Paper Evaluations: 04-18-2000

Tue, 18 Apr 2000 02:21:39 -0700 (PDT)

Title: "Pilot: An Operating System for a Personal Computer"

The paper describes the Pilot operating system for personal computers.
Pilot is a single-user, single-address space, and single-language
system. The language, called Mesa, was used to implement the operating
system and also is used to develop applications which run on the top
of Pilot. The protection provided by Pilot is based on the
type-checking of the Mesa language and also on file capabilities. The
file capabilities, however, is just a defensive protection against

In the Pilot, the only way to reference files in the backing store is
mapping them to virtual memory. One advantage of this approach is the
possibility of reducing the number of disk transfers by using the
"advice-taking" mechanism provided. Another important feature of the
virtual memory is the use of space entities. Processes request regions
of virtual memory, and each region is referred as a space. Each space
can be further divided into subspaces, creating a hierarchy. For
swapping, the lowest level is always used.

The communication with I/O devices is accomplished by using the
streams mechanism. In this mechanism, filters can be bound to other
filters, and the chain of filters can be bound to a "transducer",
which communicate to a I/O device through a device driver.

In terms of process communication, Pilot provides the abstraction of
socket. Using sockets, two or more processes can communicate in the
same machine or in different machines connected by a network. It is
assumed on the design that all the nodes in the network run the Pilot
system, including the router.

One interesting design characteristic, is the manager/kernel
pattern. Using this pattern, a given facility implements the kernel
level, which provides the core functions, and the manager level, which
extends the kernel functions. The virtual memory and the file systems
are implemented using this approach. One important utility is the
scavenger, which can repair a file system damaged by checking
the file information in each page.

The Pilot system presents several interesting ideas. The protection
based on type-checking seems to work well if a single-user system is
assumed. The restriction of a single language, however, constrains the
use of the system. Nowadays, the programming languages usually depend
on the application being developed. In terms of process
communication, the system is flexible. Nevertheless, it seems that the
kind of protection provided is not enough for machines interconnected
by a network.


Title: "Sharing and Protection in a Single Address Space Operating

The Opal operating system described in the paper assumes a single
address space. One important advantage of this approach is the
reduction of communication overhead for components, which need to
share information. It is possible to share some region to exchange
information instead of communicating using pipes or other process
communication mechanism. In this system, the protection is decoupled
from the address spaces, and is enforced by protection domains. A
protection domain is an execution context for threads, restricting
their access to a set of segments at a particular time. An execution
in a different protection domain is allowed if entry points called
portals are defined. The portals are accessed via RPC calls.

In order to control the access to protection domains and segments,
each one of those resources is named by a capability. Given a segment
capability, a thread can attach that segment to its domain and detach
when the segment is no more necessary. Using a counter for each
segment, a mechanism of resource management based on resource groups
and reference objects control: the use of the segment and also when no
thread is explicitly referencing the segment.

Another important feature of the system is the possibility of persistence
and distribution. Data structures can be made not only persistent, but
also they can be manipulated over a small LAN cluster. In a distributed,
persistent, single-address space system, network nodes can exchange
directly through messages.

An interesting section of the paper discusses the tradeoffs between
single and multiple address spaces. A disadvantage of the single
address space approach that segments cannot grow. Also, segments
created at different times will not be contiguous in the address
space. On the other hand, Opal avoid the complexity and inefficiency
of the Unix FORK, providing the same functionalities. Another
disadvantage of a single-address space is the impossibility of
providing copy-on-write, because there is only one naming
context. Alternatively, copy-on-reference can be used.

The section preceding the conclusions relates the system features to
previous works. Several ideas were used from systems as Multics,
Pilot, Hydra, Monads, etc. Particularly, the Pilot system supports a
single-address space and includes a mapped file system. The Opal
system, different from the Pilot, can support multiple safe and unsafe

When the persistence and distribution features are considered, the
system is restricted to a small LAN cluster. It happens because the
approach is not scalable. In order to evaluate the system, a prototype
using Opal is presented. The results highlight the advantage of Opal
in terms of component communication.

-Flavio Junqueira.

Flavio Paiva Junqueira, PhD Student
Department of Computer Science and Engineering
University of California, San Diego

Office location: AP&M 4349 e-mail: