-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathTODO.txt
189 lines (115 loc) · 4.8 KB
/
TODO.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
May 2020
---------
Domains
--------
- Domain create traits should be unified --- we don't need 20 identical traits,
we only need one for each type -- the create has to take a blob as an argument
- Domain destroy logic -- when? Explicit call? Reference count drops to 0 (most
likely)? -- that's a big one.
- Call domain init function through the proxy/continuation -- domain might
panic on entry.
> Can we wrap the domain init with unwind? From within the generated domain
init
> yeah, that's a good strategy too, we can rely on normal Rust panic
mechanism... but it doesn't work because we really might want to terminate an
undresponsive init function inside the domain with a timeout
RRefs
- We shall carefully reason about the race condition when the accessor moves
the reference outside of the domain. What happens when the domain crashes
right there in the middle of the operation? Imagine the thread gets slow and it
took the RRef out the Option is empty, but not yet assigned domain id to the
RRef. If we unwind the thread to the proxy, the id will never get assigned. I
think we need to introduce some notion of the _do_not_unwind_ flag that can be
set from a trusted place, like from the accessor to make sure that the thread
continues to run until it leaves the _do_not_unwind_ block.
Recovery/shadows
- Protect the RpcErr type with an unsafe constructor so the domain cannot itself
return a failure Err(Unwind) and fake unwind
- How do we shut down the DMA engine when device driver domain crashes? We need some
notion of destructors, but for what? Who owns the BAR and runst the device? The owner of
the BAR capability. So the BAR has to be on the shared heap and we should call its
destructor.
Rv6 [Tian]
- Proxy for the rv6 kernel -- we need a full proxy, but also need some support from RRefs
- thread support for rv6 and SMP
- FS write is 5x slower than read
- Moving to NVMe ... to make sure that FS is ruuning on top of NVMe
RRefs [Dan]
- Type registry for "drop"
- immutable borrows (add tests to C and D domains)
- TLS (performance degradation because of current)
Maglev [Zhaofang]
- Booting on baremetal (Redleaf)
- Build system
Signing and fingerprinting [Zhaofeng]
- Analysis of what can bring non-determinism
- Compiler flags (fingerprint)
Thesis/performance analysis [Zhaofeng]
- Port Sashstore to DPDK
IDL [David]
-
Sockets [Tian]
- Network subsystem for rv6
- Socket support for rv6
- TCP (smoltcp) [Zhaofeng/Tian]
Memory management [Vikram]
- Dropping
NVMe [Vikram]
- Synchronous interface
Domain recovery
- Ixgbe and NVMe [Tian/Vikram]
- Fast recover of the data section [Vikram]
Multi-queue support for devices [Vikram]
-
SIMD [Anton]
- SIMD support
- Fast get_current()
- Domain alive
- Linked list for continuations
- memcpy [Anton/Tian]
Bugs
- get_current () --- linear increase from 100 to 10,000 -- Tian has a test to reproduce
- Maglev is extremely slow in rv6() --- rpc calls
-
-------------------------------------------------------------------------------
--
-- OLD (possibly irrelevant)
--
-------------------------------------------------------------------------------
Domains
-------
-- Support for memory allocator to run Box [Vikram, done]
-- We need "domain_create()" system call and how we pass system calls
- Here it's a bit tricky, we need to pass unique system calls into each
domain type. For example, device drvier domains get ukern syscalls, xv6
domains get both xv6 system calls and ukern syscalls (maybe it's not strictly
needed (we thought we need this for memory allocator to work, but maybe xv6 can
implement it's own allocator, but maybe it's not possible as it has to be
unsafe)
domain_create()
- Jump into entry point with a specific set of system calls (i.e., ukern
syscalls), we don't create a new thread (domains can be passive). If the
domain needs a thread it will create it inside the main() function.
- TSS support for per-thread data structures
- Scheduler support to "create or migrate threads to specific CPUs"
- Syscall wrappers [done]
- support for println system call [done]
xv6
-----
-- Move xv6 into ELF files [Tian?]
-- Interrupt support for xv6, i.e. we need a layer that
starts interrupts as threads, the thread is parked waiting on an interrupt
and is woken up when the interrupt arrives
- Scheduling support, i.e., all system calls to allow control over scheduling
decisions
-- xv6 user process creation
-- Need to figure out a prototype for "safe compilation"
Device drviers
--------------
-- Move block device driver into loadable domains
Software Fault Isolation
------------------------
-- Interface wrapping
Secure compilation
--------------------------------------------------------------------
-- Generation of the