Software:Spring (operating system)

From HandWiki
Short description: Microkernel operating system
Spring
DeveloperSun Microsystems
OS familyUnix-like
Working stateDiscontinued
Initial release1993; 31 years ago (1993)
Available inEnglish
Update methodRecompile from source code
PlatformsSPARCstation 2, SPARCstation 4, SPARCstation 5, SPARCstation Voyager, SPARCstation 10, SPARCstation 20[1]
Kernel typeMicrokernel

Spring is a discontinued project in building an experimental microkernel-based object-oriented operating system (OS) developed at Sun Microsystems in the early 1990s. Using technology substantially similar to concepts developed in the Mach kernel, Spring concentrated on providing a richer programming environment supporting multiple inheritance and other features. Spring was also more cleanly separated from the operating systems it would host, divorcing it from its Unix roots and even allowing several OSes to be run at the same time. Development faded out in the mid-1990s, but several ideas and some code from the project was later re-used in the Java programming language libraries and the Solaris operating system.

History

Spring Research Distribution 1.0 CD cover

Spring started in a roundabout fashion in 1987, as part of Sun and AT&T's collaboration to create a merged UNIX. Both companies decided it was also a good opportunity to "reimplement UNIX in an object-oriented fashion".[2] However, after only a few meetings, this part of the project died.

Sun decided to keep their team together and instead explore a system on the leading edge. Along with combining Unix flavours, the new system would also be able to run almost any other system, and in a distributed fashion. The system was first running in a "complete" fashion in 1993, and produced a series of research papers. In 1994, a "research quality" release was made under a non-commercial license, but it is unclear how widely this was used. Described as a "clean slate" intended to help Sun improve its existing Unix products, the software was made available at a cost of $75, with Sun targeting universities and computer scientists.[3] Commercial research institutions could obtain the software at a cost of $750.[4] The team broke up and moved to other projects within Sun, using some of the Spring concepts on a variety of other projects.

Background

The Spring project began soon after the release of Mach 3. In earlier versions Mach was simply a modified version of existing BSD kernels, but in Mach 3 the Unix services were separated out and run as a user-space program like any other, a concept Mach referred to as a server. Data which would normally be private in the kernel under a traditional Unix system was now passed between the servers and user programs using an inter-process communication (IPC) system, ending in ports which both programs held. Mach implemented these ports in the kernel, using virtual memory to move data from program to program, relying on the memory management unit (MMU) and the copy on write algorithm to do so with reasonable performance.

In its ultimate development, an OS on Mach would consist of a number of such servers, each handling a specific task. Examples would include the file system or network stack. The operating system server in such a system would be quite small, providing services unique to that OS, and forwarding most other calls to other servers. Since the OS was running on top of single set of common servers, several OS servers could be run at the same time, allowing a single system to "natively" support DOS, Unix and other operating systems at the same time.

This capability was particularly exciting to companies like IBM, who were already supporting several different systems, and saw Mach as a way to combine these with common underlying code. In fact this was not so easy. Mach made several decisions at a low-level which made any system running on it Unix-like to some degree. Most notable was a security system which was modelled on fairly inflexible inherited model of Unix programs. Additionally the IPC system proved to be a major performance problem, although the nature of this issue didn't become clear until later. The performance was so poor that many commercial projects to port existing operating systems to Mach, notably IBM's Workplace OS, were eventually abandoned.

Rationale

Although Sun was also interested in supporting multiple operating systems, their needs were nowhere as pressing as IBM or Apple. By this point in time they had already moved platforms from their early 68k-based machines to their SPARC-based lineup, and their UNIX System V-based Solaris operating system was taking over from their BSD-based SunOS. Sun's concerns were somewhat more subtle: keeping developers interested in Sun's version of Unix; and, allowing their system to scale downwards onto smaller devices such as set-top boxes. A microkernel-based system would be particularly useful in this latter role.

Spring concentrated on "programmability"; making the system easier to develop on. The primary addition in this respect was the development of a rich interface definition language (IDL), which exported interfaces with considerably more information than the one used in Mach. In addition to functions and their parameters, Spring's interfaces also included information about what errors can be raised and the namespace they belong to. Given a proper language, programs, including operating system servers, could import multiple interfaces and combine them as if they were objects native to that language — notably C++. Some time later the Spring IDL was adopted with minor changes as the CORBA IDL.

Spring also explored a number of specific software advances in file systems, virtual memory and IPC performance. The result was a single Unix-like system with much better performance than Mach. Some of these changes are detailed below.

Description

The Sun engineers used non-standard terminology for a number of common components, which makes discussing the system somewhat confusing. For instance, Mach tasks are referred to as domains, ports as doors, and the kernel as the nucleus.[5]

The nucleus

The Spring kernel was divided into two parts: a virtual memory system and the nucleus. Although the nucleus is equivalent to only one portion of the Mach kernel, the kernels of each OS are analogous enough to be considered to perform the same function.

The Spring kernel includes only the most basic functionality and state needed to support user-side applications. Primarily this includes state to maintain lists of running programs (domains) and their threads, as well as the communications links between them (doors).

The Spring kernel is not multi-threaded. Normally this would preclude it from use in realtime settings, but it is not clear that is the case. Normally kernels need to be threaded in order to ensure a long-running task such as disk I/O won't tie up the system and prevent a subsequent call from being serviced in time; under Spring the kernel almost immediately hands off the vast majority of requests to the servers, so under this model it is only the servers which, in theory, need to be threaded.

IPC model

One major difference between Mach and Spring was the IPC system. In Mach, the system was arranged as a set of one-way asynchronous pipes (ports) between programs, a concept derived from Unix pipes. In programming, however, the most common method of communications is the procedure call, or call/return, which Mach did not support directly. Call/return semantics could only be supported via additional code in higher-level libraries based on the underlying ports mechanism, thereby adding complexity.

Spring instead directly supported call/return semantics in the basic communications system. This resulted in a change of terminology from ports in Mach, to doors in Spring. Doors were known to the kernel only; programs were handed a "handle" to the door with an identifier which was unique to that program. The system worked similarly to ports for the initial message; messages sent to a door were examined by the nucleus in order to find the target application and translate the door handle, but the nucleus then recorded small amounts of information from the caller in order to be able to return data quickly. This sped up the return by about 40%.

Additionally, the Mach model was asynchronous — the call would return if and when the server had data. This followed the original Unix model of pipes, which allowed other programs to run if the server was busy. However, for a call/return system this has serious drawbacks, because the task scheduler has to run to select the next program to be serviced. Hopefully this was the server the call was requesting data from, but it this was not guaranteed. Under Spring, IPC is synchronous; control is immediately passed to the server without running the scheduler, improving the round trip time in the common case when the server can immediately return.

Under Mach, the virtual memory system, supported by the memory management unit (MMU), was expected to provide a lightweight solution to copying data, by simply mapping the same data in memory into the two programs. In reality this solution was not at all efficient, as many MMUs had design features which made this mapping slow or even impossible.

Unlike Mach's one-size-fits-all solution to IPC, Spring used a variety of methods to physically pass data between programs. One of these, the bulk-path, was basically identical to Mach's ports and messages, but in practice the bulk-path was the least common message type. For smaller messages Spring provided the vanilla-path, which directly copied the data from one space to another, something which proved to be faster than memory mapping in the real world for less than 5k of data.

The fast-path allowed for extremely fast invocations — at least when running on SPARC-based platforms. The fast-path used a unique "half-trap" to avoid much of the context switching overhead which plagued Mach systems. Instead of saving out all of the processor state—the normal procedure in the case of a trap into the kernel—Spring only saved out the top 16 SPARC registers, a number which was defined by specific implementation details of the SPARC architecture. The other portions of the register stack were rendered invisible to the receiver using the SPARC's WIM instruction, providing some level of security. The fast-path strongly resembles a classic procedure call within a single application, which uses register windows on the SPARC, adding some MMU work to move the context from one program to another.

The fast-path was only available for calls passing simple values which didn't have to be translated (no door references, for instance) with up to 16 values in total. Although this would seem to be quite limiting, the fast-path is actually used by the vast majority of calls in Spring—generally over 80% of the calls and about 60% of the returns. Returns often respond with large blocks of data, for instance, a disk block, explaining why the returns more often used the other IPC systems.

On 32-bit SPARC V8 systems, a complete round-trip call using the fast-path took just over 100 instructions, making it many times faster than a typical Mach call. It remains unclear whether or not the fast-path could be implemented on other machines, so the overall performance improvement of Spring is difficult to compare with Mach, which was typically measured on IA-32 systems. Specifically, a full syscall took under 20 µs on a 486DX-50 for existing BSD Unix systems, and 114 µs under Mach. This led to a performance hit of 50% or more, and doomed most Mach projects. In contrast, Spring using the fast-path boasted an IPC time of only 11 µs on a SPARCstation 2.

Virtual memory

Another key area of improvement in Spring was the implementation of the virtual memory (VM) system, also part of the kernel. Virtual memory is a system which ties together the physical random-access memory (RAM) in a machine, the MMU, and the disk system to create the illusion that every program on the system has its own block of RAM equal to the maximum the machine and operating system can support. The most prevalent memory addressing model in computers and operating systems in use in the 1980s and 1990s, was 32-bit, providing access to a theoretical limit of 4 GiB of memory, but until the early 2000s, only relatively expensive computers would have that much physical RAM. The VM system creates the illusion of more by using the hard disk as a backing store, an area of much slower memory used to offload inactive portions of RAM.

In traditional Unix systems VM is a part of the kernel, as are the disk and memory handlers it ties together. Under Mach the decision of where to place the VM system is not so obvious—although the kernel is in control of RAM and the MMU, the disk handlers are part of external client programs. To solve this problem Mach 3 introduced a new two-layer VM system, with control of the actual VM system in the kernel, which would then ask an external client-space pager to interact with the disk system to physically copy memory around. Unfortunately this proved to be a serious performance issue, requiring several trips in and out of the kernel (with resulting context switches along with it) as the various layers of the VM system called each other.

The Spring team had the advantage of being able to examine what went wrong with the Mach model and fix it. The result was a much more cleanly separated system of address spaces in programs, mapped by the VM into various memory objects, which were in turn managed by a pager for backing store handling. When a program made a request for data the request was passed to the VM system in the kernel, which would find the appropriate pager and ask it to create and set up an appropriate memory object. In exchange the pager was passed a cache manager from the VM, which was responsible for keeping track of clean/dirty status of the local cache of that memory object. Implementation details added considerable complexity to this model, but most of this was hidden. In the end the basic system had pagers which were in charge of the memory, and address spaces which were in charge of the caches. The two had well-defined interfaces allowing them to pass commands back and forth to keep their data in sync.

This split in duties led to one very real performance improvement. Since programs could share the memory objects, and microkernel systems like Spring are based on the idea of copying memory around, Spring allowed programs sharing memory in this fashion to share it in the VM system as well. Thus under Mach if a network file server is handing data to a program both programs will end up using up memory in the VM system, whereas under Spring the two would naturally share the same memory objects, as the pager implementing that memory object would simply return another handle to the same memory. Only inside the VM would they be considered different objects, and would be handled by separate cache managers. Therefore, the data would only be cached in RAM once. In theory this could lead to considerably better real-world RAM usage.

Additionally, the use of external pagers with a well defined API allowed the system to be cleanly separated when this was needed. Spring also allowed programs themselves to state which pager would be best suited to their needs, including themselves, allowing Spring programs to easily implement private VM systems for known workloads. For applications like file servers, web servers and database management systems, custom VMs and file systems often lead to dramatically improved performance.

Name service

Most operating systems include a variety of naming services. The most basic example is a file system, in which the files are internally referred to by a "handle", a small number, while a separate directory gives the files names with which the users interact. The same kind of name/identifier dichotomy occurs many other parts of the typical Unix system; printers are named in the etc/printcap file, small numbers and strings in the environment variables, and network locations in DNS. Each of these systems provided its own names, with a custom API, making the different objects appear completely different even in concept.

Other systems had attempted to add naming systems to existing Unix systems, but generally these were "covers" over the existing functionality which simply collected up all the names from these various services and presented them in one collection. Due to the fact they relied on knowing about the underlying system layout they tended to be rather inflexible, not making it easy for new services to be added. These seem to have seen little use.

Only in a completely new operating system could one hope to provide a universal service. For instance, Plan 9 used the file system as a universal naming service; everything from printers to windows could be accessed by name through the file system. This is an extension of the original Unix concept, one which had slowly disappeared as more and more functionality had been added over the years.

Mach did not have a naming service of any sort for its ports. This proved to be a serious problem, because programs had to know in advance what servers they had to call in order to ask the kernel to provide a port. This meant that replacing functionality was much more difficult than it should have been; a new printer server needed to sit on the same ports as the old one for instance: there would be no way to run two side by side for development. If ports were instead referred to by name, servers could sit on different ports and simply use the same name. This functionality, provided by a name server, was considered highly important under Spring.

Spring's approach essentially inverted the Plan 9 system: under Spring the file system was one example of a server which used the single unified name service. The same service could be used to name files on disk, environment variables, hardware devices, programs and even objects inside programs. The system was hierarchical, only the system namespace was directly supported, by a server which started at boot time. Other servers would then "bind" the names they knew into the system, the printer server would produce a list of printers, the file system would bind in the directories of attached disks. In this way a mapping of all the objects on the system was built up, potentially at runtime, and could be accessed in a file-like fashion very similar to Plan 9. All of these could be accessed using a single API, although the system also provided a variety of stub libraries to make it appear as classical services as well, notably in the Unix emulation server.

