
Operating systems principles and practice


Operating Systems

Principles and Practice

Anderson and Dahlin

v 0.22

Version 0.22. Base revision e8814fe, Fri Jan 13 14:51:02 2012 -0600.

Copyright c

2.4 Case Study: Booting an operating system kernel
3.4 Case Study: Interprocess communication
4.5 Asynchronous I/O and event-driven programming
4.6 Conclusion and future directions
5 Synchronizing Access to Shared Objects
5.2 Shared objects and synchronization variables
5.4 Condition variables: Waiting for a change
5.6 Designing and implementing shared objects
9.1 Cache concept: when it works and when it doesn’t
10 Applications of Memory Management
10.6 External pagers
11 File Systems: Introduction and Overview
13.4 Putting it all together: File access in FFS

Why We’re Writing This Book

There has been a huge amount of innovation in both the principles and practice of operating systems over the past two decades. The pace of innovation in operating systems has, if anything, increased over the past few years, with the introduction of the iOS and Android operating systems for smartphones, the shift to multicore computers, and the advent of cloud computing.

Yet many operating systems textbooks treat the field as if it is static — that almost everything we need to cover in our classes was invented in the 60’s and 70’s. No! We strongly believe that students both need to, and can, understand modern operating systems concepts and modern implementation techniques.

At Texas and Washington, we have been teaching the topics covered in this textbook for years, winning awards for our teaching. The approach in this book is the same one we use in organizing our own courses: that it is essential for students to learn both principles and practice, that is, both concepts and implementation, rather than either alone.

Although this book focuses on operating systems, we believe the concepts and principles are important for anyone getting a degree in computer science or computer engineering. The core ideas in operating systems — protection, concurrency, virtualization, resource allocation, and reliable storage — are widely used throughout computer science. Anyone trying to build resilient, secure, flexible computer systems needs to have a deep grounding in these topics and to be able to apply these concepts in a variety of settings. This is especially true in a modern world where nearly everything a user does is distributed, and nearly every computer is multi-core. Operating systems concepts are popping up in many different areas; even web browsers and cloud computing platforms have become mini-operating systems in their own right.

Precisely because operating systems concepts are among the most difficult in all of computer science, it is also important to ground students in how these ideas are applied in practice in real operating systems of today. In this book, we give students both concepts and working code. We have designed the book to support and be complemented with a rigorous operating systems course project, such as Nachos, Pintos, JOS, or Linux. Our treatment, however, is general — it is not our intent to completely explain any particular operating system or course project.

Because the concepts in this textbook are so fundamental to much of the practice of modern computer science, we believe a rigorous operating systems course should be taken early in an undergraduate’s course of study. For many students, an operating systems class is the ticket to an internship and eventually to a full-time position. We have designed this textbook assuming only that students have taken a class on data structures and one on basic machine structures. In particular, we have designed our book to interface well if students have used the Bryant and O’Hallaron textbook on machine structures. Since some schools only get through the first half of Bryant and O’Hallaron in their machine structures course, our textbook reviews and covers in much more depth the material from the second half of that book.

An Overview of the Content

The textbook is organized to allow each instructor to choose an appropriate level of depth for each topic. Each chapter begins at a conceptual level, with implementation details and the more advanced material towards the end. A more conceptual course will skip the back parts of several of the chapters; a more advanced or more implementation-oriented course will need to go into chapters in more depth. No single semester course is likely to be able to cover every topic we have included, but we think it is a good thing for students to come away from an operating systems course with an appreciation that there is still a lot for them to learn.

Because students learn more by needing to solve problems, we have integrated some homework questions into the body of each chapter, to provide students a way of judging whether they understood the material covered to that point. A more complete set of sample assignments is given at the end of each chapter.

The book is divided into five parts: an introduction (Chapter 1), kernels and processes (Chapters 2-3), concurrency, synchronization and scheduling (Chapters 4-7), memory management (Chapters 8-10), and persistent storage (Chapters 11-13).

The goal of chapter 1 is to introduce the recurring themes found in the later chapters. We define some common terms, and we provide a bit of the history of the development of operating systems.

Chapter 2 covers kernel-based process protection — the concept and implementation of executing a user program with restricted privileges. The concept of protected execution and safe transfer across privilege levels is a key concept to most modern computer systems, given the increasing salience of computer security issues. For a quick introduction to the concepts, students need only read through 2.3.2; the chapter then dives into the mechanics of system calls, exceptions and interrupts in some detail. Some instructors launch directly into concurrency, and cover kernels and kernel protection afterwards, as a lead-in to address spaces and virtual memory. While our textbook can be used that way, we have found that students benefit from a basic understanding of the role of operating systems in executing user programs, before introducing concurrency.

Chapter 3 is intended as an impedance match for students of differing backgrounds. Depending on student background, it can be skipped or covered in depth. The chapter covers the operating system from a programmer’s perspective: process creation and management, device-independent input/output, interprocess communication, and network sockets. Our goal is that students be able to understand at a detailed level what happens between a user clicking on a link in a web browser, and that request being transferred through the operating system kernel on each machine to the web server running at user-level, and back again. The second half of Chapter 3 dives into the organization of the operating system itself — how device drivers and the hardware abstraction layer work in a modern operating system; the difference between a monolithic and a microkernel operating system; and how policy and mechanism can be separated in modern operating systems.

Chapter 4 motivates and explains the concept of threads. Because of the increasing importance of concurrent programming, and its integration with Java, many students will have been introduced to multi-threaded programming in an earlier class. This is a bit dangerous, as testing will not expose students to the errors they are making in concurrent programming. Thus, the goal of this chapter is to provide a solid conceptual framework for understanding the semantics of concurrency, as well as how concurrent threads are implemented in both the operating system kernel and in user-level libraries. Instructors needing to go more quickly can omit Section 3.4 and 3.5.

Chapter 5 discusses the synchronization of multi-threaded programs, a central part of all operating systems and increasingly important in many other contexts. Our approach is to describe one effective method for structuring concurrent programs (monitors), rather than to cover in depth every proposed mechanism. In our view, it is important for students to master one methodology, and monitors are a particularly robust and simple one, capable of implementing most concurrent programs efficiently. Implementation of synchronization primitives is covered in Section 5.5; this can be skipped without compromising student understanding.

Chapter 6 discusses advanced topics in concurrency, including deadlock, synchronization across multiple objects, and advanced synchronization techniques like read-copy-update (RCU). This material is important for students to know, but most semester-long operating systems courses will only be able to briefly touch upon these issues.

Chapter 7 covers the concepts of resource allocation in the specific context of processor scheduling. After a quick tour through the tradeoffs between response time and throughput for uniprocessor scheduling, the chapter covers a set of more advanced topics in affinity and gang scheduling, power-aware and deadline scheduling, as well as server scheduling, basic queueing theory and overload management.

Chapter 8 explains hardware and software address translation mechanisms. The first part of the chapter covers how to provide flexible memory management through multilevel segmentation and paging. Section 8.3 then considers how hardware makes flexible memory management efficient through translation lookaside buffers and virtually addressed caches, and how these are kept consistent as the operating system changes the addresses assigned to each process. We conclude with a discussion of modern software-based protection mechanisms such as those found in Android.

Chapter 9 covers caching and virtual memory. Caches are of course central to many different types of computer systems. Most students will have seen the concept of a cache in an earlier class on machine structures, so our goal here is to cover the theory and implementation of caches: when they work and when they don’t, and how they are implemented in hardware and software. While it might seem that we could skip virtual memory, many systems today provide programmers the abstraction of memory-mapped files, and these rely on the same mechanisms as in traditional virtual memory.

Chapter 10 discusses advanced topics in memory management. Address translation hardware and software can be used for a number of different features in modern operating systems, such as zero copy I/O, copy on write, process checkpointing, and recoverable virtual memory. As this is more advanced material, it can be skipped for time.

Chapter 11 sketches the characteristics of storage hardware, specifically block storage devices such as magnetic disks and flash memory. The last two decades have seen rapid change in storage technology affecting both application programmers and operating systems designers; this chapter provides a snapshot for students, as a building block for the next two chapters. Classes in which students have taken a computer architecture course that covers these topics may choose to skip this chapter.

Chapter 12 uses file systems as a case study of how complex data structures can be organized on block storage devices to achieve flexibility and performance.

Chapter 13 explains the concept and implementation of reliable storage, using file systems as a concrete example. Starting with the ad hoc techniques in UNIX fsck for implementing a reliable file system, the chapter explains checkpointing and write ahead logging as alternate implementation strategies for building reliable storage, and it discusses how redundancy such as checksums and replication are used to improve reliability and availability.

We are contemplating adding several chapters on networking and distributed operating systems topics, but we are still considering what topics we can reasonably cover. We will be developing this material over the coming months.

“Everything I need to know I learned in kindergarten.” – Robert Fulghum

How do we construct reliable, portable, efficient and secure computer systems? An essential component is the computer’s operating system — the software that manages a computer’s resources.

First, the bad news: operating systems concepts are among the most complex topics in computer science. A modern general-purpose operating system can run to over 50 million lines of code, or in other words, more than a thousand times as long as this textbook. New operating systems are being written all the time. If you are reading this textbook on an e-book reader, tablet, or smartphone, there is an operating system managing the device. Since we will not be able to cover everything, our focus will be on the essential concepts for building computer systems, ones that every computer scientist should know.

Now the good news: operating systems concepts are also among the most accessible topics in computer science. Most of the topics in this book will seem familiar to you — if you have ever tried to do two things at once, or picked the wrong line at a grocery store, or tried to keep a roommate or sibling from messing with your things, or succeeded at pulling off an April Fool’s joke. Each of these has an analogue in operating systems, and it is this familiarity that gives us hope that we can explain how operating systems do their work in a single textbook. All we will assume of the reader is a basic understanding of the operation of a computer and the ability to read pseudo-code.

We believe that understanding how operating systems work is essential for any student interested in building modern computer systems. Of course, everyone who uses a computer or a smartphone or even a modern toaster uses an operating system, so understanding the function of an operating system is useful to most computer scientists. Our goal in this book is to go much deeper than that, to explain the technologies used inside operating systems, technologies many of us rely on every day without realizing it.

Figure 1.1: The operation of a web server.

Software engineers often encounter challenges similar to those faced by operating systems when building other complex systems, and they use many of the same technologies and design patterns. Whether your goal is to work on the internals of an operating system kernel, or to build the next generation of software for cloud computing, secure web browsers, game consoles, graphical user interfaces, media players, databases, or multicore software, the concepts and abstractions needed for reliable, portable, efficient and secure software are much the same. In our experience, the best way to learn these concepts is to study how they are used in operating systems, but we hope you will apply these concepts to a much broader range of computer systems.

To get started, consider the web server in Figure 1.1. Its behavior is amazingly simple: it receives a packet containing the name of the web page from the network. The web server decodes the packet, fetches the file from disk, and sends the contents back over the network to the user.

Part of an operating system’s job is to make it easy to write applications like web servers. But if we dig a bit deeper, this simple story quickly raises as many questions as it answers:

• Many web requests involve both data and computation. For example, the Google home page presents a simple text box, but each search query entered in that box consults databases spread over literally thousands of machines. To keep their software manageable, web servers often invoke helper applications, e.g., to manage the actual search function. These helper applications need to communicate with the main web server for this to work. How does the operating system enable multiple applications to communicate with each other?

• What if two users (or a million) try to request a web page from the server at the same time? A simple approach might be to handle each request in turn. If any individual request takes a long time, however, this approach would mean that everyone else would need to wait for it to complete. A faster, but more complex, solution is to multitask: to juggle the handling of multiple requests at once. Multitasking is especially important on modern multicore computers, as it provides a way to keep many processors busy. How does the operating system enable applications to do multiple things at once?

• For better performance, the web server might want to keep a copy, sometimes called a cache, of recently requested pages, so that the next user to request the same page can be returned the results from the cache, rather than starting the request from scratch. This requires the application to synchronize access to the cache’s data structures by the thousands of web requests being handled at the same time. How does the operating system support application synchronization to shared data?

• To customize and animate the user experience, it is common for web servers to send clients scripting code, along with the contents of the web page. But this means that clicking on a link can cause someone else’s code to run on your computer. How does the client operating system protect itself from being compromised by a computer virus surreptitiously embedded into the scripting code?

• Suppose the web site administrator uses an editor to update the web page. The web server needs to be able to read the file that the editor wrote; how does the operating system store the bytes on disk so that later on the web server can find and read them?

• Taking this a step further, the administrator probably wants to be able to make a consistent set of changes to the web site, so that embedded links are not left dangling, even temporarily. How can the operating system enable users to make a set of changes to a web site, so that requests either see the old pages or the new pages, but not a mishmash of the two?

• What happens when the client browser and the web server run at different speeds? If the server tries to send the web page to the client faster than the client can draw the page, where are the contents of the file stored in the meantime? Can the operating system decouple the client and server so that each can run at its own speed, without slowing the other down?

• As demand on the web server grows, the administrator is likely to want to move to more powerful hardware, with more memory, more processors, faster network devices, and faster disks. To take advantage of this new hardware, does the web server need to be re-written from scratch, or can it be written in a hardware-independent fashion? What about the operating system — does it need to be re-written for every new piece of hardware?

We could go on, but you get the idea. This book will help you understand the answers to these questions, and more.

Goals of this chapter

The rest of this chapter discusses three topics in detail:

• OS Definition. What is an operating system and what does it do?

• OS Challenges. How should we evaluate operating systems, and what are some of the tradeoffs their designers face?

• OS Past, Present and Future. What is the history of operating systems, and what new functionality are we likely to see in future operating systems?

Definition: operating system

An operating system is the layer of software that manages a computer’s resources for its users and their applications. Operating systems run in a wide range of computer systems. Sometimes they are invisible to the end user, controlling embedded devices such as toasters, gaming systems, and the many computers inside modern automobiles and airplanes. Operating systems are also an essential component of more general-purpose systems such as smartphones, desktop computers, and servers.

Our discussion will focus on general-purpose operating systems, because the technologies they need are a superset of the technologies needed for embedded systems. Increasingly though, technologies developed for general-purpose computing are migrating into the embedded sphere. For example, early mobile phones had simple operating systems to manage the hardware and to run a handful of primitive applications. Today, smartphones — phones capable of running independent third party applications — are the fastest growing part of the mobile phone business. These new devices require much more complete operating systems, with sophisticated resource management, multi-tasking, security and failure isolation.

Likewise, automobiles are increasingly software controlled, raising a host of operating system issues. Can anyone write software for your car? What if the software fails while you are driving down the highway? How might the operating system of your car be designed to prevent a computer virus from hijacking control of your car’s computers? Although this might seem far fetched, researchers recently demonstrated that they could remotely turn off a car’s braking system through a computer virus introduced into the car’s computers through a hacked car radio. A goal of this book is to explain how to build more reliable and secure computer systems in a variety of contexts.

Figure 1.2: A general-purpose operating system [diagram layers: APP, APP, APP; Operating System; Hardware]

For general-purpose systems, users interact with applications, applications execute in an environment provided by the operating system, and the operating system mediates access to the underlying hardware (Figure 1.2, and expanded in Figure 1.3). What do we need from an operating system to be able to run a group of programs? Operating systems have three roles:

• Operating systems play referee — they manage shared resources between different applications running on the same physical machine. For example, an operating system can stop one program and start another. Operating systems isolate different applications from each other, so that if there is a bug in one application, it does not corrupt other applications running on the same machine. The operating system must protect itself and other applications from malicious computer viruses. And since the applications are sharing physical resources, the operating system needs to decide which applications get which resources.

• Operating systems play illusionist — they provide an abstraction of physical hardware to simplify application design. To write a “hello world” program, you do not need (or want!) to think about how much physical memory the system has, or how many other programs might be sharing the computer’s resources. Instead, operating systems provide the illusion of a nearly infinite memory, as an abstraction on top of a limited amount of physical memory. Likewise, operating systems provide the illusion that each program has the computer’s processors entirely to itself. Obviously, the reality is quite different! These illusions enable applications to be written independently of the amount of physical memory on the system or the physical number of processors. Because applications are written to a higher level of abstraction, the operating system is free to change the amount of resources assigned to each application as applications start and stop.

• Operating systems provide glue — a set of common services between applications. An important benefit of common services is to facilitate sharing between applications, so that, for example, cut and paste works uniformly across the system and a file written by one application can be read by another. Many operating systems provide a common set of user interface routines to help applications provide a common “look and feel.” Perhaps most importantly, operating systems provide a layer separating applications from hardware input and output devices, so that applications can be written independently of which specific keyboard, mouse or disk drive is being used on a particular computer.

An Expanded View of an Operating System

Figure 1.3 shows the structure of a general-purpose operating system, as an expansion on the simple view presented in Figure 1.2. At the lowest level, the hardware provides processor, memory, and a set of devices for providing the user interface, storing data and communicating with the outside world. The hardware also provides primitives that the operating system can use to provide fault isolation and synchronization. The operating system runs as the lowest layer of software on the computer, with a device-specific layer that interfaces to the myriad hardware devices, and a set of device-independent services provided to applications. Since the operating system needs to be able to isolate malicious and buggy applications from affecting other applications or the operating system itself, much of the operating system runs in a separate execution environment protected from application code. A portion of the operating system can also run as a library linked into each application. In turn, applications run in an execution context provided by the operating system. The application context is much more than a simple abstraction on top of hardware devices: applications execute in a virtual environment that is both more constrained (to prevent harm), more powerful (to mask hardware limitations), and more useful (via common services), than the underlying hardware.

Figure 1.3: A general-purpose operating system: expanded view [diagram labels: Users; APP; User-mode; Kernel-mode; Kernel-user Interface (Abstract virtual machine); File; IP networking; Virtual Memory; CPU scheduling; Hardware Abstraction Layer; Hardware-Specific Software and Device Drivers; OS; Hardware; CPU; Graphics Processor; Address Translation; Network]

We next discuss these three roles in a bit more detail.

1.1.1 Resource sharing: Operating system as referee

Sharing is central to most uses of computers. Right now, my laptop is running a browser, podcast library, text editor, email program, document viewer, and newspaper. The operating system must somehow keep all of these activities separate, yet allow each the full capacity of the machine if the others aren’t running. At a minimum, when one program stops running, the operating system should let me run another. Better, the operating system should allow multiple applications to run at the same time, as when I read email while I am downloading a security patch to the system software.

Even individual applications can be designed to do multiple things at once. For instance, a web server will be more responsive to its users if it can handle multiple requests at the same time rather than waiting for each to complete before the next one starts running. The same holds for the browser — it is more responsive if it can start drawing a page while the rest of the page is still being transferred. On multiprocessors, the computation inside a parallel application can be split into separate units that can be run independently for faster execution. The operating system itself is an example of software written to be able to do multiple things at once. As we will describe later, the operating system is a customer of its own abstractions.

Sharing raises several challenges for an operating system:

• Resource Allocation. The operating system must keep all of the simultaneous activities separate, allocating resources to each as appropriate. A computer usually has only a few processors and a finite amount of memory, network bandwidth, and disk space. When there are multiple tasks to do at the same time, how should the operating system choose how many resources to give to each? Seemingly trivial differences in how resources are allocated can have a large impact on user-perceived performance. As we will see later, if the operating system gives too little memory to a program, it will not only slow down that particular program, it can dramatically hurt the performance of the entire machine.

  As another example, what should happen if an application executes an infinite loop:

      while (true) {
          ;
      }

  If programs ran directly on the raw hardware, this code fragment would lock up the computer, making it completely non-responsive to user input. With resource multiplexing provided by the operating system, the specific application might lock up, but other programs can proceed unimpeded. Additionally, the user can ask the operating system to force the looping program to exit.

• Isolation. An error in one application should not disrupt other applications, or even the operating system itself. This is called fault isolation. Anyone who has taken an introductory computer science class knows the value of an operating system that can protect itself and other applications from programmer bugs. Debugging would be vastly harder if an error in one program could corrupt data structures in other applications. Likewise, downloading and installing a screen saver or other application should not crash other unrelated programs, nor should it be a way for a malicious attacker to surreptitiously install a computer virus on the system. Nor should one user be able to access or change another’s data without permission.

  Definition: fault isolation

  Fault isolation requires restricting the behavior of applications to less than the full power of the underlying hardware. Given access to the full capability of the hardware, any application downloaded off the web, or any script embedded in a web page, would have complete control of the machine. Thus, it would be able to install spyware into the operating system to log every keystroke you type, or record the password to every website you visit. Without fault isolation provided by the operating system, any bug in any program might cause the disk to become irretrievably corrupted. Erroneous or malignant applications would cause all sorts of havoc.

• Communication. The flip side of isolation is the need for communication between different applications and between different users. For example, a web site may be implemented by a cooperating set of applications: one to select advertisements, another to cache recent results, yet another to fetch and merge data from disk, and several more to cooperatively scan the web for new content to index. For this to work, the various programs need to be able to communicate with one another. If the operating system is designed to prevent bugs and malicious users and applications from affecting other users and their applications, how does the operating system support communication to share results? In setting up boundaries, an operating system must also allow for those boundaries to be crossed in carefully controlled ways as the need arises.
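An added example, not from the textbook, of the Resource Allocation and Isolation points above on a POSIX system: one child process runs the infinite loop and another writes through an invalid pointer, while the parent keeps running, asks the kernel to terminate the looping child, and finds its own data untouched. The names `ledger`, `spawn`, `reap` and the invalid address 16 are constructed for this example.

```c
/* Added example: fault isolation and CPU multiplexing between processes. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct outcome {
    int parent_progressed; /* parent finished its own work while the child was alive */
    int child_signal;      /* signal that ended the child; 0 = normal exit, -1 = error */
    int parent_data_ok;    /* parent's copy of `ledger` still holds its original value */
};

/* Constructed stand-in for "data structures in another application". */
static volatile int ledger = 42;

/* The page's runaway program: never yields and never exits on its own. */
static void runaway_loop(void) {
    while (1) {
        ;
    }
}

/* A buggy program: scribbles on its data, then writes through a bad pointer. */
static void wild_write(void) {
    ledger = -1; /* changes only the child's private copy of the page */
    volatile int *volatile bad = (volatile int *)(uintptr_t)16; /* unmapped page 0 */
    *bad = 1;    /* the hardware faults and the kernel ends this process only */
}

/* Start `body` in a separate process, i.e. in its own address space. */
static pid_t spawn(void (*body)(void)) {
    pid_t pid = fork();
    if (pid == 0) {
        body();
        _exit(0);
    }
    return pid;
}

/* Reap the child and report which signal, if any, terminated it. */
static int reap(pid_t pid) {
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

struct outcome run_runaway_loop(void) {
    struct outcome r = {0, -1, 0};
    pid_t pid = spawn(runaway_loop);
    if (pid < 0)
        return r;
    /* The parent's own work: the scheduler preempts the spinning child,
     * so this loop completes even on a single processor. */
    volatile unsigned long long sum = 0;
    for (unsigned long long i = 1; i <= 1000000ULL; i++)
        sum += i;
    int status = 0;
    if (waitpid(pid, &status, WNOHANG) != 0)
        return r; /* child unexpectedly gone, or waitpid failed */
    r.parent_progressed = (sum == 500000500000ULL);
    kill(pid, SIGKILL); /* ask the operating system to force the loop to exit */
    r.child_signal = reap(pid);
    r.parent_data_ok = (ledger == 42);
    return r;
}

struct outcome run_wild_write(void) {
    struct outcome r = {0, -1, 0};
    pid_t pid = spawn(wild_write);
    if (pid < 0)
        return r;
    r.child_signal = reap(pid); /* the crash is confined to the child */
    r.parent_progressed = 1;    /* reaching this line means the parent survived */
    r.parent_data_ok = (ledger == 42);
    return r;
}

int main(void) {
    struct outcome a = run_runaway_loop();
    struct outcome b = run_wild_write();
    printf("runaway loop: parent progressed=%d, child ended by signal %d\n",
           a.parent_progressed, a.child_signal);
    printf("wild write:   child ended by signal %d, parent data intact=%d\n",
           b.child_signal, b.parent_data_ok);
    return 0;
}
```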

In its role as a referee, an operating system is somewhat akin to that of a government, or perhaps a particularly patient kindergarten teacher, balancing needs, separating conflicts, and facilitating sharing. One user should not be able to hog all of the system’s resources or to access or corrupt another user’s files without permission; a buggy application should not be able to crash the operating system or other unrelated applications; and yet applications also need to be able to work together. Enforcing and balancing these concerns is the role of the operating system.

Exercises

Take a moment to speculate. We will provide answers to these questions throughout the rest of the book, but given what you know now, how would you answer them? Before there were operating systems, someone needed to develop solutions, without being able to look them up! How would you have designed the first operating system?


1. Suppose a computer system and all of its applications are completely bug free. Suppose further that everyone in the world is completely honest and trustworthy. In other words, we do not need to consider fault isolation.

a. How should the operating system allocate time on the processor? Should it give all of the processor to each application until it no longer needs it? If there are multiple tasks ready to go at the same time, should it schedule the task with the least amount of work to do or the one with the most? Justify your answer.

b. How should the operating system allocate physical memory between applications? What should happen if the set of applications do not all fit in memory at the same time?

c. How should the operating system allocate its disk space? Should the first user to ask be able to grab all of the free space? What would the likely outcome be for that policy?

2. Now suppose the computer system needs to support fault isolation. What hardware and/or operating support do you think would be needed to accomplish this goal?

a. For protecting an application’s data structures in memory from being corrupted by other applications?

b. For protecting one user’s disk files from being accessed or corrupted

a. Through the file system?

b. Through messages passed between applications?

c. Through regions of memory shared between the applications?

d. All of the above? None of the above?

1.1.2 Mask hardware limitations: Operating system as illusionist

A second important role of operating systems is to mask the restrictions inherent in computer hardware. Hardware is necessarily limited by physical constraints — a computer has only a limited number of processors and a limited amount of physical memory, network bandwidth, and disk. Further, since the operating system must decide how to split the fixed set of resources among the various applications running at each moment, a particular application will have different amounts of resources from time to time, even when running on the same hardware. While a few applications might be designed to take advantage of a computer’s specific hardware configuration and their specific resource assignment, most programmers want to use a higher level of abstraction.

Figure 1.4: An operating system virtual machine

We have just discussed one example of this: a uniprocessor can run only one program at a time, yet most operating systems allow multiple applications to appear to the user to be running at the same time. The operating system does so through a concept called virtualization. Virtualization provides an application with the illusion of resources that are not physically present. For example, the operating system can present to each application the abstraction that it has an entire processor dedicated to it, even though at a physical level there may be only a single processor shared among all the applications running on the computer.

With the right hardware and operating system support, most physical resources can be virtualized: examples include the processor, memory, screen space, disk, and the network. Even the type of processor can be virtualized, to allow the same, unmodified application to be run on a smartphone, tablet, and laptop computer.

Pushing this a step further, some operating systems virtualize the entire computer, to run the operating system as an application running on top of another operating system (see Figure 1.4). This is called creating a virtual machine. The operating system running in the virtual machine, called the guest operating system, thinks it is running on a real, physical machine, but this is an illusion presented by the true operating system running underneath. One reason for the operating system to provide a virtual machine is for application portability. If a program only runs on an old version of an operating system, then we can still run the program on a new system running a virtual machine. The virtual machine hosts the application on the old operating system, running on top of the new operating system. Another reason for virtual machines is as an aid in debugging. If an operating system can be run as an application, then the operating system developers can set breakpoints, stop, and single step their code just as they would an application.

In addition to virtualization, operating systems mask many other limitations inherent in physical hardware, by providing applications with the illusion of hardware capabilities that are not physically present. For example, on a computer with multiple processors sharing memory, each processor can update only a single memory location at a time. The memory system in hardware ensures that any updates to the same memory word are atomic, that is, the value stored in memory is the last value stored by one of the processors, not a mixture of the updates of the different processors. Atomicity at the level of a memory word is preserved in hardware even if more than one processor attempts to write to memory at exactly the same time. While this might seem sufficient, applications (and the operating system itself) need to be able to update larger data structures, ones spread over many memory locations. What happens when two processors attempt to update the same data structure at roughly the same time? As we’ll discuss later, the results can be quite unexpected and quite different from what would have happened had each of the processors updated the data structure in turn. Ideally, the programmer would like to have the abstraction of an atomic update to the entire data structure, not just to a single memory word. As we will discuss, the illusion of atomic updates to data structures is provided by the operating system using some specialized mechanisms provided in hardware.
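The lost update described above, worked through as an added example (not code from the book): two simulated processors each insert a node at the head of a shared list using word reads and writes that are individually atomic. The schedule strings, the struct names and the modeled lock are assumptions of this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration; all names here are hypothetical, not from the book. */
struct node { int value; struct node *next; };

struct shared {
    struct node *head; /* one memory word: each read or write of it is atomic */
    int lock_owner;    /* -1 = free; models a lock built on hardware support */
};

struct cpu {
    int id;
    struct node *mine; /* node this processor wants to insert */
    struct node *seen; /* private copy of head taken in step 0 */
    int pc;            /* next step of the insert (0..2); 3 = finished */
};

/* Run ONE step of the three-step insert on processor c. */
static void cpu_step(struct cpu *c, struct shared *s, int use_lock)
{
    if (c->pc >= 3)
        return;
    if (use_lock && c->pc == 0) {
        if (s->lock_owner != -1)
            return;            /* lock held by the other processor: stall */
        s->lock_owner = c->id; /* modeled as one atomic test-and-set */
    }
    switch (c->pc) {
    case 0: c->seen = s->head;       break; /* atomic word read  */
    case 1: c->mine->next = c->seen; break; /* private write     */
    case 2: s->head = c->mine;              /* atomic word write */
            if (use_lock)
                s->lock_owner = -1;         /* release once the update is done */
            break;
    }
    c->pc++;
}

static int list_length(const struct node *n)
{
    int len = 0;
    for (; n != NULL; n = n->next)
        len++;
    return len;
}

/*
 * Replay a schedule such as "010101": each character names the processor
 * that executes its next step. The schedule repeats until both inserts are
 * finished. Returns the number of nodes reachable from head afterwards:
 * 2 means both inserts survived, 1 means one update was lost.
 */
int run_schedule(const char *schedule, int use_lock)
{
    struct node a = {1, NULL}, b = {2, NULL};
    struct shared s = {NULL, -1};
    struct cpu cpus[2] = {{0, &a, NULL, 0}, {1, &b, NULL, 0}};
    size_t i = 0;
    int budget = 1000; /* guards against schedules that starve one processor */

    if (schedule == NULL || schedule[0] == '\0')
        return 0;
    while ((cpus[0].pc < 3 || cpus[1].pc < 3) && budget-- > 0) {
        char who = schedule[i];
        if (who == '0' || who == '1')
            cpu_step(&cpus[who - '0'], &s, use_lock);
        i = (schedule[i + 1] != '\0') ? i + 1 : 0;
    }
    return list_length(s.head);
}

int main(void)
{
    printf("serial, no lock:      %d nodes\n", run_schedule("000111", 0));
    printf("interleaved, no lock: %d nodes\n", run_schedule("010101", 0));
    printf("interleaved, locked:  %d nodes\n", run_schedule("010101", 1));
    return 0;
}
```

Every individual word access in the unlocked run is atomic, yet the interleaved schedule leaves only one node on the list; the lock turns the three steps into a single unit as seen by the other processor.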

Persistent block storage devices, such as magnetic disk or flash RAM, provide another example. At a physical level, these systems support block writes to storage, where the size of the block depends on physical device characteristics. If the computer crashes in the middle of a block write, it could leave the disk in an unknown state, with neither the old nor the new value stored at that location. Of course, applications need to be able to store data on disk that is variable in size, possibly spanning multiple disk blocks. And users want their data to be preserved even — or especially — if there is a machine failure while the disk is being updated.

We will discuss techniques that the operating system uses to accomplish these and other illusions. In each of these cases, the operating system provides a more convenient and flexible programming abstraction than what is provided by the underlying hardware.


Take a moment to speculate; to build the systems we use today, someone needed to answer these questions. Consider how you might answer them, before seeing how others solved these puzzles.

4. How would you design combined hardware and software support to provide the illusion of a nearly infinite virtual memory on a limited amount of physical memory?

5. How would you design a system to run an entire operating system as an application running on top of another operating system?

6. How would you design a system to update complex data structures on disk in a consistent fashion despite machine crashes?

1.1.3 Common services: Operating system as glue

Operating systems also play a third role: providing a set of common, standard services to applications to simplify and regularize their design. We saw an example of this with the web server outlined at the beginning of this chapter. The operating system hides the specifics of how the network and disk devices work, providing a simpler abstraction to applications based on receiving and sending reliable streams of bytes, and reading and writing named files. This allows the web server to focus on its core task of decoding incoming requests and filling them, rather than on the formatting of data into individual network packets and disk blocks.

An important reason for the operating system to provide common services, rather than leaving it up to each application, is to facilitate sharing between applications. The web server needs to be able to read the file that the text editor wrote. If applications are to share files, they need to be stored in a standard format, with a standard system for managing file directories. Likewise, most operating systems provide a standard way for applications to pass messages, and to share memory, to facilitate sharing.

The choice of which services an operating system should provide is often a matter of judgment. For example, computers can come configured with a blizzard of different devices: different graphics co-processors and pixel formats, different network interfaces (WiFi, Ethernet, and Bluetooth), different disk drives (SCSI, IDE), different device interfaces (USB, Firewire), and different sensors (GPS, accelerometers), not to mention different versions of each of those standards. Most applications will be able to ignore these differences, using only a generic interface provided by the operating system. For other applications, such as a database, the specific disk drive may matter quite a bit. For those applications that can operate at a higher level of abstraction, the operating system serves as an interoperability layer, so that both applications, and the devices themselves, can be independently evolved without requiring simultaneous changes to the other side.

Another standard service in most modern operating systems is the graphical user interface library. Both Microsoft’s and Apple’s operating systems provide a set of standard user interface widgets. This facilitates a common “look and feel” to users, so that frequent operations such as pull down menus and “cut” and “paste” are handled consistently across applications.

Most of the code of an operating system is to implement these common services. However, much of the complexity of operating systems is due to resource sharing and masking hardware limits. Because the common service code is built on the abstractions provided by the other two operating system roles, this book will focus primarily on those two topics.

1.1.4 Operating system design patterns

The challenges that operating systems address are not unique — they apply to many different computer domains. Many complex software systems have multiple users, run programs written by third party developers, and/or need to coordinate many simultaneous activities. These pose questions of resource allocation, fault isolation, communication, abstractions of physical hardware, and how to provide a useful set of common services for software developers. Not only are the challenges the same, but often the solutions are as well: these systems use many of the design patterns and techniques described in this book.

For now, we focus on the challenges these systems have in common with operating systems:

• Cloud computing (Figure 1.5) is a model of computing where large-scale applications are run on shared computing and storage infrastructure in data centers, instead of on the user’s own desktop computer. A similar approach is to run compute-intensive applications in the idle cycles of remote desktop computers. In both cases, many of the same issues arise as in operating systems, in terms of sharing, abstraction, and common services.

– Referee. How are resources allocated between competing applications running in the cloud? How are buggy or malicious applications prevented from disrupting other applications?

– Illusionist. The computing resources in the cloud are continually evolving; what abstractions are provided to isolate application developers from changes in the underlying hardware?

– Glue. Cloud services often distribute their work across different machines. What abstractions should the cloud software provide to help services coordinate and share data between their various activities?

Figure 1.5: Cloud computing

• Web browsers (Figure 1.6) such as Chrome, Internet Explorer, Firefox, and Safari each play a role similar to an operating system. Browsers load and display web pages, but as we mentioned earlier, many web pages embed scripting programs that the browser must execute. These scripts are often buggy and sometimes malicious; hackers have used them to take over vast numbers of home computers. Like an operating system, the browser must isolate the user, other web sites, and even the browser itself from errors or malicious activity by these scripts. Similarly, most browsers have a plug-in architecture for supporting extensions, and these extensions also need to be isolated from causing harm.

– Referee. How can a browser ensure responsiveness, when a user has multiple tabs open and each tab is running a script from a different web site? How can we sandbox web scripts and plug-ins to prevent bugs from crashing the browser, and to prevent malicious scripts from accessing sensitive user data?

– Illusionist. Many web services are geographically distributed for better fault tolerance. This way, if one server crashes or if its network connection has problems, the browser can connect to a different site. The user in most cases doesn’t notice the difference, even when updating a shopping cart or web form. How does the browser mask server changes transparently to the user?

– Glue. How does the browser achieve a portable execution environment for scripts that works consistently across operating systems and hardware platforms?

Figure 1.6: Web browser

• Media players, such as Flash and Silverlight, are often packaged as browser plug-ins, but they themselves provide an execution environment for scripting programs. Thus, these systems face many of the same issues as both the browsers and the operating systems on which they run: isolation of buggy or malicious code, concurrent background and foreground tasks, and plug-in architectures.

• Multi-user database systems (Figure 1.7) such as Oracle and Microsoft’s SQL Server provide the ability for large organizations to store, query, and update large data sets, such as detailed records of every purchase ever made at Walmart. Large scale data analysis provides a huge benefit to optimizing business operations, but a consequence is that databases face many of the same challenges as operating systems. Databases are simultaneously accessed by many different users in many different locations. Databases therefore need to allocate resources among different user requests, isolate concurrent updates to shared data, and ensure data is stored consistently on disk. In fact, several of the file system storage techniques we will discuss for operating systems, were originally developed for database systems.

– Referee. How should resources be allocated among the various users of a database? How does the database enforce data privacy so that only authorized users access relevant data?

– Illusionist. How does the database mask machine failures so that data is always stored consistently regardless of when the failure occurs?

– Glue. What common services make it easier for database users to develop their programs?

Figure 1.7: Database

• Parallel applications (Figure 1.8) are programs that have been designed to take advantage of multiple processors on a single computer. Each application multiplexes its work onto a fixed number of processors and needs to ensure that accesses to shared data structures are coordinated to preserve consistency. While some parallel programs directly use the services provided by the underlying operating system, others need more careful control of the assignment of work to processors to achieve good performance. These systems interpose a runtime system on top of the operating system to manage user-level parallelism, essentially building a mini-operating system on top of the operating system.

Figure 1.8: Parallel Application

Figure 1.9: Internet

• On the Internet (Figure 1.9), multiple users share the underlying physical network, posing the challenge of how the system should handle resource contention. The Internet is rife with malicious behavior, such as denial-of-service attacks that flood traffic on certain links to prevent legitimate users from communicating. Various attempts are underway to design solutions to allow the Internet to continue to function despite such attacks.

– Referee. Should the Internet treat all users identically (e.g., network neutrality) or should ISPs have the ability to favor some uses over others? Can the Internet be re-designed to prevent denial-of-service, spam, phishing, and other malicious behavior?

– Illusionist. The Internet provides the illusion of a single worldwide network, with the ability to deliver a packet from any machine on the Internet to any other machine. However, network hardware is in fact a large number of discrete network elements, with the ability to transmit limited size packets over a limited distance, and with some chance that the packet is garbled in the process. The Internet transforms the network into something more useful for applications like the web — a facility to reliably transmit data of arbitrary length, anywhere in the world.

– Glue. The Internet protocol suite was explicitly designed to act as an interoperability layer, to allow network applications to evolve independently of changes in network hardware, and vice versa. Does the success of the Internet hold any lessons for operating system design?

Many of these systems use the same techniques and design patterns as operating systems to address these challenges; studying operating systems is a great way to understand how these other systems work. In a few cases, different mechanisms are used to achieve the same goals, but even here, the boundary can be fuzzy. For example, browsers often use compile-time checks to prevent scripts from gaining control over the browser, while most operating systems use hardware-based protection to limit application programs from taking over the machine. More recently, however, some smartphone operating systems have begun to use the same compile-time techniques as browsers, but for protecting the smartphone operating system. In turn, some browsers have begun to use operating system hardware-based protection to improve the isolation they provide.

To avoid spreading our discussion too thinly, we focus this book on how operating systems work. Just as it is easier to learn a second computer programming language after you are fluent in the first, it is better to see how these operating systems principles are applied in one context before moving on to how these concepts are applied in other settings. We hope and expect however, that you will be able to apply the concepts in this book more widely than just operating system design.

Exercises

7. Society must also grapple with managing resources. What ways do we use for allocating resources, isolating misuse, and fostering sharing in real life?


1.2.1 Reliability

Perhaps the most important characteristic of an operating system is its reliability. Reliability is that a system does exactly what it is designed to do. As the lowest level of software running on the system, errors in operating system code can have devastating and hidden effects. If the operating system breaks, the user will often be unable to get any work done, and in some cases, may even lose previous work, e.g., if the failure corrupts files on disk. By contrast, application failures can be much more benign, precisely because operating systems provide fault isolation and a rapid and clean restart after an error.

Making the operating system reliable is challenging. Operating systems often operate in a hostile environment, where computer viruses and other malicious code may often be trying to take control of the system for their own purposes by exploiting design or implementation errors in the operating system’s defenses.

Unfortunately, the most common ways for improving software reliability, such as running test cases for common code paths, are less effective when applied to operating systems. Since malicious attacks can target a specific vulnerability precisely to cause execution to follow a rare code path, literally everything has to work correctly for the operating system to be reliable. Even without malicious attacks that trigger bugs on purpose, extremely rare corner cases can occur regularly in the operating system context. If an operating system has a million users, a once in a billion event will eventually occur to someone.

A related concept is availability, the percentage of time that the system is usable. A buggy operating system that crashes frequently, losing the user’s work, is both unreliable and unavailable. A buggy operating system that crashes frequently, but never loses the user’s work and cannot be subverted by a malicious attack, would be reliable but unavailable. An operating system that has been subverted, but continues to appear to run normally while logging the user’s keystrokes, is unreliable but available.

Thus, both reliability and availability are desirable. Availability is affected by two factors: the frequency of failures, called the mean time to failure (MTTF), and the time it takes to restore a system to a working state after a failure (for example, to reboot), the mean time to repair (MTTR). Availability can be improved by increasing the MTTF or reducing the MTTR, and we will present operating systems techniques that do each.

Throughout this book, we will present various approaches to improving operating system reliability and availability. In many cases, the abstractions may seem at first glance overly rigid and formulaic. It is important to realize this is done on purpose! Only precise abstractions provide a basis for constructing reliable and available systems.

9. MTTR, and therefore availability, can be improved by reducing the time to reboot a system after a failure. What techniques might you use to speed up booting? Would your techniques always work after a failure?

1.2.2 Security

Two concepts closely related to reliability are security and privacy. Security is the property that the computer’s operation cannot be compromised by a malicious attacker. Privacy is a part of security — that data stored on the computer is only accessible to authorized users.

Alas, no useful computer is perfectly secure! Any complex piece of software has bugs, and even otherwise innocuous bugs can be exploited by an attacker to gain control of the system. Or the hardware of the computer might be tampered with, to provide access to the attacker. Or the computer’s administrator might turn out to be untrustworthy, using their privileges to steal user data. Or the software developer of the operating system might be untrustworthy, inserting a backdoor for the attacker to gain access to the system.

Nevertheless, an operating system can, and should, be designed to minimize its vulnerability to attack. For example, strong fault isolation can prevent third party applications from taking over the system. Downloading and installing a screen saver or other application should not provide a way for a malicious attacker to surreptitiously install a computer virus on the system. A computer virus is a computer program that modifies an operating system or application to provide the attacker, rather than the user, control over the system’s resources or data. An example computer virus is a keylogger: a program that modifies the operating system to record every keystroke entered by the user and send those keystrokes back to the attacker’s machine. In this way, the attacker could gain access to the user’s passwords, bank account numbers, and other private information. Likewise, a malicious screen saver might surreptitiously scan the disk for files containing personal information or turn the system into an email spam server.

Even with strong fault isolation, a system can be insecure if its applications are not designed for security. For example, the Internet email standard provides no strong assurance of the sender’s identity; it is possible to form an email message with anyone’s email address in the “from” field, not necessarily the actual sender. Thus, an email message can appear to be from someone (perhaps someone you trust), when in reality it is from someone else (and contains a malicious virus that takes over the computer when the attachment is opened). By now, you are hopefully suspicious of clicking on any attachment in an email. If we step back, though, the issue could instead be cast as a limitation of the interaction between the email system and the operating system — if the operating system provided a cheap and easy way to process an attachment in an isolated execution environment with limited capabilities, then even if the attachment contained a virus, it would be guaranteed not to cause a problem.

Complicating matters is that the operating system must not only prevent unwanted access to shared data, it must also allow access in many cases. We want users and programs to interact with each other, to be able to cut and paste text between different applications, and to read or write data to disk or over the network. If each program was completely standalone, and never needed to interact with any other program, then fault isolation by itself would be enough. However, we not only want to be able to isolate programs from one another, we also want to be able to easily share data between programs and between users.

Thus, an operating system needs both an enforcement mechanism and a security policy. Enforcement is how the operating system ensures that only permitted actions are allowed. The security policy defines what is permitted — who is allowed to access what data and who can perform what operations. Malicious attackers can target vulnerabilities in either enforcement mechanisms or security policy.
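Policy and enforcement kept apart, as an added example that is not from the book: the rule tables are the policy, `access_allowed` is the enforcement check, and the flawed variant and the loose table each show a weakness on one side only. The users, paths and function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; users, paths and function names are constructed. */
enum { OP_READ = 1, OP_WRITE = 2 };

/* Security policy: plain data stating who may do what to which object. */
struct rule { const char *user; const char *object; int ops; };

static const struct rule strict_policy[] = {
    {"alice", "/home/alice/notes.txt", OP_READ | OP_WRITE},
    {"bob",   "/home/alice/notes.txt", OP_READ}, /* shared read-only */
    {"bob",   "/home/bob/todo.txt",    OP_READ | OP_WRITE},
};

/* Policy with one over-broad grant: "*" matches every user. */
static const struct rule loose_policy[] = {
    {"alice", "/home/alice/notes.txt", OP_READ | OP_WRITE},
    {"*",     "/home/alice/notes.txt", OP_READ | OP_WRITE},
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

static int rule_matches(const struct rule *r, const char *user,
                        const char *object)
{
    int user_ok = strcmp(r->user, "*") == 0 || strcmp(r->user, user) == 0;
    return user_ok && strcmp(r->object, object) == 0;
}

/* Enforcement: the single check every access goes through. Default deny. */
int access_allowed(const struct rule *policy, size_t n,
                   const char *user, const char *object, int op)
{
    size_t i;
    if (user == NULL || object == NULL || (op != OP_READ && op != OP_WRITE))
        return 0;
    for (i = 0; i < n; i++)
        if (rule_matches(&policy[i], user, object) && (policy[i].ops & op))
            return 1;
    return 0; /* no rule grants it, so it is not permitted */
}

/* Flawed enforcement, kept for comparison: it finds the matching rule but
 * never compares the requested operation with the granted ones. */
int access_allowed_flawed(const struct rule *policy, size_t n,
                          const char *user, const char *object, int op)
{
    size_t i;
    (void)op; /* the defect: the requested operation is ignored */
    if (user == NULL || object == NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (rule_matches(&policy[i], user, object) && policy[i].ops != 0)
            return 1;
    return 0;
}

/* Policy review: count rules that let every user write an object. */
int count_world_writable(const struct rule *policy, size_t n)
{
    size_t i;
    int count = 0;
    for (i = 0; i < n; i++)
        if (strcmp(policy[i].user, "*") == 0 && (policy[i].ops & OP_WRITE))
            count++;
    return count;
}

int main(void)
{
    const char *notes = "/home/alice/notes.txt";
    printf("strict policy, correct check, bob writes:     %d\n",
           access_allowed(strict_policy, LEN(strict_policy), "bob", notes, OP_WRITE));
    printf("strict policy, flawed check, bob writes:      %d\n",
           access_allowed_flawed(strict_policy, LEN(strict_policy), "bob", notes, OP_WRITE));
    printf("loose policy, correct check, mallory writes:  %d\n",
           access_allowed(loose_policy, LEN(loose_policy), "mallory", notes, OP_WRITE));
    printf("world-writable rules in loose policy:         %d\n",
           count_world_writable(loose_policy, LEN(loose_policy)));
    return 0;
}
```

A correct check cannot compensate for the wildcard rule, and a correct policy cannot compensate for the check that ignores the requested operation, so both need review.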

1.2.3 Portability

All operating systems provide applications an abstraction of the underlying computer hardware; a portable abstraction is one that does not change as the hardware changes. A program written for Microsoft’s Windows 7 should run correctly regardless of whether a specific graphics card is being used, whether persistent storage is provided via flash memory or rotating magnetic disk, or whether the network is Bluetooth, WiFi, or gigabit Ethernet.


Portability also applies to the operating system itself. Operating systems are among the most complex software systems ever invented, so it is impractical to re-write them from scratch every time some new hardware is produced or every time a new application is developed. Instead, new operating systems are often derived, at least in part, from old ones. As one example, iOS, the operating system for the iPhone and iPad, is derived from the OS X code base.

As a result, most successful operating systems have a lifetime measured in decades: the initial implementation of Microsoft Windows 8 began with the development of Windows NT starting in 1990, when the typical computer was more than 10000 times less powerful and had 10000 times less memory and disk storage, than is the case today. Operating systems that last decades are no anomaly: Microsoft’s prior operating system code base, MS/DOS, was first introduced in 1981. It later evolved into the early versions of Microsoft Windows before finally being phased out around 2000.

This means that operating systems need to be designed to support applications that have not been written yet and to run on hardware that has yet to be developed. Likewise, we do not want to have to re-write applications as the operating system is ported from machine to machine. Sometimes of course, the importance of “future-proofing” the operating system is discovered only in retrospect. Microsoft’s first operating system, MS/DOS, was designed in 1981 assuming that personal computers had no more than 640KB of memory. This limitation was acceptable at the time, but today, even a cellphone has orders of magnitude more memory than that.

How might we design an operating system to achieve portability? We will discuss this in more depth, but an overview is provided above in Figure 1.3.

For portability, it helps to have a simple, standard way for applications to interact with the operating system, through the abstract machine interface. The abstract machine interface (AMI) is the interface provided by operating systems to applications. A key part of the AMI is the application programming interface (API), the list of function calls the operating system provides to applications. The AMI also includes the memory access model and which instructions can be legally executed. For example, an instruction to change whether the hardware is executing trusted operating system code, or untrusted application code, needs to be available to the operating system but not to applications.

A well-designed operating system AMI provides a fixed point across which both application code and hardware can evolve independently. This is similar to the role of the Internet Protocol (IP) standard in networking — distributed applications such as email and the web, written using IP, are insulated from changes in the underlying network technology (Ethernet, WiFi, optical). Equally important is that changes in applications, from email to instant messaging to file sharing, do not require simultaneous changes in the underlying hardware.

This notion of a portable hardware abstraction is so powerful that operating systems use the same idea internally, so that the operating system itself can largely be implemented independently of the specifics of the hardware. This interface is called the hardware abstraction layer (HAL). It might seem at first glance that the operating system AMI and the operating system HAL should be identical, or nearly so — after all, both are portable layers designed to hide unimportant hardware details. The AMI needs to do more, however. As we noted, applications execute in a restricted, virtualized context and with access to high level common services, while the operating system itself is implemented using a procedural abstraction much closer to the actual hardware.

Today, Linux is an example of a highly portable operating system. Linux has been used as the operating system for web servers, personal computers, tablets, netbooks, ebook readers, smartphones, set top boxes, routers, WiFi access points, and game consoles. Linux is based on an operating system called UNIX, originally developed in the early 1970’s. UNIX was written by a small team of developers, and because they could not afford to write very much code, it was designed to be very small, simple to program against, and highly portable, at some cost in performance. Over the years, UNIX’s and Linux’s portability and convenient programming abstractions have been keys to its success.

1.2.4 Performance

While the portability of an operating system can become apparent over time, the performance of an operating system is often immediately visible to its users. Although we often associate performance with each individual application, the operating system’s design can have a large impact on the application’s perceived performance because it is the operating system that decides when an application can run, how much memory it can use, and whether its files are cached in memory or clustered efficiently on disk. The operating system also mediates application access to memory, the network, and the disk. The operating system needs to avoid slowing down the critical path while still providing needed fault isolation and resource sharing between applications.

Performance is not a single quantity, but rather it can be measured in several different ways. One performance metric is the efficiency of the abstraction presented to applications. A related concept to efficiency is overhead, the added resource cost of implementing an abstraction. One way to measure efficiency (or inversely, overhead) is the degree to which the abstraction impedes application performance. Suppose the application were designed to run directly on the underlying hardware, without the overhead of the operating system abstraction; how much would that improve the application’s performance?

Operating systems also need to allocate resources between applications, and this can affect the performance of the system as perceived by the end user. One issue is fairness, between different users of the same machine, or between different applications running on that machine. Should resources be divided equally between different users or different applications, or should some get preferential treatment? If so, how does the operating system decide what tasks get priority?

Two related concepts are response time and throughput. Response time, sometimes called delay, is how long it takes for a single specific task from when it starts until it completes. For example, a highly visible response time for desktop computers is the time from when the user moves the hardware mouse until the pointer on the screen reflects the user’s action. An operating system that provides poor response time can be unusable. Throughput is the rate at which a group of tasks can be completed. Throughput is a measure of efficiency for a group of tasks rather than a single one. While it might seem that designs that improve response time would also necessarily improve throughput, this is not the case, as we will discuss later in this book.

A related consideration is performance predictability, whether the system’s response time or other metric is consistent over time. Predictability can often be more important than average performance. If a user operation sometimes takes an instant, and sometimes much longer, the user may find it difficult to adapt. Consider, for example, two systems. In one, the user’s keystrokes are almost always instantaneous, but 1% of the time, a keystroke takes 10 seconds to take effect. In the other system, the user’s keystrokes always take 0.1 seconds to be reflected on the screen. Average response time may be the same in both systems, but the second is more predictable. Which do you think would be more user-friendly?

For a simple example illustrating the concepts of efficiency, overhead, fairness, response time, throughput, and predictability, consider a car driving to its destination. If there were never any other cars or pedestrians on the road, the car could go quite quickly, never needing to slow down for stop lights. Stop signs and stop lights enable cars to share the road, at some cost in overhead and response time for each individual driver. As the system becomes more congested, predictability suffers. Throughput of the system is improved with carpooling. In congested situations and especially with dedicated carpool lanes, carpooling can also improve latency even though carpoolers need to coordinate their pickups. Predictability, throughput, and arguably fairness can all be improved by scrapping the car and installing mass transit.

1.2.5 Adoption

In addition to reliability, portability and performance, the success of an operating system depends on two factors outside its immediate control: the (wide) availability of applications ported to that operating system, and the (wide) availability of hardware that the operating system can support. An iPhone runs iOS, but without the preinstalled applications and the contents of the App Store, the iPhone would be just a cellphone with (allegedly) bad phone reception.

The network effect occurs when the value of some technology depends not only on its intrinsic capabilities, but also on the number of other people who have adopted that technology. Application and hardware designers spend their efforts on those operating system platforms with the most users, while users favor those operating systems with the best applications or the cheapest hardware. If this sounds circular, it is! More users imply more applications and cheaper hardware; more applications and cheaper hardware imply more users, in a virtuous cycle.

Consider how you might design an operating system to take advantage of the network effect, or at least to avoid being crushed by it. An obvious step would be designing the system to make it easy to accommodate new hardware, and to make it easy for applications to be ported across different versions of the same operating system.

A more subtle issue is the choice of whether the operating system programming interface (API), or the operating system source code itself, is open or proprietary. A proprietary system is one under the control of a single company, so it can be changed at any time by its provider to meet the needs of its customers. An open system is one where the system’s source code is public, allowing anyone the ability to inspect the code and change it. Often, an open system will have an API that can only be changed with the agreement of a public standards body. Adherence to standards provides assurance to the application developer that the API will not be changed except by general agreement; on the other hand, standards bodies can make it difficult to quickly add new, desired features.

Neither open systems nor proprietary ones are obviously better for widespread adoption. Windows 7 and MacOS are examples of proprietary operating systems; Linux is an example of an open operating system. All three are widely used! Open systems are easier to adapt to a wide variety of hardware platforms, but risk fragmentation, impairing the network effect. Purveyors of proprietary operating systems argue that their systems are more reliable and better adapted to the needs of their customers. Interoperability problems are reduced if both the hardware and software are controlled by the same company, but limiting an operating system to one hardware platform impairs the network effect.

Making it easy to port applications from existing systems to a new operating system can help a new system become established, and conversely, designing an operating system API to make it difficult to port applications away from the operating system can help prevent competition from becoming established. Thus, there are often commercial pressures for operating system interfaces to become idiosyncratic. Throughout this book, we will discuss operating systems issues at a conceptual level, but it is important to realize that the details will vary quite a bit for any specific operating system, due to important, but also somewhat chaotic, commercial interests.


Android vs iPhone

One avenue to improving system reliability might be to limit third party applications, or to vet them in some way. Of course, limiting applications can hurt adoption. Two operating systems vendors taking opposite positions on this recently are Apple and Google. For the iPhone, Apple requires pre-approval before any application can be loaded on the iPhone, possibly enhancing reliability. In practice, however, it can be difficult to verify all aspects of application behavior, e.g., to prevent a game application from downloading telephone numbers stored on the smartphone for telemarketing purposes. Thus, it is unclear how much benefit users will have in practice. Google takes the opposite approach: it gives the users control over which applications can be installed on Android phones, possibly enhancing wider user adoption, but potentially hurting system reliability. It will be interesting to see which approach is more successful.

1.2.6 Tradeoffs

Most practical operating system designs need to strike a balance between the goals of reliability, security, portability, performance, and adoption. Design choices that improve portability — for example, by preserving legacy interfaces — often make the system as a whole less reliable and less secure. Similarly, there will often be ample room for breaking an abstraction to tweak some added performance out of the system. However, such performance optimizations come at a cost of added complexity and therefore potentially decreased reliability. The operating system designer must carefully weigh these competing goals.

To illustrate the tradeoff between performance and complexity, we relate the following true story. An operating system was designed and implemented in the late 1980’s, using a type-safe language to reduce the incidence of programmer errors. For speed, the most frequently used routines at the core of the operating system were implemented in assembly code. In one of these routines, the implementers decided to use a sequence of instructions that shaved a single instruction off a very frequently used code path, but that would sometimes break if the operating system exceeded a particular size. At the time, the operating system was nowhere near this limit. After a few years of production use, however, the system started mysteriously crashing, apparently at random, and only after many days of execution. Many weeks of painstaking investigation revealed the problem: the operating system had grown beyond the limit assumed in the assembly code implementation. The fix was easy, once the problem was found, but the question for the reader is: do you think the original optimization was worth the risk?

Exercises


Figure 1.10: Computer performance over time

10. For the computer you are currently using, how should the operating system designers prioritize among reliability, security, portability, performance, and adoption? Explain why.

1.3 A brief history of operating systems

We conclude this chapter with a discussion of the origins of operating systems, as a way of illustrating where operating systems are headed in the future. As the lowest layer of software running on top of computer hardware, operating systems have been around nearly as long as the first computers, and they have evolved nearly as rapidly as computer hardware.

1.3.1 Impact of technology trends on operating systems

The most striking aspect of the last fifty years in computing technology has been the cumulative effect of Moore’s Law, and the comparable advances in related technologies such as memory and disk storage. Moore’s Law states that transistor density increases exponentially over time; similar exponential improvements have occurred in many other component technologies. Figure 1.10 provides an overview of the past thirty years of technology improvements in computer hardware. The cost of processing has decreased by over five orders of magnitude over the past thirty years; the cost of memory and disk capacity has followed a similar trajectory. Of course, not all technologies have improved at the same rate; disk latency has improved over time, but at a much slower rate than disk capacity. These relative changes have radically altered both the use of computers and the tradeoffs faced by the operating system designer.

It is hard to imagine how things used to be. Today, we are able to carry smartphones with incredibly powerful computers around in our pockets. Thousands of server computers wait patiently for a user to type in a search query; when the query arrives, the servers can synthesize a response in a fraction of a second. In the early years of computing, however, the computers were more expensive than the salaries of the people who used them. Users would queue up, often for days, for their turn to run a program. A similar progression from expensive to cheap devices occurred with telephones over the past hundred years. Initially, telephone lines were very expensive, so that a single line was shared among everyone in a neighborhood. Over time, of course, both computers and telephones have become cheap enough to sit idle until we need them.

Despite these changes, operating systems still face the same conceptual challenges as they did fifty years ago. To manage computer resources for applications and users, operating systems must allocate resources among applications, provide fault isolation and communication services, abstract hardware limitations, and so forth. Tremendous progress has been made towards improving the reliability, security, efficiency, and portability of operating systems, but much further progress is still needed. Despite the fact we do not know how computing technology or application demand will evolve over the next 10-20 years, it is highly likely we will continue to need to address these fundamental operating system challenges in the future.

1.3.2 Early operating systems

The first operating systems were runtime libraries, intended to simplify programming early computer systems. Rather than the tiny, inexpensive yet massively complex hardware and software systems we have today, the first computers often took up an entire floor of a warehouse, cost millions of dollars, yet were only capable of being used by a single person at a time. The user would first reset the computer, load in their program, and hit go, producing output that could be pored over while the next user took their turn. If the user made an error, they needed to wait their turn to try the run over again, often the next day.

Although it might seem like there was no need for an operating system in this setting, if computers are enormously expensive, anything that reduces the likelihood of programmer error is extremely valuable. The first operating systems were seen as a way of reducing errors by providing a standard set of common services. For example, early operating systems provided standard routines to perform input/output (I/O) processing, which each user could link into their program. By using these services, a user’s program would be more likely to run correctly and produce useful output.

Even though these initial operating systems were a huge step forward, the

Date posted: 09/01/2018, 13:57
