The term computing device as used herein is to be expansively construed to cover any form of electrical device and includes, data recording devices, such as digital still and movie cameras of any form factor, computers of any type or form, including hand held and personal computers, and communication devices of any form factor, including mobile phones, smart phones, communicators which combine communications, image recording and/or playback, and computing functionality within a single device, and other forms of wireless and wired information devices.
Most computing devices are programmed to operate under the control of an operating system (OS). The operating system controls the computing device by way of a series of instructions, in the form of code, fed to a central processing unit of the computing device. These instructions can be regarded as a series of quasi-autonomous fundamental units of execution which are scheduled by the operating system. These fundamental units of execution are, respectively, known as threads and a process to be carried out in the computing device will invariably include one or more threads. A typical operating system will schedule many different threads in order to control the wide variety of tasks to be carried out by the computing device.
The operating system can be regarded as being made up of a number of components and some of these components have a more privileged access to the hardware resources of the computing device than other components. The components having more privileged access are known as privileged components. One or more of these privileged components form what is commonly known as the kernel of the operating system.
OS kernels typically provide those core services on which all the other portions of the operating system itself, together with all applications running on the platform, have to depend. Ideas concerning what constitutes those core services have been changing over time, and the consequent effects on the overall design of operating systems constitute the background to this invention.
However, it is generally acknowledged that there are two fundamental approaches to OS design, and these are frequently referred to as the ‘monolithic kernel’ approach and the ‘microkernel’ approach.
Monolithic kernels are large blocks of code which contain a relatively large proportion of the entire operating system running at the highest privilege level available. This normally includes all of the interfaces with the computing hardware. Modern monolithic kernels have introduced substantial modularity to the design of the kernel, with formal interface layers and run-time loadable kernel modules mitigating the problems of portability, upgradeability and memory usage traditionally associated with such designs. However, the key feature of a very large block of code with substantial functionality running at high privilege level (in what is known as kernel mode) is retained in all the main commercial operating systems which are based on monolithic kernels, including Windows™ from Microsoft and most versions of Linux.
In contrast, the microkernel approach is significantly different to that of the monolithic kernel. The operating services provided are minimised, and typically reduced to ensuring the integrity of processes and address spaces, together with scheduling, synchronization, and interprocess communications. All other operating system services, often including memory management, are provided as loadable modules. But, the critical difference from the monolithic kernel approach is that these other services are not loaded into the kernel memory space and then run in kernel mode, but are instead implemented as servers which are loaded into their own individual memory spaces and run at a lesser privilege level, in what is known as user mode.
FIG. 1 illustrates the key difference between the two architectural paradigms described above. In this regard, FIG. 1 illustrates an example layered monolithic kernel design 102 and an example microkernel design 104, in which the key difference between the two architectural paradigms may be seen.
While early microkernel based operating systems tended to be academic (for instance, the Mach kernel developed at Carnegie-Mellon University), the minimalism and the consequent predictability of microkernel designs have, since the mid-1990s, made them standard for real-time and embedded operating systems. Wind River, QNX, OSE and Mentor Graphics all utilise elements of microkernel designs in their real-time operating systems (RTOSs). More recently, the Mach kernel itself has been integrated into the open-source Darwin XNU kernel which lies at the foundation of Apple's Mac OS X, and Mach is also the basis for the Hurd kernel which the Gnu project have developed as a replacement for standard monolithic Unix/Linux kernels.
As well as their deterministic characteristics, microkernel architectures can also bring advantages in flexibility, extensibility, security and reliability over monolithic kernels.
However, there are also disadvantages. Since a microkernel has to mediate all communication between user mode processes which in a monolithic kernel would have shared the same address space and been able to call directly into each others application program interfaces (APIs), there is a greater frequency of context switching. Depending on the hardware and the memory architecture of the host system, this can result in poorer performance when compared to monolithic kernels.
It is possible to extend the techniques used in developing microkernel designs to the lowest level of the microkernels themselves. This has in fact been done, and is the basis of so-called nanokernel architectures. Arguably, a nanokernel doesn't represent a new departure in OS design methodology, as it is nothing more than a highly minimalist microkernel. Indeed, much of the academic literature on minimising microkernels is highly applicable to nanokernel design. See, for example, section 2 of the article “On μ-Kernel Construction” by Jochen Liedtke, Proceedings of 15th ACM Symposium on Operating System Principles, December 1995.
However, the more primitive the microkernel becomes, the less its role as an integral part of an operating system. This is because it becomes possible to run a variety of discrete operating system personalities, which can all be implemented above the nanokernel. The potential for this development was recognised early on in microkernel development. For an example, see “The KeyKOS Nanokernel Architecture” by Bomberger et al, Proceedings of the USENIX Workshop on Micro-Kernels and Other Kernel Architectures, USENIX Association, April 1992, which describes a nanokernel whose requirements included the ability to run multiple instantiations of several operating systems on a single hardware system.
This possibility is not just theoretical; a version of Jochen Liedtke's L4 microkernel is able to run Linux alongside other tasks. For example, a microkernel with real-time capabilities running on the ×86 and ARM platforms, known as Fiasco and which is compatible with the L4 microkernel, has been demonstrated to run L4Linux, a port of the Linux kernel to the L4 interface which executes completely in user mode, with a DOpE real-time windowing environment running on top of the microkernel, with an instance of L4Linux running in one of the windows.
There are, however, deficiencies with the current technology. The fact that microkernels underpin the entire operating system makes a robust and efficient design highly important. In particular, the microkernel's role in scheduling processes and tasks is critically important for the functioning of the operating system as a whole; it simply cannot be allowed to fail. Such scheduling is not trivial, particularly where a real-time operating system (RTOS) is concerned. RTOSs have to be able to make firm guarantees about response times to particular events. One of the key mechanisms enabling an RTOS to make such guarantees is a priority mechanism which ranks particular tasks in order of real-time criticality, and schedules the most important tasks ahead of less important ones.
A well-known problem with priority mechanisms in multi-tasking operating systems is the phenomenon of priority inversion, where a low-priority task holds a lock (known as a mutual exclusion object, or mutex) on a resource which is needed by a high-priority task. Unless steps are taken to anticipate this situation, the task scheduling algorithm will always try to run the higher priority task ahead of the lower priority one, with the result that the resource lock never gets released, and the higher priority task therefore becomes blocked.
The solution to the problem of priority inversion is priority inheritance, which means that the priority of a task that has a lock on a resource is always boosted to a level at or above that of the highest priority task waiting on that resource. However, traditional methods of priority inheritance can be computationally expensive to implement, and consequently force the operating system designer to trade off robustness against performance.
In at least one well-known case, the 1997 Mars Pathfinder mission, the decision was made on performance grounds not to use priority inheritance. In “What the Media Couldn't Tell You About MarsPathfinder” Robot Science & Technology Issue 1, 1998, Tom Durkin writes:
“In order to prevent communications conflicts, V×Works synchronized access to the bus with mutual exclusion software locks. However, very infrequently, an interrupt was sent to the bus that caused a medium-priority communications task to be scheduled during the split-second interval when a high-priority thread was blocked while waiting for a low-priority meteorological data thread to run . . . the long-running, medium-priority communications task—having a higher priority than the low-priority meteorological task—would prevent the meteorological task from running . . . this scenario is a classic case of priority inversion. Wind River had deliberately turned off the priority inheritance option before launch to optimize the performance of V×Works” A deficiency of many current microkernel designs is that they feature separate and computationally expensive priority inheritance mechanisms. Hence, turning them off to boost operating system performance is always going to be a temptation. An architecture which provides automatic priority inheritance without any performance penalty is therefore preferable to existing designs, since it would not force robustness and performance to be traded off against each other. This is especially true where the nanokernel is used to host one or more operating systems, since any unreliability in the nanokernel translates directly into unreliability in the operating system as a whole.