From c8d8640bf8d202e3fe9d7e1e64e07e6abf6a27e5 Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Fri, 15 Dec 2006 16:09:17 +0000 Subject: [PATCH 1/6] Mps: p4 integ master, for development branch mps/branch/2006-12-15/unfixed-summary to investigate job001548 http://info.ravenbrook.com/project/mps/issue/job001548/ and generally improve AVERs etc to ensure accuracy of summaries. Copied from Perforce Change: 161250 ServerID: perforce.ravenbrook.com From 451c247ba62abe230f4b1e409816ef651ab093c6 Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Fri, 15 Dec 2006 18:11:19 +0000 Subject: [PATCH 2/6] Mps mps.h: (comment-only) clarify that format class a and b are alive and well. it's only the _typename_ "mps_fmt_[ab]_t" that is deprecated, and mps_fmt_[ab]_s* should be used instead. (the old terse "deprecated" mislead me every time i saw it). Copied from Perforce Change: 161253 ServerID: perforce.ravenbrook.com --- mps/code/mps.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mps/code/mps.h b/mps/code/mps.h index a6e4ed2317c..14b6466def5 100644 --- a/mps/code/mps.h +++ b/mps/code/mps.h @@ -189,7 +189,8 @@ typedef struct mps_fmt_A_s { mps_fmt_isfwd_t isfwd; mps_fmt_pad_t pad; } mps_fmt_A_s; -typedef struct mps_fmt_A_s *mps_fmt_A_t; /* deprecated */ +typedef struct mps_fmt_A_s *mps_fmt_A_t; +/* type-name mps_fmt_A_t is deprecated: use mps_fmt_A_s* instead */ typedef struct mps_fmt_B_s { mps_align_t align; @@ -201,7 +202,8 @@ typedef struct mps_fmt_B_s { mps_fmt_pad_t pad; mps_fmt_class_t mps_class; } mps_fmt_B_s; -typedef struct mps_fmt_B_s *mps_fmt_B_t; /* deprecated */ +typedef struct mps_fmt_B_s *mps_fmt_B_t; +/* type-name mps_fmt_B_t is deprecated: use mps_fmt_B_s* instead */ typedef struct mps_fmt_auto_header_s { From c8a01c8fda1fc3cfa0e83d910ee34797dfa1fd05 Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Tue, 19 Dec 2006 10:01:05 +0000 Subject: [PATCH 3/6] Mps design/shield: write a guide (copying the "guide + initialdesign" layout of dessign/message) Copied from Perforce Change: 161305 ServerID: perforce.ravenbrook.com --- mps/design/shield/index.html | 595 +++++++++++++++++++++++++++++++++++ 1 file changed, 595 insertions(+) create mode 100644 mps/design/shield/index.html diff --git a/mps/design/shield/index.html b/mps/design/shield/index.html new file mode 100644 index 00000000000..5ba0e60f5e2 --- /dev/null +++ b/mps/design/shield/index.html @@ -0,0 +1,595 @@ + + + + + + + + +MPS to client message protocol + + + + + +
+ +

+Ravenbrook / +Projects / +Memory Pool System / +Master Product Sources / +Design Documents +

+ +

Memory Pool System Project

+ +
+ +
+ +

This document contains a guide to the MPS Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

+ +
+ +

Guide

+ +

Readership: any MPS Developer.

+ +

Introduction

+ +

Messages are used when the MPS needs to asynchronously send information to the client. Currently, messages are used to signal:

+
    +
  • Finalization
    • +
  • GC-Start
    • +
  • GC-Complete
    • +
+ +

The Originator of the message is some part of the MPS. For example, the finalization system (see poolmrg.c) calls MessagePost() to send a finalization message to the client when an object is no longer referenced.

+ +

The MPS's Message-system (message.c) keeps messages that have been posted and are awaiting collection by the client in an arena-wide queue -- these are "queued messages".

+ +

The Client:

+
    +
  1. periodically calls mps_message_poll() and/or mps_message_get() to get a message from the MPS Message queue;
    2. +
  2. calls accessor functions (eg. mps_message_finalization_ref()) to read data out of the message;
    3. +
  3. calls mps_message_discard() when it has finished using the message.
    4. +
+ + +

The Message-system

+ +

The Message-system does these things:

+
    +
  • class-based method dispatch on any valid message (methods: Delete, slot accessors);
    • +
  • queue for messages that have been Posted but not yet Got;
    • +
  • maintains message lifecycle information (a minimal amount, currently).
    • +
+ + +

Using the Internal Interface

+ +

Any part of the MPS can be a message Originator. The Originator allocates storage for messages it originates.

+ +

Any struct can be a message, as long as it:

+
    +
  • contains an embedded MessageStruct (used by the Message-system for housekeeping);
    • +
  • gets appropriate MessageInit() and MessageFinish() calls (for its embedded MessageStruct);
    • +
  • has a Delete() function, to be called when the Client calls mps_message_discard();
    • +
  • has appropriate accessor functions.
    • +
+ +

Here's an example. Notice the embedded MessageStruct:

+
typedef struct TraceStartMessageStruct {
+  Sig sig;
+  char why[TRACE_START_MESSAGE_WHY_LEN];
+  MessageStruct messageStruct;
+} TraceStartMessageStruct;
+
+ + +

Lifecycle

+ +

The lifecycle of a Message is:

+ +

(alloc Init) unsent (Post) queued (Get) received (Discard Delete Finish free)

+ +

The struct is a valid message between Init and Finish.

+ +

MessagePost() simply links the struct into the message queue (using a RingStruct inside the MessageStruct): no copying occurs. The message is now queued, and MessageOnQueue() returns true. The Originator must not free a queued message, or the Message-system will get upset. Outside this time, the Message-system doesn't care if the message vanishes.

+ +

When/if the client calls mps_message_get(), the Message-system simply unlinks the message from the queue. The message is now received, and is in use by the client.

