4.6 Storage Management 153 codeToPSUs : PCODE → MEM The next operation creates the sequence of bytes that will actually be copied to disk on a swap. It uses codeToPSUs as well as two λ expressions that operate more as one would find in a complete model. (When this schema is used, that use will be a little incorrect because the extraction of start and size from data and stack segments is ignored.) CreateProcessImage code ?:PCODE stkstrt?, datastrt?:ADDRESS stksz?, datasz ?:N 1 ; image!:MEM image!=codeToPSUs(code?)  (λ i : datastrt? datasz ? • 0)  (λ i : stkstrt? stksz? • 0) It is now possible to prove a few propositions about the main store and its operations. Proposition 71. RSCanAllocateStore is false iff there are no holes of positive size. Proof. By the predicate, hole size(h) > 0 for some hole, h,inranholes. ✷ Proposition 72. Each use of RSAllocateFromHole monotonically decreases available free storage. Proof. Assume there have already been allocations. Then, by the invariant:  i=#holes i=1 hole size(holes(i)) +  j =#usermem j =1 hole size(usermem(j )) =#mem There are two cases. Case 1. rqsz? = hole size. Then the number of holes decreases by one. The sum decreases by the corresponding amount. Case 2. rqsz? < hole size. The hole is split into two blocks, one of size rqsz? and the other of size memsize(h) − rqsz ?. The size of this new hole is neces- sarily less than memsize(h). Therefore, the available storage decreases. ✷ The following two propositions establish the fact that free store decreases by the action of RSAllocateFromHole (when it is applicable) and the action of RSFreeMainstore increases the amount of free store. Proposition 73. The action of RSAllocateFromHole[k/rqsz ?] decreases the available free store by k units. 154 4 A Swapping Kernel Proof. Again, without loss of generality, assume there have already been allocations. Then, by the invariant:  i=#holes i=1 hole size(holes(i)) +  j =#usermem j =1 hole size(usermem(j )) = #mem If k units are allocated from free store, it follows that #mem  is given by: i=#holes  i=1 hole size(holes(i)) − k + j =#usermem  j =1 hole size(usermem(j )) + k = i=#holes   i=1 hole size(holes  (i)) + j =#usermem   j =1 hole size(usermem  (j )) ✷ Proposition 74. The action of RSFreeMainstore[k/sz?] increases the avail- able free store by k units. Proof. This is the converse of the last proposition. Again, we use the same conjunct of the invariant:  i=#holes i=1 hole size(holes(i)) +  j =#usermem j =1 hole size(usermem(j )) = #mem If k units are returned to free store, it follows that #mem  is given by: i=#holes  i=1 hole size(holes(i)) + k + j =#usermem  j =1 hole size(usermem(j )) − k = i=#holes   i=1 hole size(holes  (i)) + j =#usermem   j =1 hole size(usermem  (j )) ✷ Proposition 75. If a hole is exactly the size of a request, it disappears from thefreelist. Proof. The predicate of RSAllocateFromHole states that room left in hole(rqsz ?, h)=0∧ ran usermem  = ran usermem \{mspec!} Since h = mspec!, ran usermem  =ranusermem \{h},soh ∈ ran usermem  . ✷ Proposition 76. If a hole is larger than that requested, it is split into two and the smaller block is returned to the free list. 4.6 Storage Management 155 Proof. The predicate of RSAllocateFromHole states that: mspec!=(la, rqsz !) ∧ holes  =(holes −  {h})  mkrmemspec(nextblock(mspec!), hsz) where hsz = memsize(h) − rqsz?andnextblock yields the index of the start of the next block: nextblock(mkrmemspec(strt, sz )) = strt + sz. Since hsz is the size of the block added to holes and hsz = memsize(h) − rqsz?andhsz > 0 (by the predicate), it follows that: memsize(mkrmemspec(nextblock(mspec!), hsz)) < memsize(h) ✷ Proposition 77. If all holes have size < rqsz ?, RSAllocateFromHole cannot allocate any store. Proof. Let rqsz?