New Embedded OS Approach To Memory Protection Targets High-Availability Systems

Oct. 2, 2000
The protection-domain memory model allows code and data resources to be encapsulated in a protected environment.

Protected-domain support is just one of the innovative features available in a new operating system from Wind River Systems. Named VxWorks AE RTOS/Tornado Tools 3.0, the system retains and extends Wind River's popular VxWorks application programming interface (API). In addition, it includes new fault-tolerant features, like resource reclamation and distributed messaging, as well as a fault-detection, processing, and recovery framework. Support is also included for CompactPCI Hot Swap and chassis support packages for commercial off-the-shelf (COTS) CompactPCI high-availability systems.

VxWorks AE RTOS takes advantage of a processor's memory management unit (MMU) whenever appropriate. The operating system is designed to complement VxWorks, which doesn't utilize an MMU.

Deterministic performance was a design goal for the new operating system. Its performance characteristics are the same as VxWorks when MMU support isn't used. Designers can choose the level of protection necessary with the understanding that higher levels of protection incur more overhead. This allows noncritical portions of an application to run in an isolated and protected environment, while high-performance portions of an application can run in a less-restrictive environment. More attention will usually be paid when developing the latter, essentially moving the need for correctness and protection from the hardware to the application developer.

Most operating systems provide a more rigid environment: low-level kernel or kernel-driver code runs with no protection, while applications run with full protection. Wind River's protection domain provides these two environments as well as a range of protected environments in between the two extremes.

The AE RTOS allows designers to specify how applications will be protected from one another. Each application is contained within a protected domain and separated from other applications by protection boundaries (see the figure).

Communication across protection boundaries can take place. The amount of overhead is based upon the type of protections that are imposed by the application designer.

Applications encompass tasks, stacks, heaps, physical and virtual memory pages, kernel objects such as semaphores, message queues and file descriptors, plus shared library code and data. Applications in the same protection domain share a common address space. Applications publish entry points that other applications can utilize, allowing both dynamic and static protection specifications.

Protection domains provide per-task stack-overflow detection. Heap-overflow detection in the AE RTOS can be coupled with the "auto-grow" feature. This lets heaps increase in size within specified limits. The operating system supports limited-task priority ranges within protection domains.

Protection-domain creation is new to the VxWorks AE RTOS. But once it's created, a protection domain can be used to run a VxWorks application without modification. The VxWorks AE RTOS loader addresses protection boundaries and linkages to the kernel and other applications.

VxWorks requires an application to clean up before terminating. VxWorks AE RTOS automates this resource reclamation chore per protection domain. Resources allocated by tasks within a protection domain are reclaimed by the system when the application terminates. Resources include objects like memory, files, semaphores, and message queues.

The distributed messaging system in the AE RTOS provides interprocess communication that can span processors. The new message-passing system is transparent to developers who use the existing VxWorks API. Distributed objects are named by service points. A name server provides access to these service points regardless of where they reside within a system.

For redundancy and performance, the name service can be replicated. The default communication protocol is UDP, permitting operation over Ethernet or shared memory. Reliable communication is provided via message acknowledgements and packet sequence numbers.
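The reliability mechanism named above, acknowledgements plus sequence numbers over an unreliable datagram transport, is easiest to see in a small simulation. The following is an added illustration written for this article, not Wind River code; the lossy channel, its drop pattern, and the stop-and-wait retransmit policy are assumptions. Note how the receiver acknowledges a duplicate (a message retransmitted because its ack was lost) but does not deliver it a second time.

```python
# Added illustration (not Wind River's code): a stop-and-wait reliable layer
# over an unreliable datagram channel, using the two ingredients the article
# names for VxWorks AE distributed messaging: per-message sequence numbers and
# acknowledgements. The channel and its loss pattern are constructed here.
from dataclasses import dataclass, field


@dataclass
class LossyChannel:
    """Drops datagrams whose delivery index is listed in `drop`."""
    drop: set
    sent: int = 0

    def deliver(self, datagram):
        idx, self.sent = self.sent, self.sent + 1
        return None if idx in self.drop else datagram


@dataclass
class Receiver:
    expected: int = 0                  # next sequence number we will accept
    delivered: list = field(default_factory=list)

    def on_data(self, seq, payload):
        # Always ack what we have seen so the sender can stop retransmitting;
        # a duplicate (resent after a lost ack) is acked but not delivered twice.
        if seq == self.expected:
            self.delivered.append(payload)
            self.expected += 1
        return ("ack", seq)


def send_reliably(messages, channel, receiver, max_tries=4):
    """Send each message in order; retransmit until its ack arrives."""
    seq, acked = 0, 0
    for payload in messages:
        for _ in range(max_tries):
            data = channel.deliver((seq, payload))
            ack = receiver.on_data(*data) if data else None
            ack = channel.deliver(ack) if ack else None   # acks can be lost too
            if ack and ack[1] == seq:
                acked += 1
                break
        else:
            raise RuntimeError(f"message {seq} unacknowledged after {max_tries} tries")
        seq += 1
    return acked


if __name__ == "__main__":
    ch, rx = LossyChannel(drop={0, 4}), Receiver()   # lose the 1st data, 1st ack of "b"
    print(send_reliably(["a", "b", "c"], ch, rx), rx.delivered, ch.sent)
```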

The Alarm Management System (AMS) provides a unified fault-recovery infrastructure. Software that detects faults and generates alarms is considered hardened. A standard API allows hardened software to use AMS to invoke the appropriate fault handlers. AMS is an optional component. If AMS isn't incorporated into a system, then alarms are processed by a default handler. All components, including drivers, can be hardened.

The AE RTOS features can be combined to form a sophisticated distributed environment capable of handling automatic redistribution of services when problems arise. AMS provides the detection and response mechanism, while the distributed messaging system enables services to be restarted on different points within an environment, without affecting communication with other applications. The reclamation services make sure that the termination of an application where a fault is detected won't result in inaccessible resources.

Many features found in competing operating systems are included in the VxWorks AE RTOS, along with its unique features, such as protection domains. These unique features can make VxWorks AE RTOS a very interesting choice as a platform for high-availability systems.

Price & Availability

VxWorks AE RTOS/Tornado Tools 3.0 is available immediately. Contact Wind River regarding pricing.

Wind River Systems Inc., 500 Wind River Way, Alameda, CA 94501; (510) 742-4100
