Composite: a component-based operating system for predictable and dependable computing

  • Authors: Richard West; Gabriel Ammon Parmer
  • Affiliations: Boston University; Boston University
  • Venue: Composite: a component-based operating system for predictable and dependable computing
  • Year: 2010

Abstract

Systems in general, and embedded systems in particular, are increasing in software complexity. This trend will only continue as we expect more functionality from our computational infrastructure. With complexity, the system's ability to tolerate and be resilient to faulty or malicious software becomes ever more challenging. Additionally, as system capabilities increase, it becomes impossible for the operating system (OS) designer to predict the policies, abstractions, and mechanisms required by all possible applications. These trends motivate a system architecture that places an emphasis on both dependability and extensibility. This thesis presents the COMPOSITE component-based OS, which focuses on system-provided fault tolerance and application-specific system composition. A goal of this system is to define resource management policies and abstractions as replaceable user-level components. Importantly, this enables component-based control of both the temporal- and memory-isolation properties of the system. All system scheduling decisions are component-defined, as are the policies that determine the configuration of fault-isolation barriers throughout the system. In achieving this goal, we posit a philosophy in which fault-isolation is not a binary condition (that is, present or not), but rather is dynamically controlled by the system's components. This thesis first focuses on how COMPOSITE is able to migrate the implementation of the system's CPU scheduling policy from the trusted kernel to a user-space component. In this way, scheduling policy is application-specific and fault-isolated from other components. We demonstrate how different component-defined policies for controlling temporal aspects of the system are able to predictably schedule interrupt execution to prevent livelock. The second main focus of this thesis is an investigation of the trade-off between fault-isolation and system performance. Protection domains between components provide fault-isolation, but inter-protection-domain communication incurs a performance overhead. In recognition of this trade-off, we introduce Mutable Protection Domains, a novel mechanism to dynamically construct and remove isolation boundaries within the system in response to changing inter-protection-domain communication overheads. Using this mechanism, we demonstrate that a component-based web server is able to manipulate its protection domain configuration to achieve throughput improvements of up to 40% over a static configuration while concurrently maintaining high fault isolation.