=n and let n be larger than the greatest block size. Then room left in hole(rqsz?, h) < 0 for all h. This falsifies the predicate of the schema. ✷ Proposition 78. If the allocating hole is ≥ rqsz?, the hole is split into two parts: one of size = rqsz ?, the other of size, s, s ≥ 0. Proof. There are two cases to consider, given RSAllocateFromHole’s predi- cate: 1. memsize(h)=rqsz?, and mspec is of size rqsz?, so s = 0 (the smaller part is of zero length); 2. memsize(h)=rqsz?andmspec is of size rqsz?, so memsize(h) − rqsz?is the size of one part and s > 0 is the size of the other. ✷ The next proposition establishes the fact that merging adjacent free blocks (holes) decreases the number of blocks in free store. Proposition 79. MergeAdjacentBlocks ⇒ # ran holes  < # ran holes. Proof. For the purposes of this proposition, the critical line is: holes  =[((holes −  {h 1 }) −  {h 2 })  mergememholes(h 1 , h 2 )] So: 156 4 A Swapping Kernel # ran holes  = # ran[((holes −  {h 1 }) −  {h 2 })  mergememholes(h 1 , h 2 )] = # ran((holes −  {h 1 }) −  {h 2 })+#ranmergememholes(h 1 , h 2 ) = # ran((holes \{h 1 }) \{h 2 })+#ranmergememholes(h 1 , h 2 ) = # ran((holes \{h 1 }) \{h 2 })+1 = (#(ran holes \{h 1 }) − 1) + 1 = (#(ran holes) − 2) + 1 = # ran holes − 1 ≤ # ran holes ✷ If the free blocks are reduced in number, what happens to their size? The following proposition establishes the fact that the merging of adjacent free blocks creates a single new block whose size is the sum of all of the merged blocks. Proposition 80. If h 1 and h 2 are adjacent holes in the store of size n 1 and n 2 , respectively, then MergeAdjacentHoles implies that there exists a hole of size n 1 + n 2 . Proof. Since h 1 and h 2 are adjacent, they can be merged. The definition of mergememholes is: ∀ h 1 , h 2 : MEMDESC • (lower hole addr(h 1 , h 2 ), memsize(h 1 )+memsize(h 2 )) The size of the merged hole is therefore memsize(h 1 )+memsize(h 2 ). Letting memsize(h 1 )=n 1 and memsize(h 2 )=n 2 , it is clear, by the definition of mergememholes, that: memsize(h 1 )+memsize(h 2 )=n 1 + n 2 ✷ It is clear that we do not want operations on the free store to affect the store allocated to processes. The following proposition assures us that nothing happens to user store when adjacent blocks of free store are merged. Proposition 81. MergeAdjacentHoles leaves user store invariant. Proof. The predicate does not alter usermem. ✷ Proposition 82. If h 1 and h 2 are adjacent holes and MergeAdjacentHoles is applied to merge them, then # ran holes  =#ran holes − 1. Proof. By Proposition 79. ✷ 4.6 Storage Management 157 Proposition 83. The predicate of schema FreeMainstoreBlock implies that # ran holes  > # ran holes and that # ran usermem  < # ran usermem. Proof. By the definition of FreeMainstoreBlock: holes  = holes  mkrmemspec(start, sz?) so: # ran holes = # ran(holes  mkrmemspec(start, sz?)) = # ran holes + # ran(mkrmemspec(start, sz?)) = # ran holes +1 and so, # ran holes  > ran holes. Now, # ran usermem  = # ran(usermem −  {mkrmemspec(start, sz ?)}) = #(ran usermem \{mkrmemspec(start, sz ?)}) = # ran usermem − 1 Therefore # ran usermem  < #ranusermem. ✷ Proposition 84. If n calls to the allocator request k units of store, followed immediately by n calls to RSFreeMainStore, each returning k units of store, return the store to its original state. Proof. We need to show that the sizes of usermem and holes are unchanged. By Proposition 73, the size of the store after the n allocations is:  i=#holes i=1 hole size(holes(i)) − nk+  j =#usermem j =1 hole size(usermem(j )) + nk =  i=#holes  i=1 hole size(holes  (i))+  j =#usermem  j =1 hole size(usermem  (j )) while that after the n deallocations is, by Proposition 74:  i=#holes  i=1 hole size(holes  (i)) + nk+  j =#usermem  j =1 hole size(usermem  (j )) − nk =  i=#holes  i=1 hole size(holes  (i))+  j =#usermem  j =1 hole size(usermem  (j )) =  i=#holes i=1 hole size(holes(i))+  j =#usermem j =1 hole size(usermem(j )) ✷ 158 4 A Swapping Kernel Proposition 85. #image!=#code + stksz?+datasz?. Proof. Note that codeToPSUs is of type PCODE → MEM ,so#code = #codeToPSUs since MEM = seq PSU . Now #image!= #(codeToPSU (code?)  (λ i :1 datasz ? • 0)  (λ i :1 stksz ? • 0)) =#(codeToPSU (code?) + #(λ i :1 datasz? • 0) + #(λ i :1 stksz ? • 0)) =#code +#datasz ?+#stksz? ✷ The real store on the hardware is represented by a unique instance of SharedMainStore.Thisisastorethatreferstotherealstorebutwhoseop- erations are protected by locks. All that is required is that the operations be indivisible. The class is defined as follows: SharedMainStore (INIT , CanAllocateInStore, AllocateFromHole, AllocateFromUsed, FreeMainStore, CopyMainStore, WriteMainStore) lms : LINERAMAINSTORE lck : Lock INIT lms.INIT CanAllocateInStore = lck.Lock o 9 lms.RSCanAllocateInStore o 9 lms.Unlock AllocateFromHole = lck.Lock o 9 RSAllocateFromHole o 9 lck.Unlock AllocateFromUsed = lck.Lock o 9 RMAllocateFromUsed o 9 lck.Unlock FreeMainStore = lck.Lock o 9 RSFreeMainStore o 9 lck.Unlock CopyMainStore  = lck.Lock o 9 RSCopyMainStoreSegment o 9 lck.Unlock WriteMainStore = lck.Lock o 9 RSWriteMainStoreSegment o 9 lck.Unlock 4.6.1 Swap Disk This section contains a high-level model of the swap disk. The swap disk is where swapped process images are stored. It is assumed to be more or less infinite in size. 4.6 Storage Management 159 Communication with the swap disk is in terms of a buffer containing an operation code. The codes are defined as: SWAPRQMSG ::= NULLSWAP | SWAPOUT  PREF × ADDRESS × ADDRESS | SWAPIN  PREF × ADDRESS | NEWSPROC PREF × MEM  | DELSPROC PREF The NULLSWAP operation is a no-operation: if the opcode is this value, the swap disk should do nothing. A SWAPOUT code specifies the identifier of the process whose store is to be swapped out and the start and end addresses of the segment to be written to disk. A SWAPIN code requests the disk to read a segment and transfer it to main store. A NEWSPROC specifies that the store represented by MEM is to be stored on disk and that PREF denotes a newly created process that cannot be allocated in store at present. Finally, the DELSPROC code indicates that the named process is to be removed completely from the disk (it should be removed from the swap disk’s index). The buffer that supplies information to the swap disk is SwapRQBuffer. A semaphore is used to provide synchronisation between the swapper process and the swap disk process. The buffer is modelled by a class and is defined as follows: SwapRQBuffer (INIT , Write, Read ) mutex, msgsema : Semaphore buff : SWAPRQMSG INIT mt?:Semaphore ptab?:ProcessTable sched?:LowLevelScheduler lck?:Lock mutex  = mt? (∃ iv : Z | iv =1• msgsema  = Semaphore.Init[iv/iv ?, ptab?/pt?, sched?/sch?, lck?/lk?]) buff  = NULLSWAP Write = Read  = This class has two main operations, one for reading a request buffer and one for writing a reply buffer. The buffers are protected by semaphores. Semaphores 160 4 A Swapping Kernel are correct at this level because the code that calls Read and Write is executed by system processes, not by kernel primitives. The Write operation is simple and defined as: Write ∆(buff ) rq ?:SWAPRQMSG msgsema.Wait ∧ buff  = rq ? ∧ msgsema.Signal The Read operation is also simple: Read rq !:SWAPRQMSG mutex.Wait msgsema.Wait mutex.Signal rq !=buff buff  = NULLSWAP mutex.Wait msgsema.Signal mutex.Signal Readers should note that the above buffer protocol is asymmetric. If a reader is already reading and a writer is waiting to write, the code will permit other readers to perform reads before the writer is permitted to write new data. In this particular case, this is permissible because there is exactly one reader, the swap-disk driver, and two writers, the swapper and store manager processes. The driver process for the swap disk is relatively simple. Its basic tasks are to store process images and to retrieve them again when required. The images are indexed by process reference or identifier (APREF ). Only “gen- uine” processes can have their images swapped out, and thus only processes whose reference is an element of APREF. The image stored on the swap disk is a copy of a contiguous segment of main store, so the objects stored on the swap disk are elements of type MEM (sequences of PSU ). The swap-disk model uses a finite partial map to represent the disk storage and index. Two semaphores are used, one to synchronise with the device driver that passes requests to the disk-controller process and a semaphore to synchronise with the storage management module. The second semaphore is used to signal the fact that the transfer has been completed; if this semaphore were not included, there is the risk that the storage management module would assume that a transaction had been completed, while, in fact, it had not. 4.6 Storage Management 161 Requests to the swap disk process are placed in the SwapRQBuffer.This is a piece of shared storage and is guarded by its own semaphore. The read and write operations are to main store. Main store is, of course, shared, so locking is used to prevent interrupts from occurring while read and write operations are under way. It would be natural to assume that, since this is the only process running at the time reads and writes are performed, main store would, in effect, belong to this process. However, an interrupt could cause another process to be resumed and that process might interact with this one. This is, it must be admitted, a bit unlikely, but it is safer to use the scheme employed here. The alternative is to guard main store with a semaphore. This is not an option here because the storage-management software is implemented as a module, not a process. The driver uses a semaphore to synchronise with the swapper process for reading the SwapRQBuffer. This is the semaphore called devsema in the definition of the class. It also uses a second semaphore, called donesema,which is used to indicate the fact that the disk read has been completed (the reason for this will become clear below). The class that follows is, in fact, a combination of the process that performs the copy to and from disk and the disk itself. The reason for this is that the disk image is as important a part of the model as the operations to read and write the byte sequences and process references. The swap disk’s driver process is defined as: SWAPDISKDriverProcess (INIT , RunProcess) devsema : Semaphore donesema : Semaphore dmem : APREF  → MEM sms : SharedMainStore rqs : SwapRqBuffer INIT dsma?:Semaphore devsemaphore?:Semaphore rqbuff ?:SwapRqBuffer store?:SharedMainStore donesema  = dsma? devsema  = devsemaphore? dom dmem  = ∅ rqs  = rqbuff ? sms  = store? 162 4 A Swapping Kernel writeProcessStoreToDisk = readProcessStoreFromDisk = deleteProcessFromDisk = sleepDriver = handleRequest = RunProcess = Even though this is a system process, the main store is locked when read and write operations are performed. This is because arbitrary interrupts might occur when these operations are performed; even though it is controlled by a semaphore (so processes cannot interfere with any operation inside it), the body of critical regions is still open to interrupts. The lock is used as an additional safety measure, even though it is not particularly likely that an interrupt would interfere with the store in question. writeProcessStoreToDisk ∆(dmem) p?:APREF ms?:MEM dmem  = dmem ⊕{p? → ms?} readProcessStoreFromDisk p?:APREF ms!:MEM ms!=dmem(p?) deleteProcessFromDisk ∆(dmem) p?:APREF dmem  = {p?} −  dmem When the driver is not performing any operations, it waits on its devsema. ThedriverisawakenedupbyaSignal on devsema. When the request has been handled, the Wait operation is performed to block the driver. This is a safe and somewhat standard way to suspend a device process. sleepDriver = devsema.Wait The remaining operation is the one that handles requests. When the device process has the semaphore, it reads the data in the request block; in particular, [...]... dom dmem Proof Both parts are a consequence of the definition of ⊕: f ⊕ g(x ) = g(x ) if x ∈ dom g and f (x ) otherwise 2 4. 6.2 Swapper This subsection is about the process swapper In fact, the swapper is better described as a storage-management module The software is a module because 1 64 4 A Swapping Kernel it implements a set of tables describing the state of each user process’ storage In particular,... therefore, necessary to unready the children of a swapped-out parent The following schema defines this operation The schema named BlockProcessChildren blocks the descendant processes of a given parent The complete set of descendants is represented by the transitive closure of the childof relation; the complete set of descendants of a given process are represented by childof + (| {p?} |) for any process identifier... #readyqueues(userqueue) + p 2 The following is an immediate consequence of the last proposition Corollary 7 Operation ReadyProcessChildren changes the state of all processes affected by it to pstready Proposition 90 BlockProcessChildren o ScheduleNext implies that currentp 9 is not a descendant of the ancestor of the process just blocked Proof This requires the proof of the following lemma Lemma 16 For any process, p,... BlockProcessChildren, the length of the user-level queue will be n − 1 Proof Without loss of generality, it can be assumed that all descendants of process ϕ, and all processes that it blocks, have user-level priority Let blocks = ps ∪ offspring and #blocks = p By the predicate of the schema, it follows that ∀ p ∈ blocks • MakeUnready[p/pid ?], so there must be p applications of MakeUnready to blocks By Proposition... notation Proposition 87 For any parent process, p, BlockProcessChildren ⇒ (∀ p1 : APREF | childof (p1 , p) • p ∈ ran userqueue) Proof The predicate of BlockProcessChildren contains an instance of MakeUnready inside the scope of the universal quantifier The universal quantifier ranges over all possible descendants of input process p? Since MakeUnready removes its argument from the ready queue, the result... removes all zombies from the system Proof Zombies are only stored in the zombies list The KillAllZombies operation is defined as the conjunction of two operations The crucial parts of the definition (after simplification and substitution) are: deadzombs! ⊆ zombies ∧ zombies = zombies \ deadzombs! ∧ procs = deadzombies! − procs where deadzombs! is a set composed of the identifiers of those zombies whose children... blocked are determined by pd BlocksProcesses Next, identifiers of all the descendants of the process are determined by AlDescendants Next, each of the identifiers in the union of these two sets is marked as being present in store and then added to the ready queue so that it can be scheduled 3 The actual limit is imposed by the maximum number of entries in the process table This fact is a clear problem... children of p in the ready queue after the operation completes Proof In the predicate of schema BlockProcessChildren, ps represents the descendants of process p From this, using the predicate, it can be seen that MakeUnready[p/pid ?] for all p ∈ ps implies p ∈ ran userqueue In other words, the process, p, is removed from the ready queue by the operation MakeUnready Therefore, there are no children of p... excludes pstready) The amount of store the candidate occupies must be at least the same as that requested for the incoming process (this is represented by rqsz ?) The candidate must also have the greatest main-store residency time System and device processes do not appear in any of the storage-management tables, so it is not possible for an attempt to be made to swap one of them out 4. 6 Storage Management... pstterm} it follows that the process can only be in the ready state (pstready) 2 4. 6.3 Clock Process The clock process is an extremely important component of the system As has been seen, the clock is used to pre-empt user-level processes In addition, processes of all kinds can use the clock to suspend themselves for a specified period of time; when that time has expired, the processes receive an “alarm” call . closure of the childof relation; the complete set of descendants of a given process are represented by childof + (|{p?}|) for any process identifier p?. In BlockProcessChildren, ps is the set of descendants. descendant of the ancestor of the process just blocked. Proof. This requires the proof of the following lemma. Lemma 16. For any process, p, BlockProcessChildren implies that there are no children of. better described as a storage-management module. The software is a module because 1 64 4 A Swapping Kernel it implements a set of tables describing the state of each user process’ storage. In particular,