Principles of Computer System Design An Introduction Part II Chapters 7–11 Jerome H Saltzer M Frans Kaashoek Massachusetts Institute of Technology Version 5.0 Saltzer & Kaashoek Ch Part II, p i June 24, 2009 12:14 am Copyright © 2009 by Jerome H Saltzer and M Frans Kaashoek Some Rights Reserved This work is licensed under a Creative Commons Attribution-Non­ commercial-Share Alike 3.0 United States License For more information on what this license means, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ Designations used by companies to distinguish their products are often claimed as trade­ marks or registered trademarks In all instances in which the authors are aware of a claim, the product names appear in initial capital or all capital letters All trademarks that appear or are otherwise referred to in this work belong to their respective owners Suggestions, Comments, Corrections, and Requests to waive license restrictions: Please send correspondence by electronic mail to: Saltzer@mit.edu and kaashoek@mit.edu Saltzer & Kaashoek Ch Part II, p ii June 24, 2009 12:14 am Contents CHAPTER PART I [In Printed Textbook] List of Sidebars .xix Preface xxvii Where to Find Part II and other On-line Materials xxxvii Acknowledgments xxxix Computer System Design Principles xliii CHAPTER Systems Overview 1.1 Systems and Complexity 1.1.1 Common Problems of Systems in Many Fields 1.1.2 Systems, Components, Interfaces and Environments 1.1.3 Complexity 10 1.2 Sources of Complexity 13 1.2.1 Cascading and Interacting Requirements 13 1.2.2 Maintaining High Utilization 17 1.3 Coping with Complexity I 19 1.3.1 Modularity 19 1.3.2 Abstraction 20 1.3.3 Layering 24 1.3.4 Hierarchy 25 1.3.5 Putting it Back Together: Names Make Connections 26 1.4 Computer Systems are the Same but Different 27 1.4.1 Computer Systems Have no Nearby Bounds on Composition 28 1.4.2 d(technology)/dt is Unprecedented 31 1.5 Coping with Complexity II 35 1.5.1 Why Modularity, Abstraction, Layering, and Hierarchy aren’t Enough 36 1.5.2 Iteration 36 1.5.3 Keep it Simple 39 What the Rest of this Book is about 40 Exercises 41 iii Saltzer & Kaashoek Ch 0, p iii June 24, 2009 12:21 am iv Contents CHAPTER Elements of Computer System Organization 43 Overview 44 2.1 The Three Fundamental Abstractions 45 2.1.1 Memory 45 2.1.2 Interpreters 53 2.1.3 Communication Links 59 2.2 Naming in Computer Systems 60 2.2.1 The Naming Model .61 2.2.2 Default and Explicit Context References 66 2.2.3 Path Names, Naming Networks, and Recursive Name Resolution 71 2.2.4 Multiple Lookup: Searching through Layered Contexts 73 2.2.5 Comparing Names 75 2.2.6 Name Discovery 76 2.3 Organizing Computer Systems with Names and Layers 78 2.3.1 A Hardware Layer: The Bus .80 2.3.2 A Software Layer: The File Abstraction 87 2.4 Looking Back and Ahead 90 2.5 Case Study: UNIX® File System Layering and Naming 91 2.5.1 Application Programming Interface for the UNIX File System 91 2.5.2 The Block Layer 93 2.5.3 The File Layer 95 2.5.4 The Inode Number Layer 96 2.5.5 The File Name Layer 96 2.5.6 The Path Name Layer 98 2.5.7 Links 99 2.5.8 Renaming 101 2.5.9 The Absolute Path Name Layer 102 2.5.10 The Symbolic Link Layer 104 2.5.11 Implementing the File System API 106 2.5.12 The Shell, Implied Contexts, Search Paths, and Name Discovery 110 2.5.13 Suggestions for Further Reading 112 Exercises .112 CHAPTER The Design of Naming Schemes 115 Overview 115 3.1 Considerations in the Design of Naming Schemes 116 3.1.1 Modular Sharing 116 Saltzer & Kaashoek Ch 0, p iv June 24, 2009 12:21 am Contents v 3.1.2 Metadata and Name Overloading 120 3.1.3 Addresses: Names that Locate Objects 122 3.1.4 Generating Unique Names 124 3.1.5 Intended Audience and User-Friendly Names 127 3.1.6 Relative Lifetimes of Names, Values, and Bindings 129 3.1.7 Looking Back and Ahead: Names are a Basic System Component 131 3.2 Case Study: The Uniform Resource Locator (URL) 132 3.2.1 Surfing as a Referential Experience; Name Discovery 132 3.2.2 Interpretation of the URL 133 3.2.3 URL Case Sensitivity 134 3.2.4 Wrong Context References for a Partial URL 135 3.2.5 Overloading of Names in URLs 137 3.3 War Stories: Pathologies in the Use of Names 138 3.3.1 A Name Collision Eliminates Smiling Faces 139 3.3.2 Fragile Names from Overloading, and a Market Solution 139 3.3.3 More Fragile Names from Overloading, with Market Disruption 140 3.3.4 Case-Sensitivity in User-Friendly Names 141 3.3.5 Running Out of Telephone Numbers 142 Exercises 144 CHAPTER Enforcing Modularity with Clients and Services 147 Overview 148 4.1 Client/service organization 149 4.1.1 From soft modularity to enforced modularity 149 4.1.2 Client/service organization 155 4.1.3 Multiple clients and services 163 4.1.4 Trusted intermediaries 163 4.1.5 A simple example service 165 4.2 Communication between client and service 167 4.2.1 Remote procedure call (RPC) 167 4.2.2 RPCs are not identical to procedure calls 169 4.2.3 Communicating through an intermediary 172 4.3 Summary and the road ahead 173 4.4 Case study: The Internet Domain Name System (DNS) 175 4.4.1 Name resolution in DNS 176 4.4.2 Hierarchical name management 180 4.4.3 Other features of DNS 181 Saltzer & Kaashoek Ch 0, p v June 24, 2009 12:21 am vi Contents 4.4.4 Name discovery in DNS 183 4.4.5 Trustworthiness of DNS responses 184 4.5 Case study: The Network File System (NFS) 184 4.5.1 Naming remote files and directories .185 4.5.2 The NFS remote procedure calls 187 4.5.3 Extending the UNIX file system to support NFS .190 4.5.4 Coherence 192 4.5.5 NFS version and beyond 194 Exercises .195 CHAPTER Enforcing Modularity with Virtualization 199 Overview 200 5.1 Client/Service Organization within a Computer using Virtualization 201 5.1.1 Abstractions for Virtualizing Computers 203 5.1.1.1 Threads 204 5.1.1.2 Virtual Memory 206 5.1.1.3 Bounded Buffer .206 5.1.1.4 Operating System Interface 207 5.1.2 Emulation and Virtual Machines .208 5.1.3 Roadmap: Step-by-Step Virtualization .208 5.2 Virtual Links using SEND, RECEIVE, and a Bounded Buffer 210 5.2.1 An Interface for SEND and RECEIVE with Bounded Buffers .210 5.2.2 Sequence Coordination with a Bounded Buffer 211 5.2.3 Race Conditions 214 5.2.4 Locks and Before-or-After Actions .218 5.2.5 Deadlock 221 5.2.6 Implementing ACQUIRE and RELEASE 222 5.2.7 Implementing a Before-or-After Action Using the One-Writer Principle 225 5.2.8 Coordination between Synchronous Islands with Asynchronous Connections 228 5.3 Enforcing Modularity in Memory 230 5.3.1 Enforcing Modularity with Domains .230 5.3.2 Controlled Sharing using Several Domains 231 5.3.3 More Enforced Modularity with Kernel and User Mode 234 5.3.4 Gates and Changing Modes .235 5.3.5 Enforcing Modularity for Bounded Buffers 237 Saltzer & Kaashoek Ch 0, p vi June 24, 2009 12:21 am Contents vii 5.3.6 The Kernel 238 5.4 Virtualizing Memory 242 5.4.1 Virtualizing Addresses 243 5.4.2 Translating Addresses using a Page Map 245 5.4.3 Virtual Address Spaces 248 5.4.3.1 Primitives for Virtual Address Spaces 248 5.4.3.2 The Kernel and Address Spaces 250 5.4.3.3 Discussion 251 5.4.4 Hardware versus Software and the Translation Look-Aside Buffer 252 5.4.5 Segments (Advanced Topic) 253 5.5 Virtualizing Processors using Threads 255 5.5.1 Sharing a processor among multiple threads 255 5.5.2 Implementing YIELD 260 5.5.3 Creating and Terminating Threads 264 5.5.4 Enforcing Modularity with Threads: Preemptive Scheduling 269 5.5.5 Enforcing Modularity with Threads and Address Spaces 271 5.5.6 Layering Threads 271 5.6 Thread Primitives for Sequence Coordination 273 5.6.1 The Lost Notification Problem 273 5.6.2 Avoiding the Lost Notification Problem with Eventcounts and Sequencers 275 5.6.3 Implementing AWAIT, ADVANCE, TICKET, and READ (Advanced Topic) 280 5.6.4 Polling, Interrupts, and Sequence coordination 282 5.7 Case study: Evolution of Enforced Modularity in the Intel x86 284 5.7.1 The early designs: no support for enforced modularity 285 5.7.2 Enforcing Modularity using Segmentation 286 5.7.3 Page-Based Virtual Address Spaces 287 5.7.4 Summary: more evolution 288 5.8 Application: Enforcing Modularity using Virtual Machines 290 5.8.1 Virtual Machine Uses 290 5.8.2 Implementing Virtual Machines 291 5.8.3 Virtualizing Example 