3 * In grading scripts, warn when a fault is caused by an attempt to
4 write to the kernel text segment. (Among other things we need to
5 explain that "text" means "code".)
7 * Reconsider command line arg style--confuses everyone.
11 * Godmar: Extend memory leak robustness tests.
12 multi-oom should still pass in project 3/4 because kernel will run out
13 of kernel pool memory before running out of swap space.
15 * Godmar: Another area is concurrency. I noticed that I had passed all
16 tests with bochs 2.2.1 (in reproducibility mode). Then I ran them
17 with qemu and hit two deadlocks (one of them in rox-*,
18 incidentally). After fixing those deadlocks, I upgraded to bochs
19 2.2.5 and hit yet another deadlock in reproducibility mode that
20 didn't show up in 2.2.1. All in all, a standard grading run would
21 have missed 3 deadlocks in my code. I'm not sure how to exploit
22 that for grading - either run with qemu n times (n=2 or 3), or run
23 it with bochs and a set of -j parameters. Some of which could be
24 known to the students, some not, depending on preference. (I ported
25 the -j patch to bochs 2.2.5 -
26 http://people.cs.vt.edu/~gback/pintos/bochs-2.2.5.jitter.patch but I
27 have to admit I never tried it so I don't know if it would have
28 uncovered the deadlocks that qemu and the switch to 2.2.5
31 * Godmar: There is also the option to require students to develop test
32 workloads themselves, for instance, to demonstrate the effectiveness
33 of a particular algorithm (page eviction & buffer cache replacement
34 come to mind.) This could involve a problem of the form: develop a
35 workload that you cover well, and develop a "worst-case" load where
36 you algorithm performs poorly, and show the results of your
37 quantitative evaluation in your report - this could then be part of
40 * Godmar: the spec says that illegal syscall arguments can be handled either by
41 terminating the process, or by returning an error code such as -1.
43 Looking at http://gback.cs.vt.edu:8080/source/xref/tests/userprog/write-bad-ptr.c
44 and http://gback.cs.vt.edu:8080/source/xref/tests/userprog/write-bad-ptr.ck
45 I'm wondering if write-bad-ptr isn't forcing them to terminate the
46 process(?). Even though write-bad-ptr.ck has a provision to allow
47 continuation after returning -1, wouldn't it still fail since the test
49 fail ("should have exited with -1");
52 * Godmar: mmap-inherit needs a IGNORE_USER_FAULTS since we say to "not output
53 any messages Pintos doesn't already print." - which technically puts
54 the onus on us to ignore the default page fault msg whenever a test is
57 * Godmar: add _end to user.lds script and construct some tests that fail
58 unless students check a region for validity rather than just the first
59 address of a region. Right now, unfortunately, they pass all p2 tests
60 with just checking the first address. [A possible problem is that the
61 tests may be unable to tell termination due to unintentional fault
62 from willful termination when address check fails. Should we require
63 they return -1/EINVAL on a bad address and disallow termination? Or
64 construct a test that they'll likely fail if they unintentionally
65 terminate, maybe while holding the filesystem lock? Or require that
66 the diagnostic message only be output when fault occurs in user mode?
67 Something to think about.]
73 >> Describe a potential race in thread_set_priority() and explain how
74 >> your implementation avoids it. Can you use a lock to avoid this race?
76 I'm not sure what you're getting at here:
77 If changing the priority of a thread involves accessing the ready
78 list, then of course there's a race with interrupt handlers and locks
79 can't be used to resolve it.
81 Changing the priority however also involves a race with respect to
82 accessing a thread's "priority" field - this race is with respect to
83 other threads that attempt to donate priority to the thread that's
84 changing its priority. Since this is a thread-to-thread race, I would
85 tend to believe that locks could be used, although I'm not certain. [
86 I should point out, though, that lock_acquire currently disables
87 interrupts - the purpose of which I had doubted in an earlier email,
88 since sema_down() sufficiently establishes mutual exclusion. Taking
89 priority donation into account, disabling interrupts prevents the race
90 for the priority field, assuming the priority field of each thread is
91 always updated with interrupts disabled. ]
93 What answer are you looking for for this design document question?
95 - Godmar: Another thing: one group passed all tests even though they
96 wake up all waiters on a lock_release(), rather than just
97 one. Since there's never more than one waiter in our tests, they
98 didn't fail anything. Another possible TODO item - this could be
99 part a series of "regression tests" that check that they didn't
100 break basic functionality in project 1. I don't think this would
101 be insulting to the students.
105 - Get rid of rox--causes more trouble than it's worth
107 - Extra credit: specifics on how to implement sbrk, malloc.
108 Godmar: I have a sample solution and tests for that! Stay tuned.
110 - Godmar: We're missing tests that pass arguments to system calls
111 that span multiple pages, where some are mapped and some are not.
112 An implementation that only checks the first page, rather than all
113 pages that can be touched during a call to read()/write() passes
116 - Godmar: There does not appear to be a test that checks that they
117 close all fd's on exit. Idea: add statistics & self-diagnostics
118 code to palloc.c and malloc.c. Self-diagnostics code could be
119 used for debugging. The statistics code would report how much
120 kernel memory is free. Add a system call
121 "get_kernel_memory_information". User programs could engage in a
122 variety of activities and notice leaks by checking the kernel
124 - note: multi-oom tests that now.
126 - Godmar: In the wait() tests, there's currently no test that tests
127 that a process can only wait for its own children. There's only
128 one test that tests that wait() on an invalid pid returns -1 (or
129 kills the process), but no test where a valid pid is used that is
130 not a child of the current process.
132 The current tests also do not ensure that both scenarios (parent waits
133 first vs. child exits first) are exercised. In this context, I'm
134 wondering if we should add a sleep() system call that would export
135 timer_sleep() to user processes; this would allow the construction of
136 such a test. It would also make it easier to construct a test for the
137 valid-pid, but not-a-child scenario.
139 As in Project 4, the baseline implementation of timer_sleep() should
140 suffice, so this would not necessarily require basing Project 2 on
141 Project 1. [ A related thought: IMO it would not be entirely
142 unreasonable to require timer_sleep() and priority scheduling sans
143 donation from Project 1 working for subsequent projects. ]
147 - Godmar: Get rid of mmap syscall, add sbrk.
149 - Godmar: page-linear, page-shuffle VM tests do not use enough
150 memory to force eviction. Should increase memory consumption.
152 - Godmar: fix the page* tests to require swapping
154 - Godmar: make sure the filesystem fails if not properly
155 concurrency-protected in project 3.
157 - Godmar: Another area in which tests could be created are for
158 project 3: tests that combine mmap with a paging workload to see
159 their kernel pages properly while mmapping pages - I don't think
160 the current tests test that, do they?
164 - Need a better way to measure performance improvement of buffer
165 cache. Some students reported that their system was slower with
166 cache--likely, Bochs doesn't simulate a disk with a realistic
169 (Perhaps we should count disk reads and writes, not time.)
171 - Need lots more tests.
173 - Detect implementations that represent the cwd as a string, by
174 removing a directory that is the cwd of another process, then
175 creating a new directory of the same name and putting some files
176 in it, then checking whether the process that had it as cwd sees
179 - dir-rm-cwd should have a related test that uses a separate process
180 to try to pin the directory as its cwd.
182 - Godmar: I'm not sure if I mentioned that already, but I passed all
183 tests for the filesys project without having implemented inode
184 deallocation. A test is needed that checks that blocks are
185 reclaimed when files are deleted.
187 - Godmar: I'm in the middle of project 4, I've started by
188 implementing a buffer cache and plugging it into the existing
189 filesystem. Along the way I was wondering how we could test the
192 Maybe one could adopt a similar testing strategy as in project 1
193 for the MLQFS scheduler: add a function that reads
194 "get_cache_accesses()" and a function "get_cache_hits()". Then
195 create a version of pintos that creates access traces for a
196 to-be-determined workload. Run an off-line analysis that would
197 determine how many hits a perfect cache would have (MAX), and how
198 much say an LRU strategy would give (MIN). Then add a fudge
199 factor to account for different index strategies and test that the
200 reported number of cache hits/accesses is within (MIN, MAX) +/-
203 (As an aside - I am curious why you chose to use a clock-style
204 algorithm rather than the more straightforward LRU for your buffer
205 cache implementation in your sample solution. Is there a reason
206 for that? I was curious to see if it made a difference, so I
207 implemented LRU for your cache implementation and ran the test
208 workload of project 4 and printed cache hits/accesses. I found
209 that for that workload, the clock-based algorithm performs almost
210 identical to LRU (within about 1%, but I ran nondeterministally
211 with QEMU). I then reduced the cache size to 32 blocks and found
212 again the same performance, which raises the suspicion that the
213 test workload might not force any cache replacement, so the
214 eviction strategy doesn't matter.)
216 - Godmar: I haven't analyzed the tests for project 4 yet, but I'm
217 wondering if the fairness requirements your specification has for
218 readers/writers are covered in the tests or not.
223 - Add "Digging Deeper" sections that describe the nitty-gritty x86
224 details for the benefit of those interested.
226 - Add explanations of what "real" OSes do to give students some
229 * To add partition support:
231 - Find four partition types that are more or less unused and choose
232 to use them for Pintos. (This is implemented.)
234 - Bootloader reads partition tables of all BIOS devices to find the
235 first that has the "Pintos kernel" partition type. (This is
236 implemented.) Ideally the bootloader would make sure there is
237 exactly one such partition, but I didn't implement that yet.
239 - Bootloader reads kernel into memory at 1 MB using BIOS calls.
240 (This is implemented.)
242 - Kernel arguments have to go into a separate sector because the
243 bootloader is otherwise too big to fit now? (I don't recall if I
244 did anything about this.)
246 - Kernel at boot also scans partition tables of all the disks it can
247 find to find the ones with the four Pintos partition types
248 (perhaps not all exist). After that, it makes them available to
249 the rest of the kernel (and doesn't allow access to other devices,
252 - "pintos" and "pintos-mkdisk" need to write a partition table to
253 the disks that they create. "pintos-mkdisk" will need to take a
254 new parameter specifying the type. (I might have partially
255 implemented this, don't remember.)
257 - "pintos" should insist on finding a partition header on disks
258 handed to it, for safety.
260 - Need some way for "pintos" to assemble multiple disks or
261 partitions into a single image that can be copied directly to a
262 USB block device. (I don't know whether I came up with a good
263 solution yet or not, or whether I implemented any of it.)
265 * To add USB support:
267 - Needs to be able to scan PCI bus for UHCI controller. (I
268 implemented this partially.)
270 - May want to be able to initialize USB controllers over CardBus
271 bridges. I don't know whether this requires additional work or
272 if it's useful enough to warrant extra work. (It's of special
273 interest for me because I have a laptop that only has USB via
276 - There are many protocol layers involved: SCSI over USB-Mass
277 Storage over USB over UHCI over PCI. (I may be forgetting one.)
278 I don't know yet whether it's best to separate the layers or to
279 merge (some of) them. I think that a simple and clean
280 organization should be a priority.
282 - VMware can likely be used for testing because it can expose host
283 USB devices as guest USB devices. This is safer and more
284 convenient than using real hardware for testing.
286 - Should test with a variety of USB keychain devices because there
287 seems to be wide variation among them, especially in the SCSI
288 protocols they support. Should try to use a "lowest-common
289 denominator" SCSI protocol if any such thing really exists.
291 - Might want to add a feature whereby kernel arguments can be
292 given interactively, rather than passed on-disk. Needs some
295 ==========================================================================
296 ============================== COMPLETED TASKS ===========================
297 ==========================================================================
299 * Godmar: Introduce memory leak robustness tests - both for the
300 well-behaved as well as the mis-behaved case - that tests that the
301 kernel handles low-mem conditions well.
303 - handled by new multi-oom.
305 * Godmar: improved priority inheritance tests (see priority-donate-chain)
projects / pintos-anon / blob