This is Jim Larus, one of the researchers in the Singularity project and one of the people in the video. We're thrilled with the number of people who have seen the Channel 9 Singularity videos. Before we quit our day jobs and head for Hollywood, I'd be happy to answer questions about Singularity.
Is Singularity a lot slower than traditional operating systems once hardware protection is activated?
Probably not -- it is a bit hard to answer the question phrased this way, since you are asking for an apples to oranges comparison.
Let me explain.
We have measured Singularity with varying levels of hardware protection enabled. (Details in Deconstructing Process Isolation, Mark Aiken, Manuel Fähndrich, Chris Hawblitzel, Galen Hunt, James Larus, Microsoft Research Technical Report MSR-TR-2006-43.) The results depended a lot on what was running on Singularity. A computationally intensive application wasn't affected by adding hardware protection, since it ran in one process, didn't thrash the TLB, and did little communication.
An IO intensive application ran a lot (~30%) slower with hardware isolation, since it required frequent context switches and a large amount of interprocess communication, both of which became a lot more expensive with hardware protection.
It would be interesting to compare these numbers against another system, but there are so many differences that it would be difficult to isolate the cost of SIPs and hardware domains vs. conventional processes. Instead, we've modelled a conventional system as a version of Singularity in which the kernel and device drivers run in one hardware domain and application and system processes each run in their own domain. There is a considerable cost for this arrangement for the IO intensive benchmark.
The other interesting result from this paper was that turning off run-time checks for null pointers and array bounds only saved 4.5%. Language safety isn't necessarily expensive when you have a good compiler.
How do you make sure that a pointer does not point to any address space of another process? Are there no classes in your C# dialect that allow that? Is there no IntPtr class and therefore no way to initialize a pointer with an int?
We rely on two aspects of the system design.
First, application and system code (aside from the kernel and run-time system) is written in safe C#. In this language, like Java, you can't create a pointer and you can't mangle a pointer. Period. This is a property that a compiler (and some run-time tests) can check, and we do.
We're working on reducing the amount of code that is unsafe. It is an interesting set of open research problems (i.e., what would a safe, verified garbage collector look like?), but we don't have answers yet. Stay tuned.
The other property is that a process cannot pass a pointer from its space to any other process (or the kernel). The channels do not allow code to pass addresses (we check in the compiler) and the kernel interfaces do not allow pointer passing either. This has a lot of benefits in a garbage collected system as well, since we don't have to look for root pointers in other processes.
So, if a process can't create a pointer and it can't be passed a pointer, there is no way for the process to dereference another SIP's objects.
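An added illustration of the "channels do not allow code to pass addresses" rule, not part of the original post and not Singularity code: a small C# model that walks a message type and rejects any field that could carry an address. It uses .NET reflection at run time as a stand-in for the compile-time check the post describes; the message structs and the FindAddressFields helper are hypothetical, and the model assumes every reference-typed field counts as an address into the sender's heap.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Constructed message types for the illustration (hypothetical names).
struct ReadRequest  { public int Handle; public long Offset; public int Length; }
struct LeakyRequest { public int Handle; public IntPtr Buffer; }   // raw address
struct NestedLeak   { public int Id; public LeakyRequest Inner; }  // address one level down
struct RefRequest   { public int Id; public byte[] Data; }         // reference into sender's heap

static class ChannelContractCheck
{
    // Returns one entry per field that could carry an address out of the process.
    public static List<string> FindAddressFields(Type t, string path = "")
    {
        var bad = new List<string>();
        const BindingFlags all =
            BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
        foreach (FieldInfo f in t.GetFields(all))
        {
            Type ft = f.FieldType;
            string p = path + f.Name;
            if (ft.IsPointer || ft == typeof(IntPtr) || ft == typeof(UIntPtr))
                bad.Add(p + " (raw address)");
            else if (!ft.IsValueType)
                bad.Add(p + " (reference into sender's heap)");
            else if (!ft.IsPrimitive && !ft.IsEnum)
                bad.AddRange(FindAddressFields(ft, p + "."));  // nested struct: recurse
        }
        return bad;
    }

    static void Main()
    {
        Type[] messages = { typeof(ReadRequest), typeof(LeakyRequest),
                            typeof(NestedLeak), typeof(RefRequest) };
        foreach (Type t in messages)
        {
            List<string> bad = FindAddressFields(t);
            string verdict = bad.Count == 0
                ? "accepted"
                : "rejected: " + string.Join("; ", bad);
            Console.WriteLine(t.Name + " " + verdict);
        }
    }
}
```

Only ReadRequest passes; the other three are rejected because an address is reachable through a direct field, a nested struct, or a heap reference.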