293 Exercises 294 CHAPTER Performance 299 Overview 300 Saltzer & Kaashoek Ch 0, p vii June 24, 2009 12:21 am viii Contents 6.1 Designing for Performance 300 6.1.1 Performance Metrics 302 6.1.1.1 Capacity, Utilization, Overhead, and Useful Work 302 6.1.1.2 Latency 302 6.1.1.3 Throughput 303 6.1.2 A Systems Approach to Designing for Performance 304 6.1.3 Reducing latency by exploiting workload properties 306 6.1.4 Reducing Latency Using Concurrency .307 6.1.5 Improving Throughput: Concurrency 309 6.1.6 Queuing and Overload 311 6.1.7 Fighting Bottlenecks 313 6.1.7.1 Batching 314 6.1.7.2 Dallying 314 6.1.7.3 Speculation 314 6.1.7.4 Challenges with Batching, Dallying, and Speculation 315 6.1.8 An Example: the I/O bottleneck 316 6.2 Multilevel Memories 321 6.2.1 Memory Characterization 322 6.2.2 Multilevel Memory Management using Virtual Memory .323 6.2.3 Adding multilevel memory management to a virtual memory 327 6.2.4 Analyzing Multilevel Memory Systems 331 6.2.5 Locality of reference and working sets 333 6.2.6 Multilevel Memory Management Policies 335 6.2.7 Comparative analysis of different policies 340 6.2.8 Other Page-Removal Algorithms 344 6.2.9 Other aspects of multilevel memory management 346 6.3 Scheduling 347 6.3.1 Scheduling Resources 348 6.3.2 Scheduling metrics 349 6.3.3 Scheduling Policies 352 6.3.3.1 First-Come, First-Served 353 6.3.3.2 Shortest-job-first 354 6.3.3.3 Round-Robin 355 6.3.3.4 Priority Scheduling 357 6.3.3.5 Real-time Schedulers 359 Saltzer & Kaashoek Ch 0, p viii June 24, 2009 12:21 am Contents ix 6.3.4 Case study: Scheduling the Disk Arm 360 Exercises 362 About Part II 369 Appendix A: The Binary Classification Trade-off 371 Suggestions for Further Reading 375 Problem Sets for Part I 425 Glossary 475 Index of Concepts 513 Part II [On-Line] CHAPTER The Network as a System and as a System Component 7–1 Overview 7–2 7.1 Interesting Properties of Networks 7–3 7.1.1 Isochronous and Asynchronous Multiplexing 7–5 7.1.2 Packet Forwarding; Delay 7–9 7.1.3 Buffer Overflow and Discarded Packets 7–12 7.1.4 Duplicate Packets and Duplicate Suppression 7–15 7.1.5 Damaged Packets and Broken Links 7–18 7.1.6 Reordered Delivery 7–19 7.1.7 Summary of Interesting Properties and the Best-Effort Contract 7–20 7.2 Getting Organized: Layers 7–20 7.2.1 Layers 7–23 7.2.2 The Link Layer 7–25 7.2.3 The Network Layer 7–27 7.2.4 The End-to-End Layer 7–28 7.2.5 Additional Layers and the End-to-End Argument 7–30 7.2.6 Mapped and Recursive Applications of the Layered Model 7–32 7.3 The Link Layer 7–34 7.3.1 Transmitting Digital Data in an Analog World 7–34 7.3.2 Framing Frames 7–38 7.3.3 Error Handling 7–40 7.3.4 The Link Layer Interface: Link Protocols and Multiplexing 7–41 7.3.5 Link Properties 7–44 Saltzer & Kaashoek Ch 0, p ix June 24, 2009 12:21 am x Contents 7.4 The Network Layer 7–46 7.4.1 Addressing Interface 7–46 7.4.2 Managing the Forwarding Table: Routing 7–48 7.4.3 Hierarchical Address Assignment and Hierarchical Routing .7–56 7.4.4 Reporting Network Layer Errors 7–59 7.4.5 Network Address Translation (An Idea That Almost Works) 7–61 7.5 The End-to-End Layer 7–62 7.5.1 Transport Protocols and Protocol Multiplexing 7–63 7.5.2 Assurance of At-Least-Once Delivery; the Role of Timers 7–67 7.5.3 Assurance of At-Most-Once Delivery: Duplicate Suppression 7–71 7.5.4 Division into Segments and Reassembly of Long Messages 7–73 7.5.5 Assurance of Data Integrity 7–73 7.5.6 End-to-End Performance: Overlapping and Flow Control .7–75 7.5.6.1 Overlapping Transmissions 7–75 7.5.6.2 Bottlenecks, Flow Control, and Fixed Windows 7–77 7.5.6.3 Sliding Windows and Self-Pacing 7–79 7.5.6.4 Recovery of Lost Data Segments with Windows 7–81 7.5.7 Assurance of Stream Order, and Closing of Connections 7–82 7.5.8 Assurance of Jitter Control 7–84 7.5.9 Assurance of Authenticity and Privacy 7–85 7.6 A Network System Design Issue: Congestion Control 7–86 7.6.1 Managing Shared Resources 7–86 7.6.2 Resource Management in Networks 7–89 7.6.3 Cross-layer Cooperation: Feedback 7–91 7.6.4 Cross-layer Cooperation: Control 7–93 7.6.5 Other Ways of Controlling Congestion in Networks 