f(fe)n(w)g (tens)h(of)f(instructions.)125 482 y(XN)f(allo)n(ws)g(\223nestable\224) f(e)o(xtension)f(of)i(\002le)g(systems.)30 b(Because)19 b(XN)g(v)o(eri\002es)f(the)h(correctness)f(of)g(reference)g(counts,)g (pointers,)0 581 y(and)23 b(meta)g(data)g(interpreters,)g(it)h(allo)n (ws)g(untrusted)e(implementors)f(to)j(e)o(xtend)e(an)h(e)o(xisting)g (\002le)h(system)g(without)e(compromising)0 681 y(its)j(inte)o(grity)-5 b(.)38 b(Thus,)24 b(it)g(is)h(possible)e(to)h(add)f(an)h(entirely)e(ne) n(w)i(directory)e(type)h(to)h(a)g(\002le)g(system)g(and)f(ha)n(v)o(e)g (it)i(point)e(to)h(old)f(types,)0 780 y(perform)h(access)j(control)e (on)g(them,)i(etc.)48 b(without)25 b(the)h(e)o(xisting)g (implementation)d(open)j(to)g(malice.)47 b(W)-7 b(e)27 b(do)f(not)f(kno)n(w)h(of)f(an)o(y)0 880 y(other)19 b(w)o(ay)i(to)f (achie)n(v)o(e)f(this)i(same)f(result.)125 980 y(Stable)i(storage)f(is) i(the)f(most)g(challenging)e(resource)h(we)h(ha)n(v)o(e)f(multiple)o(x) o(ed.)33 b(Future)21 b(w)o(ork)g(will)i(focus)e(on)h(tw)o(o)g(areas.)35 b(First,)0 1079 y(we)18 b(plan)f(to)g(implement)f(a)i(range)e(of)h (\002le)h(systems)g(\(log\255structured)c(\002le)k(systems,)g(RAID,)g (and)f(memory\255based)d(\002le)k(systems\),)g(thus)0 1179 y(testing)g(if)h(the)g(XN)f(interf)o(ace)g(is)h(po)n(werful)e 
(enough)f(to)j(support)e(concurrent)f(use)i(by)g(radically)g(dif)n (ferent)f(\002le)i(systems.)29 b(Second)17 b(we)0 1279 y(will)i(in)m(v)o(estigate)d(using)i(lightweight)f(protected)g(methods) g(lik)o(e)h(UDFs)h(to)f(implement)f(the)i(simple)f(protection)e(checks) i(required)e(by)0 1378 y(higher)n(\255le)n(v)o(el)i(abstractions.)1908 5589 y(48)p eop %%Page: 49 50 49 49 bop 0 706 a Fj(Chapter)42 b(5)0 1121 y Fn(P)l(erf)-5 b(ormance)52 b(of)g(exok)n(er)m(nel)g(systems)208 1553 y Fp(The)18 b(fundamental)e(principle)h(of)h(science,)g(the)h (de\002nition)e(almost,)h(is)i(this:)29 b(the)18 b(sole)h(test)g(of)f (the)h(v)n(alidity)e(of)i(an)o(y)e(idea)208 1652 y(is)k(e)o(xperiment.) 27 b(\226)20 b(Richard)g(P)-9 b(.)20 b(Fe)o(ynman)208 1785 y(No)n(w)-5 b(,)27 b(here,)h(you)e(see,)j(it)f(tak)o(es)f(all)g (the)g(running)e(you)h(can)h(do,)h(to)f(k)o(eep)f(in)h(the)g(same)g (place.)49 b(If)27 b(you)f(w)o(ant)h(to)g(get)208 1885 y(some)n(where)21 b(else,)k(you)d(must)i(run)e(at)i(least)g(twice)g(as) g(f)o(ast)g(as)g(that!)38 b(Charles)24 b(Lutwidge)e(Dodgson)f(\(Le)n (wis)j(Carroll\))208 1984 y(\(1832\2551898\))15 b(\223Through)j(the)i (Looking)e(Glass\224)125 2167 y(This)i(chapter)f(focuses)h(on)g(four)f (questions:)104 2333 y(1.)41 b(Do)17 b(common,)f(unaltered)g (applications)g(bene\002t)h(from)f(an)i(e)o(xok)o(ernel?)26 b(T)-7 b(o)18 b(answer)f(this)h(question)e(we)i(present)e(performance) 208 2433 y(results)21 b(of)f(Unix)h(applications)f(on)g(Xok)g(that)h (ha)n(v)o(e)g(been)f(link)o(ed)g(against)g(an)h(optimized)f(libFS.)h (Applications)e(on)i(Xok)f(run)208 2532 y(comparably)d(or)j (signi\002cantly)f(f)o(aster)i(compared)d(to)i(both)g(FreeBSD)g(and)g (OpenBSD.)104 2698 y(2.)41 b(Is)35 b(e)o(xok)o(ernel)e(\003e)o (xibility)h(costly?)74 b(T)-7 b(o)35 b(partially)f(answer)h(this)g(we)h (present)e(performance)e(numbers)h(of)i(the)g(pre)n(vious)208 2798 y(e)o(xperiment)22 b(running)g(on)i(top)g(of)g(a)g (re\255implementation)d(of)j(the)h(libFS,)f(the)h(C\255FFS)g(\002le)g 
(system,)g(within)f(OpenBSD.)g(The)208 2897 y(e)o(xok)o(ernel)18 b(and)h(OpenBSD)h(perform)e(roughly)g(comparably)-5 b(.)104 3064 y(3.)41 b(Are)20 b(aggressi)n(v)o(e)f(applications)g (signi\002cantly)g(times)i(f)o(aster?)30 b(Among)19 b(other)g(e)o (xperiments,)g(we)h(compare)f(the)h(performance)208 3163 y(of)f(an)i(optimized)d(webserv)o(er)m(,)h(which)g(is)i(eight)f(times)h (f)o(aster)f(than)g(on)g(traditional)f(systems.)104 3329 y(4.)41 b(Does)21 b(local)h(control)e(lead)i(to)f(bad)h(global)e (performance?)31 b(An)21 b(e)o(xok)o(ernel)f(gi)n(v)o(es)h (applications)f(signi\002cantly)h(more)g(control)208 3429 y(than)e(traditional)g(operating)g(systems)h(do.)29 b(Can)21 b(it)g(reconcile)e(strong)g(local)h(control)f(with)h(good)f (global)g(performance?)208 3562 y(T)-7 b(o)21 b(answer)f(this)i (question)d(we)j(measure)e(aggressi)n(v)o(e)f(w)o(orkloads)h(on)g(Xok)h (and)f(FreeBSD:)i(\(1\))e(gi)n(v)o(en)g(the)g(same)i(w)o(orkload,)208 3661 y(an)27 b(e)o(xok)o(ernel)f(performs)g(comparably)f(to)j(widely)g (used)f(monolithic)g(systems,)j(and)d(\(2\))g(when)g(local)h (optimizations)f(are)208 3761 y(performed,)17 b(that)j(whole)g(system)g (performance)d(impro)o(v)o(es,)h(sometimes)i(signi\002cantly)-5 b(.)125 3927 y(W)e(e)21 b(describe)e(our)h(e)o(xperimental)e(en)m (vironment)f(belo)n(w)-5 b(.)28 b(The)20 b(remainder)e(of)i(the)g (chapter)f(addresses)h(each)g(question)f(in)i(turn.)0 4174 y Fv(5.1)117 b(Xok)28 b(Experimental)f(En)-5 b(vir)n(onment)0 4359 y Fp(W)e(e)27 b(compare)e(Xok/ExOS)g(to)i(both)e(FreeBSD)i(2.2.2)e (and)h(OpenBSD)g(2.1)f(on)h(the)g(same)h(hardw)o(are.)46 b(Xok)26 b(uses)g(de)n(vice)g(dri)n(v)o(ers)0 4459 y(that)d(are)f(deri) n(v)o(ed)f(from)g(those)h(of)g(OpenBSD.)g(ExOS)h(also)f(shares)h(a)g (lar)o(ge)e(source)h(code)g(base)g(with)h(OpenBSD,)f(including)f(most)0 4559 y(applications)c(and)h(most)g(of)g(libc.)29 b(Compared)16 b(to)j(OpenBSD)f(and)g(FreeBSD,)g(ExOS)g(has)h(not)f(had)g(much)f(time) h(to)h(mature;)f(we)g(b)n(uilt)0 4658 
y(the)i(system)h(in)f(less)h (than)f(tw)o(o)g(years)g(and)g(mo)o(v)o(ed)e(to)j(the)f(x86)f(platform) g(only)g(a)i(year)e(ago.)125 4758 y(All)g(e)o(xperiments)e(are)i (performed)d(on)i(200\255MHz)f(Intel)i(Pentium)f(Pro)g(processors)g (with)h(a)g(256\255KByte)e(on\255chip)g(L2)i(cache)f(and)0 4858 y(64\255MByte)23 b(of)g(main)g(memory)-5 b(.)38 b(The)24 b(disk)f(system)h(consists)h(of)e(an)h(NCR)h(815)e(SCSI)h (controller)e(connecting)g(a)i(f)o(ast)h(SCSI)f(chain)0 4957 y(with)d(one)f(or)g(more)g(Quantum)f(Atlas)j(XP32150)d(disk)h(dri) n(v)o(es)g(on)g(the)h(PCI)g(b)n(us)g(\(vs440fx)e(PCI)i(chip)f(set\).)31 b(Reported)20 b(times)h(are)g(the)0 5057 y(minimum)e(time)h(of)g(ten)g (trials)h(\(the)f(standard)f(de)n(viations)g(of)h(the)g(total)g(run)g (times)g(are)h(less)g(than)f(three)f(percent\).)125 5156 y(As)g(discussed)f(in)h(Chapter)f(3,)h(some)f(ExOS)h(data)f(structures) g(do)g(not)g(ha)n(v)o(e)g(full)h(protection.)27 b(T)-7 b(o)18 b(compensate)g(for)g(this)h(lack,)f(we)0 5256 y(ha)n(v)o(e)h(arti\002cially)h(inserted)g(three)f(e)o(xtra)g(system)h (calls)h(before)e(e)n(v)o(ery)f(write)i(to)h(shared)e(tables.)29 b(This)20 b(gi)n(v)o(es)g(a)g(pessimal)g(feel)g(for)g(the)1908 5589 y(49)p eop %%Page: 50 51 50 50 bop 1025 86 1851 4 v 1023 165 4 79 v 1075 142 a Fc(Benchmark)p 1530 165 V 177 w(Description)19 b(\(application\))p 2873 165 V 1025 169 1851 4 v 1023 247 4 79 v 1075 224 a Fg(Cop)o(y)f(small)f(\002le)p 1530 247 V 103 w(cop)o(y)h(the)g (compressed)g(archi)n(v)o(ed)i(source)d(tree)i(\(cp\))p 2873 247 V 1025 251 1851 4 v 1023 330 4 79 v 1075 306 a(Uncompress)p 1530 330 V 176 w(uncompress)f(the)g(archi)n(v)o(e)h (\(gunzip\))p 2873 330 V 1025 333 1851 4 v 1023 412 4 79 v 1075 388 a(Cop)o(y)f(lar)o(ge)g(\002le)p 1530 412 V 115 w(cop)o(y)g(the)g(uncompressed)g(archi)n(v)o(e)i(\(cp\))p 2873 412 V 1025 415 1851 4 v 1023 494 4 79 v 1075 470 a(Unpack)e(\002le)p 1530 494 V 200 w(unpack)g(archi)n(v)o(e)i(\(pax\))p 2873 494 V 1025 497 1851 4 v 1023 576 4 79 v 1075 553 
a(Cop)o(y)e(lar)o(ge)g(tree)p 1530 576 V 101 w(recursi)n(v)o(ely)i(cop) o(y)e(the)g(created)h(directories)h(\(cp\).)p 2873 576 V 1025 579 1851 4 v 1023 658 4 79 v 1075 635 a(Dif)n(f)d(lar)o(ge)h (tree)p 1530 658 V 136 w(compute)g(the)g(dif)n(ference)i(between)f(the) f(trees)g(\(dif)n(f\))p 2873 658 V 1025 662 1851 4 v 1023 741 4 79 v 1075 717 a(Compile)p 1530 741 V 280 w(compile)h(source) e(code)h(\(gcc\))p 2873 741 V 1025 744 1851 4 v 1023 823 4 79 v 1075 799 a(Delete)h(\002les)p 1530 823 V 207 w(delete)g(binary)f(\002les)g(\(rm\))p 2873 823 V 1025 826 1851 4 v 1023 905 4 79 v 1075 881 a(P)o(ack)f(tree)p 1530 905 V 265 w(archi)n(v)o(e)i(the)f(tree)g(\(pax\))p 2873 905 V 1025 908 1851 4 v 1023 987 4 79 v 1075 963 a(Compress)p 1530 987 V 242 w(compress)f(the)h(archi)n(v)o(e)i(tree)e (\(gzip\))p 2873 987 V 1025 990 1851 4 v 1023 1069 4 79 v 1075 1046 a(Delete)p 1530 1069 V 336 w(delete)h(the)f(created)h (source)f(tree)g(\(rm\))p 2873 1069 V 1025 1073 1851 4 v 0 1222 a Fp(T)-7 b(able)29 b(5.1:)46 b(The)29 b(I/O\255intensi)n(v) o(e)f(w)o(orkload)f(installs)j(a)f(lar)o(ge)f(application)g(\(the)g (lcc)i(compiler\).)54 b(The)29 b(size)g(of)g(the)g(compressed)0 1322 y(archi)n(v)o(e)19 b(\002le)i(for)e(lcc)i(is)g(1.1)e(MByte.)1069 2694 y @beginspecial -42 @llx -38 @lly 577 @urx 365 @ury 2160 @rwi @setspecial %%BeginDocument: exos-cffs.ps %!PS-Adobe-2.0 EPSF-1.2 %%Page: 1 1 %%BoundingBox: -42 -38 577 365 %%EndComments 1 setlinecap 1 setlinejoin 0.700 setlinewidth 0.00 setgray /Jrnd { exch cvi exch cvi dup 3 1 roll idiv mul } def /JDEdict 8 dict def JDEdict /mtrx matrix put /JDE { JDEdict begin /yrad exch def /xrad exch def /savematrix mtrx currentmatrix def xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /JSTR { gsave 1 eq { gsave 1 setgray fill grestore } if exch neg exch neg translate clip rotate 4 dict begin pathbbox /&top exch def /&right exch def /&bottom exch def &right sub /&width exch def newpath currentlinewidth mul round dup &bottom exch Jrnd exch 
&top 4 -1 roll currentlinewidth mul setlinewidth { &right exch moveto &width 0 rlineto stroke } for end grestore newpath } bind def gsave /Times-Roman findfont 9.000000 scalefont setfont 0.000000 0.000000 translate 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 576.000000 0.000000 lineto stroke /Helvetica-Bold findfont 18.000000 scalefont setfont gsave 26.181816 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (cp) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 78.545448 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (gunzip) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 130.909088 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (cp) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 183.272720 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (pax) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 235.636353 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (cp) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (diff) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 340.363617 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (gcc) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 392.727264 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (rm) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 445.090881 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (pax) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 497.454529 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (gzip) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 549.818176 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (rm) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -26.799999 translate 0.000000 rotate 0 -10.800000 translate (Unmodified UNIX Programs) dup stringwidth pop 2 div neg 0 moveto show 
grestore grestore 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 0.000000 360.000000 lineto stroke newpath 0.000000 0.000000 moveto -5.000000 0.000000 lineto stroke newpath 0.000000 24.000000 moveto -2.000000 24.000000 lineto stroke newpath 0.000000 48.000000 moveto -2.000000 48.000000 lineto stroke newpath 0.000000 72.000000 moveto -2.000000 72.000000 lineto stroke newpath 0.000000 96.000000 moveto -2.000000 96.000000 lineto stroke newpath 0.000000 120.000000 moveto -5.000000 120.000000 lineto stroke newpath 0.000000 144.000000 moveto -2.000000 144.000000 lineto stroke newpath 0.000000 168.000000 moveto -2.000000 168.000000 lineto stroke newpath 0.000000 192.000000 moveto -2.000000 192.000000 lineto stroke newpath 0.000000 216.000000 moveto -2.000000 216.000000 lineto stroke newpath 0.000000 240.000000 moveto -5.000000 240.000000 lineto stroke newpath 0.000000 264.000000 moveto -2.000000 264.000000 lineto stroke newpath 0.000000 288.000000 moveto -2.000000 288.000000 lineto stroke newpath 0.000000 312.000000 moveto -2.000000 312.000000 lineto stroke newpath 0.000000 336.000000 moveto -2.000000 336.000000 lineto stroke newpath 0.000000 360.000000 moveto -5.000000 360.000000 lineto stroke /Helvetica-Bold findfont 15.000000 scalefont setfont gsave -8.000000 0.000000 translate 0.000000 rotate 0 -4.500000 translate (0) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 120.000000 translate 0.000000 rotate 0 -4.500000 translate (5) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 240.000000 translate 0.000000 rotate 0 -4.500000 translate (10) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 360.000000 translate 0.000000 rotate 0 -4.500000 translate (15) dup stringwidth pop neg 0 moveto show grestore /Helvetica-Bold findfont 18.000000 scalefont setfont gsave -30.400000 180.000000 translate 90.000000 rotate 0 0.000000 translate (Runtime \(seconds\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore gsave 
gsave gsave 10.472727 1.920000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -1.920000 lineto 5.236363 -1.920000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 62.836361 24.480000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -24.480000 lineto 5.236363 -24.480000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 115.199997 15.840000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -15.840000 lineto 5.236363 -15.840000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 167.563629 39.840000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -39.840000 lineto 5.236363 -39.840000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 219.927261 48.480000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -48.480000 lineto 5.236363 -48.480000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 272.290894 12.480000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -12.480000 lineto 5.236363 -12.480000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 324.654541 336.000000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -336.000000 lineto 5.236363 -336.000000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 377.018158 5.760000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -5.760000 lineto 5.236363 -5.760000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 429.381805 16.559999 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -16.559999 lineto 5.236363 
-16.559999 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 481.745422 110.399994 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -110.399994 lineto 5.236363 -110.399994 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 534.109070 125.759995 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -125.759995 lineto 5.236363 -125.759995 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore gsave gsave 314.181793 345.599976 translate 0.000000 rotate /Times-Roman findfont 16.000000 scalefont setfont gsave 0.000000 0.000000 translate 0.000000 rotate 0 -4.800000 translate (23.0) dup stringwidth pop 2 div neg 0 moveto show grestore grestore grestore gsave gsave 20.945454 10.320000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -10.320000 lineto 5.236363 -10.320000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 73.309090 20.880001 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -20.880001 lineto 5.236363 -20.880001 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 125.672722 15.840000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -15.840000 lineto 5.236363 -15.840000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 178.036362 120.959999 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -120.959999 lineto 5.236363 -120.959999 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 230.399994 86.399994 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -86.399994 lineto 5.236363 -86.399994 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 282.763611 31.199999 
translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -31.199999 lineto 5.236363 -31.199999 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 335.127258 336.000000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -336.000000 lineto 5.236363 -336.000000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 387.490906 7.440000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -7.440000 lineto 5.236363 -7.440000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 439.854523 26.400002 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -26.400002 lineto 5.236363 -26.400002 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 492.218170 129.839996 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -129.839996 lineto 5.236363 -129.839996 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 544.581787 124.080002 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -124.080002 lineto 5.236363 -124.080002 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore grestore gsave gsave 329.890900 360.000000 translate 0.000000 rotate /Times-Roman findfont 16.000000 scalefont setfont gsave 0.000000 0.000000 translate 0.000000 rotate 0 -4.800000 translate (23.1) dup stringwidth pop 2 div neg 0 moveto show grestore grestore grestore gsave gsave 31.418180 10.559999 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -10.559999 lineto 5.236363 -10.559999 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 83.781815 18.960001 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -18.960001 
lineto 5.236363 -18.960001 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 136.145447 4.560000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -4.560000 lineto 5.236363 -4.560000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 188.509079 217.919998 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -217.919998 lineto 5.236363 -217.919998 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 240.872711 167.040009 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -167.040009 lineto 5.236363 -167.040009 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 293.236359 30.240000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -30.240000 lineto 5.236363 -30.240000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 345.599976 336.000000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -336.000000 lineto 5.236363 -336.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 397.963623 12.000000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -12.000000 lineto 5.236363 -12.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 450.327240 23.039999 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -23.039999 lineto 5.236363 -23.039999 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 502.690887 131.040009 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -131.040009 lineto 5.236363 -131.040009 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 555.054504 228.240005 translate 0.000000 rotate 
newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -228.240005 lineto 5.236363 -228.240005 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave gsave 345.599976 345.599976 translate 0.000000 rotate /Times-Roman findfont 16.000000 scalefont setfont gsave 0.000000 0.000000 translate 0.000000 rotate 0 -4.800000 translate (23.2) dup stringwidth pop 2 div neg 0 moveto show grestore grestore grestore gsave gsave 41.890907 1.440000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -1.440000 lineto 5.236363 -1.440000 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 94.254539 22.320000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -22.320000 lineto 5.236363 -22.320000 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 146.618179 14.160000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -14.160000 lineto 5.236363 -14.160000 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 198.981812 181.200012 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -181.200012 lineto 5.236363 -181.200012 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 251.345444 208.799988 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -208.799988 lineto 5.236363 -208.799988 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 303.709076 25.920002 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -25.920002 lineto 5.236363 -25.920002 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 356.072723 336.000000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -336.000000 lineto 5.236363 -336.000000 
lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 408.436340 16.799999 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -16.799999 lineto 5.236363 -16.799999 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 460.799988 8.400000 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -8.400000 lineto 5.236363 -8.400000 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 513.163635 130.799988 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -130.799988 lineto 5.236363 -130.799988 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore gsave 565.527222 287.519989 translate 0.000000 rotate newpath 5.236363 0.000000 moveto -5.236363 0.000000 lineto -5.236363 -287.519989 lineto 5.236363 -287.519989 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore grestore gsave gsave 361.309082 360.000000 translate 0.000000 rotate /Times-Roman findfont 16.000000 scalefont setfont gsave 0.000000 0.000000 translate 0.000000 rotate 0 -4.800000 translate (21.6) dup stringwidth pop 2 div neg 0 moveto show grestore grestore grestore grestore gsave 20.945454 360.000000 translate 0.000000 rotate gsave gsave 0.000000 -5.100000 translate 0.000000 rotate newpath -5.236363 -2.000000 moveto 5.236363 -2.000000 lineto 5.236363 2.000000 lineto -5.236363 2.000000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore /Helvetica-Bold findfont 17.000000 scalefont setfont gsave 9.236363 0.000000 translate 0.000000 rotate 0 -10.200000 translate (Xok/ExOS) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -25.500000 translate 0.000000 rotate newpath -5.236363 -2.000000 moveto 5.236363 -2.000000 lineto 5.236363 2.000000 lineto -5.236363 2.000000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore grestore gsave 
9.236363 -20.400000 translate 0.000000 rotate 0 -10.200000 translate (OpenBSD/C-FFS) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -45.900002 translate 0.000000 rotate newpath -5.236363 -2.000000 moveto 5.236363 -2.000000 lineto 5.236363 2.000000 lineto -5.236363 2.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave 9.236363 -40.799999 translate 0.000000 rotate 0 -10.200000 translate (OpenBSD) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -66.300003 translate 0.000000 rotate newpath -5.236363 -2.000000 moveto 5.236363 -2.000000 lineto 5.236363 2.000000 lineto -5.236363 2.000000 lineto closepath gsave 0.750000 setgray fill grestore stroke grestore grestore gsave 9.236363 -61.200001 translate 0.000000 rotate 0 -10.200000 translate (FreeBSD) dup stringwidth pop pop 0 0 moveto show grestore grestore 0.000000 0.000000 translate grestore %%EndDocument @endspecial 0 2810 a(Figure)e(5\2551:)27 b(Performance)15 b(of)i(unmodi\002ed)e(UNIX)j(applications.)27 b(Xok/ExOS)16 b(and)h(OpenBSD/C\255FFS)h(use)f(a)h(C\255FFS)g(\002le)g(system)0 2910 y(while)i(Free/OpenBSD)g(use)g(their)g(nati)n(v)o(e)g(FFS)h (\002le)g(systems.)29 b(T)m(imes)21 b(are)f(in)g(seconds.)0 3177 y(cost)i(of)e(protection.)31 b(All)22 b(measurements)e(reported)f (in)i(this)h(thesis)g(include)e(these)i(e)o(xtra)e(calls.)33 b(In)21 b(practice,)f(protection)g(is)i(of)n(f)f(the)0 3276 y(critical)f(path,)g(and)f(these)i(o)o(v)o(erheads)d(are)i(lost)g (in)h(e)o(xperimental)d(noise.)125 3376 y(It)29 b(is)h(important)d(to)i (note)g(that)g(a)g(suf)n(\002ciently)f(moti)n(v)n(ated)g(k)o(ernel)g (programmer)e(can)i(implement)g(an)o(y)g(optimization)g(that)h(is)0 3476 y(implemented)21 b(in)i(an)f(e)o(xtensible)g(system.)37 b(In)22 b(f)o(act,)h(a)h(member)d(of)h(our)g(research)g(group,)f(Costa) j(Sapuntzakis,)e(has)g(implemented)0 3575 y(a)36 b(v)o(ersion)e(of)i (C\255FFS)h(within)e(OpenBSD.)g(Extensible)g(systems)h(\(and)f(we)h 
(belie)n(v)o(e)f(e)o(xok)o(ernels)e(in)j(particular\))e(mak)o(e)h (these)0 3675 y(optimizations)16 b(signi\002cantly)h(easier)h(to)g (implement)f(than)g(centralized)g(systems)h(do.)28 b(F)o(or)17 b(e)o(xample,)g(porting)f(C\255FFS)j(to)f(OpenBSD)0 3775 y(took)13 b(more)g(ef)n(fort)g(than)g(designing)g(C\255FFS)i(and)e (implementing)f(it)j(as)f(a)h(library)d(\002le)j(system.)27 b(The)14 b(e)o(xperiments)e(belo)n(w)h(demonstrate)0 3874 y(that)21 b(by)g(using)g(unpri)n(vile)o(ged)e(application\255le)n (v)o(el)f(resource)i(management,)g(an)o(y)g(skilled)h(programmer)e(can) i(implement)f(useful)h(OS)0 3974 y(optimizations.)28 b(The)20 b(e)o(xtra)f(layer)h(of)g(protection)e(required)h(to)h(mak)o (e)g(this)g(application\255le)n(v)o(el)e(management)g(safe)i(costs)h (little.)0 4221 y Fv(5.2)117 b(P)n(erf)m(ormance)26 b(of)j(common,)f (unalter)n(ed)f(applications)0 4406 y Fp(If)18 b(an)g(e)o(xok)o(ernel)e (only)i(impro)o(v)o(es)e(the)i(performance)e(of)i(strange,)f(niche)h (applications)f(or)m(,)h(requires)f(that)i(applications)e(be)h (modi\002ed)0 4506 y(to)i(bene\002t,)g(then)g(its)h(usefulness)e(is)j (se)n(v)o(erely)d(diminished.)125 4606 y(Our)h(e)o(xperiments)g(sho)n (w)h(that)g(an)g(e)o(xok)o(ernel)e(matters,)i(e)n(v)o(en)f(for)h (common)e(applications.)31 b(W)-7 b(e)22 b(measure)e(the)i(performance) c(of)0 4705 y(an)h(I/O\255intensi)n(v)o(e)f(softw)o(are)h(de)n(v)o (elopment)e(w)o(orkload)h(made)g(up)h(of)h(the)f(mainstream)f (applications)h(listed)h(in)f(T)-7 b(able)20 b(5.1)e(\(most)i(are)0 4805 y(found)i(in)h(\223/usr/bin\224)g(on)f(a)i(Unix)f(system\).)39 b(As)24 b(Figure)f(5\2551)f(sho)n(ws,)i(by)f(linking)f(against)h(an)g (optimized)f(library)h(\002le)h(system)f(\(C\255)0 4904 y(FFS\),)d(some)f(unaltered)e(UNIX)i(applications)f(run)h (signi\002cantly)f(f)o(aster)h(on)g(top)g(of)g(Xok/ExOS)f(than)h (identical)f(v)o(ersions)g(e)o(x)o(ecuted)0 5004 y(on)29 b(traditional)f(systems.)56 b(Xok/ExOS)28 b(completes)g(all)i 
(benchmarks)d(in)i(41)g(seconds,)h(19)f(seconds)g(f)o(aster)g(than)f (FreeBSD)i(and)0 5104 y(OpenBSD.)20 b(On)h(eight)f(of)g(the)g(ele)n(v)o (en)g(benchmarks)e(Xok/ExOS)h(performs)g(better)h(than)g(Free/OpenBSD)g (\(in)g(one)g(case)h(by)f(o)o(v)o(er)f(a)0 5203 y(f)o(actor)h(of)f (four\).)28 b(ExOS')-5 b(s)21 b(performance)c(impro)o(v)o(ements)g(are) j(due)g(to)g(its)i(C\255FFS)f(\002le)g(system.)125 5303 y(In)f(general,)f(normal)h(applications)f(bene\002t)h(from)g(an)h(e)o (xok)o(ernel)d(by)i(being)g(link)o(ed)g(against)g(an)g(optimized)g (libOS.)g(Thus,)h(e)n(v)o(en)1908 5589 y(50)p eop %%Page: 51 52 51 51 bop 0 83 a Fp(without)17 b(modi\002cations,)f(the)o(y)h(still)i (pro\002t)e(from)f(an)i(e)o(xok)o(ernel.)26 b(While)18 b(an)g(e)o(xok)o(ernel)d(allo)n(ws)j(e)o(xperimentation)c(with)k (completely)0 183 y(dif)n(ferent)d(OS)i(interf)o(aces,)f(a)h(more)f (important)f(result)i(may)f(be)g(impro)o(ving)e(the)i(rate)h(of)f(inno) o(v)n(ation)e(of)i(implementations)f(of)h(e)o(xistent)0 282 y(interf)o(aces.)125 382 y(W)-7 b(e)25 b(also)g(ran)f(the)h (Modi\002ed)e(Andre)n(w)h(Benchmark)f(\(MAB\))h([69)o(].)42 b(On)25 b(this)g(benchmark,)e(Xok/ExOS)g(tak)o(es)i(11.5)e(seconds,)0 482 y(OpenBSD/C\255FFS)c(tak)o(es)h(12.5)e(seconds,)g(OpenBSD)h(tak)o (es)g(14.2)f(seconds,)h(and)f(FreeBSD)i(tak)o(es)f(11.5)f(seconds.)28 b(The)19 b(dif)n(ference)0 581 y(in)14 b(performance)g(on)g(MAB)g(is)g (less)g(prof)o(ou)o(nd)f(than)g(o)o(n)h(th)o(e)g(I/O\255)o(inten)o(si)n (v)o(e)f(ben)o(chm)o(ark)o(,)c(because)14 b(MAB)g(stresses)g(fork,)e (an)i(e)o(xpensi)n(v)o(e)0 681 y(function)19 b(in)i(Xok/ExOS.)f(ExOS') -5 b(s)21 b(fork)f(performance)e(suf)n(fers)j(because)f(Xok)h(does)f (not)h(yet)g(allo)n(w)g(en)m(vironments)d(to)k(share)e(page)0 780 y(tables.)29 b(F)o(ork)20 b(tak)o(es)g(six)h(milliseconds)e(on)h (ExOS,)g(compared)e(to)j(less)g(than)f(one)f(millisecond)g(on)h (OpenBSD.)0 1027 y Fv(5.3)117 b(The)27 b(cost)i(of)g(exok)o(er)n(nel)e (\003exibility)0 1213 y 
Fp(An)h(e)o(xok)o(ernel)d(pro)o(vides)h(e)o (xtreme)g(\003e)o(xibility)-5 b(.)50 b(Rightfully)-5 b(,)27 b(an)o(y)g(systems)h(b)n(uilder)f(w)o(ould)f(e)o(xpect)h(that)g (this)i(\003e)o(xibility)d(w)o(ould)0 1313 y(ha)n(v)o(e)16 b(a)i(performance)c(cost.)28 b(This)17 b(section)g(looks)f(at)i(tw)o(o) f(possible)g(costs:)28 b(\(1\))17 b(the)g(opportunity)d(cost)j(of)f(OS) i(abstractions)e(at)i(library)0 1412 y(le)n(v)o(el,)i(and)f(\(2\))h (the)g(brute)f(cost)i(of)f(protection,)0 1625 y Fq(5.3.1)99 b(The)26 b(cost)f(of)g(OS)f(abstractions)i(in)f(libraries)0 1772 y Fp(Gi)n(v)o(en)20 b(the)h(same)g(application)e(code)h(and)h (same)g(OS)g(code)f(\(placed)g(in)h(a)g(libOS)h(on)e(an)h(e)o(xok)o (ernel,)e(in)i(the)f(k)o(ernel)g(on)h(a)g(monolithic)0 1872 y(system\),)h(does)h(a)f(traditional)f(system)i(w)o(ould)f(pro)o (vide)e(superior)h(performance?)33 b(Or)m(,)22 b(phrased)f(another)g(w) o(ay)-5 b(,)22 b(if)h(an)f(optimization)0 1972 y(is)k(done)d(on)h(an)h (e)o(xok)o(ernel)d(and)i(gi)n(v)o(es)h(a)g(f)o(actor)f(of)g(four)m(,)g (w)o(ould)g(the)g(same)h(optimization)e(done)h(on)g(a)h(traditional)e (OS)j(gi)n(v)o(e)e(e)n(v)o(en)0 2071 y(more?)125 2171 y(T)-7 b(o)25 b(partially)g(answer)g(this)h(question)f(we)g(measure)g (the)h(performance)c(of)j(an)h(OpenBSD\255based)e(implementation)f(of)i (C\255FFS)0 2270 y(\(done)19 b(by)h(Costa)g(Sapuntzakis\))f(on)h(the)g (w)o(orkload)f(in)h(the)g(pre)n(vious)f(e)o(xperiment.)125 2370 y(Figure)h(5\2551)h(sho)n(ws)h(the)f(performance)e(of)i(these)h (applications)e(o)o(v)o(er)h(Xok/ExOS)f(and)h(OpenBSD/C\255FFS.)h(The)f (total)h(running)0 2470 y(time)27 b(for)g(Xok/ExOS)f(is)i(41)f(seconds) f(and)h(for)f(OpenBSD/C\255FFS)i(is)g(51)f(seconds.)49 b(Since)27 b(ExOS)g(and)g(OpenBSD/C\255FFS)g(use)0 2569 y(the)f(same)h(type)e(of)h(\002le)h(system,)h(one)e(w)o(ould)f(e)o (xpect)g(that)i(ExOS)f(and)g(OpenBSD)g(perform)e(equally)h(well.)48 b(As)27 b(can)f(be)g(seen)g(in)0 2669 y(Figure)g(5\2551,)h(Xok/ExOS)e (performance)e(is)28 
b(indeed)d(comparable)f(to)j(OpenBSD/C\255FFS)g (on)f(eight)g(of)g(the)g(11)g(applications.)47 b(On)0 2769 y(three)22 b(applications)g(\(pax,)g(cp,)g(dif)n(f\),)g(Xok/ExOS)g (runs)g(considerably)e(f)o(aster)j(\(though)e(we)i(do)f(not)g(yet)h(ha) n(v)o(e)f(a)h(good)e(e)o(xplanation)0 2868 y(for)f(this\).)125 2968 y(From)d(these)h(measurements)e(we)j(conclude)d(that,)i(e)n(v)o (en)f(though)f(ExOS)i(implements)f(the)h(b)n(ulk)f(of)h(the)g (operating)e(system)i(at)h(the)0 3067 y(application)g(le)n(v)o(el,)g (common)f(softw)o(are)i(de)n(v)o(elopment)d(operations)i(on)g(Xok/ExOS) g(perform)g(comparably)e(to)j(OpenBSD/C\255FFS.)0 3167 y(The)o(y)14 b(demonstrate)f(that\227at)i(least)g(for)f(this)i(common)d (domain)g(of)i(applications\227an)e(e)o(xok)o(ernel')-5 b(s)13 b(\003e)o(xibility)h(can)g(be)h(pro)o(vided)d(for)0 3267 y(free:)29 b(e)n(v)o(en)19 b(without)g(aggressi)n(v)o(e)f (optimizations)g(ExOS')-5 b(s)20 b(performance)d(is)k(comparable)c(to)j (that)g(of)f(mature)g(monolithic)f(systems.)0 3366 y(The)g(cost)h(of)f (lo)n(w\255le)n(v)o(el)g(multiple)o(xing)e(is)j(ne)o(gligible:)27 b(an)19 b(optimization)e(done)g(on)h(an)h(e)o(xok)o(ernel)d(can)i(gi)n (v)o(e)g(the)h(same)f(performance)0 3466 y(impro)o(v)o(ement)f(as)k (done)e(on)h(a)g(traditional)g(system.)0 3679 y Fq(5.3.2)99 b(The)26 b(cost)f(of)g(pr)n(otection)0 3826 y Fp(While)k(the)f(abo)o(v) o(e)e(e)o(xperiment)g(by)i(no)f(means)h(\223pro)o(v)o(es\224)e(that)i (the)g(e)o(xok)o(ernel)e(structure)h(will)i(ne)n(v)o(er)e(penalize)g (applications,)i(it)0 3926 y(agrees)e(with)h(our)f(e)o(xperiences)f (that)i(e)o(xok)o(ernel)e(\003e)o(xibility)h(does)g(not)h(impose)f(o)o (v)o(erheads.)49 b(The)28 b(main)f(reason)g(for)g(this)i(is)f(that)0 4025 y(protection)18 b(tends)i(to)h(be)f(of)n(f)g(the)g(critical)g (path.)29 b(F)o(or)20 b(e)o(xample,)e(when)i(the)g(benchmarks)e(in)j (in)f(Figure)g(5\2551)f(are)h(run)g(without)f(XN)i(or)0 4125 y(an)o(y)i(of)h(the)g(e)o(xtra)f(system)h(calls,)i(the)e 
(performance)d(dif)n(ference)h(is)j(\223noise\224:)36 b(39.7)23 b(seconds)h(to)g(41.1)f(seconds,)h(despite)g(reducing)0 4225 y(the)g(o)o(v)o(erall)f(number)g(of)h(Xok)g(system)g(calls)h(from) f(300,000)d(to)k(81,000.)39 b(Real)25 b(w)o(orkloads)e(are)h(dominated) f(by)h(costs)h(other)e(than)0 4324 y(protection)18 b(and)i(system)g (call)h(o)o(v)o(erhead.)125 4424 y(Some)g(secondary)-5 b(,)20 b(more)i(speci\002c)g(reasons)g(for)f(the)h(lack)g(of)g(impact)g (of)g(an)g(e)o(xtra)f(protection)f(layer)i(are)g(that:)34 b(in)22 b(man)o(y)f(cases)0 4523 y(e)o(xok)o(ernel)29 b(protection)g(is)j(not)f(a)h(duplication,)f(since)h(it)g(allo)n(ws)f (library)f(operating)f(systems)j(to)f(remo)o(v)o(e)e(their)i (corresponding)0 4623 y(checks.)c(Furthermore,)14 b(the)j(cost)f(of)g (checking)e(protection)g(\(usually)i(a)g(table)g(lookup)e(to)j(map)e (principals)g(to)h(access)h(rights\))f(tends)f(to)0 4723 y(be)20 b(dw)o(arfed)e(by)h(the)h(cost)g(of)g(the)f(operations)f(it)j (is)g(coupled)d(to.)29 b(F)o(or)19 b(e)o(xample,)f(system)i(calls)h (are)e(roughly)f(an)i(order)e(of)h(magnitude)0 4822 y(more)h(e)o (xpensi)n(v)o(e)e(while)i(I/O)h(operations)e(such)h(as)h(disk)g(or)f (netw)o(ork)f(accesses)i(can)f(be)h(o)o(v)o(er)e(a)i(1000)e(times)i (more)e(costly)-5 b(.)30 b(In)20 b(those)0 4922 y(rare)j(cases)h(where) f(protection)f(checks)h(are)g(more)g(elaborate,)g(the)o(y)f(tend)h(to)h (be)f(naturally)g(cachable.)38 b(In)23 b(the)g(case)h(of)f(\002le)h (blocks,)0 5022 y(for)c(instance,)f(access)i(rights)f(can)g(be)g (stored)g(in)g(the)g(b)n(uf)n(fer)f(cache)h(along)f(with)h(the)h(block) e(the)o(y)g(correspond)f(too.)125 5121 y(While)26 b(an)f(e)o(xok)o (ernel)f(can)h(impose)g(e)o(xtra)g(protection)f(checks,)i(it)g(also)g (mak)o(es)f(some)h(operations)e(cheaper:)39 b(using)25 b(a)h(library)0 5221 y(operating)17 b(system)i(means)g(that)g(man)o(y)e (operations)h(that)h(formerly)d(required)i(system)h(calls)g(no)n(w)g (can)f(be)h(performed)d(with)j(function)1908 5589 y(51)p eop %%Page: 52 53 52 
52 bop 0 83 a Fp(calls.)60 b(Thus,)32 b(for)d(some)h(uses)h(an)f(e)o (xok)o(ernel)e(is)j(intrinsically)f(f)o(aster)g(than)g(a)g(more)g (traditional)f(system.)3250 53 y Fi(1)3343 83 y Fp(F)o(or)h(e)o (xample,)h(an)0 183 y(OpenBSD)21 b(emulator)f(written)h(on)g(our)f (most)i(recent)e(e)o(xok)o(ernel,)f(Xok,)i(sometimes)g(runs)g(OpenBSD)g (application)f(binaries)g(f)o(aster)0 282 y(than)e(their)g (non\255emulated)d(performance)g(on)j(OpenBSD)g(for)g(the)g(simple)g (reason)g(that)g(that)h(man)o(y)e(system)h(calls)h(\(e.g.,)f(to)g(read) g(data)0 382 y(structures\))h(become)g(function)g(calls)i(into)e(the)i (emulator')-5 b(s)19 b(libOS.)0 629 y Fv(5.4)117 b(Aggr)n(essi)o(v)o(e) 28 b(application)h(perf)m(ormance)0 814 y Fp(In)d(part,)g(the)g(e)o (xok)o(ernel)e(architecture)g(w)o(as)j(moti)n(v)n(ated)d(by)i(the)g (ability)f(to)h(perform)e(application\255speci\002c)g(or)m(,)i(more)f (commonly)-5 b(,)0 914 y(domain\255speci\002c)23 b(optimizations.)1054 884 y Fi(2)1132 914 y Fp(T)-7 b(w)o(o)25 b(natural)g(questions,)g (then,)g(are)g(\002rst,)i(does)e(an)g(e)o(xok)o(ernel)e(gi)n(v)o(e)h (suf)n(\002cient)g(po)n(wer)g(that)0 1014 y(interesting)g (optimizations)f(can)h(be)h(done?)41 b(Second,)25 b(do)f (domain\255speci\002c)f(optimizations)g(yield)h(signi\002cant)g(impro)o (v)o(ements)e(or)0 1113 y(do)e(the)o(y)f(only)h(gi)n(v)o(e)f (\223noise\224)h(le)n(v)o(el)g(impro)o(v)o(ements?)125 1213 y(Experiments)j(sho)n(w)i(that)g(an)g(e)o(xok)o(ernel)e(enables)h (domain\255speci\002c)f(optimizations)h(that)h(gi)n(v)o(e)f(order)n (\255of\255magnitude)c(perfor)n(\255)0 1313 y(mance)28 b(impro)o(v)o(ements)d([48)o(].)54 b(Our)28 b(speci\002c)h(results)g (come)e(from)h(an)g(interf)o(ace)g(designed)f(for)h(f)o(ast)h(I/O,)f (which)g(impro)o(v)o(es)f(the)0 1412 y(performance)17 b(of)j(applications)f(such)h(as)h(web)f(serv)o(ers.)0 1625 y Fq(5.4.1)99 b(XCP:)25 b(a)f(\223zer)n(o\255touch\224)j(\002le)e (copying)g(pr)n(ogram)0 1772 y Fg(XCP)18 b Fp(is)g(an)f(ef)n(\002cient) 
f(\002le)i(cop)o(y)e(program.)26 b(It)17 b(e)o(xploits)f(the)h(lo)n (w\255le)n(v)o(el)f(disk)h(interf)o(ace)f(by)h(remo)o(ving)d (arti\002cial)k(ordering)d(constraints,)0 1872 y(by)22 b(impro)o(ving)e(disk)j(scheduling)e(through)g(lar)o(ge)h(schedules,)g (by)h(eliminating)e(data)i(touching)e(by)h(the)h(CPU,)h(and)e(by)g (performing)0 1972 y(all)f(disk)f(operations)f(asynchronously)-5 b(.)125 2071 y(Gi)n(v)o(en)26 b(a)h(list)h(of)e(\002les,)k Fg(XCP)d Fp(w)o(orks)g(as)g(follo)n(ws.)49 b(First,)29 b(it)f(enumerates)d(and)h(sorts)i(the)f(disk)f(blocks)h(of)f(all)i (\002les)f(and)g(issues)0 2171 y(lar)o(ge,)19 b(asynchronous)e(disk)j (reads)g(using)g(this)h(schedule.)28 b(\(If)19 b(multiple)h(instances)g (of)g Fg(XCP)h Fp(run)e(concurrently)-5 b(,)17 b(the)j(disk)g(dri)n(v)o (er)f(will)0 2270 y(mer)o(ge)26 b(the)i(schedules.\))50 b(Second,)28 b(it)g(creates)g(ne)n(w)f(\002les)i(of)e(the)g(correct)g (size,)j(o)o(v)o(erlapping)24 b(inode)j(and)f(disk)i(block)f (allocation)0 2370 y(with)g(the)f(disk)h(reads.)48 b(Finally)-5 b(,)27 b(as)h(the)e(disk)h(reads)f(complete,)h(it)g(constructs)f(lar)o (ge)f(writes)i(to)g(the)g(ne)n(w)f(disk)h(blocks)f(using)g(the)0 2470 y(b)n(uf)n(fer)18 b(cache)h(entries.)29 b(This)19 b(strate)o(gy)g(eliminates)g(all)h(copies;)g(the)f(\002le)h(is)h(DMAed) e(into)g(and)g(out)g(of)g(the)g(b)n(uf)n(fer)f(cache)h(by)g(the)h(disk) 0 2569 y(controller)n(\227the)e(CPU)k(ne)n(v)o(er)c(touches)i(the)g (data.)125 2669 y Fg(XCP)h Fp(is)g(a)g(f)o(actor)f(of)h(three)f(f)o (aster)g(than)g(the)h(cop)o(y)f(program)e(\()p Fg(CP)p Fp(\))j(on)f(Xok/ExOS)f(that)i(uses)g(UNIX)g(interf)o(aces,)f (irrespecti)n(v)o(e)f(of)0 2769 y(whether)h(all)i(\002les)g(are)f(in)g (core)g(\(because)f Fg(XCP)i Fp(does)f(not)f(touch)g(the)i(data\))e(or) h(on)g(disk)g(\(because)f Fg(XCP)i Fp(issues)g(disk)f(schedules)f(with) 0 2868 y(a)h(minimum)d(number)h(of)h(seeks)g(and)g(the)g(lar)o(gest)g (contiguous)e(ranges)h(of)h(disk)g(blocks\).)125 2968 
y(The)k(f)o(act)h(that)g(the)f(\002le)i(system)f(is)g(an)g(application) e(library)h(allo)n(ws)h(us)g(both)f(to)h(ha)n(v)o(e)f(inte)o(gration)f (when)h(appropriate)e(and)i(to)0 3067 y(craft)e(ne)n(w)h(abstractions)f (as)h(needed.)35 b(This)23 b(latter)g(ability)f(is)i(especially)e (pro\002table)f(for)h(the)h(disk)g(both)e(because)h(of)h(the)f(high)g (cost)0 3167 y(of)e(disk)g(operations)f(and)h(because)g(of)g(the)g (demonstrated)f(reluctance)g(of)h(operating)f(systems)h(v)o(endors)f (to)i(pro)o(vide)d(useful,)i(simple)0 3267 y(impro)o(v)o(ements)d(to)j (their)f(interf)o(aces)g(\(e.g.,)g(prefetching,)e(asynchronous)f(reads) k(and)f(writes,)h(\002ne\255grained)d(disk)j(restructuring)d(and)0 3366 y(\223sync\224)j(operations\).)0 3579 y Fq(5.4.2)99 b(The)26 b(Cheetah)g(HTTP/1.0)e(Ser)o(v)o(er)0 3726 y Fp(The)33 b(e)o(xok)o(ernel)d(architecture)i(is)i(well)f(suited)g(to)g (b)n(uilding)f(f)o(ast)h(serv)o(ers)g(\(e.g.,)i(for)d(NFS)i(serv)o(ers) e(or)h(web)g(serv)o(ers\).)67 b(Serv)o(er)0 3826 y(performance)16 b(is)j(crucial)f(to)h(client/serv)o(er)e(applications)g([45)o(],)h(and) g(the)h(I/O\255centric)e(nature)h(of)g(serv)o(ers)g(mak)o(es)g (operating)f(system\255)0 3926 y(based)j(optimizations)f(pro\002table.) 
125 4025 y(Gre)o(g)j(Ganger)g(has)h(de)n(v)o(eloped)d(an)j(e)o (xtensible)f(I/O)i(library)d(\(XIO\))i(for)f(f)o(ast)i(serv)o(ers)e (and)h(a)g(sample)g(application)e(that)j(uses)f(it,)0 4125 y(the)f(Cheetah)f(HTTP)h(serv)o(er)-5 b(.)34 b(This)22 b(library)f(is)i(designed)d(to)i(allo)n(w)g(application)e(writers)i(to) g(e)o(xploit)f(domain\255speci\002c)f(kno)n(wledge)0 4225 y(and)d(to)g(simplify)g(the)h(construction)d(of)i (high\255performance)c(serv)o(ers)k(by)g(remo)o(ving)e(the)i(need)g(to) g(\223trick\224)g(the)h(operating)d(system)j(into)0 4324 y(doing)f(what)i(the)g(application)e(requires)h(\(e.g.,)g(Harv)o(est)g ([14)o(])h(stores)g(cached)f(pages)g(in)h(multiple)f(directories)g(to)h (achie)n(v)o(e)f(f)o(ast)h(name)0 4424 y(lookup\).)125 4523 y(An)29 b(HTTP)h(serv)o(er')-5 b(s)30 b(task)g(is)h(simple:)49 b(gi)n(v)o(en)28 b(a)j(client)e(request,)j(it)e(\002nds)g(the)g (appropriate)e(document)g(and)h(sends)h(it.)59 b(The)0 4623 y(Cheetah)20 b(W)-7 b(eb)21 b(serv)o(er)e(performs)f(the)j(follo)n (wing)d(set)j(of)f(optimizations)f(as)i(well)g(as)f(others)g(not)g (listed)h(here.)125 4723 y Fo(Mer)o(ged)k(File)g(Cache)f(and)i (Retransmission)f(P)n(ool.)42 b Fp(Cheetah)25 b(a)n(v)n(oids)g(all)g (in\255memory)d(data)j(touching)e(\(by)h(the)h(CPU\))g(and)0 4822 y(the)18 b(need)e(for)h(a)h(distinct)g(TCP)g(retransmission)f (pool)f(by)h(transmitting)g(\002le)h(data)f(directly)g(from)g(the)g (\002le)h(cache)g(using)f(precomputed)p 0 4894 1560 4 v 90 4949 a Fh(1)120 4972 y Fg(Admittedly)l(,)23 b(in)f(our)f(e)o (xperience,)k(e)n(v)o(en)d(high)g(system)f(call)i(o)o(v)o(erhead)g(has) e(little)j(impact)e(on)f(real)h(application)j(performance.)39 b(But)21 b(this)h(point)g(ar)o(gues)g(e)n(v)o(en)0 5051 y(further)c(for)f(the)h(non\255issue)g(of)f(the)h(cost)g(of)f(ha)o (ving)h(operating)h(system)e(code)h(in)f(libraries.)90 5108 y Fh(2)120 5132 y Fg(In)h(f)o(act,)i(the)g(original)h(e)o(xok)o (ernel)g(paper)f([25])f(focuses)g(almost)h(e)o(xclusi)n(v)o(ely)i(on)c 
(application\255speci\002c)25 b(optimizations)d(rather)e(impro)o(ving)g (the)f(rate)h(of)f(whole\255)0 5210 y(system)e(inno)o(v)n(ations,)j (which)e(we)f(ha)o(v)o(e)g(come)h(to)f(re)o(gard)h(as)f(a)g(more)g (signi\002cant)i(bene\002t.)1908 5589 y Fp(52)p eop %%Page: 53 54 53 53 bop 1059 1218 a @beginspecial -56 @llx -38 @lly 577 @urx 361 @ury 2160 @rwi @setspecial %%BeginDocument: cheetah.ps %!PS-Adobe-2.0 EPSF-1.2 %%Page: 1 1 %%BoundingBox: -56 -38 577 361 %%EndComments 1 setlinecap 1 setlinejoin 0.700 setlinewidth 0.00 setgray /Jrnd { exch cvi exch cvi dup 3 1 roll idiv mul } def /JDEdict 8 dict def JDEdict /mtrx matrix put /JDE { JDEdict begin /yrad exch def /xrad exch def /savematrix mtrx currentmatrix def xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /JSTR { gsave 1 eq { gsave 1 setgray fill grestore } if exch neg exch neg translate clip rotate 4 dict begin pathbbox /&top exch def /&right exch def /&bottom exch def &right sub /&width exch def newpath currentlinewidth mul round dup &bottom exch Jrnd exch &top 4 -1 roll currentlinewidth mul setlinewidth { &right exch moveto &width 0 rlineto stroke } for end grestore newpath } bind def gsave /Times-Roman findfont 9.000000 scalefont setfont 0.000000 0.000000 translate 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 576.000000 0.000000 lineto stroke /Helvetica-Bold findfont 18.000000 scalefont setfont gsave 38.400002 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (0 Byte) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 153.600006 -8.000000 translate 0.000000 rotate 0 -10.800000 translate ( 100 Byte) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (1 KByte) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 403.200012 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (10 KByte) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 518.400024 -8.000000 translate 
0.000000 rotate 0 -10.800000 translate (100 KByte) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -26.799999 translate 0.000000 rotate 0 -10.800000 translate (HTTP page size) dup stringwidth pop 2 div neg 0 moveto show grestore grestore 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 0.000000 360.000000 lineto stroke newpath 0.000000 0.000000 moveto -5.000000 0.000000 lineto stroke newpath 0.000000 44.444447 moveto -2.000000 44.444447 lineto stroke newpath 0.000000 88.888893 moveto -5.000000 88.888893 lineto stroke newpath 0.000000 133.333344 moveto -2.000000 133.333344 lineto stroke newpath 0.000000 177.777786 moveto -5.000000 177.777786 lineto stroke newpath 0.000000 222.222229 moveto -2.000000 222.222229 lineto stroke newpath 0.000000 266.666687 moveto -5.000000 266.666687 lineto stroke newpath 0.000000 311.111115 moveto -2.000000 311.111115 lineto stroke newpath 0.000000 355.555573 moveto -5.000000 355.555573 lineto stroke /Helvetica-Bold findfont 15.000000 scalefont setfont gsave -8.000000 0.000000 translate 0.000000 rotate 0 -4.500000 translate (0) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 88.888893 translate 0.000000 rotate 0 -4.500000 translate (2000) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 177.777786 translate 0.000000 rotate 0 -4.500000 translate (4000) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 266.666687 translate 0.000000 rotate 0 -4.500000 translate (6000) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 355.555573 translate 0.000000 rotate 0 -4.500000 translate (8000) dup stringwidth pop neg 0 moveto show grestore /Helvetica-Bold findfont 18.000000 scalefont setfont gsave -44.799999 180.000000 translate 90.000000 rotate 0 0.000000 translate (Throughput \(requests/second\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore gsave gsave gsave 19.200001 27.777779 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 
0.000000 lineto -9.600000 -27.777779 lineto 9.600000 -27.777779 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 134.400009 25.911112 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -25.911112 lineto 9.600000 -25.911112 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 249.600006 24.444445 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -24.444445 lineto 9.600000 -24.444445 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 364.800018 15.866667 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -15.866667 lineto 9.600000 -15.866667 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 480.000031 3.897778 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -3.897778 lineto 9.600000 -3.897778 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore gsave gsave 38.400002 44.444447 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -44.444447 lineto 9.600000 -44.444447 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 153.600006 49.377777 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -49.377777 lineto 9.600000 -49.377777 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 268.800018 47.111111 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -47.111111 lineto 9.600000 -47.111111 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 384.000000 24.711111 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -24.711111 lineto 9.600000 -24.711111 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore gsave 
499.200012 4.337778 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -4.337778 lineto 9.600000 -4.337778 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore grestore gsave gsave 57.600002 55.555557 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -55.555557 lineto 9.600000 -55.555557 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 172.800003 49.377777 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -49.377777 lineto 9.600000 -49.377777 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 288.000000 49.377777 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -49.377777 lineto 9.600000 -49.377777 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 403.200012 25.866667 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -25.866667 lineto 9.600000 -25.866667 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 518.400024 4.000000 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -4.000000 lineto 9.600000 -4.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave gsave 76.800003 112.444450 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -112.444450 lineto 9.600000 -112.444450 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore gsave 192.000000 95.688889 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -95.688889 lineto 9.600000 -95.688889 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore gsave 307.200012 87.155556 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -87.155556 lineto 
9.600000 -87.155556 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore gsave 422.400024 50.400002 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -50.400002 lineto 9.600000 -50.400002 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore gsave 537.600037 7.155556 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -7.155556 lineto 9.600000 -7.155556 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore grestore gsave gsave 96.000000 348.888885 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -348.888885 lineto 9.600000 -348.888885 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore gsave 211.200012 355.644440 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -355.644440 lineto 9.600000 -355.644440 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore gsave 326.400024 299.288910 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -299.288910 lineto 9.600000 -299.288910 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore gsave 441.600006 101.466667 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -101.466667 lineto 9.600000 -101.466667 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore gsave 556.800049 12.711111 translate 0.000000 rotate newpath 9.600000 0.000000 moveto -9.600000 0.000000 lineto -9.600000 -12.711111 lineto 9.600000 -12.711111 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore grestore grestore gsave 384.000000 311.111115 translate 0.000000 rotate gsave gsave 0.000000 -5.100000 translate 0.000000 rotate newpath -9.600000 -2.000000 moveto 9.600000 -2.000000 lineto 9.600000 2.000000 lineto -9.600000 2.000000 lineto closepath gsave 0.000000 setgray 
fill grestore stroke grestore grestore /Helvetica-Bold findfont 17.000000 scalefont setfont gsave 13.600000 0.000000 translate 0.000000 rotate 0 -10.200000 translate (NCSA/BSD) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -25.500000 translate 0.000000 rotate newpath -9.600000 -2.000000 moveto 9.600000 -2.000000 lineto 9.600000 2.000000 lineto -9.600000 2.000000 lineto closepath gsave 0.500000 setgray fill grestore stroke grestore grestore gsave 13.600000 -20.400000 translate 0.000000 rotate 0 -10.200000 translate (Harvest/BSD) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -45.900002 translate 0.000000 rotate newpath -9.600000 -2.000000 moveto 9.600000 -2.000000 lineto 9.600000 2.000000 lineto -9.600000 2.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave 13.600000 -40.799999 translate 0.000000 rotate 0 -10.200000 translate (Socket/BSD) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -66.300003 translate 0.000000 rotate newpath -9.600000 -2.000000 moveto 9.600000 -2.000000 lineto 9.600000 2.000000 lineto -9.600000 2.000000 lineto closepath gsave 0.400000 setgray fill grestore stroke grestore grestore gsave 13.600000 -61.200001 translate 0.000000 rotate 0 -10.200000 translate (Socket/Xok) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -86.699997 translate 0.000000 rotate newpath -9.600000 -2.000000 moveto 9.600000 -2.000000 lineto 9.600000 2.000000 lineto -9.600000 2.000000 lineto closepath gsave 0.800000 setgray fill grestore stroke grestore grestore gsave 13.600000 -81.599998 translate 0.000000 rotate 0 -10.200000 translate (Cheetah) dup stringwidth pop pop 0 0 moveto show grestore grestore 0.000000 0.000000 translate grestore %%EndDocument @endspecial 0 1333 a Fp(Figure)17 b(5\2552:)27 b(HTTP)18 b(document)e(throughput)e(as)19 b(a)f(function)d(of)j(the)f(document)f (size)i(for)f(se)n(v)o(eral)g(HTTP/1.0)g(serv)o(ers.)27 b 
Fo(NCSA/BSD)0 1433 y Fp(represents)e(the)h(NCSA/1.4.2)g(serv)o(er)f (running)f(on)h(OpenBSD.)h Fo(Har)o(v)o(est/BSD)g Fp(represents)f(the)h (Harv)o(est)g(proxy)e(cache)i(running)0 1533 y(on)21 b(OpenBSD.)g Fo(Sock)o(et/BSD)h Fp(represents)e(our)h(HTTP)g(serv)o(er) g(using)f(TCP)j(sock)o(ets)e(on)g(OpenBSD.)g Fo(Sock)o(et/Xok)g Fp(represents)f(our)0 1632 y(HTTP)27 b(serv)o(er)e(using)h(the)h(TCP)g (sock)o(et)f(interf)o(ace)g(b)n(uilt)h(on)f(our)f(e)o(xtensible)h (TCP/IP)h(implementation)d(on)i(the)h(Xok)f(e)o(xok)o(ernel.)0 1732 y Fo(Cheetah/Xok)16 b Fp(represents)g(the)h(Cheetah)g(HTTP)g(serv) o(er)m(,)f(which)g(e)o(xploits)g(the)h(TCP)h(and)e(\002le)i(system)f (implementations)e(for)h(speed.)0 1999 y(\002le)25 b(checksums)f (\(which)g(are)h(stored)f(with)h(each)g(\002le\).)43 b(Data)25 b(are)g(transmitted)f(\(and)g(retransmitted,)g(if)h (necessary\))f(to)h(the)g(client)0 2099 y(directly)19 b(from)h(the)g(\002le)h(cache)e(without)h(CPU)h(cop)o(y)e(operations.) 28 b(\(Cao)20 b(et)h(al.)29 b(ha)n(v)o(e)20 b(also)h(used)e(this)i (technique)e([70)n(].\))125 2198 y Fo(Kno)o(wledge\255based)g(P)o(ack)o (et)i(Mer)o(ging)o(.)30 b Fp(Cheetah)21 b(e)o(xploits)f(kno)n(wledge)e (of)j(its)g(per)n(\255request)e(state)j(transitions)e(to)h(reduce)f (the)0 2298 y(number)14 b(of)i(I/O)g(actions)g(it)h(initiates.)28 b(F)o(or)16 b(e)o(xample,)f(it)i(a)n(v)n(oids)f(sending)f(redundant)f (control)h(pack)o(ets)h(by)f(delaying)g(A)m(CKs)i(on)f(client)0 2397 y(HTTP)25 b(requests,)g(since)f(it)i(kno)n(ws)d(it)j(will)f(be)f (able)h(to)g(piggy\255back)c(them)j(on)g(the)h(response.)41 b(This)25 b(optimization)e(is)i(particularly)0 2497 y(v)n(aluable)16 b(for)h(small)h(document)e(sizes,)j(where)e(the)g(reduction)f (represents)h(a)h(substantial)f(fraction)g(\(e.g.,)g(20\045\))g(of)g (the)h(total)f(number)0 2597 y(of)j(pack)o(ets.)125 2696 y Fo(HTML\255based)d(File)h(Gr)o(ouping)o(.)27 b Fp(Cheetah)16 b(co\255locates)h(\002les)h(included)d(in)i(an)g(HTML)g(document)e(by)i 
(allocating)f(them)g(in)i(disk)0 2796 y(blocks)24 b(adjacent)f(to)i (that)f(\002le)h(when)f(possible.)41 b(When)24 b(the)h(\002le)g(cache)f (does)g(not)g(capture)f(the)i(majority)e(of)h(client)g(requests,)h (this)0 2896 y(e)o(xtension)19 b(can)h(impro)o(v)o(e)e(HTTP)i (throughput)d(by)j(up)g(to)g(a)h(f)o(actor)e(of)h(tw)o(o.)125 2995 y(Figure)14 b(5\2552)h(sho)n(ws)h(HTTP)g(request)f(throughput)d (as)17 b(a)f(function)e(of)h(the)h(requested)e(document)g(size)i(for)f (\002v)o(e)g(serv)o(ers:)27 b(the)16 b(NCSA)0 3095 y(1.4.2)22 b(serv)o(er)h([68)o(])h(running)e(on)h(OpenBSD)h(2.0,)g(the)g(Harv)o (est)f(cache)h([14)n(])g(running)e(on)i(OpenBSD)f(2.0,)h(the)g(base)g (sock)o(et\255based)0 3194 y(serv)o(er)31 b(running)f(on)h(OpenBSD)h (2.0)f(\(i.e.,)j(our)d(HTTP)h(serv)o(er)f(without)g(an)o(y)g (optimizations\),)h(the)g(base)g(sock)o(et\255based)e(serv)o(er)0 3294 y(running)24 b(on)i(the)g(Xok)g(e)o(xok)o(ernel)e(system)i (\(i.e.,)h(our)e(HTTP)i(serv)o(er)e(without)g(an)o(y)h(optimizations)e (with)j(v)n(anilla)e(sock)o(et)h(and)g(\002le)0 3394 y(descriptor)20 b(implementations)g(layered)g(o)o(v)o(er)h(XIO\),)g (and)g(the)g(Cheetah)h(serv)o(er)e(running)g(on)h(the)h(Xok)f(e)o(xok)o (ernel)e(\(i.e.,)j(our)e(HTTP)0 3493 y(serv)o(er)f(with)i(all)f (optimizations)f(enabled\).)125 3593 y(Figure)33 b(5\2552)g(pro)o (vides)f(se)n(v)o(eral)h(important)f(pieces)i(of)g(information.)67 b(First,)38 b(our)33 b(base)h(HTTP)g(serv)o(er)f(performs)f(roughly)0 3693 y(as)f(well)g(as)g(the)f(Harv)o(est)g(cache,)i(which)e(has)h(been) e(sho)n(wn)h(to)h(outperform)c(man)o(y)i(other)h(HTTP)g(serv)o(er)g (implementations)e(on)0 3792 y(general\255purpose)e(operating)j (systems.)59 b(Both)30 b(outperform)d(the)k(NCSA)g(serv)o(er)-5 b(.)58 b(This)30 b(gi)n(v)o(es)g(us)g(a)h(reasonable)e(starting)g (point)0 3892 y(for)i(e)n(v)n(aluating)f(e)o(xtensions)h(that)h(impro)o (v)o(e)d(performance.)61 b(Second,)33 b(the)f(def)o(ault)f(sock)o(et)h (and)f(\002le)i(system)e(implementations)0 3991 
y(b)n(uilt)25 b(on)g(top)g(of)g(XIO)h(perform)d(signi\002cantly)h(better)h(than)g (the)g(OpenBSD)g(implementations)f(of)h(the)g(same)g(interf)o(aces)g (\(by)f(80\226)0 4091 y(100\045\).)k(The)18 b(impro)o(v)o(ement)e (comes)j(mainly)g(from)f(simple)h(\(though)e(generally)g(v)n(aluable\)) h(e)o(xtensions,)g(such)h(as)g(pack)o(et)g(mer)o(ging,)0 4191 y(application\255le)n(v)o(el)e(caching)i(of)h(pointers)g(to)g (\002le)h(cache)e(blocks,)h(and)f(protocol)g(control)g(block)g(reuse.) 125 4290 y(Third,)32 b(and)e(most)h(importantly)-5 b(,)32 b(Cheetah)e(signi\002cantly)g(outperforms)f(the)i(serv)o(ers)f(that)h (use)g(traditional)f(interf)o(aces.)61 b(By)0 4390 y(e)o(xploiting)23 b(Xok')-5 b(s)25 b(e)o(xtensibility)-5 b(,)24 b(Cheetah)g(gains)h(a)g (four)f(times)h(performance)d(impro)o(v)o(ement)g(for)i(small)h (documents)f(\(1)g(KByte)0 4490 y(and)c(smaller\),)f(making)g(it)i (eight)e(times)i(f)o(aster)f(than)g(the)g(best)g(performance)d(we)k (could)e(achie)n(v)o(e)g(on)g(OpenBSD.)h(Furthermore,)e(the)0 4589 y(lar)o(ge)24 b(document)e(performance)g(for)h(Cheetah)i(is)g (limited)f(by)g(the)h(a)n(v)n(ailable)f(netw)o(ork)f(bandwidth)g (\(three)g(100Mbit/s)h(Ethernets\))0 4689 y(rather)17 b(than)g(by)g(the)h(serv)o(er)e(hardw)o(are.)27 b(While)18 b(the)g(sock)o(et\255based)e(implementation)f(is)k(limited)e(to)h(only) f(16.5)f(MByte/s)j(with)e(100\045)0 4788 y(CPU)27 b(utilization,)f (Cheetah)f(deli)n(v)o(ers)g(o)o(v)o(er)f(29.3)h(MByte/s)h(with)g(the)g (CPU)g(idle)g(o)o(v)o(er)f(30\045)g(of)g(the)h(time.)46 b(The)25 b(e)o(xtensibility)g(of)0 4888 y(ExOS')-5 b(s)24 b(def)o(ault)f(unpri)n(vile)o(ged)d(TCP/IP)k(and)f(\002le)i(system)e (implementations)f(made)h(it)h(possible)g(to)f(achie)n(v)o(e)g(these)g (performance)0 4988 y(impro)o(v)o(ements)17 b(incrementally)i(and)g (with)i(lo)n(w)f(comple)o(xity)-5 b(.)125 5087 y(The)19 b(optimizations)f(performed)f(by)j(Cheetah)f(are)h(architecture)e (independent.)26 b(In)20 b(Ae)o(gis,)g(Cheetah)f(obtained)f(similar)i (perfor)n(\255)0 
5187 y(mance)f(impro)o(v)o(ements)f(o)o(v)o(er)h (Ultrix)h(web)g(serv)o(ers)f([49)o(].)1908 5589 y(53)p eop %%Page: 54 55 54 54 bop 1069 1147 a @beginspecial -49 @llx -38 @lly 577 @urx 361 @ury 2160 @rwi @setspecial %%BeginDocument: global-perf.ps %!PS-Adobe-2.0 EPSF-1.2 %%Page: 1 1 %%BoundingBox: -49 -38 577 361 %%EndComments 1 setlinecap 1 setlinejoin 0.700 setlinewidth 0.00 setgray /Jrnd { exch cvi exch cvi dup 3 1 roll idiv mul } def /JDEdict 8 dict def JDEdict /mtrx matrix put /JDE { JDEdict begin /yrad exch def /xrad exch def /savematrix mtrx currentmatrix def xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /JSTR { gsave 1 eq { gsave 1 setgray fill grestore } if exch neg exch neg translate clip rotate 4 dict begin pathbbox /&top exch def /&right exch def /&bottom exch def &right sub /&width exch def newpath currentlinewidth mul round dup &bottom exch Jrnd exch &top 4 -1 roll currentlinewidth mul setlinewidth { &right exch moveto &width 0 rlineto stroke } for end grestore newpath } bind def gsave /Times-Roman findfont 9.000000 scalefont setfont 0.000000 0.000000 translate 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 576.000000 0.000000 lineto stroke /Helvetica-Bold findfont 18.000000 scalefont setfont gsave 57.600002 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (7/1) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 172.800003 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (14/2) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (21/3) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 403.200012 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (28/4) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 518.400024 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (35/5) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -26.799999 translate 0.000000 rotate 0 
-10.800000 translate (Xok/ExOS and FreeBSD) dup stringwidth pop 2 div neg 0 moveto show grestore grestore 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 0.000000 360.000000 lineto stroke newpath 0.000000 0.000002 moveto -5.000000 0.000002 lineto stroke newpath 0.000000 31.893091 moveto -2.000000 31.893091 lineto stroke newpath 0.000000 50.549355 moveto -2.000000 50.549355 lineto stroke newpath 0.000000 63.786179 moveto -2.000000 63.786179 lineto stroke newpath 0.000000 74.053459 moveto -2.000000 74.053459 lineto stroke newpath 0.000000 82.442444 moveto -2.000000 82.442444 lineto stroke newpath 0.000000 89.535225 moveto -2.000000 89.535225 lineto stroke newpath 0.000000 95.679268 moveto -2.000000 95.679268 lineto stroke newpath 0.000000 101.098701 moveto -2.000000 101.098701 lineto stroke newpath 0.000000 105.946548 moveto -5.000000 105.946548 lineto stroke newpath 0.000000 137.839630 moveto -2.000000 137.839630 lineto stroke newpath 0.000000 156.495895 moveto -2.000000 156.495895 lineto stroke newpath 0.000000 169.732727 moveto -2.000000 169.732727 lineto stroke newpath 0.000000 180.000000 moveto -2.000000 180.000000 lineto stroke newpath 0.000000 188.388992 moveto -2.000000 188.388992 lineto stroke newpath 0.000000 195.481766 moveto -2.000000 195.481766 lineto stroke newpath 0.000000 201.625809 moveto -2.000000 201.625809 lineto stroke newpath 0.000000 207.045242 moveto -2.000000 207.045242 lineto stroke newpath 0.000000 211.893097 moveto -5.000000 211.893097 lineto stroke newpath 0.000000 243.786179 moveto -2.000000 243.786179 lineto stroke newpath 0.000000 262.442444 moveto -2.000000 262.442444 lineto stroke newpath 0.000000 275.679260 moveto -2.000000 275.679260 lineto stroke newpath 0.000000 285.946564 moveto -2.000000 285.946564 lineto stroke newpath 0.000000 294.335541 moveto -2.000000 294.335541 lineto stroke newpath 0.000000 301.428314 moveto -2.000000 301.428314 lineto stroke newpath 0.000000 307.572357 moveto -2.000000 307.572357 lineto 
stroke newpath 0.000000 312.991791 moveto -2.000000 312.991791 lineto stroke newpath 0.000000 317.839630 moveto -5.000000 317.839630 lineto stroke newpath 0.000000 349.732727 moveto -2.000000 349.732727 lineto stroke /Helvetica-Bold findfont 15.000000 scalefont setfont gsave -8.000000 0.000002 translate 0.000000 rotate 0 -4.500000 translate (0) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 105.946548 translate 0.000000 rotate 0 -4.500000 translate (1) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 211.893097 translate 0.000000 rotate 0 -4.500000 translate (10) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 317.839630 translate 0.000000 rotate 0 -4.500000 translate (100) dup stringwidth pop neg 0 moveto show grestore /Helvetica-Bold findfont 18.000000 scalefont setfont gsave -37.599998 180.000000 translate 90.000000 rotate 0 0.000000 translate (Runtime \(seconds\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore gsave gsave gsave 38.400002 263.951172 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -263.951172 lineto 14.400001 -263.951172 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 76.800003 263.951172 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -263.951172 lineto 14.400001 -263.951172 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 153.600006 285.016998 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -285.016998 lineto 14.400001 -285.016998 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 192.000000 285.016998 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -285.016998 lineto 14.400001 -285.016998 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 268.800018 310.899994 translate 0.000000 rotate 
newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -310.899994 lineto 14.400001 -310.899994 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 307.200012 309.817291 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -309.817291 lineto 14.400001 -309.817291 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 384.000000 323.054108 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -323.054108 lineto 14.400001 -323.054108 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 422.400024 320.084564 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -320.084564 lineto 14.400001 -320.084564 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 499.200012 332.324707 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -332.324707 lineto 14.400001 -332.324707 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 537.600037 329.556244 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -329.556244 lineto 14.400001 -329.556244 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave gsave 38.400002 216.278503 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -216.278503 lineto 14.400001 -216.278503 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 76.800003 216.278503 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -216.278503 lineto 14.400001 -216.278503 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 153.600006 238.938339 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -238.938339 lineto 
14.400001 -238.938339 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 192.000000 248.171600 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -248.171600 lineto 14.400001 -248.171600 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 268.800018 255.858093 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -255.858093 lineto 14.400001 -255.858093 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 307.200012 262.442444 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -262.442444 lineto 14.400001 -262.442444 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 384.000000 269.535217 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -269.535217 lineto 14.400001 -269.535217 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 422.400024 280.064697 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -280.064697 lineto 14.400001 -280.064697 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 499.200012 281.098694 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -281.098694 lineto 14.400001 -281.098694 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 537.600037 286.857727 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -286.857727 lineto 14.400001 -286.857727 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore grestore gsave gsave 38.400002 118.018448 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -118.018448 lineto 14.400001 -118.018448 lineto closepath gsave 0.000000 setgray fill grestore stroke 
grestore gsave 76.800003 149.911545 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -149.911545 lineto 14.400001 -149.911545 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 153.600006 140.084564 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -140.084564 lineto 14.400001 -140.084564 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 192.000000 166.145554 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -166.145554 lineto 14.400001 -166.145554 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 268.800018 148.106918 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -148.106918 lineto 14.400001 -148.106918 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 307.200012 177.153000 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -177.153000 lineto 14.400001 -177.153000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 384.000000 160.881302 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -160.881302 lineto 14.400001 -160.881302 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 422.400024 162.254913 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -162.254913 lineto 14.400001 -162.254913 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 499.200012 160.881302 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -160.881302 lineto 14.400001 -160.881302 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 537.600037 196.777969 translate 0.000000 rotate newpath 14.400001 0.000000 moveto 
-14.400001 0.000000 lineto -14.400001 -196.777969 lineto 14.400001 -196.777969 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore grestore gsave 153.600006 356.163452 translate 0.000000 rotate gsave gsave 0.000000 -5.100000 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore /Helvetica-Bold findfont 17.000000 scalefont setfont gsave 18.400002 0.000000 translate 0.000000 rotate 0 -10.200000 translate (Total) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -25.500000 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore grestore gsave 18.400002 -20.400000 translate 0.000000 rotate 0 -10.200000 translate (Max) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -45.900002 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore gsave 18.400002 -40.799999 translate 0.000000 rotate 0 -10.200000 translate (Min) dup stringwidth pop pop 0 0 moveto show grestore grestore 0.000000 0.000000 translate grestore %%EndDocument @endspecial 0 1263 a Fp(Figure)22 b(5\2553:)35 b(Measured)22 b(global)g(performance)f(of)i(Xok/ExOS)f(\(the)g(\002rst)i(bar\))f(and) f(FreeBSD)i(\(the)f(second)f(bar\),)h(using)g(the)g(\002rst)0 1363 y(application)14 b(pool.)27 b(T)m(imes)17 b(are)f(in)g(seconds)f (and)g(on)h(a)g(log)g(scale.)28 b Fk(number/number)14 b Fp(refers)i(to)g(the)g(the)g(total)g(number)e(of)i(applications)0 1462 y(run)g(by)f(the)i(script)f(and)g(the)g(maximum)f(number)f(of)i (jobs)h(run)e(concurrently)-5 b(.)25 b Fo(T)-8 b(otal)16 b 
Fp(is)h(the)g(total)f(running)e(time)j(of)f(each)g(e)o(xperiment,)0 1562 y Fo(Max)k Fp(is)h(the)f(longest)g(runtime)f(of)h(an)o(y)f (process)h(in)h(a)f(gi)n(v)o(en)f(run)g(\(gi)n(ving)g(the)h(w)o(orst)h (latenc)o(y\).)28 b Fo(Min)21 b Fp(is)g(the)f(minimum.)0 1829 y Fv(5.5)117 b(Global)29 b(perf)m(ormance)0 2015 y Fp(An)16 b(e)o(xok)o(ernel)e(gi)n(v)o(es)h(applications)g (signi\002cantly)g(more)h(control)e(than)i(traditional)f(operating)f (systems)i(do.)28 b(Ho)n(we)n(v)o(er)m(,)14 b(it)j(must)f(also)0 2114 y(guarantee)j(good)f(global)i(performance)d(when)j(running)e (multiple)h(applications)g(concurrently)-5 b(.)26 b(The)20 b(e)o(xperiments)f(in)h(this)h(section)0 2214 y(measure)i(the)h (situation)g(where)f(the)h(e)o(xok)o(ernel)e(architecture)g(seems)i (potentially)f(weak:)37 b(under)22 b(substantial)i(load)f(where)h (sel\002sh)0 2313 y(applications)g(are)h(consuming)e(lar)o(ge)i (resources)f(and)g(utilizing)h(I/O)g(de)n(vices)g(hea)n(vily)-5 b(.)43 b(The)25 b(results)h(indicate)e(that)i(an)f(e)o(xok)o(ernel)0 2413 y(can)18 b(successfully)g(reconcile)f(local)h(control)f(with)i (global)e(performance:)26 b(\(1\))17 b(gi)n(v)o(en)g(the)i(same)f(w)o (orkload,)f(an)h(e)o(xok)o(ernel)e(performs)0 2513 y(comparably)d(to)j (widely)f(used)h(monolithic)e(systems,)i(and)g(\(2\))f(that)g(when)g (local)h(optimizations)e(are)i(performed,)d(that)j(whole)f(system)0 2612 y(performance)i(impro)o(v)o(es,)h(and)i(can)g(do)g(so)g (signi\002cantly)-5 b(.)125 2712 y(There)20 b(are)i(tw)o(o)g (intuitions)f(behind)f(these)h(results.)34 b(First,)23 b(most)e(local)h(optimizations,)e(because)h(the)o(y)g(mak)o(e)g (applications)f(run)0 2812 y(f)o(aster)m(,)j(lead)f(to)h(more)f (resources)f(globally)-5 b(.)35 b(F)o(or)22 b(e)o(xample,)f(if)i(an)g (application,)e(after)h(being)g(link)o(ed)g(against)g(an)g(optimized)f (libOS)0 2911 y(cuts)f(its)h(runtime)e(from)g(ten)h(seconds)f(to)h(one) f(second,)g(then)h(there)f(are)h(nine)f(seconds)h(of)f(freed)g 
(resources)g(to)h(go)g(around)e(the)i(entire)0 3011 y(system.)34 b(Second,)21 b(an)h(e)o(xok)o(ernel)d(mediates)j(allocation)f(and)g(re) n(v)n(ocation)f(of)h(resources.)33 b(Therefore)20 b(it)j(has)f(the)f (po)n(wer)g(to)h(enforce)0 3110 y(an)o(y)14 b(global)g(polic)o(y)g (that)h(a)g(traditional)f(operating)f(system)j(can.)27 b(Thus,)15 b(all)h(else)f(equal,)g(it)h(has)f(no)g(problem)e(achie)n (ving)g(similar)i(global)0 3210 y(performance.)26 b(The)17 b(single)h(ne)n(w)g(challenge)f(an)h(e)o(xok)o(ernel)d(f)o(aces)k(is)g (deri)n(ving)d(information)g(lost)i(by)g(dislocating)f(abstractions)g (into)0 3310 y(application)25 b(space.)50 b(F)o(or)26 b(e)o(xample,)h(traditional)f(operating)f(systems)j(manage)e(both)g (virtual)g(memory)f(and)i(\002le)g(caching.)48 b(As)28 b(a)0 3409 y(result,)c(the)o(y)e(can)h(perform)e(global)h(resource)g (management)f(of)i(pages)g(that)g(tak)o(es)g(into)g(account)f(the)h (manner)f(in)h(which)g(a)g(page)g(is)0 3509 y(being)g(used.)38 b(In)23 b(contrast,)h(if)g(an)f(e)o(xok)o(ernel)e(dislocates)j(virtual) f(memory)e(and)i(\002le)h(b)n(uf)n(fer)f(management)e(into)i(library)f (operating)0 3609 y(systems)f(it)g(no)g(longer)e(can)h(mak)o(e)g(such)h (distinctions.)29 b(While)21 b(such)g(information)d(matters)i(in)h (theory)-5 b(,)19 b(in)i(practice)e(we)i(ha)n(v)o(e)f(found)0 3708 y(it)g(either)f(unnecessary)f(or)h(crude)f(enough)g(that)h(no)g (special)h(methods)e(ha)n(v)o(e)h(been)f(necessary)h(to)h(deri)n(v)o(e) e(it.)29 b(Ho)n(we)n(v)o(er)m(,)18 b(whether)g(this)0 3808 y(happ)o(y)h(situation)h(al)o(w)o(ays)g(holds)g(is)h(an)f(open)f (question.)0 4021 y Fq(5.5.1)99 b(Experiments)125 4168 y Fp(Global)16 b(performance)f(has)i(not)g(been)f(e)o(xtensi)n(v)o(ely) g(studied.)27 b(W)-7 b(e)19 b(use)e(the)g(total)h(time)f(to)h(complete) e(a)h(set)h(of)f(concurrent)e(tasks)j(as)0 4268 y(a)f(measure)e(of)h (system)h(throughput,)c(and)j(the)g(minimum)f(and)h(the)g(maximum)f (latenc)o(y)g(of)h(indi)n(vidual)f(applications)g(as)i(a)f(measure)g (of)0 4367 
y(interacti)n(v)o(e)i(performance.)26 b(F)o(or)19 b(simplicity)g(we)h(compare)e(Xok/ExOS')-5 b(s)19 b(performance)d (under)i(high)h(load)g(to)h(that)f(of)g(FreeBSD;)h(in)0 4467 y(these)g(e)o(xperiments,)d(FreeBSD)j(al)o(w)o(ays)g(performs)e (better)h(than)g(OpenBSD,)g(because)g(of)g(OpenBSD')-5 b(s)20 b(small,)g(non\255uni\002ed)d(b)n(uf)n(fer)0 4566 y(cache.)38 b(While)24 b(this)g(methodology)c(does)j(not)g(guarantee)e (that)j(an)f(e)o(xok)o(ernel)e(can)i(compare)f(to)h(an)o(y)g (centralized)f(system,)i(it)g(does)0 4666 y(of)n(fer)19 b(a)i(useful)e(relati)n(v)o(e)h(metric.)125 4766 y(The)i(space)g(of)g (possible)g(combinations)f(of)h(applications)f(to)i(run)e(is)j(lar)o (ge.)35 b(The)22 b(e)o(xperiments)e(use)j(randomization)d(to)i(ensure)0 4865 y(we)i(get)g(a)h(reasonable)e(sample)g(of)h(this)h(space.)40 b(The)24 b(inputs)g(are)g(a)g(set)h(of)f(applications)e(to)j(pick)e (from,)h(the)g(total)g(number)e(to)j(run,)0 4965 y(and)h(the)h(maximum) f(number)f(that)i(can)g(be)g(running)e(concurrently)-5 b(.)46 b(Each)27 b(e)o(xperiment)e(maintains)h(the)h(number)e(of)i (concurrent)0 5065 y(processes)e(at)g(the)g(speci\002ed)f(maximum.)42 b(The)24 b(outputs)g(are)h(the)g(total)f(running)f(time,)j(gi)n(ving)e (throughput,)e(and)j(the)f(time)h(to)g(run)0 5164 y(each)20 b(application.)28 b(Poor)19 b(interacti)n(v)o(e)g(performance)e(will)k (sho)n(w)f(up)g(as)h(a)f(high)g(minimum)f(latenc)o(y)-5 b(.)125 5264 y(The)26 b(\002rst)i(application)e(pool)g(includes)g(a)i (mix)f(of)f(I/O\255intensi)n(v)o(e)g(and)g(CPU\255intensi)n(v)o(e)g (programs:)42 b(pack)26 b(archi)n(v)o(e)g(\(pax)g(\255w\),)1908 5589 y(54)p eop %%Page: 55 56 55 55 bop 1069 1230 a @beginspecial -49 @llx -38 @lly 577 @urx 361 @ury 2160 @rwi @setspecial %%BeginDocument: global-perf2.ps %!PS-Adobe-2.0 EPSF-1.2 %%Page: 1 1 %%BoundingBox: -49 -38 577 361 %%EndComments 1 setlinecap 1 setlinejoin 0.700 setlinewidth 0.00 setgray /Jrnd { exch cvi exch cvi dup 3 1 roll idiv mul } def /JDEdict 8 dict def JDEdict /mtrx 
matrix put /JDE { JDEdict begin /yrad exch def /xrad exch def /savematrix mtrx currentmatrix def xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /JSTR { gsave 1 eq { gsave 1 setgray fill grestore } if exch neg exch neg translate clip rotate 4 dict begin pathbbox /&top exch def /&right exch def /&bottom exch def &right sub /&width exch def newpath currentlinewidth mul round dup &bottom exch Jrnd exch &top 4 -1 roll currentlinewidth mul setlinewidth { &right exch moveto &width 0 rlineto stroke } for end grestore newpath } bind def gsave /Times-Roman findfont 9.000000 scalefont setfont 0.000000 0.000000 translate 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 576.000000 0.000000 lineto stroke /Helvetica-Bold findfont 18.000000 scalefont setfont gsave 57.600002 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (7/1) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 172.800003 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (14/2) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (21/3) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 403.200012 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (28/4) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 518.400024 -8.000000 translate 0.000000 rotate 0 -10.800000 translate (35/5) dup stringwidth pop 2 div neg 0 moveto show grestore gsave 288.000000 -26.799999 translate 0.000000 rotate 0 -10.800000 translate (Xok/ExOS and FreeBSD) dup stringwidth pop 2 div neg 0 moveto show grestore grestore 0.700000 setlinewidth gsave newpath 0.000000 0.000000 moveto 0.000000 360.000000 lineto stroke newpath 0.000000 0.000002 moveto -5.000000 0.000002 lineto stroke newpath 0.000000 27.966217 moveto -2.000000 27.966217 lineto stroke newpath 0.000000 44.325405 moveto -2.000000 44.325405 lineto stroke newpath 0.000000 55.932430 moveto -2.000000 55.932430 lineto stroke newpath 
0.000000 64.935539 moveto -2.000000 64.935539 lineto stroke newpath 0.000000 72.291618 moveto -2.000000 72.291618 lineto stroke newpath 0.000000 78.511093 moveto -2.000000 78.511093 lineto stroke newpath 0.000000 83.898651 moveto -2.000000 83.898651 lineto stroke newpath 0.000000 88.650810 moveto -2.000000 88.650810 lineto stroke newpath 0.000000 92.901756 moveto -5.000000 92.901756 lineto stroke newpath 0.000000 120.867973 moveto -2.000000 120.867973 lineto stroke newpath 0.000000 137.227158 moveto -2.000000 137.227158 lineto stroke newpath 0.000000 148.834183 moveto -2.000000 148.834183 lineto stroke newpath 0.000000 157.837296 moveto -2.000000 157.837296 lineto stroke newpath 0.000000 165.193375 moveto -2.000000 165.193375 lineto stroke newpath 0.000000 171.412842 moveto -2.000000 171.412842 lineto stroke newpath 0.000000 176.800400 moveto -2.000000 176.800400 lineto stroke newpath 0.000000 181.552567 moveto -2.000000 181.552567 lineto stroke newpath 0.000000 185.803513 moveto -5.000000 185.803513 lineto stroke newpath 0.000000 213.769730 moveto -2.000000 213.769730 lineto stroke newpath 0.000000 230.128906 moveto -2.000000 230.128906 lineto stroke newpath 0.000000 241.735947 moveto -2.000000 241.735947 lineto stroke newpath 0.000000 250.739044 moveto -2.000000 250.739044 lineto stroke newpath 0.000000 258.095123 moveto -2.000000 258.095123 lineto stroke newpath 0.000000 264.314606 moveto -2.000000 264.314606 lineto stroke newpath 0.000000 269.702148 moveto -2.000000 269.702148 lineto stroke newpath 0.000000 274.454315 moveto -2.000000 274.454315 lineto stroke newpath 0.000000 278.705261 moveto -5.000000 278.705261 lineto stroke newpath 0.000000 306.671478 moveto -2.000000 306.671478 lineto stroke newpath 0.000000 323.030670 moveto -2.000000 323.030670 lineto stroke newpath 0.000000 334.637695 moveto -2.000000 334.637695 lineto stroke newpath 0.000000 343.640808 moveto -2.000000 343.640808 lineto stroke newpath 0.000000 350.996887 moveto -2.000000 350.996887 
lineto stroke newpath 0.000000 357.216370 moveto -2.000000 357.216370 lineto stroke /Helvetica-Bold findfont 15.000000 scalefont setfont gsave -8.000000 0.000002 translate 0.000000 rotate 0 -4.500000 translate (0) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 92.901756 translate 0.000000 rotate 0 -4.500000 translate (1) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 185.803513 translate 0.000000 rotate 0 -4.500000 translate (10) dup stringwidth pop neg 0 moveto show grestore gsave -8.000000 278.705261 translate 0.000000 rotate 0 -4.500000 translate (100) dup stringwidth pop neg 0 moveto show grestore /Helvetica-Bold findfont 18.000000 scalefont setfont gsave -37.599998 180.000000 translate 90.000000 rotate 0 0.000000 translate (Runtime \(seconds\)) dup stringwidth pop 2 div neg 0 moveto show grestore grestore gsave gsave gsave 38.400002 224.355270 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -224.355270 lineto 14.400001 -224.355270 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 76.800003 258.762024 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -258.762024 lineto 14.400001 -258.762024 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 153.600006 249.923935 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -249.923935 lineto 14.400001 -249.923935 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 192.000000 303.743500 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -303.743500 lineto 14.400001 -303.743500 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 268.800018 268.680664 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -268.680664 lineto 14.400001 -268.680664 lineto closepath 
gsave 1.000000 setgray fill grestore stroke grestore gsave 307.200012 327.119904 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -327.119904 lineto 14.400001 -327.119904 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 384.000000 287.708374 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -287.708374 lineto 14.400001 -287.708374 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 422.400024 343.882172 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -343.882172 lineto 14.400001 -343.882172 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 499.200012 296.904694 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -296.904694 lineto 14.400001 -296.904694 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore gsave 537.600037 354.412140 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -354.412140 lineto 14.400001 -354.412140 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore gsave gsave 38.400002 193.159592 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -193.159592 lineto 14.400001 -193.159592 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 76.800003 209.518768 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -209.518768 lineto 14.400001 -209.518768 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 153.600006 204.766617 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -204.766617 lineto 14.400001 -204.766617 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 192.000000 253.844177 translate 
0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -253.844177 lineto 14.400001 -253.844177 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 268.800018 219.408661 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -219.408661 lineto 14.400001 -219.408661 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 307.200012 273.086487 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -273.086487 lineto 14.400001 -273.086487 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 384.000000 235.178833 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -235.178833 lineto 14.400001 -235.178833 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 422.400024 288.029877 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -288.029877 lineto 14.400001 -288.029877 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 499.200012 242.732208 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -242.732208 lineto 14.400001 -242.732208 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore gsave 537.600037 298.909912 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -298.909912 lineto 14.400001 -298.909912 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore grestore gsave gsave 38.400002 55.932430 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -55.932430 lineto 14.400001 -55.932430 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 76.800003 27.966217 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 
-27.966217 lineto 14.400001 -27.966217 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 153.600006 55.932430 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -55.932430 lineto 14.400001 -55.932430 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 192.000000 55.932430 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -55.932430 lineto 14.400001 -55.932430 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 268.800018 55.932430 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -55.932430 lineto 14.400001 -55.932430 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 307.200012 88.650803 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -88.650803 lineto 14.400001 -88.650803 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 384.000000 100.257835 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -100.257835 lineto 14.400001 -100.257835 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 422.400024 106.477310 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -106.477310 lineto 14.400001 -106.477310 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 499.200012 96.747208 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -96.747208 lineto 14.400001 -96.747208 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore gsave 537.600037 72.291618 translate 0.000000 rotate newpath 14.400001 0.000000 moveto -14.400001 0.000000 lineto -14.400001 -72.291618 lineto 14.400001 -72.291618 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore 
grestore gsave 76.800003 345.991760 translate 0.000000 rotate gsave gsave 0.000000 -5.100000 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 1.000000 setgray fill grestore stroke grestore grestore /Helvetica-Bold findfont 17.000000 scalefont setfont gsave 18.400002 0.000000 translate 0.000000 rotate 0 -10.200000 translate (Total) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -25.500000 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 0.700000 setgray fill grestore stroke grestore grestore gsave 18.400002 -20.400000 translate 0.000000 rotate 0 -10.200000 translate (Max) dup stringwidth pop pop 0 0 moveto show grestore gsave gsave 0.000000 -45.900002 translate 0.000000 rotate newpath -14.400001 -2.000000 moveto 14.400001 -2.000000 lineto 14.400001 2.000000 lineto -14.400001 2.000000 lineto closepath gsave 0.000000 setgray fill grestore stroke grestore grestore gsave 18.400002 -40.799999 translate 0.000000 rotate 0 -10.200000 translate (Min) dup stringwidth pop pop 0 0 moveto show grestore grestore 0.000000 0.000000 translate grestore %%EndDocument @endspecial 0 1346 a Fp(Figure)17 b(5\2554:)27 b(Measured)16 b(global)g(performance)f(of)i(Xok/ExOS)f(\(the)h(\002rst)h(bar\))f(and) f(FreeBSD)i(\(the)f(second)g(bar\),)f(using)h(the)g(second)0 1446 y(application)i(pool.)28 b(Methodology)17 b(and)j(presentation)e (are)j(as)f(described)f(for)h(Figure)f(5\2553.)0 1713 y(search)26 b(for)h(a)g(w)o(ord)f(in)h(a)g(lar)o(ge)f(\002le)i (\(grep\),)e(compute)f(a)j(checksum)d(man)o(y)h(times)h(o)o(v)o(er)e(a) j(small)f(set)h(of)e(\002les)i(\(cksum\),)f(solv)o(e)f(a)0 1812 y(tra)n(v)o(eling)e(salesman)h(problem)e(\(tsp\),)j(solv)o(e)f (iterati)n(v)o(ely)e(a)j(lar)o(ge)e(discrete)h(Laplace)f(equation)g 
(using)g(successi)n(v)o(e)h(o)o(v)o(errelaxation)0 1912 y(\(sor\),)i(count)f(w)o(ords)h(\(wc\),)g(compile)f(\(gcc\),)i (compress)d(\(gzip\),)i(and)g(uncompress)d(\(gunzip\).)47 b(F)o(or)27 b(this)g(e)o(xperiment,)f(we)h(chose)0 2012 y(applications)14 b(on)h(which)f(both)g(Xok/ExOS)g(and)h(FreeBSD)g(run) g(roughly)e(equi)n(v)n(alently)-5 b(.)25 b(Each)14 b(application)g (runs)g(for)h(at)g(least)h(se)n(v)o(eral)0 2111 y(seconds)f(and)f(is)j (run)d(in)i(a)f(separate)g(directory)f(from)g(the)h(others)g(\(to)g(a)n (v)n(oid)g(cooperati)n(v)o(e)e(b)n(uf)n(fer)h(cache)h(reuse\).)27 b(The)15 b(pseudo\255random)0 2211 y(number)j(generators)g(are)h (identical)g(and)g(start)h(with)g(the)f(same)h(seed,)f(thus)h (producing)c(identical)j(schedules.)29 b(The)19 b(applications)f(we)0 2311 y(chose)i(compete)f(for)g(the)i(CPU,)g(memory)-5 b(,)17 b(and)j(the)g(disk.)125 2410 y(Figure)d(5\2553)g(sho)n(ws)h(on)g (a)h(log)f(scale)g(the)g(results)h(for)e(\002v)o(e)h(dif)n(ferent)f(e)o (xperiments:)26 b(se)n(v)o(en)18 b(jobs)g(with)g(a)h(maximum)d (concurrenc)o(y)0 2510 y(of)21 b(one)g(job)g(through)e(35)i(jobs)g (with)h(a)g(maximum)d(concurrenc)o(y)f(of)k(\002v)o(e)f(jobs.)32 b(The)21 b(results)h(sho)n(w)f(that)h(an)f(e)o(xok)o(ernel)e(system)j (can)0 2609 y(achie)n(v)o(e)d(performance)e(roughly)h(comparable)g(to)j (UNIX,)f(despite)g(being)f(mostly)h(untuned)e(for)h(global)h (performance.)125 2709 y(W)m(ith)d(a)g(second)f(application)g(pool,)g (we)h(e)o(xamine)f(global)g(performance)e(when)i(specialized)h (applications)e(\(emulated)h(by)g(appli\255)0 2809 y(cations)i(that)h (bene\002t)f(from)f(C\255FFS')-5 b(s)20 b(performance)c(adv)n (antages\))g(compete)i(with)g(each)g(other)g(and)g(non\255specialized)e (applications.)0 2908 y(This)30 b(pool)e(includes)h(tsp)h(and)e(sor)i (from)e(abo)o(v)o(e,)i(unpack)e(archi)n(v)o(e)g(\(pax)g(\255r\))h(from) f(Section)i(5.2,)g(recursi)n(v)o(e)e(cop)o(y)h(\(cp)g(\255r\))g(from)0 3008 y(Section)21 b(5.2,)h(and)f(comparison)e(\(dif)n(f\))i(of)g(tw)o 
(o)h(identical)g(5)f(MB)i(\002les.)35 b(The)21 b(pax)g(and)h(cp)f (applications)g(represent)f(the)i(specialized)0 3108 y(applications.)125 3207 y(Figure)f(5\2554)g(sho)n(ws)h(on)g(a)h(log)e (scale)i(the)f(results)g(for)g(\002v)o(e)g(e)o(xperiments:)31 b(se)n(v)o(en)21 b(jobs)i(with)f(a)g(maximum)f(concurrenc)o(y)d(of)k (one)0 3307 y(job)17 b(through)f(35)h(jobs)h(with)f(a)i(maximum)c (concurrenc)o(y)g(of)i(5)h(jobs.)28 b(The)17 b(results)h(sho)n(w)g (that)f(global)g(performance)e(on)i(an)h(e)o(xok)o(ernel)0 3406 y(system)25 b(does)h(not)e(de)o(grade)g(e)n(v)o(en)g(when)h(some)g (applications)f(use)i(resources)e(aggressi)n(v)o(ely)-5 b(.)42 b(In)25 b(f)o(act,)i(the)e(relati)n(v)o(e)f(performance)0 3506 y(dif)n(ference)18 b(between)i(FreeBSD)g(and)g(Xok/ExOS)f (increases)h(with)g(job)g(concurrenc)o(y)-5 b(.)0 3719 y Fq(5.5.2)99 b(Discussion)0 3866 y Fp(The)14 b(central)f(challenge)g (in)h(an)g(e)o(xok)o(ernel)d(system)k(is)f(not)g Fk(enfor)m(cing)f Fp(a)h(global)f(system)h(polic)o(y)f(b)n(ut,)i(rather)m(,)f Fk(deriving)f Fp(the)h(information)0 3966 y(needed)f(to)g(decide)g (what)g(enforceme)o(nt)g(in)l(v)n(olv)n(es)g(and)f(do)o(ing)g(so)h(in)g (suc)o(h)g(a)g(w)o(ay)f(that)h(ap)o(plication)f(\003e)o(x)o(ibility)h (is)g(min)o(imally)g(cu)o(rtailed)o(.)0 4065 y(Since)i(an)g(e)o(xok)o (ernel)e(controls)h(resource)g(allocation)h(and)f(re)n(v)n(ocation,)g (it)i(has)g(the)f(po)n(wer)f(to)h(enforce)f(global)g(policies.)27 b(Quota\255based)0 4165 y(schemes,)18 b(for)g(instance,)g(can)g(be)g (tri)n(vially)f(enforced)f(using)i(only)f(allocation)g(denial)h(and)g (re)n(v)n(ocation.)26 b(F)o(ortunately)-5 b(,)16 b(the)j(crudeness)0 4265 y(of)24 b(successful)h(global)f(optimizations)f(allo)n(ws)i (global)f(schemes)g(to)h(be)g(readily)f(implemented)e(by)j(an)f(e)o (xok)o(ernel.)41 b(F)o(or)24 b(e)o(xample,)0 4364 y(Xok)c(currently)e (tracks)i(global)g(LR)m(U)g(information)e(that)i(applications)f(can)h (use)g(when)g(deallocating)f(resources.)125 4464 y(W)-7 b(e)27 
b(belie)n(v)o(e)e(that)h(an)g(e)o(xok)o(ernel)e(can)i(pro)o (vide)e(global)i(performance)d Fk(superior)j Fp(to)g(current)f (systems.)48 b(First,)28 b(ef)n(fecti)n(v)o(e)d(local)0 4564 y(optimization)19 b(can)i(mean)f(there)h(are)g(more)f(resources)g (for)g(the)h(entire)f(system.)32 b(Second,)20 b(an)h(e)o(xok)o(ernel)e (gi)n(v)o(es)h(application)f(writers)0 4663 y(machinery)27 b(to)h(orchestrate)g(inter)n(\255application)e(resource)h(management,)i (allo)n(wing)e(them)i(to)f(perform)f(domain\255speci\002c)f(global)0 4763 y(optimizations)31 b(not)g(possible)h(on)f(current)g(centralized)g (systems)h(\(e.g.,)i(the)e(UNIX)g(\223mak)o(e\224)f(program)f(could)h (be)h(modi\002ed)e(to)0 4862 y(orchestrate)23 b(the)h(complete)f(b)n (uild)g(process\).)40 b(Third,)24 b(an)g(e)o(xok)o(ernel)e(can)i(unify) f(the)h(man)o(y)e(space\255partitioned)g(caches)i(in)g(current)0 4962 y(systems)c(\(e.g.,)f(the)h(b)n(uf)n(fer)e(cache,)i(netw)o(ork)e (b)n(uf)n(fers,)h(etc.\).)29 b(F)o(ourth,)18 b(since)i(applications)f (can)g(kno)n(w)g(when)g(resources)g(are)h(scarce,)0 5062 y(the)o(y)i(can)h(mak)o(e)g(better)f(use)h(of)g(resources)f(when)g (layering)g(abstractions.)37 b(F)o(or)22 b(e)o(xample,)g(a)h(web)g (serv)o(er)f(that)h(caches)g(documents)0 5161 y(in)i(virtual)g(memory)e (could)h(stop)h(caching)f(documents)g(when)g(its)i(cache)f(does)g(not)f (\002t)i(in)g(main)e(memory)-5 b(.)42 b(Future)25 b(research)f(will)0 5261 y(pursue)19 b(these)h(issues.)1908 5589 y(55)p eop %%Page: 56 57 56 56 bop 0 83 a Fq(5.5.3)99 b(Summary)0 239 y Fp(Our)25 b(e)o(xperiments)e(sho)n(w)j(that)f(e)n(v)o(en)f(common,)h(unaltered)f (applications)g(can)h(bene\002t)g(on)g(e)o(xok)o(ernels,)f(simply)h(by) g(being)f(link)o(ed)0 338 y(against)32 b(an)g(optimized)f(library)h (operating)e(system.)66 b(Importantly)-5 b(,)33 b(libOS)f (optimizations)f(appear)h(just)h(as)g(ef)n(fecti)n(v)o(e)e(as)i(their)0 438 y(equi)n(v)n(alent)21 b(in\255k)o(ernel)g(implementation.)34 b(Aggressi)n(v)o(e)22 
b(applications)f(that)i(w)o(ant)f(to)h(manage)f (their)g(resources)g(sho)n(w)g(e)n(v)o(en)g(greater)0 538 y(impro)o(v)o(ements.)42 b(The)25 b(impro)o(v)o(ement)d(is)k (especially)f(dramatic)f(for)h(I/O\255centric)f(applications,)h(such)g (as)h(our)f(web)g(serv)o(er)m(,)g(which)0 637 y(runs)g(up)h(to)g(a)g(f) o(actor)g(of)f(8)h(f)o(aster)g(than)g(its)h(closest)f(equi)n(v)n (alent.)45 b(Finally)-5 b(,)27 b(the)f(po)n(wer)f(that)h(an)f(e)o(xok)o (ernel)f(gi)n(v)o(es)i(to)g(applications)0 737 y(does)18 b(not)f(lead)h(to)g(poor)e(global)h(performance.)26 b(In)17 b(f)o(act,)i(when)e(this)h(control)f(is)i(used)e(to)h(impro)o(v)o(e)e (application)g(speed,)i(an)g(e)o(xok)o(ernel)0 836 y(system)24 b(can)g(ha)n(v)o(e)g(dramatically)f(impro)o(v)o(ed)e(global)j (performance,)e(since)i(there)g(are)g(more)f(resources)h(to)g(go)g (around.)39 b(Based)25 b(on)0 936 y(these)20 b(e)o(xperiments,)e(the)j (e)o(xok)o(ernel)d(architecture)g(appears)i(to)g(be)g(a)h(promising)d (alternati)n(v)o(e)h(to)h(traditional)f(systems.)1908 5589 y(56)p eop %%Page: 57 58 57 57 bop 0 706 a Fj(Chapter)42 b(6)0 1121 y Fn(Re\003ections)52 b(on)g(Do)n(wnloading)g(Code)208 1553 y Fp(The)19 b(indi)n(vidual')-5 b(s)19 b(whole)h(e)o(xperience)e(is)j(b)n(uilt)f(upon)f(the)h(plan)g (of)g(his)h(language.)27 b(\227)21 b(Henri)f(Delacroix)125 1714 y(Extensibility)e(refers)g(roughly)f(to)j(ho)n(w)e(easily)i(a)f (system')-5 b(s)20 b(functionality)d(can)i(be)g(augmented.)27 b(A)20 b(strong)e(thread)g(in)h(computer)0 1813 y(science)25 b(has)f(been)g(de)n(v)o(eloping)e(techniques)i(to)g(enhance)g(e)o (xtensibility)-5 b(,)24 b(ranging)e(from)i(programming)d(methodologies) h(such)j(as)0 1913 y(structured)20 b(programming)f(to)j(assist)h (program)d(modi\002cation,)g(to)i(dynamic)e(linking)h(of)h(de)n(vice)f (dri)n(v)o(ers)f(to)i(add)f(ne)n(w)h(functions)e(to)0 2013 y(an)e(operating)e(system)j(k)o(ernel.)27 b(Using)18 b(language)f(to)h(b)n(uild)g(e)o(xtensible)f(systems)h(has)h(had)e(a)i (v)o(enerable)d(tradition:)27 
b(the)18 b(widely\255used)0 2112 y(te)o(xt)h(editor)f(emacs)i(has)f(done)f(so)i(since)f(its)h (inception)e([11)n(,)i(81)o(],)f(database)g(systems)g(e)o(xploit)f(it)i (to)g(enrich)e(queries)g(and)h(e)o(xtend)f(data)0 2212 y(types,)i(and)f(more)h(recently)f(web)h(bro)n(wsers)f(and)h(serv)o (ers)g(ha)n(v)o(e)f(used)h(it)h(to)f(e)o(xtend)f(their)h(base)h (functionality)-5 b(.)125 2312 y(A)19 b(v)n(ariety)e(of)i(operating)e (systems)i(ha)n(v)o(e)f(allo)n(wed)g(applications)f(to)i(do)n(wnload)e (untrusted)g(code)h(into)h(them)f(as)h(a)g(w)o(ay)g(to)g(e)o(xtend)0 2411 y(their)k(functionality)e([9)o(,)i(22)o(,)g(25)o(,)h(32)o(,)f(48)o (,)h(71)o(,)f(79)o(,)g(80)o(,)h(92)o(].)37 b(This)24 b(chapter)d(documents)h(e)o(xperiences)f(dra)o(wn)h(from)g(the)h(e)o (xok)o(ernel)0 2511 y(systems)c(described)f(in)h(this)g(thesis.)29 b(These)19 b(e)o(xperiences)e(co)o(v)o(er)g(a)i(period)e(of)i(four)e (years,)i(and)f(span)g(numerous)f(rethinkings)g(of)i(the)0 2610 y(role)h(of)g(do)n(wnloaded)d(code,)j(and,)f(as)i(well,)f(much)g (belated)f(realization)g(of)h(its)h(implications)f(and)f(misuses.)125 2710 y(The)i(ability)h(to)h(do)n(wnload)d(code)h(has)i(subtle)f (implications.)34 b(This)22 b(chapter')-5 b(s)21 b(central)h(contrib)n (ution)e(is)j(its)g(perspecti)n(v)o(e)e(on)h(the)0 2810 y(abilities)g(do)n(wnloaded)d(code)h(grants)h(and)g(remo)o(v)o(es,)f (as)i(well)g(as)h(its)f(concrete)e(e)o(xamples)h(of)g(ho)n(w)g(these)g (gained)f(and)h(lost)h(abilities)0 2909 y(matter)e(in)g(practice.)29 b(Some)20 b(speci\002c)g(insights)g(include:)104 3058 y(1.)41 b(\223In\002nite\224)19 b(e)o(xtensibility)g(requires)g(T)l (uring)g(completeness,)g(T)l(uring)g(completeness)g(gi)n(v)o(es)h (in\002nite)g(e)o(xtensibility)-5 b(.)208 3187 y(Solving)20 b(the)h(ne)o(gati)n(v)o(e)e(problem)g(of)i(e)o(xtensibility)f(requires) g(supporting)f(all)i(unanticipated)e(uses.)33 b(A)22 b(guaranteed)c(solution)208 3286 y(is)h(to)g(let)g(applications)e 
(inject)h(general\255purpose)d(code)j(into)g(the)h(system,)g(thereby)e (granting)f(them)i(the)h(ability)f(to)h(implement)208 3386 y(an)o(y)k(computable)e(polic)o(y)i(or)h(mechanism.)39 b(\(An)23 b(alternati)n(v)o(e)g(code)g(motion,)g(uploading)f(operating) g(system)i(code)f(into)h(the)208 3486 y(application,)18 b(pro)o(vides)g(the)j(same)f(guarantee.\))208 3614 y(Con)m(v)o(ersely) -5 b(,)18 b(an)j(interf)o(ace)f(stri)n(ving)g(for)g(in\002nite)h (generality)f(is)h(implicitly)g(attempting)e(to)i(pro)o(vide)e(T)l (uring)h(completeness.)208 3714 y(Explicitly)f(realizing)g(this)i(f)o (act)f(leads)h(to)f(the)g(ob)o(vious)f(solution)g(of)h(ha)n(ving)f (clients)h(pass)h(in)f(general\255purpose)d(code.)208 3842 y(The)i(follo)n(wing)g(point)g(pro)o(vides)g(an)h(e)o(xample:)104 4000 y(2.)41 b(Correct)26 b(applications)g(track)h(what)g(resources)f (the)o(y)g(ha)n(v)o(e)h(access)g(to,)i(rendering)c(the)i(operating)e (system')-5 b(s)28 b(bookk)o(eeping)208 4099 y(redundant.)69 b(Thus,)37 b(if)e(the)f(operating)e(system)j(can)f(reuse)g(the)h (application')-5 b(s)33 b(data)h(structures,)j(it)e(can)f(eliminate)g (this)208 4199 y(redundanc)o(y)-5 b(.)208 4328 y(T)e(o)18 b(ensure)g(that)g(the)h(operating)d(system)j(can)f(understand)e(these)j (structures)f(without)f(restricting)h(their)g(implementation,)e(we)208 4427 y(use)23 b(the)g(pre)n(vious)f(point:)35 b(clients)24 b(pro)o(vide)d(a)j(data)f(structure)g(interpreter)m(,)f(written)h(in)g (a)h(T)l(uring)e(complete)g(language,)g(that)208 4527 y(the)e(operating)e(system)i(uses)h(to)g(e)o(xtract)e(the)h(bookk)o (eeping)d(information)h(it)j(needs.)208 4655 y(T)-7 b(o)20 b(force)f(these)i(interpreters)d(to)j(be)f(correct,)f(we)h(use)h(the)f (follo)n(wing)f(technique:)104 4813 y(3.)41 b(Inducti)n(v)o(e)21 b(incremental)g(testing)j(pro)o(vides)d(a)j(practical)e(w)o(ay)i(to)f (v)o(erify)f(the)h(correctness)f(\(not)h(just)h(mere)e(safety\))h(of)g (deter)n(\255)208 4913 y(ministic)d(code.)28 b(W)-7 b(e)22 
b(call)e(functions)f(amenable)g(to)h(this)h(approach)d Fk(untrusted)i(deterministic)g(functions)f Fp(\(UDFs\).)208 5041 y(Using)f(UDFs,)h(operating)d(systems)j(can)f(a)n(v)n(oid)f (pre\255determining)e(implementation)h(tradeof)n(fs)h(by)g(lea)n(ving)h (implementation)208 5141 y(decisions)e(to)h(client)h(UDFs.)29 b(Our)16 b(most)i(interesting)e(use)h(of)g(UDFs,)h(v)o(erifying)d(the)i (resource)f(interpreters)g(described)f(abo)o(v)o(e,)208 5240 y(lets)k(untrusted)e(\002le)i(systems)g(track)g(what)f(disk)h (blocks)f(the)o(y)f(o)n(wn)h(without)g(the)h(operating)e(system)h (understanding)e(ho)n(w)-5 b(,)18 b(yet)208 5340 y(without)h(being)g (vulnerable)f(to)j(malice.)1908 5589 y(57)p eop %%Page: 58 59 58 58 bop 104 83 a Fp(4.)41 b(There)22 b(are)g(practical)h(nuances)e (between)h(using)h(code)f(or)g(data)h(to)g(orchestrate)f(actions)g (between)g(entities.)38 b(T)-7 b(w)o(o)23 b(e)o(xamples)208 183 y(follo)n(w)-5 b(.)208 314 y(Data)23 b(is)h(not)f(a)h(T)l(uring)e (machine:)35 b(compared)21 b(to)i(do)n(wnloaded)e(code,)i(data)g(is)i (transparent,)d(and)h(its)h(operations)e(\(read)g(and)208 414 y(write\))30 b(tri)n(vially)h(bounded)d(in)k(cost)f(and)f (guaranteed)f(to)j(terminate.)60 b(Code)31 b(is)h(not,)h(necessarily)-5 b(,)33 b(an)o(y)d(of)h(these)g(things.)208 514 y(Injecting)23 b(potentially)h(non\255terminating)e(black)i(box)o(es)g(into)h(an)g (operating)e(system)j(does)f(not)f(help)h(simplicity)-5 b(.)43 b(W)-7 b(e)26 b(only)208 613 y(use)20 b(do)n(wnloaded)d(code)j (in)g(a)h(fe)n(w)f(speci\002c)g(instances,)g(and)g(ha)n(v)o(e)g(remo)o (v)o(ed)d(it)k(more)f(than)f(once.)208 745 y(Code)24 b(requires)g(indirection.)41 b(Imposing)23 b(code)h(between)g(the)h (operating)d(system)j(and)f(its)i(data)f(forces)f(it)h(to)g(go)g (through)d(a)208 845 y(layer)c(of)g(potentially)f(non\255terminating)e (indirection.)27 b(F)o(or)18 b(e)o(xample,)f(since)i(our)e(disk)i (subsystem)f(relies)h(on)f(client)g(UDFs)h(to)208 944 
y(interpret)i(\002le)j(system)f(structures,)f(it)i(cannot)d(modify)g (them)i(directly)-5 b(,)22 b(b)n(ut)h(requires)e(assistance)j(for)e (operations)f(as)j(simple)208 1044 y(as)c(changing)f(one)g(disk)h (block)g(pointer)f(to)h(another)f(in)h(order)f(to)h(compact)f(the)i (disk.)104 1208 y(5.)41 b(The)19 b(main)h(bene\002t)g(of)g(do)n (wnloaded)d(code)j(is)h Fk(not)f Fp(e)o(x)o(ecution)e(speed,)h(b)n(ut)i (rather)e(trust)h(and)g(consequently)e(po)n(wer)-5 b(.)208 1340 y(While)32 b(we)g(started)g(with)g(the)g(vie)n(w)g(that)g(do)n (wnloading)d(code)i(w)o(as)h(useful)g(for)f(speed)h(\(e.g.,)h(to)f (eliminate)g(the)g(cost)g(of)208 1439 y(k)o(ernel/user)24 b(boundary)f(crossings\))i([25)o(])h(it)h(has)f(turned)e(out)i(to)g(be) g(f)o(ar)g(more)f(crucial)g(for)g(po)n(wer:)40 b(because)25 b(do)n(wnloaded)208 1539 y(code)19 b(can)h(be)g(controlled,)e(it)j(can) f(be)g(safely)g(granted)f(abilities)i(that)f(e)o(xternal,)f (unrestricted)f(application)h(code)h(cannot.)208 1670 y(F)o(or)g(e)o(xample,)g(since)i(do)n(wnloaded)c(\002le)k(system)g (UDFs)g(can)f(be)g(v)o(eri\002ed,)f(the)o(y)h(can)g(be)g(trusted)g(to)g (track)g(that)g(\002le)h(system')-5 b(s)208 1770 y(disk)20 b(blocks.)28 b(Ob)o(viously)-5 b(,)18 b(unrestricted)h(applications)g (cannot)g(similarly)h(be)g(trusted.)125 1932 y(The)j(chapter)h(is)h(or) o(ganized)c(as)k(follo)n(ws.)41 b(The)24 b(ne)o(xt)f(four)g(sections)i (discuss)f(dif)n(ferent)f(language\255based)e(subsystems,)k(which)0 2031 y(form)30 b(the)h(spine)g(for)g(our)f(e)o(xperiences)f(and)i (lessons:)52 b(DPF)31 b([31)o(],)j(our)c(pack)o(et)h(\002lter)g (engine;)36 b Fk(application)29 b(speci\002c)h(messa)o(g)o(e)0 2131 y(handler)o(s)21 b Fp(\()p Fg(ASH)p Fp(s\))h([25)o(,)g(92)o(,)g (93)o(],)g(a)g(netw)o(orking)e(system)i(which)f(in)m(v)n(ok)o(es)g(do)n (wnloaded)e(code)j(on)f(message)h(arri)n(v)n(al;)f(XN)i([48)n(],)g(the) 0 2231 y(disk)g(protection)f(subsystem)h(described)f(in)h(Chapter)g(4,) h(which)f(contains)g(our)f(most)i(interesting)e(use)i(of)f(do)n 
(wnloaded)e(code;)j(and)0 2330 y(\002nally)-5 b(,)21 b Fk(pr)l(otected)g(methods)p Fp(,)g(which)g(applications)f(use)h(to)h (enforce)e(in)m(v)n(ariants)g(on)h(shared)g(state.)34 b(Section)21 b(6.5)f(e)o(xplores)h(some)g(of)0 2430 y(the)h(slippery)f (implications)h(of)g(using)f(computational)f(b)n(uilding)h(blocks)h(in) g(lieu)g(of)g(passi)n(v)o(e)g(procedural)e(interf)o(aces.)34 b(Section)22 b(6.6)0 2530 y(links)e(our)g(e)o(xperiences)e(to)i(the)h (e)o(xistent)e(literature)h(on)g(e)o(xtensible)f(systems.)0 2776 y Fv(6.1)117 b(DPF:)28 b(dynamic)h(pack)o(et)e(\002lters)0 2961 y Fp(P)o(ack)o(et)c(\002lters)g(are)g(one)g(of)f(the)h(most)g (successful)g(e)o(xamples)f(of)g(do)n(wnloaded)f(code:)34 b(most)23 b(modern)e(operating)g(systems)j(pro)o(vide)0 3061 y(support)19 b(for)i(them.)30 b(This)21 b(section)g(discusses)g (our)f(pack)o(et)h(\002lter)g(system,)g(DPF)h(\(\223dynamic)c(pack)o (et)j(\002lters\224\))g([25)n(,)g(31)o(],)g(which)g(w)o(as)0 3160 y(brie\003y)27 b(discussed)h(in)h(Chapter)e(3.)53 b(DPF)29 b(uses)g(a)f(combination)e(of)i(language)e(and)i(compilation)e (techniques)h(to)h(get)g(speed)g(and)0 3260 y(protection.)f(W)-7 b(e)19 b(focus)f(on)g(what)g(abilities)h(do)n(wnloading)d(code)h (granted,)g(along)h(with)g(some)h(lessons,)f(including)f(our)h (in\255hindsight)0 3360 y(nai)n(v)o(e)h(mistak)o(es)i(applying)d (dynamic)h(compilation)f(to)j(pack)o(et)e(\002lters.)0 3571 y Fq(6.1.1)99 b(Language)26 b(design)0 3719 y Fp(The)e(main)h (challenge)e(in)i(DPF)g(is)h(ef)n(fecti)n(v)o(e)d(detection)g(of)i (\002lter)g(o)o(v)o(erlap:)36 b(i.e.,)26 b(kno)n(wing)c(when)i(tw)o(o)h (\002lters)h(are)e(comparing)f(the)0 3818 y(same)f(message)f(of)n (fsets)g(to)g(the)h(same)f(v)n(alues.)33 b(Protection)20 b(requires)g(this)i(feature,)f(since)g(otherwise)g(an)g(application)f (could)g(easily)0 3918 y(steal)g(another')-5 b(s)18 b(messages.)29 b(Additionally)-5 b(,)18 b(o)o(v)o(erlap)f(detection)h(aids)i(ef)n (\002cienc)o(y)-5 b(,)17 
b(since)j(it)g(enables)f(mer)o(ging)e(of)i(o)o (v)o(erlapping)d(\002lter)0 4018 y(se)o(gments)h([6,)h(95)o(].)29 b(Such)17 b(mer)o(ging)f(is)j(crucial)f(for)f(scalability)-5 b(.)28 b(T)-7 b(ypical)18 b(systems)h(ha)n(v)o(e)e(man)o(y)g(\002lters) i(simultaneously)d(acti)n(v)o(e,)i(one)0 4117 y(for)i(each)f(netw)o (ork)g(connection.)125 4217 y(W)-7 b(e)21 b(made)e(the)h(DPF)h (language)e(declarati)n(v)o(e,)f(unlik)o(e)h(pre)n(vious)g(pack)o(et)g (\002lter)i(languages)d([65)o(,)i(64)o(,)h(95)o(].)29 b(A)21 b(lo)n(wer)n(\255le)n(v)o(el)d(imper)n(\255)0 4317 y(ati)n(v)o(e)h(language)f(arti\002cially)i(complicates)f(o)o(v)o (erlap)e(detection)i(due)g(to)h(the)g(presence)e(of)i(operationally)d (dif)n(ferent)h(yet)i(functionally)0 4416 y(equi)n(v)n(alent)e (instruction)h(sequences.)29 b(A)20 b(declarati)n(v)o(e)f(language)g (allo)n(wed)g(us)i(to)f(a)n(v)n(oid)g(puzzling)f(out)g(such)h(artif)o (acts.)3486 4386 y Fi(1)125 4516 y Fp(A)g(declarati)n(v)o(e)f(language) g(also)i(assists)h(a)f(sophisticated)e(optimizer)m(,)g(since)i(it)g (mak)o(es)f(programmer)d(intent)j(clearer)-5 b(.)30 b(The)20 b(small)0 4615 y(simplicity)e(of)g(the)g(DPF)i(language)c(\(e.g.,)i (the)g(lack)g(of)g(loops,)g(aliasing,)h(v)n(ariables\))e(made)h (constructing)e(a)j(sophisticated)e(in\255k)o(ernel)0 4715 y(compiler)29 b(tractable.)58 b(Gi)n(v)o(en)29 b(more)g(primiti)n (v)o(e)g(compilation)f(technology)-5 b(,)29 b(an)h(imperati)n(v)o(e)e (language)g(w)o(ould)i(ha)n(v)o(e)f(been)g(more)0 4815 y(appropriate,)20 b(since)j(it)g(w)o(ould)f(allo)n(w)g(a)h(cle)n(v)o (er)e(programmer)e(to)k(implement)e(optimizations)g(the)h(compiler)g(w) o(ould)f(not)h(otherwise)0 4914 y(do.)125 5014 y(DPF)17 b(uses)g(dynamic)d(compilation)h(to)h(compile)g(\002lters,)h(which)f (mak)o(es)g(such)g(semantic)g(incorporation)d(easy)-5 b(.)28 b(Its)17 b(optimizations)0 5114 y(include)23 b(encoding)g (\002lter)i(constants)f(in)h(the)f(instruction)f(stream)i(rather)e 
(than)h(being)g(loaded)f(from)h(a)h(data)f(structure,)h(coalescing)p 0 5183 1560 4 v 90 5238 a Fh(1)120 5261 y Fg(Independently)d(of)d(our)h (w)o(ork,)f(the)h(P)-6 b(A)f(THFINDER)18 b(pack)o(et)j(\002lter)f (language)i(w)o(as)d(also)h(designed)h(declarati)n(v)o(ely)l(,)j (though)c(here)g(this)g(form)e(made)i(it)g(easier)g(to)0 5340 y(put)d(into)h(hardw)o(are)h([6)q(].)1908 5589 y Fp(58)p eop %%Page: 59 60 59 59 bop 0 83 a Fp(comparisons)29 b(of)i(adjacent)f(message)g(v)n (alues,)j(estimating)d(alignment)g(of)g(message)h(loads)g(to)g (eliminate)f(the)h(pessimal)g(use)g(of)0 183 y(unaligned)18 b(memory)h(loads)h(and,)f(\002nally)-5 b(,)19 b(eliminating)g(bounds)g (checks.)125 282 y(The)d(most)h(unusual)f(optimization)g(DPF)h(does)g (is)h Fk(hash)f(table)f(compilation)p Fp(.)27 b(When)17 b(\002lters)g(compare)f(the)h(same)g(message)g(of)n(fset)0 382 y(to)j(the)f(same)h(v)n(alue)f(we)h(mer)o(ge)e(them.)29 b(Ho)n(we)n(v)o(er)m(,)17 b(when)i(the)o(y)g(compare)f(to)i(dif)n (ferent)e(v)n(alues)h(we)h(create)g(a)g(hash)f(table)h(holding)e(the)0 482 y(constant)25 b(each)g(\002lter)h(compares)e(to.)45 b(DPF)26 b(uses)g(dynamic)e(code)h(generation)f(to)h(compile)g(this)h (hash)f(table)g(to)h(e)o(x)o(ecutable)d(code.)0 581 y(F)o(or)e(e)o (xample,)g(if)h(the)g(hash)f(table)h(has)g(no)g(collisions,)g(the)f (lookup)f(can)i(elide)g(collision)f(checks.)34 b(If)21 b(there)h(are)f(a)i(small)f(number)e(of)0 681 y(k)o(e)o(ys)h(\(say)g(8) g(or)f(less\))i(it)g(instead)e(generates)h(a)g(specialized)f(binary)g (search)h(that)g(hard)f(codes)g(each)h(k)o(e)o(y)f(as)i(an)f(immediate) f(v)n(alue)g(in)0 780 y(the)g(instruction)f(stream.)29 b(Otherwise)20 b(it)h(creates)f(a)g(jump)g(table.)29 b(Additionally)-5 b(,)18 b(since)i(the)g(number)e(and)i(v)n(alue)f(of)h (k)o(e)o(ys)g(are)g(kno)n(wn)0 880 y(at)25 b(runtime,)e(DPF)i(can)f (select)h(among)e(se)n(v)o(eral)g(hash)h(functions)f(to)h(obtain)f(the) h(best)h(distrib)n(ution,)e(and)h(then)g(encode)e(the)i(chosen)0 980 y(function)18 
b(in)j(the)f(instruction)f(stream.)0 1192 y Fq(6.1.2)99 b(Do)o(wnloaded)25 b(code)h(pr)n(o)o(vides)f(po)o (wer)0 1340 y Fp(Because)g(do)n(wnloaded)e(code)i(can)g(be)g (controlled,)f(it)i(can)f(be)g(safely)g(granted)f(abilities)i(that)f(e) o(xternal,)g(unrestricted)f(application)0 1439 y(code)c(cannot.)125 1539 y(Because)j(pack)o(et)g(\002lters)i(can)e(be)g(restricted)h(\(to)f (terminate)g(quickly)-5 b(,)22 b(and)h(to)h(not)f(o)o(v)o(erlap\))e (the)o(y)i(can)h(be)f(trusted)g(to)h(correctly)0 1639 y(claim)17 b(incoming)f(pack)o(ets.)28 b(The)17 b(alternati)n(v)o(e,)f (asking)h(applications)f(if)i(the)o(y)e(w)o(ant)i(a)f(particular)g (pack)o(et,)g(is)h(clearly)f(untenable)e(since)0 1738 y(there)21 b(is)i(nothing)d(pre)n(v)o(enting)f(an)j(application)e(from) h(claiming)g(all)h(pack)o(ets.)34 b(The)21 b(each)h(of)f(the)h (remaining)e(three)i(subsystems)f(we)0 1838 y(describe)e(illustrate)i (this)f(point.)125 1938 y Fo(T)-8 b(o)14 b(r)o(estrict)g(code,)h(do)o (wnload)f(it.)27 b Fp(In)14 b(general,)g(code)f(on)h(the)g(other)g (side)g(of)g(a)g(trust)h(boundary)c(cannot)i(be)h(pre)n(v)o(ented)e (from)h(doing)0 2037 y(arbitrary)19 b(computations,)g(nor)h(from)g (communicating.)28 b(Embedding)18 b(do)n(wnloaded)g(code)i(in)h(a)g (trusted)f(e)o(x)o(ecution)f(conte)o(xt)g(allo)n(ws)0 2137 y(the)j(host)f(to)h(completely)e(control)h(the)h(code,)f(pre)n(v)o (enting)e(actions)i(otherwise)g(impossible)g(to)h(restrict.)34 b(DPF)22 b(o)o(v)o(erlap)e(detection)h(is)0 2236 y(one)14 b(e)o(xample)g(of)h(restricting)f(computation.)25 b(Another)14 b(is)i(letting)e(\002lters)i(see)g(pack)o(ets)e(the)o(y)h(do)f(not)h(o) n(wn,)g(since)g(the)g(the)o(y)g(cannot)f(leak)0 2336 y(pack)o(et)20 b(contents)f(to)h(their)g(associated)g(applications.)28 b(An)20 b(e)o(xample)f(outside)h(the)g(conte)o(xt)f(of)h(this)g (chapter)f(is)i(Myers')f(information)0 2436 y(\003o)n(w)j(control)e(w)o (ork)i([66)n(],)h(which)e(uses)h(a)h(trusted)e(compiler)g(and)g 
(runtime)f(en)m(vironment)f(to)j(pre)n(v)o(ent)e(applications)h(from)g (leaking)0 2535 y(sensiti)n(v)o(e)e(information.)0 2748 y Fq(6.1.3)99 b(Some)25 b(lessons)0 2895 y Fo(The)f(cost)g(of)f (extensibility)-6 b(.)39 b Fp(Compared)22 b(to)i(\223hard\255wired\224) d(systems,)j(e)o(xtensibility)f(can)g(add)g(noticeable)f(comple)o(xity) -5 b(.)37 b(A)24 b(static)0 2995 y(pack)o(et)d(demultiple)o(x)o(er)f (is)j(roughly)c(an)j(order)f(of)h(magnitude)e(smaller)i(than)g(DPF')-5 b(s)23 b(three)e(thousand)g(lines)h(of)g(code.)34 b(It)22 b(is)h(simpler)0 3095 y(as)d(well,)g(consisting)f(of)h(a)g(sequence)e (of)i(conditions)e(and)h(a)h(hash)g(table)f(implementation.)27 b(The)19 b(bene\002ts)h(of)f(enabled)g(functionality)0 3194 y(can)h(mak)o(e)g(introduction)d(of)j(this)h(layer)f(of)g (indirection)e(w)o(orthwhile,)h(b)n(ut)h(the)o(y)g(rarely)f(come)h (without)f(cost.)125 3294 y Fo(Code)k(is)h(data,)g(b)n(ut)g(data)f(is)h (not)g(code.)39 b Fp(In)23 b(a)h(theoretical)e(sense,)j(all)f(code)f (is)h(data.)39 b(Ho)n(we)n(v)o(er)m(,)22 b(in)i(a)f(practical)g(sense,) i(some)0 3394 y(code)20 b(is)i(more)e(data)h(than)g(others.)31 b(Data)21 b(changes)f(frequently)-5 b(,)19 b(code)h(does)h(not.)31 b(As)22 b(a)f(result,)g(it)h(is)g(signi\002cantly)e(more)g(dif)n (\002cult)g(to)0 3493 y(dynamically)d(compile)i(data)g(than)g(code.)29 b(Data')-5 b(s)20 b(rate)f(of)g(change)f(typically)h(requires)f(that)i (the)f(implementor)f(use)i(self\255modifying)0 3593 y(code)g(and,)f(w)o (orse,)h(understand)e(ho)n(w)i(to)g(mak)o(e)g(it)h(f)o(ast)f(on)g (modern)f(architectures)f(that)j(penalize)e(the)h(operations)f(it)i (needs.)125 3692 y(While)29 b(a)h(single)f(pack)o(et)f(\002lter)i(code) e(fragment)g(is)i(constant)e(during)g(its)i(life)f(in)h(the)f(k)o (ernel,)h(the)f(trie)h(created)e(by)h(mer)o(ging)0 3792 y(\002lters)21 b(changes)d(incessantly)-5 b(,)19 b(potentially)g(on)g (each)h(insertion.)28 b(In)19 b(a)i(sense,)f(by)f(mer)o(ging)f (\002lters)i(we)h(ha)n(v)o(e)e(transmuted)f(them)i(from)0 3892 
y(code)f(\(changing)e(rarely\))h(to)h(data)g(\(changing)e (frequently\).)27 b(Our)19 b(\002rst)h(real)f(implementation)e(of)i (DPF)h(missed)g(the)f(implications)g(of)0 3991 y(this)24 b(transformation.)35 b(W)-7 b(e)24 b(nai)n(v)o(ely)d(treated)i(the)g (trie)g(as)h(slo)n(wly)f(changing)e(code)h(in)h(that)g(we)h (potentially)d(re)o(generated)g(the)i(entire)0 4091 y(structure)d(on)g (insertion)g(of)g(a)h(ne)n(w)g(\002lter)g([31)n(].)31 b(This)21 b(re)o(generation)d(did)i(not)h(scale)g(at)g(all)g(with)g (lar)o(ge)f(number)f(of)h(branches)f(\(which)0 4191 y(correspond)e(to)i (protocols\))f(in)i(the)f(trie.)29 b(A)20 b(second)f(implementation)e (made)i(\002lter)h(insertion)e(cheaper)g(by)i(incrementally)d(patching) 0 4290 y(the)27 b(pre)n(viously)e(generated)g(code.)49 b(Conceptually)-5 b(,)27 b(this)g(change)f(w)o(as)i(simple:)43 b(instead)27 b(of)f(representing)f(each)i(\002lter)g(operation)0 4390 y(of)c(\223load)f(message)h(v)n(alue)g(and)g(compare\224)e(as)j(a) f(basic)h(block,)e(it)i(became)f(a)g(code)g(fragment)e(link)o(ed)i(to)g (the)g(ne)o(xt)f(fragment)g(by)h(an)0 4489 y(indirect)c(jump.)28 b(This)19 b(design)g(isolated)g(the)g(ef)n(fects)g(of)g(adding)f(a)i (ne)n(w)f(\002lter)h(to)f(patching)f(the)i(jumps)e(threading)g(the)h (code)g(together)0 4589 y(using)h(either)f(self\255modifying)f(code)h (or)m(,)h(on)f(machines)h(where)f(instruction)g(cache)h(\003ushing)f (is)i(e)o(xpensi)n(v)o(e,)d(indirect)i(jumps.)125 4689 y(Which)13 b(this)g(modi\002cation)g(is)g(conceptually)g(tri)n(vial,)d (it)j(con\003icts)g(with)g(modern)g(architecture)g(trends.)23 b(RISC)13 b(processors)g(require)0 4788 y(programmers)22 b(manually)i(implement)g(instruction)g(and)h(data)g(cache)g(coherence)e (via)i(e)o(xplicit)g(cache)g(\003ushes.)44 b(In)25 b(conditions)f(of)0 4888 y(frequent)c(insertion)h(\(e.g.,)f(once)h(e)n(v)o(ery)g(six)h (message)f(matches\))g(this)h(operation)e(adds)h(signi\002cant)h(o)o(v) o(erhead,)d(both)h(in)i(the)g(cost)g(of)0 4988 y(the)d(\003ush)g 
(itself,)g(and)g(in)g(the)g(opportunity)d(cost)j(of)f(subsequent)g (cache)g(misses.)2360 4957 y Fi(2)2422 4988 y Fp(There)h(are)f(w)o(ays) i(to)f(mitigate)f(this)h(cost,)g(b)n(ut)g(the)o(y)0 5087 y(complicate)25 b(the)i(code)f(generator)-5 b(.)47 b(\(F)o(or)26 b(e)o(xample,)g(generating)f(code)h(into)g(memory)f(guaranteed)f(to)j (not)f(be)h(in)f(the)h(instruction)p 0 5158 1560 4 v 90 5214 a Fh(2)120 5237 y Fg(F)o(or)22 b(all)h(the)g(dra)o(wbacks)h(of) e(its)h(instruction)i(set,)f(the)f(x86)f(f)o(amily)i(of)e(machines)i (mak)o(es)f(self\255modifying)i(code)e(simple,)h(since)f(the)h(pre)n(v) n(alence)i(in)c(running)0 5316 y(applications)f(requires)d(that)g(it)g (w)o(ork,)f(and)g(not)h(cost)g(outrageously)l(.)1908 5589 y Fp(59)p eop %%Page: 60 61 60 60 bop 0 83 a Fp(cache.\))42 b(Another)23 b(problem,)h(banal)h(b)n (ut)f(real,)i(is)g(that)f(threading)d(requires)i(that)h(pointers)f(be)h (loaded)e(as)j(immediates,)f(which)f(on)0 183 y(64\255bit)19 b(machines)g(can)h(be)h(e)o(xpensi)n(v)o(e.)27 b(Again,)19 b(\002x)o(es)h(are)g(not)g(intellectually)f(deep,)h(b)n(ut)g(can)g (require)f(tedious)g(bookk)o(eeping.)125 282 y(In)i(contrast,)g (dynamically)f(compiling)g(code)h(is)i(much)e(simpler)-5 b(.)34 b(The)21 b(code)g(changes)g(infrequently)-5 b(,)19 b(if)j(e)n(v)o(er)m(,)f(and)g(tends)h(to)g(be)0 382 y(used)j(man)o(y)f (times)h(before)f(being)g(discarded.)42 b(As)26 b(a)f(result,)h (compilation)d(is)j(a)g(\223one)e(of)n(f)5 b(\224)24 b(af)n(f)o(air)g(and)g(its)i(cost)g(easily)f(recouped.)0 482 y(While)30 b(current)f(dynamic)g(compilation)f(techniques)g(w)o (orks)i(reasonably)e(well)j(for)e(compiling)f(languages,)j(the)o(y)e (must)h(mature)0 581 y(further)19 b(before)f(the)o(y)i(can)g(be)g (readily)f(used)h(to)h(compile)e(data)h(structures.)0 828 y Fv(6.2)117 b(A)m(pplication\255speci\002c)26 b(message)j (handlers)0 1014 y Fp(This)17 b(section)g(describes)g(lessons)g (learned)f(in)h(the)h(conte)o(xt)d(of)i(the)g Fg(ASH)h 
Fp(netw)o(orking)d(subsystem.)h([25)o(,)h(92)o(,)h(93)o(].)28 b Fg(ASH)p Fp(s)18 b(\(application\255)0 1113 y(speci\002c)25 b(message)f(handlers\))f(are)h(application)f(code)h(do)n(wnloaded)e (into)i(the)h(operating)d(system,)k(made)e(safe)g(using)g(a)h(v)n (ariant)f(of)0 1213 y(softw)o(are)c(f)o(ault)g(isolation)g([89)n(],)g (and)g(in)m(v)n(ok)o(ed)f(upon)f(message)i(arri)n(v)n(al.)125 1313 y(An)34 b(e)o(xok)o(ernel)e(attempts)j(to)f(place)h(most)f(pri)n (vile)o(ged)f(operating)f(system)j(code)f(in)g(the)h(more)f(for)o(gi)n (ving)d(and)j(inno)o(v)n(ati)n(v)o(e)0 1412 y(en)m(vironment)22 b(of)j(untrusted)f(softw)o(are.)44 b(F)o(or)25 b(e)o(xample,)g(it)h (uses)f(DPF)i(to)e(enable)f(library\255based)f(netw)o(orking.)43 b(In)25 b(a)g(sense,)i Fg(ASH)p Fp(s)0 1512 y(allo)n(w)15 b(the)g(re)n(v)o(erse)f(mo)o(v)o(ement)e(in)k(that)f(the)o(y)f(allo)n (w)h(applications)f(to)h(e)o(xchange)e(a)i(more)f(general)g(en)m (vironment,)f(where)h(the)o(y)h(can)f(run)0 1611 y(unrestricted)h(in)h (time)g(and)f(in)i(operation,)d(for)i(a)g(more)f(restricti)n(v)o(e)h (en)m(vironment)d(that)j(grants)f(tw)o(o)h(speci\002c)h(abilities:)28 b(tight)15 b(coupling)0 1711 y(to)21 b(clock)f(and)g(netw)o(ork)g(e)n (v)o(ents,)g(and)g(a)h(w)o(ay)g(incorporate)e(application)g(semantics)i (into)f(OS)i(actions.)30 b(These)21 b(tw)o(o)g(abilities)g(enable)0 1811 y(libOSes)28 b(to)g(ef)n(\002ciently)f(handle)f(incoming)g (messages.)52 b(T)m(ight)27 b(coupling)f(to)i(interrupts)f(allo)n(ws)g (lo)n(w\255latenc)o(y)f(message)i(replies.)0 1910 y(Control)d(o)o(v)o (er)f(o)o(v)o(er)h(message)g(placement)g(eliminates)g(intermediate)f(b) n(uf)n(fering)g(and)h(its)i(associated)e(copies.)46 b(The)25 b(challenge)f(in)0 2010 y(this)d(motion)e(comes)h(from)f(forcing)f Fg(ASH)p Fp(s)j(to)g(remain)e(unpri)n(vile)o(ged)e(\(otherwise)i (dynamic)g(linking)g(w)o(ould)g(suf)n(\002ce\).)125 2110 y(This)h(section)g(focuses)g(on)f(these)i(tw)o(o)f Fg(ASH)h Fp(abilities)f(and)g(then)g(closes)g(with)h(e)o(xperiences,)d 
(including)g(some)i(mistak)o(es.)0 2322 y Fq(6.2.1)99 b(Pulling)24 b(application)h(semantics)g(into)g(e)o(v)o(ent)h(handling) 0 2470 y Fg(ASH)p Fp(s)d(are)g(cheap)e(to)i(in)m(v)n(ok)o(e)e(\(a)i(fe) n(w)f(tens)h(of)f(instructions\),)g(and)g(their)g(runtime)g(bounded.)33 b(Thus,)23 b(the)o(y)e(can)i(be)f(run)g(in)h(situations)0 2569 y(where)h(hea)n(vy\255weight)e(application)g(scheduling)h(is)i (unacceptable.)39 b Fg(ASH)p Fp(s)25 b(thus)f(represent)f(a)i(w)o(ay)f (for)g(applications)f(to)h(decouple)0 2669 y(actions)31 b(from)g(their)g(o)n(wn)g(e)o(x)o(ecution.)61 b(Frequently)-5 b(,)33 b(decoupling)c(happens)h(in)i(order)e(to)i(tightly)f(couple)f (the)i(e)o(xtension)e(to)i(an)0 2769 y(e)n(v)o(ent)20 b(which)h(cannot)f(tolerate)h(the)g(o)o(v)o(erhead)d(of)j(conte)o(xt)f (switching)h(to)g(an)g(application.)31 b(By)21 b(decoupling)e Fg(ASH)p Fp(s)j(the)o(y)e(can)h(be)g(run)0 2868 y(whene)n(v)o(er)15 b(a)j(message)f(arri)n(v)o(es,)g(unlik)o(e)g(applications.)27 b(An)18 b(more)e(v)o(enerable)g(e)o(xample)g(is)i(the)f(monitoring)e (system)j(of)f(Deutsch)g(and)0 2968 y(Grant)j([22)n(],)h(which)e(allo)n (ws)i(code)e(fragments)g(to)h(log)g(v)n(arious)f(k)o(ernel)h(e)n(v)o (ents.)125 3067 y(More)c(generally)-5 b(,)16 b(the)h(decoupled)e (nature)h(of)h Fg(ASH)p Fp(s)h(allo)n(w)f(them)g(to)g(be)g(in)m(v)n(ok) o(ed)e Fk(r)m(eactively)p Fp(,)j(when)e(e)n(v)o(ents)h(happen,)f (rather)g(than)0 3167 y(when)24 b(an)h(application)f(e)o(x)o(ecutes.)42 b(This)25 b(f)o(act)g(forms)g(the)g(basis)g(of)g(a)g(common)e(pattern:) 39 b(reacti)n(v)o(e)24 b(incorporation)d(of)k(application)0 3267 y(kno)n(wle)o(ge)18 b(into)i(e)n(v)o(ent)f(handling.)125 3366 y(Applications)13 b(ha)n(v)o(e)g(information)f(th)o(at)h(OSes)g (ca)o(n)g(u)o(se)g(to)f(mak)n(e)h(b)o(etter)g(d)o(ecision)o(s.)22 b(Unfortunately)-5 b(,)10 b(e)o(xtracting)j(this)g(information)0 3466 y(can)k(be)g(dif)n(\002cult.)28 b(Ev)o(ents)16 b(must)h(be)g (serviced)g(frequently)e(and)h(quickly)-5 b(.)27 b(Application)16 
b(conte)o(xt\255switching)e(is)k(relati)n(v)o(ely)e(costly)h(and)0 3566 y(their)23 b(runtime)g(dif)n(\002cult)g(to)g(bound)f(at)i(a)g (\002ne\255granularity)-5 b(.)36 b(Ho)n(we)n(v)o(er)m(,)22 b(by)h(decoupling)e(code)i(that)g(can)h(mak)o(e)f(this)h(decision)f (from)0 3665 y(the)e(application,)e(it)i(can)f(be)h(tamed)f(and)g(run)g (reacti)n(v)o(ely)-5 b(.)28 b(Both)21 b(DPF)g(\002lters)h(and)e Fg(ASH)p Fp(s)h(\002t)g(this)g(pattern.)30 b(Other)20 b(e)o(xamples)g(include)0 3765 y(the)h(page)f(replacement)f(e)o (xtensions)h(of)g(Cao)h(et)g(al.)-6 b(')21 b([13)o(],)g(and)f(the)h (messaging)f(systems)h(of)f(Edw)o(ards)g(et)i(al.)f([24)n(])g(and)g (Fiuczynski)0 3864 y(and)f(Bershad)f([32)o(].)125 3964 y(One)27 b(w)o(ay)h(to)g(vie)n(w)g(the)f(bene\002t)h(of)f(this)i (pattern)e(is)h(that)g(decisions)f(pro\002t)h(from)e(more)h (information:)43 b(the)28 b(ability)f(to)h(mak)o(e)0 4064 y(reacti)n(v)o(e)20 b(rather)h(than)g Fk(a)g(priori)h Fp(decisions)f(in)h(a)f(dynamic)f(en)m(vironment)f(lik)o(e)i(netw)o (orking)e(can)j(be)f(quite)g(useful.)32 b(Another)20 b(w)o(ay)i(is)0 4163 y(that)k(that)f(e)n(v)o(ent)g(handling)f(is)i (best)g(done)f(at)h(occurrence,)f(if)g(for)g(no)h(other)e(reason)h (than)h(it)g(remo)o(v)o(es)e(the)h(o)o(v)o(erhead)e(of)j(b)n(uf)n (fering)0 4263 y(and)20 b(reduces)g(latenc)o(y)-5 b(.)29 b(A)21 b(\002nal)g(w)o(ay)g(is)h(that,)e(in)h(general,)f(the)g(more)g (semantics)h(that)g(are)f(kno)n(wn,)f(the)i(f)o(aster)g(an)f(operation) f(can)i(be)0 4363 y(performed,)c(in)k(part)e(because)h(it)h(can)f(be)g (specialized)g(\(made)f(more)g(appropriate\))f(based)i(on)f(semantic)h (constraints.)125 4462 y(F)o(or)j(e)o(xample,)f(inspired)h(by)g(the)g (observ)n(ations)e(of)j(Clark)f(and)g(T)-6 b(ennenhouse)21 b([18)n(],)j Fg(ASH)p Fp(s)h(can)e(inte)o(grate)f(operations)g(such)h (as)0 4562 y(checksumming,)d(byte)i(sw)o(apping,)g(or)h(encryption)d (into)j(the)f(cop)o(y)g(from)g(netw)o(ork)f(b)n(uf)n(fer)g(to)i (application)e(space.)37 b(The)22 b Fg(ASH)h Fp(cop)o(y)0 4661 
y(engine)j(allo)n(ws)g Fg(ASH)p Fp(s)i(to)f(pro)o(vide)d(a)j(code) f(snippet,)i(which)e(it)h(inte)o(grates)f(into)g(a)h(specialized)f(cop) o(y)g(loop)g(using)g(dynamic)f(code)0 4761 y(generation.)i(This)21 b(f)o(acility)f(allo)n(ws)g Fg(ASH)p Fp(s)h(to)f(eliminate)g(duplicate) f(data)h(touching)f(steps.)125 4861 y(Unlik)o(e)k(pack)o(et)g (\002lters,)h(this)g Fg(ASH)g Fp(ability)f(is)i(entirely)d(moti)n(v)n (ated)g(by)h(speed,)h(not)f(po)n(wer)-5 b(.)39 b(The)23 b(reason)f(for)h(this)h(dif)n(ference)e(is)0 4960 y(that)c(the)g(data)g (cop)o(y)f(loop)g(does)h(not)f(in)m(v)n(olv)o(e)g(protection)f(\227)i (since)h(all)f(operations)f(are)g(done)g(on)h(the)g Fg(ASH)p Fp(')-5 b(s)19 b(data)e(\227)i(and,)f(therefore,)0 5060 y(need)g(not)g(be)g(restricted)g(in)h(an)o(y)f(w)o(ay)-5 b(.)28 b(P)o(ack)o(et)18 b(\002lters,)h(on)g(the)f(other)g(hand,)f (allo)n(w)i(untrusted)e(code)h(to)g(compute)f(protection\255critical)0 5160 y(functions,)i(making)f(restrictions)i(essential.)1908 5589 y(60)p eop %%Page: 61 62 61 61 bop 125 83 a Fp(T)-7 b(o)25 b(summarize:)40 b(\(1\))25 b(tamed)g(code)g(can)g(be)h(made)f(lightweight)f(and,)j(thus,)f(it)h (can)e(be)h(run)f(in)g(situations)h(where)f(application)0 183 y(scheduling)20 b(is)i(infeasible,)f(and)g(\(2\))g(this)h (decoupling)e(allo)n(ws)h(application)f(semantics)i(to)g(be)f(reacti)n (v)o(ely)f(incorporated)f(into)i(e)n(v)o(ent)0 282 y(processing.)0 495 y Fq(6.2.2)99 b(Discussion)0 642 y Fo(Sour)o(ce)26 b(le)o(v)o(el)g(v)o(ersus)h(object)e(code)h(le)o(v)o(el)g(sandboxing)o (.)47 b Fp(Softw)o(are)25 b(f)o(ault)i(isolation)e(\(SFI\))h(can)g(be)g (done)g(either)f(at)i(the)f(source)0 742 y(or)e(at)g(the)g(object)g (code)f(le)n(v)o(el)g([59)o(,)h(89)o(].)41 b Fg(ASH)p Fp(s)25 b(were)e(b)n(uilt)i(using)e(object)g(code)h(SFI,)g(which)f(has) i(the)f(theoretical)e(adv)n(antage)g(that)0 842 y(it)k(w)o(orks)f (across)g(languages)e(and)i(compilers,)g(and)g(with)g(pre\255compiled)d (code.)43 b(In)25 b(retrospect,)g(a)h(source)e(le)n(v)o(el)h 
(implementation)0 941 y(w)o(ould)f(ha)n(v)o(e)h(been)f(better)-5 b(.)44 b(Object\255le)n(v)o(el)24 b(modi\002cation)f(is)j(dif)n (\002cult)f(and)f(e)o(xtremely)g(non\255portable,)e(ob)o(viously)h(v)n (arying)h(across)0 1041 y(dif)n(ferent)17 b(architectures)h(and)g (object)g(code)g(formats.)28 b(Ev)o(en)18 b(w)o(orse,)h(it)g(also)g(v)n (aries)g(across)g(dif)n(ferent)e(compiler)g(releases)i(due)g(to)g(the)0 1141 y(practice)h(of)h(commercial)f(v)o(endors)f(of)i(deliberately)f (changing)f(object)h(code)h(formats)f(in)h(undocumented)d(w)o(ays)j(in) g(order)f(to)i(sti\003e)0 1240 y(third\255party)c(competitors)h([59)n (].)125 1340 y(Source\255le)n(v)o(el)31 b(SFI,)k(because)e(it)i(is)g (tightly)e(inte)o(grated)f(within)i(a)g(compiler)m(,)i(is)f(much)e (simpler)h(to)g(de)n(v)o(elop.)68 b(It)35 b(requires)0 1439 y(the)e(addition)f(of)h(modest,)j(mostly)c(portable)g(operations)g (done)g(at)h(the)h(le)n(v)o(el)e(of)h(a)h(compiler')-5 b(s)32 b(intermediate)g(representation.)0 1539 y(A)j(secondary)e (bene\002t)i(of)f(inte)o(gration)f(is)j(that)f(SFI)g(operations)f(are)g (optimized)g(by)g(the)h(host)g(compiler)m(,)i(unlik)o(e)d(object)g(SFI) 0 1639 y(implementations.)54 b(In)29 b(contrast,)h(object)f(SFI)h (constantly)e(must)h(\002ght)g(against)f(the)i(f)o(act)f(that)g(it)h (has)f(lost)h(much)e(lost)i(semantic)0 1738 y(information.)e(F)o(or)21 b(e)o(xample,)e(object)h(code)g(modi\002cation)f(requires)g(that)i (compiler)n(\255generated)c(jump)j(tables)h(be)g(relocated,)e(which)0 1838 y(can)h(be)g(challenging,)e(since)i(simply)g(\002nding)f(these)i (tables)f(is)h(dif)n(\002cult,)f(typically)f(requiring)f(compiler)n (\255speci\002c)h(heuristics.)125 1938 y(An)27 b(ob)o(vious)e(disadv)n (antage)g(of)i(using)f(source\255le)n(v)o(el)f(SFI)j(is)g(that)f(it)h (is)g(speci\002c)f(to)g(one)g(compiler)f(back)g(end)h(and)f(whate)n(v)o (er)0 2037 y(languages)16 b(its)j(front)d(end\(s\))h(consume.)27 b(In)18 b(theory)-5 b(,)16 b(this)i(is)h(important.)26 b(In)18 
b(practice,)f(operating)f(system)i(softw)o(are)f(is)h(written)g (in)g(the)0 2137 y(C)23 b(programming)c(language.)35 b(On)22 b(those)g(rare)g(systems)h(where)f(other)g(languages)f(are)h (used,)h(special)f(support)f(w)o(ould)h(be)g(required)0 2236 y(e)n(v)o(en)f(with)i(object)f(code)f(SFI,)i(since)f(these)h (languages)e(typically)g(use)i(a)g(runtime)e(system,)i(which)e(must)i (be)f(adapted)f(to)i(run)e(in)i(an)0 2336 y(operating)18 b(system')-5 b(s)21 b(restricti)n(v)o(e)f(conte)o(xt.)125 2436 y(A)e(more)f(serious)h(problem)e(is)j(that)g(a)f(source)f(SFI)i (system)f(typically)f(increases)h(the)g(size)h(of)f(the)g(trusted)f (computing)f(base)i(more)0 2535 y(than)23 b(object)g(code)f(SFI)i (system)g(does.)38 b(A)24 b(specious)f(counter)f(to)h(this)h(problem)d (is)k(the)e(belief)g(that)g(if)h(the)f(trusted)g(compiler)f(is)j(the)0 2635 y(same)d(as)g(that)g(used)f(to)h(compile)e(the)i(operating)e (system,)h(then)g(the)h(trusted)f(computing)e(base)j(has)g(not)f (really)g(increased)g(since)h(the)0 2735 y(correctness)e(of)h(that)g (compiler)e(must)i(already)f(be)h(trusted.)31 b(Ho)n(we)n(v)o(er)m(,)19 b(there)h(is)i(a)g(lar)o(ge)e(dif)n(ference)f(between)h(compiling)f(a)i (k)o(ernel)0 2834 y(correctly)f(and)h(resisting)h(the)f(malice)g(of)h (cle)n(v)o(er)e(hack)o(ers)h(trying)f(to)i(\002nd)f(a)h(hole)f(in)h (10\255100K)d(lines)j(of)f(compiler)m(,)f(assembler)m(,)h(and)0 2934 y(dynamic)e(link)o(er)g(code.)125 3033 y(The)f(lack)h(of)g(a)h (widely)e(a)n(v)n(ailable)h(object)f(code)h(SFI)g(system)h(forced)d(us) j(to)f(\223roll)g(our)f(o)n(wn.)-6 b(\224)28 b(Realistically)-5 b(,)20 b(the)f(reliability)f(of)h(a)0 3133 y(trusted)h(compiler)f(is)i (most)f(lik)o(ely)g(better)g(than)g(a)g(object)g(code)f(SFI)i(module)e (we)h(ha)n(v)o(e)g(implemented)e(ourselv)o(es.)125 3233 y Fo(W)-5 b(e)24 b(no)g(longer)f(use)i Fg(ASH)p Fo(s.)42 b Fp(In)23 b(theory)-5 b(,)23 b(coupling)g(pack)o(et)g(arri)n(v)n(al)g (to)h(application)f(semantics)h(is)h(pro\002table.)39 b(Separate)24 b(from)0 3332 
y(our)16 b(w)o(ork,)h(Edw)o(ards)g(et)h (al.)f([24)o(])g(pro)o(vide)f(a)h(w)o(ay)h(use)f(simple)g (application\255pro)o(vided)c(scripts)k(to)h(direct)e(message)h (placement)g(while)0 3432 y(Fiuczynski)i(and)g(Bershad)h([32)n(])g(pro) o(vide)e(a)i(fully)g(general)e(messaging)h(system.)29 b(Ho)n(we)n(v)o(er)m(,)18 b(practical)h(technology)f(tradeof)n(fs)g(ha) n(v)o(e)0 3532 y(made)23 b(us)h(eliminate)f Fg(ASH)p Fp(s.)40 b(The)23 b(three)g(main)g(bene\002ts)g(of)h Fg(ASH)p Fp(s)g(are)f(\(1\))g(elimination)f(of)i(k)o(ernel)e (crossings,)i(\(2\))f(inte)o(grated)f(data)0 3631 y(cop)o(ying,)k(and)g (\(3\))g(f)o(ast)h(upcalls)f(to)g(unscheduled)e(processes,)k(thereby)d (reducing)f(processing)h(latenc)o(y)h(\(e.g.,)h(of)f(send\255response)0 3731 y(style)f(netw)o(ork)f(messages\).)42 b(On)25 b(current)e (generation)g(chips,)i(ho)n(we)n(v)o(er)m(,)e(the)i(latenc)o(y)e(of)i (I/O)g(de)n(vices)f(is)h(lar)o(ge)f(compared)f(to)i(the)0 3830 y(o)o(v)o(erhead)16 b(of)j(k)o(ernel)g(crossings,)f(making)g(the)h (\002rst)h(bene\002t)f(ne)o(gligible.)27 b(The)19 b(second)f(does)h (not)g(require)f(do)n(wnloading)e(code,)i(only)0 3930 y(an)j(upcall)f(mechanism)f([19)o(].)30 b(In)21 b(practice,)f(it)h(is)h (the)e(latter)h(ability)f(that)h(gi)n(v)o(es)f(speed.)30 b(Finally)-5 b(,)20 b(the)h(presence)f(of)g(DMA)h(hardw)o(are)0 4030 y(mak)o(es)d(the)g(data)g(inte)o(gration)e Fg(ASH)p Fp(s)j(pro)o(vide)d(irrele)n(v)n(ant,)g(since)j(there)e(is)i(no)f(w)o (ay)g(to)g(add)f(user)h(e)o(xtensions)f(to)h(the)g(hardw)o(are')-5 b(s)17 b(brute)0 4129 y(cop)o(y)-5 b(.)0 4376 y Fv(6.3)117 b(XN:)28 b(ef\002cient)f(disk)i(multiplexing)208 4562 y Fp(Language)18 b(shapes)i(the)g(w)o(ay)g(we)h(think,)e(and)h (determines)f(what)h(we)g(can)g(think)g(about.)28 b(\227)21 b(B.)g(L.)f(Whorf)125 4744 y(This)d(section)h(e)o(xplores)e(language)g (issues)i(in)g(the)f(e)o(xok)o(ernel')-5 b(s)16 b(disk)h(multiple)o (xing)f(system,)i(XN,)g(our)e(most)i(\223language)e(hea)n(vy\224)0 4844 y(subsystem,)29 
b(which)e(contains)f(our)h(most)g(interesting)g (use)h(of)f(do)n(wnloaded)e(code.)50 b(W)-7 b(e)29 b(\002rst)f(discuss) g(ho)n(w)f(to)g(use)h(UDFs)g(to)g(let)0 4944 y(untrusted)18 b(\002le)h(systems)h(track)e(what)h(disk)g(blocks)f(the)o(y)h(o)n(wn,)f (hopefully)f(in)i(enough)e(detail)i(that)g(other)f(practitioners)g(can) h(see)g(ho)n(w)0 5043 y(to)h(use)h(UDFs)g(in)f(their)g(domain.)28 b(W)-7 b(e)21 b(then)f(present)g(a)g(series)h(of)f(insights)g(that)g (ha)n(v)o(e)g(arisen)g(in)g(XN)h(and)e(close)i(with)f(lessons.)1908 5589 y(61)p eop %%Page: 62 63 62 62 bop 0 83 a Fq(6.3.1)99 b(Language)26 b(Ev)o(olution)0 230 y Fp(As)d(discussed)f(in)g(Chapter)f(4,)i(the)f(languages)f(we)h (use)g(to)g(describe)g(client)g(meta)g(data)g(ha)n(v)o(e)f(gone)g(from) g(through)f(four)h(iterations,)0 330 y(becoming)27 b(increasingly)h (general,)j(lo)n(wer)n(\255le)n(v)o(el,)f(and)f(abstract.)57 b(W)-7 b(e)30 b(went)g(from)e(an)i(approach)d(that)i(did)h(not)f(use)g (a)h(language)0 430 y(at)25 b(all)g(to)g(one)f(with)h(an)g(e)o(xpressi) n(v)o(e)e(declarati)n(v)o(e)g(description)g(language)g(\(which)h (reading)f(\002le)i(system)g(literature)f(sho)n(wed)g(as)h(not)0 529 y(e)o(xpressi)n(v)o(e)15 b(enough\))f(to)i(our)f(quasi\255T)l (uring)f(complete)1623 499 y Fi(3)1673 529 y Fp(One)j(vie)n(w)f(of)g (the)g(abo)o(v)o(e)e(e)n(v)n(olution)h(is)i(as)g(a)g(struggle)e(to)i (de\002ne)e(a)i(uni)n(v)o(ersal)0 629 y(data)h(layout)f(language.)27 b(A)18 b(uni)n(v)o(ersal)f(language)f(for)h(most)h(domains)f(requires)g (T)l(uring)g(completeness.)27 b(Once)18 b(this)g(f)o(act)h(is)f (realized,)0 729 y(it)i(becomes)d(ob)o(vious)g(that)i(one)g(needs)f(to) h(pro)o(vide)e(general\255purpose)e(computational)i(primiti)n(v)o(es.) 
27 b(Unfortunately)-5 b(,)16 b(we)j(only)f(made)0 828 y(this)j(connection)d(in)i(hindsight)f(after)h(se)n(v)o(eral)f(years)h (of)g(struggles)g(with)g(disk)g(multiple)o(xing.)0 1041 y Fq(6.3.2)99 b(Insights)0 1188 y Fo(In\002nite)19 b(generality)e(r)o (equir)o(es)g(T)-8 b(uring)20 b(completeness.)28 b Fp(A)19 b(designer)e(attempting)f(to)j(b)n(uild)e(an)h(in\002nitely)g(\(or)f(e) n(v)o(en)g(v)o(ery)g(general\))0 1288 y(interf)o(ace)e(or)g(component)f (set)i(is)h(implicitly)e(stri)n(ving)g(for)h(T)l(uring)e(completeness.) 27 b(Explicit)15 b(articulation)g(of)g(this)i(f)o(act)f(mak)o(es)f(it)i (clear)0 1388 y(a)26 b(solution)e(is)i(to)f(allo)n(w)g(clients)h(to)f (customize)f(policies)h(and)g(interf)o(ace)f(implementations)f(using)i (a)g(T)l(uring)f(complete)g(language)0 1487 y(rather)19 b(than,)h(say)-5 b(,)20 b(a)g(\223jumble)f(of)h(procedure)e(\003ags.)-6 b(\224)125 1587 y(The)18 b(author)f(belatedly)g(had)h(this)h(insight)f (after)g(struggling)f(with)h(the)h(problem)d(of)i(ho)n(w)g(to)h (de\002ne)f(a)g(completely)f(general)h(set)h(of)0 1686 y(meta)j(data)g(b)n(uilding)f(blocks)g(and,)h(in)h(f)o(act,)f(only)f (months)h(after)g(coming)e(up)i(with)g(the)g(solution)g(\(UDFs\))g(did) g Fk(why)g Fp(the)o(y)g(solv)o(e)g(the)0 1786 y(problem)c(become)h (clear)-5 b(.)125 1886 y Fo(T)d(uring)23 b(completeness)g(guarantees)e (in\002nite)j(extensibility)-6 b(.)35 b Fp(\223Solving\224)22 b(e)o(xtensibility)f(requires)g(sho)n(wing)h(that)g(an)o(y)g(unan\255)0 1985 y(ticipated)d(use)h(of)f(a)h(system)g(can)f(be)h(implemented.)27 b(Pro)o(ving)18 b(a)i(ne)o(gati)n(v)o(e)d(property)h(is)i(hard.)28 b(A)20 b(k)o(e)o(y)f(realization)g(of)g(this)h(chapter)f(is)0 2085 y(that,)h(when)g(appropriate,)d(T)l(uring)i(completeness)h(pro)o (vides)e(a)j(w)o(ay)f(to)h(guarantee)d(that)i(the)h(e)o(xtensibility)e (problem)f(is)j(solv)o(ed.)29 b(F)o(or)0 2185 y(e)o(xample,)17 b(the)i(f)o(act)g(that)g(UDFs)g(are)g(\(roughly\))d(T)l(uring)h 
(complete)h(guarantees)f(that)i(that)g(the)o(y)f(can)g(describe)g(an)o (y)g(computable)f(data)0 2284 y(layout,)i(anticipated)g(or)h(not.)125 2384 y Fo(T)-6 b(ransmuting)21 b(the)h(imperati)o(v)o(e)f(to)g(the)h (declarati)o(v)o(e.)32 b Fp(System)21 b(implemented)f(functionality)f (is)k(imperati)n(v)o(e.)31 b(It)22 b(determines)0 2483 y(ho)n(w)j(to)h(resolv)o(e)e(tradeof)n(fs)g(in)i(interf)o(ace)e (construction:)38 b(i.e.,)27 b(whether)d(to)i(optimize)e(for)h(latenc)o (y)-5 b(,)25 b(throughput,)f(or)h(space.)45 b(Such)0 2583 y(predetermination)17 b(can)i(cause)h(problems)e(when)h(man)o(y)g (tradeof)n(fs)f(e)o(xist.)30 b(Do)n(wnloaded)17 b(code)i(can)h(be)g (used)f(by)g(a)i(system)f(designer)0 2683 y(to)g(defer)g(such)f (tradeof)n(fs)g(to)i(clients.)29 b(By)21 b(allo)n(wing)e(client)h(code) g(to)g(implement)f(functions,)f(the)i(system)h(b)n(uilder)e(can)h (switch)h(from)0 2782 y(an)i(imperati)n(v)o(ely)f(deciding)g(ho)n(w)g (to)i(implement)e(this)i(function,)e(to)i(declarati)n(v)o(e)e(testing)h (that)h(client)f(code)g(did)g(so)h(correctly)-5 b(.)37 b(F)o(or)0 2882 y(e)o(xample,)17 b(rather)h(than)h(imperati)n(v)o(ely)d (deciding)i(ho)n(w)g(to)h(represent)f(meta)g(data)h(XN)g(declarati)n(v) o(ely)e(tests)j(that)f(a)g(UDF)g(produces)f(the)0 2982 y(correct)f(output.)27 b(This)19 b(approach)d(has)i(been)g(noticeably)e (easier)j(than)e(the)i(pre)n(vious)d(struggle)i(to)g(construct)f(a)i (uni)n(v)o(ersal)d(data)i(layout)0 3081 y(language.)125 3181 y(The)k(cost)g(of)h(this)g(approach)d(is)j(that)g(testing)f(can)h (be)f(more)g(comple)o(x)f(than)h(implementing)e(the)i(functionality)f (\(it)i(can)f(also)h(be)0 3280 y(simpler\))17 b(and)g(more)g(e)o (xpensi)n(v)o(e,)f(though)g(this)j(can)e(be)h(a)g(net)g(win)g(if)g(the) g(algorithm)e(is)j(not)e(on)g(the)h(critical)g(path)f(or)h(grants)f (suf)n(\002cient)0 3380 y(po)n(wer)i(or)h(speed.)125 3480 y Fo(Code)30 b(enables)g(semantic)h(compr)o(ession.)58 b Fp(Data)31 b(representation)d(is)j(important.)57 b(In)30 
b(a)h(sense,)h(UDFs)f(can)f(be)g(vie)n(wed)g(as)0 3579 y(semantics\255e)o(xploiting)23 b(meta)j(data)g(compressors.)45 b(One)26 b(could,)g(after)f(all,)j(de\002ne)d(a)i(space\255inef)n (\002cient)d(and)h(in\003e)o(xible)g(b)n(ut)h(fully)0 3679 y(general)14 b(meta)i(data)f(layout.)27 b(Ho)n(we)n(v)o(er)m(,)14 b(UDFs)i(allo)n(w)f(representation)f(to)h(be)h(more)e(succinct.)27 b(F)o(or)15 b(e)o(xample,)g(much)g(of)g(the)g(meaning)0 3779 y(of)23 b(a)g(libFS')-5 b(s)25 b(meta)e(data)g(is)h(encode)e(in)h (its)h(code,)f(eliminating)f(the)h(need)g(to)g(duplicate)f(this)i (information)c(in)k(the)f(meta)g(data)g(itself)0 3878 y(\(e.g.,)h(a)h(libFS)f(\223just)h(kno)n(ws\224)e(that)h(certain)g (types)g(of)g(block)f(pointers)g(point)h(to)g(four)f(contigous)g (blocks)g(rather)g(than)h(one\).)40 b(As)25 b(a)0 3978 y(more)c(sophisticated)g(e)o(xample,)f(consider)h(an)h(algebraic)e (relation)h(between)g(blocks)g(such)h(as)g(a)g(\002le)h(system)f(that)f (allocates)h(blocks)0 4077 y(at)f(the)f(be)o(ginning)d(of)j(e)n(v)o (ery)f(c)o(ylinder)f(group.)28 b(While)20 b(a)h(prede\002ned)d(data)i (structure)f(w)o(ould)g(ha)n(v)o(e)h(to)g(list)h(e)n(v)o(ery)e(block,)g (a)h(UDF)h(can)0 4177 y(encode)e(this)i(kno)n(wledge)d(in)i(a)h (function)d(that)i(reads)g(the)g(base)h(block)e(from)g(a)i(instance)f (of)f(meta)i(data)f(and)f(constructs)h(its)h(set:)377 4410 y Fl(pr)o(oc)i(owns\(meta\))546 4509 y(base)g(=)e (meta\343\345base)p 1144 4509 22 4 v 28 w(block;)546 4609 y(set)i(=)e(\340\341;)546 4708 y(for)i(i)e(=)g(0)g(to)h(number)p 1136 4708 V 27 w(of)p 1225 4708 V 26 w(partitions)716 4808 y(set)g(=)g(set)g(U)f(\340)h(i)f Ff(\003)f Fl(blocks)p 1401 4808 V 27 w(in)p 1483 4808 V 25 w(cylinder)p 1742 4808 V 27 w(gr)o(oup)j(+)e(base)i(\341;)546 4908 y(r)o(eturn)h(set;)p 0 4971 1560 4 v 90 5026 a Fh(3)120 5049 y Fg(While)16 b(the)h(language)i(used)d(to)g(write)h(UDFs)f(is)g(more\255or)o (\255less)g(T)m(uring)h(complete,)h(their)f(e)o(x)o(ecution)i(en)m 
(vironment)g(is)d(restricted)i(\(since)g(UDFs)d(cannot)i(run)g(\223too) 0 5128 y(long\224\))22 b(as)e(are)h(UDFs)e(\(since)j(the)o(y)f(must)f (be)h(practical)j(to)c(v)o(erify\).)35 b(Similar)22 b(restrictions)h (will)e(hold)g(for)g(an)o(y)f(code)i(do)n(wnloaded)h(into)e(the)g(k)o (ernel,)i(since)e(it)g(must)0 5207 y(be)h(pre)n(v)o(ented)j(from)d(at)h (least)g(corrupting)h(k)o(ernel)g(data)g(structures.)41 b(F)o(or)21 b(linguistic)k(we)e(will)g(still)g(refer)g(to)f(such)h(e)o (xtensions)h(as)e(T)m(uring)g(complete)i(despite)g(this)0 5286 y(restricted)c(e)o(x)o(ecution)g(en)m(vironment.)1908 5589 y Fp(62)p eop %%Page: 63 64 63 63 bop 125 249 a Fo(UDFs)27 b(can)g(mak)o(e)h(code)f(transpar)o (ent.)49 b Fp(A)28 b(strength)e(of)h(do)n(wnloaded)d(code)j(is)h(that)f (it)h(can)f(compute)f(its)i(results)g(ho)n(we)n(v)o(er)0 349 y(it)f(wishes,)h(in)f(w)o(ays)f(the)g(underlying)e(system)i(did)g (not)g(anticipate.)47 b(Ho)n(we)n(v)o(er)m(,)26 b(mysterious)f(result)h (computation)e(can)i(also)h(be)f(a)0 448 y(liability:)33 b(users)21 b(of)h(the)g(code)f(may)g(w)o(ant)h(to)g(kno)n(w)e(when)i (it)g(computes)f(a)h(certain)f(output.)33 b(F)o(or)21 b(e)o(xample,)f(consider)h(a)h(library)f(\002le)0 548 y(system)j(function,)f Fl(access)p Fp(,)k(that)d(gi)n(v)o(en)e(a)i (principal)f(and)g(inode,)g(indicates)h(whether)f(that)h(principal)e (is)j(allo)n(wed)e(to)h(use)g(the)g(inode)0 648 y(\()p Fl(access\(inode,)c(pid\))d Ff(!)g Fl(bool)p Fp(\).)28 b(Gi)n(v)o(en)16 b(this)i(function,)d(it)i(is)h(not)e(ob)o(vious)f (what)i(v)n(alues)f(of)h Fl(pid)g Fp(will)h(cause)e(it)i(to)f(return)e (true)i(for)f(a)h(piece)0 747 y(of)g(meta)f(data.)28 b(Thus,)17 b(an)g(application)e(creating)h(a)h(\002le)h(controlled)d (using)h Fl(access)j Fp(cannot)d(determine)g(if)h(there)f(e)o(xists)h (a)g(special)g(\223back)0 847 y(door\224)i(v)n(alue)g(of)h Fl(pid)g Fp(that)g(w)o(ould)f(gi)n(v)o(e)h(others)f(access)i(to)f(its)h (\002les.)30 b(UDFs)21 b(can)e(eliminate)h(this)g(problem.)28 b(First,)20 
b(we)h(transform)d(this)0 946 y(function)h(into)i(one)f (that)i(gi)n(v)o(en)d(an)i(inode)f(produces)f(the)i(set)h(of)f (principles)f(allo)n(wed)g(to)h(use)h(it)f(\()p Fl(access\(inode\))j Ff(!)c(f)g Fl(set)i(of)f(principles)0 1046 y Ff(g)e Fp(\).)31 b(\(In)20 b(a)h(sense,)g(we)f(transform)f Fl(access)24 b Fp(into)c(a)h(function)e(that)h(returns)g(the)g(set)i(of)e(v)n(alues) g(for)g(which)g(the)h(original)e Fl(access)k Fp(returned)0 1146 y(true.\))31 b(Second,)20 b(we)h(ensure)f(that)h Fl(access)j Fp(is)e(deterministic.)31 b(No)n(w)-5 b(,)20 b(at)i(each)e(modi\002cation)g(of)g(an)h(inode)f(we)h(can)g(use)g (online)g(testing)0 1245 y(to)f(ensure)g(that)g(the)g(set)h(of)f (principles)f(associated)h(with)h(it)g(gro)n(ws)e(or)h(shrinks)g(e)o (xactly)f(as)i(it)g(should.)125 1345 y Fo(Pr)o(ogram)c(v)o (eri\002cation)h(enables)i(\223nestable\224)e(extensibility)-6 b(.)29 b Fp(Because)20 b(XN)f(v)o(eri\002es)g(the)h(correctness)e(of)h (reference)e(counts,)0 1445 y(pointers,)38 b(and)e(meta)f(data)h (interpreters,)i(it)e(allo)n(ws)g(untrusted)e(implementors)g(to)i(e)o (xtend)e(an)i(e)o(xisting)f(\002le)h(system)g(without)0 1544 y(compromising)18 b(its)k(inte)o(grity)-5 b(.)30 b(Thus,)20 b(it)i(is)g(possible)e(to)h(add)g(an)g(entirely)f(ne)n(w)g (directory)f(type)i(to)g(a)g(\002le)h(system)f(and)f(ha)n(v)o(e)h(it)g (point)0 1644 y(to)26 b(old)g(types,)i(perform)c(access)j(control)d(on) i(them,)h(etc.)48 b(without)25 b(the)i(e)o(xisting)e(implementation)f (open)h(to)i(malice.)47 b(W)-7 b(e)27 b(do)f(not)0 1743 y(kno)n(w)19 b(of)h(an)o(y)f(other)h(w)o(ay)g(to)g(achie)n(v)o(e)f (this)i(same)f(result.)0 1956 y Fq(6.3.3)99 b(Lessons)0 2104 y Fo(Pr)o(o)o(vide)25 b(r)o(easonable)g(defaults.)46 b Fp(UDFs)27 b(are)f(written)g(in)g(a)h(pseudo\255assembly)c(language.) 
45 b(A)27 b(simple)f(virtual)f(machine)g(can)h(be)0 2203 y(both)g(easy)i(to)f(implement)f(\(ours)h(took)f(roughly)f(a)j(day\))f (and)f(small)i(\(ours)f(w)o(as)h(a)f(fe)n(w)h(hundred)d(lines)i(of)g (code\).)50 b(The)27 b(cost,)i(of)0 2303 y(course,)17 b(is)h(the)g(unpleasantness)e(of)h(writing)g(assembly\255le)n(v)o(el)e (code.)28 b(F)o(ortunately)-5 b(,)15 b(for)i(limited)g(domains,)g(such) g(as)h(pack)o(et)f(\002lters)h(or)0 2402 y(meta)h(data)g(interpreters,) e(this)j(dra)o(wback)c(can)j(be)g(eliminated)f(by)g(hiding)g(such)h (code)f(behind)f(higher)n(\255le)n(v)o(el)g(procedural)f(interf)o (aces,)0 2502 y(which)k(clients)g(use)h(instead.)125 2602 y(Unfortunately)-5 b(,)13 b(we)k(repeatedly)d(ne)o(glected)h(to)h (construct)f(good)g(def)o(ault)h(libraries)f(after)h(b)n(uilding)f(the) h(base)g(e)o(xtensible)g(system.)0 2701 y(As)d(a)g(result,)h(clients)f (typically)g(wrote)g(their)g(code)g(in)g(ter)o(ms)g(of)f(ra)n(w)h (\(alb)o(eit)g(po)o(rtab)o(le\))g(assemb)o(ly)g(lan)o(gu)o(age,)8 b(leading)13 b(to)g(impenetrable)0 2801 y(code)18 b(scattered)h (throughout)c(programs.)27 b(This)19 b(c)o(ycle)f(w)o(as)i (self\255reinforcing:)26 b(ne)n(w)18 b(programmers)e(that)j(w)o(anted)g (to)g(use)g(the)f(system)0 2901 y(w)o(ould)k(look)f(at)i(e)o(xisting)e (clients,)i(typically)f(not)g(understand)e(what)i(the)o(y)g(did,)g(and) f(so)i(cut\255and\255paste)d(the)i(original)g(code)f(with)i(ad)0 3000 y(hoc)d(modi\002cations.)125 3100 y(The)28 b(observ)n(ation)f (that)i(an)g(e)o(xtensible)f(system)h(must)g(pro)o(vide)e(good)g(def)o (ault)i(libraries)f(is)i(neither)e(deep)g(nor)g(unique)g([11)o(].)0 3199 y(Nonetheless)20 b(it)g(w)o(as)i(frequently)17 b(violated:)29 b(we)21 b(did)e(so)i(with)f(pack)o(et)g(\002lters,)h(then)e(with)i(w)o (ak)o(e)f(up)g(predicates,)f(then)h(with)g(UDFs.)125 3299 y Fo(Lo)o(w\255le)o(v)o(el)k(type)h(systems)g(ar)o(e)g(useful.)44 b Fp(From)25 b(one)f(perspecti)n(v)o(e)f(XN)j(can)f(be)g(vie)n(wed)f (as)i(a)f(dynamic)f(type)g(system)h(placed)0 3399 
y(belo)n(w)e(a)g (\002le)h(system)g(to)f(catch)g(errors.)38 b(It)24 b(serv)o(ed)e(this)i (role)f(well,)h(catching)e(se)n(v)o(eral)h(errors)f(in)i(the)f (C\255FFS)h(\002le)g(system)g(that)f(had)0 3498 y(escaped)d(the)g (notice)f(of)h(an)h(e)o(xperienced)c(implementor)-5 b(.)28 b(In)20 b(this)g(sense,)h(XN)f(has)h(bene\002ts)f(similar)g(to)h(a)f (lo)n(w\255le)n(v)o(el)f(typing)g(system)0 3598 y(such)25 b(as)i(the)e(T)m(il)h(assembly)f(language)f(de)n(v)o(eloped)f(to)j (catch)f(lo)n(w\255le)n(v)o(el)f(compiler)h(b)n(ugs)g([85)o(].)45 b(One)25 b(possible)h(use)f(of)h(e)o(xok)o(ernel)0 3698 y(technology)18 b(is)j(to)f(place)g(them)g(belo)n(w)g(e)o(xistent)f (operating)g(systems)h(as)h(ef)n(\002cient)f(runtime)f(type)h(check)o (ers.)125 3797 y Fo(F)n(ast)26 b(languages)f(ar)o(e)h(unnecessary)-6 b(.)49 b Fp(Writing)26 b(do)n(wnloaded)e(code)i(using)g(an)h(ef)n (\002cient)f(language)f(does)h(not)g(hurt.)48 b(But,)28 b(at)0 3897 y(least)d(in)g(the)f(conte)o(xt)f(of)h(an)h(e)o(xok)o (ernel,)e(it)i(does)f(not)g(seem)h(to)f(help)g(o)o(v)o(erly)f(much)g (either)-5 b(.)42 b(UDFs,)26 b(for)e(e)o(xample,)g(are)g(written)g(in)0 3996 y(an)f(interpreted)e(assembly)i(code)f(and)g(w)o(ak)o(eup)g (predicates)g(ha)n(v)o(e)h(numerous)e(e)o(xcess)i(manual)e(address)i (translations.)37 b(The)22 b(reason)0 4096 y(for)f(this)h(is)h(that)f (code)f(used)g(for)h(protection)e(is)i(usually)f(of)n(f)g(the)h (critical)g(path,)f(while)h(non\255protection)c(code)j(can)h(be)g (placed)f(in)h(the)0 4196 y(application)d(itself)i(at)f(\(perhaps\))e (the)j(cost)f(of)g(an)g(e)o(xtra)g(system)g(call.)0 4443 y Fv(6.4)117 b(Pr)n(otected)26 b(Methods)0 4628 y Fp(This)19 b(section)g(brie\003y)f(discusses)h(our)f(most)h(recent)f(use)h(of)g (do)n(wnloaded)d(code,)i Fk(pr)l(otected)g(methods)p Fp(.)28 b(Similar)19 b(to)g([9)o(],)g(we)g(pro)o(vides)0 4728 y(them)g(as)h(an)g(e)o(xtensible)e(means)h(for)g(applications)f (to)i(implement)e(safe)h(decentralized)f(sharing)g(of)i(state)g(in)f (those)h(cases)g(where)f(the)0 
4828 y(k)o(ernel')-5 b(s)17 b(lo)n(w\255le)n(v)o(el)g(access)h(control)e(is)j(insuf)n(\002cient.)27 b(F)o(or)17 b(e)o(xample,)g(a)h(\002le)g(system)g(whose)f(directories)g (are)g(mapped)f(to)i(e)o(xok)o(ernel\255)0 4927 y(protected)24 b(disk)i(blocks)e(may)i(also)f(require)g(that)g(names)h(within)f(a)h (directory)e(be)h(unique,)h(an)f(in)m(v)n(ariant)f(ine)o(xpressible)g (solely)h(in)0 5027 y(terms)30 b(of)g(hardw)o(are)f(protection.)58 b(Using)30 b(protected)f(methods,)j(directory)c(blocks)i(could)f(be)i (associated)f(with)g(a)h Fl(unique)p 3709 5027 22 4 v 26 w(name)0 5126 y Fp(method)19 b(that)h(untrusted)f(library)g(\002le)i (systems)g(w)o(ould)e(ha)n(v)o(e)h(to)g(use)g(to)h(allocate)f(names.) 125 5226 y(This)g(use)g(of)f(do)n(wnloaded)f(code)h(has)h(little)h(to)f (do)f(with)h(speed.)29 b(Rather)20 b(it)g(is)h(intended)e(to)h(solv)o (e)f(the)h(problem)e(that)i(distrusting)0 5326 y(application)g(cannot)g (force)g(one)h(another)e(to)j(obe)o(y)d(e)o(x)o(ecution)g(in)m(v)n (ariants.)31 b(F)o(or)21 b(e)o(xample,)f(consider)g(a)h(model)g(where)f Fl(unique)p 3709 5326 V 26 w(name)1908 5589 y Fp(63)p eop %%Page: 64 65 64 64 bop 0 83 a Fp(is)25 b(pro)o(vided)d(in)i(a)h(library)-5 b(,)24 b(with)g(the)g(admonishment)e(to)j(use)f(it)h(when)f(modifying)e (a)i(directory)-5 b(.)40 b(Nothing)23 b(pre)n(v)o(ents)f(a)j(malicious) 0 183 y(application)i(from)h(jumping)e(into)j(the)f(middle)g(of)g(the)h (procedure)d(to)j(skip)f(o)o(v)o(er)f(an)o(y)h(in)m(v)n(ariant)f (checks)h(or)m(,)i(more)d(simply)-5 b(,)30 b(just)0 282 y(writing)20 b(to)g(the)g(directory)f(block)g(directly)-5 b(.)125 382 y(Mutually)20 b(mistrusting)h(applications)g(can)g(safely)h (share)f(state)i(by)e(agreeing)f(on)i(code)f(to)h(use,)g(do)n (wnloading)c(it)23 b(in)f(the)g(k)o(ernel,)0 482 y(and)j(accessing)g (the)g(state)h(through)d(this)j(code.)43 b(Method)24 b(in)m(v)n(ocation)g(happens)g(via)h(a)h(system)f(call,)i(forcing)c(e)o (x)o(ecution)g(to)j(be)o(gin)0 581 y(at)h(a)h(well\255de\002ned)d 
(program)g(counter)g(v)n(alue.)49 b(This)27 b(pre)n(v)o(ents)e (applications)h(from)f(jumping)h(o)o(v)o(er)f(guards.)48 b(Method)26 b(e)o(x)o(ecution)0 681 y(cannot)c(be)h(\223hi)g(jack)o (ed\224)f(by)h(the)g(application)e(manipulating)g(its)j(state)g(via)f (deb)n(ugging)d(system)k(calls,)g(signals,)f(or)g(page)f(mapping)0 780 y(tricks.)36 b(State)23 b(e)o(xists)f(only)g(in)g(the)h(method')-5 b(s)21 b(address)h(space.)35 b(Applications)22 b(cannot)f(modify)g(it)i (by)e(for)o(ging)f(pointers)i(or)g(aliasing)0 880 y(virtual)g (addresses.)37 b(A)23 b(bene\002t)g(of)g(this)g(separation)f(is)h(that) g(non\255page)e(protection)g(can)h(be)h(readily)f(implemented,)g(as)h (opposed)e(to)0 980 y(page)27 b(granularity)f(memory)g(protection)g(of) h(unrestricted)f(application)h(code.)51 b(The)27 b(method)g(cannot)f (write)i(outside)f(its)i(address)0 1079 y(space.)g(This)21 b(protects)e(the)i(application)d(from)i(b)n(uggy)e(or)i(malicious)g (method)f(code.)28 b(\(Though,)18 b(the)i(areas)h(where)e(one)h(w)o (ould)f(trust)0 1179 y(a)i(method')-5 b(s)19 b(output,)g(b)n(ut)h(not)g (trust)g(it)h(to)f(not)g(corrupt)f(the)h(application')-5 b(s)19 b(state)i(are)f(rare.\))125 1279 y(Methods)j(can)h(be)g(used)g (to)g(force)f(the)h(coupling)e(of)i(state)h(modi\002cations,)e(such)h (as)h(forcing)d(the)j(in)m(v)n(alidation)d(of)h(a)i(\223ne)o(gati)n(v)o (e)0 1378 y(name)h(cache\224)g(when)g(a)h(directory)e(entry)g(is)j (allocated.)47 b(The)o(y)26 b(also)g(help)h(the)f(modi\002cation)f(of)h (data)h(structures)e(that)i(span)f(trust)0 1478 y(boundaries.)31 b(F)o(or)21 b(e)o(xample,)f(the)o(y)h(can)g(be)g(used)h(to)f(repair)g (\002le)h(system)g(data)f(structures)g(after)g(a)h(\002le)g(system)g (crash.)32 b(Finally)-5 b(,)21 b(the)o(y)0 1577 y(can)f(pro)o(vide)e (an)i(easy)h(w)o(ay)f(to)g(get)g(atomicity)-5 b(.)125 1677 y(Protected)29 b(methods)h(are)g(only)g(one)g(of)g(man)o(y)f(w)o (ays)i(to)g(pro)o(vide)d(e)o(xtensible)h(protection.)59 b(An)30 b(alternati)n(v)o(e)f(is)j(to)e(force)g(all)0 1777 
y(applications)19 b(to)g(be)h(written)f(in)h(a)g(restricted)g (language)e(and)h(compiled)f(with)i(a)g(trusted)f(compiler)-5 b(.)28 b(W)m(ith)20 b(the)g(adv)o(ent)f(of)g(languages)0 1876 y(such)h(as)h(Ja)n(v)n(a,)f(such)g(alternati)n(v)o(es)f(may)h (become)f(more)g(palatable.)125 1976 y(Another)m(,)31 b(more)f(traditional)f(w)o(ay)-5 b(,)33 b(is)f(to)f(use)g(serv)o(ers)f (to)h(encapsulate)e(sensiti)n(v)o(e)i(state.)61 b(Ho)n(we)n(v)o(er)m(,) 31 b(because)f(serv)o(er)g(code)0 2076 y(is)e(not)e(controlled)f(by)i (the)g(trusted)f(k)o(ernel)g(it)i(cannot)e(enforce)f(in)m(v)n(ariants)g (on)i(it.)50 b(Thus,)28 b(serv)o(er)e(functionality)e(must)j(be)g (trusted)0 2175 y(completely)-5 b(,)25 b(and)h(cannot)f(be)h(nested)f (in)h(the)g(same)h(w)o(ay)f(that)g(methods)f(can)g(be.)47 b(F)o(or)25 b(e)o(xample,)h(the)g(k)o(ernel)f(can)h(use)g(testing)g(to) 0 2275 y(v)o(erify)19 b(that)i(methods)f(only)g(touches)g(a)h (speci\002c)g(range)e(of)i(bytes)f(in)h(its)h(guarded)d(state,)i(that)g (its)h(modi\002cations)d(preserv)o(e)g(pre\255)h(and)0 2374 y(post\255conditions,)e(that)i(it)h(is)g(correct,)e(etc.)0 2619 y Fv(6.5)117 b(Discussion)0 2805 y Fo(Data)17 b(is)h(not)f(a)h(T) -8 b(uring)18 b(machine.)29 b Fp(Data)18 b(is)g(in\003e)o(xible,)f(b)n (ut)g(transparent,)f(and)h(its)i(operations)d(\(read)g(and)h(write\))g (tri)n(vially)g(bounded)0 2904 y(in)24 b(cost)g(and)f(guaranteed)e(to)j (terminate.)38 b(Code)23 b(is)i(not)e(necessarily)g(an)o(y)g(of)g (these)h(three)f(things.)39 b(The)23 b(benign)f(characteristics)h(of)0 3004 y(data)h(can)g(be)h(a)g(relief)f(compared)e(to)j(the)f (uncertainty)e(induced)h(by)h(injecting)g(potentially)f (non\255terminating)e(black)j(box)o(es)f(into)h(a)0 3103 y(comple)o(x)18 b(operating)h(system.)29 b(T)-7 b(w)o(o)21 b(speci\002c)f(e)o(xamples)f(follo)n(w)-5 b(.)125 3203 y(Information)16 b(can)k(be)f(communicated)e(by)i(memory)f(\(e.g,)h(a)h (\003ag)g(set)g(when)f(the)h(operating)e(system)i(is)g(allo)n(wed)f(to) h(write)g(a)g(disk)0 3303 
y(block\))j(or)h(by)f(code)h(\(e.g.,)f(a)i (routine)e(called)h(with)g(the)g(disk)g(block)f(asking)g(if)i(it)f(can) g(be)g(written\).)40 b(XN)25 b(e)o(xplicitly)e(uses)i(pointers)0 3402 y(rather)16 b(than)g(code)g(to)h(track)f(block)g(write)h(orders,)f (despite)h(the)g(lack)f(of)h(\003e)o(xibility)-5 b(.)26 b(Code)17 b(made)f(dependenc)o(y)e(c)o(ycles)i(more)g(dif)n(\002cult)0 3502 y(to)k(check,)f(and)h(thus,)g(the)g(cost)h(of)f(sharing)f(higher) -5 b(.)125 3602 y(It)24 b(is)g(relati)n(v)o(ely)f(simple)h(and)f(well)i (understood)c(ho)n(w)i(to)h(decouple)e(application)h(actions)g(from)g (application)f(e)o(x)o(ecution)g(using)0 3701 y(the)28 b(stylized)g(method)e(of)h(b)n(uf)n(fering.)50 b(An)28 b(application)e(that)i(wishes)h(to)f(send)f(a)i(lar)o(ge)d(message)i (on)f(the)h(netw)o(ork)f(can)h(gi)n(v)o(e)f(the)0 3801 y(b)n(uf)n(fer)19 b(for)g(the)h(message)g(to)g(the)h(OS.)f(The)g(OS)h (\(or)e(DMA)h(engine\))f(can)h(in)g(turn)g(send)f(it)i(across)f(the)g (netw)o(ork)f(at)i(whate)n(v)o(er)d(rate)j(the)0 3900 y(netw)o(ork)f(supports,)h(irrespecti)n(v)o(e)f(of)h(whether)g(the)h (application)e(that)h(pro)o(vided)e(the)j(data)f(is)i(currently)d (running.)31 b(As)22 b(a)g(result,)g(this)0 4000 y(pattern)c(of)g (using)g(b)n(uf)n(fering)e(rather)h(than)h(do)n(wnloaded)e(code)i(to)g (decouple)f(application)g(actions)h(from)g(scheduling)e(can)j(be)f (seen)g(in)0 4100 y(all)j(operating)d(systems)j(the)f(author)f(is)i(a)o (w)o(are)f(of.)125 4199 y(The)32 b(alternati)n(v)o(e,)j(ha)n(ving)e (the)g(application)f(e)o(xplicitly)g(cooperate)g(with)h(the)g(OS)h(via) g(tamed)e(do)n(wnloaded)f(code,)36 b(can)d(be)0 4299 y(accomplished)18 b([32)o(,)i(93)o(])h(b)n(ut)f(requires)f(f)o(ar)h (more)g(machinery)e(than)i(the)g(simple)g(b)n(uf)n(fer)f(management)f (routines)h(abo)o(v)o(e.)125 4399 y Fo(Data)g(has)i(visible)g (transitions.)30 b Fp(Data,)21 b(because)f(it)h(is)g(passi)n(v)o(e,)f (can)g(only)g(be)h(changed)d(by)i(an)h(acti)n(v)o(e)f(entity)-5 b(.)29 b(Gi)n(v)o(en)20 b(the)g(right)0 
4498 y(frame)n(w)o(ork)e (\(e.g.,)h(if)h(applications)f(can)g(only)g(write)h(to)h(data)e(via)h (system)g(calls\),)h(this)f(characteristic)f(mak)o(es)h(transitions)f (clear)h(and)0 4598 y(easily)j(coupled)e(to)h(actions)h(or)f(checks.)35 b(F)o(or)22 b(e)o(xample,)g(to)g(allo)n(w)h(applications)e(to)i (control)e(the)h(order)g(of)g(disk)g(block)g(writes,)h(XN)0 4697 y(allo)n(ws)d(them)f(to)h(create)g(dependenc)o(y)c(chains.)29 b(Since)20 b(the)f(pointers)g(used)h(to)f(form)g(chains)h(can)f(only)g (be)h(added)e(using)h(the)h(OS,)g(it)h(is)0 4797 y(simple)j(to)g(check) g(for)f(c)o(ycles.)41 b(If)24 b(code)g(w)o(as)h(used)f(instead)f (\(e.g.,)h(a)h(boolean)e(procedure)e Fl(can)p 2804 4797 22 4 v 27 w(write?)p Fp(\))42 b(that)24 b(w)o(as)h(associated)f(with)0 4897 y(each)c(block\),)e(if)j(the)f(code)g(is)h(in)f(an)o(y)g(w)o(ay)g (opaque,)e(such)i(checking)e(becomes)i(more)f(dif)n(\002cult.)125 4996 y Fo(Data)28 b(is)j(passi)o(v)o(e,)i(contr)o(ol)28 b(acti)o(v)o(e.)57 b Fp(From)30 b(the)f(application')-5 b(s)29 b(perspecti)n(v)o(e,)h(the)g(passi)n(vity)g(of)f(data)h(can)f (be)h(a)g(signi\002cant)0 5096 y(problem:)61 b(it)37 b(mak)o(es)f(state)i(transitions)e(in)m(visible,)k(requiring)34 b(polling)i(to)g(track)h(them.)78 b(Our)36 b(e)o(xok)o(ernel)e(pro)o (vides)h Fk(wak)o(eup)0 5196 y(pr)m(edicates)368 5165 y Fi(4)427 5196 y Fp(as)25 b(a)h(w)o(ay)f(to)g(conceptually)d(\(if)j (not)f(actually\))g(transmute)g(passi)n(v)o(e)h(data)f(into)h(acti)n(v) o(e)f(e)n(v)o(ents.)43 b(W)-7 b(ak)o(eup)24 b(predicates)p 0 5261 1560 4 v 90 5317 a Fh(4)120 5340 y Fg(The)16 b(e)o(xok)o(ernel') l(s)21 b(system)c(for)g(this)g(w)o(as)h(concei)n(v)o(ed,)h(designed)g (and)f(implemented)h(by)e(Thomas)g(Pinckne)o(y)1908 5589 y Fp(64)p eop %%Page: 65 66 65 65 bop 0 83 a Fp(are)25 b(application)e(code)i(snippets)g(do)n (wnloaded)d(into)j(the)g(k)o(ernel,)g(bound)e(to)i(useful)g(memory)e (locations)h(\(block)g(I/O)h(\003ags,)i(timer)0 183 y(counters,)19 b(etc.\))29 b(and)20 
b(e)n(v)n(aluated)e(on)i(v)n(arious)f(interrupts.) 28 b(When)20 b(the)o(y)g(e)n(v)n(aluate)f(to)h(true,)g(the)g(process)g (is)h(a)o(w)o(ak)o(ened.)125 282 y Fo(Code)i(imposes)h(indir)o(ection.) 38 b Fp(Placing)23 b(code)g(between)f(the)i(operating)d(system)j(and)f (its)h(data)f(forces)g(the)g(OS)h(to)g(go)f(through)0 382 y(a)j(layer)e(of)h(potentially)f(non\255terminating)d(indirection.) 43 b(F)o(or)24 b(e)o(xample,)h(rather)f(than)h(meta)g(data)g(tra)n(v)o (ersal)g(routines)f(that)h(simply)0 482 y(w)o(alk)d(do)n(wn)g(a)h(v)o (ector)e(of)h(block)f(pointers,)h(XN)h(requires)e(the)h(use)h(of)f (untrusted)f(iterators)h(and)g(must)g(mak)o(e)g(pro)o(visions)f(to)h (ensure)0 581 y(that)k(the)o(y)g(do)g(not)g(run)f(too)h(long.)47 b(Additionally)-5 b(,)25 b(it)i(cannot)e(simply)h(modify)f(client)h (meta)g(data)h(an)o(ymore)d(\227)i(since)h(it)g(does)f(not)0 681 y(understand)16 b(their)h(semantics)h(\227)g(and,)g(as)g(a)g (result,)g(cannot)f(necessarily)g(do)h(an)f(operation)f(as)j(simple)e (as)i(changing)d(one)h(disk)h(block)0 780 y(pointer)h(to)h(another)f (in)h(order)f(to)i(compact)e(the)h(disk.)125 880 y(Further)m(,)31 b(the)f(indirecting)e(code)i(forces)f(the)i(OS)f(to)h(plan)e(for)h(f)o (ailure.)59 b(It)30 b(must)g(ha)n(v)o(e)g(a)g(contingenc)o(y)e(plan)h (for)h(when)g(the)0 980 y(application)20 b(code)g(does)h(not)g(update)f (data)h(appropriately)d(or)j(e)n(v)o(en)f(terminate.)31 b(Ha)n(ving)20 b(to)i(rely)e(on)h(a)h(non\255trustw)o(orthy)17 b(opponent)0 1079 y(to)j(do)g(crucial)g(operations)e(can)i(be)h(a)f (practical)g(irritant.)125 1179 y Fo(Code)c(hides)h(inf)n(ormation.)27 b Fp(Information)14 b(can)i(be)g(e)o(xchanged)e(from)h(operating)f (system)j(to)g(application)d(using)i(either)g(mapped)0 1279 y(OS)26 b(data)f(structures)g(or)g(system)h(calls.)45 b(The)25 b(latter)h(interf)o(ace)e(shields)i(applications)e(from)g (implementation)g(details.)45 b(Ho)n(we)n(v)o(er)m(,)0 1378 y(if)27 b(the)g(OS)g(does)f(not)h(anticipate)f(the)g(need)g(for)g 
(a)h(piece)g(of)f(information)e(and)i(encapsulate)g(it)h(within)g(a)g (system)f(call,)j(the)e(client)0 1478 y(cannot)c(reco)o(v)o(er)f(it.)42 b(Ho)n(we)n(v)o(er)m(,)23 b(by)h(ripping)e(a)o(w)o(ay)i(this)h (procedural)c(layer)j(layer)g(and)f(e)o(xporting)f(data)i(structures)f (\(read)g(only\))g(to)0 1577 y(applications,)17 b(the)o(y)g(can)g (obtain)g(all)h(information,)d(anticipated)i(by)g(the)h(k)o(ernel)f (implementor)e(or)i(not.)28 b(\(The)17 b(potential)g(cost)h(is)h(being) 0 1677 y(tied)h(to)h(a)f(speci\002c)h(implementation.\))125 1777 y(Our)16 b(library)g(operating)g(system')-5 b(s)18 b(reliance)e(on)h(\223w)o(ak)o(eup)f(predicates\224)g(has)i(dri)n(v)o (en)d(home)h(the)i(adv)n(antages)d(of)i(e)o(xposing)e(k)o(ernel)0 1876 y(data)k(structures.)29 b(Frequently)-5 b(,)17 b(we)j(ha)n(v)o(e)e (required)g(unusual)g(information)f(about)i(the)g(system.)29 b(In)20 b(all)g(cases,)g(this)g(information)d(w)o(as)0 1976 y(already)i(pro)o(vided)f(by)i(the)g(k)o(ernel)f(data)h (structures.)125 2076 y Fo(Understanding)o(.)27 b Fp(A)16 b(practical)f(problem)e(in)j(using)e(do)n(wnloaded)f(code)i(is)h(that)f (historically)g(there)g(has)g(been)g(a)h(schism)f(between)0 2175 y(the)g(compiler)f(and)h(operating)e(system)i(communities.)26 b(As)16 b(a)g(result,)g(OS)g(implementors)d(frequently)g(do)i(not)g (understand)e(compilers.)0 2275 y(The)o(y)19 b(ha)n(v)o(e)h(no)f(equi)n (v)n(alent)g(dif)n(\002culty)g(with)h(data)h(structures.)125 2374 y Fo(Alter)o(nati)o(v)o(es)14 b(to)i(do)o(wnloading)f(code)h(f)n (or)f(semantics.)29 b Fp(DPF)-7 b(,)16 b Fg(ASH)p Fp(s)h(and)e(XN)h (can)g(be)g(vie)n(wed)f(as)h(systems)h(to)e(pull)h(application)0 2474 y(semantics)22 b(into)f(resource)g(management)e(decisions.)34 b(Ho)n(we)n(v)o(er)m(,)20 b(this)i(is)h(not)f(the)f(only)g(w)o(ay)h(to) g(get)g(the)g(same)g(ef)n(fect.)33 b(The)22 b(easiest)0 2574 y(is)28 b(to)f(upload)f(operating)g(system)h(code)f(into)h(the)h (application.)48 b(It)28 b(can)f(then)f(decide)h(ho)n(w)f(to)i 
(implement)e(whate)n(v)o(er)f(decision)i(it)0 2673 y(desires.)36 b(Additionally)-5 b(,)20 b(it)j(can)g(do)f(so)g(in)h(a)g(T)l(uring)e (complete)g(w)o(ay)-5 b(,)22 b(in)h(an)f(unrestricted)f(en)m (vironment,)f(and)h(with)i(much)e(concern)0 2773 y(in)f(the)h (operating)d(system)i(about)g(termination)e(and)i(opaqueness)e(issues.) 125 2873 y(In)26 b(non\255protection)c(situations,)28 b(the)e(semantics)g(of)g(resources)g(need)f(ne)n(v)o(er)g(be)i (imported)d(into)i(the)h(operating)d(system.)48 b(The)0 2972 y(application)26 b(can)h(instead)f(determine)g(what)h(actions)g (to)h(do,)g(using)e(whate)n(v)o(er)g(domain\255speci\002c)f(kno)n (wledge)g(is)j(important,)f(and)0 3072 y(then)20 b(just)h(tell)h(the)e (operating)f(system)i(what)g(to)g(do.)30 b(This)21 b(requires)e (constructing)g(interf)o(aces)h(that)h(do)f(declarati)n(v)o(e)f (checking)g(of)i(an)0 3171 y(operation)h(rather)i(than)g(imperati)n(v)o (ely)e(deciding)g(ho)n(w)i(to)h(do)e(it.)42 b(F)o(or)24 b(e)o(xample,)g(consider)f(the)h(problem)f(of)h(writing)f(cached)h (disk)0 3271 y(blocks)h(to)h(stable)h(storage)e(in)h(a)g(w)o(ay)g(that) g(guarantees)f(consistenc)o(y)f(across)i(reboots.)46 b(Rather)25 b(than)h(an)g(e)o(xok)o(ernel)e(deciding)g(on)0 3371 y(a)i(particular)f(write)h(ordering)e(itself)i(and)g(thus)f(ha)n (ving)g(to)h(struggle)f(with)h(the)g(tradeof)n(fs)f(in)h(scheduling)e (heuristics)h(and)h(caching)0 3470 y(decisions)21 b(required)e(to)i(do) f(so)i(well,)f(it)h(can)f(instead)f(allo)n(w)h(the)g(application)f (construct)g(schedules,)g(retaining)g(for)g(itself)i(the)f(much)0 3570 y(simpli\002ed)16 b(task)g(of)g(merely)f(checking)f(that)j(an)o(y) e(application)f(schedule)i(gi)n(v)o(es)f(appropriate)f(consistenc)o(y)h (guarantees.)26 b(Application)0 3670 y(of)c(this)h(methodology)c (enables)j(an)g(e)o(xok)o(ernel)e(to)j(lea)n(v)o(e)f(library)f (operating)g(systems)i(to)f(decide)g(on)g(tradeof)n(fs)f(themselv)o(es) g(rather)0 3769 y(than)f(forcing)e(a)j(particular)e(set,)i(a)f(crucial) 
g(shift)g(of)g(labor)-5 b(.)125 3869 y(One)21 b(of)h(the)g(games)f(we)h (ha)n(v)o(e)f(played)g(frequently)f(in)i(an)g(e)o(xok)o(ernel)d(is)k (determining)d(ho)n(w)h(to)h(construct)f(interf)o(aces)g(where)h(an)0 3968 y(application)d(\223just)h(kno)n(wing\224)e(what)j(is)g (appropriate)d(can)i(be)g(e)o(xpressed)f(as)h(a)h(k)o(ernel)e(action.)0 4215 y Fv(6.6)117 b(Related)27 b(W)-9 b(ork)0 4401 y Fp(There)16 b(ha)n(v)o(e)g(been)g(a)h(number)e(of)i(papers)f(that)h(e)n (v)n(aluate)f(dif)n(ferent)f(do)n(wnloading)f(code)i(mechanisms.)27 b(Small)17 b(and)f(Seltzer)h(compare)0 4501 y(se)n(v)o(eral)24 b(e)o(xtension)g(techniques)g([80)n(],)i(Bershad)f(et)h(al.)f([9)o(])g (and)g(P)o(ardyak)e(and)h(Bershad)h(describe)f([71)o(])h(dif)n(ferent)e (aspects)j(of)f(the)0 4600 y(SPIN)31 b(operating)e(system')-5 b(s)32 b(e)o(xtensibility)d(frame)n(w)o(ork.)59 b(This)31 b(chapter)f(complements)f(this)j(prior)d(w)o(ork.)61 b(Stallman)30 b([81)o(])h(and)0 4700 y(Borenstein)16 b(and)h(Gosling)f([11)o(])h(discuss)g(language)e(issues)j(in)f(the)g (conte)o(xt)f(of)g(the)h(EMA)m(CS)h(te)o(xt)e(editor)-5 b(.)28 b(The)17 b(discussion)f(is)i(lar)o(gely)0 4800 y(complementary)-5 b(,)28 b(since)h(e)o(xtensions)e(in)i(this)h(conte)o (xt)e(are)g(trusted,)j(b)n(ut)e(there)f(are)h(o)o(v)o(erlapping)d (lessons)j(\(the)g(most)g(painful)e(to)0 4899 y(redisco)o(v)o(er)18 b(that)i(reasonable)f(def)o(aults)h(must)g(be)g(pro)o(vided\).)125 4999 y(Both)g(SPIN)g([9,)g(32)o(,)h(71)o(])f(and)g(V)-5 b(ino)20 b([79)n(,)h(80)o(])f(are)g(tw)o(o)h(other)e(e)o(xtensible)g (operating)g(systems)h(that)h(use)f(do)n(wnloaded)d(code.)125 5098 y(Code)30 b(motion)f(has)i(been)e(a)i(recurrent)e(theme)h(in)g (operating)f(systems)i(since)f(inception)f([41)o(,)i(22)o(].)60 b(Micro\255k)o(ernels)28 b(are)j(an)0 5198 y(attempt)g(to)g(mo)o(v)o(e) e(operating)h(system)h(code)f(out)h(of)g(the)g(harsh)f(en)m(vironment)e (of)j(the)g(k)o(ernel)f(into)h(the)g(more)f(genteel)h(conte)o(xt)0 5298 
y(of)d(processes)f([41)o(,)h(53)o(,)g(2,)g(77)o(,)g(84)o(].)53 b(V)-5 b(irtual)27 b(machines)g([20)o(])h(similarly)g(mo)o(v)o(e)e (operating)g(system)i(code)g(to)g(application\255le)n(v)o(el.)1908 5589 y(65)p eop %%Page: 66 67 66 66 bop 0 83 a Fp(Interestingly)-5 b(,)24 b(this)i(is)g(the)f(single) h(feature)e(the)o(y)g(change)g(about)h(the)g(OS:)h(all)g(hardw)o(are)e (details)h(are)g(emulated)g(f)o(aithfully)-5 b(.)42 b(Most)0 183 y(modern)18 b(operating)h(systems)h(pro)o(vide)f(w)o(ays)h(to)g (dynamically)f(do)n(wnload)f(load)h(de)n(vice)h(dri)n(v)o(ers.)125 282 y(Se)n(v)o(eral)i(hints)h(for)g(when)g(to)g(do)n(wnload)f(code)g (can)h(be)h(found)d(in)j(Lampson)e([52)n(].)39 b(A)24 b(useful)f(insight)g(is)h(that)f(do)n(wnloading)e(is)0 382 y(simply)h(an)h(e)o(xample)e(of)i(higher)n(\255order)c(function)i (programing)f(\(or)i(in)h(systems)g(languages,)f(the)g(use)h(of)g (function)e(pointers)g(rather)0 482 y(than)k(\003ags)g(as)h (parameters\).)42 b(The)24 b(main)h(dif)n(ference)e(is)j(that)f(code)f (is)i(being)e(shipped)g(across)h(trust)h(boundaries)c(rather)j(than,)g (for)0 581 y(instance,)19 b(library)g(interf)o(aces.)28 b(Thus,)20 b(it)g(appears)f(possible)g(to)h(tak)o(e)g(some)g(of)f(the)h (ideas)g(from)e(these)i(mature)f(areas)h(\223whole)f(cloth.)-6 b(\224)0 681 y(Sussman)20 b(and)g(Abelson)f([1)o(])i(is)g(a)f(classic)h (te)o(xt.)125 780 y(The)16 b(parallel)g(community)e(has)j(long)f (considered)e(the)j(idea)f(of)h(\223function)d(shipping\224)h(for)h (speed)g(\227)h(e.g.,)g(to)g(bring)e(computation)0 880 y(closer)23 b(to)h(data,)g(to)g(be)f(able)g(to)h(migrate)f (computations)e(for)i(load\255balancing,)e(etc.)40 b(Some)23 b(of)g(the)h(insights)f(from)g(this)h(use)f(can)h(be)0 980 y(applied)18 b(to)h(operating)e(systems.)30 b(Similarly)-5 b(,)18 b(the)h(distrib)n(uted)f(systems)i(community)d(has)i(shipped)f (code)g(as)i(well.)29 b(Ja)n(v)n(a)20 b(applets)f(are)0 1079 y(a)g(topical)e(e)o(xample)g([40)o(].)28 b(T)-6 b(ennenhouse)16 b(and)h(W)-7 b(eatherall)19 
b(ha)n(v)o(e)e(proposed)f (to)i(use)h(mobile)e(code)g(to)i(b)n(uild)e(Acti)n(v)o(e)h(Netw)o(orks) g([86)n(];)0 1179 y(in)e(an)f(acti)n(v)o(e)g(netw)o(ork,)g(protocols)f (are)i(replaced)e(by)h(programs,)g(which)g(are)g(safely)g(e)o(x)o (ecuted)f(in)i(the)f(operating)f(system)i(on)f(message)0 1279 y(arri)n(v)n(al.)27 b(Curiously)-5 b(,)17 b(in)h(contrast)f(to)h (our)f(e)o(xperience,)f(most)i(uses)g(of)f(mobile)g(code)g(in)h(an)g (Acti)n(v)o(e)f(Netw)o(ork)g(seem)h(to)g(be)g(to)g(impro)o(v)o(e)0 1378 y(ef)n(\002cienc)o(y)-5 b(,)18 b(rather)i(increase)f(po)n(wer)-5 b(.)1908 5589 y(66)p eop %%Page: 67 68 67 67 bop 0 706 a Fj(Chapter)42 b(7)0 1121 y Fn(Conclusion)208 1553 y Fp(But)29 b(in)g(our)g(enthusiasm,)h(we)f(could)g(not)f(resist)i (a)g(radical)e(o)o(v)o(erhaul)f(of)i(the)g(system,)i(in)f(which)e(all)i (of)f(its)h(major)208 1652 y(weaknesses)13 b(ha)n(v)o(e)g(been)f(e)o (xposed,)h(analyzed,)g(and)g(replaced)f(with)i(ne)n(w)f(weaknesses.)27 b(\227)14 b(Bruce)f(Le)n(v)o(erett,)g(\223Re)o(gister)208 1752 y(Allocation)19 b(in)h(Optimizing)f(Compilers\224)125 1934 y(This)13 b(chapter)f(discusses)i(possible)g(w)o(ays)f(that)h(an)f (e)o(xok)o(ernel)f(approach)f(could)h(f)o(ail,)j(lessons)f(learned)e (in)i(b)n(uilding)e(our)h(e)o(xok)o(ernel)0 2034 y(systems,)20 b(and)g(conclusions.)0 2281 y Fv(7.1)117 b(P)n(ossible)29 b(F)m(ailur)n(es)g(of)f(the)g(Ar)n(chitectur)n(e)208 2467 y Fp(Doubt)21 b(')o(til)i(thou)f(canst)h(doubt)e(no)i (more...doubt)c(is)k(thought)e(and)i(thought)e(is)i(life.)37 b(Systems)23 b(which)g(end)f(doubt)f(are)208 2566 y(de)n(vices)e(for)h (drugging)d(thought.)28 b(\227\255)20 b(Albert)g(Guerard)125 2749 y(In)27 b(our)f(mind,)j(the)e(remaining)f(serious)h(questions)g (about)g(the)g(e)o(xok)o(ernel)e(architecture)h(are)i(sociological)e (ones)h(rather)g(than)0 2848 y(technical.)39 b(W)-7 b(e)24 b(list)h(\002v)o(e)e(possible)h(f)o(ailures)f(of)g(the)h(architecture)e (once)h(it)h(mo)o(v)o(es)e(from)h(our)g(coddling)e(laboratory)h(into)h (the)h(\223real)0 
2948 y(w)o(orld:\224)104 3114 y(1.)41 b(Application)26 b(writers)i(do)g(not)g(deal)g(well)g(with)g(the)g (freedom)f(the)o(y)g(ha)n(v)o(e)g(and)h(become)f(tied)h(too)f(closely)h (to)g(a)h(particular)208 3214 y(e)o(xok)o(ernel)23 b(implementation,)h (pre)n(v)o(enting)e(upgrades)h(and)i(slo)n(wing,)h(rather)e(than)h (impro)o(ving,)e(system)j(e)n(v)n(olution.)42 b(While)208 3313 y(adherence)18 b(to)i(standard)e(interf)o(aces)i(and)f(good)f (programming)f(practices)i Fk(should)g Fp(pre)n(v)o(ent)f(this)j(type)e (of)h(f)o(ailure)f(\(gi)n(v)o(en)f(that)208 3413 y(these)23 b(techniques)f(ha)n(v)o(e)h(a)g(v)o(enerable)f(track)g(record)g(of)h (doing)f(so)i(in)f(other)g(domains\),)f(it)i(remains)f(to)g(be)g (demonstrated)e(if)208 3513 y(the)o(y)e(suf)n(\002ce)h(for)g(e)o(xok)o (ernels.)104 3679 y(2.)41 b(Commoditization)22 b(of)h(operating)g (system)h(softw)o(are)g(mak)o(es)g(operating)e(system)j(research)e (irrele)n(v)n(ant.)40 b(Commoditization)208 3778 y(has)31 b(already)g(se)n(v)o(erely)g(restricted)g(the)h(viability)f(of)g(ne)n (w)h(OS)g(interf)o(aces.)63 b(The)31 b(dominance)f(of)h(a)i(fe)n(w)e (OSes,)k(and)d(the)208 3878 y(increasing)22 b(cost)h(of)g(implementing) e(them,)j(may)f(restrict)g(the)g(viability)g(of)g(ne)n(w)g (implementations)f(of)h(these)g(interf)o(aces)g(as)208 3978 y(well.)29 b(If)20 b(so,)h(then)e(much)h(of)f(the)i(inno)o(v)n (ation)c(potential)j(of)g(an)g(e)o(xok)o(ernel)e(will)j(be)f(lost.)104 4144 y(3.)41 b(The)15 b(technical)h(ability)g(to)g(inno)o(v)n(ate)f (does)g(not)h(lead)g(to)h(an)o(y)e(more)g(inno)o(v)n(ation)f(than)i(on) g(traditional)f(systems.)28 b(The)16 b(e)o(xok)o(ernel)208 4243 y(architecture)22 b(is)k(based)d(on)h(a)h (partially\255sociological)d(assumption:)36 b(that)24 b(making)f(OS)i(inno)o(v)n(ation)d(easier)j(and)e(less)j(costly)208 4343 y(will)e(lead)g(to)g(a)h(v)n(ast)f(impro)o(v)o(ement)d(in)j(inno)o (v)n(ation.)38 b(This)24 b(may)g(well)g(be)g(a)g(f)o(alse)h (assumption.)39 b(F)o(or)24 b(instance,)g(inno)o(v)n(ation)208 4443 
y(may)19 b(already)g(be)h(\223easy)h(enough\224)d(for)h(those)h (who)g(care)g(to)g(do)g(it.)104 4609 y(4.)41 b(An)23 b(e)o(xok)o(ernel,)f(by)h(migrating)f(most)h(OS)h(code)f(to)h (libraries,)g(remo)o(v)o(es)d(the)j(\223single)f(point)g(of)g (upgrade\224)e(characteristic)i(of)208 4708 y(current)c(systems.)31 b(This)21 b(can)g(be)f(an)h(adv)n(antage,)e(since)i(applications)e(do)h (not)h(ha)n(v)o(e)f(to)h(w)o(ait)g(for)f(the)h(central)f(OS)i(to)f (upgrade)208 4808 y(b)n(ut)27 b(can)g(instead)g(do)h(so)f(themselv)o (es.)51 b(Ho)n(we)n(v)o(er)m(,)27 b(it)h(can)f(also)h(impede)e (progress)h(by)g(making)f(impro)o(v)o(ements)e(harder)i(to)208 4907 y(disseminate.)104 5073 y(5.)41 b(Users)18 b(will)g(not)g(switch)g (operating)e(systems.)28 b(An)18 b(OS)g(forms)f(the)h(primal)f(mud)g (on)g(which)g(systems)i(are)e(b)n(uilt.)29 b(Changes)17 b(to)h(it)208 5173 y(ha)n(v)o(e)i(f)o(ar)g(reaching)f(impact.)30 b(Computer)20 b(system)h(users)g(ha)n(v)o(e)f(thus)g(demonstrated)f(an) h(understandable)e(reluctance)i(to)g(alter)208 5273 y(it.)29 b(It)21 b(may)f(be)g(that)g(the)g(adv)n(antages)f(of)h(an)g(e)o(xok)o (ernel)e(system)i(do)g(not)g(proof)e(suf)n(\002cient)i(to)h(lead)f(to)g (such)g(a)h(switch.)1908 5589 y(67)p eop %%Page: 68 69 68 68 bop 208 83 a Fp(F)o(ortunately)-5 b(,)20 b(an)j(e)o(xok)o(ernel)d (does)i(not)h(require)e(\223whole)h(cloth\224)g(adoption)e(for)i (success.)37 b(It)23 b(appears)f(that)g(man)o(y)g(e)o(xok)o(ernel)208 183 y(interf)o(aces,)e(especially)g(those)h(related)f(to)h(I/O,)g(can)g (be)g(grafted)e(on)i(to)g(e)o(xisting)f(systems,)h(with)g(little)h (loss)g(in)f(performance.)208 282 y(Normal)k(applications)g(w)o(ould)g (the)h(e)o(xisting)f(OS)i(interf)o(aces)e(as)i(a)f(def)o(ault,)h(while) f(more)f(aggressi)n(v)o(e)f(applications)h(w)o(ould)208 382 y(ha)n(v)o(e)19 b(the)h(po)n(wer)g(to)g(control)f(important)f (decisions.)1766 352 y Fi(1)0 548 y Fp(While)k(we)h(ha)n(v)o(e)e (con\002dence)g(that)h(the)g(e)o(xok)o(ernel')-5 b(s)20 
b(technical)h(adv)n(antages)g(will)h(allo)n(w)g(it)h(to)f(transcend)f (these)h(potential)f(pitf)o(alls,)0 648 y(it)g(must)f(still)i (demonstrate)c(that)i(it)h(does.)0 895 y Fv(7.2)117 b(Experience)0 1080 y Fp(Ov)o(er)25 b(the)i(past)f(three)g(years,)h(we)f(ha)n(v)o(e)g (b)n(uilt)g(three)g(e)o(xok)o(ernel)e(systems.)47 b(W)-7 b(e)28 b(distill)f(our)e(e)o(xperience)f(by)i(discussing)g(the)g(clear) 0 1180 y(adv)n(antages,)18 b(the)j(costs,)f(and)g(lessons)g(learned)f (from)h(b)n(uilding)e(e)o(xok)o(ernel)g(systems.)0 1392 y Fq(7.2.1)99 b(Clear)25 b(adv)o(antages)0 1540 y Fo(Exposing)g(k)o(er) o(nel)h(data)e(structur)o(es.)44 b Fp(Allo)n(wing)24 b(libOSes)i(to)f(map)g(k)o(ernel)f(and)h(hardw)o(are)f(data)h (structures)f(into)h(their)g(address)0 1639 y(spaces)f(is)h(a)f(po)n (werful)e(e)o(xtensibility)h(mechanism.)39 b(\(Of)23 b(course,)h(these)g(structures)f(must)h(not)g(contain)e(sensiti)n(v)o (e)i(information)d(to)0 1739 y(which)28 b(the)g(application)f(lacks)h (pri)n(vile)o(ges.\))52 b(The)28 b(bene\002ts)g(of)g(mapping)f(data)h (structures)g(are)g(tw)o(o\255fold.)52 b(First,)31 b(e)o(xposed)c(data) 0 1839 y(structures)h(can)g(be)g(accessed)g(without)g(system)g(call)h (o)o(v)o(erhead.)50 b(More)28 b(importantly)-5 b(,)28 b(ho)n(we)n(v)o(er)m(,)f(mapping)g(the)h(data)g(structures)0 1938 y(directly)19 b(allo)n(ws)i(libOSes)g(to)f(mak)o(e)g(use)g(of)g (information)e(the)i(e)o(xok)o(ernel)e(did)i(not)g(anticipate)f(e)o (xporting.)125 2038 y(Because)k(e)o(xposed)g(data)g(structures)g(do)g (not)h(constitute)f(a)h(well\255de\002ned)e(API,)i(softw)o(are)f(that)h (directly)f(relies)h(on)f(them)h(\(e.g.,)0 2138 y(the)e(hardw)o(are)f (abstraction)g(layer)h(in)g(a)h(libOS\))f(may)g(need)f(to)i(be)f (recompiled)e(or)i(modi\002ed)f(if)h(the)h(k)o(ernel)e(changes.)34 b(This)23 b(can)f(be)0 2237 y(seen)i(as)g(a)g(disadv)n(antage.)37 b(On)24 b(the)g(other)e(hand,)h(code)g(af)n(fected)g(by)g(changes)g(in) g(e)o(xposed)f(data)i(structures)f(will)h(typically)f(reside)0 2337 
y(in)e(dynamically\255link)o(ed)16 b(libOSes,)21 b(so)g(that)g(applications)e(need)g(not)i(concern)d(themselv)o(es)i (with)h(these)f(changes.)29 b(Moreo)o(v)o(er)m(,)18 b(most)0 2436 y(impro)o(v)o(ements)j(that)i(w)o(ould)g(require)f(k)o(ernel)h (modi\002cation)e(on)i(a)h(traditional)e(operating)g(systems)i(need)f (only)f(ef)n(fect)h(libOSes)h(on)0 2536 y(e)o(xok)o(ernels.)i(This)15 b(is)h(one)e(of)h(the)f(main)h(adv)n(antages)e(of)i(the)g(e)o(xok)o (ernel,)e(as)j(libOSes)f(can)g(be)g(modi\002ed)f(and)g(deb)n(ugged)f (considerably)0 2636 y(more)20 b(easily)g(than)g(k)o(ernels.)29 b(Finally)-5 b(,)20 b(we)g(e)o(xpect)g(most)g(changes)f(to)i(the)f(e)o (xok)o(ernel)e(proper)h(to)h(be)h(along)e(the)h(lines)h(of)f(ne)n(w)g (de)n(vice)0 2735 y(dri)n(v)o(ers)f(or)h(hardw)o(are\255oriented)c (functionality)-5 b(,)18 b(which)h(e)o(xpose)h(ne)n(w)g(structures)f (rather)g(than)h(modify)f(e)o(xisting)g(ones.)125 2835 y(In)31 b(the)h(end,)i(some)e(aggressi)n(v)o(e)f(applications)g(may)g (not)h(w)o(ork)f(across)h(all)h(v)o(ersions)e(of)h(the)g(e)o(xok)o (ernel,)g(e)n(v)o(en)f(if)h(the)o(y)g(are)0 2935 y(dynamically)g(link)o (ed.)69 b(This)34 b(problem)e(is)i(nothing)f(ne)n(w)-5 b(,)36 b(ho)n(we)n(v)o(er)-5 b(.)68 b(A)34 b(number)e(of)i(UNIX)f (programs)f(such)i(as)g(top,)j(gated,)0 3034 y(lsof,)25 b(and)e(netstat)i(already)d(mak)o(e)i(use)g(of)g(pri)n(v)n(ate)f(k)o (ernel)g(data)h(structures)f(through)f(the)i(k)o(ernel)f(memory)g(de)n (vice)g Fb(/dev/kmem)p Fp(.)0 3134 y(Administrators)c(ha)n(v)o(e)g (simply)h(learned)f(to)i(reinstall)f(these)g(programs)f(whene)n(v)o(er) f(major)h(k)o(ernel)h(data)g(structures)f(change.)125 3233 y(The)28 b(use)h(of)g(\223w)o(ak)o(eup)f(predicates\224)g(has)i (forcefully)c(dri)n(v)o(en)i(home)g(the)h(adv)n(antages)e(of)i(e)o (xposing)e(k)o(ernel)i(data)f(structures.)0 3333 y(Frequently)-5 b(,)15 b(we)h(ha)n(v)o(e)g(required)f(unusual)g(information)f(about)h (the)h(system.)28 b(In)17 b(all)f(cases,)i(this)f(information)d(w)o(as) 
j(already)e(pro)o(vided)0 3433 y(by)20 b(the)g(k)o(ernel)f(data)h (structures.)125 3532 y Fo(The)f(CPU)g(interface.)28 b Fp(The)18 b(combination)e(of)j(time)g(slices,)g (initiation/termination)d(upcalls,)j(and)f(directed)f(yields)i(has)g (pro)o(v)o(en)0 3632 y(its)29 b(v)n(alue)f(repeatedly)-5 b(.)52 b(\(Subsequent)26 b(to)j(our)f(w)o(ork,)h(others)f(ha)n(v)o(e)g (found)f(these)h(primiti)n(v)o(es)g(useful)g([35)n(].\))54 b(W)-7 b(e)30 b(ha)n(v)o(e)d(used)i(the)0 3732 y(primiti)n(v)o(es)k (for)h(inter)n(\255process)e(communication)g(optimization)g(\(e.g.,)k (tw)o(o)f(applications)e(communicating)e(through)h(a)i(shared)0 3831 y(message)20 b(queue)f(can)h(yield)g(to)g(each)g(other\),)f (global)g(gang\255scheduling,)d(and)k(rob)n(ust)f(critical)i(sections)f (\(see)g(belo)n(w\).)125 3931 y Fo(Libraries)h(ar)o(e)g(simpler)h(than) f(k)o(er)o(nels.)32 b Fp(The)21 b(\223edit,)g(compile,)f(deb)n(ug\224)g (c)o(ycle)g(of)h(applications)f(is)i(considerably)d(f)o(aster)i(than)0 4031 y(the)h(\223edit,)g(compile,)g(reboot,)f(deb)n(ug\224)f(c)o(ycle)i (of)g(k)o(ernels.)34 b(A)23 b(practical)e(bene\002t)h(of)g(placing)f (OS)i(functionality)c(in)k(libraries)e(is)i(that)0 4130 y(the)h(\223reboot\224)e(is)j(replaced)d(by)h(\223relink.)-6 b(\224)39 b(Accumulated)22 b(o)o(v)o(er)h(man)o(y)f(iterations,)i(this) h(replacement)d(reduces)h(de)n(v)o(elopment)d(time)0 4230 y(substantially)-5 b(.)42 b(Additionally)-5 b(,)24 b(the)h(f)o(act)g(that)g(the)g(library)f(is)i(isolated)f(from)f(the)h (rest)g(of)g(the)g(system)g(allo)n(ws)g(easy)g(deb)n(ugging)e(of)0 4329 y(basic)d(abstractions.)29 b(Untrusted)19 b(user)n(\255le)n(v)o (el)g(serv)o(ers)h(in)g(microk)o(ernel\255based)d(systems)j(also)h(ha)n (v)o(e)f(this)g(bene\002t.)0 4542 y Fq(7.2.2)99 b(Costs)0 4689 y Fp(Exok)o(ernels)18 b(are)j(not)e(a)i(panacea.)28 b(This)20 b(section)g(lists)i(some)e(of)g(the)g(costs)h(we)g(ha)n(v)o (e)e(encountered.)125 4789 y Fo(Exok)o(er)o(nel)k(interface)g(design)h (is)h(not)f(simple.)41 b Fp(The)23 
b(goal)h(of)f(an)h(e)o(xok)o(ernel)d (system)j(is)h(for)e(pri)n(vile)o(ged)f(softw)o(are)h(to)h(e)o(xport)0 4889 y(interf)o(aces)19 b(that)h(let)g(unpri)n(vile)o(ged)c (applications)i(manage)h(their)g(o)n(wn)g(resources.)28 b(At)20 b(the)f(same)h(time,)g(these)f(interf)o(aces)g(must)h(of)n(fer) 0 4988 y(rich)i(enough)e(protection)h(that)h(libOSes)h(can)f(assure)h (themselv)o(es)f(of)g(in)m(v)n(ariants)f(on)h(high\255le)n(v)o(el)e (abstractions.)35 b(It)22 b(generally)f(tak)o(es)0 5088 y(se)n(v)o(eral)c(iterations)g(to)h(obtain)f(a)h(satisf)o(actory)f (interf)o(ace,)g(as)i(the)e(designer)g(struggles)g(to)h(increase)f(po)n (wer)f(and)i(remo)o(v)o(e)d(unnecessary)p 0 5159 1560 4 v 90 5214 a Fh(1)120 5238 y Fg(John)i(Jannotti)i(in)e(our)g(group)h (has)f(be)o(gun)h(the)f(process)h(of)f(inte)o(grating)j(e)o(xok)o (ernel)g(disk)e(and)f(netw)o(ork)i(interf)o(aces)h(into)e(Linux.)1908 5589 y Fp(68)p eop %%Page: 69 70 69 69 bop 0 83 a Fp(functionality)17 b(while)j(still)g(pro)o(viding)d (the)i(necessary)g(le)n(v)o(el)g(of)g(protection.)27 b(Most)20 b(of)f(our)g(major)g(e)o(xok)o(ernel)e(interf)o(aces)i(ha)n (v)o(e)g(gone)0 183 y(through)f(multiple)i(designs)f(o)o(v)o(er)g(se)n (v)o(eral)h(years.)125 282 y Fo(Inf)n(ormation)25 b(loss.)50 b Fp(V)-9 b(aluable)26 b(information)f(can)h(be)h(lost)h(by)e (implementing)f(OS)i(abstractions)f(at)i(application)d(le)n(v)o(el.)49 b(F)o(or)0 382 y(instance,)28 b(if)f(virtual)f(memory)e(and)j(the)f (\002le)h(system)g(are)g(completely)e(at)i(application)e(le)n(v)o(el,)j (the)f(e)o(xok)o(ernel)d(may)i(be)h(unable)e(to)0 482 y(distinguish)f(pages)g(used)g(to)h(cache)f(disk)h(blocks)f(and)g (pages)g(used)h(for)f(virtual)g(memory)-5 b(.)40 b(Glaze,)26 b(the)e(Fugu)g(e)o(xok)o(ernel,)g(has)h(the)0 581 y(additional)19 b(complication)f(that)i(it)g(cannot)f(distinguish)g(such)h(uses)g(from) f(the)h(physical)f(pages)g(used)h(for)f(b)n(uf)n(fering)f(messages)i ([60)o(].)0 681 y(Frequently\255used)i(information)h(can)h(often)h(be)f 
(deri)n(v)o(ed)g(with)h(little)h(ef)n(fort.)42 b(F)o(or)25 b(e)o(xample,)f(if)h(page)g(tables)g(are)g(managed)e(by)i(the)0 780 y(application,)19 b(the)i(e)o(xok)o(ernel)e(can)i(approximate)e(LR) m(U)i(page)f(ordering)f(by)i(tracking)e(the)i(insertion)g(of)f (translations)h(into)f(the)h(TLB.)0 880 y(Ho)n(we)n(v)o(er)m(,)d(at)j (the)f(v)o(ery)f(least,)i(this)f(inference)f(requires)g(thought.)125 980 y Fo(Self\255paging)i(libOSes.)37 b Fp(Self\255paging)20 b(is)j(dif)n(\002cult)f(\(only)f(a)i(fe)n(w)g(commercial)d(operating)h (systems)i(page)f(their)g(k)o(ernel\).)35 b(Self\255)0 1079 y(paging)21 b(libOSes)j(are)f(e)n(v)o(en)f(more)g(dif)n(\002cult)g (because)g(paging)g(can)h(be)g(caused)f(by)g(e)o(xternal)g(entities)h (\(e.g.,)g(the)g(k)o(ernel)f(touching)f(a)0 1179 y(paged\255out)f(b)n (uf)n(fer)i(that)h(a)g(libOS)g(pro)o(vided\).)34 b(Careful)23 b(planning)e(is)i(necessary)f(to)h(ensure)f(that)h(libOSes)h(can)e (quickly)g(select)h(and)0 1279 y(return)h(a)i(page)e(to)i(the)f(e)o (xok)o(ernel,)f(and)h(that)h(there)e(is)j(a)e(f)o(acility)h(to)f(sw)o (ap)h(in)f(processes)g(without)g(kno)n(wledge)e(of)i(their)g(internals) 0 1378 y(\(otherwise)19 b(virtual)h(memory)e(customization)h(will)i(be) f(infeasible\).)0 1586 y Fq(7.2.3)99 b(Lessons)0 1734 y Fo(Pr)o(o)o(vide)16 b(space)i(f)n(or)f(application)g(data)g(in)h(k)o (er)o(nel)g(structur)o(es.)28 b Fp(LibOSes)18 b(are)f(often)g(easier)h (to)f(de)n(v)o(elop)f(if)i(the)o(y)f(can)g(store)g(shared)0 1833 y(state)22 b(in)f(k)o(ernel)f(data)h(structures.)31 b(In)21 b(particular)m(,)e(this)j(ability)e(can)h(simplify)g(the)g (task)g(of)g(locating)f(shared)g(state)i(and)e(often)h(a)n(v)n(oids)0 1933 y(a)o(wkw)o(ard)e(\(and)h(comple)o(x\))e(replication)h(of)h(inde)o (xing)f(structures)g(at)i(the)g(application)e(le)n(v)o(el.)29 b(F)o(or)20 b(e)o(xample,)f(Xok)h(lets)h(libOSes)g(use)0 2032 y(the)f(softw)o(are\255only)e(bits)j(of)f(page)f(tables,)i (greatly)e(simplifying)g(the)h(implementation)e(of)i(cop)o(y)f(on)h (write.)125 2132 y 
Fo(F)n(ast)f(applications)h(do)h(not)f(r)o(equir)o (e)f(good)h(micr)o(obenchmark)f(perf)n(ormance.)28 b Fp(The)20 b(main)g(bene\002t)g(of)g(an)g(e)o(xok)o(ernel)e(is)j(not)0 2232 y(that)28 b(it)h(mak)o(es)e(primiti)n(v)o(e)g(operations)f(ef)n (\002cient,)j(b)n(ut)f(that)g(it)h(gi)n(v)o(es)e(applications)g (control)g(o)o(v)o(er)f(e)o(xpensi)n(v)o(e)g(operations)g(such)i(as)0 2331 y(I/O.)23 b(It)h(is)g(this)g(control)f(that)g(gi)n(v)o(es)g(order) f(of)h(magnitude)f(performance)e(impro)o(v)o(ements)h(to)j (applications,)e(not)h(f)o(ast)h(system)g(calls.)0 2431 y(W)-7 b(e)28 b(hea)n(vily)d(tuned)h(Ae)o(gis)g(to)h(achie)n(v)o(e)e(e) o(xcellent)h(microbenchmark)c(performance.)45 b(Xok,)28 b(on)e(the)g(other)g(hand,)h(is)g(completely)0 2531 y(untuned.)g(Ne)n (v)o(ertheless,)19 b(applications)g(perform)f(well.)125 2630 y Fo(Inexpensi)o(v)o(e)26 b(critical)f(sections)h(ar)o(e)e(useful) j(f)n(or)e(LibOSes.)46 b Fp(In)25 b(traditional)g(OSes,)i(ine)o(xpensi) n(v)o(e)c(critical)j(sections)f(can)h(be)0 2730 y(implemented)f(by)h (disabling)f(interrupts)h([10)o(].)48 b(ExOS)27 b(implements)e(such)h (critical)h(sections)g(by)f(disabling)g(softw)o(are)g(interrupts)0 2829 y(\(e.g.,)i(time)g(slice)g(termination)e(upcalls\).)51 b(Using)27 b(critical)h(sections)g(instead)f(of)g(locks)h(remo)o(v)o (es)e(the)h(need)g(to)h(communicate)d(to)0 2929 y(manage)17 b(a)h(lock,)g(to)g(trust)g(softw)o(are)f(to)h(acquire)f(and)h(release)g (locks)f(correctly)-5 b(,)17 b(and)g(to)h(use)g(comple)o(x)e (algorithms)h(to)h(reclaim)g(a)g(lock)0 3029 y(when)g(a)g(process)g (dies)h(while)f(still)h(holding)e(it.)29 b(This)18 b(approach)e(has)j (pro)o(v)o(en)d(to)i(be)g(similarly)g(useful)g(on)g(the)g(Fugu)f (multiprocessor;)0 3128 y(it)k(is)g(the)f(basis)h(of)f(Fugu')-5 b(s)20 b(f)o(ast)h(message)f(passing.)125 3228 y Fo(User)m(\255le)o(v)o (el)25 b(page)g(tables)h(ar)o(e)f(complex.)46 b Fp(If)26 b(page)f(tables)h(are)g(migrated)e(to)i(user)g(le)n(v)o(el)f(\(as)h(on) 
g(Ae)o(gis\),)g(a)h(concerted)d(ef)n(fort)0 3328 y(must)18 b(be)g(made)f(to)h(ensure)g(that)g(the)g(user')-5 b(s)18 b(TLB)g(re\002ll)h(handler)d(can)i(run)f(in)h(unusual)f(situations.)28 b(The)18 b(reason)f(is)i(not)f(performance,)0 3427 y(b)n(ut)25 b(that)g(the)f(naming)g(conte)o(xt)f(pro)o(vided)f(by)j(virtual)f (memory)f(mappings)g(is)j(a)f(requirement)d(for)j(most)f(useful)h (operations.)41 b(F)o(or)0 3527 y(e)o(xample,)23 b(in)g(the)h(case)g (of)f(do)n(wnloaded)e(code)i(run)f(in)i(an)g(interrupt)e(handler)m(,)g (if)i(the)f(k)o(ernel)g(is)h(not)g(willing)f(to)h(allo)n(w)f (application)0 3626 y(code)18 b(to)h(service)f(TLB)i(misses)f(then)g (there)f(are)h(man)o(y)e(situations)i(where)f(the)h(code)f(will)h(be)g (unable)e(to)i(mak)o(e)g(progress.)27 b(User)n(\255le)n(v)o(el)0 3726 y(page)d(tables)g(made)g(the)g(implementation)e(of)j(libOSes)f (trick)o(y)g(on)g(Ae)o(gis;)i(since)f(the)f(x86)g(has)g(hardw)o(are)f (page)h(tables,)h(this)g(issue)0 3826 y(disappeared)18 b(on)i(Xok/ExOS.)0 4101 y Fv(7.3)117 b(Conclusion)208 4287 y Fp(Our)19 b(in)m(v)o(entions)g(mirror)f(our)i(secret)g(wishes.) 30 b(La)o(wrence)19 b(Durrell)g(\(1912\2551990\))d(\223Mountoli)n(v)o (e\224)i(\(1959\))125 4443 y(This)30 b(thesis)h(proposes)d(and)i(e)n(v) n(aluates)f(the)i(e)o(xok)o(ernel)c(operating)i(system)h(architecture.) 
57 b(An)30 b(e)o(xok)o(ernel)e(gi)n(v)o(es)i(untrusted)0 4543 y(application)14 b(code)h(as)h(much)f(safe)h(control)e(o)o(v)o(er) g(resources)h(as)h(possible.)28 b(It)16 b(does)f(so)h(by)f(separating)g (management)e(from)i(protection.)0 4643 y(All)h(functionality)e (necessary)g(for)h(protection)f(resides)i(in)f(the)h(e)o(xok)o(ernel,)e (control)g(o)o(v)o(er)g(all)i(other)f(aspects)h(is)g(gi)n(v)o(en)e(to)i (applications.)0 4742 y(Ideally)-5 b(,)26 b(applications)f(can)h (safely)g(and)g(ef)n(\002ciently)f(perform)f(an)o(y)h(operation)g(that) h(a)h(pri)n(vile)o(ged)d(operating)g(system)i(can.)47 b(Thus,)0 4842 y(unlik)o(e)22 b(traditional)f(systems,)j(on)e(an)g(e)o (xok)o(ernel)e(system,)k(OS)f(softw)o(are)f(becomes:)33 b(\(1\))22 b(unpri)n(vile)o(ged,)e(\(2\))i(able)g(to)h(co\255e)o(xist)e (with)0 4941 y(other)h(implementations,)f(\(3\))h(modi\002able)f(and)h (deplo)o(yable)e(by)j(orders)e(of)h(magnitude)f(more)h(programmers.)33 b(W)-7 b(e)24 b(hope)d(that)i(this)0 5041 y(or)o(ganization)17 b(signi\002cantly)i(impro)o(v)o(es)f(operating)h(system)h(inno)o(v)n (ation.)125 5141 y(This)29 b(thesis)i(has)f(discussed)f(both)g(the)h(e) o(xok)o(ernel)d(architecture,)j(and)f(ho)n(w)g(to)h(apply)f(its)i (principles)d(in)i(practice,)h(dra)o(wing)0 5240 y(upon)20 b(e)o(xamples)f(from)h(tw)o(o)i(e)o(xok)o(ernel)c(systems.)32 b(These)21 b(systems)h(gi)n(v)o(e)e(signi\002cant)g(performance)e(adv)n (antages)i(to)h(aggressi)n(v)o(ely\255)0 5340 y(specialized)27 b(applications)f(while)h(maintaining)e(competiti)n(v)o(e)h(performance) e(on)j(unmodi\002ed)e(UNIX)i(applications,)h(e)n(v)o(en)e(under)1908 5589 y(69)p eop %%Page: 70 71 70 70 bop 0 83 a Fp(hea)n(vily)23 b(multi\255task)o(ed)g(w)o(orkloads.) 
38 b(Exok)o(ernels)22 b(also)i(simplify)f(the)h(job)f(of)g(operating)f (system)i(de)n(v)o(elopment)d(by)i(allo)n(wing)g(one)0 183 y(library)14 b(operating)e(system)j(to)g(be)f(de)n(v)o(eloped)f (and)h(deb)n(ugged)e(from)h(another)h(one)g(running)e(on)i(the)h(same)g (machine.)26 b(The)14 b(adv)n(antages)0 282 y(of)28 b(rapid)f (operating)f(system)i(de)n(v)o(elopment)d(e)o(xtend)h(be)o(yond)g (specialized)h(niche)h(applications.)51 b(Thus,)29 b(while)f(some)f (questions)0 382 y(about)17 b(the)g(full)h(implications)f(of)g(the)h(e) o(xok)o(ernel)e(architecture)g(remain)h(to)g(be)h(answered,)f(it)i(is)f (a)g(viable)g(approach)d(that)j(of)n(fers)f(man)o(y)0 482 y(adv)n(antages)i(o)o(v)o(er)f(con)m(v)o(entional)f(systems.)1908 5589 y(70)p eop %%Page: 71 72 71 71 bop 0 706 a Fj(Chapter)42 b(8)0 1121 y Fn(XN')-8 b(s)52 b(Interface)0 1553 y Fp(This)20 b(Chapter)g(describes)g(the)g (public)f(and)h(pri)n(vile)o(ged)e(XN)j(system)f(call)h(interf)o(ace.) 125 1652 y(A)c(number)e(of)i(routines)f(e)o(xpect)g(a)i(de)n(vice)e (number)g(\(an)g(inte)o(ger)g(of)h(type)g Fl(dev)p 2368 1652 22 4 v 26 w(t)p Fp(\),)h(which)f(names)f(an)h(acti)n(v)o(e)g (XN\255controlled)e(disk.)0 1752 y(This)k(name)g(is)h(implicit)g(in)f (the)g(disk)h(address)f(type,)f Fl(da)p 1615 1752 V 26 w(t)p Fp(,)j(a)e(64\255bit)f(inte)o(ger)h(that)g(encodes)f(the)i(de)n (vice)e(name,)h(disk)g(block,)f(and)h(byte)0 1851 y(of)n(fset)k(within) g(the)g(disk)h(block.)37 b(A)24 b(de)n(vice)f(corresponds)e(to)i(some)h (range)e(of)h(disk)g(blocks,)h(a)f(freemap)f(that)i(tracks)f(these)g (blocks,)0 1951 y(and)d(a)g(\223root)g(catalogue,)-6 b(\224)18 b(which)i(is)h(a)g(persistent)f(table)g(that)g(libFSes)h (install)g(types)f(and)f(\002le)i(system)g(roots)f(into.)125 2051 y(In)g(general,)h(an)o(y)f(XN)i(system)f(call)h(f)o(ails)g(if:)31 b(\(1\))21 b(a)g(libFS\255supplied)f(capability)g(is)j(insuf)n (\002cient,)d(\(2\))g(a)i(libFS\255supplied)e(pointer)0 2150 y(is)h(bogus)e(\(i.e.,)h(not)f(readable)g(or)m(,)g(for)h 
(modi\002cations,)e(not)i(writeable\),)f(or)h(\(3\))f(a)i (libFS\255supplied)d(name)i(is)h(bogus)e(\(e.g.,)g(an)h(in)m(v)n(alid)0 2250 y(disk)h(block)e(name,)h(an)h(in)m(v)n(alid)e(root)h(catalogue)f (entry)h(character)f(string,)i(etc.\).)30 b(T)-7 b(o)21 b(sa)n(v)o(e)f(space,)h(we)g(do)f(not)g(mention)g(these)g(errors)0 2350 y(further)-5 b(.)125 2449 y(W)e(e)22 b(elide)g(the)f(details)h(of) f(mapping)f(XN)h(data)h(structures)f(and)g(b)n(uf)n(fer)f(cache)h (entries,)g(since)h(the)o(y)e(are)i(speci\002c)f(to)h(the)g(hosting)0 2549 y(OS')-5 b(s)21 b(virtual)f(memory)e(interf)o(ace)i(rather)f(than) h(XN)g(itself.)0 2789 y Fv(A)116 b(Pri)o(vileged)29 b(system)f(calls)0 2975 y Fp(Only)20 b(the)g(k)o(ernel)f(or)h(pri)n(vile)o(ged)e (applications)h(can)h(use)h(the)f(follo)n(wing)f(system)h(calls.)0 3181 y Fq(A.1)99 b(XN)25 b(initialization)f(and)h(shutdo)o(wn)0 3329 y Fp(The)20 b(follo)n(wing)e(three)i(routines)f(are)i(used)e(to)i (initialize)f(and)g(cleanly)f(shutdo)n(wn)g(an)h(XN\255controlled)e (disk.)0 3428 y Fl(xn)p 78 3428 V 26 w(err)p 185 3428 V 27 w(t)i(sys)p 344 3428 V 26 w(xn)p 444 3428 V 26 w(init\(dev)p 696 3428 V 27 w(t)g(dev\);)332 3566 y Fp(Initialize)36 b(XNdisk)h Fl(dev)p Fp(.)79 b(F)o(ails)38 b(if)f(the)f(disk)h(w)o(as)g (not)f(cleanly)g(shutdo)n(wn,)j(in)d(which)h(case)f(the)h(XN)g(disk)208 3665 y(reconstruction)17 b(program)h(must)j(be)f(run)f(in)h(order)f(to) i(\002nd)f(all)g(XN)h(in)m(v)n(ariant)e(violations.)0 3803 y Fl(xn)p 78 3803 V 26 w(err)p 185 3803 V 27 w(t)h(sys)p 344 3803 V 26 w(xn)p 444 3803 V 26 w(shutdown\(dev)p 902 3803 V 29 w(t)g(dev\);)332 3940 y Fp(Clean)25 b(shutdo)n(wn)e(of)h (an)h(disk)f Fl(dev)p Fp(.)44 b(F)o(ails)26 b(if)f(an)o(y)e(blocks)h (in)h(the)g(b)n(uf)n(fer)e(cache)h(contain)g(violations.)41 b(Before)24 b(it)208 4040 y(can)c(proceed)e(the)i(in)m(v)n(ok)o(er)f (must)h(iterati)n(v)o(ely)f(\003ush)h(the)h(b)n(uf)n(fer)d(cache)i(to)h (remo)o(v)o(e)d(these)i(blocks.)0 4177 y Fl(dev)p 113 4177 V 26 w(t)g(sys)p 271 4177 V 27 
w(xn)p 372 4177 V 26 w(format\(void\);)332 4314 y Fp(Prepare)f(a)i(ne)n(w)f(disk)g(for)g (XN;)g(returns)g(the)g(de)n(vice)f(number)g(of)h(the)g(disk.)29 b(Currently)-5 b(,)18 b(it)j(al)o(w)o(ays)g(succeeds.)0 4559 y Fq(A.2)99 b(Reconstruction)0 4706 y Fp(The)20 b(follo)n(wing)e(tw)o(o)j(functions)e(are)h(used)g(by)f(pri)n(vile)o (ged)g(reconstruction)e(programs:)0 4805 y Fl(db)p 82 4805 V 26 w(t)j(sys)p 240 4805 V 27 w(db)p 345 4805 V 25 w(alloc\(dev)p 639 4805 V 27 w(t)g(dev)-5 b(,)20 b(db)p 931 4805 V 26 w(t)g(db,)g(size)p 1227 4805 V 26 w(t)g(n\);)332 4943 y Fp(F)o(orces)g(the)g(e)o(xtent)g Fl([db,)g(db+n\))i Fp(on)e(disk)g Fl(dev)i Fp(to)e(be)g(tak)o(en)g(of)n(f)f(of)h(the)g (freelist.)0 5080 y Fl(xn)p 78 5080 V 26 w(err)p 185 5080 V 27 w(t)g(sys)p 344 5080 V 26 w(xn)p 444 5080 V 26 w(mod)p 607 5080 V 26 w(r)o(efcnt\(da)p 903 5080 V 29 w(t)g(da,)g(int)g(delta\);)332 5218 y Fp(Alters)h Fl(da)p Fp(')-5 b(s)21 b(reference)e(count)g(by)h Fl(delta)p Fp(.)125 5355 y(Currently)-5 b(,)18 b(the)i(error)f(log)h(routines)f (are)h(in)h(\003ux.)29 b(W)-7 b(e)21 b(elide)f(them)g(here.)1908 5589 y(71)p eop %%Page: 72 73 72 72 bop 0 83 a Fv(B)116 b(Public)28 b(system)h(calls)0 269 y Fp(The)20 b(follo)n(wing)e(system)j(calls)g(are)f(intended)f(for) g(use)i(by)e(an)o(y)h(libFS.)0 506 y Fq(B.1)100 b(Cr)n(eating)25 b(types)0 662 y Fp(The)20 b(follo)n(wing)e(three)i(system)h(calls)f (are)h(used)f(to)g(create)g(the)g(types)g(for)g(a)g(ne)n(w)g(ne)n(w)g (libFS.)0 762 y Fl(xn)p 78 762 22 4 v 26 w(err)p 185 762 V 27 w(t)g(sys)p 344 762 V 26 w(install)p 542 762 V 26 w(mount\(dev)p 899 762 V 28 w(t)g(dev)-5 b(,)20 b(char)h(*name,)f(db)p 1588 762 V 26 w(t)g(*db,)g(size)p 1923 762 V 26 w(t)g(nelem,)g(xn)p 2290 762 V 26 w(elem)p 2461 762 V 25 w(t)g(t,)g(cap)p 2697 762 V 26 w(t)g(c\);)332 928 y Fp(Allocate)f(the)h(e)o(xtent)f Fl([db,)g(db+nelem*sizeof)j(t\))f Fp(on)e(disk)h Fl(dev)g Fp(and)f(associate)h(it)g(with)g Fl(name)h Fp(in)e(the)h(root)f(catalogue.)208 1027 y(If)31 b Fl(db)p Fp(')-5 
b(s)33 b(v)n(alue)d(is)j Fl(0)p Fp(,)i(then)c(the)g (k)o(ernel)g(decides)g(what)g(e)o(xtent)g(to)h(allocate)f(and)g(writes) h(the)f(allocated)g(block)f(into)208 1127 y Fl(db)p Fp(.)49 b(LibFSes)27 b(use)g(this)g(system)g(call)g(to)g(install)g(both)f (install)h(\002le)g(system)g(roots)f(and)g(types.)49 b(On)26 b(reboot,)h(the)g(XN)208 1226 y(reconstructor)j(loads)j(the)h (catalogue)e(and)g(tra)n(v)o(erses)h(\002le)h(systems)g(from)e(these)h (roots,)j(garbage)31 b(collecting)i(and)208 1326 y(performing)15 b(consistenc)o(y)h(checks.)28 b(The)18 b(entry)f(can)h(be)g(modi\002ed) f(for)g(applications)g(that)i(possess)f Fl(cap)p Fp(.)30 b(The)18 b(call)g(f)o(ails)208 1426 y(if)i(an)o(y)f(block)h(in)g(the)g (e)o(xtent)g(has)g(already)f(been)h(allocated,)f(if)h Fl(type)i Fp(is)g(in)m(v)n(alid,)c Fl(name)k Fp(or)e Fl(db)h Fp(are)f(not)g(readable.)0 1592 y Fl(xn)p 78 1592 V 26 w(err)p 185 1592 V 27 w(t)g(sys)p 344 1592 V 26 w(type)p 502 1592 V 27 w(import\(dev)p 860 1592 V 28 w(t)g(dev)-5 b(,)20 b(char)h(*type)p 1395 1592 V 27 w(name\);)332 1758 y Fp(Con)m(v)o(erts)i(the)i(root)f(catalogue)f (entry)h Fl(name)i Fp(in)e Fl(dev)p Fp(')-5 b(s)27 b(root)c(catalogue)h (from)f(a)i(disk)g(block)e(e)o(xtent)h(to)h(an)f(actual)208 1857 y(type.)51 b(It)28 b(f)o(ails)g(if)h(name)e(does)g(not)h(e)o (xist,)h(the)f(blocks)f(are)h(not)f(\223ra)o(w\224)g(disk)h(blocks)f (\(i.e.,)i(of)f(type)f Fl(XN)p 3305 1857 V 26 w(DB)p Fp(\),)h(or)f(the)208 1957 y(contents)19 b(of)h(the)g(e)o(xtent)g(form) f(an)h(in)m(v)n(alid)f(type.)0 2123 y Fl(xn)p 78 2123 V 26 w(err)p 185 2123 V 27 w(t)h(sys)p 344 2123 V 26 w(r)o(eserve)p 582 2123 V 29 w(type\(dev)p 875 2123 V 28 w(t)g(dev)-5 b(,)20 b(char)h(*name\);)332 2289 y Fp(Reserv)o(e)27 b(a)h(slot)g(for)e(an)h(as\255yet\255unspeci\002ed)e(type)i(in)h Fl(dev)p Fp(')-5 b(s)29 b(root)d(catalogue.)49 b(This)28 b(call)f(is)i(used)e(to)g(construct)208 2389 y(mutually)19 b(recursi)n(v)o(e)f(types.)125 2555 y(T)-7 b(o)20 b(create)g(a)g(ne)n 
(w)g(type,)g(the)g(libFS)h(performs)d(the)j(follo)n(wing)d(four)h (steps:)104 2721 y(1.)41 b(Allocates)26 b(space)f(for)h(it)g(on)g(disk) f(and)h(installs)h(it)f(in)g(the)g(root)f(catalogue)g(using)g Fl(sys)p 2732 2721 V 27 w(install)p 2931 2721 V 26 w(mount)p Fp(.)47 b(The)26 b(v)n(alue)f(of)h Fl(type)h Fp(in)208 2820 y(this)20 b(installation)g(is)g Fl(XN)p 911 2820 V 26 w(DB)p Fp(,)g(indicating)f(the)h(blocks)f(are)h(simple)g(disk)g (blocks.)28 b(If)20 b(the)g(type)f(is)i(in)m(v)n(olv)o(ed)d(part)i(of)f (a)i(mutually)208 2920 y(recursi)n(v)o(e)e(speci\002cation)h(\(which)g (can)g(happen)f(when)h(the)h(type)f(is)i(a)f(composite)f(type\),)f(the) i(libFS)g(can)g(use)g Fl(sys)p 3504 2920 V 26 w(r)o(eserve)p 3742 2920 V 29 w(type)208 3020 y Fp(to)c(reserv)o(e)e(the)i(type)g (names)f(for)g(these)h(other)f(types,)i(as)f(well)h(as)f(getting)f (their)h(type)f(id)h(\(an)g(inte)o(ger)e(assigned)i(by)f(the)h(k)o (ernel\),)208 3119 y(which)i(is)i(needed)e(by)h(the)g(type')-5 b(s)20 b Fl(owns)i Fp(UDF)f(to)f(compute)f(the)h(typed)f(block)g(set)i (that)g(it)g(outputs.)104 3285 y(2.)41 b(Initializes)20 b(these)g(blocks)g(using)f Fl(sys)p 1278 3285 V 27 w(xn)p 1379 3285 V 26 w(writeb)j Fp(\(discussed)d(belo)n(w\))g(to)i(the)f (contents)f(in)i(ths)f(types)g(\223type)g(structure,)-6 b(\224)19 b(which)208 3385 y(holds)g(the)h Fl(owns)i Fp(UDF)-7 b(,)21 b(the)f Fl(r)o(efcnt)k Fp(UDF)-7 b(,)20 b(and)g(other)f(information.)104 3551 y(3.)41 b(Writes)21 b(these)f(blocks)g(back)f(to)h(disk)h(\(the)e(follo)n(wing)g(step)h(f)o (ails)h(if)g(the)o(y)e(are)h(dirty\).)104 3717 y(4.)41 b(Finally)-5 b(,)15 b(it)h(uses)f Fl(sys)p 788 3717 V 27 w(type)p 947 3717 V 27 w(import)h Fp(to)f(con)m(v)o(ert)e(the)i (blocks)g(from)f(generic)g(blocks)g(to)h(an)g(XN)h(recognized)d(type.) 
27 b Fl(sys)p 3519 3717 V 26 w(type)p 3677 3717 V 27 w(import)208 3817 y Fp(performs)18 b(consistenc)o(y)g(checks)i(on)f (the)h(type)f(data)h(structure)f(\(e.g.,)g(that)h(the)g(contained)e (UDFs)j(are)f(deterministic,)f(that)h(the)208 3916 y(partitions)c(are)g (sensible\))h(and,)f(if)h(the)g(checks)f(succeed,)h(changes)f(the)g (type)h(cataglogue)e(entry)g(to)i(be)g(of)f(type)h Fl(XN)p 3511 3916 V 25 w(TYPE)h Fp(rather)208 4016 y(than)h Fl(XN)p 469 4016 V 26 w(DB)p Fp(.)0 4182 y(At)i(this)f(point,)g(the)g(libFS)h (can)f(create)g(and)f(point)h(to)g(blocks)g(of)f(the)i(ne)n(w)f(type.)0 4420 y Fq(B.2)100 b(Cr)n(eating)25 b(and)h(deleting)f(\002le)g(system)g (tr)n(ees)0 4575 y Fp(T)-7 b(o)24 b(create)g(a)h(ne)n(w)f(\002le)g (system,)h(the)g(libFS)f(installs)h(the)f(root)g(of)g(the)g(tree)g (using)f Fl(sys)p 2505 4575 V 27 w(install)p 2704 4575 V 26 w(mount)p Fp(.)42 b(T)-7 b(o)25 b(load)e(an)h(already)f(e)o (xisting)0 4675 y(one)d(from)f(disk)h(into)g(the)g(b)n(uf)n(fer)f (cache)h(it)h(can)f(use)g(the)g(follo)n(wing)f(tw)o(o)h(functions:)0 4775 y Fl(xn)p 78 4775 V 26 w(err)p 185 4775 V 27 w(t)g(sys)p 344 4775 V 26 w(xn)p 444 4775 V 26 w(mount\(dev)p 801 4775 V 28 w(t)g(dev)-5 b(,)20 b(struct)i(r)o(oot)p 1327 4775 V 27 w(entry)g(*r)-6 b(,)20 b(char)h(*name,)f(cap)p 2128 4775 V 26 w(t)g(c\);)332 4941 y Fp(Bootstrap)i(the)g(\002le)h (system)f(tree)g(by)g(inserting)f(the)h(type)g Fl(name)p Fp(')-5 b(s)24 b(block)d(e)o(xtent)g(into)h(the)g(b)n(uf)n(fer)f (cache:)33 b(getting)208 5040 y(the)16 b(types)f(for)h(the)g(rest)g(of) g(the)g(\002le)g(system)g(tree)g(can)g(be)g(done)f(by)g(recursi)n(v)o (ely)f(applying)g(the)i(associated)g Fl(owns)h Fp(UDF)g(to)208 5140 y(the)j(root)g(and)g(its)i(children.)28 b(The)21 b(call)g(writes)g(the)f(root)g(catalogue)f(entry)h(into)g Fl(r)p Fp(,)i(and)e(then)g(annotates)g(the)g(associated)208 5240 y(entries)g(in)h(the)g(b)n(uf)n(fer)e(cache)h(with)h(the)g(gi)n(v) o(en)e(type.)30 b(F)o(ails)22 b(if)f Fl(name)h Fp(name)e(does)g(not)h 
(e)o(xist,)f(or)h(the)g(e)o(xtent)f(pointed)f(to)208 5339 y(by)g(the)i(root)e(catalogue)g(entry)g(is)i(not)f(in)h(the)f(b)n (uf)n(fer)f(cache)g(re)o(gistry)-5 b(.)1908 5589 y(72)p eop %%Page: 73 74 73 73 bop 208 133 a Fl(/)p Ff(\003)21 b Fl(specify)h(xn)g(operations)i (that)f(involve)f(UDFs.)f Ff(\003)p Fl(/)208 232 y(struct)i(xn)p 475 232 22 4 v 26 w(op)f(\340)377 332 y(/)p Ff(\003)f Fl(Specify)i(what)f(extent)h(will)d(be)i(allocated/fr)o(eed/r)o(ead.)k Ff(\003)p Fl(/)377 432 y(struct)e(xn)p 645 432 V 26 w(update)e(\340)546 531 y(size)p 659 531 V 26 w(t)g(own)p 863 531 V 26 w(id;)211 b(/)p Ff(\003)21 b Fl(id)g(of)h(the)g(udf)g(to)g(run.)g Ff(\003)p Fl(/)546 631 y(cap)p 655 631 V 27 w(t)64 b(cap;)281 b(/)p Ff(\003)21 b Fl(capability)h(to)g(use)g(for)h(access.)g Ff(\003)p Fl(/)546 830 y(db)p 628 830 V 26 w(t)f(db;)242 b(/)p Ff(\003)21 b Fl(base)i(\343)e(all)g(objects)i(ar)o(e)g(sector)g (aligned.)e Ff(\003)p Fl(/)546 930 y(size)p 659 930 V 26 w(t)h(nelem;)105 b(/)p Ff(\003)21 b Fl(number)i(of)f(elements)h(of)f (type.)g Ff(\003)p Fl(/)546 1029 y(xn)p 624 1029 V 26 w(elem)p 795 1029 V 26 w(t)f(type;)h(/)p Ff(\003)f Fl(type)i Ff(\003)p Fl(/)377 1129 y(\341)f(u;)377 1328 y(/)p Ff(\003)408 1428 y(\003)f Fl(Specify)i(update)g(to)f(a)f(piece)h(of)g (meta\343data.)44 b(Semantics:)408 1528 y Ff(\003)148 b Fl(memcpy\(\(char)24 b Ff(\003)p Fl(\)meta)e(+)g(of)o(fset,)h(addr)-6 b(,)22 b(nbytes\);)408 1627 y Ff(\003)f Fl(Ignor)o(ed)i(for)f(r)o (eads.)408 1727 y Ff(\003)p Fl(/)377 1826 y(struct)i(xn)p 645 1826 V 26 w(m)p 730 1826 V 25 w(vec)e(\340)546 1926 y(size)p 659 1926 V 26 w(t)56 b(of)o(fset;)c(/)p Ff(\003)21 b Fl(what)h(of)o(fset)i(in)d(the)h(type)g Ff(\003)p Fl(/)546 2026 y(void)85 b Ff(\003)p Fl(addr;)43 b(/)p Ff(\003)21 b Fl(ptr)i(to)e(value)h(to)g(copy)h(ther)o(e)g Ff(\003)p Fl(/)546 2125 y(size)p 659 2125 V 26 w(t)56 b(nbytes;)377 2225 y(\341)22 b Ff(\003)p Fl(mv;)377 2325 y(size)p 490 2325 V 26 w(t)g(n;)317 b(/)p Ff(\003)21 b Fl(number)i(of)f(elements)g (in)f(mv)h 
Ff(\003)p Fl(/)208 2424 y(\341;)1262 2823 y Fp(Figure)d(8\2551:)29 b(Metadata)20 b(operation)e(structure.)0 3090 y Fl(xn)p 78 3090 V 26 w(err)p 185 3090 V 27 w(t)i(sys)p 344 3090 V 26 w(type)p 502 3090 V 27 w(mount\(dev)p 860 3090 V 28 w(t)g(dev)-5 b(,)20 b(char)h(*type)p 1395 3090 V 27 w(name\);)332 3256 y Fp(Similar)f(to)g Fl(sys)p 775 3256 V 27 w(xn)p 876 3256 V 26 w(mount)p Fp(,)h(e)o(xcept)e(that)h (it)g(annotates)f(a)h(a)h Fl(type)p 2171 3256 V 26 w(name)p Fp(')-5 b(s)22 b(cached)d(blocks)g(as)i(holding)d(an)h(XN)i(type.)208 3356 y(It)h(f)o(ails)h(if)g(the)g(gi)n(v)o(en)e(name)g(does)i(not)f(e)o (xist)g(in)h(the)f(root)g(catalogue,)f(is)j(not)e(a)h(type,)f(or)g(if)h (the)f(blocks)g(are)g(not)g(in)h(the)208 3455 y(b)n(uf)n(fer)18 b(cache.)125 3621 y(T)-7 b(o)19 b(use)g(a)g(\002le)h(system)f(tree,)g (the)g(\002le)h(system)f(root)g(and)f(an)o(y)g(types)h(it)h(needs)e (must)h(\002rst)h(be)f(loaded)f(into)h(the)g(b)n(uf)n(fer)f(cache)g (using)0 3721 y Fl(sys)p 93 3721 V 27 w(xn)p 194 3721 V 26 w(r)o(ead)p 351 3721 V 27 w(and)p 491 3721 V 26 w(insert)27 b Fp(\(discussed)d(belo)n(w\).)41 b(Then,)25 b Fl(sys)p 1677 3721 V 27 w(xn)p 1778 3721 V 26 w(mount)h Fp(annotates)e(these)h(disk)f(blocks)g(with)h(the)g(type)f(gi)n(v)o(en) g(by)g(their)0 3821 y(root)c(catalogue)e(entry)i(\(for)f(the)h(root,)f (its)j(synthetic)d(libFS)i(type,)e(for)h(types)g(themselv)o(es)f Fl(XN)p 2732 3821 V 26 w(TYPE)p Fp(\).)125 3920 y(T)-7 b(ypes)20 b(and)f(roots)h(can)g(be)g(remo)o(v)o(ed)e(from)h(the)h(root) g(catalogue)f(using:)0 4020 y Fl(xn)p 78 4020 V 26 w(err)p 185 4020 V 27 w(t)h(sys)p 344 4020 V 26 w(uninstall)p 620 4020 V 27 w(mount\(dev)p 978 4020 V 27 w(t)h(dev)-5 b(,)19 b(char)i(*name,)f(cap)p 1693 4020 V 27 w(t)g(c\);)332 4186 y Fp(Delete)e(root)f(catalogue)g(entry)g Fl(name)i Fp(on)e Fl(dev)p Fp(.)30 b(F)o(ails)18 b(if)g Fl(name)h Fp(is)g(a)f(\002le)h(system)f(root)f(that)h(contains)f(child)g (pointers,)208 4285 y(or)22 b(is)h(a)f(type)g(with)g(cached)g(blocks.) 
34 b(If)22 b(a)h(type)f(is)h(deleted)f(that)g(is)h(used)f(by)g(some)g (non\255cached)d(meta)k(data)f(instance,)208 4385 y(then)e(that)h(meta) g(data')-5 b(s)21 b Fl(owns)h Fp(function)d(will)j(f)o(ail)f(\(as)g (will)h(the)e(system)h(call)h(using)e Fl(owns)p Fp(\).)32 b(A)21 b(better)g(solution)f(w)o(ould)208 4485 y(be)e(to)h(count)f(ho)n (w)g(man)o(y)f(blocks)h(of)h(a)g(gi)n(v)o(en)e(type)i(e)o(xist)f(and)h (only)e(allo)n(w)i(the)g(type)f(to)h(be)f(deleted)h(when)f(there)g(are) g(no)208 4584 y(more)h(blocks)g(of)h(its)i(type.)0 4863 y Fq(B.3)100 b(Buffer)26 b(cache)g(operations)0 5011 y Fp(The)20 b(structure)g Fl(xn)p 540 5011 V 26 w(op)h Fp(is)h(used)e(for)g(man)o(y)g(of)g(the)g(remaining)f(system)i(calls,)g (usually)f(to)h(specify)f(e)o(xtents,)g Fl(owns)i Fp(partition)d(id')-5 b(s,)21 b(and)0 5110 y(\(for)e(modi\002cation\))f(the)j(byte)e (range\(s\))g(to)h(modify)-5 b(.)28 b(Figure)19 b(8\2551)h(gi)n(v)o(es) f(its)i(ANSI)g(C)g(representation.)125 5210 y(The)16 b(follo)n(wing)g(tw)o(o)i(routines)e(are)h(used)g(to)g(bring)f(blocks)h (into)g(the)g(b)n(uf)n(fer)f(cache)h(and)g(prepare)e(them)i(for)g(use)g (and)g(delete)g(them:)0 5310 y Fl(xn)p 78 5310 V 26 w(err)p 185 5310 V 27 w(t)j(sys)p 344 5310 V 26 w(xn)p 444 5310 V 26 w(r)o(ead)p 601 5310 V 27 w(and)p 741 5310 V 26 w(insert\(dev)p 1062 5310 V 29 w(t)g(dev)-5 b(,)20 b(db)p 1356 5310 V 26 w(t)g(db,)f(size)p 1651 5310 V 27 w(t)h(nblocks,)g(xn)p 2061 5310 V 26 w(cnt)p 2180 5310 V 27 w(t)g(*cnt\);)1908 5589 y Fp(73)p eop %%Page: 74 75 74 74 bop 208 133 a Fl(struct)23 b(xn)p 475 133 22 4 v 26 w(iov)f(\340)377 232 y(xn)p 455 232 V 26 w(cnt)p 574 232 V 26 w(t)g Ff(\003)p Fl(cnt;)381 b(/)p Ff(\003)21 b Fl(Decr)o(emented)j(on)e(every)h(successul)h(io)p Ff(\003)p Fl(/)377 332 y(struct)g(xn)p 645 332 V 26 w(ioe)d(\340)546 432 y(db)p 628 432 V 26 w(t)h(db;)546 531 y(size)p 659 531 V 26 w(t)g(nblocks;)546 631 y(void)g Ff(\003)p Fl(addr;)275 b(/)p Ff(\003)22 b Fl(mem)f(to)h(write)g(fr)o(om/to.)h Ff(\003)p Fl(/)377 731 
y(\341)f(iov[1];)377 830 y(size)p 490 830 V 26 w(t)g(n)p 600 830 V 25 w(io;)423 b(/)p Ff(\003)21 b Fl(number)i(of)f(entries.)g Ff(\003)p Fl(/)208 930 y(\341;)1415 1328 y Fp(Figure)d(8\2552:)29 b(I/O)20 b(v)o(ector)f (structure.)332 1596 y(Read)28 b Fl([db,)h(db+nblocks\))i Fp(from)c(disk)h Fl(dev)i Fp(into)e(the)g(b)n(uf)n(fer)e(cache.)53 b Fl(cnt)29 b Fp(is)g(incremented)d(each)i(time)g(a)h(block)e(is)208 1695 y(brought)18 b(in.)29 b(F)o(ails)21 b(if)f(the)h(e)o(xtent)e(does) h(not)g(\002t)h(in)f(the)g(b)n(uf)n(fer)f(cache.)0 1861 y Fl(xn)p 78 1861 V 26 w(err)p 185 1861 V 27 w(t)h(sys)p 344 1861 V 26 w(xn)p 444 1861 V 26 w(insert)p 633 1861 V 27 w(attr\(da)p 861 1861 V 28 w(t)h(par)o(ent,)g(struct)h(xn)p 1429 1861 V 26 w(op)e(*op\);)313 2027 y(Install)29 b(the)g(type)h(of)f (the)g(buf)o(fer)h(cache)g(entry)g(using)f(the)h(par)o(ent)g(block)f (named)g(by)g(par)o(ent.)55 b(Allocation,)31 b(deletion)f(and)208 2127 y(r)o(eading)20 b(and)f(writing)h(all)e(perform)j(this)e(call)g (implicitly)f(since)i(they)g(r)o(equir)o(e)h(r)o(egistry)g(entries.)29 b(Fails)19 b(if)g(the)g(extent)i(speci\014ed)f(in)f(op)208 2226 y(is)g(not)i(guar)o(ded)h(by)e(the)h(sub-partition)h(speci\014ed)g (in)d(op.)0 2393 y(xn)p 78 2393 V 26 w(err)p 185 2393 V 27 w(t)h(sys)p 344 2393 V 26 w(xn)p 444 2393 V 26 w(delete)p 653 2393 V 27 w(attr\(dev)p 916 2393 V 28 w(t)h(dev)-5 b(,)19 b(db)p 1209 2393 V 26 w(t)h(db,)g(size)p 1505 2393 V 26 w(t)g(nblocks,)h(cap)p 1946 2393 V 26 w(t)f(cap\);)313 2559 y(Remove)f(the)g(buf)o(fer)h(cache)f(entries)h(for)f([db,)g (db+nblocks\))h(associated)h(with)d(disk)g(dev.)27 b(Fails)18 b(if)g(r)o(emoving)i(the)f(entry)g(would)208 2658 y(lead)h(to)g(an)g (invariant)h(violation)g(or)f(if)g(the)h(entry)g(is)f(in)f(use)i(by)f (some)g(other)i(application.)0 2824 y Fp(Importantly)-5 b(,)17 b(libFSes)22 b(can)e(fetch)g(an)o(y)f(block)h(e)o(xtent)f(into)i (the)f(b)n(uf)n(fer)f(cache.)29 b(The)o(y)20 b(only)f(need)h(to)h (locate)f(the)g(blocks)g(parent)f(\(and)0 2924 
y(thus)h(its)h(type)f (and)g(access)h(control)d(mechanism\))h(before)g(actually)g(reading)g (or)h(writing)g(the)g(cached)f(blocks.)125 3023 y(The)g(follo)n(wing)g (tw)o(o)h(functions)f(write)i(b)n(uf)n(fer)d(cache)i(entries)g(back)g (to)g(disk:)0 3123 y Fl(xn)p 78 3123 V 26 w(err)p 185 3123 V 27 w(t)g(sys)p 344 3123 V 26 w(xn)p 444 3123 V 26 w(writeback\(dev)p 894 3123 V 29 w(t)g(dev)-5 b(,)20 b(db)p 1188 3123 V 26 w(t)g(db,)g(size)p 1484 3123 V 26 w(t)g(nblocks,)h(xn)p 1894 3123 V 25 w(cnt)p 2012 3123 V 27 w(t)f(*cnt\);)313 3289 y(W)o(rites)h([db,)f(db)g(+)g (nblocks\))i(back)e(to)h(disk)f(dev.)28 b(Each)21 b(write)f(decr)o (ements)j(cnt.)0 3455 y(xn)p 78 3455 V 26 w(err)p 185 3455 V 27 w(t)d(sys)p 344 3455 V 26 w(xn)p 444 3455 V 26 w(writebackv\(dev)p 929 3455 V 29 w(t)g(dev)-5 b(,)20 b(struct)i(xn)p 1407 3455 V 26 w(iov)e(*iov\);)313 3621 y(W)o(rites)h(a)e(list)h(of)g(these)i(extents)g(back)e(to)h(disk)f (dev.)28 b(On)19 b(some)i(har)o(dwar)o(e)h(disks,)e(this)h(\\gather")h (mechanism)e(enables)h(mor)o(e)208 3721 y(sophisticated)28 b(scheduling.)48 b(Figur)o(e)27 b(8-2)g(gives)g(the)g(ANSI)e(C)h(r)o (epr)o(esentation)31 b(for)c(xn)p 2562 3721 V 26 w(iov.)46 b(Note)27 b(that)g(neither)h(of)e(these)i(two)208 3821 y(system)17 b(calls)f(r)o(equir)o(e)j(access)f(checks:)27 b(They)17 b(only)f(fail)g(if)g(the)h(extent)h(is)d(invalid)h(or)h (contains)h(blocks)f(tainted)g(with)f(some)h(violation.)125 3987 y Fp(The)k(follo)n(wing)f(tw)o(o)i(routines)e(read)i(and)f(write)g (the)h(bytes)g(in)f(b)n(uf)n(fer)g(cache)g(entries.)33 b(No)22 b(byte)f(range)g(read)g(by)g(a)h(UDF)g(can)g(be)0 4086 y(modi\002ed)d(using)h(these)g(routines.)0 4186 y Fl(xn)p 78 4186 V 26 w(err)p 185 4186 V 27 w(t)g(sys)p 344 4186 V 26 w(xn)p 444 4186 V 26 w(writeb\(da)p 758 4186 V 28 w(t)g(da,)g(void)g(*)g(sr)o(c,)g(size)p 1380 4186 V 26 w(t)h(nbytes,)g(cap)p 1794 4186 V 26 w(t)f(cap\);)313 4352 y(W)o(rites)g([sr)o(c,)h(sr)o(c)g(+)e(nbytes\))j(into)e(the)g 
(cached)h(blocks)f(for)h([da,)e(da)h(+)g(nbytes\).)29 b(All)19 b(of)g(the)i(bytes)g(must)f(be)f(in)g(memory)-6 b(.)28 b(Fils)19 b(if)208 4451 y(any)h(block)g(of)h(the)f(extent)i(is)e (not)g(in)g(cor)o(e.)0 4618 y(xn)p 78 4618 V 26 w(err)p 185 4618 V 27 w(t)g(sys)p 344 4618 V 26 w(xn)p 444 4618 V 26 w(r)o(eadb\(void)j(*)c(dst,)i(da)p 1077 4618 V 26 w(t)f(da,)g(size)p 1369 4618 V 26 w(t)g(nbytes,)h(cap)p 1782 4618 V 26 w(t)g(cap\);)313 4784 y(Reads)d([da,)g(da)f(+)g (nbytes\))j(into)d([dst,)h(dst)g(+)f(nbytes\).)29 b(Fails)17 b(for)h(r)o(easons)h(identical)e(to)h(above,)g(with)f(the)h(additional) f(r)o(estriction)208 4883 y(that)k([dst,)g(dst)f(+)g(nbytes\))i(must)f (be)f(writable.)1908 5589 y Fp(74)p eop %%Page: 75 76 75 75 bop 0 83 a Fq(B.4)100 b(Metadata)25 b(operations)0 230 y Fp(The)20 b(follo)n(wing)f(routines)h(are)h(used)f(to)h(allocate) g(blocks,)f(form)f(edges)i(to)g(e)o(xisting)f(blocks,)f(delete)i(edges) f(to)h(e)o(xisting)f(blocks,)g(and)0 330 y(change)f(a)h(block')-5 b(s)20 b(type:)0 430 y Fl(xn)p 78 430 22 4 v 26 w(err)p 185 430 V 27 w(t)g(sys)p 344 430 V 26 w(xn)p 444 430 V 26 w(alloc\(da)p 704 430 V 27 w(t)g(da,)g(struct)i(xn)p 1150 430 V 26 w(op)e(*op,)g(unsigned)h(alloc\);)332 596 y Fp(Allocates)i(the)f(e)o(xtent)g Fl([db,)h(db)f(+)f(\(sizeof)j(type)f (*)f(nelem\))h Fp(gi)n(v)o(en)f(by)g Fl(op)h Fp(and)f(writes)h(the)g (modi\002cations)e(contained)208 695 y(in)j Fl(op)h Fp(into)f(the)g (parent)f(metadata,)h Fl(da)p Fp(.)41 b Fl(alloc)25 b Fp(indicates)f(whether)f(the)h(block)f(should)g(be)h(zero)f(\002lled.) 
41 b(The)24 b(call)g(f)o(ails)208 795 y(if:)37 b(\(1\))23 b(the)h(e)o(xtent)f(cannot)g(be)g(allocated;)i(\(2\))f Fl(da)h Fp(is)f(not)g(in)g(core;)h(\(3\))e Fl(op)i Fp(contains)e(bogus) g(data)h(\(its)g(partition)f(id)h(is)208 895 y(in)m(v)n(alid)19 b(or)g(the)i(modi\002cation)d(v)o(ector)h(has)i(bogus)e(byte)g (ranges\);)h(or)f(\(4\))h(the)g(UDF)h(returns)e(the)i(wrong)d(data.)0 1061 y Fl(xn)p 78 1061 V 26 w(err)p 185 1061 V 27 w(t)i(sys)p 344 1061 V 26 w(xn)p 444 1061 V 26 w(fr)o(ee\(da)p 682 1061 V 29 w(t)g(da,)f(struct)k(xn)p 1130 1061 V 25 w(op)e(*op\);)332 1227 y Fp(Frees)f(the)g(e)o(xtent)f Fl([db,)h(db)g(+)f(\(sizeof)j(type) e(*)g(nelem\))h Fp(gi)n(v)o(en)d(by)i Fl(op)p Fp(.)30 b(If)20 b(the)f(e)o(xtent')-5 b(s)20 b(has)g(a)g(reference)e(count)h (greater)208 1326 y(than)h(one,)g(then)g(the)g(reference)f(count)h(is)i (decremented.)28 b(Otherwise)20 b(it)i(is)f(placed)f(on)g(the)h (freelist.)30 b(F)o(ails)22 b(for)e(similar)208 1426 y(reasons)f(to)i Fl(sys)p 656 1426 V 26 w(xn)p 756 1426 V 26 w(alloc)p Fp(.)0 1592 y Fl(xn)p 78 1592 V 26 w(err)p 185 1592 V 27 w(t)f(sys)p 344 1592 V 26 w(xn)p 444 1592 V 26 w(add)p 583 1592 V 26 w(edge\(da)p 854 1592 V 28 w(t)g(sr)o(c,)h(struct)h(xn)p 1308 1592 V 26 w(op)e(*sr)o(c)p 1551 1592 V 27 w(op,)g(da)p 1770 1592 V 26 w(t)g(dst\);)332 1758 y Fp(F)o(orms)e(an)h(edge)f(from)g Fl(sr)o(c)j Fp(to)e Fl(dst)h Fp(and)e(increments)g Fl(dst)p Fp(')-5 b(s)21 b(reference)c(count.)28 b(F)o(ails)19 b(if:)29 b(\(1\))18 b(neither)g(node)g(is)i(in)f(core)208 1858 y(\()p Fl(sr)o(c)25 b Fp(must)f(be)f(modi\002ed)g(to)h(add)f(a)h(pointer)m(,)e Fl(dst)k Fp(modi\002ed)c(to)i(increment)e(its)j(refernce)d(count\);)i (\(2\))f Fl(sr)o(c)p Fp(')-5 b(s)26 b Fl(owns)f Fp(UDF)208 1957 y(f)o(ails,)20 b(or)g Fl(dst)p Fp(')-5 b(s)22 b Fl(r)o(efcnt)i Fp(UDF)d(f)o(ails;)g(or)f(\(3\))f Fl(sr)o(c)p 1508 1957 V 27 w(op)i Fp(speci\002es)g(bogus)e(modi\002cations.)0 2123 y Fl(xn)p 78 2123 V 26 w(err)p 185 2123 V 27 w(t)h(sys)p 344 2123 V 26 w(xn)p 444 2123 V 26 
w(set)p 555 2123 V 27 w(type\(da)p 811 2123 V 28 w(t)g(da,)f(int)i(ty)-6 b(,)19 b(void)h(*sr)o(c,)h(size)p 1603 2123 V 26 w(t)g(nbytes,)g(cap)p 2017 2123 V 26 w(t)f(cap\);)313 2289 y(Change)30 b(the)g(type)g(of)f(a) g(type)g(union)h(instance:)46 b(XN)29 b(metadata)i(types)f(can)f(be)g (\\unions,")j(which)d(means)h(they)g(can)f(be)208 2389 y(dynamically)22 b(converted)i(among)e(a)f(series)i(of)f(listed)g (types.)33 b(Curr)o(ently)-6 b(,)24 b(the)e(type)g(\014eld)g(must)g(be) g(\\nil")f(\(i.e.,)g(the)h(type)g(has)h(just)208 2489 y(been)d(initialized\).)27 b(Extending)22 b(the)e(system)h(call)e(to)h (convert)i(between)f(existant)g(types)g(would)f(not)g(be)g(dif)o (\014cult)g(\(it)g(only)g(r)o(equir)o(es)208 2588 y(r)o(etesting)i (that)f(the)g(new)f(type')-5 b(s)21 b(owns)f(function)i(emits)e(the)h (same)f(blocks)h(as)f(the)h(old)f(one\).)0 2867 y Fq(B.5)100 b(Reading)25 b(XN)g(data)g(structur)n(es)0 3015 y Fp(The)f(follo)n (wing)e(six)i(functions)e(allo)n(w)i(applications)f(to)h(read)f(v)n (arious)g(XN)h(bookk)o(eeping)d(data)j(structures.)39 b(All)25 b(f)o(ail)f(if)g(the)g(gi)n(v)o(en)0 3114 y(memory)18 b(is)j(not)f(writable.)29 b(If)19 b(the)h(used)g(data)g(structures)f (are)h(mapped)f(into)g(the)h(libFS')-5 b(s)21 b(addresses)f(space,)g (these)g(calls)h(are)f(simple)0 3214 y(library)f(calls.)0 3314 y Fl(xn)p 78 3314 V 26 w(err)p 185 3314 V 27 w(t)h(sys)p 344 3314 V 26 w(xn)p 444 3314 V 26 w(r)o(ead)p 601 3314 V 27 w(attr\(dev)p 864 3314 V 29 w(t)g(dev)-5 b(,)20 b(void)g(*)g(dst,)g(db)p 1495 3314 V 26 w(t)g(db,)g(cap)p 1787 3314 V 26 w(t)g(cap\);)313 3480 y(Reads)h(the)g(r)o(egistry)h (attribute)h(for)e(db)f(on)g(disk)g(dev)g(into)h(dst.)28 b(Fails)20 b(if)g(db)g(is)f(not)i(in)f(cor)o(e.)0 3646 y(xn)p 78 3646 V 26 w(err)p 185 3646 V 27 w(t)g(sys)p 344 3646 V 26 w(xn)p 444 3646 V 26 w(r)o(ead)p 601 3646 V 27 w(catalogue\(dev)p 1052 3646 V 29 w(t)g(dev)-5 b(,)20 b(struct)i(r)o(oot)p 1579 3646 V 27 w(catalogue)g(*c\);)313 3812 y(Read)f(dev')-5 b(s)20 
b(r)o(oot)i(catalogue)f(into)g(c.)0 3978 y(xn)p 78 3978 V 26 w(err)p 185 3978 V 27 w(t)f(sys)p 344 3978 V 26 w(dev)p 479 3978 V 27 w(list\(dev)p 720 3978 V 27 w(t)g(*devl,)g(int)g(ndevs\);)313 4144 y(Stor)o(es)29 b(the)f(enumerated)h(list)d(of)h(active)h(devices)g(into)f(devl,)h (which)f(is)f(ndevs)i(big.)47 b(Fails)27 b(if)g(the)g(destination)h(is) f(not)g(lar)n(ge)208 4243 y(enough.)0 4410 y(xn)p 78 4410 V 26 w(err)p 185 4410 V 27 w(t)20 b(sys)p 344 4410 V 26 w(xn)p 444 4410 V 26 w(info\(dev)p 719 4410 V 28 w(t)g(dev)-5 b(,)20 b(db)p 1012 4410 V 25 w(t*)h(r)p 1143 4410 V 26 w(db,)e(db)p 1364 4410 V 26 w(t*)i(f)p 1496 4410 V 26 w(db,)e(size)p 1748 4410 V 26 w(t*)i(f)p 1880 4410 V 26 w(nbytes\);)313 4576 y(Reads)i(the)e(block)h(addr)o(ess) h(that)f(holds)g(the)g(r)o(oot)g(catalogue)h(into)e(r)p 2130 4576 V 26 w(db,)g(the)h(block)g(addr)o(ess)h(of)f(the)f(fr)o (eemap)i(into)f(f)p 3458 4576 V 25 w(db)g(and)208 4675 y(the)e(size)h(of)f(the)h(fr)o(eemap)g(into)g(nbytes.)0 4841 y(db)p 82 4841 V 26 w(t)f(sys)p 240 4841 V 27 w(xn)p 341 4841 V 26 w(\014ndfr)o(ee\(dev)p 731 4841 V 29 w(t)g(dev)-5 b(,)20 b(db)p 1025 4841 V 26 w(t)g(hint,)g(size)p 1360 4841 V 26 w(t)g(nblocks\))h(;)313 5007 y(Returns)26 b(the)d(\014rst)i (fr)o(ee)f(extent)h(\(starting)h(at)d(hint,)h(hint+nblocks\)\))i(found) f(on)e(dev.)37 b(If)23 b(hint)h(is)e(0,)i(then)g(XN)f(makes)h(its)f (own)208 5107 y(decision)d(about)h(wher)o(e)h(to)e(start)i(sear)o (ching.)0 5273 y(xn)p 78 5273 V 26 w(err)p 185 5273 V 27 w(t)e(sys)p 344 5273 V 26 w(xn)p 444 5273 V 26 w(list)p 552 5273 V 26 w(writeable\(dev)p 987 5273 V 28 w(t)g(dev)-5 b(,)20 b(db)p 1280 5273 V 26 w(t)g(*dbv)-5 b(,)20 b(size)p 1645 5273 V 26 w(t)g(*n\);)1908 5589 y Fp(75)p eop %%Page: 76 77 76 76 bop 313 83 a Fl(Reads)24 b(a)f(the)h(list)f(of)g(dirty)h(but)g (writable)g(entries)g(for)g(device)g(dev)f(in)g(the)h(buf)o(fer)g (cache)g(into)g(dbv)f(\(whose)h(size)g(is)f(given)g(by)208 183 y(n\).)k(T)-5 b(ypically)20 b(this)f(is)g(used)i(by)e(two)h(pr)o 
(ograms.)29 b(A)19 b(\\syncer")j(deamon)e(that)g(\015ushes)h(back)f (dirty)g(blocks,)g(and)g(by)g(any)f(shutdown)208 282 y(application)h(that)h(needs)g(to)f(\015ush)h(all)e(blocks)i(back)f(to) g(disk.)28 b(The)20 b(latter)h(locks)g(the)f(buf)o(fer)i(cache)e(and)h (iteratively)g(\015ushes)g(blocks)208 382 y(until)e(the)i(empty)g(list) f(is)g(r)o(eturned.)0 548 y(db)p 82 548 22 4 v 26 w(t)g(sys)p 240 548 V 27 w(r)o(oot\(dev)p 522 548 V 28 w(t)g(dev\);)313 714 y(Return)34 b(the)f(block)g(addr)o(ess)h(of)f(dev')-5 b(s)32 b(XN-cr)o(eated)j(\\superblock")g(\(i.e.,)f(the)f(block)g(that)g (holds)g(the)g(pointers)h(to)f(XN')-5 b(s)208 814 y(per)l(-device)22 b(bookkeeping)g(data)f(structur)o(es\).)0 1093 y Fq(B.6)100 b(File)24 b(system\255independent)k(na)n(vigation)c(calls)0 1240 y Fp(The)30 b(follo)n(wing)e(routines)h(allo)n(w)h(program)e(to)i (na)n(vigate)e(an)o(y)i(libFS)g(meta)g(data.)58 b(The)o(y)29 b(are)h(used,)i(for)d(e)o(xample,)i(by)e(our)h(disk)0 1340 y(reconstruction)18 b(program.)0 1439 y Fl(xn)p 78 1439 V 26 w(err)p 185 1439 V 27 w(t)i(sys)p 344 1439 V 26 w(xn)p 444 1439 V 26 w(get)p 567 1439 V 27 w(r)o(efcnt\(da)p 864 1439 V 29 w(t)g(da,)g(cap)p 1155 1439 V 26 w(t)g(cap\);)332 1605 y Fp(Returns)g Fl(da)p Fp(')-5 b(s)22 b(reference)c(count.)0 1771 y Fl(xn)p 78 1771 V 26 w(err)p 185 1771 V 27 w(t)i(sys)p 344 1771 V 26 w(xn)p 444 1771 V 26 w(get)p 567 1771 V 27 w(nowns\(da)p 890 1771 V 27 w(t)g(da,)g(cap)p 1179 1771 V 26 w(t)g(cap\);)332 1938 y Fp(Returns)g(the)g(number)f(of)h Fl(own)p Fp(s)h(partitions)e(in)i Fl(da)p Fp(')-5 b(s)21 b(type.)0 2104 y Fl(xn)p 78 2104 V 26 w(err)p 185 2104 V 27 w(t)f(sys)p 344 2104 V 26 w(xn)p 444 2104 V 26 w(udf)p 571 2104 V 27 w(enum\(da)p 867 2104 V 27 w(t)g(da,)g(size)p 1160 2104 V 26 w(t)g(owns)p 1389 2104 V 26 w(b,)f(size)p 1602 2104 V 27 w(t)h(owns)p 1832 2104 V 26 w(e,)f(struct)k(xn)p 2195 2104 V 26 w(update)e(*ups,)f(size)p 2745 2104 V 26 w(t)h(n,)e(cap)p 2998 2104 V 26 w(t)h(cap\);)332 2270 y 
Fp(Computes)e(a)i(list)g(of)f(of)f(all)i(blocks)e(controlled)f(by)i Fl(da)p Fp(')-5 b(s)21 b(partitions)d Fl(owns)p 2488 2270 V 26 w(b)i Fp(through)d Fl(owns)p 3011 2270 V 26 w(e)p Fp(.)29 b(These)19 b(are)g(written)208 2369 y(into)f(the)h(v)o (ector)f Fl(ups)i Fp(\(whose)f(size)g(is)h(gi)n(v)o(en)e(by)g Fl(n)p Fp(\).)29 b(T)-7 b(o)19 b(ensure)f(that)i(the)e(list)i(does)f (not)g(get)g(\223too)f(big\224)h(and)f(the)h(system)208 2469 y(call)h(does)g(not)g(run)f(\223too)g(long\224)g(\(both)g(of)h (which)g(are)g(OS)g(dependent\))e(the)i(enumeration)d(may)j(be)g(brok)o (en)e(up)i(by)g(XN)208 2568 y(into)f(multiple)h(passes.)1908 5589 y(76)p eop %%Page: 77 78 77 77 bop 0 706 a Fj(Chapter)42 b(9)0 1121 y Fn(Aegis')51 b(Interface)0 1553 y Fp(In)26 b(general,)g(an)o(y)g(system)g(call)h(f)o (ails)f(if:)42 b(\(1\))26 b(a)g(libOS)h(lacks)f(permissions)g(for)f (the)h(operation,)g(\(2\))g(a)g(libOS\255supplied)f(pointer)g(is)0 1652 y(bogus)d(\(i.e.,)i(not)f(readable)f(or)m(,)h(for)g (modi\002cations,)f(not)h(writeable\),)g(or)g(\(3\))g(a)h (libOS\255supplied)d(name)i(is)h(bogus)f(\(e.g.,)g(an)g(in)m(v)n(alid)0 1752 y(page)d(name,)f(pack)o(et)g(\002lter)i(id,)f(etc.\).)29 b(T)-7 b(o)20 b(sa)n(v)o(e)h(space,)f(we)g(do)g(not)g(mention)f(these)h (errors)g(further)-5 b(.)0 1963 y Fq(.7)99 b(CPU)25 b(interface)125 2110 y Fp(Figure)20 b(.7)h(presents)f(the)h(ANSI)g(C)h(representation)d (of)i(an)f(Ae)o(gis)h(time)h(slice.)32 b(The)20 b(routines)g(to)h (allocate,)g(yield,)f(and)h(free)f(time)0 2210 y(slices)h(are)f(gi)n(v) o(en)f(belo)n(w)-5 b(.)0 2310 y Fl(int)20 b(ae)p 172 2310 22 4 v 26 w(s)p 225 2310 V 26 w(alloc\(int)h(pid,)e(int)h(n\);)332 2469 y Fp(Allocate)f(time)h(slice)g Fl(n)g Fp(and)f(gi)n(v)o(e)g(en)m (vironment)d Fl(pid)21 b Fp(access)f(to)f(it.)30 b(F)o(ails)20 b(if)g Fl(n)g Fp(is)h(not)e(free,)g(or)g(the)g(current)f(process)208 2569 y(lacks)i(write)g(access)h(to)f Fl(pid)p Fp(.)0 2728 y Fl(int)g(ae)p 172 2728 V 26 w(s)p 225 2728 V 26 w(fr)o(ee\(int)i(slice\);)332 2888 y 
Fp(Free)e(time)h(slice)g Fl(slice)p Fp(.)30 b(F)o(ails)21 b(if)f(the)g(current)f(process)h (lacks)g(write)h(access)g(to)f(the)g(o)n(wning)f(en)m(vironment.)0 3047 y Fl(int)h(ae)p 172 3047 V 26 w(yield\(int)h(pid\);)332 3207 y Fp(Y)-5 b(ield)21 b(the)f(remainder)e(of)i(the)g(current)f(time) i(quantum)d(to)i Fl(pid)p Fp(.)0 3366 y Fl(int)g(ae)p 172 3366 V 26 w(donate\(int)i(pid\);)332 3526 y Fp(Permenantly)d (donate)g(current)f(time)j(slice)g(to)f(process)g Fl(pid)p Fp(.)0 3797 y Fq(.8)99 b(En)l(vir)n(onments)0 3945 y Fp(Figure)16 b(.8)h(presents)f(the)h(ANSI)g(C)h(representation)c(of)j (an)g(Ae)o(gis)f(en)m(vironment,)f(which)h(is)i(used)e(to)h(store)g (the)g(hardw)o(are)e(information)0 4044 y(needed)k(to)h(e)o(x)o(ecute)f (a)i(thread)e(of)h(control)f(in)h(a)h(virtual)e(address)h(space,)g (along)f(with)h(resource)f(accounting)f(information.)0 4144 y Fl(int)i(ae)p 172 4144 V 26 w(e)p 233 4144 V 26 w(alloc\(int)g(n,)g(struct)i(env)e(*e\);)332 4303 y Fp(Allocate)33 b(en)m(vironment)d Fl(n)p Fp(.)69 b(Application)32 b(\002lls)i(in)g (the)f(guarenteed)e(mappings,)j(e)o(xception)e(handlers)g(in)h(the)208 4403 y(en)m(vironment)f(structure)i(\(gi)n(v)o(en)g(in)i Fl(e)p Fp(\).)75 b(Ae)o(gis)35 b(checks)g(that)h(an)o(y)e(gi)n(v)o(en)h (physical)f(addresses)h(are)g(allo)n(wed)g(an)208 4503 y(sensible.)0 4662 y Fl(int)20 b(ae)p 172 4662 V 26 w(e)p 233 4662 V 26 w(r)o(ef\(int)i(pid\);)332 4822 y Fp(Add)36 b(a)h(refrence)e(from)h(the)g(current)f(process)i(to)f(en)m(vironment)e Fl(pid)p Fp(.)79 b(F)o(ails)37 b(if)g(the)f(current)g(process)g(lacks) 208 4921 y(permissions.)0 5081 y Fl(int)20 b(ae)p 172 5081 V 26 w(e)p 233 5081 V 26 w(unr)o(ef\(int)i(pid\);)332 5240 y Fp(Unreference)16 b(en)m(vironment)e Fl(pid)p Fp(.)30 b(If)17 b(there)h(are)f(no)h(other)f(outstanding)f(references,) g(the)i(en)m(v)f(is)i(freed.)27 b(F)o(ails)19 b(if)f(the)208 5340 y(current)g(process)i(does)g(not)g(ha)n(v)o(e)g(read)f(permission) g(to)i(the)f(en)m(vironment.)1908 5589 y(77)p eop %%Page: 78 79 78 78 
bop 208 1366 a Fl(/)p Ff(\003)21 b Fl(T)m(ime\343slice;)42 b(contr)o(ols)24 b(an)d(or)o(der)o(ed)j(scheduling)f(quanta.)44 b(It)21 b(is)h(donated)229 1465 y Ff(\003)e Fl(permenentely)k(by)e (synchr)o(onous)j(IPC.)42 b(It)21 b(can)h(be)g(donated)h(temporarily)g (by)229 1565 y Ff(\003)d Fl(yielding)i(\(via)g(ae)p 753 1565 22 4 v 26 w(yield\))g(or)f(by)h(asynchr)o(onous)j(IPC')-5 b(s)21 b(\(via)h(ae)p 1950 1565 V 26 w(asynch)p 2182 1565 V 27 w(ipc\).)229 1665 y Ff(\003)e Fl(Ownership)j(of)f(the)g (time\343slice)g(can)g(be)g(changed)h(by)f(any)g(pr)o(ocess)i(that)e (has)229 1764 y Ff(\003)e Fl(the)j(owning)e(envir)o(onments)k (capability)-6 b(.)229 1864 y Ff(\003)229 1964 y(\003)20 b Fl(T)m(ime\343slices)j(ar)o(e)f(initiated)g(via)g(an)f(upcall)h(to)g (application)g(space)h(and)229 2063 y Ff(\003)d Fl(r)o(evoked)k(in)d (the)h(same)g(manner;)g(this)g(interaction)i(allows)d(applications)229 2163 y Ff(\003)f Fl(to)i(contr)o(ol)h(important)h(context\343switching) h(operations)f(\(e.g.,)d(this)229 2262 y Ff(\003)f Fl(functionality)k (is)d(suf)o(\014cient)j(to)d(implement)h(scheduler)i(activations\).)229 2362 y Ff(\003)c Fl(The)i(price)h(of)e(this)h(functionality)i(is)d (that)i(an)f(application)g(must)g(be)229 2462 y Ff(\003)e Fl(pr)o(evented)25 b(fr)o(om)d(ignoring)g(r)o(evocation)i(interrupts.) 
46 b(The)21 b(curr)o(ent)k(method)229 2561 y Ff(\003)20 b Fl(is)i(to)g(r)o(ecor)o(d)h(the)g(number)f(of)g(timer)g(interrupts)i (a)e(pr)o(ocess)i(has)e(ignor)o(ed)229 2661 y Ff(\003)e Fl(in)h(`ticks')h(and)g(when)g(this)g(value)g(exceeds)h(a)f(pr)o (ede\014ned)i(thr)o(eshold)229 2761 y Ff(\003)c Fl(killing)h(the)h(pr)o (ocess.)45 b(In)21 b(a)g(mor)o(e)i(matur)o(e)g(implementation)g(we)e (would)g(simply)229 2860 y Ff(\003)f Fl(context)k(switch)e(the)g (application)h(by)f(hand.)229 2960 y Ff(\003)p Fl(/)208 3059 y(struct)h(slice)f(\340)377 3159 y(char)g(pad[12];)377 3259 y(struct)i(env)192 b Ff(\003)p Fl(e;)105 b(/)p Ff(\003)21 b Fl(associated)j(envir)o(onment)g(\(null)d(if)h(no)f(one\))i Ff(\003)p Fl(/)377 3358 y(unsigned)g(short)44 b(next,pr)o(ev;)129 b(/)p Ff(\003)21 b Fl(forwar)o(d)j(and)e(back)g(pointers)h Ff(\003)p Fl(/)377 3458 y(int)e(ticks;)213 b(/)p Ff(\003)21 b Fl(ticks)h(consumed)i(in)d(interrupts)j Ff(\003)p Fl(/)377 3558 y(int)d(epc;)208 3657 y(\341;)1234 4056 y Fp(Figure)e(9\2551:)29 b(Ae)o(gis)20 b(time\255slice)g(representation)1908 5589 y(78)p eop %%Page: 79 80 79 79 bop 208 1133 a Fl(/)p Ff(\003)229 1233 y(\003)20 b Fl(Envir)o(onment:)k(this)e(is)f(the)h(most)h(complicated)f(entity)h (in)e(aegis.)43 b(An)229 1333 y Ff(\003)20 b Fl(envir)o(onment)k(is)d (basically)i(a)e(pr)o(ocess:)j(it)d(de\014nes)i(the)f(pr)o(ogram)h (counters)229 1432 y Ff(\003)d Fl(to)i(vector)i(events)f(to)f(and)g (serves)h(as)f(a)f(r)o(esour)o(ce)k(accounting)f(point.)229 1532 y Ff(\003)p Fl(/)208 1631 y(struct)f(env)f(\340)377 1731 y(/)p Ff(\003)f Fl(pointers)i(to)f(exception)h(\\save)g(ar)o(eas") h(wher)o(e)e(Aegis)g(stor)o(es)408 1831 y Ff(\003)f Fl(active)h(r)o (egisters.)i Ff(\003)p Fl(/)377 1930 y(addr)p 517 1930 22 4 v 27 w(t)212 b(tlbx)p 892 1930 V 26 w(save)p 1050 1930 V 27 w(ar)o(ea,)775 2030 y(genx)p 927 2030 V 26 w(save)p 1085 2030 V 27 w(ar)o(ea,)775 2130 y(intx)p 892 2130 V 26 w(save)p 1050 2130 V 27 w(ar)o(ea;)377 2329 y(/)p Ff(\003)21 b 
Fl(exception)i(handlers.)g Ff(\003)p Fl(/)377 2428 y(handler)p 607 2428 V 27 w(t)148 b(xh[NEX],)23 b(/)p Ff(\003)e Fl(sync)i(exception)g(handlers)g Ff(\003)p Fl(/)801 2528 y(epi,)96 b(/)p Ff(\003)21 b Fl(epilogue)h(code)g Ff(\003)p Fl(/)801 2628 y(pr)o(o,)86 b(/)p Ff(\003)21 b Fl(pr)o(ologue)i(code)f Ff(\003)p Fl(/)801 2727 y(init;)92 b(/)p Ff(\003)21 b Fl(initial)g(code)h(that)h(is)e(jumped)h(to)g Ff(\003)p Fl(/)377 2827 y(/)p Ff(\003)408 2927 y(\003)f Fl(The)h(following)f(four)i(\014elds)f(ar)o(e)h(cluster)o(ed)h(to)d(be) h(on)408 3026 y Ff(\003)f Fl(the)h(same)g(cache)h(line.)408 3126 y Ff(\003)p Fl(/)377 3225 y(signed)f(char)144 b(cid;)126 b(/)p Ff(\003)21 b Fl(addr)o(ess)j(space)e(identi\014er)h Ff(\003)p Fl(/)377 3325 y(unsigned)g(char)65 b(envn;)f(/)p Ff(\003)21 b Fl(envir)o(onment)j(number)e Ff(\003)p Fl(/)377 3425 y(short)338 b(tag;)115 b(/)p Ff(\003)21 b Fl(11)g(bit)h(tag)g Ff(\003)p Fl(/)377 3524 y(handler)p 607 3524 V 27 w(t)213 b(gate;)80 b(/)p Ff(\003)21 b Fl(ipc)g(entry)i(point)f Ff(\003)p Fl(/)377 3624 y(unsigned)216 b(status;)38 b(/)p Ff(\003)21 b Fl(status)i(r)o(egister)h Ff(\003)p Fl(/)377 3724 y(struct)g(tlb)221 b(xl[MAXXL];)127 b(/)p Ff(\003)21 b Fl(guar)o(enteed)k(translations)f Ff(\003)p Fl(/)377 3823 y(struct)g(ae)p 641 3823 V 26 w(intr)p 768 3823 V 26 w(queue)e Ff(\003)p Fl(iq;)229 b(/)p Ff(\003)21 b Fl(interrupt)j(queue)f Ff(\003)p Fl(/)208 3923 y(\341;)1379 4321 y Fp(Figure)c(9\2552:)29 b(En)m(vironment)17 b(structure)1908 5589 y(79)p eop %%Page: 80 81 80 80 bop 0 83 a Fl(int)20 b(ae)p 172 83 22 4 v 26 w(e)p 233 83 V 26 w(add\(int)h(pid,)e(int)h(n\);)332 228 y Fp(Gi)n(v)o(e)h Fl(pid)g Fp(access)g(to)g(en)m(vironment)d Fl(n)p Fp(.)32 b(Only)20 b(gi)n(v)o(es)g(write)h(access)h(at)f(the)g (moment.)30 b(F)o(ails)21 b(if)g(the)g(current)e(process)208 327 y(does)g(not)h(ha)n(v)o(e)g(access)h(to)f(pid.)0 472 y Fl(int)g(ae)p 172 472 V 26 w(e)p 233 472 V 26 w(fr)o(ee\(int)i (pid\);)332 617 y Fp(Free)e(all)h(resources)e(consumed)g(by)h(en)m 
(vironment)d Fl(pid)p Fp(.)0 762 y Fl(int)j(ae)p 172 762 V 26 w(e)p 233 762 V 26 w(write\(int)h(n,)f(size)p 721 762 V 26 w(t)g(of)o(fset,)h(void)f(*p,)g(size)p 1376 762 V 26 w(t)g(nbytes\);)332 907 y Fp(Modify)f(the)h(byte)g(range)f Fl([of)o(fset,)j(of)o(fset+nbytes\))k Fp(in)20 b(the)g(en)m(vironment)d Fl(n)p Fp(')-5 b(s)22 b(application\255speci\002c)c(data)i(re)o(gion.)0 1160 y Fq(.9)99 b(Ph)o(ysical)24 b(memory)0 1307 y Fp(The)c(follo)n (wing)e(three)i(routines)f(allocate,)h(deallocate,)f(and)h(share)g (physical)f(pages.)0 1407 y Fl(int)h(ae)p 172 1407 V 26 w(p)p 237 1407 V 26 w(alloc\(int)g(n\);)332 1552 y Fp(Allocate)g(page)g Fl(n)p Fp(.)30 b(F)o(ails)21 b(if)f(page)g(is)h (already)e(allocated.)0 1697 y Fl(int)h(ae)p 172 1697 V 26 w(p)p 237 1697 V 26 w(unr)o(ef\(int)i(n\);)332 1841 y Fp(Remo)o(v)o(e)f(reference)f(to)h(page)h Fl(n)p Fp(.)34 b(If)22 b(no)f(other)g(process)g(has)h(a)g(reference)e(to)i(the)g(page) f(it)h(is)h(deallocated.)32 b(F)o(ails)23 b(if)208 1941 y(the)d(current)f(process)g(lacks)i(permissions.)0 2086 y Fl(int)f(ae)p 172 2086 V 26 w(p)p 237 2086 V 26 w(add\(int)h(pr)o (ot,)g(int)f(pid,)f(int)h(n\);)332 2231 y Fp(Gi)n(v)o(e)i(process)g Fl(pid)h Fp(access)g(to)f(page)g Fl(n)h Fp(with)f(protections)f Fl(pr)o(ot)p Fp(.)38 b(F)o(ails)23 b(if)g(the)f(current)f(process)h (lacks)g(appropriate)208 2330 y(permissions.)0 2583 y Fq(.10)99 b(Interrupts)0 2731 y Fp(T)-7 b(o)19 b(mak)o(e)g(interrupt)f (handling)f(ef)n(\002cient,)i(Ae)o(gis)h(places)f(interrupt)f (noti\002cations)g(in)h(a)h(user)n(\255space)f(interrupt)e(queue)i (that)g(the)g(libOS)0 2830 y(can)h(read)g(and)f(modify)g(directly)-5 b(.)28 b(The)20 b(structures)f(used)h(for)g(this)g(are)h(gi)n(v)o(en)d (in)j(Figure)e(9\2553.)0 2930 y Fl(int)h(ae)p 172 2930 V 26 w(r)o(ead)p 329 2930 V 27 w(exposed)p 605 2930 V 27 w(info)h(\(struct)h(exposed)p 1230 2930 V 28 w(info)e(*i\);)332 3075 y Fp(Read)36 b(out)g(of)n(fsets)g(and)g(lengths)g(of)g(e)o(xposed) 
e(k)o(ernel)i(data)g(structures)f(in)i(preperation)c(for)j(mapping)e (their)208 3175 y(associated)20 b(pages.)28 b(Figure)20 b(9\2554)f(presents)h(the)g(data)g(structures)g(that)g(can)g(be)g (mapped.)0 3319 y Fl(int)g(ae)p 172 3319 V 26 w(getrate\(void\);)332 3464 y Fp(Get)h(the)f(system')-5 b(s)21 b(clock)e(rate.)0 3609 y Fl(int)h(ae)p 172 3609 V 26 w(gettick\(void\);)332 3754 y Fp(Get)h(the)f(current)f(clock)g(tick.)0 3899 y Fl(int)h(ae)p 172 3899 V 26 w(cache\015ush)i(\(void)f(*ptr)-6 b(,)21 b(int)f(sz,)g(int)g(\015ags\);)332 4044 y Fp(Flush)g(the)h (address)e(range)g Fl([ptr)-6 b(,)22 b(ptr+sz\))h Fp(out)d(of)g(the)g (cache.)0 4188 y Fl(int)g(ae)p 172 4188 V 26 w(memcpy\(int)h(dst)p 667 4188 V 27 w(pfn,)f(int)g(sr)o(c)p 1013 4188 V 27 w(pfn,)g(int)g(sz,)g(int)g(cache\);)332 4333 y Fp(Cop)o(y)15 b(pages)h Fl(sr)o(c)p 817 4333 V 27 w(pfn,)h(sr)o(c)p 1062 4333 V 27 w(pfn+sz\))i Fp(to)d(the)g(contigious)e(page)h(range)g (starting)g(at)h Fl(dst)p 2697 4333 V 27 w(pfn)p Fp(,)i(bypassing)c (the)i(TLB.)g Fl(cache)208 4433 y Fp(indicates)j(whether)h(the)g(cop)o (y)f(should)g(also)i(bypass)f(the)g(cache.)0 4578 y Fl(int)g(ae)p 172 4578 V 26 w(memset\(int)i(dst)p 648 4578 V 26 w(pfn,)f(int)f(of)o (fset,)h(char)g(b,)e(int)h(sz\);)332 4722 y Fp(Set)h(memory)d Fl([dst)p 872 4722 V 28 w(pfn+of)o(fset,)k(dst)p 1343 4722 V 27 w(pfn+of)o(fset+sz\))k Fp(to)20 b Fl(b)p Fp(.)30 b(Bypasses)21 b(the)f(TLB.)0 4867 y Fl(int)g(ae)p 172 4867 V 26 w(fpu\(int)h(\015ag\);)332 5012 y Fp(Enable/disable)e (\003oating\255point)e(unit.)0 5157 y Fl(int)j(ae)p 172 5157 V 26 w(pid\(void\);)332 5302 y Fp(Get)h(the)f(current)f(pid.)1908 5589 y(80)p eop %%Page: 81 82 81 81 bop 208 133 a Fl(struct)23 b(ae)p 471 133 22 4 v 26 w(interrupt)h(\340)377 232 y(handler)p 607 232 V 27 w(t)43 b(h;)232 b(/)p Ff(\003)21 b Fl(handler)i(to)f(jump)f(too.)h Ff(\003)p Fl(/)377 432 y(/)p Ff(\003)f Fl(Up)g(to)h(thr)o(ee)h (int\343speci\014c)h(ar)n(guments.)45 b(Used)22 b(to)g(parameterize)i (interrupts.)p Ff(\003)p 
Fl(/)377 531 y(void)e Ff(\003)p Fl(ar)n(g1;)377 631 y(void)g Ff(\003)p Fl(ar)n(g2;)377 731 y(void)g Ff(\003)p Fl(ar)n(g3;)377 930 y(/)p Ff(\003)f Fl(Saved)h(values)h(to)f(give)f(application)i(scratch)h(r)o(egisters) 440 1029 y(epc)e(is)g(set)g(to)g(zer)o(o)h(if)e(no)h(r)o(eturn)i (point.)42 b Ff(\003)p Fl(/)377 1129 y(unsigned)23 b(epc;)64 b(/)p Ff(\003)21 b Fl(holds)h(value)g(that)g(we)g(wer)o(e)g (interrupted)i(at.)e Ff(\003)p Fl(/)377 1229 y(unsigned)h(a0;)95 b(/)p Ff(\003)21 b Fl(holds)h(a0)f(r)o(egister)j Ff(\003)p Fl(/)377 1328 y(unsigned)f(a1;)95 b(/)p Ff(\003)21 b Fl(holds)h(a1)f(r)o(egister)j Ff(\003)p Fl(/)377 1428 y(unsigned)f(a2;)95 b(/)p Ff(\003)21 b Fl(holds)h(a2)f(r)o(egister)j Ff(\003)p Fl(/)208 1528 y(\341;)208 1727 y(/)p Ff(\003)229 1826 y(\003)c Fl(cir)o(cular)j(interrupt)h(queue:)e(is)g(pr)o(ovided)h (at)f(user\343level)h(so)f(that)g(applications)229 1926 y Ff(\003)e Fl(can)i(contr)o(ol)i(interrupt)f(handling)f(ef)o (\014ciently)-6 b(.)229 2026 y Ff(\003)229 2125 y(\003)20 b Fl(Useful)j(facts:)229 2225 y Ff(\003)126 b Fl(1.)21 b(pending)i(==)e(0)43 b(\343\345)22 b(q)f(is)h(empty)229 2325 y Ff(\003)126 b Fl(2.)21 b(tail)h(points)g(to)g(the)g(\014rst)h (entry)g(to)f(dequeue.)229 2424 y Ff(\003)126 b Fl(3.)21 b(full:)g(pending)h(==)g(sz)229 2524 y Ff(\003)126 b Fl(4.)21 b(head)h(\343)g(points)h(to)e(\014rst)i(empty)g(entry)-6 b(.)229 2623 y Ff(\003)229 2723 y(\003)20 b Fl(T)-6 b(o)22 b(consume)g(an)g(interrupt:)229 2823 y Ff(\003)126 b Fl(1.)21 b(incr)o(ement)j(tail)d(\045)g(AE)p 1089 2823 V 25 w(INTQ)p 1283 2823 V 25 w(SZ)229 2922 y Ff(\003)126 b Fl(2.)21 b(decr)o(ement)j(pending.)229 3022 y Ff(\003)126 b Fl(3.)21 b(r)o(eenable)i(the)f(interrupt)i(type.)229 3122 y Ff(\003)p Fl(/)208 3221 y(struct)f(ae)p 471 3221 V 26 w(intr)p 598 3221 V 27 w(queue)f(\340)377 3321 y(/)p Ff(\003)408 3421 y(\003)f Fl(This)h(\015ag)g(counts)h(the)f(number)g (of)g(interrupts)j(pending)d(while)f(the)408 3520 y Ff(\003)g 
Fl(pr)o(ocess)j(is)d(running)i(with)e(interrupts)j(disabled.)408 3620 y Ff(\003)p Fl(/)377 3719 y(unsigned)f(short)g(pending;)377 3919 y(/)p Ff(\003)408 4018 y(\003)e Fl(Number)h(of)g(over\015ow)h (ints)f(for)g(each)h(type.)43 b(\(simple)22 b(way)f(to)h(allow)408 4118 y Ff(\003)f Fl(r)o(esour)o(ce\343speci\014c)26 b(r)o(ecovery)-6 b(.\))408 4218 y Ff(\003)p Fl(/)377 4317 y(unsigned)23 b(short)g(over\015ow[AE)p 1221 4317 V 28 w(NINTS];)377 4417 y(unsigned)g(short)g(over\015ow)p 1116 4417 V 27 w(p;)127 b(/)p Ff(\003)21 b Fl(set)h(to)g(1)f(if)h(ther)o(e)h(is)e (over\015ow)-5 b(.)23 b Ff(\003)p Fl(/)377 4616 y(unsigned)171 b(mask;)233 b(/)p Ff(\003)21 b Fl(0)h(\343\345)g(disabled,)f(1)h (\343\345)g(enabled.)g Ff(\003)p Fl(/)356 4815 y(/)p Ff(\003)398 4915 y(\003)f Fl(Handlers,)h(two)g(for)g(each)h(interrupt.) 44 b(W)m(e)22 b(make)g(application)398 5015 y Ff(\003)f Fl(explicitly)h(check)g(whether)h(it)f(was)f(running)i(or)f(not.)43 b(Could)398 5114 y Ff(\003)21 b Fl(have)h(two)g(handlers,)h(wher)o(e)43 b(handler)23 b(0)e(is)h(set)g(when)g(pr)o(ocess)398 5214 y Ff(\003)f Fl(was)h(not)g(executing,)h(handler)f(1)g(is)f(set)h(when)g (it)f(was.)398 5313 y Ff(\003)p Fl(/)377 5413 y(handler)p 607 5413 V 27 w(t)148 b(h[AE)p 949 5413 V 27 w(NINTS];)377 5612 y(/)p Ff(\003)408 5712 y(\003)21 b Fl(Cir)o(cular)i(queue;)f(when) g(it)f(runs)h(out,)g(we)g(write)g(an)f(over\015ow)i(interrupt.)408 5812 y Ff(\003)p Fl(/)395 5911 y(unsigned)g(char)f(head;)395 6011 y(unsigned)h(char)f(tail;)208 6110 y(#)148 b(de\014ne)22 b(AE)p 690 6110 V 26 w(INTQ)p 885 6110 V 25 w(SZ)149 b(\(1)22 b(\344\344)g(4\))395 6210 y(struct)i(ae)p 659 6210 V 26 w(interrupt)f(e[AE)p 1108 6210 V 27 w(INTQ)p 1304 6210 V 25 w(SZ];)208 6310 y(\341;)916 6708 y Fp(Figure)d(9\2553:) 29 b(Structures)19 b(used)h(for)f(libOS\255le)n(v)o(el)h(interrupt)e (handling.)1908 5589 y(81)p eop %%Page: 82 83 82 82 bop 208 984 a Fl(struct)23 b(exposed)p 650 984 22 4 v 28 w(info)e(\340)313 1084 y(unsigned)i(int)f(start)p 844 1084 V 27 
w(page;)65 b(/)p Ff(\003)21 b Fl(which)g(phys)h(page)h (the)f(info)g(starts)i(on)d Ff(\003)p Fl(/)313 1183 y(int)h(num;)530 b(/)p Ff(\003)21 b Fl(how)g(many)h(pages)h Ff(\003)p Fl(/)313 1382 y(/)p Ff(\003)e Fl(timing)h(r)o(elated)h(structur)o(es)i Ff(\003)p Fl(/)313 1582 y(char)e Ff(\003)p Fl(clock)p 662 1582 V 26 w(tick)p 793 1582 V 26 w(start;)313 1681 y(int)f(clock)p 569 1681 V 26 w(tick)p 700 1681 V 26 w(size;)313 1781 y(char)h Ff(\003)p Fl(clock)p 662 1781 V 26 w(rate)p 804 1781 V 27 w(start;)313 1881 y(int)f(clock)p 569 1881 V 26 w(rate)p 711 1881 V 27 w(size;)313 2080 y(/)p Ff(\003)f Fl(page)i(info)e Ff(\003)p Fl(/)313 2179 y(char)i Ff(\003)p Fl(p)p 549 2179 V 25 w(r)o(efcnt)p 747 2179 V 28 w(start,)g Ff(\003)p Fl(p)p 1030 2179 V 25 w(acl)p 1137 2179 V 26 w(start,)g Ff(\003)p Fl(p)p 1418 2179 V 25 w(map)p 1576 2179 V 26 w(start;)313 2279 y(int)f(p)p 456 2279 V 26 w(r)o(efcnt)p 655 2279 V 28 w(size,)f(p)p 872 2279 V 26 w(acl)p 980 2279 V 26 w(size,)g(p)p 1195 2279 V 26 w(map)p 1354 2279 V 25 w(size;)313 2478 y(/)p Ff(\003)g Fl(env)h(info)g Ff(\003)p Fl(/)313 2578 y(char)h Ff(\003)p Fl(e)p 545 2578 V 25 w(r)o(efcnt)p 743 2578 V 28 w(start,)g Ff(\003)p Fl(e)p 1022 2578 V 25 w(acl)p 1129 2578 V 26 w(start,)g Ff(\003)p Fl(e)p 1406 2578 V 25 w(map)p 1564 2578 V 26 w(start,)g Ff(\003)p Fl(env)p 1915 2578 V 26 w(start;)313 2678 y(int)f(e)p 452 2678 V 26 w(r)o(efcnt)p 651 2678 V 28 w(size,)f(e)p 864 2678 V 26 w(acl)p 972 2678 V 26 w(size,)g(e)p 1183 2678 V 26 w(map)p 1342 2678 V 26 w(size,)g(env)p 1627 2678 V 26 w(size;)313 2877 y(/)p Ff(\003)g Fl(time)h(slice)f(info)h Ff(\003)p Fl(/)313 2976 y(char)h Ff(\003)p Fl(s)p 537 2976 V 25 w(r)o(efcnt)p 735 2976 V 28 w(start,)g Ff(\003)p Fl(s)p 1006 2976 V 26 w(acl)p 1114 2976 V 25 w(start,)g Ff(\003)p Fl(slice)p 1480 2976 V 26 w(start,)g Ff(\003)p Fl(s)p 1749 2976 V 25 w(map)p 1907 2976 V 26 w(start;)313 3076 y(int)f(s)p 444 3076 V 26 w(r)o(efcnt)p 643 3076 V 28 w(size,)f(s)p 848 3076 V 26 w(acl)p 956 3076 V 26 
w(size,)g(slice)p 1257 3076 V 26 w(size,)h(s)p 1461 3076 V 26 w(map)p 1620 3076 V 25 w(size;)313 3275 y(/)p Ff(\003)f Fl(context)j(ids)d(info)h Ff(\003)p Fl(/)313 3375 y(char)h Ff(\003)p Fl(cmap)p 674 3375 V 26 w(start,)g Ff(\003)p Fl(c)p 947 3375 V 25 w(map)p 1105 3375 V 26 w(start;)313 3475 y(int)f(cmap)p 581 3475 V 26 w(size,)g(c)p 789 3475 V 25 w(map)p 947 3475 V 26 w(size;)313 3674 y(/)p Ff(\003)f Fl(stlb)h Ff(\003)p Fl(/)313 3773 y(char)h Ff(\003)p Fl(stlb)p 615 3773 V 26 w(start;)313 3873 y(int)f(stlb)p 522 3873 V 26 w(size;)208 3973 y(\341;)0 4371 y Fp(Figure)27 b(9\2554:)44 b(Structure)27 b(used)h(to)g(hold)f(where)g(each)h(e)o (xposed)e(k)o(ernel)h(data)h(structure)f(be)o(gins)g(and)h(its)h(size.) 53 b(By)28 b(def)o(ault,)h(each)0 4471 y(en)m(vironment)17 b(has)k(read)e(access)i(to)f(the)h(pages)e(containing)g(these)h (structures.)1908 5589 y(82)p eop %%Page: 83 84 83 83 bop 208 133 a Fl(/)p Ff(\003)21 b Fl(Structur)o(e)j(to)e(hold)g (r)o(ecv)h(messages.)g Ff(\003)p Fl(/)208 232 y(struct)g(ae)p 471 232 22 4 v 26 w(r)o(ecv)g(\340)377 332 y(int)e(n;)43 b(/)p Ff(\003)21 b Fl(number)h(of)g(entries)h Ff(\003)p Fl(/)169 b(struct)24 b(r)o(ec)f(\340)578 432 y(int)e(sz;)578 531 y(void)g Ff(\003)p Fl(data;)377 631 y(\341)h(r[MAXPKTS];)208 731 y(\341;)1202 1129 y Fp(Figure)e(9\2555:)28 b(Netw)o(ork)20 b(pack)o(et)f(recei)n(v)o(e)g(structure)0 1396 y Fq(.11)99 b(Netw)o(orking)0 1544 y Fp(Ae)o(gis)18 b(pro)o(vides)e(calls)j(to)f (insert)g(and)f(delete)h(pack)o(et)g(\002lters.)29 b(It)18 b(also)g(pro)o(vides)f(support)f(for)h(Ethernet)g(and)h(AN2)g(O)m(TT)o (O)f(chips.)28 b(F)o(or)0 1643 y(simplicity)-5 b(,)19 b(we)i(only)e(pro)o(vide)f(the)j(former')-5 b(s)19 b(interf)o(ace.)125 1743 y(The)d(follo)n(wing)g(tw)o(o)h(functions)f(install)h(and)g (delete)f(pack)o(et)h(\002lters.)29 b(Filters)18 b(can)e(be)h(bound)f (to)h(an)g Fg(ASH)g Fp(\(libOS)g(messaging)f(code)0 1843 y(do)n(wnloaded)g(into)j(the)g(k)o(ernel\),)f(which)h(is)h(run)e(when)g (the)h(\002lter)h(matches.)28 
b(Otherwise)19 b(the)g(pack)o(et)g(will)g (be)g(handled)f(by)g(the)h(libOS.)0 1942 y Fl(int)h(ae)p 172 1942 V 26 w(dpf)p 299 1942 V 26 w(install\(void)h(*\014lter)-6 b(,)21 b(int)f(sz,)g(int)g(ash)p 1275 1942 V 27 w(id\);)332 2108 y Fp(Installs)d Fl(\014lter)h Fp(\(of)d Fl(sz)j Fp(bytes\))e(and)f(binds)h(it)h(to)f(the)h Fg(ASH)f Fl(ash)p 2002 2108 V 27 w(id)p Fp(.)28 b(F)o(ails)17 b(if)g(the)f(size)h(is)g (too)f(lar)o(ge,)g(or)g(the)g(\002lter)h(o)o(v)o(erlaps)208 2208 y(with)j(another)f(\002lter)h(and)g(the)g(current)f(process)h(has) g(insuf)n(\002cient)f(permissions)h(to)g(o)o(v)o(erride)e(it.)0 2374 y Fl(int)i(ae)p 172 2374 V 26 w(dpf)p 299 2374 V 26 w(delete\(int)i(id\);)332 2540 y Fp(Delete)f(\002lter)f Fl(id)p Fp(.)30 b(F)o(ails)21 b(if)f(the)g(process)g(lacks)h (permission)e(to)h(do)g(so.)125 2706 y(The)f(follo)n(wing)g(four)g (functions)g(are)h(used)g(to)g(send)g(and)g(recei)n(v)o(e)f(messages.)0 2806 y Fl(int)h(ae)p 172 2806 V 26 w(eth)p 295 2806 V 26 w(poll\(int)h(\014d,)e(struct)k(ae)p 929 2806 V 26 w(r)o(ecv)e(*r)o(ecv)-5 b(,)21 b(volatile)f(int)g(*addr\);)332 2972 y Fp(Install)g(a)g(recei)n(v)o(e)e(structure,)g Fl(r)o(ecv)p Fp(,)k(to)e(handle)e(pack)o(ets)h(arri)n(ving)f(for)h (\002lter)g Fl(\014d)p Fp(;)i(recei)n(v)o(e)e(noti\002cation)f(via)h (polling.)208 3071 y Fl(addr)24 b Fp(points)e(to)g(a)h(counter)e(that)i (is)g(incremented)d(by)i(the)h(recei)n(v)o(ed)d(message)j(size.)36 b(Figure)22 b(9\2555)g(sho)n(ws)g(the)g(ANSI)h(C)208 3171 y(representation)18 b(of)i(the)g(recei)n(v)o(e)f(structure.)28 b(F)o(ails)21 b(if)g(there)e(are)h(already)f(too)h(man)o(y)f(enqueued)f (recei)n(v)o(e)h(structures.)0 3337 y Fl(int)h(ae)p 172 3337 V 26 w(eth)p 295 3337 V 26 w(send\(void)i(*msg,)e(int)g(sz\);)332 3503 y Fp(Send)g Fl(msg)h Fp(\(of)f Fl(sz)h Fp(bytes\))f(on)g (Ethernet.)0 3669 y Fl(int)g(ae)p 172 3669 V 26 w(eth)p 295 3669 V 26 w(sendv\(struct)25 b(ae)p 780 3669 V 26 w(r)o(ecv)c(*r)o(ecv\);)332 3835 y Fp(\223Gather\224)h(send)g(of)h(the) 
f(message)h(speci\002ed)f(by)g Fl(r)o(ecv)p Fp(:)37 b(Ae)o(gis)22 b(copies)h(the)f(message)h(into)f(a)h(contiguous)e(outgoing)208 3935 y(b)n(uf)n(fer)d(\(the)i(hardw)o(are)f(we)i(run)e(on)h(lacks)g (support)f(for)h(DMA\).)0 4101 y Fl(int)g(ae)p 172 4101 V 26 w(eth)p 295 4101 V 26 w(info\(addr)p 597 4101 V 28 w(t)g(addr\);)332 4267 y Fp(Get)h(Ethernet)e(address.)0 4546 y Fq(.12)99 b(TLB)26 b(manipulation)0 4693 y Fp(Ae)o(gis)j(uses)g (a)g(softw)o(are)f(TLB)h([7)o(])g(to)g(increase)f(the)g(ef)n(fecti)n(v) o(e)g(hardw)o(are)f(TLB)i(size.)55 b(The)28 b(STLB)h(has)g(8192)e (entries)i(and)f(is)h(a)0 4793 y(direct)c(mapped)f(hash)h(table;)k(it)d (also)g(has)f(an)h(8\255entry)e(fully\255associati)n(v)o(e)f(o)o(v)o (er\003o)n(w)h(b)n(uf)n(fer)g(\(similar)i(to)f(a)h(\223victim)f (cache\224)g([47)o(]\).)0 4893 y(Figure)e(9\2556)g(gi)n(v)o(es)g(the)g (ANSI)h(C)g(representation)e(of)h(an)g(STLB)h(entry)-5 b(.)38 b(Figure)23 b(9\2557)g(gi)n(v)o(es)g(the)g(MIPS)h(assembly)f (code)g(to)h(load)f(an)0 4992 y(entry)18 b(from)g(the)h(STLB)g(into)g (the)g(hardw)o(are)e(TLB)j(within)e(the)h(TLB)g(handler)-5 b(.)28 b(LibOSes)19 b(can)g(map)f(the)h(STLB)h(read\255only)c(into)j (their)0 5092 y(address)j(spaces.)37 b(LibOS)23 b(modi\002cations)e(of) i(the)g(hardw)o(are)e(TLB)i(are)g(propagated)c(to)k(the)g(STLB.)g(The)f (libOS)h(program)e(counter)0 5191 y(that)f(Ae)o(gis)g(v)o(ectors)g(TLB) g(misses)i(to)e(is)h(gi)n(v)o(en)e(in)h(the)g(libOSes)h(en)m(vironment) c(structure.)125 5291 y(The)i(follo)n(wing)g(routines)g(read,)g (insert)h(and)g(modify)e(TLB)j(entries.)89 b Fl(int)20 b(ae)p 2402 5291 V 26 w(tlbwr\(addr)p 2743 5291 V 28 w(t)g(va,)g(struct)i(lo)e(lo\);)1908 5589 y Fp(83)p eop %%Page: 84 85 84 84 bop 208 133 a Fa(struct)23 b Fl(stlb)f(\340)377 232 y(/)p Ff(\003)f Fl(STLB)h(tag:)g(the)g(contents)i(of)e(the)g(TLB)g (context)i(r)o(egister)g(\(c0)p 2107 232 22 4 v 26 w(tlbctx\))f Ff(\003)p Fl(/)377 332 y(unsigned)171 b(:2,)821 432 y(vpn:19,)22 b(/)p Ff(\003)f 
Fl(bad)g(virtual)i(page)f(number)g Ff(\003)p Fl(/)821 531 y(tag:11;)g(/)p Ff(\003)f Fl(11)g(bit)h(tag)g(associated)i (\(pseudo\343randomly\))i(with)21 b(each)h(pr)o(ocess)i Ff(\003)p Fl(/)377 631 y(/)p Ff(\003)d Fl(TLB)h(entry)h Ff(\003)p Fl(/)377 731 y(unsigned)171 b(:8,)162 b(/)p Ff(\003)21 b Fl(r)o(eserved)j Ff(\003)p Fl(/)821 830 y(g:1,)123 b(/)p Ff(\003)21 b Fl(Global:)g(TLB)g(ignor)o(es)j(the)e (PID)f(match)h(r)o(eq)h Ff(\003)p Fl(/)821 930 y(v:1,)127 b(/)p Ff(\003)21 b Fl(V)-6 b(alid:)21 b(if)g(not)h(set,)g(TLBL)g(or)g (TLBS)g(miss)g(occurs)p Ff(\003)p Fl(/)821 1029 y(d:1,)123 b(/)p Ff(\003)21 b Fl(Dirty)h Ff(\003)p Fl(/)821 1129 y(n:1,)123 b(/)p Ff(\003)21 b Fl(Non\343cacheable.)i Ff(\003)p Fl(/)821 1229 y(pfn:20;)f(/)p Ff(\003)f Fl(Page)h(frame)h (number)f Ff(\003)p Fl(/)208 1328 y(\341;)1492 1644 y Fp(Figure)e(9\2556:)29 b(STLB)20 b(structure)332 1911 y(Insert)d(TLB)h(entry)e(for)h(virtual)f(address)h Fl(va)p Fp(.)30 b Fl(lo)17 b Fp(holds)g(the)h(physical)e(page)g(number)m(,)g (protection)f(information,)h(and)208 2011 y(v)n(arious)j(softw)o(are)g (tags.)30 b(Figure)19 b(9\2558)h(gi)n(v)o(es)g(its)h(ANSI)f(C)h (representation.)0 2177 y Fl(void)f(ae)p 223 2177 V 26 w(tlbrpr)o(otn\(addr)p 671 2177 V 30 w(t)g(va,)g(int)g(len\);)313 2343 y(Read-pr)o(otect)k(the)d(r)o(egion)g([va,)f(va+len*P)l(AGESIZ\).) i(Always)e(succeeds.)0 2509 y(void)g(ae)p 223 2509 V 26 w(unpr)o(otn\(addr)p 648 2509 V 30 w(t)g(va,)g(int)g(len\);)313 2675 y(Make)k(the)g(r)o(egion)g([va,)h(va+len*P)l(AGESIZ\))g(writable.) 
39 b(Fails)23 b(if)g(the)h(curr)o(ent)i(pr)o(ocess)g(does)e(not)g(have) g(write)g(access)h(to)f(any)208 2774 y(page.)0 2940 y(void)c(ae)p 223 2940 V 26 w(tlbdeleten\(addr)p 708 2940 V 29 w(t)g(va,)g(int)g (len\);)313 3107 y(Delete)h([va,)f(va+len*P)l(AGESIZ\))j(fr)o(om)e(the) f(TLB.)g(Always)g(succeeds.)0 3273 y(void)g(ae)p 223 3273 V 26 w(tlb\015ush\(void\);)313 3439 y(Flush)h(all)e(entries)j(fr)o (om)f(STLB)f(and)h(TLB.)1908 5589 y Fp(84)p eop %%Page: 85 86 85 85 bop 377 677 a Fl(#)21 b(Softwar)o(e)j(r)o(e\014ll)e(of)g(TLB:)g (uses)g(an)g(STLB)g(cache.)377 876 y(#)f(1.)g(Compute)i(hash)f (function)377 976 y(mfc0)86 b(k0,)21 b(c0)p 804 976 22 4 v 26 w(tlbcxt)234 b(#)22 b(get)g(virtual)g(page\343number)i(and)e (11\343bit)g(pr)o(ocess)i(tag)377 1075 y(mfc0)86 b(k1,)21 b(c0)p 804 1075 V 26 w(tlbcxt)234 b(#)22 b(twice)377 1274 y(#)64 b(Our)21 b(hash)i(function)g(combines)f(pr)o(ocess)i(tag)f (with)e(the)h(lower)g(bits)g(of)g(the)g(virtual)377 1374 y(#)64 b(page)22 b(number)g(\(VPN\))h(that)g(missed:)377 1474 y(#)170 b(\(\(\(c0)p 729 1474 V 27 w(tlbcxt)23 b(\344\344)f(17)f (^)g(c0)p 1258 1474 V 26 w(tlbctx\))i(\345\345)f(16)g(\))f(&)g(STLB)p 1967 1474 V 27 w(MASK&~7\))377 1573 y(sll)155 b(k0,)21 b(k0,)h(17)479 b(#)21 b(move)h(VPN)f(up)377 1673 y(xor)117 b(k1,)21 b(k0,)h(k1)483 b(#)21 b(combine)h(with)g(pr)o(ocess)i(tag)377 1773 y(srl)148 b(k1,)21 b(k1,)h(16)479 b(#)21 b(move)h(down)g(\(8)g (byte)g(align\))377 1872 y(andi)85 b(k0,)21 b(k1,)h(STLB)p 974 1872 V 26 w(MASK)f(&)g(~7)43 b(#)21 b(r)o(emove)i(upper)g(and)f (lower)f(bits.)377 2071 y(#)g(2.)g(Index)h(into)g(STLB)377 2171 y(lui)149 b(k1,)21 b(HI\(stlb\))264 b(#)21 b(load)h(STLB)g(\(at)h (known)f(location\))377 2271 y(add)107 b(k1,)21 b(k0,)g(k1)297 b(#)21 b(index)h(into)g(STLB)377 2470 y(#)f(3.)g(Load)i(the)f(physical) g(page)g(entry)h(and)f(STLB)g(tag)377 2570 y(lw)127 b(k0,)21 b(LO\(stlb\)+4\(k1\))131 b(#)21 b(TLB)h(entry)377 2669 y(lw)127 b(k1,)21 b(LO\(stlb\)+0\(k1\))131 b(#)21 b(STLB)i(tag)377 2869 
y(#)e(4.)g(Load)i(TLB:)e(we)g(\014rst)i(load)f(the)g(fetched)i (TLB)e(entry)h(into)e(tlblo)h(\(but)g(do)g(not)g(write)377 2968 y(#)85 b(this)22 b(r)o(egister)i(into)e(the)g(TLB\);)g(we)f(then)i (r)o(e\343fetch)h(tlbcxt)f(in)e(pr)o(eparation)j(to)e(its)377 3068 y(#)85 b(comparison)23 b(to)f(the)g(STLB)g(tag.)377 3167 y(mtc0)86 b(k0,)21 b(c0)p 804 3167 V 26 w(tlblo)268 b(#)22 b(\(optimistically\))h(load)e(TLB)h(entry)377 3267 y(mfc0)86 b(k0,)21 b(c0)p 804 3267 V 26 w(tlbcxt)234 b(#)22 b(get)g(context)h(again)377 3367 y(nop)733 b(#)22 b(delay)g(slot)377 3566 y(#)f(5.)g(Check)i(tag)f(\(does)h(not)f(match)g (\343\345)g(jump)f(to)h(miss)g(handler\))377 3666 y(bne)125 b(k0,)21 b(k1,)g(stlb)p 954 3666 V 26 w(miss)149 b(#)21 b(compar)o(e)j(tags)e(to)g(see)g(if)g(we)f(got)h(a)g(hit)377 3765 y(mfc0)86 b(k1,)21 b(c0)p 804 3765 V 26 w(epc)323 b(#)21 b(get)i(exception)g(pr)o(ogram)g(counter)377 3964 y(#)e(6.)g(T)-6 b(ags)22 b(matched:)h(install)e(entry)i(into)f(the)g (TLB)377 4064 y(tlbwr)572 b(#)22 b(write)g(tlblo)f(to)h(TLB)377 4263 y(#)f(7.)g(Return)i(fr)o(om)g(exception)377 4363 y(j)148 b(k1)466 b(#)21 b(jump)h(to)g(r)o(esumption)h(addr)o(ess)377 4463 y(rfe)623 b(#)21 b(r)o(eturn)j(fr)o(om)f(exception)477 4778 y Fp(Figure)d(9\2557:)28 b(Assembly)20 b(code)g(used)g(by)f(Ae)o (gis)i(to)f(lookup)e(mapping)h(in)h(STLB)h(\(18)e(instructions\).)1908 5589 y(85)p eop %%Page: 86 87 86 86 bop 208 2030 a Fl(/)p Ff(\003)21 b Fl(LO)g(portion)i(of)f(TLB)f (mapping.)h Ff(\003)p Fl(/)208 2130 y(struct)h(lo)e(\340)377 2229 y(unsigned)716 2329 y(w:1,)f(/)p Ff(\003)h Fl(write)h(perm?)h Ff(\003)p Fl(/)716 2428 y(:7,)75 b(/)p Ff(\003)21 b Fl(r)o(eserved)k (for)d(softwar)o(e)i(\(libOS\))e Ff(\003)p Fl(/)716 2528 y(g:1,)36 b(/)p Ff(\003)21 b Fl(Global:)g(TLB)h(ignor)o(es)h(the)f(PID) f(match)i(r)o(eq)f Ff(\003)p Fl(/)716 2628 y(v:1,)f(/)p Ff(\003)g Fl(V)-6 b(alid:)20 b(If)i(not)g(set,)g(TLBL)g(or)g(TLBS)g (miss)g(occurs)p Ff(\003)p Fl(/)716 2727 y(d:1,)f(/)p Ff(\003)g Fl(Dirty)h Ff(\003)p Fl(/)716 
2827 y(n:1,)f(/)p Ff(\003)g Fl(Non\343cacheable.)i Ff(\003)p Fl(/)716 2927 y(pfn:20;)43 b(/)p Ff(\003)21 b Fl(Page)h(Frame)g(Number:)g(31..12)f (of)h(the)h(pa)e Ff(\003)p Fl(/)208 3026 y(\341;)181 3425 y Fp(Figure)e(9\2558:)29 b(Hardw)o(are)19 b(de\002ned)g(\223lo)n (w\224)h(portion)f(of)h(a)g(TLB)h(entry)e(\(i.e.,)h(the)g(part)g(bound) e(to)j(a)f(virtual)g(page)f(number\).)1908 5589 y(86)p eop %%Page: 87 88 87 87 bop 0 747 a Fn(Bibliograph)m(y)42 1179 y Fp([1])40 b(H.)25 b(Abelson,)g(G.)g(J.)h(Sussman,)f(and)g(J.)g(Sussman.)42 b Fk(Structur)m(e)24 b(and)g(Interpr)m(etation)f(of)i(Computer)g(Pr)l (o)o(gr)o(ams)p Fp(.)41 b(MIT)25 b(Press,)180 1279 y(1996.)42 1445 y([2])40 b(M.)29 b(Accetta,)i(R.)f(Baron,)g(W)-8 b(.)30 b(Bolosk)o(y)-5 b(,)30 b(D.)g(Golub,)g(R.)f(Rashid,)j(A.)d(T)-6 b(e)n(v)n(anian,)30 b(and)e(M.)h(Y)-9 b(oung.)51 b(Mach:)c(a)30 b(ne)n(w)e(k)o(ernel)180 1544 y(foundation)c(for)i(UNIX)h(de)n(v)o (elopment.)45 b(In)26 b Fk(Pr)l(oceedings)g(of)h(the)g(Summer)g(1986)e (USENIX)i(Confer)m(ence)p Fp(,)h(pages)e(93\226112,)180 1644 y(July)20 b(1986.)42 1810 y([3])40 b(T)-6 b(.E.)15 b(Anderson.)20 b(The)15 b(case)h(for)f(application\255speci\002c)e (operating)h(systems.)22 b(In)15 b Fk(Thir)m(d)h(W)-8 b(orkshop)15 b(on)g(W)-8 b(orkstation)16 b(Oper)o(ating)180 1910 y(Systems)p Fp(,)k(pages)g(92\22694,)e(1992.)42 2076 y([4])40 b(T)-6 b(.E.)22 b(Anderson,)h(B.N.)g(Bershad,)h(E.D.)f (Lazo)n(wska,)f(and)h(H.M.)g(Le)n(vy)-5 b(.)36 b(Scheduler)22 b(acti)n(v)n(ations:)35 b(Ef)n(fecti)n(v)o(e)21 b(k)o(ernel)i(support) 180 2175 y(for)g(the)g(user)n(\255le)n(v)o(el)f(management)g(of)h (parallelism.)37 b(In)23 b Fk(Pr)l(oceedings)f(of)i(the)f(Thirteenth)g (A)n(CM)h(Symposium)e(on)h(Oper)o(ating)180 2275 y(Systems)d (Principles)p Fp(,)g(pages)g(95\226109,)e(October)h(1991.)42 2441 y([5])40 b(A.W)-8 b(.)27 b(Appel)f(and)h(K.)f(Li.)47 b(V)-5 b(irtual)27 b(memory)d(primiti)n(v)o(es)i(for)g(user)h (programs.)44 b(In)27 b Fk(F)-9 b(ourth)26 b(International)e(Confer)m 
(ence)i(on)180 2540 y(Ar)m(c)o(hitectur)m(e)16 b(Support)f(for)i(Pr)l (o)o(gr)o(amming)e(Langua)o(g)o(es)g(and)h(Oper)o(ating)f(Systems)p Fp(,)j(pages)e(96\226107,)f(Santa)i(Clara,)g(CA,)h(April)180 2640 y(1991.)42 2806 y([6])40 b(M.)27 b(L.)h(Baile)o(y)-5 b(,)29 b(B.)f(Gopal,)h(M.)e(A.)h(P)o(agels,)h(L.)f(L.)f(Peterson,)i (and)e(P)-9 b(.)28 b(Sarkar)-5 b(.)48 b(P)-8 b(A)f(THFINDER:)28 b(A)g(pattern\255based)d(pack)o(et)180 2906 y(classi\002er)-5 b(.)61 b(In)31 b Fk(Pr)l(oceedings)g(of)g(the)h(F)l(ir)o(st)h (Symposium)e(on)g(Oper)o(ating)f(Systems)j(Design)e(and)g (Implementation)p Fp(,)h(pages)180 3005 y(115\226123,)17 b(Montere)o(y)-5 b(,)18 b(CA,)i(USA,)h(No)o(v)o(ember)d(1994.)42 3171 y([7])40 b(K.)26 b(Bala,)i(M.F)-7 b(.)26 b(Kaashoek,)g(and)f(W)-8 b(.E.)27 b(W)-7 b(eihl.)44 b(Softw)o(are)26 b(prefetching)d(and)i (caching)g(for)g(translation)g(lookaside)g(b)n(uf)n(fers.)180 3271 y(In)33 b Fk(Pr)l(oceedings)g(of)h(the)g(F)l(ir)o(st)h(Symposium)e (on)g(Oper)o(ating)g(Systems)h(Design)g(and)f(Implementation)p Fp(,)h(pages)g(243\226253,)180 3371 y(No)o(v)o(ember)18 b(1994.)42 3537 y([8])40 b(J.)22 b(Barrera.)33 b(In)m(v)n(ocation)20 b(chaining:)31 b(manipulating)20 b(light\255weight)g(objects)i(across)g (hea)n(vy\255weight)e(boundaries.)31 b(In)22 b Fk(Pr)l(oc.)f(of)180 3636 y(4th)f(IEEE)f(W)-8 b(orkshop)20 b(on)g(W)-8 b(orkstation)20 b(Oper)o(ating)f(Systems)p Fp(,)h(pages)g(191\226193,)d(October)i (1993.)42 3802 y([9])40 b(B.)31 b(N.)g(Bershad,)i(S.)e(Sa)n(v)n(age,)i (P)-9 b(.)31 b(P)o(ardyak,)h(E.)f(G.)g(Sirer)m(,)i(M.)d(Fiuczynski,)j (D.)e(Beck)o(er)m(,)h(S.)g(Eggers,)g(and)e(C.)i(Chambers.)180 3902 y(Extensibility)-5 b(,)35 b(safety)f(and)f(performance)e(in)j(the) g(SPIN)g(operating)e(system.)66 b(In)33 b Fk(Pr)l(oceedings)g(of)h(the) g(F)l(ifteenth)f(A)n(CM)180 4002 y(Symposium)25 b(on)g(Oper)o(ating)g (Systems)i(Principles)p Fp(,)g(pages)f(267\226284,)e(Copper)h(Mountain) g(Resort,)j(CO,)e(USA,)h(December)180 4101 y(1995.)0 4267 y([10])40 b(B.N.)27 
b(Bershad,)h(D.D.)f(Redell,)i(and)e(J.R.)g (Ellis.)48 b(F)o(ast)28 b(mutual)e(e)o(xclusion)g(for)g(uniprocessors.) 45 b(In)27 b Fk(Pr)l(oc.)g(of)g(the)g(Conf)o(.)g(on)180 4367 y(Ar)m(c)o(hitectur)o(al)19 b(Support)f(for)j(Pr)l(o)o(gr)o (amming)e(Langua)o(g)o(es)f(and)i(Oper)o(ating)e(Systems)p Fp(,)j(pages)f(223\226237,)d(October)i(1992.)0 4533 y([11])40 b(Nathaniel)16 b(Borenstein)f(and)h(James)h(Gosling.)23 b(Unix)16 b(emacs:)27 b(A)17 b(retrospecti)n(v)o(e.)k(In)16 b Fk(A)n(CM)h(SIGGRAPH)e(Symposium)h(on)g(User)180 4633 y(Interface)j(Softwar)m(e)p Fp(,)h(October)f(1988.)0 4799 y([12])40 b(E.)20 b(Bugnion,)f(S.)h(De)n(vine,)g(and)f(M.)i (Rosenblum.)27 b(Disco:)j(running)18 b(commodity)g(operating)h(systems) h(on)g(scalable)g(multipro\255)180 4898 y(cessors.)29 b(In)20 b Fk(Pr)l(oceedings)f(of)i(the)f(Sixteenth)f(A)n(CM)h (Symposium)f(on)h(Oper)o(ating)f(Systems)i(Principles)p Fp(,)e(1997.)0 5064 y([13])40 b(P)-9 b(.)29 b(Cao,)j(E.)d(W)-8 b(.)30 b(Felten,)i(and)d(K.)g(Li.)53 b(Implementation)27 b(and)i(performance)d(of)j(application\255controlled)c(\002le)30 b(caching.)52 b(In)180 5164 y Fk(Pr)l(oceedings)13 b(of)g(the)g(F)l(ir) o(st)g(Symposium)g(on)g(Oper)o(ating)f(Systems)h(Design)f(an)o(d)h(I)o (mplemen)o(tatio)o(n)p Fp(,)8 b(pages)13 b(165\226178,)d(No)o(v)o (ember)180 5264 y(1994.)1908 5589 y(87)p eop %%Page: 88 89 88 88 bop 0 83 a Fp([14])40 b(A.)21 b(Chankhunthod,)16 b(P)-9 b(.)21 b(B.)g(Danzig,)f(C.)h(Neerdaels,)f(M.)g(F)-7 b(.)22 b(Sc)f(hw)o(artz,)f(and)g(K.)g(J.)i(W)-7 b(orrell.)30 b(A)21 b(hierarchical)d(internet)i(object)180 183 y(cache.)28 b(In)20 b Fk(Pr)l(oceedings)f(of)i(1996)e(Usenix)h(T)-8 b(ec)o(hnical)19 b(Confer)m(ence)p Fp(,)g(pages)h(153\226163,)d (January)i(1996.)0 349 y([15])40 b(D.)28 b(L.)f(Chaum)g(and)g(R.)h(S.)g (F)o(abry)-5 b(.)47 b(Implementing)25 b(capability\255based)h (protection)f(using)i(encryption.)46 b(T)-6 b(echnical)27 b(Report)180 448 y(UCB/ERL)21 b(M78/46,)e(Uni)n(v)o(ersity)g(of)g (California)h(at)h(Berk)o(ele)o(y)-5 
b(,)18 b(July)i(1978.)0 614 y([16])40 b(D.)20 b(Cheriton)e(and)h(K.)h(Duda.)27 b(A)20 b(caching)f(model)f(of)i(operating)d(system)j(k)o(ernel)f (functionality)-5 b(.)25 b(In)19 b Fk(Pr)l(oceedings)g(of)h(the)f(F)l (ir)o(st)180 714 y(Symposium)g(on)h(Oper)o(ating)e(Systems)j(Design)f (and)f(Implementation)p Fp(,)f(pages)i(179\226193,)d(No)o(v)o(ember)g (1994.)0 880 y([17])40 b(D.)24 b(R.)h(Cheriton.)38 b(An)24 b(e)o(xperiment)e(using)i(re)o(gisters)f(for)h(f)o(ast)g (message\255based)f(interprocess)g(communication.)36 b Fk(Oper)o(ating)180 980 y(Systems)20 b(Re)o(vie)o(w)p Fp(,)g(18:12\22620,)d(October)j(1984.)0 1146 y([18])40 b(D.)26 b(D.)h(Clark)f(and)g(D.)g(L.)g(T)-6 b(ennenhouse.)43 b(Architectural)24 b(considerations)h(for)g(a)i(ne)n(w)f(generation)e (of)i(protocols.)43 b(In)26 b Fk(A)n(CM)180 1245 y(Communication)13 b(Ar)m(c)o(hitectur)m(es,)j(Pr)l(otocols,)g(and)e(Applications)g (\(SIGCOMM\))h(1990)p Fp(,)g(pages)g(200\226208,)e(Philadelphia,)i(P)-8 b(A,)180 1345 y(USA,)20 b(September)f(1990.)0 1511 y([19])40 b(D.D.)31 b(Clark.)58 b(On)31 b(the)g(structuring)f(of)g(systems)i (using)f(upcalls.)57 b(In)31 b Fk(Pr)l(oceedings)f(of)h(the)h(T)-8 b(enth)31 b(A)n(CM)g(Symposium)f(on)180 1611 y(Oper)o(ating)19 b(Systems)h(Principles)p Fp(,)g(pages)g(171\226180,)d(December)i(1985.) 
0 1777 y([20])40 b(R.)18 b(J.)h(Creasy)-5 b(.)24 b(The)18 b(origin)f(of)g(the)h(VM/370)f(time\255sharing)f(system.)25 b Fk(IBM)18 b(J)n(.)g(Resear)m(c)o(h)f(and)f(De)o(velopment)p Fp(,)h(25\(5\):483\226490,)180 1876 y(September)i(1981.)0 2042 y([21])40 b(H.)20 b(Custer)-5 b(.)30 b Fk(Inside)20 b(W)-5 b(indows/NT)p Fp(.)30 b(Microsoft)19 b(Press,)i(Redmond,)d(W)-10 b(A,)21 b(1993.)0 2208 y([22])40 b(P)-9 b(.)18 b(Deutsch)f(and)g(C.)h (A.)g(Grant.)25 b(A)18 b(\003e)o(xible)f(measurement)f(tool)h(for)g (softw)o(are)g(systems.)25 b Fk(Information)16 b(Pr)l(ocessing)i(71)p Fp(,)f(1971.)0 2374 y([23])40 b(P)-9 b(.)32 b(Druschel,)h(L.)f(L.)g (Peterson,)h(and)e(B.)i(S.)f(Da)n(vie.)59 b(Experiences)30 b(with)i(a)g(high\255speed)e(netw)o(ork)g(adaptor:)51 b(A)32 b(softw)o(are)180 2474 y(perspecti)n(v)o(e.)23 b(In)17 b Fk(A)n(CM)g(Communication)f(Ar)m(c)o(hitectur)m(es,)h(Pr)l (otocols,)h(and)e(Applications)g(\(SIGCOMM\))h(1994)p Fp(,)f(pages)h(2\22613,)180 2574 y(London,)h(UK,)i(August)g(1994.)0 2740 y([24])40 b(A.)23 b(Edw)o(ards,)g(G.)h(W)-7 b(atson,)24 b(J.)g(Lumle)o(y)-5 b(,)21 b(D.)j(Banks,)g(C.)f(Clamv)n(okis,)h(and)e (C.)i(Dalton.)37 b(User)n(\255space)23 b(protocols)e(deli)n(v)o(er)h (high)180 2839 y(performance)i(to)j(applications)g(on)f(a)i(lo)n (w\255cost)f(Gb/s)g(LAN.)48 b(In)27 b Fk(A)n(CM)h(Communication)d(Ar)m (c)o(hitectur)m(es,)j(Pr)l(otocols,)g(and)180 2939 y(Applications)18 b(\(SIGCOMM\))i(1994)p Fp(,)f(pages)g(14\22624,)g(London,)e(UK,)k (August)e(1994.)0 3105 y([25])40 b(D.)24 b(R.)h(Engler)m(,)f(M.)g(F)-7 b(.)25 b(Kaashoek,)f(and)f(J.)i(O'T)-7 b(oole)24 b(Jr)-5 b(.)40 b(Exok)o(ernel:)35 b(an)25 b(operating)d(system)i(architecture)f (for)g(application\255)180 3205 y(speci\002c)14 b(resource)f (management.)k(In)d Fk(Pr)l(oceedings)g(of)g(the)h(F)l(ifteenth)f(A)n (CM)g(Symposium)f(on)h(Oper)o(ating)f(Systems)i(Principles)p Fp(,)180 3304 y(pages)20 b(251\226266,)d(Copper)i(Mountain)g(Resort,)h (Colorado,)e(December)h(1995.)0 3470 y([26])40 b(D.)21 
b(R.)g(Engler)m(,)e(M.)i(F)-7 b(.)21 b(Kaashoek,)e(and)h(J.)i(O'T)-7 b(oole.)29 b(The)20 b(operating)f(system)h(k)o(ernel)g(as)i(a)e(secure) h(programmable)c(machine.)180 3570 y(In)j Fk(Pr)l(oceedings)f(of)h(the) g(Sixth)g(SIGOPS)f(Eur)l(opean)g(W)-8 b(orkshop)p Fp(,)19 b(pages)h(62\22667,)e(September)h(1994.)0 3736 y([27])40 b(D.)21 b(R.)g(Engler)m(,)e(M.)i(F)-7 b(.)21 b(Kaashoek,)e(and)h(J.)i (O'T)-7 b(oole.)29 b(The)20 b(operating)f(system)h(k)o(ernel)g(as)i(a)e (secure)h(programmable)c(machine.)180 3836 y(In)j Fk(Oper)o(ating)f (systems)i(r)m(e)o(vie)o(w)p Fp(,)f(January)f(1995.)0 4002 y([28])40 b(D.)16 b(R.)g(Engler)m(,)f(D.)h(W)-7 b(allach,)17 b(and)e(M.)h(F)-7 b(.)16 b(Kaashoek.)k(Ef)n(\002cient,)c (safe,)h(application\255speci\002c)c(message)i(processing.)20 b(T)-6 b(echnical)180 4101 y(Memorandum)17 b(MIT/LCS/TM533,)h(MIT)-6 b(,)20 b(March)f(1995.)0 4267 y([29])40 b(Da)o(wson)19 b(R.)i(Engler)-5 b(.)29 b(Simple,)19 b(rob)n(ust)h(online)f(v)o (eri\002cation)g(of)h(program)e(correctness.)28 b(Submitted)19 b(for)h(publication.)0 4433 y([30])40 b(Da)o(wson)13 b(R.)h(Engler)-5 b(.)17 b(Ef)n(\002cient)c(v)o(eri\002cation)e(of)j (demonically\255implemented)8 b(inte)o(ger)13 b(functions)f(\(or)m(,)h (demonic)f(determinism,)180 4533 y(trusted)20 b(results\).)29 b(a)n(v)n(ailable)19 b(on)h(request,)f(December)g(1997.)0 4699 y([31])40 b(D.R.)27 b(Engler)f(and)g(M.F)-7 b(.)28 b(Kaashoek.)46 b(DPF:)28 b(f)o(ast,)h(\003e)o(xible)d(message)h (demultiple)o(xing)d(using)i(dynamic)g(code)g(generation.)180 4799 y(In)c Fk(A)n(CM)h(Communication)d(Ar)m(c)o(hitectur)m(es,)i(Pr)l (otocols,)g(and)g(Applications)e(\(SIGCOMM\))i(1996)p Fp(,)g(pages)g(53\22659,)e(Stanford,)180 4898 y(CA,)h(USA,)f(August)g (1996.)0 5064 y([32])40 b(Marc)19 b(Fiuczynski)g(and)h(Brian)g (Bershad.)28 b(An)20 b(e)o(xtensible)f(protocol)f(architecture)g(for)i (application\255speci\002c)d(netw)o(orking.)27 b(In)180 5164 y Fk(Pr)l(oceedings)19 b(of)h(the)g(1996)f(W)-5 b(inter)21 b(USENIX)f(Confer)m(ence)p 
Fp(,)f(pages)h(55\22664,)e (January)h(1996.)1908 5589 y(88)p eop %%Page: 89 90 89 89 bop 0 83 a Fp([33])40 b(B.)21 b(F)o(ord,)f(K.)h(V)-9 b(an)21 b(Maren,)f(J.)h(Lepreau,)e(S.)j(Cla)o(wson,)e(B.)i(Robinson,)d (and)i(Jef)n(f)f(T)l(urner)-5 b(.)30 b(The)21 b(FLUX)g(OS)g(toolkit:)31 b(Reusable)180 183 y(components)c(for)h(OS)h(implementation.)50 b(In)29 b Fk(Pr)l(oc.)g(of)g(Sixth)g(W)-8 b(orkshop)28 b(on)h(Hot)g(T)-8 b(opics)29 b(in)g(Oper)o(ating)f(Systems)p Fp(,)j(pages)180 282 y(14\22619,)18 b(May)i(1997.)0 441 y([34])40 b(Bryan)30 b(F)o(ord,)i(Mik)o(e)e(Hibler)m(,)j(Jay)d (Lepreau,)i(P)o(atrick)e(T)l(ullman,)i(Godmar)d(Back,)k(and)d(Ste)n(v)o (en)g(Cla)o(wson.)56 b(Microk)o(ernels)180 541 y(meet)28 b(recursi)n(v)o(e)f(virtual)h(machines.)50 b(In)28 b Fk(Pr)l(oceedings)g(of)g(the)h(Second)d(Symposium)i(on)g(Oper)o(ating)f (System)h(Design)g(and)180 641 y(Implementation)18 b(\(OSDI)h(1996\))p Fp(,)f(October)i(1996.)0 800 y([35])40 b(Bryan)31 b(F)o(ord)f(and)h (Sai)h(R.)h(Susarla.)59 b(CPU)32 b(inheritance)e(scheduling.)57 b(In)32 b Fk(Pr)l(oceedings)e(of)h(the)h(Second)e(Symposium)g(on)180 900 y(Oper)o(ating)19 b(System)h(Design)g(and)f(Implementation)f (\(OSDI)i(1996\))p Fp(,)e(October)h(1996.)0 1059 y([36])40 b(G.)21 b(Ganger)f(and)g(Y)-11 b(.)22 b(P)o(att.)32 b(Metadata)20 b(update)g(performance)e(in)j(\002le)h(systems.)32 b(In)21 b Fk(Pr)l(oceedings)f(of)h(the)g(F)l(ir)o(st)h(Symposium)e(on)180 1158 y(Oper)o(ating)f(Systems)h(Design)g(and)f(Implementation)p Fp(,)f(pages)i(49\22660,)e(No)o(v)o(ember)g(1994.)0 1318 y([37])40 b(Gre)o(gory)16 b(R.)i(Ganger)f(and)g(M.)h(Frans)g(Kaashoek.) 
24 b(Embedded)15 b(inodes)j(and)f(e)o(xplicit)g(grouping:)26 b(Exploiting)16 b(disk)h(bandwidth)180 1417 y(for)i(small)i(\002les.)30 b(In)20 b Fk(Pr)l(oceedings)f(of)h(the)h(1997)d(USENIX)i(T)-8 b(ec)o(hnical)19 b(Confer)m(ence)p Fp(,)h(1997.)0 1577 y([38])40 b(R.)21 b(P)-9 b(.)20 b(Goldber)o(g.)27 b(Surv)o(e)o(y)18 b(of)i(virtual)g(machine)f(research.)28 b Fk(IEEE)20 b(Computer)p Fp(,)f(pages)h(34\22645,)e(June)i(1974.)0 1736 y([39])40 b(D.)31 b(Golub,)h(R.)f(Dean,)i(A.)e(F)o(orin,)i(and)d (R.)h(Rashid.)57 b(UNIX)31 b(as)g(an)g(application)e(program.)55 b(In)30 b Fk(USENIX)h(1990)e(Summer)180 1835 y(Confer)m(ence)p Fp(,)19 b(pages)h(87\22695,)e(June)i(1990.)0 1995 y([40])40 b(J.)20 b(Gosling.)26 b(Ja)n(v)n(a)20 b(intermediate)d(bytecodes.)26 b(In)19 b Fk(Pr)l(oc.)g(of)g(A)n(CM)h(SIGPLAN)e(workshop)h(on)f (Intermediate)g(Repr)m(esentations)p Fp(,)180 2094 y(pages)i (111\226118,)d(march)i(1995.)0 2253 y([41])40 b(P)-9 b(.)25 b(Brinch)f(Hansen.)41 b(The)24 b(nucleus)g(of)h(a)g (multiprogramming)c(system.)41 b Fk(Communications)23 b(of)i(the)g(A)n(CM)p Fp(,)g(13\(4\):238\226241,)180 2353 y(April)20 b(1970.)0 2512 y([42])40 b(H.)19 b(H)345 2511 y(\250)340 2512 y(artig,)f(M.)h(Hohmuth,)d(J.)j(Liedtk)o(e,)f(and) g(S.)h(Sch)1721 2511 y(\250)1714 2512 y(onber)o(g)d(andJ.)i(W)-7 b(olter)i(.)27 b(The)18 b(performance)e(of)i Fm(\026)p Fp(\255k)o(ernel\255based)e(systems.)180 2612 y(In)k Fk(Pr)l(oceedings)f(of)h(the)g(Sixteenth)f(A)n(CM)i(Symposium)e(on)h (Oper)o(ating)e(Systems)j(Principles)p Fp(,)f(1997.)0 2771 y([43])40 b(J.H.)35 b(Hartman,)i(A.B.)e(Montz,)i(D.)e(Mosber)o (ger)m(,)g(S.W)-8 b(.)35 b(O'Malle)o(y)-5 b(,)37 b(L.L.)d(Peterson,)j (and)d(T)-6 b(.A.)34 b(Proebsting.)66 b(Scout:)58 b(A)180 2871 y(communication\255oriented)12 b(operating)j(system.)24 b(T)-6 b(echnical)16 b(Report)h(TR)h(94\25520,)e(Uni)n(v)o(ersity)g(of) g(Arizona,)h(T)l(ucson,)g(AZ,)g(June)180 2970 y(1994.)0 3130 y([44])40 b(K.)24 b(Harty)g(and)g(D.R.)g(Cheriton.)39 b(Application\255controlled)21 
b(physical)i(memory)f(using)i(e)o (xternal)f(page\255cache)f(management.)180 3229 y(In)e Fk(F)l(ifth)h(International)d(Confer)m(ence)i(on)g(Ar)m(c)o(hitectur)m (e)g(Support)f(for)i(Pr)l(o)o(gr)o(amming)f(Langua)o(g)o(es)e(and)i (Oper)o(ating)f(Systems)p Fp(,)180 3329 y(pages)h(187\226199,)d (October)i(1992.)0 3488 y([45])40 b(D.)20 b(Hitz.)30 b(An)20 b(NFS)h(\002le)g(serv)o(er)e(appliance.)28 b(T)-6 b(echnical)19 b(Report)h(3001,)f(Netw)o(ork)g(Applicance)g (Corporation,)f(March)h(1995.)0 3647 y([46])40 b(J.)20 b(Huck)f(and)g(J.)h(Hays.)28 b(Architectural)18 b(support)g(for)g (translation)h(table)g(management)f(in)h(lar)o(ge)g(address)g(space)g (machines.)27 b(In)180 3747 y Fk(Pr)l(oceedings)19 b(of)h(the)g(19th)g (International)e(Symposium)h(on)g(Computer)h(Ar)m(c)o(hitectur)m(e)p Fp(,)f(pages)h(39\22651,)e(May)i(1992.)0 3906 y([47])40 b(Norman)14 b(P)-9 b(.)16 b(Jouppi.)21 b(Impro)o(ving)12 b(direct\255mapped)h(cache)i(performance)e(by)i(the)h(addition)f(of)g (a)h(small)g(fully\255associati)n(v)o(e)e(cache)180 4006 y(and)21 b(prefetch)g(b)n(uf)n(fers.)33 b(In)22 b Fk(17th)f(Annual)f (International)g(Symposium)h(on)h(Computer)f(Ar)m(c)o(hitectur)m(e)p Fp(,)h(pages)f(364\226373,)f(May)180 4105 y(1990.)0 4265 y([48])40 b(M.)21 b(Frans)h(Kaashoek,)e(Da)o(wson)h(R.)h(Engler)m(,)f (Gre)o(gory)e(R.)j(Ganger)m(,)e(Hector)h(M.)h(Briceno,)f(Russell)h (Hunt,)g(Da)n(vid)f(Mazieres,)180 4364 y(Thomas)13 b(Pinckne)o(y)-5 b(,)10 b(Robert)j(Grimm,)g(John)g(Jannotti,)f(and)h(K)n(enneth)g(Mack)o (enzie.)f(Application)h(performance)g(and)g(\003e)o(xib)o(ility)180 4464 y(on)g(e)o(xok)o(ernel)f(systems.)20 b(In)13 b Fk(Pr)l(oceedings)g (of)i(the)f(Sixteenth)f(A)n(CM)h(Symposium)f(on)g(Oper)o(ating)g (Systems)i(Principles)p Fp(,)g(October)180 4563 y(1997.)0 4723 y([49])40 b(M.F)-7 b(.)27 b(Kaashoek,)f(D.R.)h(Engler)m(,)f(D.H.)h (W)-7 b(allach,)28 b(and)e(G.)h(Ganger)-5 b(.)45 b(Serv)o(er)25 b(operating)g(systems.)46 b(In)26 b Fk(SIGOPS)f(Eur)l(opean)180 4822 y(W)-8 b(orkshop)p Fp(,)19 
b(pages)h(141\226148,)d(September)i (1996.)0 4982 y([50])40 b(Gerry)19 b(Kane)h(and)g(Joe)g(Heinrich.)28 b Fk(MIPS)20 b(RISC)g(Ar)m(c)o(hitectur)m(e)p Fp(.)28 b(Prentice)20 b(Hall,)h(1992.)0 5141 y([51])40 b(K.)26 b(Krue)o(ger)m(,)f(D.)h(Loftesness,)h(A.)f(V)-9 b(ahdat,)26 b(and)f(T)-6 b(.)26 b(Anderson.)43 b(T)-7 b(ools)26 b(for)f(de)n(v)o (elopment)e(of)j(application\255speci\002c)d(virtual)180 5240 y(memory)e(management.)35 b(In)22 b Fk(Confer)m(ence)h(on)f (Object\255Oriented)g(Pr)l(o)o(gr)o(amming)f(Systems,)j(Langua)o(g)o (es,)e(and)g(Applications)180 5340 y(\(OOPSLA\))d(1993)p Fp(,)f(pages)i(48\22664,)e(October)h(1993.)1908 5589 y(89)p eop %%Page: 90 91 90 90 bop 0 83 a Fp([52])40 b(B.)19 b(W)-8 b(.)20 b(Lampson.)25 b(Hints)19 b(for)f(computer)e(system)j(design.)26 b(In)18 b Fk(Pr)l(oceedings)g(of)g(the)h(Eighth)f(A)n(CM)g(Symposium)g(on)g (Oper)o(ating)180 183 y(Systems)i(Principles)p Fp(,)g(pages)g (33\22648,)e(December)h(1983.)0 344 y([53])40 b(B.W)-8 b(.)21 b(Lampson.)28 b(On)20 b(reliable)g(and)f(e)o(xtendable)g (operating)f(systems.)30 b Fk(State)19 b(of)i(the)f(Art)h(Report,)e (Infotec)o(h)p Fp(,)g(1,)h(1971.)0 505 y([54])40 b(B.W)-8 b(.)17 b(Lampson)e(and)h(R.F)-7 b(.)17 b(Sproull.)k(An)16 b(open)f(operating)g(system)h(for)g(a)g(single\255user)f(machine.)21 b Fk(Pr)l(oceedings)16 b(of)g(the)g(Se)o(venth)180 605 y(A)n(CM)k(Symposium)f(on)h(Oper)o(ating)f(Systems)h(Principles)p Fp(,)g(pages)g(98\226105,)e(December)h(1979.)0 766 y([55])40 b(C.H.)12 b(Lee,)h(M.C.)f(Chen,)i(and)e(R.C.)g(Chang.)i(HiPEC:)e(high)g (performance)g(e)o(xternal)g(virtual)g(memor)o(y)g(cach)o(ing)o(.)e(In) i Fk(Pr)l(oceedings)180 866 y(of)20 b(the)g(F)l(ir)o(st)i(Symposium)d (on)h(Oper)o(ating)f(Systems)h(Design)g(and)f(Implementation)p Fp(,)f(pages)i(153\226164,)d(1994.)0 1027 y([56])40 b(Ian)28 b(Leslie,)i(Derek)d(McAule)o(y)-5 b(,)29 b(Richard)e(Black,)j(T)m (imothy)d(Roscoe,)i(P)o(aul)f(Barham,)i(Da)n(vid)e(Ev)o(ers,)h(Robin)e (F)o(airbairns,)i(,)180 1127 
y(and)i(Eoin)g(Hyden.)58 b(The)31 b(design)g(and)g(implementation)e(of)i(an)h(operating)e (system)h(to)h(support)e(distrib)n(uted)h(multimedia)180 1226 y(applications.)d Fk(IEEE)19 b(J)n(ournal)g(on)h(selected)g(ar)m (eas)g(in)h(communication)p Fp(,)c(14\(7\):1280\2261297,)d(September)19 b(1996.)0 1388 y([57])40 b(J.)25 b(Liedtk)o(e.)40 b(Impro)o(ving)21 b(IPC)k(by)f(k)o(ernel)g(design.)39 b(In)24 b Fk(Pr)l(oceedings)g(of)g (the)h(F)-9 b(ourteenth)23 b(A)n(CM)i(Symposium)e(on)h(Oper)o(ating)180 1487 y(Systems)c(Principles)p Fp(,)g(pages)g(175\226188,)d(December)i (1993.)0 1649 y([58])40 b(J.)17 b(Liedtk)o(e.)22 b(On)17 b(micro\255k)o(ernel)d(construction.)21 b(In)16 b Fk(Pr)l(oceedings)g (of)h(the)f(F)l(ifteenth)g(A)n(CM)h(Symposium)f(on)g(Oper)o(ating)f (Systems)180 1748 y(Principles)p Fp(,)20 b(December)f(1995.)0 1910 y([59])40 b(Ste)n(v)o(e)29 b(Lucco.)53 b(Personal)29 b(communication.)51 b(Use)30 b(of)f(undocumented)d(proprietary)h (formats)i(as)h(a)g(technique)e(to)i(impede)180 2009 y(third\255party)18 b(additions,)h(August)g(1997.)0 2171 y([60])40 b(K)n(enneth)21 b(Mack)o(enzie,)h(John)g(K)o(ubiato)n(wicz,)f (Matthe)n(w)h(Frank,)h(W)-7 b(alter)23 b(Lee,)g(V)-5 b(ictor)22 b(Lee,)h(Anant)f(Agarw)o(al,)g(and)g(M.)h(Frans)180 2270 y(Kaashoek.)d(UDM:)c(User)g(Direct)g(Messaging)f(for)g (General\255Purpose)f(Multiprocessing.)19 b(T)-6 b(echnical)15 b(Memo)g(MIT/LCS/TM\255)180 2370 y(556,)k(March)g(1996.)0 2531 y([61])40 b(C.)20 b(Maeda)e(and)h(B.)h(N.)f(Bershad.)27 b(Protocol)18 b(service)h(decomposition)e(for)h(high\255performance)d (netw)o(orking.)25 b(In)19 b Fk(Pr)l(oceedings)180 2631 y(of)e(the)g(F)-9 b(ourteenth)16 b(A)n(CM)h(Symposium)f(on)h(Oper)o (ating)e(Systems)j(Principles)p Fp(,)f(pages)g(244\226255,)d(Ashe)n (ville,)j(NC,)h(USA,)f(1993.)0 2792 y([62])40 b(Da)n(vid)26 b(Mazieres)h(and)f(M.)h(Frans)f(Kaashoek.)46 b(Secure)26 b(applications)f(need)h(\003e)o(xibile)g(operating)f(systems.)47 b(In)26 b Fk(HotOS\255VI)p Fp(,)180 2892 y(1997.)0 3053 y([63])40 
b(Da)n(vid)19 b(Mazi)577 3052 y(\036)572 3053 y(eres)g(and)g(M.)g(Frans)g(Kaashoek.)26 b(Secure)19 b(applications)f(need)h(\003e)o(xible)f(operating)g(systems.)27 b(In)19 b Fk(Pr)l(oceedings)f(of)180 3153 y(the6th)h(W)-8 b(orkshop)20 b(on)g(Hot)g(T)-8 b(opics)21 b(in)f(Oper)o(ating)f (Systems)p Fp(,)h(May)g(1997.)0 3314 y([64])40 b(S.)15 b(McCanne)f(and)h(V)-11 b(.)15 b(Jacobson.)k(The)c(BSD)h(pack)o(et)e (\002lter:)27 b(A)16 b(ne)n(w)f(architecture)e(for)h(user)n(\255le)n(v) o(el)g(pack)o(et)g(capture.)19 b(In)c Fk(USENIX)180 3414 y(T)-8 b(ec)o(hnical)19 b(Confer)m(ence)h(Pr)l(oceedings)p Fp(,)e(pages)i(259\226269,)d(San)k(Die)o(go,)e(CA,)i(W)m(inter)f(1993.) e(USENIX.)0 3575 y([65])40 b(J.C.)28 b(Mogul,)f(R.F)-7 b(.)28 b(Rashid,)h(and)d(M.J.)i(Accetta.)47 b(The)27 b(pack)o(et)f(\002lter:)44 b(An)27 b(ef)n(\002cient)g(mechanism)e(for)i (user)n(\255le)n(v)o(el)f(netw)o(ork)180 3675 y(code.)36 b(In)23 b Fk(Pr)l(oceedings)f(of)i(the)f(Ele)o(venth)f(A)n(CM)h (Symposium)f(on)h(Oper)o(ating)f(Systems)i(Principles)p Fp(,)f(pages)g(39\22651,)f(Austin,)180 3774 y(TX,)e(USA,)h(No)o(v)o (ember)c(1987.)0 3936 y([66])40 b(A.)23 b(C.)g(Myers)g(and)f(B.)i(Lisk) o(o)o(v)-5 b(.)35 b(Decentralized)21 b(model)h(for)g(information)f (\003o)n(w)i(control.)35 b(In)22 b Fk(Pr)l(oceedings)g(of)h(the)g (Sixteenth)180 4035 y(A)n(CM)d(Symposium)f(on)h(Oper)o(ating)f(Systems) h(Principles)p Fp(,)g(October)f(1997.)0 4197 y([67])40 b(D.)25 b(Nagle,)i(R.)f(Uhlig,)g(T)-6 b(.)25 b(Stanle)o(y)-5 b(,)25 b(S.)h(Sechrest,)g(T)-6 b(.)25 b(Mudge,)g(and)g(R.)h(Bro)n(wn.) 
42 b(Design)25 b(tradeof)n(fs)f(for)h(softw)o(are\255managed)180 4296 y(TLBs.)30 b(In)20 b Fk(20th)f(Annual)f(International)g(Symposium) h(on)h(Computer)g(Ar)m(c)o(hitectur)m(e)p Fp(,)f(pages)h(27\22638,)e (May)i(1993.)0 4458 y([68])40 b(NCSA,)21 b(Uni)n(v)o(ersity)e(of)h (Illinois,)f(Urbana\255Champaign.)26 b(NCSA)21 b(HTTPd.)29 b(http://hoohoo.ncsa.uiuc.ed)o(u/ind)o(e)o(x)o(.h)o(tml.)0 4619 y([69])40 b(J.)18 b(K.)g(Ousterhout.)23 b(Why)17 b(aren')o(t)f(operating)f(systems)j(getting)f(f)o(aster)h(as)g(f)o(ast) g(as)g(hardw)o(are?)34 b(In)17 b Fk(Pr)l(oceedings)g(of)g(the)h(Summer) 180 4718 y(1990)h(USENIX)g(Confer)m(ence)p Fp(,)g(pages)h(247\226256,)d (June)j(1990.)0 4880 y([70])40 b(V)-11 b(.)34 b(P)o(ai,)j(P)-9 b(.)34 b(Druschel,)j(and)c(W)-8 b(.)35 b(Zw)o(aenepoel.)63 b(I/O\255lite:)57 b(a)34 b(uni\002ed)f(I/O)h(b)n(uf)n(fering)d(and)j (caching)e(system.)65 b(T)-6 b(echnical)180 4979 y(Report)20 b Fk(http://www)-6 b(.cs.rice)o(.edu/)19 b(vivek/IO\255lite)o(.html)p Fp(,)f(Rice)j(Uni)n(v)o(ersity)-5 b(,)18 b(1997.)0 5141 y([71])40 b(Przemysla)o(w)29 b(P)o(ardyak)g(and)g(Brian)h(Bershad.)56 b(Dynamic)29 b(binding)f(for)i(an)g(e)o(xtensible)f(system.)55 b(In)30 b Fk(Pr)l(oceedings)f(of)i(the)180 5240 y(Second)16 b(USENIX)h(Symposium)f(on)h(Oper)o(ating)f(Systems)i(Design)f(and)f (Implementation)g(\(OSDI\))p Fp(,)g(pages)h(201\226212,)e(October)180 5340 y(1996.)1908 5589 y(90)p eop %%Page: 91 92 91 91 bop 0 83 a Fp([72])40 b(R.)19 b(Hugo)e(P)o(atterson,)h(Garth)g (A.)h(Gibson,)f(Eka)g(Ginting,)g(Daniel)g(Stodolsk)o(y)-5 b(,)17 b(and)h(Jim)h(Zelenka.)25 b(Informed)16 b(prefetching)g(and)180 183 y(caching.)37 b(In)24 b Fk(Pr)l(oceedings)e(of)i(the)g(F)l (ifteenth)f(A)n(CM)i(Symposium)d(on)h(Oper)o(ating)g(Systems)h (Principles)p Fp(,)g(Copper)f(Mountain)180 282 y(Resort,)d(CO,)h (December)e(1995.)0 448 y([73])40 b(D.)32 b(Probert,)h(J.L.)e(Bruno,)i (and)e(M.)h(Karzaorman.)57 b(SP)-8 b(A)m(CE:)32 b(A)g(ne)n(w)g (approach)d(to)j(operating)d(system)j(abstraction.)58 
b(In)180 548 y Fk(International)18 b(W)-8 b(orkshop)20 b(on)f(Object)h(Orientation)g(in)g(Oper)o(ating)f(Systems)p Fp(,)h(pages)g(133\226137,)d(October)i(1991.)0 714 y([74])40 b(J.S.)29 b(Quarterman,)f(A.)h(Silberschatz,)h(and)e(J.L.)g(Peterson.) 51 b(4.2BSD)28 b(and)g(4.3BSD)h(as)g(e)o(xamples)e(of)i(the)f(UNIX)h (system.)180 814 y Fk(Computing)19 b(Surve)n(ys)p Fp(,)g (17\(4\):379\226418,)c(December)k(1985.)0 980 y([75])40 b(D.D.)23 b(Redell,)i(Y)-11 b(.K.)24 b(Dalal,)h(T)-6 b(.R.)23 b(Horsle)o(y)-5 b(,)23 b(H.C.)h(Lauer)m(,)f(W)-8 b(.C.)25 b(L)-5 b(ynch,)24 b(P)-9 b(.R.)24 b(McJones,)g(H.G.)f(Murray) -5 b(,)23 b(and)g(S.C.)h(Purcell.)180 1079 y(Pilot:)30 b(An)20 b(operating)e(system)j(for)e(a)i(personal)e(computer)-5 b(.)28 b Fk(Communications)18 b(of)i(the)h(A)n(CM)p Fp(,)f (23\(2\):81\22692,)c(February)i(1980.)0 1245 y([76])40 b(T)m(imothy)33 b(Roscoe.)68 b Fk(The)35 b(Structur)m(e)g(of)g(a)g (Multi\255Service)g(Oper)o(ating)e(System)p Fp(.)69 b(Phd)34 b(Thesis,)39 b(T)-6 b(echnical)34 b(Report)h(376,)180 1345 y(Cambridge,)18 b(1995.)0 1511 y([77])40 b(M.)23 b(Rozier)m(,)f(V)-11 b(.)23 b(Abrossimo)o(v)-5 b(,)21 b(F)-7 b(.)24 b(Armand,)d(I.)i(Boule,)g(M.)g(Gien,)g(M.)g(Guillemont,)f (F)-7 b(.)23 b(Herrmann,)e(C.)j(Kaiser)m(,)f(S.)g(Langlois,)180 1611 y(P)-9 b(.)20 b(Leonard,)e(and)i(W)-8 b(.)21 b(Neuhauser)-5 b(.)28 b(Chorus)20 b(distrib)n(uted)f(operating)g(system.)29 b Fk(Computing)19 b(Systems)p Fp(,)h(1\(4\):305\226370,)15 b(1988.)0 1777 y([78])40 b(M.)25 b(Seltzer)m(,)h(Y)-11 b(.)25 b(Endo,)g(C.)h(Small,)g(and)f(K.)g(Smith.)42 b(Dealing)24 b(with)h(disaster:)39 b(Survi)n(ving)24 b(misbeha)n(v)o(ed)f(k)o(ernel) h(e)o(xtensions.)180 1876 y(In)j Fk(Pr)l(oceedings)g(of)g(the)h(Second) e(Symposium)g(on)h(Oper)o(ating)g(Systems)h(Design)f(and)g (Implementation)p Fp(,)f(pages)i(213\226228,)180 1976 y(October)19 b(1996.)0 2142 y([79])40 b(C.)25 b(Small)f(and)f(M.)h (Seltzer)-5 b(.)40 b(V)-5 b(ino:)37 b(an)24 b(inte)o(grated)e(platform) 
g(for)i(operating)e(systems)i(and)g(database)f(research.)38 b(T)-6 b(echnical)180 2242 y(Report)20 b(TR\25530\25594,)e(Harv)n(ard,) g(1994.)0 2408 y([80])40 b(Christopher)22 b(Small)h(and)g(Mar)o(go)f (Seltzer)-5 b(.)38 b(A)24 b(comparison)d(of)i(os)h(e)o(xtension)e (technologies.)36 b(In)23 b Fk(Pr)l(oceedings)f(of)i(the)f(1996)180 2507 y(USENIX)d(Confer)m(ence)p Fp(,)f(1996.)0 2673 y([81])40 b(Richard)30 b(Stallman.)56 b(Emacs,)33 b(the)d(e)o(xtensible,)i (customizable)d(self\255documenting)e(display)j(editor)-5 b(.)56 b(In)30 b Fk(A)n(CM)h(SIGPLAN)180 2773 y(SIGO)-5 b(A)20 b(Symposium)f(on)g(T)-8 b(e)n(xt)22 b(Manipulation)p Fp(,)17 b(June)j(1981.)0 2939 y([82])40 b(V)-11 b(.)18 b(Buch)f(T)-6 b(.)17 b(v)n(on)g(Eick)o(en,)g(A.)g(Basu)h(and)f(W)-8 b(.)18 b(V)-11 b(ogels.)25 b(U\255Net:)j(A)17 b(user)n(\255le)n(v)o(el) g(netw)o(ork)f(interf)o(ace)g(for)h(parallel)g(and)f(distrib)n(uted)180 3039 y(computing.)46 b(In)27 b Fk(Pr)l(oceedings)f(of)h(the)h(F)l (ifteenth)f(A)n(CM)g(Symposium)f(on)h(Oper)o(ating)f(Systems)i (Principles)p Fp(,)h(pages)e(40\22653,)180 3138 y(Copper)19 b(Mountain)g(Resort,)h(CO,)h(USA,)f(1995.)0 3304 y([83])40 b(Madhusudhan)31 b(T)-7 b(alluri,)38 b(Mark)c(D.)h(Hill,)k(and)34 b(Y)-9 b(ousef)33 b(A.)i(Khalidi.)67 b(A)35 b(ne)n(w)g(page)e(table)i (for)f(64\255bit)f(address)i(spaces.)180 3404 y(In)28 b Fk(Pr)l(oceedings)e(of)j(the)f(F)l(ifteenth)f(A)n(CM)i(Symposium)e (on)g(Oper)o(ating)g(Systems)h(Principles)p Fp(,)i(Copper)d(Mountain)f (Resort,)180 3504 y(Colorado,)18 b(December)h(1995.)0 3670 y([84])40 b(A.S.)18 b(T)-7 b(anenbaum,)16 b(R.)j(v)n(an)e (Renesse,)i(H.)f(v)n(an)g(Sta)n(v)o(eren,)f(G.)i(Sharp,)e(S.J.)i (Mullender)m(,)d(A.)i(Jansen,)g(and)g(G.)g(v)n(an)g(Rossum.)25 b(Ex\255)180 3769 y(periences)16 b(with)i(the)f(Amoeba)f(distrib)n (uted)g(operating)g(system.)24 b Fk(Communications)16 b(of)h(the)g(A)n(CM)p Fp(,)h(33\(12\):46\22663,)13 b(December)180 3869 y(1990.)0 4035 y([85])40 b(D.)26 b(T)-7 b(arditi,)27 b(G.)f(Morrisett,)h(P)-9 
b(.)26 b(Cheng,)g(C.)h(Stone,)g(R.)g(Harper)m (,)e(and)h(P)-9 b(.)26 b(Lee.)44 b(T)m(il:)e(A)26 b(type\255directed)e (optimizing)g(compiler)180 4134 y(for)17 b(ml.)26 b(In)18 b Fk(Pr)l(oceedings)f(of)i(the)f(SIGPLAN)g('96)f(Confer)m(ence)h(on)g (Pr)l(o)o(gr)o(amming)f(Langua)o(g)o(e)f(Design)i(and)f(Implementation) p Fp(,)180 4234 y(Philadelphia,)h(P)-8 b(A,)21 b(May)f(1996.)0 4400 y([86])40 b(D.L.)34 b(T)-6 b(ennenhouse)33 b(and)h(Da)n(vid)g(J.)i (W)-7 b(etherall.)68 b(T)-7 b(o)n(w)o(ards)34 b(an)h(acti)n(v)o(e)f (netw)o(ork)g(architecture.)66 b(In)35 b Fk(Pr)l(oc.)f(Multimedia,)180 4500 y(Computing)o(,)19 b(and)g(Networking)h(96)p Fp(,)g(January)f (1996.)0 4666 y([87])40 b(C.)31 b(A.)g(Thekkath)e(and)i(H.)g(M.)g(Le)n (vy)-5 b(.)56 b(Hardw)o(are)29 b(and)i(softw)o(are)f(support)g(for)g (ef)n(\002cient)g(e)o(xception)f(handling.)55 b(In)31 b Fk(Sixth)180 4765 y(International)23 b(Confer)m(ence)i(on)h(Ar)m(c)o (hitectur)m(e)f(Support)f(for)j(Pr)l(o)o(gr)o(amming)d(Langua)o(g)o(es) g(and)h(Oper)o(ating)g(Systems)p Fp(,)i(pages)180 4865 y(110\226121,)17 b(October)i(1994.)0 5031 y([88])40 b(C.)23 b(A.)g(Thekkath,)e(H.)i(M.)g(Le)n(vy)-5 b(,)22 b(and)g(E.)g(D.)h(Lazo)n (wska.)35 b(Separating)21 b(data)i(and)f(control)f(transfer)h(in)h (distrib)n(uted)e(operating)180 5131 y(systems.)28 b(In)19 b Fk(Sixth)f(International)f(Confer)m(ence)i(on)g(Ar)m(c)o(hitectur)m (e)f(Support)g(for)h(Pr)l(o)o(gr)o(amming)f(Langua)o(g)o(es)g(and)g (Oper)o(ating)180 5230 y(Systems)p Fp(,)i(pages)g(2\22611,)f(San)h (Francisco,)f(California,)g(October)g(1994.)1908 5589 y(91)p eop %%Page: 92 93 92 92 bop 0 83 a Fp([89])40 b(R.)19 b(W)-7 b(ahbe,)19 b(S.)g(Lucco,)f(T)-6 b(.)19 b(Anderson,)e(and)h(S.)h(Graham.)26 b(Ef)n(\002cient)18 b(softw)o(are\255based)f(f)o(ault)h(isolation.)27 b(In)18 b Fk(Pr)l(oceedings)g(of)h(the)180 183 y(F)-9 b(ourteenth)20 b(A)n(CM)h(Symposium)f(on)g(Oper)o(ating)g(Systems)h (Principles)p Fp(,)g(pages)g(203\226216,)d(Ashe)n(ville,)j(NC,)g(USA,)h (December)180 282 
y(1993.)0 448 y([90])40 b(C.)23 b(A.)g(W)-7 b(aldspur)o(ger)20 b(and)i(W)-8 b(.)24 b(E.)e(W)-7 b(eihl.)36 b(Lottery)21 b(scheduling:)33 b(Fle)o(xible)22 b(proportional\255share) c(resource)j(management.)33 b(In)180 548 y Fk(Pr)l(oceedings)21 b(of)h(the)g(F)l(ir)o(st)i(Symposium)d(on)h(Oper)o(ating)e(Systems)j (Design)f(and)f(Implementation)p Fp(,)f(pages)i(1\22611,)f(No)o(v)o (ember)180 648 y(1994.)0 814 y([91])40 b(C.)22 b(A.)g(W)-7 b(aldspur)o(ger)20 b(and)h(W)-8 b(.)23 b(E.)e(W)-7 b(eihl.)34 b(Stride)22 b(scheduling:)30 b(deterministic)21 b (proportional\255share)d(resource)i(management.)180 913 y(T)-6 b(echnical)19 b(Memorandum)e(MIT/LCS/TM528,)h(MIT)-6 b(,)20 b(June)g(1995.)0 1079 y([92])40 b(D.)25 b(A.)f(W)-7 b(allach,)26 b(D.)f(R.)g(Engler)m(,)f(and)g(M.)g(F)-7 b(.)26 b(Kaashoek.)39 b(ASHs:)g(Application\255speci\002c)22 b(handlers)h(for)h(high\255performance)180 1179 y(messaging.)58 b(In)31 b Fk(A)n(CM)g(Communication)f(Ar)m(c)o(hitectur)m(es,)j(Pr)l (otocols,)h(and)c(Applications)g(\(SIGCOMM)h('96\))p Fp(,)i(Stanford,)180 1279 y(California,)19 b(August)h(1996.)0 1445 y([93])40 b(Deborah)18 b(A.)j(W)-7 b(allach.)30 b Fk(Supporting)17 b(application\255speci\002c)g(libr)o(aries)j(for)h (communication)p Fp(.)27 b(PhD)20 b(thesis,)h(M.I.T)-6 b(.,)18 b(1996.)0 1611 y([94])40 b(W)-8 b(.)32 b(W)l(ulf,)h(E.)e (Cohen,)i(W)-8 b(.)32 b(Corwin,)h(A.)e(Jones,)i(R.)f(Le)n(vin,)g(C.)g (Pierson,)h(and)d(F)-7 b(.)32 b(Pollack.)57 b(HYDRA:)32 b(The)e(k)o(ernel)h(of)f(a)180 1710 y(multiprocessing)18 b(operating)g(system.)30 b Fk(Communications)18 b(of)i(the)h(A)n(CM)p Fp(,)f(17\(6\):337\226345,)15 b(July)20 b(1974.)0 1876 y([95])40 b(M.)18 b(Y)-9 b(uhara,)17 b(B.)h(Bershad,)g(C.)g(Maeda,)g (and)f(E.)h(Moss.)26 b(Ef)n(\002cient)17 b(pack)o(et)g(demultiple)o (xing)e(for)j(multiple)f(endpoints)f(and)i(lar)o(ge)180 1976 y(messages.)41 b(In)25 b Fk(Pr)l(oceedings)e(of)i(the)g(W)-5 b(inter)25 b(1994)f(USENIX)g(Confer)m(ence)p Fp(,)h(pages)f 
(153\226165,)f(San)i(Francisco,)g(CA,)g(USA,)180 2076 y(January)19 b(1994.)1908 5589 y(92)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF