V22.0202: Operating Systems
1999-2000 Spring
Mon Wed 2-3:13
Ciww 109

Allan Gottlieb
gottlieb@nyu.edu
http://allan.ultra.nyu.edu/~gottlieb
715 Broadway, Room 1001
212-998-3344
609-951-2707
email is best

Administrivia

Web Pages

There is a web page for the course. You can find it from my home page.

Can find these notes there. Let me know if you can't find it.
They will be updated as bugs are found.
Will also have each lecture available as a separate page. I will produce the page after the lecture is given. These individual pages might not get updated.

Textbook

Text is Tanenbaum, "Modern Operating Systems".

Available in bookstore.
We will do part 1, starting with chapter 1.

A Grade of ``Incomplete''

It is university policy that a student's request for an incomplete be granted only in exceptional circumstances and only if applied for in advance. Of course the application must be before the final exam.

Computer Accounts and majordomo mailing list

You are entitled to a computer account, get it.
Sign up for majordomo mailing list for the course. But I use the web more. If you want to send mail to me, use gottlieb@nyu.edu not the mailing list.
You may do assignments on any system you wish, but ...
- You are responsible for the machine. I extend deadlines if the nyu machines are down, not if yours are.
- Be sure to upload your assignments to the nyu systems.
  - If somehow your assignment is misplaced by me or a grader, we need a to have a copy ON AN NYU SYSTEM that can be used to verify the date the lab was completed.
  - When you complete a lab (and have it on an nyu system), do not edit those files. Indeed, put the lab in a separate directory and keep out of the directory. You do not want to alter the dates.

Homework and Labs

I make a distinction between homework and labs.

Labs are

Required
Due several lectures later (date given on assignment)
Graded and form part of your final grade
Penalized for lateness

Homeworks are

Optional
Due the beginning of Next lecture
Not accepted late
Mostly from the book
Collected and returned
Can help, but not hurt, your grade

Upper left board for assignments and announcements.

Homework: Read Chapter 1 (Introduction)

Chapter 1. Introduction

Levels of abstraction (virtual machines)

Software (and hardware, but that is not this course) is done in layers.
The higher layers use the facilities provided by lower layers.
Alternatively said, the upper layers are written using a more powerful and more abstract virtual machine than the lower layers.
Alternatively said, each layer is written as though it runs a the virtual machine supplied by the lower layer and provides a more abstract (pleasent) virtual machine for the higher layer to run on.
Using a broad brush, the layers are.
1. Scripts (e.g. shell scripts)
2. Applications and utilities
3. Libraries
4. The OS proper (the kernel)
5. Hardware
The kernel itself is itself normally layered, e.g.
1. ...
2. Filesystems
3. Machine independent I/O
4. Machine dependent device drivers
The machine independent part is written assuming "virtual (i.e. idealized) hardware". Simply read a block from a "disk". But in reality one must deal with the specific disk controller.
Often the machine independent part is more than one layer.
The term OS is not well defined. Is it just the kernel? How about the libraries? The utilities? All these are certainly system software but not clear how much is part of the OS.

1.1: What is an operating system?

The kernel itself raises the level of abstraction and hides details. Can write to a file (a concept not present in hardware) and ignore whether it is a floppy or hard disk.

The kernel is a resource manager (so users don't conflict).

How is an OS fundamentally different from a compiler (say)?

Answer: Concurrency! Per Brinch Hansen in Operating Systems Principles (Prentice Hall, 1973) writes.

The main difficulty of multiprogramming is that concurrent activities can interact in a time-dependent manner, which makes it practically impossibly to locate programming errors by systematic testing. Perhaps, more than anything else, this explains the difficulty of making operating systems reliable.

1.2 History of Operating Systems

Single user (no OS)
Batch, uniprogrammed, run to completion
Multiprogrammed
- Overlap CPU and I/O
- Multiple batches
  - IBM OS/MFT
  - IBM OS/MVT (then other names)
  - MVT is a more ``efficient'' user of resources but is more difficult.
  - When we study memory management, we will see that with varying size partitions questions like compaction and ``holes'' arise.
- Time sharing
  - This is multiprogramming with rapid switching.
  - We will study scheduling when we do processor management
Multiple computers
- Multiprocessors: Almost from the beginning of the computer age but now are not exotic.
- Network OS: Make use of the multiple PCs/workstations on a LAN.
- Distributed OS: A ``seamless'' version of above
Real time systems
- Often in embedded systems
- Soft vs hard real time. In the latter missing a deadline is a fatal error--sometimes literally.

Homework:1, 2, 5 (unless otherwise stated, problems numbers are from the end of the chapter in Tanenbaum.)

1.3: Operating System Concepts

This will be brief. Much of the rest of the course will consist in ``filling in the details''.

1.3.1: Processes

A program in execution.

Often one distinguishes the state or context (memory image, open file) from the thread of control. Then if one has many threads running in the same task, the result is a ``multithreaded processes''.

The OS keeps information about all processes in the process table. Indeed, the OS views the process as the entry. An example of an active entity being viewed as a data structure (cf. discrete event simulations).

The set of processes forms a tree via the fork system call. The forker is the parent of the forkee.

A signal can be sent to a process to cause it to execute a predefined function (the signal handler). This can be tricky to program since the programmer does not know when in his ``main'' program the signal handler will be invoked.

================ Start Lecture #2 ================

1.3.2: Files

Modern systems have a hierarchy of files. A file system tree.

In MSDOS the hierarchy is a forest not a tree. There is no file, or directory that is an ancestor if both a:\ and c:\.
In unix the existence of symbolic links weakens the tree to a DAG

Files and directories normally have permissions

Normally have at least rwx.
User, group, world
More general is access control lists
Often files have ``attributes'' as well. For example the linux ext2 filesystem supports a ``d'' attribute that is a hint to the dump program not to dump this file.
When a file is opened, permissions are checked and, if the open is permitted, a file descriptor is returned that is used for subsequent operations

Devices (mouse, tape drive, cdrom) are often view as ``special files''. In a unix system these are normally found in the /dev directory. Some utilities that are normally applied to (ordinary) files can as well be applied to some special files. For example, when you are accessing a unix system and do not have anything serious going on (e.g., right after you log in), type the following command

    cat /dev/mouse

and then move the mouse. You kill the cat by typing cntl-C. I tried this on my linux box and no damage occurred. Your mileage may vary.

Many systems have standard files that are automatically made available to a process upon startup. There (initial) file descriptors are fixed

standard input: fd=0
standard output: fd=1
standard error: fd=2

A convenience offered by some command interpretors is a pipe. The pipeline

  ls | wc

will give the number of files in the directory (plus other info).

Homework: 3

1.3.3: System Calls

System calls are the way a user (i.e. program) directly interfaces with the OS. Some textbooks use the term envelope for the component of the OS responsible for fielding system calls and dispatching them. Here is a picture showing some of the components and the external events for which they are the interface.

What happens when a user writes a function call such as read()?

Normal function call (in C, ada, etc.)
Library routine (in C)
Small assembler routine
1. Move arguments to predefined place (perhaps registers)
2. Poof (a trap instruction) and then the OS proper runs in supervisor mode
3. Fixup result (move to correct place)

Homework: 6

1.3.4: The shell

Assumed knowledge

Homework: 9.

1.4: OS Structure

I must note that tanenbaum is a big advocate of the so called microkernel approach in which as much as possible is moved out of the (protected) microkernel into usermode components.

In the early 90s this was popular. Digital Unix and windows NT were examples. Digital unix was based on Mach, a research OS from carnegie mellon university. Lately, the growing popularity of linux has called this into question.

1.4.1: Monolithic approach

The previous picture: one big program

The system switches from user mode to kernel mode during the poof and then back when the OS does a ``return''.

But of course we can structure the system better, which brings us to.

1.4.2: Layered Systems

Some systems have more layers and are more strictly structured.

An early layered system was ``THE'' operating system by Dijkstra. The layers were.

The operator
User programs
I/O mgt
Operator-process communication
Memory and drum management

The layering was done by convention, i.e. there was no enforcement by hardware and the entire OS is linked together as one program. This is true of many modern OS systems as well (e.g., linux).

The multics system was layered in a more formal manner. The hardware provided several protection layers and the OS used them. That is, arbitrary code could not jump to or access data in a more protected layer.

1.4.4: Virtual machines

Use a ``hypervisor'' (beyond supervisor) to switch between multiple Operating Systems

Each App/CMS runs on a virtual 370
CMS is a single user OS
A system call in an App traps to the corresponding CMS
CMS believes it is running on the machine so issues I/O instructions but ...
I/O instructions in CMS trap to VM/370

14.4: Client Server

When implemented on one computer, a client server OS is the microkernel approach in which the microkernel just supplies interprocess communication and the main OS functions are provided by a number of usermode processes.

This does have advantages. For example an error in the file server cannot corrupt memory in the process server. This makes errors easier to track down.

But it does mean that when a (real) user process makes a system call there are more switches from user to kernel mode and back. These are not free.

A distributed system can be thought of as an extension of the client server concept where the servers are remote.

Homework: 11

================ Start Lecture #3 ================

Interlude on Linkers

Originally called linkage editors by IBM.

This is an example of a utility program included with an operating system distribution. Like a compiler, it is not part of the operating system per se, i.e. it does not run in supervisor mode. Unlike a compiler it is OS dependent (what object/load file format is used) and is not (normally) language dependent.

What does a Linker Do?

Link of course.

When the assembler has finished it produces an object module that is almost runnable. There are two primary problems that must be solved for the object module to be runnable. Both are involved with linking (that word, again) together multiple object modules.

Relocating relative addresses.
- Each module (mistakenly) believes it will be loaded at location zero (or some other fixed location). We will use zero.
- So when there is an internal jump in the program, say jump to location 100, this means jump to location 100 of the current module.
- To convert this relative address to an absolute address, the linker adds the base address of the module to the relative address. The base address is the address at which this module will be loaded.
- Example: Module A is to be loaded starting at location 2300 and contains the instruction
  jump 120
  The linker changes this instruction to
  jump 2420
- How does the linker know that Module A is to be loaded starting at location 2300?
- It processes the modules one at a time. The first module is to be loaded at location zero. So the relocating is trivial (adding zero). We say the relocation constant is zero.
- When finished with the first module (say M1), the linker knows the length of M1 (say that length is L1).
- Hence the next module is to be loaded starting at L1, i.e., the relocation constant is L1.
- In general the linker keeps track of the sum of the lengths of all the modules it has already processed and this is the location at which the next module is to be loaded.
Resolving external references.
- If a C (or Pascal) program contains a function call
  f(x)
  to a function f() that is compiled separately, the resulting object module will contain some kind of jump to the beginning of f.
- But this is impossible!
- When the C program is compiled. the compiler (and assembler) does not know the location of f() so there is no way it can supply the starting address.
- Instead a dummy address is supplied and a notation made that this address needs to be filled in with the location of f(). This is called a use of f.
- The object module containing the definition of f() indicates that f is being defined and gives its relative address (which the linker will convert to an absolute address). This is called a definition of f.

The output of a linker is called a load module because it is now ready to be loaded and run.

To see how a linker works lets consider the following example, which is the first dataset from lab #1. The description in lab1 is more detailed.

The target machine is word addressable and has a memory of 1000 words, each consisting of 4 decimal digits. The first (leftmost) digit is the opcode and the remaining three digits form an address.

Each object module contains three parts, a definition list, a use list, and the program text itself. Each definition is a pair (sym, loc). Each use is a pair (sym, loc). The address in loc points to the next use or is 999 to end the chain.

For those text entries that do not form part of a use chain a fifth (leftmost) digit is added. If it is 8, the address in the word is relocatable. If it is 0 (and hence omitted), the address is absolute.

Sample input
1 xy 2
1 z 4
5 81234 5678 2999 88888 7002
0
1 z 3
6 88888 1999 1001 3002 81002 1234
0
1 z 1
2 81234 4999
1 z 2
1 xy 2
3 8000 1999 2001

I will illustrate a two-pass approach: The first pass simply produces the symbol table giving the values for xy and z (2 and 15 respectively). The second pass does the real work (using the values in the symbol table).

It is faster (less I/O) to do a one pass approach, but is harder since you need ``fix-up code'' whenever a use occurs in a module that precedes the module with the definition.

xy=2
z=15

+0
0:      81234           1234+0=1234
1:       5678           5678
2: xy:   2999   ->z     2015
3:      88888           8888+0=8888
4: ->z   7002           7015
+5
0       88888           8888+5=8893
1        1999   ->z     1015
2        1001   ->z     1015
3 ->z    3002           3015
4       81002           1002+5=1007
5        1234           1234
+11
0       81234           1245
1 ->z    4999           4015
+13
0        8000           8000
1        1999   ->xy    1002    
2 z:->xy 2001           2002

The linker on unix is mistakenly called ld (for loader), which is unfortunate since it links but does not load.

Lab #1 Implement a linker. The specific assignment is detailed on the sheet handed out in in class and is due in three weeks 16 February. The content of the handout is available on the web as well (see the class home page).

End of Interlude on Linkers

Chapter 2: Process Management

Tanenbaum's chapter title is ``processes''. I prefer process management. The subject matter is processes, process scheduling, interrupt handling, and IPC (Interprocess communication--and coordination).

2.1: Processes

Definition: A process is a program in execution.

We are assuming a multiprogramming OS that automatically switches from one process to another. Sometimes this is called pseudoparallelism since one has the illusion of a parallel processor. The other possibility is real parallelism in which two or more processes are actually running at once because the computer system is a parallel processor, i.e., has more than one processor. We do not study real parallelism (parallel processing, distributed systems, multiprocessors, etc) in this course.

================ Start Lecture #4 ================

3.1.1: The Process Model

Even though in actuality there are many processes running at once, the OS gives each process the illusion that it is running alone.

Virtual time: The time used by just this processes. Virtual time progresses at a rate independent of other processes. Actually, this is false, the virtual time is typically incremented a little during systems calls used for process switching; so if there are more other processors more ``overhead'' virtual time occurs.
Virtual memory: The memory as viewed by the process. Each process typically believes it has a contiguous chunk of memory starting at location zero. Of course this can't be true of all processes (or they would be using the same memory) and in modern systems it is actually true of no processes (the memory assigned is not contiguous and does not include location zero).

Virtual time and virtual memory are examples of abstractions provided by the operating system to the user processes so that the latter ``sees'' a more pleasant virtual machine than actually exists.

Process Hierarchies

Modern general purpose operating systems permit a user to create and destroy processes. In unix this is done by the fork system call, which creates a child process, and the exit system call, which terminates the current process. After a fork both parent and child keep running (indeed they have the same program text) and each can fork off other processes. A process tree results. The root of the tree is a special process created by the OS during startup.

MS-DOS is not multiprogrammed so when one process starts another, the first process is blocked and waits until the second is finished.

Process states and transitions

The above diagram contains a great deal of information.

Consider a running process P that issues an I/O request
- The process blocks
- At some later point, a disk interrupt occurs and the driver detects that P's request is satisfied.
- P is unblocked, i.e. is moved from blocked to ready
- At some later time the processor looks for a ready job to run and picks P
A preemptive scheduler has the dotted line preempt;
A non-preemptive scheduler doesn't
The number of processes changes only for two arcs: create and terminate
Suspend and resume are medium term scheduling
- Done on a larger time scale
- Involves memory management as well
- Sometimes called two level scheduling

One can organize an OS around the scheduler.

Write a minimal ``kernel'' consisting of the scheduler, interrupt handlers, and IPC (interprocess communication)
The rest of the OS consists of kernel processes (e.g. memory, filesystem) that act as servers for the user processes (which of course act as clients.
The system processes also act as clients (of other system processes).
Called a client server organization

The above is called the client-server model and is one Tanenbaum likes. His ``Minix'' operating system works this way. Indeed, there was reason to believe that it would dominate. But that hasn't happened. Such an OS is sometimes called server based. Systems like traditional unix or linux would then be called self-service since the user process serves itself. That is, the user process switches to kernel mode and performs the system call. To repeat: the same process changes back and forth from/to user<-->system mode and services itself.

2.1.3: Implementation of Processes

The OS organizes the data about each process in a table naturally called the process table. Each entry in this table is called a process table entry or PTE.

One entry per process
The central data structure for process management
A process state transition (e.g., moving from blocked to ready) is reflected by a change in the value of one or more fields in the PTE
We have converted an active entity (process) into a data structure (PTE). Finkel calls this the level principle ``an active entity becomes a data structure when looked at from a lower level''.
The PTE contains a great deal of information about the process. For example,
- Saved value of registers when process not running
- Stack pointer
- CPU time used
- Process id (PID)
- Process id of parent (PPID)
- User id (uid and euid)
- Group id (gid and egid)
- Pointer to text segment (memory for the program text)
- Pointer to data segment
- Pointer to stack segment
- UMASK (default permissions for new files)
- Current working directory
- Many others

An aside on Interrupts

In a well defined location in memory (specified by the hardware) the OS store an interrupt vector, which contains the address of the (first level) interrupt handler.

Tanenbaum calls the interrupt handler the interrupt service routine.
Actually one can have different priorities of interrupts and the interrupt vector contains one pointer for each level. This is why it is called a vector.

Assume a process P is running and a disk interrupt occurs for the completion of a disk read previously issued by process Q, which is currently blocked. Note that interrupts are unlikely to be for the currently running process.

The hardware stacks the program counter etc (possibly some registers)
Hardware loads new program counter from the interrupt vector.
- Loading the program counter causes a jump
- Steps 1 and 2 are similar to a procedure call. But the interrupt is asynchronous
Assembly language routine saves registers
Assembly routine sets up new stack
- These last two steps can be called setting up the C environment
Assembly routine calls C procedure (tanenbaum forgot this one)
C procedure does the real work
- Determines what caused the interrupt (in this case a disk completed an I/O)
  - How does it figure out the cause?
    - Which priority interrupt was activated.
    - The controller can write data in memory before the interrupt
    - The OS can read registers in the controller
- Mark process Q as ready to run.
  - That is move Q to the ready list (note that again we are viewing Q as a data structure).
  - The state of Q is now ready (it was blocked before).
  - The code that Q needs to run initially is likely to be OS code. For example, Q probably needs to copy the data just read from a kernel buffer into user space.
- Now we have at least two processes ready to run: P and Q
- The scheduler decides which process to run (P or Q or something else). Lets assume that the decision is to run P.
The C procedure (that did the real work in the interrupt processing) continues and returns to the assembly code.
Assembly language restores P's state (e.g., registers) and starts P at the point it was when the interrupt occurred.

2.2: Interprocess Communication (IPC) and Process Coordination and Synchronization

2.2.1: Race Conditions

A race condition occurs when two processes can interact and the outcome depends on the order in which the processes execute.

Imagine two processes both accessing x, which is initially 10.
- One process is to execute x <-- x+1
- The other is to execute x <-- x-1
- When both are finished x should be 10
- But we might get 9 and might get 11!
- Show how this can happen (x <-- x+1 is not atomic)
- Tanenbaum shows how this can lead to disaster for a printer spooler

Homework: 2

2.2.2: Critical sections

We must prevent interleaving sections of code that need to be atomic with respect to each other. That is, the conflicting sections need mutual exclusion. If process A is executing its critical section, it excludes process B from executing its critical section. Conversely if process B is executing is critical section, it excludes process A from executing its critical section.

Goals for a critical section implementation.

No two processes may be simultaneously inside their critical section
No assumption may be made about the speeds or the number of CPUs
No process outside its critical section may block other processes
No process should have to wait forever to enter its critical section
- I do NOT make this last requirement.
- I just require that the system as a whole make progress (so not all processes are blocked)
- I refer to solutions that do not satisfy tanenbaum's last condition as unfair, but nonetheless correct, solutions
- Stronger fairness conditions can also be defined

2.2.3 Mutual exclusion with busy waiting

The operating system can choose not to preempt itself. That is, no preemption for system processes (if the OS is client server) or for processes running in system mode (if the OS is self service). Forbidding preemption for system processes would prevent the problem above where x<--x+1 not being atomic crashed the printer spooler if the spooler is part of the OS.

But this is not adequate

Does not work for user programs. So the Unix printer spooler would not be helped.
Does not prevent conflicts between the main line OS and interrupt handlers
- This conflict could be prevented by blocking interrupts while the mail line is in its critical section.
- Indeed, blocking interrupts is often done for exactly this reason.
- Do not want to block interrupts for too long or the system will seem unresponsive
Does not work if the system has several processors
- Both main lines can conflict
- One processor cannot block interrupts on the other

Software solutions for two processes

Initially P1wants=P2wants=false

Code for P1                             Code for P2

Loop forever {                          Loop forever {
    P1wants <-- true         ENTRY          P2wants <-- true
    while (P2wants) {}       ENTRY          while (P1wants) {}
    critical-section                        critical-section
    P1wants <-- false        EXIT           P2wants <-- false
    non-critical-section }                  non-critical-section }

Explain why this works.

But it is wrong! Why?

================ Start Lecture #5 ================

Let's try again. The trouble was that setting want before the loop permitted us to get stuck. We had them in the wrong order!

Initially P1wants=P2wants=false

Code for P1                             Code for P2

Loop forever {                          Loop forever {
    while (P2wants) {}       ENTRY          while (P1wants) {}
    P1wants <-- true         ENTRY          P2wants <-- true
    critical-section                        critical-section
    P1wants <-- false        EXIT           P2wants <-- false
    non-critical-section }                  non-critical-section }

Explain why this works.

But it is wrong again! Why?

So let's be polite and really take turns. None of this wanting stuff.

Initially turn=1

Code for P1                      Code for P2

Loop forever {                   Loop forever {
    while (turn = 2) {}              while (turn = 1) {}
    critical-section                 critical-section
    turn <-- 2                       turn <-- 1
    non-critical-section }           non-critical-section }

This one forces alternation, so is not general enough. Specifically, it does not satisfy condition three, which requires that no process in its non-critical section can stop another process from entering its critical section. With alternation, if one process is in its non-critical section (NCS) then the other can enter the CS once but not again.

In fact, it took years (way back when) to find a correct solution. Many earlier ``solutions'' were found and several were published, but all were wrong The first true solution was found by dekker. It is very clever, but I am skipping it (I cover it when I teach OS II). Subsequently, algorithms with better fairness properties were found (e.g. no task has to wait for another task to enter the CS twice).

What follows is Peterson's solution. When it was published, it was a surprise to see such a simple soluntion. In fact Peterson gave a solution for any number of processes. A proof that the algorithm satisfies our properties (including a strong fairness condition) can be found in Operating Systems Review Jan 1990, pp. 18-22.

Initially P1wants=P2wants=false  and  turn=1

Code for P1                        Code for P2

Loop forever {                     Loop forever {
    P1wants <-- true                   P2wants <-- true
    turn <-- 2                         turn <-- 1
    while (P2wants and turn=2) {}      while (P1wants and turn=1) {}
    critical-section                   critical-section
    P1wants <-- false                  P2wants <-- false
    non-critical-section               non-critical-section

Hardware assist (test and set)

TAS(b) where b is a binary variable ATOMICALLY sets b<--true and returns the OLD value of b. Of course it would be silly to return the new value of b since we know the new value is true

Now implementing a critical section for any number of processes is trivial.

loop forever {
    while (TAS(s)) {}   ENTRY
    CS
    s<--false           EXIT
    NCS

P and V and Semaphores

Note: Tanenbaum does both busy waiting (like above) and blocking (process switching) solutions. We will only do busy waiting.

Homework: 3

The entry code is often called P and the exit code V (tanenbaum only uses P and V for blocking, but we use it for busy waiting). So the critical section problem is to write P and V so that

loop forever
    P
    critical-section
    V
    non-critical-section

satisfies

Mutual exclusion
No speed assumptions
No blocking by processes in NCS
Forward progress (my weakened version of tanenbaum's last condition

Note that I use indenting carefully and hence do not need (and sometimes omit) the braces {}

A binary semaphore abstracts the TAS solution we gave for the critical section problem.

A binary semaphore S takes on two possible values ``open'' and ``closed''
Two operations are supported

P(S) is

    while (S=closed) {}
    S<--closed     <== This is NOT the body of the while

where finding S=open and setting S<--closed is atomic

That is, wait until the gate is open, then run through and atomically close the gate
Said another way, it is not possible for two processes doing P(S) simultaneously to both see S=open (unless a V(S) is also simultaneous with both of them).
V(S) is simply S<--open

The above code is not real, i.e., it is not an implementation of P. It is, instead, a definition of the effect P is to have.

To repeat: for any number of processes, the critical section problem can be solved by

loop forever
    P(S)
    CS
    V(S)
    NCS

The only specific solution we have seen for an arbitrary number of processes is the one just above with P(S) and V(S) implemented via test and set.

Remark: Peterson's solution requires each process to know its processor number. The TAS soluton does not.

To solve other coordination problems we want to extend binary semaphores.

With binary semaphores, two consecutive Vs do not permit two subsequent Ps to succeed (the gate cannot be doubly opened).
We might want to limit the number of processes in the section to 3 or 4, not always just 1.

The solution to both of these shortcomings is to remove the restriction to a binary variable and define a generalized or counting semaphore.

A counting semaphore S takes on non-negative integer values
Two operations are supported
P(S) is
```
    while (S=0)
    S--
```
where finding S>0 and decrementing S is atomic
That is, wait until the gate is open (positive), then run through and atomically close the gate one unit
Said another way, it is not possible for two processes doing P(S) simultaneously to both see the same positive value of S unless a V(S) is also simultaneous.
V(S) is simply S++

These counting semaphores can solve what I call the semi-critical-section problem, where you premit up to k processes in the section. When k=1 we have the original critical-section problem.

initially S=k

loop forever
    P(S)
    SCS   <== semi-critical-section
    V(S)
    NCS

Producer-consumer problem

Two classes of processes
- Producers, which produce times and insert them into a buffer
- Consumers, which remove items and consume them
What if the producer encounters a full buffer?
Answer: Block it.
What if the consumer encounters an empty buffer?
Answer: Block it.
Also called the bounded buffer problem.
- Another example of active entities being replaced by a data structure when viewed at a lower level (Finkel's level principle).

Initially e=k, f=0 (counting semaphore); b=open (binary semaphore)

Producer                         Consumer

loop forever                     loop forever
    produce-item                     P(f)
    P(e)                             P(b); take item from buf; V(b)
    P(b); add item to buf; V(b)      V(e)
    V(f)                             consume-item

k is the size of the buffer
e represents the number of empty buffer slots
f represents the number of full buffer slots
We assume the buffer itself is only serially accessible. That is, only one operation at a time.
- This explains the P(b) V(b) around buffer operations
- I use ; and put three statements on one line to suggest that a buffer insertion or removal is viewed as one atomic operation.
- Of course this writing style is only a convention, the enforcement of atomicity is done by the P/V.
The P(e), V(f) motif is used to force bounded alternation. If k=1 it gives strict alternation.

================ Start Lecture #6 ================

You may use C++ for the labs.

The email address for the three e-tutors are

Robert Szarek szar9908@cs.nyu.edu
Aldo J Nunez ajn203@omicron.acf.nyu.edu
Franqueli Mendez fm201@omicron.acf.nyu.edu

Dining Philosophers

A classical problem from Dijkstra

5 philosophers sitting at a round table
Each has a plate of spaghetti
There is a fork between each two
Need two forks to eat

What algorithm do you use for access to the shared resource (the forks)?

The obvious solution (pick up right; pick up left) deadlocks
Big lock around everything serializes
Good code in the book.

The point of mentioning this without giving the solution is to give a feel of what coordination problems are like. The book gives others as well. We are skipping these (again this material would be covered in a sequel course). If you are interested look, for example, at http://allan.ultra.nyu.edu/~gottlieb/courses/1997-98-spring/os/class-notes.html

Homework: 14,15 (these have short answers but are not easy).

Readers and writers

Two classes of processes
- Readers, which can work concurrently
- Writers, which need exclusive access
Must prevent 2 writers from being concurrent
Must prevent a reader and a writer from being concurrent
Must permit readers to be concurrent when no writer is active
Perhaps want fairness (i.e. freedom from starvation)
Variants
1. Writer-priority readers/writers
2. Reader-priority readers/writers

Quite useful in multiprocessor operating systems. The ``easy way out'' is to treat all processes as writers in which case the problem reduces to mutual exclusion (P and V). The disadvantage of the easy way out is that you give up reader concurrency. Again for more information see the web page referenced above.

2.4: Process Scheduling

Scheduling the processor is often called ``process scheduling'' or simply ``scheduling''.

The objectives of a good scheduling policy include

Fairness
Efficiency
Low response time (important for interactive jobs)
Low turnaround time (important for batch jobs)
High throughput [the above are from Tanenbaum]
Repeatability. Dartmouth (DTSS) ``wasted cycles'' and limited logins for repeatability.
Fair across projects
- ``Cheating'' in unix by using multiple processes
- TOPS-10
- Fair share research project
Degrade gracefully under load

Recall the basic diagram describing process states

For now we are discussing short-term scheduling running <--> ready.

Medium term scheduling is discussed later.

Preemption

It is important to distinguish preemptive from non-preemptive scheduling algorithms.

The ``preempt'' arc in the diagram
Needs a clock interrupt (or equivalent)
Needed to guarantee fairness
Found in all modern general purpose operating systems
Without preemption, the system implements ``run to completion (or yield or block)''
Even non preemptive systems can be multiprogrammed (processes block).

Deadline scheduling

This is used for real time systems. The objective of the scheduler is to find a schedule for all the tasks (there are a fixed set of tasks) so that each meets its deadline. The run time of each task is known in advance.

Actually it is more complicated.

Periodic tasks
What if we can't schedule all task so that each meets its deadline (penalty function)?
What if the run-time is not constant but has a known probability distribution?

We do not cover deadline scheduling in this course.

The name game

There is an amazing inconsistency in naming the different (short-term) scheduling algorithms. Over the years I have used primarily 4 books: In chronological order they are Finkel, Deitel, Silberschatz, and Tanenbaum. The table just below illustrates the name game for these four books. After the table we discuss each scheduling policy in turn.

Finkel  Deitel  Silbershatz Tanenbaum
-------------------------------------
FCFS    FIFO    FCFS        --    unnamed in tanenbaum
RR      RR      RR          RR      
PS      **      PS          PS
SRR     **      SRR         **    not in tanenbaum
SPN     SJF     SJF         SJF   
PSPN    SRT     PSJF/SRTF   --    unnamed in tanenbaum
HPRN    HRN     **          **    not in tanenbaum
**      **      MLQ         **    only in silbershatz
FB      MLFQ    MLFQ        MQ

First Come First Served (FCFS, FIFO, FCFS, --)

If you ``don't'' schedule, you still have to store the PTEs somewhere. If it is a queue you get FCFS. If it is a stack (strange), you get LCFS. Perhaps you could get some sort of random policy as well.