7–94 7.6.6 Delay Revisited 7–98 7.7 Wrapping up Networks 7–99 7.8 Case Study: Mapping the Internet to the Ethernet 7–100 7.8.1 A Brief Overview of Ethernet 7–100 7.8.2 Broadcast Aspects of Ethernet 7–101 7.8.3 Layer Mapping: Attaching Ethernet to a Forwarding Network 7–103 7.8.4 The Address Resolution Protocol .7–105 7.9 War Stories: Surprises in Protocol Design 7–107 7.9.1 Fixed Timers Lead to Congestion Collapse in NFS 7–107 7.9.2 Autonet Broadcast Storms 7–108 7.9.3 Emergent Phase Synchronization of Periodic Protocols 7–108 Saltzer & Kaashoek Ch 0, p x June 24, 2009 12:21 am Complete Index of Concepts INDEX–2 automatic rate adaptation 7–14, 7–93, GL–3 availability 8–9, GL–3 avoid excessive generality xliii, 16 avoid rarely used components xliii, 8–51, 8–60, 11–148 AWAIT 276 B backoff exponential 7–70, GL–11 exponential random 9–78, GL–11 random 227 backup copy 10–10, GL–3 backward error correction 8–22, GL–3 bad-news diode 38, GL–3 bandwidth 7–37, GL–3 bang-bang protocol 7–114 base name 67 batch 314, GL–3 bathtub curve 8–10 be explicit xliii, 8–7, 11–4, 11–10, 11–24, 11–26, 11–53, 11–55, 11–61, 11–67, 11–68 before-or-after atomicity 46, 89, 9–54, GL–3 Belady’s anomaly 337 best effort 7–14, GL–4 contract 7–21 big-endian numbering 158 BIND 63 binding 27, 61, 62, GL–4 stable GL–32 user-dependent 74, GL–36 bit error rate 7–38, GL–4 bit stuffing 7–39, GL–4 blast protocol 7–119 blind write 9–49, 9–66, GL–4 block 245 cipher 11–103 in UNIX® 93 blocking read 9–11 bootstrapping 223, 9–21, 9–43, 9–61, 9–80, GL–4 Saltzer & Kaashoek Ch index, p bot 11–19 bottleneck 300, GL–4 data rate 7–79 bounded buffer 206 broadcast 77, 7–45, 7–102, GL–4 buffer overrun attack 11–22, 11–23 burn in, burn out 8–11 burst 7–7, GL–4 bus 80 address 81 arbitration 81 Byzantine fault 8–53, GL–4 C CA (see certificate authority) cache 51, 332, GL–4 coherence 10–4, GL–4 snoopy 10–8, GL–31 capability 11–74, GL–4 capacity 302, 322, GL–5 careful storage 8–45 carrier sense multiple access 7–100, GL–11 cascading change propagation 11–105 casecoercing 128 preserving 128 sensitive 128 CBC (see cipher-block chaining) cell 46 storage 9–31, GL–5 certificate 11–56, GL–5 authority 11–56, GL–5 self-signed 11–92 certify 11–11, GL–5 checkpoint 9–51, GL–5 checksum 7–10, 7–74, GL–5 cipher 11–99, GL–5 cipher-block chaining 11–105 ciphertext 11–49, GL–5 circuit switch 7–9, GL–5 virtual 7–82, GL–36 cleartext 11–38, GL–5 client 155, 7–63, GL–5 June 24, 2009 12:21 am Complete Index of Concepts INDEX–3 client/service organization 159, GL–5 clock algorithm 344 CLOSE 88 close-to-open consistency 192, GL–5 closure 68, GL–5 coding 8–21 coherence cache 10–4, GL–4 read/write 46, GL–27 collision Ethernet 7–100, GL–11 hash 11–33 name 124, GL–5 commit 9–27, GL–6 two-phase 9–84, GL–35 communication link 59, GL–6 commutative cryptographic transformation 11–153 COMPARE 75 compartment 11–81 compensation 10–31, GL–6 complete mediation xliv, 11–5, 11–15, 11–18, 11–25, 11–136 complexity 10, GL–6 Kolmogorov 11 component computationally secure 11–33 condition variable 276, PS–48 conditional failure rate function 8–14 confidentiality 11–49, GL–6 confinement 11–82, GL–6 conflict 10–19 confusion matrix 372 congestion 7–13, 7–87, GL–6 collapse 7–87, 7–88, GL–6 connection 7–7, GL–6 connectionless 7–8, GL–6 consensus 10–11, GL–6 the consensus problem 10–11 consistency GL–6 close-to-open 192, GL–5 eventual 10–3 external time 9–18 sequential 9–18 Saltzer & Kaashoek Ch index, p strict 10–3, GL–33 strong (see consistency, strict) consistent hashing PS–90 constituent constraint 10–2, GL–7 context 62, GL–7 context reference 63, 66, GL–7 continuous operation 8–35, GL–7 control point 7–89, GL–7 convergent encryption PS–191 cookie 11–124 cooperative multitasking 269 cooperative scheduling 269, GL–7 copy-on-write 326 covert channel 11–84, GL–7 critical section 220 cross-layer cooperation 7–91, 7–93 cryptographic hash function 11–32, GL–7 key 11–39, GL–7 transformation 11–39, 11–99, GL–7 transformation, commutative 11–153 cryptography 11–22, GL–7 public key 11–40, GL–26 shared-secret 11–40, GL–31 CSMA/CD (see carrier sense multiple