+ +

When/if the Client calls mps_message_discard(), the Message-system simply calls through to the Originator-supplied Delete method. The Originator may call Finish and free. Or it may recycle the message to unsent by calling Init.

+ +

[Note: the Message-system does not distinguish between unsent and received states, so this recycling is not currently safe. See note below. RHSK 2006-12-11]

+ +

The Originator must not free a queued or received message; and it should not edit the message, or the Client may see inconsistent data.

+ +

If the Client has not enabled messages of this type (with mps_message_type_enable), Posting the message immediately Discards it, which calls the Delete method. The Originator's Delete method must be safe to call from wherever the Originator calls MessagePost().

+ +

Here's a selection of lifecycles:

+ +

(alloc Init) unsent (Post) queued (Get) received (Discard Delete Finish free) -- typical

+ +

(alloc [ Init) unsent (Post) queued (Get) received (Discard Delete ] -- Originator reuses message struct

+ +

... Init) unsent (Post Discard Delete) -- client did not enable this message type

+ +

... Init) unsent (Post) queued -- client never gets message

+ +

... Init) unsent (Post) queued (Get) received -- client never discards message

+ +

Messages can also be dropped from the queue if the client calls mps_message_type_disable() when there are already some messages of that type queued, or if MessageEmpty() is called:

+ +

... Init) unsent (Post) queued (Discard Delete ... -- killing messages

+ + +

Allocation strategy

+ +

The Originator allocates the message struct. The two common allocation strategies are:

+
    +

  • Pre-allocate the message struct when allocating the subject it will refer to. Note that this means you can only have one message in use per subject. (Used for finalization messages and trace start messages).

    • +

  • Allocate the message struct (from control pool) immediately before posting, and free it in the Delete method. (Used for GC-Complete messages).

    • +
+ +

[Note: the Message-system does not currently support re-using message structs, because it does not distinguish between unsent and received states. If Originators would like to safely re-use a message once the client has finished with it (TraceStart messages are the current example), the lifecycle state variable, and check code to do this safely, should be added to the Message-system. RHSK 2006-12-11]

+ + +
+ +

Initial Design

+ +
+                     MPS TO CLIENT MESSAGE PROTOCOL
+                           design.mps.message
+                             incomplete doc
+                             drj 1997-02-13
+
+INTRODUCTION
+
+.readership: Any MPS developer.
+
+.intro: The MCMP provides a means by which clients can receive messages from 
+the MPS asynchronously.  Typical messages may be low memory notification (or in 
+general low utility), finalization notification, soft-failure notification.  
+There is a general assumption that it should not be disastrous for the MPS 
+client to ignore messages, but that it is probably in the clients best interest 
+to not ignore messages.  The justification for this is that the MPS cannot 
+force the MPS client to read and act on messages, so no message should be 
+critical [bogus, since we cannot force clients to check error codes either - 
+Pekka 1997-09-17].
+
+.contents: This document describes the design of the external and internal 
+interfaces and concludes with a sketch of an example design of an internal 
+client.  The example is that of implementing finalization using PoolMRG.
+
+
+REQUIREMENTS
+
+.req: The MPS/Client message protocol will be used for implementing 
+finalization (see design.mps.finalize and req.dylan.fun.final).  It will also 
+be used for implementing the notification of various conditions (possibly 
+req.dylan.prot.consult is relevant here).
+
+
+INTERFACE
+
+
+External Interface
+
+.if.queue:
+
+Messages are presented as a single queue per arena.  Various functions are 
+provided to inspect the queue and inspect messages in it (see below).
+
+
+Functions
+
+.if.fun:
+
+The following functions are provided:
+
+.if.fun.poll: Poll.  Sees whether there are any messages pending.
+
+mps_bool_t mps_message_poll(mps_arena_t arena);
+
+Returns 1 only if there is a message on the queue of arena.  Returns 0 
+otherwise.
+
+.if.fun.enable: Enable.  Enables the flow of messages of a certain type.
+
+void mps_message_type_enable(mps_arena_t arena, mps_message_type_t type);
+
+Enables the specified message type.  The queue of messages of a arena will 
+contain only messages whose types have been enabled.  Initially all message 
+types are disabled.  Effectively this function allows the client to declare to 
+the MPS what message types the client understands.  The MPS does not generate 
+any messages of a type that hasn't been enabled.  This allows the MPS to add 
+new message types (in subsequent releases of a memory manager) without 
+confusing the client.  The client will only be receiving the messages if they 
+have explicitly enabled them (and the client presumably only enables message 
+types when they have written the code to handle them).
+
+.if.fun.disable: Disable.  Disables the flow of messages of a certain type.
+
+void mps_message_type_disable(mps_arena_t arena, mps_message_type_t type);
+
+The antidote to mps_message_type_enable.  Disables the specified message type.  
+Flushes any existing messages of that type on the queue, and stops any further 
+generation of messages of that type. This permits clients to dynamically 
+decline interest in a message type, which may help to avoid a memory leak or 
+bloated queue when the messages are only required temporarily. 
+
+.if.fun.get: begins a message "transaction".
+
+mps_bool_t mps_message_get(mps_message_t *message_return, mps_arena_t arena, 
+mps_message_type_t type);
+
+If there is a message of the specified type on the queue then the first such 
+message will be removed from the queue and a handle to it will be returned to 
+the client in *messageReturn; in this case the function will return TRUE.  
+Otherwise it will return FALSE.  Having obtained a handle on a message in this 
+way, the client can use the type-specific accessors to find out about the 
+message.  When the client is done with the message the client should call 
+mps_message_discard; failure to do so will result in a resource leak.
+
+.if.fun.discard: ends a message "transaction".
+
+void mps_message_discard(mps_arena_t arena, mps_message_t message);
+
+Indicates to the MPS that the client is done with this message and its 
+resources may be reclaimed.
+
+.if.fun.type.any: Determines the type of a message in the queue
+
+mps_bool_t mps_message_queue_type(mps_message_type_t *type_return, mps_arena_t 
+arena);
+
+Returns 1 only if there is a message on the queue of arena, and in this case 
+updates *type_return to be the type of a message in the queue.  Otherwise 
+returns 0.
+
+.if.fun.type: Determines the type of a message (that has already been got).
+
+mps_message_type_t mps_message_type(mps_arena_t arena, mps_message_t message)
+
+Return the type of the message.  Only legal when inside a message transaction 
+(i.e. after mps_message_get and before mps_message_discard).  Note that the 
+type will be the same as the type that the client passed in the call to 
+mps_message_get.
+
+
+Types of messages
+
+.type: The type governs the "shape" and meaning of the message.
+
+.type.int: Types themselves will just be a scalar quantity, an integer.
+
+.type.semantics: A type indicates the semantics of the message.  
+.type.semantics.interpret: The semantics of a message are interpreted by the 
+client by calling various accessor methods on the message.  .type.accessor: The 
+type of a message governs which accessor methods are legal to apply to the 
+message.
+
+.type.example: Some example types:
+
+.type.finalization: There will be a finalization type.  The type is abstractly: 
+FinalizationMessage(Ref).
+
+.type.finalization.semantics: A finalization message indicates that an object 
+has been discovered to be finalizable (see design.mps.poolmrg.def.final.object 
+for a definition of finalizable).  .type.finalization.ref: There is an accessor 
+to get the reference of the finalization message (i.e. a reference to the 
+object which is finalizable) called mps_message_finalization_ref.  
+.type.finalization.ref.scan: Note that the reference returned should be stored 
+in scanned memory.
+
+
+.compatibility:
+
+Compatibility issues
+
+.compatibility.future.type-new: Notice that message of a type that the client 
+doesn't understand are not placed on the queue, therefore the MPS can introduce 
+new types of message and existing client will still function and will not leak 
+resources.  This has been achieved by getting the client to declare the types 
+that the client understands (with mps_message_type_enable, .if.fun.enable).
+
+.compatibility.future.type-extend: The information available in a message of a 
+given type can be extended by providing more accessor methods.  Old clients 
+won't get any of this information but that's okay.
+
+
+Internal Interface
+
+
+.message.instance: Messages are instances of Message Classes.  
+.message.concrete: Concretely a Message is represented by a MessageStruct.  A 
+MessageStruct has the usual signature field (see design.mps.sig).  A 
+MessageStruct has a type field which defines its type, a ring node, which is 
+used to attach the message to the queue of pending messages, a class field, 
+which identifies a MessageClass object.  .message.intent: The intention is that 
+a MessageStruct will be embedded in some richer object which contains 
+information relevant to that specific type of message.
+
+.message.type:
+
+typedef struct MessageStruct *Message;
+
+.message.struct:
+
+struct MessageStruct {
+  Sig sig;
+  MessageType type;
+  MessageClass class;
+  RingStruct node;
+} MessageStruct;
+
+
+.class: A message class is an encapsulation of methods.  It encapsulates 
+methods that are applicable to all types of messages (generic) and methods that 
+are applicable to messages only of a certain type (type-specific).  
+.class.concrete: Concretely a message class is represented by a 
+MessageClassStruct (a struct).  Clients of the Message module are expected to 
+allocate storage for and initialise the MessageClassStruct.  It is expected 
+that such storage will be allocated and initialised statically.
+
+.class.not-type: Note that message classes and message types are distinct.  
+.class.not-type.why: (see also mail.drj.1997-07-15.10-33(0) from which this is 
+derived)  This allows two different implementations (ie classes) of messages 
+with the same meaning (ie type).  This may be necessary because the (memory) 
+management of the messages may be different in the two implemtations (which is 
+bogus).  The case of having one class implement two types is not expected to be 
+so useful.  .class.not-type.why.not: It's all pretty feeble justification 
+anyway.
+
+.class.methods.generic: The generic methods are:
+
+delete - used when the message is destroyed (by the client calling 
+mps_message_discard).  The class implementation should finish the message (by 
+calling MessageFinish) and storage for the message should be reclaimed (if 
+applicable).
+
+.class.methods.specific: 
+
+The type specific methods are:
+
+.class.methods.specific.finalization:
+
+Specific to MessageTypeFinalization
+
+finalizationRef - returns a reference to the finalizable object represented by 
+this message.
+
+.class.methods.specific.collectionstats:
+
+Specific to MessageTypeCollectionStats
+
+collectionStatsLiveSize - returns the number of bytes (of objects) that were 
+condemned but survived.
+
+collectionStatsCondemnedSize - returns the number of bytes condemned in the 
+collection.
+
+collectionStatsNotCondemnedSize - returns the the number of bytes (of objects) 
+that are subject to a GC policy (ie collectable) but were not condemned in the 
+collection.
+
+
+.class.type:
+
+typedef struct MessageClassStruct *MessageClass;
+
+.class.sig.double: The MessageClassStruct has a signature field at both ends.  
+This is so that if the MessageClassStruct changes size (by adding extra methods 
+for example) then any static initializers will generate errors from the 
+compiler (there will be a type error causes by initialising a non-sig type 
+field with a sig) unless the static initializers are changed as well.
+
+.class.struct:
+
+typedef struct MessageClassStruct {
+  Sig sig;                      /* design.mps.sig */
+  const char *name;             /* Human readable Class name */
+
+  /* generic methods */
+  MessageDeleteMethod delete;   /* terminates a message */
+
+  /* methods specific to MessageTypeFinalization */
+  MessageFinalizationRefMethod finalizationRef;
+
+  /* methods specific to MessageTypeCollectionStats */
+  MessageCollectionStatsLiveSizeMethod collectionStatsLiveSize;
+  MessageCollectionStatsCondemnedSizeMethod collectionStatsCondemnedSize;
+  MessageCollectionStatsNotCondemnedSizeMethod collectionStatsNotCondemnedSize;
+
+  Sig endSig;                   /* design.mps.message.class.sig.double */
+} MessageClassStruct;
+
+
+.space.queue: The arena structure is augmented with a structure for managing 
+for queue of pending messages.  This is a ring in the ArenaStruct.
+
+struct ArenaStruct
+{
+  ...
+  RingStruct messageRing;
+  ...
+}
+
+
+Functions
+
+.fun.init:
+/* Initializes a message */
+void MessageInit(Arena arena, Message message, MessageClass class);
+
+Initializes the MessageStruct pointed to by message.  The caller of this 
+function is expected to manage the store for the MessageStruct.
+
+.fun.finish:
+/* Finishes a message */
+void MessageFinish(Message message);
+
+Finishes the MessageStruct pointed to by message.  The caller of this function 
+is expected to manage the store for the MessageStruct.
+
+.fun.post:
+/* Places a message on the client accessible queue */
+void MessagePost(Arena arena, Message message);
+
+This function places a message on the queue of a arena.  .fun.post.precondition
+: Prior to calling the function the node field of the message must be a 
+singleton.  After the call to the function the message will be available for 
+MPS client to access.  After the call to the function the message fields must 
+not be manipulated except from the message's class's method functions (i.e., 
+you mustn't poke about with the node field in particular).
+
+.fun.empty:
+void MessageEmpty(Arena arena);
+
+Empties the message queue.  This function has the same effect as discarding all 
+the messages on the queue.  After calling this function there will be no 
+messages on the queue.  .fun.empty.internal-only: This functionality is not 
+exposed to clients.  We might want to expose this functionality to our clients 
+in the future.
+
+
+
+
+Message Life Cycle
+
+.life: A message will be allocated by a client of the message module, it will 
+be initialised by calling MessageInit.  The client will eventually post the 
+message on the external queue (in fact most clients will create a message and 
+then immediately post it).  The message module may then apply any of the 
+methods to the message.  The message module will eventually destroy the message 
+by applying the Delete method to it.
+
+
+EXAMPLES
+
+
+Finalization
+
+[possibly out of date, see design.mps.finalize and design.mps.poolmrg instead 
+-- drj 1997-08-28]
+
+This subsection is a sketch of how PoolMRG will use Messages for finalization 
+(see design.mps.poolmrg).
+
+PoolMRG has guardians (see design.mps.poolmrg.guardian), guardians are used to 
+manage final references and detect when an object is finalizable.
+
+The link part of a guardian will include a MessageStruct.
+
+The MessageStruct is allocated when the final reference is created (which is 
+when the referred to object is registered for finalization).  This avoids 
+allocating at the time when the message gets posted (which might be a tricky, 
+undesirable, or impossible, time to allocate).
+
+PoolMRG has two queues: the entry queue, and the exit queue.  The entry 
+queue will use a ring; the exit queue of MRG will simply be the 
+external message queue.
+
+[The evil hack of 'borrowing' MessageStruct's ring node for the entry 
+queue was removed from the code ages ago, so I've removed the account 
+of it from this text too.  RHSK 2006-12-11]
+
+MRG Message class
+
+del - frees both the link part and the reference part of the guardian.
+
+
+ +
+ + +

A. References

+ + + + +

B. Document History

+ + + + + + + + + + + + + + + + + + + + + +
2002-06-07RBConverted from MMInfo database design document.
2006-10-25RHSKCreated guide.
2006-12-11RHSKMore on lifecycle; unmention evil hack in initial design.
+ + +

C. Copyright and License

+ +

This document is copyright © 1995-2002, 2006 Ravenbrook Limited. All rights reserved. This is an open source license. Contact Ravenbrook for commercial licensing options.

+ +

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

+ +
    + +
  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    2. + +
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    3. + +
  3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the this software and any accompanying software that uses this software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs.
    4. + +
+ +

This software is provided by the copyright holders and contributors "as is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement, are disclaimed. In no event shall the copyright holders and contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

+ + +
+ +
+ +

$Id$

+ +

+Ravenbrook / +Projects / +Memory Pool System / +Master Product Sources / +Design Documents +

+ +
+ + + + From b762f242d683a88bbf642b9175b5e8b8e1703879 Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Tue, 19 Dec 2006 10:11:53 +0000 Subject: [PATCH 4/6] Mps design/message: (cosmetic) centred h1 doc-title "mps to client message protocol" Copied from Perforce Change: 161306 ServerID: perforce.ravenbrook.com --- mps/design/message/index.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mps/design/message/index.html b/mps/design/message/index.html index 5ba0e60f5e2..9f9c427f7e0 100644 --- a/mps/design/message/index.html +++ b/mps/design/message/index.html @@ -6,7 +6,7 @@ -MPS to client message protocol +MPS to Client Message Protocol @@ -26,15 +26,17 @@
+

MPS to Client Message Protocol

+ -

This document contains a guide to the MPS Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

+

This document contains a guide to the MPS to Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

Guide

-

Readership: any MPS Developer.

+

Readership: any MPS developer. Not confidential.

Introduction

From 9ca341612bdd2dcf11b7d8b95b870c18bbd4e7ab Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Tue, 19 Dec 2006 10:13:14 +0000 Subject: [PATCH 5/6] Mps design/shield: (update from design/message for html tweaks) Copied from Perforce Change: 161307 ServerID: perforce.ravenbrook.com --- mps/design/shield/index.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mps/design/shield/index.html b/mps/design/shield/index.html index 5ba0e60f5e2..9f9c427f7e0 100644 --- a/mps/design/shield/index.html +++ b/mps/design/shield/index.html @@ -6,7 +6,7 @@ -MPS to client message protocol +MPS to Client Message Protocol @@ -26,15 +26,17 @@
+

MPS to Client Message Protocol

+ -

This document contains a guide to the MPS Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

+

This document contains a guide to the MPS to Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

Guide

-

Readership: any MPS Developer.

+

Readership: any MPS developer. Not confidential.

Introduction

From 8592030ad7d44103b74196632066447bcce4ba6f Mon Sep 17 00:00:00 2001 From: Richard Kistruck Date: Tue, 19 Dec 2006 14:01:23 +0000 Subject: [PATCH 6/6] mps design/shield: guide, plus links to initial ideas. Copied from Perforce Change: 161311 ServerID: perforce.ravenbrook.com --- mps/design/shield/index.html | 519 ++++------------------------------- 1 file changed, 52 insertions(+), 467 deletions(-) diff --git a/mps/design/shield/index.html b/mps/design/shield/index.html index 9f9c427f7e0..a065b611248 100644 --- a/mps/design/shield/index.html +++ b/mps/design/shield/index.html @@ -6,7 +6,7 @@ -MPS to Client Message Protocol +MPS Shield @@ -26,11 +26,11 @@
-

MPS to Client Message Protocol

+

MPS Shield

-

This document contains a guide to the MPS to Client Message Protocol, followed by the historical initial design. References, History, Copyright and License are at the end.

+

This document contains a guide to the MPS Shield. There is no historical initial design, but in its place there are some early ideas and discussions: initial ideas. References, History, Copyright and License are at the end.

@@ -40,470 +40,67 @@

Introduction

-

Messages are used when the MPS needs to asynchronously send information to the client. Currently, messages are used to signal:

+

For incremental collection, we need separate control of collector access and mutator (client) access to memory. (The collector must be able to incrementally scan objects, without the mutator being able to see them yet).

+ +

Unfortunately common OSs do not support different access levels (protection maps) for different parts of the same process.

+ +

The MPS Shield is an abstraction that does extra work to overcome this limitation, and give the rest of the MPS the illusion that we can control collector and mutator access separately.

+ + +

Control of mutator access: Raise, Lower, Suspend, Resume

+ +

The MPS uses ShieldRaise and ShieldLower to forbid or permit the mutator access to object memory (that is, memory allocated by MPS):

+ +

ShieldRaise(mode) prevents the mutator accessing the memory in the specified mode (read, write, or both).

+ +

ShieldLower(mode) allows the mutator to access the memory in the specified mode (read, write, or both).

+ +

If the mutator attempts an access that hits a shield, the MPS gets a barrier hit (aka fault, interrupt, exception, etc), quickly does some necessary work, and then makes the access succeed.

+ + +

Some objects (eg. registers) cannot be hardware protected: the only way to prevent mutator access to them is to halt all mutator threads. The MPS uses ShieldSuspend and ShieldResume to do this.

+ + +

Control of collector access: Enter, Leave, Expose, Cover

+ +

When the collector wants to access object memory (that is, memory allocated by MPS), it must call ShieldEnter, then wrap any accesses with a ShieldExpose / ShieldCover pair, and finally call ShieldLeave.

+ +

ShieldExpose might for example be called around:

    -
  • Finalization
    • -
  • GC-Start
    • -
  • GC-Complete
    • +
  • format-scan (when Scanning);
    • +
  • format-skip (when marking grains in a non-moving Fix);
    • +
  • format-isMoved, AddrCopy (aka memcpy), and format-move (during a copying Fix);
    • +
  • format-pad (during reclaim).
-

The Originator of the message is some part of the MPS. For example, the finalization system (see poolmrg.c) calls MessagePost() to send a finalization message to the client when an object is no longer referenced.

+

Note that there is no need to call ShieldExpose when accessing pool management memory such as bit tables etc. This is not object memory, is never (legally) accessed by the mutator, and so is never shielded.

-

The MPS's Message-system (message.c) keeps messages that have been posted and are awaiting collection by the client in an arena-wide queue -- these are "queued messages".

+

On common OSs, the only way to allow collector access is to allow access from the whole process, including the mutator. So if the shield is asked to allow collector access but deny mutator access, it will halt all mutator threads to prevent any mutator access. The MPS Shield performs suspension and restart; normal collector code does not need to worry about it.

-

The Client:

-
    -
  1. periodically calls mps_message_poll() and/or mps_message_get() to get a message from the MPS Message queue;
    2. -
  2. calls accessor functions (eg. mps_message_finalization_ref()) to read data out of the message;
    3. -
  3. calls mps_message_discard() when it has finished using the message.
    4. -
+

Collector code can make multiple sequential, overlapping, or nested calls to ShieldExpose on the same segment. (Each must be balanced by a ShieldCover before ShieldLeave is called). A usage count is maintained in seg->depth: a positive "depth" means a positive number of outstanding reasons why the segment must be exposed to the collector.

+

When the usage count reaches zero, the Shield could re-instate hardware protection. However, as a performance-improving hysteresis, it defers this, maintaining a cache of the last 16 times a segment no longer had a reason to be collector-accessible. Presence in the cache counts as a 'reason': segments in the cache have seg->depth increased by one. As segments get pushed out of the cache, or at ShieldLeave, this artificial 'reason' is decremented from seg->depth, and (if depth is now zero) the deferred reinstatement of hardware protection happens.

-

The Message-system

+

So whenever hardware protection is temporarily removed to allow collector access, there is a 'nurse' that will ensure this protection is re-established: the nurse is either the balancing ShieldCover call in collector code, or an entry in the shield cache.

-

The Message-system does these things:

-
    -
  • class-based method dispatch on any valid message (methods: Delete, slot accessors);
    • -
  • queue for messages that have been Posted but not yet Got;
    • -
  • maintains message lifecycle information (a minimal amount, currently).
    • -
+

[Why is there a fixed-size cache? This is not the simple approach! All we need is a chain of segs that might need their hardware protection to be sync'd with their shield mode. Head in the shield, and one pointer in each seg struct. I guess we try hard to avoid bloating SegStruct. But is 16 the right size? A cache-miss wastes two kernel calls. RHSK 2006-12-19]

+

[Also, I don't like the cache code. For example, why does ShieldFlush break out early if arena->shDepth is 0? This should never happen until the cache is completely flushed, ie. we have reached shCacheLimit. Why does ShieldFlush not reset shCacheLimit? Why does flush() silently accept NULL cache entries? RHSK 2006-12-19]

-

Using the Internal Interface

- -

Any part of the MPS can be a message Originator. The Originator allocates storage for messages it originates.

- -

Any struct can be a message, as long as it:

-
    -
  • contains an embedded MessageStruct (used by the Message-system for housekeeping);
    • -
  • gets appropriate MessageInit() and MessageFinish() calls (for its embedded MessageStruct);
    • -
  • has a Delete() function, to be called when the Client calls mps_message_discard();
    • -
  • has appropriate accessor functions.
    • -
- -

Here's an example. Notice the embedded MessageStruct:

-
typedef struct TraceStartMessageStruct {
-  Sig sig;
-  char why[TRACE_START_MESSAGE_WHY_LEN];
-  MessageStruct messageStruct;
-} TraceStartMessageStruct;
-
- - -

Lifecycle

- -

The lifecycle of a Message is:

- -

(alloc Init) unsent (Post) queued (Get) received (Discard Delete Finish free)

- -

The struct is a valid message between Init and Finish.

- -

MessagePost() simply links the struct into the message queue (using a RingStruct inside the MessageStruct): no copying occurs. The message is now queued, and MessageOnQueue() returns true. The Originator must not free a queued message, or the Message-system will get upset. Outside this time, the Message-system doesn't care if the message vanishes.

- -

When/if the client calls mps_message_get(), the Message-system simply unlinks the message from the queue. The message is now received, and is in use by the client.

- -

When/if the Client calls mps_message_discard(), the Message-system simply calls through to the Originator-supplied Delete method. The Originator may call Finish and free. Or it may recycle the message to unsent by calling Init.

- -

[Note: the Message-system does not distinguish between unsent and received states, so this recycling is not currently safe. See note below. RHSK 2006-12-11]

- -

The Originator must not free a queued or received message; and it should not edit the message, or the Client may see inconsistent data.

- -

If the Client has not enabled messages of this type (with mps_message_type_enable), Posting the message immediately Discards it, which calls the Delete method. The Originator's Delete method must be safe to call from wherever the Originator calls MessagePost().

- -

Here's a selection of lifecycles:

- -

(alloc Init) unsent (Post) queued (Get) received (Discard Delete Finish free) -- typical

- -

(alloc [ Init) unsent (Post) queued (Get) received (Discard Delete ] -- Originator reuses message struct

- -

... Init) unsent (Post Discard Delete) -- client did not enable this message type

- -

... Init) unsent (Post) queued -- client never gets message

- -

... Init) unsent (Post) queued (Get) received -- client never discards message

- -

Messages can also be dropped from the queue if the client calls mps_message_type_disable() when there are already some messages of that type queued, or if MessageEmpty() is called:

- -

... Init) unsent (Post) queued (Discard Delete ... -- killing messages

- - -

Allocation strategy

- -

The Originator allocates the message struct. The two common allocation strategies are:

-
    -

  • Pre-allocate the message struct when allocating the subject it will refer to. Note that this means you can only have one message in use per subject. (Used for finalization messages and trace start messages).

    • -

  • Allocate the message struct (from control pool) immediately before posting, and free it in the Delete method. (Used for GC-Complete messages).

    • -
- -

[Note: the Message-system does not currently support re-using message structs, because it does not distinguish between unsent and received states. If Originators would like to safely re-use a message once the client has finished with it (TraceStart messages are the current example), the lifecycle state variable, and check code to do this safely, should be added to the Message-system. RHSK 2006-12-11]

- +

[Also, why is seg->depth never checked for overflow? It is only a 4-bit-wide bit field, currently. RHSK 2006-12-19]

-

Initial Design

+

Initial Ideas

-
-                     MPS TO CLIENT MESSAGE PROTOCOL
-                           design.mps.message
-                             incomplete doc
-                             drj 1997-02-13
+
See this very helpful
+  overview of protected tracing
+  .
+  Note that this overview is old, and the details may be inaccurate.

 
-INTRODUCTION
-
-.readership: Any MPS developer.
-
-.intro: The MCMP provides a means by which clients can receive messages from 
-the MPS asynchronously.  Typical messages may be low memory notification (or in 
-general low utility), finalization notification, soft-failure notification.  
-There is a general assumption that it should not be disastrous for the MPS 
-client to ignore messages, but that it is probably in the clients best interest 
-to not ignore messages.  The justification for this is that the MPS cannot 
-force the MPS client to read and act on messages, so no message should be 
-critical [bogus, since we cannot force clients to check error codes either - 
-Pekka 1997-09-17].
-
-.contents: This document describes the design of the external and internal 
-interfaces and concludes with a sketch of an example design of an internal 
-client.  The example is that of implementing finalization using PoolMRG.
-
-
-REQUIREMENTS
-
-.req: The MPS/Client message protocol will be used for implementing 
-finalization (see design.mps.finalize and req.dylan.fun.final).  It will also 
-be used for implementing the notification of various conditions (possibly 
-req.dylan.prot.consult is relevant here).
-
-
-INTERFACE
-
-
-External Interface
-
-.if.queue:
-
-Messages are presented as a single queue per arena.  Various functions are 
-provided to inspect the queue and inspect messages in it (see below).
-
-
-Functions
-
-.if.fun:
-
-The following functions are provided:
-
-.if.fun.poll: Poll.  Sees whether there are any messages pending.
-
-mps_bool_t mps_message_poll(mps_arena_t arena);
-
-Returns 1 only if there is a message on the queue of arena.  Returns 0 
-otherwise.
-
-.if.fun.enable: Enable.  Enables the flow of messages of a certain type.
-
-void mps_message_type_enable(mps_arena_t arena, mps_message_type_t type);
-
-Enables the specified message type.  The queue of messages of a arena will 
-contain only messages whose types have been enabled.  Initially all message 
-types are disabled.  Effectively this function allows the client to declare to 
-the MPS what message types the client understands.  The MPS does not generate 
-any messages of a type that hasn't been enabled.  This allows the MPS to add 
-new message types (in subsequent releases of a memory manager) without 
-confusing the client.  The client will only be receiving the messages if they 
-have explicitly enabled them (and the client presumably only enables message 
-types when they have written the code to handle them).
-
-.if.fun.disable: Disable.  Disables the flow of messages of a certain type.
-
-void mps_message_type_disable(mps_arena_t arena, mps_message_type_t type);
-
-The antidote to mps_message_type_enable.  Disables the specified message type.  
-Flushes any existing messages of that type on the queue, and stops any further 
-generation of messages of that type. This permits clients to dynamically 
-decline interest in a message type, which may help to avoid a memory leak or 
-bloated queue when the messages are only required temporarily. 
-
-.if.fun.get: begins a message "transaction".
-
-mps_bool_t mps_message_get(mps_message_t *message_return, mps_arena_t arena, 
-mps_message_type_t type);
-
-If there is a message of the specified type on the queue then the first such 
-message will be removed from the queue and a handle to it will be returned to 
-the client in *messageReturn; in this case the function will return TRUE.  
-Otherwise it will return FALSE.  Having obtained a handle on a message in this 
-way, the client can use the type-specific accessors to find out about the 
-message.  When the client is done with the message the client should call 
-mps_message_discard; failure to do so will result in a resource leak.
-
-.if.fun.discard: ends a message "transaction".
-
-void mps_message_discard(mps_arena_t arena, mps_message_t message);
-
-Indicates to the MPS that the client is done with this message and its 
-resources may be reclaimed.
-
-.if.fun.type.any: Determines the type of a message in the queue
-
-mps_bool_t mps_message_queue_type(mps_message_type_t *type_return, mps_arena_t 
-arena);
-
-Returns 1 only if there is a message on the queue of arena, and in this case 
-updates *type_return to be the type of a message in the queue.  Otherwise 
-returns 0.
-
-.if.fun.type: Determines the type of a message (that has already been got).
-
-mps_message_type_t mps_message_type(mps_arena_t arena, mps_message_t message)
-
-Return the type of the message.  Only legal when inside a message transaction 
-(i.e. after mps_message_get and before mps_message_discard).  Note that the 
-type will be the same as the type that the client passed in the call to 
-mps_message_get.
-
-
-Types of messages
-
-.type: The type governs the "shape" and meaning of the message.
-
-.type.int: Types themselves will just be a scalar quantity, an integer.
-
-.type.semantics: A type indicates the semantics of the message.  
-.type.semantics.interpret: The semantics of a message are interpreted by the 
-client by calling various accessor methods on the message.  .type.accessor: The 
-type of a message governs which accessor methods are legal to apply to the 
-message.
-
-.type.example: Some example types:
-
-.type.finalization: There will be a finalization type.  The type is abstractly: 
-FinalizationMessage(Ref).
-
-.type.finalization.semantics: A finalization message indicates that an object 
-has been discovered to be finalizable (see design.mps.poolmrg.def.final.object 
-for a definition of finalizable).  .type.finalization.ref: There is an accessor 
-to get the reference of the finalization message (i.e. a reference to the 
-object which is finalizable) called mps_message_finalization_ref.  
-.type.finalization.ref.scan: Note that the reference returned should be stored 
-in scanned memory.
-
-
-.compatibility:
-
-Compatibility issues
-
-.compatibility.future.type-new: Notice that message of a type that the client 
-doesn't understand are not placed on the queue, therefore the MPS can introduce 
-new types of message and existing client will still function and will not leak 
-resources.  This has been achieved by getting the client to declare the types 
-that the client understands (with mps_message_type_enable, .if.fun.enable).
-
-.compatibility.future.type-extend: The information available in a message of a 
-given type can be extended by providing more accessor methods.  Old clients 
-won't get any of this information but that's okay.
-
-
-Internal Interface
-
-
-.message.instance: Messages are instances of Message Classes.  
-.message.concrete: Concretely a Message is represented by a MessageStruct.  A 
-MessageStruct has the usual signature field (see design.mps.sig).  A 
-MessageStruct has a type field which defines its type, a ring node, which is 
-used to attach the message to the queue of pending messages, a class field, 
-which identifies a MessageClass object.  .message.intent: The intention is that 
-a MessageStruct will be embedded in some richer object which contains 
-information relevant to that specific type of message.
-
-.message.type:
-
-typedef struct MessageStruct *Message;
-
-.message.struct:
-
-struct MessageStruct {
-  Sig sig;
-  MessageType type;
-  MessageClass class;
-  RingStruct node;
-} MessageStruct;
-
-
-.class: A message class is an encapsulation of methods.  It encapsulates 
-methods that are applicable to all types of messages (generic) and methods that 
-are applicable to messages only of a certain type (type-specific).  
-.class.concrete: Concretely a message class is represented by a 
-MessageClassStruct (a struct).  Clients of the Message module are expected to 
-allocate storage for and initialise the MessageClassStruct.  It is expected 
-that such storage will be allocated and initialised statically.
-
-.class.not-type: Note that message classes and message types are distinct.  
-.class.not-type.why: (see also mail.drj.1997-07-15.10-33(0) from which this is 
-derived)  This allows two different implementations (ie classes) of messages 
-with the same meaning (ie type).  This may be necessary because the (memory) 
-management of the messages may be different in the two implemtations (which is 
-bogus).  The case of having one class implement two types is not expected to be 
-so useful.  .class.not-type.why.not: It's all pretty feeble justification 
-anyway.
-
-.class.methods.generic: The generic methods are:
-
-delete - used when the message is destroyed (by the client calling 
-mps_message_discard).  The class implementation should finish the message (by 
-calling MessageFinish) and storage for the message should be reclaimed (if 
-applicable).
-
-.class.methods.specific: 
-
-The type specific methods are:
-
-.class.methods.specific.finalization:
-
-Specific to MessageTypeFinalization
-
-finalizationRef - returns a reference to the finalizable object represented by 
-this message.
-
-.class.methods.specific.collectionstats:
-
-Specific to MessageTypeCollectionStats
-
-collectionStatsLiveSize - returns the number of bytes (of objects) that were 
-condemned but survived.
-
-collectionStatsCondemnedSize - returns the number of bytes condemned in the 
-collection.
-
-collectionStatsNotCondemnedSize - returns the the number of bytes (of objects) 
-that are subject to a GC policy (ie collectable) but were not condemned in the 
-collection.
-
-
-.class.type:
-
-typedef struct MessageClassStruct *MessageClass;
-
-.class.sig.double: The MessageClassStruct has a signature field at both ends.  
-This is so that if the MessageClassStruct changes size (by adding extra methods 
-for example) then any static initializers will generate errors from the 
-compiler (there will be a type error causes by initialising a non-sig type 
-field with a sig) unless the static initializers are changed as well.
-
-.class.struct:
-
-typedef struct MessageClassStruct {
-  Sig sig;                      /* design.mps.sig */
-  const char *name;             /* Human readable Class name */
-
-  /* generic methods */
-  MessageDeleteMethod delete;   /* terminates a message */
-
-  /* methods specific to MessageTypeFinalization */
-  MessageFinalizationRefMethod finalizationRef;
-
-  /* methods specific to MessageTypeCollectionStats */
-  MessageCollectionStatsLiveSizeMethod collectionStatsLiveSize;
-  MessageCollectionStatsCondemnedSizeMethod collectionStatsCondemnedSize;
-  MessageCollectionStatsNotCondemnedSizeMethod collectionStatsNotCondemnedSize;
-
-  Sig endSig;                   /* design.mps.message.class.sig.double */
-} MessageClassStruct;
-
-
-.space.queue: The arena structure is augmented with a structure for managing 
-for queue of pending messages.  This is a ring in the ArenaStruct.
-
-struct ArenaStruct
-{
-  ...
-  RingStruct messageRing;
-  ...
-}
-
-
-Functions
-
-.fun.init:
-/* Initializes a message */
-void MessageInit(Arena arena, Message message, MessageClass class);
-
-Initializes the MessageStruct pointed to by message.  The caller of this 
-function is expected to manage the store for the MessageStruct.
-
-.fun.finish:
-/* Finishes a message */
-void MessageFinish(Message message);
-
-Finishes the MessageStruct pointed to by message.  The caller of this function 
-is expected to manage the store for the MessageStruct.
-
-.fun.post:
-/* Places a message on the client accessible queue */
-void MessagePost(Arena arena, Message message);
-
-This function places a message on the queue of a arena.  .fun.post.precondition
-: Prior to calling the function the node field of the message must be a 
-singleton.  After the call to the function the message will be available for 
-MPS client to access.  After the call to the function the message fields must 
-not be manipulated except from the message's class's method functions (i.e., 
-you mustn't poke about with the node field in particular).
-
-.fun.empty:
-void MessageEmpty(Arena arena);
-
-Empties the message queue.  This function has the same effect as discarding all 
-the messages on the queue.  After calling this function there will be no 
-messages on the queue.  .fun.empty.internal-only: This functionality is not 
-exposed to clients.  We might want to expose this functionality to our clients 
-in the future.
-
-
-
-
-Message Life Cycle
-
-.life: A message will be allocated by a client of the message module, it will 
-be initialised by calling MessageInit.  The client will eventually post the 
-message on the external queue (in fact most clients will create a message and 
-then immediately post it).  The message module may then apply any of the 
-methods to the message.  The message module will eventually destroy the message 
-by applying the Delete method to it.
-
-
-EXAMPLES
-
-
-Finalization
-
-[possibly out of date, see design.mps.finalize and design.mps.poolmrg instead 
--- drj 1997-08-28]
-
-This subsection is a sketch of how PoolMRG will use Messages for finalization 
-(see design.mps.poolmrg).
-
-PoolMRG has guardians (see design.mps.poolmrg.guardian), guardians are used to 
-manage final references and detect when an object is finalizable.
-
-The link part of a guardian will include a MessageStruct.
-
-The MessageStruct is allocated when the final reference is created (which is 
-when the referred to object is registered for finalization).  This avoids 
-allocating at the time when the message gets posted (which might be a tricky, 
-undesirable, or impossible, time to allocate).
-
-PoolMRG has two queues: the entry queue, and the exit queue.  The entry 
-queue will use a ring; the exit queue of MRG will simply be the 
-external message queue.
-
-[The evil hack of 'borrowing' MessageStruct's ring node for the entry 
-queue was removed from the code ages ago, so I've removed the account 
-of it from this text too.  RHSK 2006-12-11]
-
-MRG Message class
-
-del - frees both the link part and the reference part of the guardian.
-
-
+

See + idea.shield + .

@@ -537,21 +134,9 @@ del - frees both the link part and the reference part of the guardian. - - - - - - - + - - - - - - - +
2002-06-07RBConverted from MMInfo database design document.
2006-10-252006-12-19 RHSKCreated guide.
2006-12-11RHSKMore on lifecycle; unmention evil hack in initial design.Created: Guide, plus links to initial ideas.
@@ -559,7 +144,7 @@ del - frees both the link part and the reference part of the guardian.

C. Copyright and License

-

This document is copyright © 1995-2002, 2006 Ravenbrook Limited. All rights reserved. This is an open source license. Contact Ravenbrook for commercial licensing options.

+

This document is copyright © 2006 Ravenbrook Limited. All rights reserved. This is an open source license. Contact Ravenbrook for commercial licensing options.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: