Improving the Reliability of Commodity Operating Systems Mike - - PowerPoint PPT Presentation

Improving the Reliability of Commodity Operating Systems

Mike Swift, Brian Bershad, Hank Levy University of Washington

Slides courtesy of Michael Swift University of Wisconsin-Madison

Outline

• Introduction
• Vision
• Design
• Evaluation
• Summary

The Problem

• Operating system crashes are a huge problem

today

– 5% of Windows systems crash every day

• Device drivers are the biggest cause of

crashes

– Drivers cause 85% of Windows XP crashes – Drivers are 7 times buggier than the kernel in Linux

• We built Nooks, a system that prevents drivers

from crashing the OS

– We can prevent 99% of faults in our tests that crash native Linux

Crashes Today

User Program Kernel Driver User Program

Crashes Today

User Program Kernel Driver User Program

Crashes Today

User Program Kernel Driver User Program

Outline

• Introduction
• Vision
• Design
• Evaluation
• Summary

Vision

User Program Kernel Driver User Program

Vision

User Program Kernel Driver User Program

Reality

• Windows XP

– 113 million copies sold in 2002 – 40 million lines of code – $1 billion development cost – 35,000 drivers available

• Linux:

– 18 million users – 30 million lines of code – Equivalent $1 billion development cost

Vision Requirements

• 1. Isolation
• 2. Recovery
• 3. Compatibility
• No code changes
• No new languages
• No new OS
• No new hardware
• No new perspective

Outline

• Introduction
• Vision
• Design
• Evaluation
• Summary

Assumptions and Principles

• Assumptions:

– Drivers are generally well behaved – Don’t need to prevent every crash to be useful

• Principles:

– Design for fault resistance (not fault tolerance) – Design for mistakes (not abuse)

Goal

We want a practical, “best-effort” solution

• Prevents many crashes
• Good performance
• Works with today’s operating systems and

drivers

Design of Nooks

• Standard Linux kernel and drivers
• Plus:

– Isolation – Recovery

• Compatible with existing code

Existing Kernels

User Program Kernel Driver User Program

Isolation - Memory

User Program Kernel Driver User Program Stack Heap

Lightweight Kernel Protection Domains

Isolation - Control Transfer

User Program Kernel Driver User Program

Isolation - Control Transfer

User Program Kernel Driver User Program

XPC XPC

eXtension Procedure Call

Isolation - Data Access

User Program Kernel Driver User Program

Isolation - Data Access

User Program Kernel Driver User Program

Copy-in / Copy-out

Isolation - Interposition

User Program Kernel Driver User Program

Isolation - Interposition

User Program Kernel Driver User Program

XPC XPC

Wrappers

Design Summary

• Isolation

– Lightweight Kernel Protection Domains – eXtension Procedure Call (XPC) – Copy-in/Copy-out – Wrappers

Recovery - Fault Detection

User Program Kernel Driver User Program Processor Recovery

Recovery - Fault Detection

User Program Kernel Driver User Program Recovery

Recovery - Fault Detection

User Program Kernel Driver User Program Recovery Detector

Recovery

User Program Kernel Driver User Program Recovery

STOP

Stop

Recovery

User Program Kernel User Program Recovery

Stop / Unload

Recovery

User Program Kernel Driver User Program Recovery

Stop / Unload / Reload

GO

Design Summary

• Isolation

– Lightweight Kernel Protection Domains – eXtension Procedure Call (XPC) – Copy-in/Copy-out – Wrappers

• Recovery

– Hardware and software checks – Stop / Unload and GC / Reload

Some Limitations

• Blame the processor
• Blame the operating system
• Blame us

Outline

• Vision
• Design
• Evaluation

– Reliability – Performance – Implementation Cost

• Summary

Tested Drivers

• Sound card drivers

– SoundBlaster 16 (sb) – Ensoniq 1371

• Network drivers

– Intel Pro/1000 Gigabit Ethernet (e1000) – AMD PCnet32 10/100 Mb Ethernet (pcnet32) – 3COM 3c90x 10/100 Mb Ethernet – 3Com 3c59x 10/100 Mb Ethernet

• Filesystems

– VFAT Windows-compatible filesystem (vfat)

• Other

– kHTTPd in-kernel web server (khttpd)

Reliability Test Methodology

Test Inject bugs Reboot Load driver Nothing Failure

Reliability Test Methodology

Test Inject bugs Reboot Load driver Nothing Failure Recovery

Nooks Stops Crashes

50 100 150 200 pcnet32 Extension Number of crashes

No Nooks Nooks 119

Nooks Stops Crashes

50 100 150 200 pcnet32 Extension Number of crashes

No Nooks Nooks 119

Nooks Stops Crashes

50 100 150 200 pcnet32 e1000 Extension Number of crashes

No Nooks Nooks 119 52

Nooks Stops Crashes

50 100 150 200 pcnet32 e1000 Extension Number of crashes

No Nooks Nooks 119 52

Nooks Stops Crashes

50 100 150 200 pcnet32 e1000 sb Extension Number of crashes

No Nooks Nooks 119 52 10 1

Nooks Stops Crashes

50 100 150 200 pcnet32 e1000 sb kHTTPd VFAT Extension Number of crashes

No Nooks Nooks 119 52 10 1 175 2 10 2

Performance

• Dominant cost is XPC

– Performance depends frequency of interaction with kernel

0.2 0.4 0.6 0.8 1 Play MP3 Receive Stream Send Stream Apache SpecWeb Compile Local Simple Web Workload

• Perf. Relative to Native Linux

Relative Performance

sb 150 XPC/sec

0.2 0.4 0.6 0.8 1 Play MP3 Receive Stream Send Stream Apache SpecWeb Compile Local Simple Web Workload

• Perf. Relative to Native Linux

Relative Performance

sb e1000 e1000 8,923 60,352 150 XPC/sec

0.2 0.4 0.6 0.8 1 Play MP3 Receive Stream Send Stream Apache SpecWeb Compile Local Simple Web Workload

• Perf. Relative to Native Linux

Relative Performance

sb e1000 e1000 e1000 8,923 60,352 1,960 150 XPC/sec

0.2 0.4 0.6 0.8 1 Play MP3 Receive Stream Send Stream Apace SpecWeb Compile Local Simple Web Workload

• Perf. Relative to Native Linux

Relative Performance

sb e1000 e1000 e1000 VFAT

kHTTPd

61,183 22,653 8,923 60,352 1,960 150 XPC/sec

Implementation Cost

• Changes to old code

– Kernel: 924 out of 1.1 million lines – Device drivers+VFAT: 0 out of 33,000 lines – kHTTPd: 13 out of 2,000 lines

• New code

– Nooks reliability layer: 22,266 lines

Summary

• Nooks provides a new reliability layer

between drivers and the OS

• Nooks prevents 99% of tested faults

that cause Linux to crash

• Nooks imposes a modest performance

cost

Why didn’t we use a microkernel?

• Doesn’t address our limitations

– Isolation not much better – Fault detection not much better – Recovery not much better – Doesn’t improve performance

• Requires more changes to the kernel
• Makes compatibility more difficult

Recovery

• Goals:

– Restore driver state so it can process requests as if it had never failed – Conceal failure from applications

• Observation:

– Driver interface specifies how driver responds to requests

• Approach: Model drivers as state machines

Drivers as State Machines

send complete

Drivers as State Machines

• Recovery:

– Advance driver from initial state to state at time of crash – Reply to requests with valid responses according to driver state

• pen

close config

Shadow Drivers

• Generic code that:

– Normally:

• Records state-changing inputs

– On failure:

• Restarts driver
• Replays inputs to recover
• Emulates driver to applications/OS

One shadow driver handles recovery for an entire class of drivers

write(…) write(…)

Shadow Driver Overview

Kernel Device Driver Tap Shadow Driver

write(…)

Preparing for Recovery

Kernel Device Driver Shadow Driver

config(…) config(…) config(…) config …

Tap

Tap Device Driver

Recovering a Failed Driver

Kernel Shadow Driver Device Driver Tap

r e g i s t e r ( … ) register(…) i n i t ( … ) c

• n

n e c t c

• n

f i g config …

Recovering a Failed Driver

• Summary:

– Reset driver – Reinitialize driver – Replay logged requests

Spoofing a Failed Driver

Kernel Device Driver Shadow Driver Tap

write(…) write(…) return return

Spoofing a Failed Driver

Shadow acts as driver -- replies to requests with valid possible responses

– Applications and OS unaware that driver failed – No device control

General Strategies:

• 1. Answer request from log
• 2. Act busy
• 3. Block caller
• 4. Queue request
• 5. Drop request

Completing Recovery

Kernel Shadow Driver Tap Device Driver Tap Tap

Design Summary

• Isolation

– Lightweight Kernel Protection Domains – eXtension Procedure Call (XPC) – Object Table – Wrappers

• Recovery

– Shadow Drivers

Outline

• Introduction
• Problem
• Design
• Evaluation

– Implementation – Benefit – Cost

• Summary and Future Work

Drivers Tested

ide-disk, ide-cd IDE Storage Intel Pro/1000 Gigabit Ethernet, AMD PCnet32, Intel Pro/100 10/100, 3Com 3c59x 10/100, SMC Etherpower 100 Network Soundblaster Audigy, Soundblaster 16, Soundblaster Live!, Intel 810 Audio, Ensoniq 1371, Crystal Sound 4232 Sound Drivers Class

Implementation Complexity

• Changes to existing code

– Kernel: 924 out of 1.1 million lines – Device drivers: 0 out of 50,000 lines

5,358 13,577 7,381

1 Device Driver L.O.C.

321 198 666

Shadow Driver L.O.C.

29,000 8 264,500 190 118,981 48

All Drivers L.O.C. All Drivers Count

Storage Network Sound

Driver Class

Implementation Complexity

• New code

– Isolation: 23,000 lines – Recovery: 3,300 lines

5,358 13,577 7,381

1 Device Driver L.O.C.

321 198 666

Shadow Driver L.O.C.

29,000 8 264,500 190 118,981 48

All Drivers L.O.C. All Drivers Count

Storage Network Sound

Driver Class

Implementation Complexity

• New code

– Isolation: 23,000 lines – Recovery: 3,300 lines

Outline

• Introduction
• Problem
• Design
• Evaluation

– Implementation – Benefit

• Isolation
• Recovery

– Cost

• Summary and Future Work

Reliability Test Methodology

Test Inject bugs Reboot Load driver Nothing Failure Recovery

Recovery Works

Sound Net Storage

Relative Performance

Sound Net Storage

CPU Usage

Sound Net Storage