The name service was also the central location for security and permissioning. Since doors, the real accessors in Spring, were handed out by the name service, the server included a complete access control list-based permission checking system. So in addition to providing permissions on the file system, under Spring any object could be controlled using the same set of permissions and user interface. Contrast this with Windows NT for instance, which includes about a dozen permissioning systems (file system, DCOM, SQL access, IIS, etc.), all of which have to be set up separately. In order to improve performance, the system included the concept of trust, allowing nameservers to assume requests from other servers were valid. For instance, if a user asked the file server to access a file, the system nameserver would pass along the request to the file system, which would immediately honor it. However, since the user was not known, the ACL's would be check against the file being accessed.

Groups of related names were known as contexts. Contexts were also names, and thus similar to the file system concept of a directory. Users could build their own contexts out of seemingly unrelated objects; printers using completely separate drivers (servers) could be collected into a single list, a file could have different names in different places (or for different users), or a single domain could be built up containing every personal file in it for searching purposes. In this manner Spring allowed file directories to be "unioned", a useful feature lacking from traditional Unixen.

Spring did not include a built-in object persistence system, but the name service was persistent and could be used to find objects in this sort of manner. To some degree the series of servers started during boot time provided a persistent name space which survived boots, as they copied their names into the same server. In theory the system could allow the name server to provide a "lazy launch" system, not starting the networking server until someone requests it for instance, but it does not appear it included this functionality. In fact the separation of name spaces would allow this to be separated out to the service which actually implemented the naming of doors, making implementation considerably easier.

File system

As stated earlier, the Spring VM allowed any program to define what pager it should use. Additionally the Spring system was based on a single universal naming system. These two concepts were combined to produce the Spring file system.

Key to the Spring file system's operation was tight integration with the VM system. Since it was "known" that the VM system would be managing the local cache of the data from the file system, the file system was reduced to a command structure only, and was its own pager. That is, the file system was responsible for loading and saving data from memory objects when needed, but caching of that data would be handled for it by the VM. As mentioned before, this means that under Spring a file only exists in RAM in one place, no matter how it is being shared by the programs in the system.

Spring used two sorts of file systems, a local file system which was similar to most common Unix systems, as well as a caching file system for network devices. The caching system demonstrates the utility of Spring's VM/pager split, using the same physical memory from the VM which it would have to use normally, the CFS short-circuited all read requests to the local cache, and did lazy write-backs every 30 seconds to the source file system. This would be particularly notable if common Unix directories were being loaded over the network, the normal setup for labs of workstations. Most Unix systems use similar caching mechanisms for the same performance reasons, but would end up using RAM twice, once in the cache, and again in the programs using it. The CFS also cached names from the remote system, making the initial directory traversal and open requests much faster.

The Spring file system is also a name service context provider, lazily mapping directories from the on-disk structure into new contexts in the name service. These could then be accessed using the universal naming API, or alternately via a Unix emulation library which presented them as a traditional unix file system.

Note that Spring's use of the term file system is somewhat confusing. In normal usage the term refers to a particular way to physically store files on a disk.

Unix emulation

Spring also needed to support existing Unix applications, the basis of Sun's business. To do this, Spring also shipped with two key extensions: a Unix process server which mimicked a full Unix, and a re-write of the standard libc library called libue which redirected Unix kernel requests to various servers. For instance, a Unix application which required file or network services would be directed to the associated Spring server, while one which wanted to list the currently running programs would be directed to the Unix process server. The process server was also responsible for handling signals, a concept which had no analog under Spring – nor was it really needed other than for backward compatibility, since signals are essentially an inflexible single-purpose IPC mechanism.

Running a Unix application under Spring required that it be re-linked against libue; the system shipped with the majority of basic Unix utilities and an X11 server relinked and ready to use. However this method of compatibility was neither invisible nor guaranteed to work; Spring documents note that "many" applications will run unmodified (presumably other than relinking), but fail to mention what sort of problem areas the developer should expect if they do not.

Subcontracts

Although not directly related to Spring per se, the Sun engineers working on the project found that existing mechanisms for supporting different flavors of calls were not well defined. In order to provide a richer interface, they developed the concepts of subcontracts.

Other systems

Sun has added a "Unixified" version of Doors to Solaris.

In the years since the Spring system work ended, work on operating systems in general has essentially ended. With the market quickly stratifying into a world dominated by Windows and Unix-like operating systems, there appear to be only niche markets open for any other system. Additionally, the poor performance of Mach 3 seems to have taken the wind out of the sails of many projects.

Nevertheless, there have been some newer systems. One in particular, the L4 microkernel, shares many features with Spring's kernel. In particular it also uses a synchronous call/return system for IPC, and has a similar VM model. L4 has, so far, concentrated almost solely on the kernel itself; there is nothing analogous to Spring's naming service, security model, or file system.

References