Only FCFS is considered
The simplist scheduling policy
Non-preemptive

================ Start Lecture #7 ================

Round Robbin (RR, RR, RR, RR)

An important preemptive policy
Essentially the preemptive version of FCFS
The key parameter is the quantum size q
When a process is put into the running state a timer is set to q.
If the timer goes off and the process is still running, the OS preempts the process.
- This process is moved to the ready state (the preempt arc in the diagram), where it is placed at the rear of the ready list (a queue).
- The process at the front of the ready list is removed from the ready list and run (i.e., moves to state running).
When a process is created, it is placed at the rear of the ready list.
As q gets large, RR approaches FCFS
As q gets small, RR approaches PS (Processor Sharing, described next)
What value of q should we choose?
- Tradeoff
- Small q makes system more responsive
- Large q makes system more efficient since less switching

Homework: 9, 19, 20, 21, and the following problem
Consider the following set of processes, each of which performs no I/O (i.e., no process ever blocks). All times are in milliseconds. The CPU time is the total time required for the process. The creation time is the time when the process is created. So P1 is created when the problem begins and P2 is created 5 miliseconds later.

Process CPU Time Creation Time

P1 20 0

P2 3 3

P3 2 5

Process	CPU Time	Creation Time
P1	20	0
P2	3	3
P3	2	5

Processor Sharing (PS, **, PS, PS)

Merge the ready and running states and permit all ready jobs to be run at once. However, the processor slows down so that when n jobs are running at once each progresses at a speed 1/n as fast if it were running alone.

Clearly impossible as stated due to overhead of process switching.
Of theoretical interest (easy to analyze)
Approximated by RR when the quantum is small. Make sure you understand this last point.

Homework: 18.

Variants of Round Robbin

State dependent RR
- Same as RR but q is varied dynamically depending on the state of the system
- Favor processes holding important resources
  - For example, non-swappable memory
  - Perhaps medium term scheduling
External priorities: RR but can pay more for bigger q

Priority Scheduling

Each job is assigned a priority (externally, perhaps by charging more for higher priority) and the highest priority ready job is run.

Similar to ``External priorities'' above
If many processes with the highest priority, use RR among them.
Can easily starve processes (see aging below for fix).
Can have the priorities changed dynamically to favor processes holding important resources (similar to state dependent RR).
Many policies can be thought of as priority scheduling in which we run the job with the highest priority (with different notions of priority for different policies).

Priority aging

As a job is waiting, raise its priority so eventually it will have the maximum priority. Can apply this to many policies, in particular to priority scheduling described above

Homework: 22, 23

Selfish RR (SRR, , SRR, )

Preemptive.
Perhaps it could be called ``snobbish RR''.
``Accepted processes'' run RR.
A new process waits until its priority reaches that of accepted processes (or until there are no accepted processes). At that point the new process is accepted.
A new process starts at priority 0; its priority increases at rate a>=0.
Accepted process have their priority increase at rate b>=0.
Note that at any time all accepted processes have same priority.
If b>=a, get FCFS.
If b=0, get RR.
If a>b>0, it is interesting

Shortest Job First (SPN, SJF, SJF, SJF)

Sort jobs by total execution time needed and run the shortest first.

Nonpreemptive
First consider a static situation where all jobs are available in the beginning, we know how long each one takes to run, and we implement ``run-to-completion'' (i.e., we don't even switch to another process on I/O). In this situation, then SJF has the shortest average waiting time
- Moving a short job before a long one decreases the wait for the short by the length of the long and increases the wait of the long by the length of the short.
- This decreases the total waiting time for these two.
- Hence decreases the total waiting for all and hence decreases the average waiting time as well.
In the more realistic case where the scheduler switches to a new process when the currently running process blocks (say for I/O), we should call the policy shortest next-CPU-burst first.
The difficulty is predicting the future (i.e., knowing in advance the time required for the job or next-CPU-burst).

Preemptive Shortest Job First (PSPN, SRT, PSJF/SRTF, --)

Preemptive version of above

Permit a process that enters the ready list to preempt the running process if the time for the new process (or for its first burst) is less than the remaining time for the running process (or for its current burst).
It will never happen that an existing process in the ready list will require less time than the remaining time for the currently running process.
- Why?
Can starve processs that have a long burst.
- This is fixed by the standard technique.
- What is that technique?

Highest Penalty Ratio Next (HPRN, HRN, , )

Run job that has been ``hurt'' the most.

For each job, let r = T/t; where T = wall clock time this job has been in system and t = the running time of the job to date.
Run job with highest r
Normally defined to be nonpreemptive (only check r when a burst ends), but there is an preemptive analogue
- Do not worry about a job that just enters the system (its ratio is undefined)
- When putting process in run state commpute the time that it will no longer have the highest ratio and set a timer.
- When a job is moved into the ready state, compute its ratio and preempt if needed.
HRN stands for highest response ratio next
This is another example of priority scheduling

Multilevel Queues (, , MLQ, **)

Put different classes of jobs in different queues

Jobs do not move from one queue to another.
Can have different policies on the different queues.
For example, might have a background (batch) queue that is FCFS and one or more foreground queues that are RR.
Must also have a policy among the queues.
For example, might have two queues, foreground and background, and give the first absolute priority over the second
- Might apply aging to prevent background starvation

Multilevel Feedback Queues (FB, MFQ, MLFBQ, MQ)

Many queues and processs move from queue to queue in an attempt to dynamically separate ``batch-like'' from interactive processs.

Run processs from highest nonempty queue in a RR manner.
When process uses up full quanta (looks a like batch process), move it to a lower queue.
When process doesn't use a full quanta (looks like an interactive process), move it to a higher queue
Long interactive processs (user generating spurious I/O) can keep process in the upper queues.
Might have bottom queue FCFS
Many variants
For example, might let process stay in top queue 1 quantum, next queue 2 quanta (i.e. put back in same queue, at end, after first quantum expires), next queue 4

Theoretical Issues

Considerable theory has been developed

NP completeness results abound
Much work in queuing theory to predict performance
Not covered in this course

Medium Term scheduling

Decisions made at a coarser time scale.

Called two-level scheduling by Tanenbaum
Suspend (swap out) some process if memory is over-committed
Criteria for choosing a victim
- How long since previously suspended
- How much CPU time used recently
- How much memory does it use
- External priority (pay more, get swapped out less)
We will discuss again during next topic (memory management).

Long Term Scheduling

``Job scheduling''. Decide when to start jobs (i.e., do not necessarily start them when submitted.
Force user to log out and/or block logins if over-committed
CTSS for decent interactive response time
Unix if out of processes (i.e. out of PTEs)
``LEM jobs during the day'' (Grumman).

================ Start Lecture #8 ================

See the web page for the command to submit lab1 and your grader's email address

Chapter 3: Memory Management

Also called storage management or space management.

Memory management must deal with the storage hierarchy present in modern machines.

Registers, cache, central memory, disk, tape (backup)
Move date from level to level of the hierarchy.
How should we decide when to move data up to a higher level?
- Fetch on demand (e.g. demand paging, which is dominant now)
- Prefetch
  - Read-ahead for file I/O
  - Large cache lines and pages
  - Extreme example. Entire job present whenever running.

We will see in the next few lectures that there are three independent decision:

Segmentation (or no segmentation)
Paging (or no paging)
Fetch on demand (or no fetching on demand)

Memory management implements address translation.

Convert virtual addresses to physical addresses
- Also called logical to real address translation
- Virtual address is the address expressed in the program
- Physical address is the address understood by the computer
The translation from virtual to physical addresses is performed by the Memory Management Unit or (MMU).
Another example of address translation is the conversion of relative addresses to absolute addresses by the linker.
The translation might be trivial (e.g., the identity) but not in a modern general purpose OS.
The translation might be difficult (i.e., slow)
- Often includes addition/shifts/mask--not too bad
- Often includes memory references
  - VERY serious
  - Solution is to cache translations in a Translation Lookaside Buffer (TLB). Sometimes called a translation buffer (TB)

Homework: 7.

When is the address translation performed?

At compile time
- Primitive
- Compiler generates physical addresses
- Requires knowledge of where the compilation unit will be loaded
- Rarely used (MSDOS .COM files)
At link-edit time (the ``linker lab'')
- Compiler
  - Generates relocatable addresses for each compilation unit
  - References external addresses
- Linkage editor
  - Converts the relocatable addr to absolute
  - Resolves external references
  - Misnamed ld by unix
  - Also converts virtual to physical addresses by knowing where the linked program will be loaded. Unix ld does not do this.
- Loader is simple
- Hardware requirements are small
- A program can be loaded only where specified and cannot move once loaded.
- Not used much any more.
At load time
- Same as linkage editor but do not fix the starting address
- Program can be loaded anywhere
- Program can move but cannot be split
- Need modest hardware: base/limit registers
At execution time
- Dynamically during execution
- Hardware needed to perform the virtual to physical address translation quickly
- Currently dominates
- Much more information later

Extensions

Dynamic Loading
- When executing a call, check if module is loaded.
- If not loaded, call linking loader to load it and update tables.
- Slows down calls (indirection) unless you rewrite code dynamically
Dynamic Linking
- The traditional linking described above is now called statically linked
- With dynamic linking frequently used routines are not linked into the program. Instead, just a stub is linked.
- When the routine is called, the stub checks to see if the real routine is loaded (it may have been loaded by another program).
  - If not loaded, load it.
  - If already loaded, share it. This needs some OS help so that different jobs sharing the library don't overwrite each other's private memory.
- Advantages of dynamic linking
  - Saves space: Routine only in memory once even when used many times
  - Bug fix to dynamically linked library fixes all applications that use that library, without having to relink the application.
- Disadvantages of dynamic linking
  - New bugs in dynamically linked library infect all applications
  - Applications ``change'' even when they haven't changed.

Note: I will place ** before each memory management scheme.

3.1: Memory management without swapping or paging

Job remains in memory from start to finish

The sum of the memory requirements of all jobs in the system cannot exceed the size of physical memory.

** 3.1.1: Monoprogramming without swapping or paging (Single User)

The ``good old days'' when everything was easy.

No address translation done by OS (i.e., address translation is not performed dynamically during execution).
Either reload OS each job (or don't have an OS, which is almost the same) or protect the OS from the job.
- One way to protect (part of) the OS is to have it in ROM.
- Of course, must have the data in ram
- Can have a separate OS address space only accessible in supervisor mode.
User overlays if job memory exceeds physical memory.
- Programmer breaks program into pieces.
- A ``root'' piece is always memory resident.
- The root contains calls to load and unload various pieces.
- Programmer's responsibility to ensure that a piece is already loaded when it is called.
- No longer used, but we couldn't have gotten to the moon in the 60s without it (I think).
- Overlays have been replaced by dynamic address translation and other features (e.g., demand paging) that have the system support logical address sizes greater than physical address sizes.
- Fred Brooks (leader of IBM's OS/360 project, author of ``The mythical man month'') remarked that the OS/360 linkage editor was terrific, especially in its support for overlays, but by the time it came out, overlays were no longer used.

3.1.2: Multiprogramming

Goal is to improve CPU utilization, by overlapping CPU and I/O

Consider a job that is unable to compute (i.e., it is waiting for I/O) a fraction p of the time.
Then for monoprogramming the CPU utilization is 1-p.
Note that p is often > .5 so CPU utilization is poor.
But with a multiprogramming level (MPL) of n, the CPU utilization is approximately 1-p^n.
If p=.5 and n=4, then 1-p^n = 15/16, which is much better.
The rationale for the above formula is that, if the probability that a job is waiting for I/O is p and n jobs are in memory, then the probability that all n are waiting for I/O is p^n.
This is a crude model, but it is correct that increasing MPL does increase CPU CPU utilization.
- The limitation is memory, which is why we discuss it here instead of process management. That is, we must have many jobs loaded at once, which means we must have enough memory for them There are other issues as well and we will discuss them.
- Some of the CPU utilization is time spent in the OS executing context switches.

Homework: 1, 3.

================ Start Lecture #9 ================

3.1.3: Multiprogramming with fixed partitions

This was used by IBM for system 360 OS/MFT (multiprogramming with a fixed number of tasks)
Can have a single input queue instead of one for each partition
- So that if there are no big jobs can use big partition for little jobs
- But I don't think IBM did this
- Can think of the input queue(s) as the ready list(s)
The partition boundaries are not movable (reboot to move)
- MFT can have large internal fragmentation, i.e. wasted space inside a region y
Each job has a single ``segment'' (we will discuss segments later)
- No sharing between jobs
- No dynamic address translation
- At load time must ``establish addressability''
  - i.e. must get a base register set to the location at which job was loaded (the bottom of the partition).
  - The base register is part of the programmer visible register set.
  - This is address translation during load time.
  - Also called relocation.
Storage keys are adequate for protection (IBM method).
Alternative protection method is base/limit registers.
An advantage of base/limit is that it is easier to move a job.
But MVT didn't move jobs.
Tanenbaum says jobs were ``run to completion''. This must be wrong.
He probably meant that jobs not swapped out and each queue is FCFS without preemption.

3.2: Swapping

Moving entire jobs between disk and memory is called swapping.

3.2.1: Multiprogramming with variable partitions

Both the number and size of the partitions change with time.
IBM OS/MVT (multiprogramming with a varying number of tasks).
Also early PDP-10 OS.
Job still has only one segment (as with MFT) but now can be of any size.
Single ready list.
Job can move (might be swapped back in a different place).
This is dynamic address translation (during run time).
Perform an addition on every memory reference (i.e. on every address translation)
Called a DAT (dynamic address translation) box by IBM
Eliminates internal fragmentation
- Find a region the exact right size (leave a hole for the remainder
- Not quite true, can't get a piece with 10A755 bytes. Would get say 10A750. But internal fragmentation is much reduced compared to MFT.
Introduces external fragmentation, holes outside any region.
What do you do if no hole is big enough for request?
- Can compactify
  - Transition from bar 3 to bar 4 in diagram below
  - This is expensive
  - Not suitable for real time (MIT ping pong)
- Can swap out one process to bring in another
  - Bars 5-6 and 6-7 in diagram

Homework: 4

There are more processes than holes. Why?
- Because next to a process there might be a process or a hole but next to a hole there must be a process
- So can have ``runs'' of processes but not of holes
- Above actually shows that there are about twice as many processes as holes.
Base and limit registers are used
- Storage keys not good since compactifying would require changing many keys
- Storage keys might need a fine granularity to permit the boundaries move by small amounts. Hence many keys would need to be changed

MVT Introduces the ``Placement Question'', which hole (partition) to choose

Best fit, worst fit, first fit, circular first fit, quick fit, Buddy
- Best fit doesn't waste big holes, but does leave slivers and is expensive to run.
- Worst fit avoids slivers, but eliminates all big holes so a big job will require compaction. Even more expensive than best worst fit (best fit stops if it finds a perfect fit).
- Quick fit keeps lists of some common sizes (but has other problems, see Tanenbaum).
- Buddy system
  - Round request to next highest power of two (causes internal fragmentation)
  - Look in list of blocks this size (as with quick fit)
  - If list empty, go higher and split into buddies
  - When returning coalesce with buddy
  - Do splitting and coalescing recursively, i.e. keep coalescing until can't and keep splitting until successful
  - See Tanenbaum for more details (or an algorithms book).
A current favorite is circular first fit (also know as next fit)
- Use the first hole that is big enough (first fit) but start looking where you left off last time.
- Doesn't waste time constantly trying to use small holes that have failed before, but does tend to use many of the big holes, which can be a problem.
Buddy comes with its own implementation. How about the others?
- Bit map
  - Only question is how much memory does one bit represent.
    - Big: Serious internal fragmentation
    - Small: Many bits to store and process
- Linked list
  - Each item on list says whether Hole or Process, length, starting location
  - The items on the list are not taken from the memory to be used by processes
  - Keep in order of starting address
  - Double linked
- Boundary tag
  - Knuth
  - Use the same memory for list items as for processes
  - Don't need an entry in linked list for blocks in use, just the avail blocks are linked
  - For the in use blocks, just need a hole/process bit at each end and the length. Keep this in the block itself.
  - See knuth, the art of computer programming vol 1

Homework: 2, 5.

MVT Also introduces the ``Replacement Question'', which victim to swap out

We will study this question more when we discuss demand paging

Considerations in choosing a victim

Cannot replace a job that is pinned, i.e. whose memory is tied down. For example, if Direct Memory Access (DMA) I/O is scheduled for this process, the job is pinned until the DMA is complete.
Victim selection is a medium term scheduling decision
- Job that has been in a wait state for a long time is a good candidate.
- Often choose as a victim a job that has been in memory for a long time.
- Another point is how long should it stay swapped out.
For demand paging, where swaping out a page is not as drastic as swapping out a job, victim is an important memory management decision and we shall study several policies

================ Start Lecture #10 ================

NOTEs:

So far the schemes have had two properties
1. Each job is stored contiguously in memory. That is, the job is contiguous in physical addresses.
2. Each job cannot use more memory than exists in the system. That is, the virtual addresses space cannot exceed the physical address space.
Tanenbaum now attacks the second item. I wish to do both and start with the first
Tanenbaum (and most of the world) uses the term ``paging'' to mean what I call demand paging. This is unfortunate as it mixes together two concepts
1. Paging (dicing the address space) to solve the placement problem and essentially eliminate external fragmentation.
2. Demand fetching, to permit the total memory requirements of all loaded jobs to exceed the size of physical memory.
Tanenbaum (and most of the world) uses the term virtual memory as a synonym for demand paging. Again I consider this unfortunate.
1. Demand paging is a fine term and is quite descriptive
2. Virtual memory ``should'' be used in contrast with physical memory to describe any virtual to physical address translation.

** (non-demand) Paging

Simplest scheme to remove the requirement of contiguous physical memory.

Chop the program into fixed size pieces called pages (invisible to the programmer).
Chop the real memory into fixed size pieces called page frames or simply frames
size of a page (the page size) = size of a frame (the frame size)
Sprinkle the pages into the frames
Keep a table (called the page table) having an entry for each page. The page table entry or PTE for page p contains the number of the frame f that contains page p.

Example: Assume a decimal machine with page size = frame size = 1000.
Assume PTE 3 contains 459.
Then virtual address 3372 corresponds to physical address 459372.

Properties of (non-demand) paging.

Entire job must be memory resident to run.
No holes, i.e. no external fragmentation.
If there are 50 frames available and the page size is 4KB than a job requiring <= 200KB will fit, even if the available frames are scattered over memory.
Hence (non-demand) paging is useful.
Introduces internal fragmentation approximately equal to 1/2 the page size for every process (really every segment).
Can have a job unable to run due to insufficient memory and have some (but not enough) memory available. This is not called external fragmentation since it is not due to memory being fragmented.
Eliminates the placement question. All pages are equally good since don't have external fragmentation.
Replacement question unchanged.
Since page boundaries occur at ``random'' points and can change from run to run (the page size can change with no effect on the program--other than performance), pages are not appropriate units of memory to use for protection and sharing. This is discussed further when we introduce segmentation.

Homework: 13

Address translation

Each memory reference turns into 2 memory references
1. Reference the page table
2. Reference central memory
This would be a disaster!
Hence the MMU caches page#-->frame# translations. This cache is kept near the processor and can be accessed rapidly
This cache is called a translation lookaside buffer (TLB) or translation buffer (TB)
For the above example, after referencing virtual address 3372, entry 3 in the TLB would contain 459.
Hence a subsequent access to virtual address 3881 would be translated to physical address 459881 without a memory reference.

Choice of page size is discuss below

Homework: 8, 13.

3.2: Virtual Memory (meaning fetch on demand)

Idea is that a program can execute even if only the active portion of its address space is memory resident. That is, swap in and swap out portions of a program. In a crude sense this can be called ``automatic overlays''.

Advantages

Can run a program larger than the total physical memory.
Can increase the multiprogramming level since the total size of the active, i.e. loaded, programs (running + ready + blocked) can exceed the size of the physical memory.
Since some portions of a program are rarely if ever used, it is an inefficient use of memory to have them loaded all the time. Fetch on demand will not load them if not used and will unload them during replacement if they are not used for a long time (hopefully).

3.2.1: Paging (meaning demand paging)

Fetch pages from disk to memory when they are referenced, with a hope of getting the most actively used pages in memory.

Very common: dominates modern operating systems
Started by the Atlas system at Manchester University in the 60s (Fortheringham).
Each PTE continues to have the frame number if the page is loaded.
But what if the page is not loaded (exists only on disk)?
- The PTE has a flag indicating if loaded (can think of the X in the diagram above as indicating that this flag is not set
- If not loaded, the location on disk is kept in the PTE (not shown in the diagram)
- When a reference is made to a non-loaded page (sometimes called a non-existent page, but that is a bad name), the system has a lot of work to do. We give more details below
  1. Choose a free frame if one exists
  2. If not
    1. choose a victim frame
      - More on how to choose later
      - Called the replacement question
    2. write victim back to disk if dirty
    3. update the victim PTE to show not loaded and where on disk it has been put (perhaps the disk location is already there)
  3. Copy the referenced page from disk to the free frame
  4. Update the PTE of the referenced page to show that it is loaded and give the frame number
  5. Do the std paging address translation (p#,off)-->(f#,off)
Really not done quite this way
- There is ``always'' a free frame because ...
- There is a deamon active that checks the number of free frames and if this is too low, chooses victims and ``pages them out'' (writing them back to disk if dirty).
Size of page table
- Considerations for plain paging apply
- Large pages are good for I/O (providing the data is used) since it is faster to do one 16KB I/O than four 4KB I/Os and much faster than sixteen 1KB I/Os

Homework: 11.

================ Start Lecture #11 ================

3.3.2: Page tables

A discussion of page tables is also appropriate for (non-demand) paging, but the issues are more acute with demand paging since the tables can be much larger. Why?
Answer: The total size of the active processes is no longer limited to the size of physical memory.

Want access to the page table to be very fast since it is needed for every memory access.

Unfortunate laws of hardware

Big and fast are essentially incompatible
Big and fast and low cost is hopeless

So we can't just say, put the page table in fast processor registers and let it be huge and sell the system for $1500. Put the (one-level) page table in main memory.

Too slow
TLB would help as mentioned above (discussed later in more detail).
Too big
- Currently we are considering contiguous virtual addresses ranges (i.e. the virtual addresses have no holes).
- Typically put the stack at one end of virtual address and the global (or static) data at the other end and let them grow towards each other
- The memory in between is unused.
- This unused memory can be huge (in address range) and hence the page table will mostly contain unneeded PTEs
Works fine if the virtual address range possible is small, which was once true but no longer (e.g. of PDP-11 in Tanenbaum).

Protection bits

Can place protection bits on pages. For example can mark pages as execute only. This requires that boundaries between regions with different protection must be on page boundaries. Protection is more naturally done with segmentation.

Multilevel page tables

The idea, which is also used in Unix inode-based file systems, is to add a level of indirection and have a page table containing pointers to page tables. This topic will not be on the 202 midterm or final.

Imagine one big page table.
Call it the second level page table and cut it into pieces each the size of a page.
Note that you can get many PTEs in one page so you will have far fewer of these pages than PTEs
Now construct a first level page table containing PTEs that point to these pages.
This first level PT is small enough to store in memory.
But since we still have the 2nd level PT, we have made the world bigger not smaller!
Don't store in memory the 2nd level page tables all of whose PTEs refer to unused memory. That is use demand paging on the (second level) page table

For a two level page table the virtual address is divided into three pieces
```
+-----+-----+-------+
| P#1 | P#2 | Offset|
+-----+-----+-------+
```
P#1 gives the index into the first level page table.
Follow the pointer in the corresponding PTE to reach the frame containing the relevant 2nd level page table.
P#2 gives the index into this 2nd level page table
Follow the pointer in the corresponding PTE to reach the frame containing the (originally) requested frame.
Offset gives the offset in this frame where the requested word is located.

Do an example on the board

The VAX used a 2-level page table structure, but with some wrinkles (see Tanenbaum for details).

Naturally, there is no need to stop at 2 levels. In fact the SPARC has 3 levels and the Motorola 68030 has 4 (and the number of bits of Virtual Address used for P#1, P#2, P#3, and P#4 can be varied).

3.3.4: Associative memory (TLBs)

Note: Tanenbaum suggests that ``associative memory'' and ``translation lookaside buffer'' are synonyms. This is wrong. Associative memory is a general structure and translation lookaside buffer is a special case.

An associative memory is a content addressable memory. That is you access the memory by giving the value of some field and the hardware searches all the records and returns the record whose field contains the requested value.

For example

Name  | Animal | Mood     | Color
======+========+==========+======
Moris | Cat    | Finicky  | Grey
Fido  | Dog    | Friendly | Black
Izzy  | Iguana | Quiet    | Brown
Bud   | Frog   | Smashed  | Green

If the index field is Animal and Iguana is given, the associative memory returns

Izzy  | Iguana | Quiet    | Brown

A Translation Lookaside Buffer or TLB is an associate memory where the index field is the page number. The other fields include the frame number, dirty bit, valid bit, and others.

A TLB is small and expensive but at least it is fast. When the page number is in the TLB, the frame number is returned very quickly.
On a miss, the page number is looked up in the page table. The record found is placed in the TLB and a victim is discarded. There is no placement question since all entries are accessed at the same time. But there is a replacement question.

Homework: 15.

3.3.5: Inverted page tables

Keep a table indexed by frame number with the entry f containing the number of the page currently loaded in frame f.

Since modern machine have a smaller physical address space than virtual address space, the table is smaller
But on a TLB miss, must search the inverted page table.
Would be hopelessly slow except that some tricks are employed.
The book mentions some but not all of the tricks, we are skipping this topic.

3.4: Page Replacement Algorithms

These are solutions to the replacement question.

Good solutions take advantage of locality.

Temporal locality: If a word is referenced now, it is likely to be referenced in the near future.
- This argues for caching referenced words, i.e. keeping the referenced word near the processor for a while
Spatial locality: If a word is referenced now, nearby words are likely to be referenced in the near future.
- This argues for prefetching words around the currently referenced word.
These are lumped together into locality: If a page is referenced, it is likely to be referenced in the near future.
- So it is good to bring in the entire page on a miss and to keep the page in memory for a while.
When programs begin there is no history so nothing to base locality on. At this point the paging system is said to be undergoing a ``cold start''.
Programs exhibit ``phase changes'', when the set of pages referenced changes abruptly (similar to a cold start). At the point of a phase change, many page faults occur because locality is poor.

Pages belonging to processes that have terminated are of course perfect choices for victims.

Pages belonging to processes that have been blocked for a long time are good choices as well.

Random

A lower bound on performance. Any decent scheme should do better.

3.4.1: The optimal page replacement algorithm (opt PRA)

Replace the page whose next reference will be furthest in the future

Also called belady's min algorithm
Provably optimal. That is, generates the fewest number of page faults.
Unimplementable: Requires predicting the future.
Good upper bound on performance

3.4.2: The not recently used (NRU) PRA

Divide the frames into four classes and make a random selection from the lowest nonempty class.

Not referenced, not modified
Not referenced, modified
Referenced, not modified
Referenced, modified

Assumes that in each PTE there are two extra flags R (sometimes called U, for used) and M (often called D, for dirty).

Also assumes that a page in a lower priority class is cheaper to evict

If not referenced, probably not referenced again soon so not so important.
If not modified, do not have to write it out so the cost of the eviction is lower
When a page is brought in, OS resets R and M (i.e. R=M=0)
On a read, hardware sets R
On a write, hardware sets R and M

We again have the prisoner problem, we do a good job of making little ones out of big ones, but not the reverse. Need more resets

Every k clock ticks, reset all R bits

Why not reset M?
Answer: Must have M accurate to know if victim must be written back
Could have two M bits one accurate and one reset, but I don't know of any system (or proposal) that does so.

What if hardware doesn't set these bits?

OS can use tricks
When the bits are reset, make the PTE indicate the page is not resident (i.e. lie). On the page fault, set the appropriate bit(s).

3..4.3: FIFO PRA

Simple but poor since usage of the page is ignored.

Belady's Anomaly: Can have more frames yet more faults. Example given later.

3.4.4: Second chance PRA

Fifo but when time to choose a victim if page at the head of the queue has been referenced (R bit), don't evict it. Instead reset R and move the page to the rear of the queue (so it looks new). The page is being a second chance.

What if all frames have been referenced?
Becomes the same as fifo (but takes longer).

Might want to turn off the R bit more often (k clock ticks).

3.4.5: Clock PRA

Same algorithm as 2nd chance, but a better (and I would say obvious) implementation: Use a circular list.

Do an example.

================ Start Lecture #12 ================

LIFO PRA

This is terrible! Why?
All but the last frame are frozen once loaded so you essentially use only one frame.

3.4.6:Least Recently Used (LRU) PRA

When a page fault occurs, choose as victim that page that has been unused for the longest time, i.e. that has been least recently used.

LRU is definitely

Implementable: The past is knowable
Good: Simulation studies
Difficult
- Essentially need to either
  1. Keep a time stamp in each PTE updated on each reference and scan all the PTEs when choosing a victim to find the PTE with the oldest timestamp.
  2. Keep the PTEs in a linked list in usage order, which means on each reference moving the PTE to the end of the list

Homework: 19, 20

A hardware cutsie in Tanenbaum (skipped in 202)

For n pages, keep an nxn bit matrix.
On a reference to page i, set row i to all 1s and col i to all 0s
At any time the 1 bits in the rows are ordered by inclusion. I.e. one row's 1s are a subset of another row's 1s which is a subset of a third. (Tanenbaum forgets to mention this.)
So the row with the fewest 1s is a subset of all the others and is hence least recently used
Cute, but still impractical.

3.4.7: Approximating LRU in Software

The Not Frequently Used (NFU) PRA

Include a counter in each PTE (and have R in each PTE)
Set counter to zero when page is brought into memory
For each PTE, every k clock ticks
1. Add R to counter
2. Clear R
Choose as victim the PTE with lowest count

The Aging PRA

NFU doesn't distinguish between old references and recent one. The following modification does distinguish.

Include a counter in each PTE (and have R in each PTE)
Set counter to zero when page is brought into memory
For each PTE, every k clock ticks
1. Shift counter right one bit
2. Insert R as new high order bit (HOB)
3. Clear R
Choose as victim the PTE with lowest count

R counter
1 10000000
0 01000000
1 10100000
1 11010000
0 01101000
0 00110100
1 10011010
1 11001101
0 01100110

R	counter
1	10000000
0	01000000
1	10100000
1	11010000
0	01101000
0	00110100
1	10011010
1	11001101
0	01100110

Homework: 21, 25

3.5: Modeling Paging Algorithms

3.5.1: Belady's anomaly

Consider a system that has no pages loaded and that uses the FIFO PRU.
Consider the following ``reference string'' (sequences of pages referenced).

 0 1 2 3 0 1 4 0 1 2 3 4

If we have 3 frames this generates 9 page faults (do it).

If we have 4 frames this generates 10 page faults (do it).

Theory has been developed and certain PRA (so called ``stack algorithms'') cannot suffer this anomaly for any reference string. FIFO is clearly not a stack algorithm. LRU is.

Repeat the above calculations for LRU.

================ Start Lecture #13 ================

3.6: Design issues for (demand) Paging

3.6.1 & 3.6.2: The Working Set Model and Local vs Global Policies

I will do these in the reverse order (which makes more sense). Also Tanenbaum doesn't actually define the working set model, but I shall.

A local PRA is one is which a victim page is chosen among the pages of the same process that requires a new page. That is the number of pages for each process is fixed. So LRU means the page least recently used by this process.

Of course we can't have a purely local policy, why?
Answer: A new process has no pages and even if we didn't apply this for the first page loaded, the process would remain with only one page.
Perhaps wait until a process has been running a while.
A global policy is one in which the choice of victim is made among all pages of all processes.

If we apply global LRU indiscriminately with some sort of RR processor scheduling policy, and memory is somewhat over-committed, then by the time we get around to a process, all the others have run and have probably paged out this process.

If this happens each process will need to page fault at a high rate; this is called thrashing. It is therefore important to get a good idea of how many pages a process needs, so that we can balance the local and global desires.

The working set policy (Peter Henning)

The goal is to specify which pages a given process needs to have memory resident in order for the give process to run without too many page faults.

But this is impossible since it requires predicting the future.
So we make the assumption that the immediate future is well approximated by the immediate past.
Measure time in units of memory references, so t=1045 means the time when the 1045th memory reference is issued.
In fact we measure time separately for each process, so t=1045 really means the time when this process made its 1045th memory reference.
W(t,&omega) is the set of pages referenced (by the given process) from time t-omega to time t.
That is, W(t,&omega) is the set pages referenced during the window of size omega ending at time t.
That is, W(t,&omega) is the set of pages referenced by the last &omega memory references ending at reference t.
W(t,&omega) is called the working set at time t (with window &omega).
(Netscape doesn't support &omega to give the Greek letter, ouch)
w(t,omega) is the size of the set W(t,omega), i.e. is the number of pages referenced in the window.

The idea of the working set policy is to ensure that each process keeps its working set in memory.

One possibility is to allocate w(t,&omega) frames to each process (this number differs for each process and changes with time) and then use a local policy.
What if there aren't enough frames to do this?
Reduce the multiprogramming level (MPL)! That is, we have a connection between memory management and process management. This is the suspend/resume arcs we saw way back when.

Interesting questions include:

What value should be used for &omega?
How should we calculate W(t,&omega)?

Various approximations to the working set frequency have been devised.

Wsclock
- Use the aging algorithm above to maintain a counter for each PTE and declare a page whose counter is above a certain threshold to be part of the working set.
- Apply the clock algorithm globally (i.e. to all pages) but refuse to page out any page in a working set, the resulting algorithm is called wsclock.
- What if we find there are no pages we can page out?
  Answer: Reduce the multiprogramming level (MPL).
Page Fault Frequency (PFF)
- For each process keep track of the page fault frequency, which is the number of faults divided by the number of references.
- Actually, must use a window or a weighted calculation since you are really interested in the recent page fault frequency
- If the PFF is too high, allocate more frames to this process. Either
  1. Raise its number of frames and use local policy; or
  2. Bar its frames from eviction (for a while) and use a global policy.
- What if there are not enough frames?
  Answer: Lower the MPL.

3.6.3: Page size

Page size ``must'' be a multiple of the disk block size. Why?
Answer: When copying out a page if you have a partial disk block, you must do a read/modify/write (i.e., 2 I/Os).
Important property of I/O that we will learn later this term is that eight I/Os each 1KB takes considerably longer than one 8KB I/O
Large page size
- Good for user I/O
  - If I/O done using physical addresses, then I/O crossing a page boundary is not contiguous and hence requires multiple I/Os
  - If I/O uses virtual addresses, then page size doesn't effect this aspect of I/O. That is the addresses are contiguous in virtual address and hence one I/O is done.
- Good for demand paging I/O.
  - Better to swap in/out one big page than several small pages
  - But if page too big you will be swapping in data that is really not local and hence might well not be used.
- Large internal fragmentation (1/2 page size)
- Small page table
- Very few pages. Process will have many faults if using demand paging and the process frequently references more regions than frames.
Small page size has the opposite properties

3.6.4: Implementation Issues

Don't worry about instruction backup. Very machine dependent and modern implementations tend to get it right.

Locking (pinning) pages

We discussed pinning jobs already. The same (mostly I/O) considerations apply to pages.

Shared pages

Really should share segments

Must keep reference counts or something so that when a process terminates, pages (even dirty pages) it shares with another process are not automatically discarded.
Similarly a reference count would make a widely shared page (correctly) look like a poor choice for a victim.
A good place to store the reference count would be in a structure pointed to by both PTEs.

Backing Store

The issue is where on disk do we put pages

For program text, which is presumably read only, a good choice is the file itself.
Data and stack grow so either be prepared to grow the space on disk (same issues as MVT).

Paging Daemons

Done earlier

Page Fault Handling (not on 202 exams)

Hardware traps to the kernel (switches to supervisor mode; saves state)
Assembly language code save more state, establishes the C-language environment, calls the OS
OS determines that a fault occurred and which page
If virtual address is invalid, shoot process. If valid, seek a free frame. If no free frames, select a victim.
If the victim frame is dirty, schedule an I/O write to copy the frame to disk. This process is blocked so the process scheduler is invoked to perform a context switch.
- Tanenbaum ``forgot'' some here
- Disk interrupt occurs when I/O complete
- Hardware trap / assembly code / OS determines I/O done
- Process moved from blocked to ready
- Some time later a context switch occurs to this ready process. Since this process is in kernel mode, perhaps it was scheduled to run as soon as it was ready. (I am using a ``self-service'' model where the process moves from user mode to kernel mode.)
Now the frame is clean (this may be much later in wall clock time). Schedule an I/O to read the desired page into this clean frame. The process is again blocked and hence the process scheduler is invoked to perform a context switch.
Disk interrupt occurs when I/O complete (trap / asm / OS determines I/O done) / process made ready / process starts running). PTE updated
Fix up process (e.g. reset PC)
Process put in ready queue and eventually runs. The OS returns to the first asm routine.
Asm routine restores registers, etc. and returns to user mode.

The process is unaware that all this happened.

3.7: Segmentation

Up to now, the virtual address space has been contiguous.

Among other issues this makes it difficult when there are more that two dynamically growing regions.
With two regions you start them on opposite sides of the virtual space as we did before.
Better is to have many virtual address spaces each starting at zero.
This split up is user visible.
Without segmentation (equivalently said with just one segment) all procedures and are packed together so if one changes in size all the virtual addresses following are change and the program must be re-linked.
Eases flexible protection and sharing (share a segment). For example, can have a shared library.

The following table mostly from Tanenbaum compares demand paging with demand segmentation.

Consideration Demand
Paging Demand
Segmentation
Programmer aware No Yes

How many addr spaces 1 Many

VA size > PA size Yes Yes

Protect individual
procedures separately No Yes

Accommodate elements
with changing sizes No Yes

Ease user sharing No Yes

Why invented let the VA size
exceed the PA size Sharing, Protection,
independent addr spaces

Internal fragmentation Yes No, in principle

External fragmentation No Yes

Placement question No Yes

Replacement question Yes Yes

Consideration	Demand Paging	Demand Segmentation
Programmer aware	No	Yes
How many addr spaces	1	Many
VA size > PA size	Yes	Yes
Protect individual procedures separately	No	Yes
Accommodate elements with changing sizes	No	Yes
Ease user sharing	No	Yes
Why invented	let the VA size exceed the PA size	Sharing, Protection, independent addr spaces

Internal fragmentation	Yes	No, in principle
External fragmentation	No	Yes
Placement question	No	Yes
Replacement question	Yes	Yes

Homework: 29.

** Two Segments

Late PDP-10s and TOPS-10

One shared text segment, that can also contain shared (normally read only) data.
One (private) writable data segment
Permission bits on each segment.
Which kind of segment is better to evict?
- Swap out shared segment hurts many tasks
- The shared segment is read only (probably) so no writeback is needed.
``One segment'' is OS/MVT done above.

** Three Segments

Traditional Unix shown above.

Shared text execute only
Data segment (global and static variables)
Stack segment (automatic variables)

** Four Segments

Just kidding.

** General (not necessarily demand) Segmentation

Permits fine grained sharing and protection
Visible division of program
Variable size segments
Address = (seg#, offset)
Does not mandate how stored in memory.
- One possibility is that the entire program must be in memory to run it. Use whole process swapping. Early unix did this
- Can also implement demand segmentation.
- Can combine with demand paging (done below)
Segment table with a base and limit value for each segment
(seg#, offset) --> base address + offset
External fragmentation as with whole program swapping. Since segments are smaller than programs (several segments make up one program), the external fragmentation is not as bad.

** Demand Segmentation

Same idea as demand paging applied to segments

If segment is loaded, base and limit are stored in processor registers and used in each memory reference.
If segment is not loaded, the base and limit as well as the disk address of the segment is store in the STE (segment table entry).
Generate a segment fault (analogous to page fault) if reference a non-loaded segment
To load a segment have the placement question in addition to replacement question.
I believe this was one implemented but am not sure; it is not done now.

** 3.7.2: Segmentation with paging

Combines both segmentation and paging to get advantages of both at a cost in complexity. This is very common now.

Virtual address is now a triple (seg#, page#, offset)
Each segment table entry points to the page table for that segment (similar to multi-level paging).

The page# field in the address gives the entry in the chosen page table and the offset gives the offset in the page.
Instead of a limit field, the STE contains the length of the segment in pages (which equals the size of the corresponding page table in PTEs)
Straightforward implementation requires 3 memory references so a TLB is crucial.
Sometimes say the segments are of fixed size. This is wrong. They are of variable size with a fixed maximum.
The first example of this was Multics
Keep protection and sharing information on segments
Do replacement and placement on pages (no external fragmentation)
Share a segment by sharing the page table for that segment.
- Thus there is no aliasing
- Good thing or eviction would be problematic

Homework: 30.

Some last words

Segmentation / Paging / Demand Loading
- Each is a yes or no alternative
- Gives 8 possibilities
Placement and Replacement
Internal and External Fragmentation
Page Size and locality of reference
Multiprogramming level and medium term scheduling

================ Start Lecture #14 ================

Review material from last lecture for midterm

Chapter 4: File Systems

Requirements

Size: Store very large amounts of data
Persistence: Data survives the creating process
Access: Multiple processes can access the data concurrently

Solution: Store data in files that together form a file system

4.1: Files

4.1.1: File Naming

Very important. A major function of the file system.

Does each file have a unique name?
Answer: Often no. We will discuss this below when we study links.
Extensions, e.g. the ``html'' in ``class-notes.html''
1. Conventions just for humans: letter.teq (my convention)
2. Conventions giving default behavior for some programs
  - Emacs thinks .html files should be edited in html mode but can edit them in any mode and can edit any file in html mode
  - Netscape thinks .html means an html file but
    <html> ... </html> works as well
  - Gzip thinks .gz means a compresses file but accepts a --suffix flag
3. Required extensions for programs
  - The gnu C compiler (and probably others) requires C programs be named *.c and assembler programs be named *.s
4. Required extensions by operating systems
  - MS-DOS treats .com files specially
  - I think windows 95 requires shortcuts to end in .lnk
Case sensitive?

================ Start Lecture #15 ================

Midterm exam

================ Start Lecture #16 ================

Review midterm answers

Hand out lab2

4.1.2: File structure

A file is a

Byte stream
- Unix, dos, windows (I think)
- Max flexibility
- Min structure
(fixed size) Record stream: Out of date
Varied and complicated beast
- Indexed sequential
- B-trees
- Supports rapidly finding a record with a specific key
- Supports retrieving (varying size) records in key order.
- Treated in depth in database courses

4.1.3: File types

Examples

(Regular) files
Directories: studied below
Special files (for devices)
- Uses the naming power of files to unify many actions
- dir # prints on screen
- dir > file # result put in a file
- dir > /dev/tape # results written to tape
``Symbolic'' Links (similar to ``shortcuts''): Also studied below.

``Magic number'': Identifies an executable file.

There can be several different magic numbers for different types of executables.
unix: #!/usr/bin/perl

Strongly typed files: Easy (hopefully normal) case easier (and safer) hard case harder.

4.1.4: File access

Basically two possibilities, sequential access and random access (a.k.a. direct access). Previously, files were declared to be sequential or random. Modern systems do not do this.

Sequential access where the bytes (or records) are accessed in order (i.e., n-1, n, n+1, ...) is most common and gives the highest performance. For some devices (e.g. tapes) access ``must'' be sequential.
In random access, the bytes are accessed in any order. Thus each access must specify which bytes are desired.

4.1.5: File attributes

A laundry list of properties that can be specified for a file, e.g.

hidden
do not dump
owner
key length (for keyed files)
4.1.6: File operations
- Create: Essential if a system is to add files. Need not be a separate system call (can be merged with open).
- Delete: Essential if a system is to delete files.
- Open: Not essential. An optimization. Do the translation from file name to disk locations only once per file rather than once per access.
- Close: Not essential. Free resources.
- Read: Essential. Must specify filename, file location, number of bytes, where to put data read in. Several of these parameters can be set by other system calls and in many OS's they are.
- Write: Essential if updates are to be supported. See read for parameters.
- Seek: Not essential (could be in read/write). Specify the file offset of the next (read or write) access
- Get attributes: Essential if attributes are to be used.
- Set attributes: Essential if attributes are to be user settable.
- Rename: Tanenbaum has strange words. Copy and delete is not acceptable for big files. Moreover copy-delete not atomic. Indeed link-delete is not atomic so even with link (discussed below) renaming a file adds functionality.
Homework: 2, 3, 4.
Read and understand ``copyfile'' on page 155.
================ Start Lecture #17 ================
Ridiculously non-cost-effective extra credit for lab 2:
1. Add worst fit and circular best fit. Hence there will be four curves on each graph.
2. Add the number of allocated blocks, and the size of the largest allocated block to the standard statistics. Hence there will be 12 graphs.
3. Add buddy system. Now allocations should be restricted to powers of two. Do not compare with the other four algorithms graphically, i.e. just produce the numerical output.
4. If done completely correctly 10 points extra credit will be given.
5. Don't even try this extra credit. I only added it on the request of a (presumably masochistic) student.
Notes on copyfile
- Normally in unix one wouldn't call read and write directly.
- Indeed, for copyfile, getchar() and putchar() would be nice since they take care of the buffering (standard I/O, stdio).
- Tanenbaum is correct that the error reporting is atrocious.
  The worst is exiting the loop on error and thus generating an exit(0) as if nothing happened.
4.1.7: Memory mapped files (not on 202 exams)

Conceptually simple and elegant. Associate a segment with each file and then normal memory operations take the place of I/O.
Thus copyfile does not have fgetc/fputc (or read/write). Instead it is just like memcopy
```
while ( (dest++)* = (src++)* );
```
The implementation is via demand paging (on top of segmentation) but the backing store for the pages is the file. This all sounds great but ...
1. How do you tell the length of a newly created file? You know which pages were written but not what words in those pages. So a file with one byte or 10, looks like a page.
2. What if same file is accessed by both I/O and memory mapping.
3. What if the file is bigger than the size of virtual memory (will not be a problem in 5 years on modern systems).
4.2: Directories

Unit of organization.
4.2.1: Hierarchical directory systems

Possibilities
- One directory in the system
- One per user
- One tree
- One tree per user
- One forest
- One forest per user
These are not as wildly different as they sound.
- If the system only has one directory, but allows the character / in a file name. Then one could fake a tree by having a file named
  /allan/gottlieb/courses/arch/class-notes.html
  rather than a directory allan, a subdirectory gottlieb, ..., a file class-notes.html.
- Dos (windows) is a forest, unix a tree. In dos there is no common parent of a:\ and c:\.
- But windows explorer makes the dos forest look quite a bit like a tree. Indeed, the gnome file manager, looks A LOT like windows explorer.
- You can get an effect similar to (but not the same as) one X per user by having just one X in the system and having permissions that permits each user to visit only a subset. Of course if the system doesn't have permissions, this is not possible
- Today's systems have a tree per system or a forest per system.
4.2.2: Path Names
- Absolute versus Relative file names.
- The former is starts at the (or a) root, the latter starts at the current (a.k.a working) directory.
- The special directories . and ..
Homework: 1, 8.
4.2.3: Directory operations
1. Create: Normally comes with . and ..
2. Delete: First empty the directory (except for . and ..)
3. Opendir: Same as with files (creates a ``handle'')
4. Closedir: Same as files
5. Readdir: In the old days (of unix) could read directories as files so there was no special readdir (or opendir/closedir). It was believed that the uniform treatment would make programming (or at least system understanding) as there was less to learn.
  However, experience has taught that this was not a good idea since the structure of directories then becomes exposed. Early unix had a simple structure (and there was only one). Modern systems have more sophisticated structures and more importantly they are not fixed across implementations.
6. Rename: As with files
7. Link: Add a second name for a file; discussed below.
8. Unlink: Remove a directory entry. This is how a file is deleted. But if there are many links, the file remains. Discussed in more detail below.
4.3: File System Implementation

4.3.1; Implementing Files
- A disk cannot read or write a single word. Instead it can read or write a sector, which is often 512 bytes.
- Disks are written in blocks whose size is a multiple of the sector size.
- For memory management we dealt with words (or bytes). Here we deal with blocks.
Contiguous allocation
- This is like OS/MVT.
- The entire file is stored as one piece
- Simple and fast for access, but ...
- Problem with growing files
  - Must either evict the file itself or the file it is bumping into.
  - Same problem with an OS/MVT kind of system if jobs grow.
- Problem with external fragmentation.
- Not used for general purpose systems. Ideal for systems where files do not change size.
Homework: 7.
Linked allocation
- The directory entry contains a pointer to the first block of the file.
- Each block contains a pointer to the next.
- Horrible for random access.
- Not used.
FAT (file allocation table)
- Used by dos / windows (but not windows/NT)
- Directory entry points to first block (i.e. specifies the block number)
- A FAT is maintained in memory having one (word) entry for each disk block. The entry for block N contains the block number of the next block in the same file as N.
- This is linked but the links are store separately.
- Still is linear in size of file but now all the entries are to this one table which is in memory. So it is bad but not horrible for random access.
- Size of table is one word per disk block. If one writes all blocks of size 4K and uses 4-byte words, the table is one megabyte for each disk gigabyte. Large but not prohibitive.
- If write blocks of size 512 bytes (the sector size of most disks) then the table is 8 megs per gig, which is prohibitive
================ Start Lecture #18 ================
Lab 2 due date extended until 10 April and may be done on acf5 as well as omicron
Inodes
- Used by unix
- Directory entry points to inode (index-node)
- Inode points to first few data blocks
- Inode points to an indirect block, which points to disk blocks
- Inode points to a double indirect, which points an indirect ...
- For some implementations there are triple indirect as well
- The inode is in memory for open files so many references just take one I/O
- Big files take two (indirect + data)
- Huge files take three
4.3.2; Implementing Directories

Maps file (or subdirectory) names to the files (or subdirectories) themselves.
Trivial File System (CP/M)
- Only one directory in the system
- Directory entry contains pointers to disk blocks.
- If need more blocks, get another directory entry.
MS-DOS (FAT)
- Subdirectories supported
- Directory entry contains metatdata such as date and size as well as pointer to first block.
Unix
- Entry contains name and pointer to inode.
- Metadata is in inode
- Early unix had limit of 14 character names.
- Name field now is varying length.
- To go down a level in directory takes two steps: get inode, get file (or subdirectory).
- Do on board steps for /allan/gottlieb/courses/os/class-notes.html
Homework: 11
4.3.3: Shared files (links)
- Sharing is Tanenbaum's terminology.
- More descriptive would ``multinamed files''.
- If a file exists, one can create another name for it (quite possibly in another directory)
- Often called creating a (or another) link to the file.
- Unix has two flavor, hard links and symbolic links or symlinks.
- Dos/windows has symlinks, but I don't believe it has hard links.
Start with an empty file system (i.e. just root) and then execute
```
cd /
mkdir /A; mkdir /B
touch /A/X; touch /B/Y
```
We have the situation shown on the right.
Note that names are on edges not nodes. When there are no multinamed files, it doesn't much matter.

Now execute
```
ln /B/Y /A/New
```
This gives the new diagram to the right.
At this point there are two equally valid name for the right hand yellow file, B/Y and A/New. The fact that B/Y was created first is NOT detectable.
- Both point to the same inode
- Only one owner (the one who created the file initially)
- One date, one set of permissions, one ...
Assume Bob created /B and /B/Y and Alice created /A, /A/X, and /A/New Later Bob tires of /B/Y and removes it by executing
```
rm /B/Y
```
The file /A/New is still fine (see third diagram on the right). But it is owned by Bob, who can't find it! If the system enforces quotas bob will likely be charged (as the owner) but he can neither find nor delete the file (since bob cannot unlink, i.e. remove, files from /A)

Since hard links are only permitted to files (not directories) the resulting file system is a dag (directed acyclic graph). That is there are no directed cycles. We will now proceed to give away this useful property by studying symlinks, which can point to directories.
Symlinks
- Asymmetric multinamed files.
- When a symlink is created another file is created, one that points to the original file.
Again start with an empty file system and this time execute
```
cd /
mkdir /A; mkdir /B
touch /A/X; touch /B/Y
ln -s /B/Y /A/New
```
We now have an additional file /A/New, which is a symlink to /B/Y.
- The file /A/New has the name /B/Y as its data (not metadata).
- The system notices that A/New is a diamond (symlink) so reading /A/New will return the contents of /B/Y (assuming the reader has read permission for /B/Y).
- If /B/Y is removed /A/New becomes invalid.
- If a new /B/Y is created, A/New is once again valid.
- Removing /A/New has no effect of /B/Y.
- If a user has write permission for /B/Y, then writing /A/New is possible and writes /B/Y.
The bottom line is that, with a hard link, a new name is created that has equal status to the original name. This can cause some surprised (e.g., you create a link but Id own it). With a symbolic link a new file is created (owned by the creator naturally) that points to the original file.
Question: Consider the hard link setup above. If Bob removes /B/Y and then creates another /B/Y, what happens to /A/X?
Answer: Nothing. /A/X is still a file with the same contents as the original /B/Y.
Question: What about with a symlink?
Answer: /A/X becomes invalid and then valid again, this time pointing to the new /B/Y. (It can't point to the old /B/Y as that is completely gone.)
================ Start Lecture #19 ================

What about symlinking a directory?
```
cd /
mkdir /A; mkdir /B
touch /A/X; touch /B/Y
ln -s /B /A/New
```
Is there a file named /A/New/Y ?
Yes.
What happens if you execute cd /A/New/.. ?
Answer: Not clear!
What did I mean when I said the pictures made it all clear?
Answer: From the file system perspective it is clear. Not always so clear what programs will do.
4.3.4: Disk space management

All general purpose systems use a (non-demand) paging algorithm for file storage. Files are broken into fixed size pieces, called blocks that can be scattered over the disk. Note that although this is paging, it is never called paging.
The file is completely stored on the disk
- One can imagine systems that store only parts of the file on disk with the rest on tertiary storage (some kind of tape).
- This would be just like demand paging.
- Perhaps NASA does this with their huge datasets.
- Caching (as done for example in microprocessors) is also the same as demand paging.
- We unify these concepts in the computer architecture course.
Choice of block size
- We discussed this before when studying page size.
- Current commodity disk characteristics (not for laptops) result in about 15ms to transfer the first byte and 10K bytes per ms for subsequent bytes (if contiguous).
  - We will explain the following terms in the I/O chapter
  - Rotation rate is 5400, 7600, or 10,000 RPM (15K just now available).
  - Recall that 6000 RPM is 100 rev/sec or one rev per 10ms. So half a rev (the average time for to rotate to a given point) is 5ms.
  - Transfer rates around 10MB/sec = 10KB/ms.
  - Seek time around 10ms.
- This favors large blocks, 100KB or more.
- But the internal fragmentation would be severe since many files are small.
- Multiple block sizes have been tried as have techniques to try to have consecutive blocks of a given file near each other.
- Typical block sizes are 4KB-8KB.
Storing free blocks
1. In-memory bit map.
  - One bit per block
  - If blocksize=4K, 1 bit per 32K bits
  - So 32GB disk (potentially all free) needs 1MB ram
2. Bit map paged in
3. Linked list with each free block pointing to next: Extra disk access per block
4. Linked list with links stored contiguously, i.e. an array of pointers to free blocks. Store this in free blocks and keep one in memory.
4,3.5: File System reliability

Bad blocks on disks

Not so much of a problem now. Disks more reliable and more importantly, disks take care of the bad blocks themselves
Backups

All modern systems support full and incremental dumps.
- A level 0 dump is a called a full dump (i.e., dumps everything).
- A level n dump (n>0) is called an incremental dump and dumps all files that have changed since the previous level n-1 dump.
- Keep on the disk the dates of the most recent level i dumps for all i. In Unix this is traditionally in /etc/dumpdates.
- What about the nodump attribute?
  - Default policy (for Linux at least) is to dump such files anyway when doing a full dump, but not dump them for incremental.
  - Another way to say this is the nodump attribute is honored for level n dumps if n>1.
  - The dump command has an option to override the default policy (can specify k so that nodump is honored for level n dumps if n>k).
Consistency
- Fsck (file system check) and chkdsk
  - If the system crashed, it is possible that not all meta was written to disk. As a result the file system may be inconsistent. These programs check, and often correct, inconsistencies.
  - Scan all inodes (or fat) to check that each block is in exactly one file, or on the free list, but not both.
  - Also check that the number of links to each file (part of the metadata in the file's inode) is correct (by looking at all directories).
  - Other checks as well.
  - Offers to ``fix'' the errors found (for most errors).
- ``Journaling'' file systems (not on 202 exams)
  - An idea from database theory (transaction logs).
  - Eliminates the need for fsck.
  - NTFS has had journaling from day 1.
  - Many Unix systems have it. IBM's AIX converted to journaling in the early 90s.
  - Linux does not yet have journaling, a serious shortcoming. It is under very active development.
  - FAT does not have journaling.
4.3.6 File System Performance

Buffer cache or block cache

An in-memory cache of disk blocks
- Demand paging again!
- Clearly good for reads as it is much faster to read memory than to read a disk.
- What about writes?
  - Must update the buffer cache (otherwise subsequent reads will return the old value).
  - The major question is whether the system should also update the disk block.
  - The simplest alternative is write through in which all writes performed to the disk before declared complete.
    - Can remove floppy as soon as operation done.
    - Heavy I/O write traffic
      - If a block is written many times all the writes are sent the disk. Only the last one was ``needed''.
      - If a temporary file is created, written, read, and deleted, all the disk writes were wasted.
    - DOS
  - The other alternative is write back in which the disk is not updated until the in-memory copy is evicted (i.e., the replacement question).
    - Much less write traffic than write through.
    - Trouble if a crash occurs.
    - Unix
    - Can write dirty blocks periodically, say every minute. This limits the possible damage, but also the possible gain.
    - Ordered writes. Do not write a block containing pointers until the block pointed to has been written. Especially if the block pointed to contains pointers since the version of these pointers on disk may be wrong and you are giving a file pointers to some random blocks.
- Research in ``log-structured'' file systems tries to make all writes sequential (i.e., writes are treated as if going to a log file).
Homework: 12.
4.4: Security

Very serious subject. Could easily be a course in itself. My treatment is very brief.
4.4.1: Security environment
1. Accidental data loss
  - Fires, floods, etc
  - System errors
  - Human errors
2. Intruders
  - Sadly an enormous problem.
  - The NYU ``greeting'' no longer includes the word ``welcome'' since that was somehow interpreted as some sort of license to break in.
    Indeed, the greeting is not friendly.
    It once was.
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           WARNING:  UNAUTHORIZED PERSONS ........ DO NOT PROCEED
           ~~~~~~~   ~~~~~~~~~~~~~~~~~~~~          ~~~~~~~~~~~~~~
 This computer system is operated by New York University (NYU) and may be
 accessed only by authorized users.  Authorized users are granted specific,
 limited privileges in their use of the system.  The data and programs
 in this system may not be accessed, copied, modified, or disclosed without
 prior approval of NYU.  Access and use, or causing access and use, of this
 computer system by anyone other than as permitted by NYU are strictly pro-
 hibited by NYU and by law and may subject an unauthorized user, including
 unauthorized employees, to criminal and civil penalties as well as NYU-
 initiated disciplinary proceedings.  The use of this system is routinely
 monitored and recorded, and anyone accessing this system consents to such
 monitoring and recording.  Questions regarding this access policy or other
 topics should be directed (by e-mail) to comment@nyu.edu or (by phone) to 
 212-998-3333.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
1. Privacy
  - An enormously serious (societal) subject
4.4.2: Famous flaws
- Good bathroom reading
- Trojan horse attack: Planing a program of your choosing in place of a well known program and having an unsuspecting user execute it.
- Some trivial examples
  1. Install a new version of login that does everything normal but mails the username and plaintext password to gottlieb@nyu.edu.
  2. Put a new version of ls in your home directory and ask the sysadmin for help. ``Hopefully he types ls while in your directory and has . early in his path''.
4.4.3: The internet worm
- Not a virus.
- A worm divides itself and sends one portion to another machine.
- A virus attaches itself to (``infects'') a part of the system so that it remains until explicitly removed. In particular, rebooting the system does not remove it.
- The famous internet (Morris) worm exploited silly bugs in unix to crack systems automatically.
- Specifically, it exploited careless use of gets(), which does not check the length of its argument.
- Attacked Sun and Vax unix systems.
- NYU was hit hard.
4.4.4: Generic Security attacks

More bathroom reading
Viruses
- Attach to an existing program or to a portion of the disk that is used for booting.
- When the virus is run it tries to attach itself to other files
- Often implemented the same was as a binary patch: Change the first instruction to jump to somewhere where you put the original first instruction, then your patch, then a jump back to the second instruction
================ Start Lecture #20 ================

4.4.5: Design principles for security

More bathroom reading
4.4.6: User authentication

Passwords
- Publically available cracking software
- Use this software for prevention
- One time passwords: e.g. SecurId.
- Current practice here and elsewhere is that when you telnet to a remote machine, your password is sent in the clear along the ethernet.
  So maybe .rhosts is aren't that bad after all.
- Physical identification: Opens up a bunch of privacy questions. Should we require fingerprinting for entering the subway?
Homework: 15, 16, 19, 24.
4.5: Protection mechanisms

4.5.1: Protection domains
- Objects (passive) and subjects (active)
  For example processes examine files
- Protection domain: A collection of (object, rights) pairs
- At any given time a subject is given a protection domain that specifies its rights.
- In Unix a subject's domain is determined by its (uid, gid) (and whether it is in kernel mode).
- Generates a matrix called the protection or permission matrix
  - Each row corresponds to a domain (i.e. a subject at some time)
  - Each column corresponds to an object (e.g. file, device)
  - Each entry gives the rights the domain/subject has on this object
- Can model Unix suid/sgid by permitting columns whose headings are domains and the only right possible in the corresponding entries is entry. If this right is there the subject can s[ug]id to this new domain.
4.5.2: Access Control Lists (ACLs)

Keep the columns of the matrix separate and only keep the non-null entries.
4.5.3: Capabilities

Keep the rows of the matrix separate and only keep the non-null entries.
4.5.4: Protection models

Give objects and subjects security levels and enforce
1. A subject may read only those objects whose level is at or below her own.
2. A subject may write only those objects whose level is at or above her own.
4.5.5: Covert channels

The bad guys are getting smart and use other means of getting out information. For example give good service for a zero and bad for a one. The figure of merit is what rate can bits be sent, i.e. the bandwidth of the covert channel.
Homework: 20.
Chapter 5: Input/Output

5.1: Principles of I/O Hardware

5.1.1: I/O Devices
- Not much to say. Devices are varied
- Block versus character devices:
  - Devices, like disks or CDROMs, with addressable chunks (sectors in this case) are called block devices.
    These devices do not support seeking.
  - Devices, like an Ethernet or modem connection, that are a stream of characters are called character devices
    These devices do not support seeking
  - Some cases, like tapes, are not so clear
5.1.2: Device Controllers

These are the ``real devices'' as far as the OS is concerned. That is the OS code is written with the controller spec in hand not with the device spec.
The figure in the book is so oversimplified as to be borderline false. The following picture is closer to the truth (but really there are several I/O buses of different speeds).

================ Start Lecture #21 ================
- The controller abstracts away some of the low level features of the device.
- For disks, the controller does error checking, buffering and handles interleaving of sectors. (Sectors are interleaved if the controller or CPU cannot handle the data rate and would otherwise have to wait a full revolution. I do not believe this is a concern with modern machines where the electronics have increased in speed faster than the devices.)
- For analog monitors (CRTs) the controller does a great deal. Analog video is far from a bunch of ones and zeros.
- Controllers are also called adaptors.
- Typically the interface the OS sees consists of some device registers located on the controller (address to access, read vs write, length, data value, etc).
- Memory-mapped I/O vs. I/O space. In memory mapped I/O the device registers are mapped into normal memory space. So you need to know that
```
load 8888<--4
```
  tells the disk read the sector whose address you previously loaded into 8800. In the I/O space you used different instructions (not ordinary loads and stores) to do essentially the same thing.
Homework: 2

5.1.3: Direct Memory Access (DMA)
- The disk controller gets the desired data from the disk to its buffer
- For programmed I/O (PIO) the cpu then does loads and stores (or I/O instructions) to copy the data from the buffer to the desired memory location.
- With a DMA controller, the controller writes the memory without intervention of the CPU.
- Clearly DMA saves CPU work. But this might not be important if the CPU is limited by the memory or by system buses.
- Very important is that there is less data movement so the buses are used less and the entire operation takes less time.
- Since PIO is pure software it is easier to change, which is an advantage.
- DMA does need a number of bus transfers from the CPU to the controller to specify the DMA. So DMA is most effective for large transfers where the setup is amortized.
- Why have the buffer? Why not just go from the disk straight to the memory.
  Answer: Speed matching. The disk supplies data at a fixed rate, which might exceed the rate the memory can accept it. In particular the memory might be busy servicing a request from the processor or from another DMA controller.
Homework: 5
5.2: Principles of I/O Software

As with any large software system, good design and layering is important.
5.2.1: Goals of the I/O Software

Device independence

We want to have most of the OS, unaware of the characteristics of the specific devices attached to the system. Indeed we also want the OS to be largely unaware of the CPU type itself.
Due to this device independence programs are written to read and write generic devices and then at run time specific devices are assigned. Writing to a disk has differences from writing to a terminal, but Unix cp and DOS copy do not see these differences. Indeed, most of the OS, including the file system code, is unaware of whether the device is a floppy or hard disk.
Uniform naming

Recall that we discussed the value of the name space implemented by file systems. There is no dependence between the name of the file and the device on which it is stored. So a file called IAmStoredOnAHardDisk might well be stored on a floppy disk.
Error handling
There are several aspects to error handling including: detection, correction (if possible) and reporting.
1. Detection should be done as close to where the error occurred as possible before more damage is done (fault containment). This is not trivial.
2. Correction is sometimes easy, for example ECC memory does this automatically (but the OS wants to know about the error so that it can schedule replacement of the faulty chips before unrecoverable double errors occur).
  Other easy cases include successful retries for failed ethernet transmissions. In this example, while logging is appropriate, it is quite reasonable for no action to be taken.
3. Error reporting tends to be awful. The trouble is that the error occurs at a low level but by the time it is reported the context is lost. Unix/Linux in particular is horrible in this area.
Creating the illusion of synchronous I/O
- I/O must be asynchronous for performance. That is the OS cannot simply wait for an I/O to complete. Instead, it proceeds with other activities and responds to the notification when the I/O has finished.
- Users (mostly) want no part of this. The code sequence
```
Read X
Y <-- X+1
Print Y
```
  should print a value one greater than that read. But if the assignment is performed before the read completes, the wrong value is assigned.
- Performance junkies sometimes do want the asynchrony so that they can have another portion of their program executed while the I/O is underway.
Sharable vs dedicated devices

For devices like printers and tape drives, only one user at a time is permitted. These are called serially reusable devices and are studied next chapter. Devices like disks and Ethernet ports can be shared by processes running concurrently.

Layering

Layers of abstraction as usual prove to be effective. Most systems are believed to use the following layers (but for many systems, the OS code is not available for inspection).
1. User level I/O routines
2. Device independent I/O software
3. Device drivers
4. Interrupt handlers
We give a bottom up explanation.
5.2.2: Interrupt Handlers

We discussed an interrupt handler before when studying page faults. Then it was called ``assembly language code''.
In the present case, we have a process blocked on I/O and the I/O event has just completed. So the goal is to make the process ready. Possible methods are.
- Releasing a semaphore on which the process is waiting
- Sending a message to the process.
- Inserting the process table entry onto the ready list.
5.2.3: Device Drivers

The portion of the OS that ``knows'' the characteristics of the controller.
The driver has two ``parts'' corresponding to its two access points. Recall the following figure from the beginning of the course.
1. Access by the main line OS with an I/O request.
2. Accessed by the interrupt handler when the I/O completes (this completion is signaled by an interrupt).
Tanenbaum describes the actions of the driver assuming it is implemented as a process (which he recommends). I give both that view point and the self-service paradigm in which the driver is invoked by the OS acting in behalf of a user process (more precisely the process shifts into kernel mode).
Driver as a process (Tanenbaum)
- The user issues an I/O request. The main line OS prepares a generic (e.g. read, not read using Buslogic BT-958 SCSI controller) request for the driver and the driver is awakened (perhaps a message is sent to the driver to do both jobs).
  1. The driver wakes up
    1. If the driver was idle (i.e., the controller is idle), the driver writes device registers on the controller ending with a command for the controller to begin the actual I/O.
    2. If the controller is busy (doing work the driver gave it), the driver simply queues the current request (the driver dequeues this below).
  2. The driver blocks waiting for an interrupt or for more requests.
- An interrupt arrives (i.e. an I/O has been completed)
  1. The driver informs the main line perhaps passing data and surely passing status (error, OK).
  2. Find next work item or block
    1. If the queue of requests is non-empty dequeue one and proceed as if just received a request from the main line.
    2. If queue is empty, the driver blocks waiting for an interrupt or a request from the main line.
Driver in a self-service paradigm
- The user issues an I/O request. The main line OS prepares a generic request for the driver and calls the driver.
  1. The driver is called
    1. If the driver was idle (i.e., the controller is idle), the driver writes device registers on the controller ending with a command for the controller to begin the actual I/O.
    2. If the controller is busy (doing work the driver gave it), the driver simply queues the current request (the driver dequeues this below).
  2. The driver returns to the main line
- An interrupt arrives (i.e. an I/O has been completed)
  1. The driver informs the main line perhaps passing data and surely passing status (error, OK).
  2. Find next work item or return
    1. If the queue of requests is non-empty dequeue one and proceed as if just received a request from the main line.
    2. If queue is empty, the driver returns to the main line.
================ Start Lecture #22 ================

5.2.4: Device-Independent I/O Software

Most of the functionality. But not necessarily most of the code since there can be many drivers all doing essentially the same thing is slightely different way due to slightly different controllers.
- Naming. Again an important O/S functionality. Must offer a consistent interface to the device drivers.
  In Unix this is done by associating each device with a (special) file in the /dev directory. The inodes for these files contain an indication that these are special files and also contain so called major and minor device numbers. The major device number gives the number of the driver. (These numbers are rather ad hoc, they correspond to the position of the function pointer to the driver in a table of function pointers.)
- Protection. A wide range of possibilities are actually done in real systems. Including both extreme examples of everything is permitted and nothing is permitted (directly).
  - In ms-dos any process can write to any file. Presumably our offensive nuclear missile launchers do not run dos.
  - In IBM and other mainframe OS's, normal processors do not access devices. Indeed the main CPU doesn't issue the I/O requests. Instead an I/O channel is used and the mainline constructs a channel program and tells the channel to invoke it.
  - Unix uses normal rwx bits on files in /dev (I don't believe x is used).
- Buffering is necessary since requests come in a size specified by the user and data is delivered in a size specified by the device.
- Enforce exclusive access for non-shared devices like tapes.
5.2.5: User-Space Software

A good deal of I/O code is actually executed in user space. Some is in library routines linked into user programs and some is in daemon processes.
- Some library routines are trivial and just move their arguments int the corrct place (e.g. registers) and then issue a trap to the correct system call.
- Some, notably standard-IO (stdio) in Unix, are definitely not trivial. For example consider the formatting of floating point numbers done in printf and the reverse in scanf.
- Printing to a local printer is often in part by a regular program (lpr in Unix) and part by a deamon (lpd in Unix). The daemon might be started when the system boots or might be started on demand. I guess it is called a daemon because it is not under the control of any user.
- Pringing uses spooling, i.e., the file to be printed is copied somewhere by lpr and then the daemon works with this copy. Mail uses a similar technique (but generally it is not called spooling but queuing).
Homework: 6, 7, 8.
5.3: Disks

The ideal storage device is
1. Fast
2. Big (in capacity)
3. Cheap
4. Impossible
Disks are big and cheap, but slow.
5.3.1: Disk Hardware

Show a real disk opened up and illustrate the components
- Platter
- Surface
- Head
- Track
- Sector
- Cylinder
- Seek time
- Rotational latency
- Transfer time
Overlapping I/O operations is important. Many controllers can do overlapped seeks, i.e. issue a seek to one disk while another is already seeking.
Despite what Tanenbaum says, modern disks cheat and do not have the same number of sectors on outer cylinders as on inner one. Often the controller ``cover for them'' and protect the lie.
Again contrary to Tanenbaum, it is not true that when one head is reading from cylinder C, all the heads can read from cylinder C with no penalty.
Choice of block size
- We discussed this before when studying page size.
- Current commodity disk characteristics (not for laptops) result in about 15ms to transfer the first byte and 10K bytes per ms for subsequent bytes (if contiguous).
  - Rotation rate is 5400, 7600, or 10,000 RPM (15K just now available).
  - Recall that 6000 RPM is 100 rev/sec or one rev per 10ms. So half a rev (the average time for to rotate to a given point) is 5ms.
  - Transfer rates around 10MB/sec = 10KB/ms.
  - Seek time around 10ms.
- This favors large blocks, 100KB or more.
- But the internal fragmentation would be severe since many files are small.
- Multiple block sizes have been tried as have techniques to try to have consecutive blocks of a given file near each other.
- Typical block sizes are 4KB-8KB.
================ Start Lecture #23 ================

5.3.2: Disk Arm Scheduling Algorithms

These algorithms are relevant only if there are several I/O requests pending. For many PCs this is not the case. For most commercial applications, I/O is crucial.
1. FCFS (First Come First Served): Simple but has long delays.
2. Pick: Same as FCFS but pick up requests for cylinders that are passed on the way to the next FCFS request
3. SSTF (Shortest Seek Time First): Greedy algorithm. Can starve requests for outer cylinders and almost always favors middle requests.
4. Scan (Look, Elevator): The method used by an old fashioned jukebox (remember ``Happy Days'') and by elevators. The disk arm proceeds in one direction picking up all requests until there are no more requests in this direction at which point it goes back the other direction. This favors requests in the middle, but can't starve any requests.
5. C-Scan (C-look, Circular Scan/Look): Similar to Scan but only service requests when moving in one direction. When going in the other direction, go directly to the furthest away request. This doesn't favor any spot on the disk. Indeed, it treats the cylinders as though they were a clock, i.e. after the highest numbered cylinder comes cylinder 0.
6. N-step Scan: This is what the natural implementation of Scan gives.
  - While the disk is servicing a Scan direction, the controller gathers up new requests and sorts them.
  - At the end of the current sweep, the new list becomes the next sweep.
Minimizing Rotational Latency

Use Scan, which is the same as C-Scan. Why?
Because the disk only rotates in one direction.
Homework: 9, 10.
RAID (Redundant Array of Inexpensive Disks)

Tanenbaum's treatment is not very good.
- This name is from Berkeley.
- IBM changed the name to Redundant Array of Independent Disks
- A simple form is mirroring, where two disks contain the same data.
- Another simple form striping (interleaving) where consecutive blocks are spread across multiple disks. This helps bandwidth but is not redundant so shouldn't be called RAID but it sometimes is.
- One of the normal RAIDs is to have N (say 4) data disks and one parity disk. Data is striped across the data disks and the bitwise parity of these sectors is written in the corresponding sector of the parity disk.
- A variation is to rotate the parity. That is, for some stripes disk 1 has the parity, for others disk 2, etc.
- A serious concern is the small write problem. Writing a sector requires 4 I/O. Read the old data sector, compute the change, read the parity, compute the new parity, write the new parity and the new data sector. Hence one sector I/O became 4, which is 300% overhead.
- Writing a full stripe is not bad. Compute the parity of the N (say 4) data sectors to be written and then write the data sectors and the parity sector. Thus 4 sector I/Os became 5, which is only a 20% penalty and is smaller for larger N, i.e., larger stripes.
5.3.3: Error Handling

Disks error rates have dropped in recent years. Moreover, bad block forwarding is done by the controller (or disk electronic).
5.3.4: Track Caching

Often the disk/controller caches a track, since the seek penalty has already been paid. In fact modern disks have megabyte caches that hold recently read blocks. Since modern disks cheat and don't have the same number of blocks on each track, it is better for the disk electronics to do the caching since it is the only part of the system to know the true geometry.
5.3.5: Ram Disks
- Fairly clear. Organize a region of memory as a set of blocks and pretend it is a disk.
- A problem is that memory is volatile.
- Often used during OS installation, before disk drivers are available (there are many types of disk but memory all memory looks the same so only one ram disk driver is needed).
5.4: Clocks

Also called timers.
5.4.1: Clock Hardware
- Generates an interrupt when timer goes to zero
- Counter reload can be automatic or under software (OS) control.
- If done automatically, the interrupt occurs periodically and thus is perfect for a time of day (TOD) clock (assuming time of day initialized somehow).
5.4.2: Clock Software
1. TOD: Bump a counter each tick (clock interupt). If counter is only 32 bits must worry about overflow so keep two counters: low order and high order.
2. Time quantum for RR: Decrement a counter at each tick quantum expires when counter is zero. Load this counter when the scheduler runs a process.
3. Accounting: At each tick, bump a counter in the process table entry for the currently running process.
4. Alarm system call and system alarms:
  - Users can request an alarm at some future time and the system also needs to do things specific future times (e.g. turn off floppy motor).
  - The conceptually simplest solution is to have one timer for each event. Instead, we simulate many timers with just one.
  - The data structure on the right works well.
  - The time in each list entry is the time after the preceding entry that this entry's alarm is to ring. The other entry is a pointer to the action to perform.
  - At each tick, decrement next-signal.
  - When next-signal goes to zero. process the first entry on the list and any others following immediately after with a time of zero (which means they are to be simultaneous with this alarm. Then set next-signal to the value in the next alarm
5. Profiling
  - Want a histogram giving how much time was spent in each 1KB (say) block of code.
  - At each tick check the PC and bump the appropriate counter.
  - At the end of the run can assign the 1K blocks to software modules.
  - If use fine granularity (say 10B instead of 1KB) get higher accuracy but more memory overhead.
Homework: 12
5.5: Terminals

5.5.1: Terminal Hardware

Quite dated. It is true that modern systems can communicate to a hardwired ascii terminal, but most don't. Serial ports are used, but they are normally connected to modems and then some protocol (SLIP, PPP) is used not just a stream of ascii characters.
5.5.2: Memory-Mapped Terminals
- Less dated. But it still discusses the character not graphics interface.
- Today, the idea is to have the software write into video memory the bits to be put on the screen and then the graphics controller converts these bits to analog signals for the monitor (actually laptop displays and very modern monitors are digital).
- But it is much more complicated than this. The graphics controllers can do a great deal of video themselves (like filling).
- This is a subject that would take many lectures to do well.
Keyboards

Tanenbaum description of keyboards is correct.
- At each key press and key release a code is written into the keyboard controller and the computer is interrupted.
- By remembering which keys have been depressed and not released the software can determine Cntl-A, Shift-B, etc.
5.5.3: Input Software
- We are just looking at keyboard input. Once again graphics is too involved to be treated here.
- Two fundamental modes of input raw and cooked.
- In raw mode the application sees every ``character'' the user types. Indeed, raw mode is character oriented.
  - All the OS does is convert the keyboard ``scan codes'' to ``characters'' and and pass these characters to the application. to w
  - Some examples
    1. down-cntl down-x up-x up-cntl is converted to cntl-x
    2. down-cntl up-cntl down-x up-x is converted to x
    3. down-cntl down-x up-cntl up-x is converted to cntl-x (I just tried it to be sure).
    4. down-x down-cntl up-x up-cntl is converted to x
  - Full screen editors use this mode.
- Cooked mode is line oriented. The OS delivers lines to the application program.
  - Special characters are interpreted as editing characters (erase-previous-character, erase-previous-word, kill-line, etc).
  - Erased characters are not seen by the application but are erased by the keyboard driver.
  - Need an escape character so that the editing characters can be passed to the application if desired.
  - The cooked characters must be echoed (what should one do if the application is also generating output at this time?)
- The (possibly cooked) characters must be buffered until the application issues a read (and an end-of-line EOL has been received for cooked mode).
5.5.4: Output Software

Again too dated and the truth is too complicated to deal with in a few minutes.
Homework: 16.
================ Start Lecture #24 ================
Remark Please make the following change to lab3 (addition of mod ProgramSize). If a run has D programs (mix 1 has D=1 the others have D=6), then program j 1<=j<=D begins by referencing word 111*j mod ProgramSize.

Chapter 6: Deadlocks

A deadlock occurs when a every member of a set of processes is waiting for an event that can only be caused by a member of the set.
Often the event waited for is the release of a resource.
In the automotive world deadlocks are called gridlocks.
- The processes are the cars.
- The resources are the spaces occupied by the cars
Reward: One point extra credit on the final exam for anyone who brings a real (e.g., newspaper) picture of an automotive deadlock. You must bring the clipping to the final and it must be in good condition. Hand it in with your exam paper.
For a computer science example consider two processes A and B that each want to print a file currently on tape.
1. A has obtained ownership of the printer and will release it after printing one file.
2. B has obtained ownership of the tape drive and will release it after reading one file.
3. A tries to get ownership of the tape drive, but is told to wait for B to release it.
4. B tries to get ownership of the printer, but is told to wait for A to release the printer.
Bingo: deadlock!

6.1: Resources:

The resource is the object granted to a process.
- Resources come in two types
  1. Preemptable, meaning that the resource can be taken away from its current owner (and given back later). An example is memory.
  2. Non-preemptable, meaning that the resource cannot be taken away. An example is a printer.
- The interesting issues arise with non-preemptable resources so those are the ones we study.
- Life history of a resource is a sequence of
  1. Request
  2. Allocate
  3. Use
  4. Release
- Processes make requests, use the resourse, and release the resourse. The allocate decisions are made by the system and we will study policies used to make these decisions.
6.2: Deadlocks

To repeat: A deadlock occurs when a every member of a set of processes is waiting for an event that can only be caused by a member of the set.
Often the event waited for is the release of a resource.
6.3: Necessary conditions for deadlock

The following four conditions (Coffman; Havender) are necessary but not sufficient for deadlock. Repeat: They are not sufficient.
1. Mutual exclusion: A resource can be assigned to at most one process at a time (no sharing).
2. Hold and wait: A processing holding a resource is permitted to request another.
3. No preemption: A process must release its resources; they cannot be taken away.
4. Circular wait: There must be a chain of processes such that each member of the chain is waiting for a resource held by the next member of the chain.
6.2.2: Deadlock Modeling

On the right is the Resource Allocation Graph, also called the Reusable Resource Graph.
- The processes are circles.
- The resources are squares.
- An arc (directed line) from a process P to a resource R signifies that process P has requested (but not yet been allocated) resource R.
- An arc from a resource R to a process P indicates that process P has been allocated resource R.
Homework: 1.
Consider two concurrent processes P1 and P2 whose programs are.
```
P1: request R1       P2: request R2
    request R2           request R1
    release R2           release R1
    release R1           release R2
```
On the board draw the resource allocation graph for various possible executions of the processes, indicating when deadlock occurs and when deadlock is no longer avoidable.
There are four strategies used for dealing with deadlocks.
1. Ignore the problem
2. Detect deadlocks and recover from them
3. Avoid deadlocks by carefully deciding when to allocate resources.
4. Prevent deadlocks by violating one of the 4 necessary conditions.
6.3: Ignoring the problem--The Ostrich Algorithm

The ``put your head in the sand approach''.
- If the likelihood of a deadlock is sufficiently small and the cost of avoiding a deadlock is sufficiently high it might be better to ignore the problem. For example if each PC deadlocks once per 100 years, the one reboot may be less painful that the restrictions needed to prevent it.
- Clearly not a good philosophy for nuclear missile launchers.
- For embedded systems (e.g., missile launchers) the programs run are fixed in advance so many of the questions Tanenbaum raises (such as many processes wanting to fork at the same time) don't occur.
6.4: Detecting Deadlocks and Recovering from them

6.4.1: Detecting Deadlocks with single unit resources

Consider the case in which there is only one instance of each resource.
- So a request can be satisfied by only one specific resource.
- In this case the 4 necessary conditions for deadlock are also sufficient.
- Remember we are making an assumption (single unit resources) that is often invalid. For example, many systems have several printers and a request is given for ``a printer'' not a specific printer. Similarly, one can have many tape drives.
- So the problem comes down to finding a directed cycle in the resource allocation graph. Why?
  Answer: Because the other three conditions are either satisfied by the system we are studying or are not in which case deadlock is not a question. That is, conditions 1,2,3 are conditions on the system in general not on what is happening right now.
To find a directed cycle in a directed graph is not hard. The algorithm is in the book. The idea is simple.
1. For each node in the graph do a depth first traversal (hoping the graph is a DAG (directed acyclic graph), building a list as you go down the DAG.
2. If you ever find the same node twice on your list, you have found a directed cycle and the graph is not a DAG and deadlock exists among the processes in your current list.
3. If you never find the same node twice, the graph is a DAG and no deadlock occurs.
4. The searches are finite since the list size is bounded by the number of nodes.
6.4.2: Detecting Deadlocks with multiple unit resources

This is more difficult.
- The figure on the right shows a resource allocation graph with multiple unit resources.
- Each unit is represented by a dot in the box.
- Request edges are drawn to the box since they represent a request for any dot in the box.
- Allocation edges are drawn from the dot to represent that this unit of the resource has been assigned (but all units of a resource are equivalent and the choice of which one to assign is arbitrary).
- Note that there is a directed cycle in black, but there is no deadlock. Indeed the middle process might finish, erasing the magenta arc and satisfying the process on the right.
- The book gives an algorithm for detecting deadlocks in this more general setting. The idea is as follows.
  1. look for process that might be able to terminate (i.e. all its request arcs can be satisfied).
  2. If one is found pretend that it does terminate (erase all its arcs) and repeat step 1.
  3. If any processes remain, they are deadlocked.
- We will really do an algorithm later (the Banker's algorithm) that has some of this flavor.
6.4.3: Recovery from deadlock

Preemption

Perhaps you can temporarily preempt a resource from a process. Not likely.
Rollback

Database (and other) systems take periodic checkpoints. If the system does take checkpoints, one can roll back to a checkpoint whenever a deadlock is detected. Somehow must guarantee forward progress.
Kill processes

Can always be done but might be painful. For example some processes have had effects that can't be simply undone. Print, launch a missile, etc.
Remark: We are doing 6.6 before 6.5 since 6.6 is easier.
6.6: Deadlock Prevention

Attack one of the coffman/havender conditions
6.6.1: Attacking Mutual Exclusion

Idea is to use spooling instead of mutual exclusion. Not possible for many kinds of resources
6.6.2: Attacking Hold and Wait

Require each processes to request all resources at the beginning of the run. This is often called One Shot.
6.6.3: Attacking No Preempt

Normally not possible.
6.6.4: Attacking Circular Wait

Establish a fixed ordering of the resources and require that they be requested in this order. So if a process holds resources #34 and #54, it can request only resources #55 and higher.
It is easy to see that a cycle is no longer possible.
6.5: Deadlock Avoidance

Let's see if we can tiptoe through the tulips and avoid deadlock states even though our system does permit all four of the necessary conditions for deadlock.
An optimistic resource manager is one that grants every request as soon as it can. To avoid deadlocks with all four conditions present, the manager must be smart not optimistic.
6.5.1 Resource Trajectories
- We have two processes H (horizontal) and V.
- The origin represents them both starting.
- Their combined state is a point on the graph.
- The parts where the printer and plotter are needed by each process are indicated.
- The dark green is where both processes have the plotter and hence execution cannot reach this point.
- Light green represents both having the printer; also impossible.
- Pink is both having both printer and plotter; impossible.
- Gold is possible (H has plotter, V has printer), but you can't get there.
- The upper right corner is the goal both processes finished.
- The red dot is ... (cymbals) deadlock. We don't want to go there.
- The cyan is safe. From anywhere in the cyan we have horizontal and vertical moves to the finish line without hitting any impossible area.
- The magenta interior is very interesting. It is
  - Possible: each processor has a different resource
  - Not deadlocked: each processor can move within the magenta
  - Deadly: deadlock is unavoidable. You will hit a magenta-green boundary and then will no choice but to turn and go to the red dot.
- The cyan-magenta border is the danger zone
- The dashed line represents a possible execution pattern.
- With a uniprocessor no diagonals are possible. We either move to the right meaning H is executing or move up indicating V.
- The trajectory shown represents.
  1. H excuting a little
  2. V excuting a little
  3. H executes; requests the printer; gets it; executes some more
  4. V executes; requests the plotter
- The crisis is at hand!
- If the resource manager gives V the plotter, the magenta has been entered and all is lost. ``Abandon all hope yee who enter here'' --Dante.
- The right thing to do is to deny the request, let H execute moving horizontally under the magenta and dark green. At the end of the dark green, no danger remains, both processes will complete successfully. Victory!
================ Start Lecture #25 ================

6.5.2: Safe States

Avoiding deadlocks given some extra knowledge.
- Not surprisingly, the resource manager knows how many units of each resource it had to begin with.
- Also it knows how many units of each resource it has given to each process
- It would be great to see all the programs in advance and thus know all future requests, but that is asking for too much.
- Instead, each process when it starts gives its maximum usage. That is each process at startup states, for each resource, the maximum number of units it can possibly ask for. This is called the claim of the process.
  - If during the run the process asks for more than its claim, abort it.
  - If it claims more than it needs, the result is that the resource manager will be more conservative than need be and there will be more waiting.
Definition: A state is safe if there one can find an ordering of the processes such that if the processes are run in this order, they will all terminate (assuming none exceeds its claim).
Give an example of all four possibilities. A state that is
1. Safe and deadlocked
2. Safe and not deadlocked
3. Not safe and deadlocked
4. Not safe and not deadlocked
A manager can determine if a state is safe.
- Since the manager know all the claims, it can determine the maximum amount of additional resources each process can request.
- The manager knows how many units of each resource it has left.
The manager then follows the following procedure called Banker's Algorithms discovered by Dijkstra
1. If there are no processes remaining, the state is safe.
2. Seek a process P whose max additional requests is less than what remains (for each resource).
  - If no such process can be found, then the state is not safe.
  - The banker (manager) knows that if it refuses all requests excepts those from P, then it will be able to satisfy all of P's requests. Why?
    Look at how P was chosen.
3. The banker now pretends that P has terminated (since the banker knows that it can guarantee this will happen). Hence the banker pretends that all of P's currently held resources are returned. This makes the banker richer and hence perhaps a process that was not eligible to be chosen as P previously, can now be chosen.
4. Repeat these steps.
Example 1

process claim current

X 3 1

Y 11 5

Z 19 10

total 16
- One resource type R with 22 unit
- Three processes X, Y, and Z with claims 3, 11, and 19 respectively.
- Currently the processes have 1, 5, and 10 units respectively.
- Hence the manager currently has 6 units left.
- Also note that the max additional needs for processes are 2, 6, 9
- So the manager cannot assure (with its current remaining supply of 6 units that Z can terminate. But that is not the question.
- This state is safe
  1. Use 2 units to satisfy X; now the manager has 7 units.
  2. Use 6 units to satisfy Y; now the manager has 12 units.
  3. Use 9 units to satisfy Z; done!
Example 2

process claim current

X 3 1

Y 11 5

Z 19 12

total 18

Assume that Z now requests 2 units and we grant them.
- Currently the processes have 1, 5, and 12 units respectively.
- The manager has 4 units.
- The max additional needs are 2, 6, and 7.
- This state is unsafe
  1. Use 2 unit to satisfy X; now the manager has 5 units.
  2. Y needs 6 and Z needs 7 so we can't guarantee satisfying either
- Note that we were able to find a process that can terminate (X) but then we were stuck. So it is not enough to find one process. Must find a sequence of all the processes.
Remark: An unsafe state is not necessarily a deadlocked state. Indeed, if one gets lucky all processes may terminate successfully. A safe state means that the manager can guarantee that no deadlock will occur.
6.5.3: The Banker's Algorithm (Dijkstra) for a Single Resource

The algorithm is simple: Stay in safe states.
- Check before any process starts that the state is safe (this means that no process claims more than the manager has). If not, then this process is trying to claim more than the system has so cannot be run.
- When the manager receives a request, it pretends to grant it and checks if the resulting state is safe. If it is safe the request is granted, if not the process is blocked.
- When a resource is returned, the manager checks to see if any of the pending requests can be granted (i.e., if the result would now be safe). If so the request is granted and the manager checks to see if another can be granted.
6.5.4: The Banker's Algorithm for Multiple Resources

At a high level the algorithm is identical: Stay in safe states.
- What is a safe state?
- The same definition (if processes are run in a certain order they will all terminate).
- Checking for safety is the same idea as above. The difference is that to tell if there enough free resources for a processes to terminate, the manager must check that for all resources, the number of free units is at least equal to the max additional need of the process.
================ Start Lecture #26 ================

Limitations of the banker's algorithm
- Often users don't know the maximum requests a process will make. They can estimate conservatively (i.e., use big numbers for the claim) but then the manager becomes very conservative.
- New processes arriving cause a problem (but not so bad as Tanenbaum suggests).
  - The process's claim must be less than the total number of units of the resource in the system. If not, the process is not accepted by the manager.
  - Since the state without the new process is safe, so is the state with the new process! Just use the order you had originally and put the new process at the end.
  - Insuring fairness (starvation freedom) needs a little more work, but isn't too hard either (once an hour stop taking new processes until all current processes finish).
- A resource becoming unavailable (e.g., a tape drive breaking), can result in an unsafe state.
Homework: 11, 14 (do not hand in).
6.7: Other Issues

6.7.1: Two-phase locking

This is covered (MUCH better) in a database text. We will skip it.
6.7.2: Non-resource deadlocks

You can get deadlock from semaphores as well as resources. This is trivial. Semaphores can be considered resources. P(S) is request S and V(S) is release S. The manager is the module implementing P and V. When the manager returns from P(S), it has granted the resource S.
6.7.3: Starvation

As usual FCFS is a good cure. Often this is done by priority aging and picking the highest priority process to get the resource. Also can periodically stop accepting new processes until all old ones get their resources.