The Rambler Operating System Architecture

 

The following figure illustrates the architecture of the Rambler Operating System:

Figure 1. Rambler system architecture and components

 

This page is intended as a brief introduction to the Rambler architecture, which can be regarded as a kernel-less architecture since there is no traditional kernel part. As figure 1 shows, the HAL/IPC module, including the user-level portion and the kernel-level portion, is the only mandatory part common to all other software. Other kernel functions, such as interrupt dispatching, address space management, I/O permission management, and so on, are abstracted as processor devices. In other words, processor-specific functions are abstracted as processor devices. The concept of processor device implies that some processor-specific functions are allowed to work at user mode, depending on the processor architecture. User-level processor devices will result in good performance since no IPC invocation occurs. Another advantage of this concept is that the system becomes more flexible and tailorable with processor devices. OS designers can abstract more future processor-specific functions such as multimedia enhancement, distributed memory management, parallelism support, and so on, as processor devices and use a unified device manager to tailor/reconfigure the system. Based on this concept, the Rambler architecture is allowed to support a variety of processors, and evolve with the advance of computer architectures. Furthermore, a kernel-level plug-and-play mechanism is under design, which will allow the system to dynamically detect processor-specific functions and load the corresponding drivers.

 

In the Rambler architecture, address spaces are treated as short-term object containers called execution domains, some of which are the images of some long-term object containers. The concept of execution domain is like the concept of process, but has some differences: 1) A process is active, which must contain at least one execution unit like a thread. In contrast, an execution domain is passive, which is allowed to contain no execution unit until some events happen. 2) The address space of a process is usually flat, whereas that of an execution domain may be nested, i.e., tree-structured.

 

In the Rambler architecture, all kernel-mode components are put into a kernel-mode execution domain called Processor Domain. Besides the HAL/IPC module and some processor devices, Processor Domain contains some critical devices, which are some performance-sensitive devices not tolerating the overhead of context switching, or some devices that do not tolerate any failures.

 

Different from a traditional operating system like UNIX or Windows 2000 (TM), Rambler puts most devices into a user-mode domain, called Device Domain, for improving robustness. As the corresponding device drivers run in user-mode, these drivers are known as application-level device drivers. For protecting the address space of Device Domain and isolating failures, the Rambler architecture strongly recommends third-party hardware vendors to put their device drivers into some third-party device domains, as Figure 1 shows. If a third-party device driver corrupts, it only corrupts the related address space and any components relying on its functionality, but not the whole system. In contrast, the traditional operating systems may experience a total failure in this case, since there are many third-party device drivers running in kernel mode. The experience of L4 shows application-level device drivers are always helpful for improving robustness except when a hardware components permits system corruption (e.g., by physical memory access via DMA). In this case, "no kernel can prevent the driver from corrupting the system, and risk depends on the hardware accessible to the driver" []. For minimizing this kind of risk, current implementation of Rambler/i386 treats the DMA driver and the keyboard driver as critical device drivers, and put them into Processor Domain.

 

As Figure 1 shows, Service Domain plays a role of Windows NT executive []. This domain contains service modules shipped with the Rambler OS. Other third-party services are supposed to be put into some third-party execution domains for isolating failures.

 

One may notice that there is no thread module in Figure 1. In fact, the thread module is application-level and treated as a library linked into applications. Not like some user-level thread packages such as Threads [], Presto [], uSystem [], C Threads [], uC++ [], and Sun Lightweight Processes [], and so on, the Rambler thread library introduces system-level threads working at application level. Rambler achieves this goal by providing some primitives contained in a user-level HAL/IPC module, as Figure 1 show, for the thread library. Thus, the thread library can use these primitives to cooperate with the system for supporting synchronization and preemption. This approach not only keeps efficiency of user-level threads, but also avoids scheduling stalls as Scheduler Activations [] and First-Class User-Level Threads [] introduce.

 

The following sections expand on the roles of Processor Domain, Device Domain and Service Domain.

 

Processor Domain

 

Processor Domain contains the following major components:

• The kernel-level HAL/IPC module provides well-defined, predictable primitives through which kernel-level components and user-level execution domains can interact with each other by issuing cross-domain invocations. This module merely implements mechanisms and avoids policy making. For the best performance, this module is designed to be processor-dependent, and may have different implementations even with different processor generations in one family. For example, the implementation for Pentium(TM) will differ from the implementation for Pentium Pro(TM). Besides the IPC primitives, this module provides thread primitives for supporting concurrency in Processor Domain.
• Interrupt Dispatcher hides all processor-specific information from interrupt handlers by encapsulating traps, exceptions, and hardware interrupts as concurrent events. Interrupt handlers are some methods of handler objects and allowed to work at application level via the IPC primitives. For example, when a page fault occurs on an i386 machine, the Interrupt Dispatcher extracts the fault reason and the page number from the error code, and uses them as parameters to issue a method call to the handler object.
• Processor Devices include the address space (execution domain) manager, the page manager, and the I/O permission manager, or other processor-specific capabilities in future. The address space manager is responsible for managing creation and destruction of address spaces. The page manager is responsible for managing pages in execution domains. Every execution domain is allowed to have a private pager, as Figure 1 shows. The system will forward page faults occurring in the execution domain to the private pager, which calls methods of the page manger to establish its own memory mapping.
• Critical Devices include the DMA device and the keyboard device. A text display device is included in current implementation for dumping trace information. In future, third-party hardware vendors are allowed to put their device drivers into this domain if these drivers are too performance-sensitive to tolerate the overhead of IPC primitives.
• The user-level HAL/IPC module is loaded by the system at start time. This module provides I/O primitive for supporting application-level device drivers, and IPC primitives for supporting inter-domain invocation between user-level execution domains and user-level execution domains, or between Processor Domain and user-level execution domains. In practice, this module is coupled with the kernel-level HAL/IPC module for maintaining some kernel-user sharing data structures. These data structures help the user-level thread library cooperate with the system for supporting synchronization and preemption.

 

Device Domain

 

Device Domain is a container of device drivers shipped with the Rambler OS. Third-party device drivers are supposed to be put into other domains.

 

• Device drivers are loadable modules preserved in object containers or files. These modules interface between the system and the relevant hardware. Device drivers are responsible for supporting object interfaces for hardware, and so typically written in C-X or C-XX. Usually, device drivers run at application level and play a similar role of COM object server DLL. The Rambler architecture treats almost all loadable modules as drivers. In future, a Plug-and-Play Manager will be added into the current implementation for supporting hot reconfiguration of the system.
• The Object Store Component manages some drivers that support various kinds of object containers, in which long-term resources are preserved as persistent objects. Compared with files, used to preserve long-term resources in traditional operating systems, persistent objects are easy to use and capable of supporting complex data applications. In this respect, these container drivers play a role of file system drivers in traditional operating systems. Using these container drivers, the Rambler OS is built on persistent objects rather than files, and achieve an "Object File System", a concept mentioned by Cairo, the novel OS of Microsoft Corporation.
• The File System Component manages some file system drivers for keeping existing file systems accessible to the Rambler OS. A component called File Mapper, contained in Service Domain, will map files into persistent objects for easy-to-use.
• The GDI driver implements functions for graphics output devices, with functions for line, text, and figure drawing. This driver creates a GDI manager object and attaches this object to the active graphics device object. GDI implements a set of standard object interfaces through which applications communicate with graphics devices, without knowing anything about the devices.
• The GUI User Component implements the windowing system, which deal with windows, controls and drawing.

 

Service Domain

 

Service Domain is a container of services shipped with the Rambler OS. Third-party services are supposed to be put into other domains.

 

• The File Mapper Component offers uniform object access for files by mapping files into objects. With this component, applications access files through an object interface rather than a file interface. For various kinds of files, File Mapper maps them into objects belonging to various classes. For example, bitmap files will be mapped into bitmap objects or canvas objects, through which applications can directly draw figures. This feature provides an object-level representation for various kinds of files and ease access to files. Whereas, traditional operating systems associate various kinds of files with various programs and only support command-level representation.
• The VM Manager Component contains some common exception handlers for handling page faults and protection faults. The page-fault handler is the default pager in the system, and supports the default memory mapping policy for all execution domains. Applications can use their private pagers to overload the default policy and implement their own policies.
• The Image Manager Component manages various image loaders for supporting various kinds of executable images. Using this component, third-party image loaders are allowed to be registered into the system and enable the Rambler OS to support third-party image formats. When an executable image is loaded, Image Manager enumerates all registered image loaders and requests loader to load the requested image. If a loader performs the loading successful, Image Manager will map this loaded module into the corresponding address space.