access) cursor 88 cursor stability 10–30 cut-through 7–10, GL–7 D dally 314 dangling reference 130, GL–7 data integrity in communications 7–73, GL–7 in security assurance 11–36, GL–7 in storage 10–15 data rate 7–4, GL–8 datagram 7–8 deadlock 221, 9–76, GL–8 decay 46, 8–41, GL–8 factor 7–70 set 8–42, GL–8 declassify 11–84 June 24, 2009 12:21 am Complete Index of Concepts INDEX–4 decouple modules with indirection xliii, 27, 106, 123, 173, 243, 286, 325, 7–110 decrypt 7–86, 11–49, GL–8 DECRYPT 11–49 default context reference 66, GL–8 defense in depth 8–3, 11–12 delay 7–9, 7–98 processing 7–10, 7–98, GL–25 propagation 7–3, 7–10, 7–99, GL–25 queuing 7–11, 7–99, GL–26 transmission 7–10, 7–99, GL–34 delayed authentication 11–157 delegation forwarding 112 demand algorithm 339, GL–8 paging 346 dependent outcome record 9–81 design for iteration xliii, 37, 228, 8–8, 8–11, 8–15, 8–37, 11–4, 11–10, 11–26 design principles 40 adopt sweeping simplifications xliii, 40, 149, 160, 7–20, 8–8, 8–37, 8–51, 9–3, 9–29, 9–30, 9–47, 10–11, 11–16 avoid excessive generality xliii, 16 avoid rarely used components xliii, 8–51, 8–60, 11–148 be explicit xliii, 8–7, 11–4, 11–10, 11–24, 11–26, 11–53, 11–55, 11–61, 11–67, 11–68 complete mediation xliv, 11–5, 11–15, 11–18, 11–25, 11–136 decouple modules with indirection xliii, 27, 106, 123, 173, 243, 286, 325, 7–110 design for iteration xliii, 37, 228, 8–8, 8–11, 8–15, 8–37, 11–4, 11–10, 11–26 durability mantra xliv, 10–10 economy of mechanism xliv, 11–16, 11–26 end-to-end argument xliii, 7–31, 8–49, 8–52, 9–79, 10–30, 11–16 Saltzer & Kaashoek Ch index, p escalating complexity principle xliii, 14 fail-safe defaults xliv, 11–16, 11–24, 11–126 golden rule of atomicity xliv, 9–26, 9–42 incommensurate scaling rule xliii, 33, 316, 7–91 keep digging principle xliii, 37, 8–8, 8–64, 11–126 law of diminishing returns xliii, 18, 305, 9–53 least privilege principle xliv, 11–17, 11–24, 11–39, 11–79, 11–80, 11–81, 11–130 minimize common mechanism xliv, 11–16, 11–141 minimize secrets xliv, 11–15, 11–34, 11–39 one-writer principle xliv, 212 open design principle xliii, 11–13, 11–39, 11–64, 11–140 principle of least astonishment xliii, 85, 89, 128, 205, 11–15, 11–138 robustness principle xliv, 29, 8–15 safety margin principle xliv, 24, 8–8, 8–16, 8–58 unyielding foundations rule xliv, 20, 38, 288 destination 7–8, 7–27, 7–46, GL–8 address GL–8 detectable error 8–17, GL–8 dictionary attack 11–34 digital signature 11–44, GL–8 dilemma of the two generals 9–90, GL–35 diminishing returns, law of xliii, 18, 305, 9–53 direct mapping 346 memory access 83 directory 65, GL–8 in UNIX® 97 discipline simple locking 9–72, GL–31 systemwide locking 9–70 two-phase locking 9–73, GL–35 June 24, 2009 12:21 am Complete Index of Concepts INDEX–5 discovery of maximum transmission unit 7–61, GL–19 of names 76 discretionary access control 11–74, 11–81, GL–8 dispatcher 262 distance vector 7–54 divide-by-zero exception 206 DMA (see direct memory access) action (see redo action) domain name 175 virtual memory 230, GL–8 Domain Name System design of 175 eventual consistency in 10–5 fault tolerance of 8–36, 8–39 down time 8–9, GL–9 dry run 9–97 duplex 7–45, GL–9 duplicate suppression 7–17, 7–71, GL–9 durability 46, 8–39, GL–9 log 9–40 durability mantra xliv, 10–10 durable storage 8–38, 8–46, GL–9 dynamic scope 68, GL–9 E earliest deadline first scheduling policy 360, GL–9 early drop 7–92, GL–9 echo request 7–60 economy of mechanism xliv, 11–16, 11–26 element elevator algorithm 361 emergent property 4, GL–9 emulation 208, GL–9 encrypt 7–86, 11–49, GL–9 ENCRYPT 11–49 encryption key 11–49 end-to-end GL–9 layer 7–25, 7–28, 7–62, GL–10 Saltzer & Kaashoek Ch index, p end-to-end argument xliii, 7–31, 8–49, 8–52, 9–79, 10–30, 11–16 enforced modularity 153, GL–10 ENUMERATE 63 enumerate (in naming) 63, GL–10 environment GL–10 of a system of an interpreter 53 reference 53 erasure 8–23, GL–10 ergodic 8–10, GL–10 error 8–4, GL–10 containment 8–2, 8–5, GL–10 correction 7–40, 8–2, 8–57, GL–10 detection 7–40, 8–2, GL–10 escalating complexity principle xliii, 14 Ethernet 7–100, GL–11 event variable PS–45 eventcount 276, GL–11 eventual consistency 10–3, GL–11 EWMA (see exponentially weighted moving average) exactly-once protocol assurance 7–73, GL–11 RPC 171 exception 57, 206, 235, GL–11 divide-by-zero 206 illegal instruction 235 illegal memory reference 233 indirect 325 memory reference 231 missing-page 328, GL–19 permission error 233 TLB miss 253 explicit context reference 66, GL–11 explicitness 11–61, GL–11 exploit brute force 301 exponential backoff 7–70, GL–11 random backoff 9–78, GL–11 exponentially weighted moving average 355, 7–70 export 60, GL–11 external time consistency 9–18 June 24, 2009 12:21 am Complete Index of Concepts INDEX–6 F failfast 8–5, 8–17, GL–11 safe 8–17, GL–12 secure 8–17, GL–12 soft 8–17, GL–12 stop 8–5, GL–12 vote 8–27, GL–12 fail-safe defaults xliv, 11–16, 11–24, 11–126 failure 8–4, GL–12 tolerance 8–16, GL–12 false positive/negative 371 fast start 7–114 fate sharing 153 fault 8–3, GL–12 avoidance 8–6, GL–12 tolerance 8–5, GL–12 tolerance design process 8–6 tolerance model 8–18 FCFS (see first-come, first-served) FIFO (see first-in, first-out) file 87, GL–12 in UNIX® 95 memory-mapped 325 pointer 88 fingerprint 7–10, GL–12 first-come, first-served scheduling policy 353, GL–12 first-in, first-out page-removal policy 336, GL–12 fixed timer 7–69 window 7–78 flooding 2, PS–75 flow control 7–77, GL–12 follow-me forwarding 112 force 320, 9–53, GL–13 forward error correction 8–21, GL–13 secrecy 11–61, GL–13 forwarder 7–9 forwarding table 7–48, GL–13 fragile name 121 Saltzer & Kaashoek Ch index, p fragment GL–13 frame 7–6, 7–8, 7–37, GL–13 freshness 11–61, GL–13 full-duplex 7–45, GL–13 G garbage collection 131 gate (protected entry) 236, GL–13 generality 15 generated name 124, GL–13 GET 50 global name 75, GL–13 golden rule of atomicity xliv, 9–26, 9–42 granularity 8, 9–71 guaranteed delivery 7–14 H half-duplex 7–45, GL–13 Hamming distance 8–21, GL–13 hard-edged 7–6 hard error 8–5 hard link 105 hard real-time scheduling policy 359, GL–13 hash function 125, GL–14 hashed MAC 11–107 hazard function 8–14 header 7–26, GL–14 heartbeat 8–54 hierarchy 25, GL–14 in naming 73 in routing 7–56, GL–14 high-water mark 9–65 hints 40 exploit brute force 301 instead of reducing latency, hide it 309 optimize for the common case 307, 334, 9–39 separate mechanism from policy 331, 349, 11–7, 11–84 hit ratio 333 HMAC (see hashed MAC) hop limit 7–54, GL–14 hot swap 8–35, GL–14 hyperlink 133 June 24, 2009 12:21 am Complete Index of Concepts INDEX–7 I invisible hand 7–98 IP (see Internet protocol) I/O bottleneck 316 ICMP (see Internet control message protocol) ISO (see International Organization for Standardization) idempotent 170, 7–18, 9–47, GL–14 isochronous 7–6, GL–15 identifier 127, GL–14 isolation 220 illegal instruction GL–14 ISP (see Internet service provider) exception 235 iteration 36 illegal memory reference exception 233 IMS (see Information Management System) J in-memory database 9–39 jitter 7–84, GL–15 incommensurate scaling 5, GL–14 job 352, GL–15 incommensurate scaling rule xliii, 33, 316, journal storage 9–31, GL–16 7–91 incremental K backup 10–18, GL–14 KDC (see key distribution center) redundancy 8–21 keep digging principle xliii, 37, 8–8, 8–64, indirect 11–126 name 73, 104, GL–14 kernel 238, GL–16 indirection 27, 61, GL–14 mode 234, GL–16 exception 325 key (see cryptographic key) infant mortality 8–11 key distribution center 11–57, GL–16 information flow control 11–83 key-based cryptographic transformation Information Management System 9–100 11–41 , GL –16 inode 95 Kolmogorov complexity 11 install 9–39, GL–15 instead of reducing latency, hide it 309 L instruction latency 49, 302, 8–5, GL–16 reference 53, GL–15 latent fault 8–4, GL–16 repertoire GL–28 law of diminishing returns xliii, 18, 305, integrity (see data integrity) 9–53 intended load 7–88, GL–15 layer interconnection bypass 79 interface end-to-end 7–25, 7–28, 7–62, GL–10 interleaving 310, GL–15 link 7–25, 7–34, GL–16 intermittent fault 8–5, GL–15 network 7–25, 7–27, 7–46, GL–21 International Organization for layering 24, GL–16 Standardization 7–30, GL–15 leaky abstraction 30 Internet 7–32 least astonishment principle xliii, 85, 89, 128, control message protocol 7–60 205 , 11–15 , 11–138 protocol 7–32 least privilege principle xliv, 11–17, 11–24, service provider 139 11–39, 11–79, 11–80, 11–81, interpreter 53, GL–15 11–130 interrupt 53, 235, 283, GL–15 invalidate 10–7, GL–15 Saltzer & Kaashoek Ch index, p June 24, 2009 12:21 am Complete Index of Concepts INDEX–8 least-recently-used page-removal policy 338, GL–16 least significant component 71 lexical scope (see static scope) lightweight remote procedure call 238, PS–25 limited change propagation 11–100 limited name space 129, GL–16 link in communications 59, GL–6 in naming 73, GL–16 in UNIX® 99 layer 7–25, 7–34, GL–16 soft (see indirect name) symbolic (see indirect name) list system 11–74, GL–16 little-endian numbering 158 livelock 222, 9–78, GL–16 locality of reference 334, GL–17 spatial 334, GL–32 temporal 334, GL–34 location-addressed memory 51 lock 218, 9–69, GL–17 compatibility mode 9–76 manager 9–70 point 9–72, GL–17 set 9–72, GL–17 lock-step protocol 7–75, GL–17 locking discipline simple 9–72, GL–31 systemwide 9–70 two-phase 9–73, GL–35 log 9–39, GL–17 archive 9–40 atomicity 9–40 durability 9–40 performance 9–40 record 9–42 redo 9–50, GL–28 sequence number 9–53 undo 9–50, GL–28 write-ahead 9–42, GL–37 logical copy 10–10, GL–17 locking 9–75, GL–17 Saltzer & Kaashoek Ch index, p lost object 130 LRPC (see lightweight remote procedure call) LRU (see least-recently used) M MAC (see media access control address) (see message authentication code) magnetic disk memory 49 malware 11–19 Manchester code 7–36, GL–17 margin 8–20, GL–17 mark point 9–58, GL–17 marshal/unmarshal 157, GL–17 maskable error 8–18, GL–17 masking 8–2, 8–17, GL–18 massive redundancy 8–25 master 10–10, GL–18 maximum transmission unit 7–45, GL–18 mean time between failures 8–9, GL–18 to failure 8–9, GL–18 to repair 8–9, GL–18 media access control address 126 mediation 11–73, GL–18 memory 45 associative 51 barrier 47 cell 46 location-addressed 51 manager 230, GL–18 manager, multilevel 325 manager, virtual 206, 243, GL–36 -mapped file 325 -mapped I/O 84, GL–18 random access 50, GL–26 transactional 9–69, GL–34 volatile/non-volatile 45, GL–21, GL–36 memory reference exception 231 memoryless 8–13, GL–18 message 59, 7–7, 7–33, GL–18 authentication 11–36, GL–18 authentication code 11–44, GL–19 representation 54 June 24, 2009 12:21 am Complete Index of Concepts INDEX–9 message-sending protocol 7–63 message timing diagram 155 metadata 91, 120, GL–19 microkernel 240, GL–19 minimize common mechanism xliv, 11–16, 11–141 minimize secrets xliv, 11–15, 11–34, 11–39 mirror 10–9, GL–19 missing-page exception 328, GL–19 mobile host 7–118 modular sharing 116, GL–19 modularity 19 enforced 153, GL–10 soft 153, GL–32 module 9, 8–2, GL–19 monolithic kernel 238, GL–19 most-recently-used page-removal policy 340, GL–19 most significant component 72 MRU (see most-recently-used) MTBF (see mean time between failures) MTTF (see mean time to failure) MTTR (see mean time to repair) MTU (see maximum transmission unit) MTU discovery 7–61, GL–19 multihomed 7–46, GL–19 multilevel memory 324, GL–19 memory manager 325 multiple lookup 73, GL–19 -reader, single-writer protocol 9–76 register set processor PS–31 multiplexing 7–5, 7–42, 7–47, 7–64, GL–19 multiplicative decrease 7–96 multipoint 7–67, GL–19 multiprogramming 256 multitasking 256 Murphy’s law 86 mutual exclusion 220 N N + redundancy 8–35, GL–20 Saltzer & Kaashoek Ch index, p N-modular redundancy 8–26, GL–20 N-version programming 8–36, GL–20 NAK (see negative acknowledgment) name 44, GL–20 base 67 collision 124 conflict 116, GL–20 discovery 76 fragile 121 generated 124, GL–13 global 75, GL–13 indirect 73, 104, GL–14 lookup, multiple 73, GL–19 opaque 121, GL–21 overloaded 120, GL–22 path GL–23 pure 120, GL–26 qualified 67, GL–26 resolution 62 resolution, recursive 71, GL–27 well-known 77, GL–36 name-mapping algorithm 62 name space 61, GL–20 limited 129, GL–16 unique identifier 64, GL–35 universal 62, GL–35 unlimited 129, GL–35 name-to-key binding 11–45, GL–20 namespace (see name space) naming authority 180 hierarchy 73, GL–20 network 72, GL–20 scheme 61, GL–20 NAT (see network address translation) negative acknowledgment 7–71, 7–83, GL–20 nested outcome record 9–86 network 7–2, GL–21 address 7–46, GL–21 address translation 7–61 attachment point 65, 7–9, 7–27, 7–46, GL–21 layer 7–25, 7–27, 7–46, GL–21 June 24, 2009 12:21 am Complete Index of Concepts INDEX–10 packet 7–8, 7–33, GL–22 forwarding 7–9, GL–22 forwarding network 7–9 switch 7–9, GL–22 page 245, GL–22 fault (see missing-page exception) map 245, GL–22 on-demand zero-filled 326 table 246, GL–22 page-map address register 247, GL–22 page-removal policy 329, GL–22 clock algorithm 344 direct mapping 346 O first-in, first-out 336, GL–12 object 9, 60, GL–21 least-recently used 338, GL–16 object-based virtual memory PS–51 most-recently used 340, GL–19 occasionally connected 10–20 optimal 337, GL–21 offered load 311, 7–88, GL–21 random 345 on-demand zero-filled page 326 pair-and-compare 8–33, GL–22 one-time pad 11–99 pair-and-spare GL–22 one-writer principle xliv, 212 parallel transmission 7–35, GL–23 opaque name 121, GL–21 partition 8–34, 10–18, GL–23 OPEN 88 password 11–31, GL–23 open design principle xliii, 11–13, 11–39, patch 17 11–64, 11–140 path 7–48 operating system 78, 79, GL–21 name 75, GL–23 OPT (see optimal page-removal policy) name, absolute 68, 72, GL–1 optimal page-removal policy 337, GL–21 name, relative 72, GL–27 optimistic concurrency control 9–63, GL–21 search 73, 75, GL–29 optimize for the common case 9–45 selection 7–51, GL–23 optimize for the common case 307, 334, 9–39 vector 7–51 origin authenticity 11–37, GL–22 payload 7–26, GL–23 orphan 130 peer-to-peer OSI (see International Organization for design 164 Standardization) network outcome record 9–32 pending 9–32, GL–23 overhead 302 performance log 9–40 overlay network 7–33, 3, PS–74 permission error exception 233 overload 311, GL–22 persistent 46, GL–23 overloaded name 120, GL–22 fault 8–5, GL–23 overprovisioning 7–94 sender 7–67, GL–23 pessimistic concurrency control 9–63, P GL–23 pacing 7–115 PGP (see protocol, pretty good privacy) services access point GL–21 Network File System 184 NFS (see Network File System) NMR (see N-modular redundancy) non-blocking read 9–12 non-discretionary access control 11–74, 11–81, GL–21 non-preemptive scheduling 269, GL–21 non-volatile memory 45, GL–21 nonce 7–17, 7–71, GL–21 not-found result 64 NSAP (see network services access point) Saltzer & Kaashoek Ch index, p 10 June 24, 2009 12:21 am Complete Index of Concepts INDEX–11 phase encoding 7–36, GL–23 phase-locked loop 7–36 physical address 243, GL–24 copy 10–10, GL–24 locking 9–75, GL–24 piggybacking 7–77, GL–24 pipeline GL–24 PKI (see public key infrastructure) plaintext 11–38, 11–49, GL–24 point-to-point 7–44, GL–24 polling 273, GL–24 port 7–64, GL–24 precision (in information retrieval) 373 preemptive scheduling 269, GL–24 prepaging 346, GL–24 PREPARED message 9–87 state GL–24 presentation protocol 7–23, 7–67, GL–24 service 7–29 presented load (see offered load) preservation 8–40 presumed commit 9–88 preventive maintenance 8–12, GL–24 pricing 7–97 primary copy 10–10, GL–24 device 331, GL–25 principal 11–20, GL–25 principle of escalating complexity xliii, 14 principle of least astonishment xliii, 85, 89, 128, 205, 11–15, 11–138 principles (see design principles) priority inversion 358 scheduling policy 357, GL–25 privacy 11–6, GL–25 private key 11–40, GL–25 probe 7–60 procedure calling convention 150 process 97, 248 processing delay 7–10, 7–98, GL–25 Saltzer & Kaashoek Ch index, p 11 processor multiplexing 256 producer and consumer problem 211 program counter 56, GL–25 progress 9–77, GL–25 propagation delay 7–3, 7–10, 7–99, GL–25 propagation of effects 4, GL–25 protection 11–6, GL–25 group 11–76, GL–25 protocol 7–21, GL–25 address resolution 7–105, GL–1 application 7–23 bang-bang 7–114 blast 7–119 bus arbitration 81 carrier sense multiple access 7–100, GL–11 challenge-response 11–64 Diffie-Hellman key agreement 11–68 Internet 7–32 internet control message 7–60 Kerberos 11–58 lock-step 7–75, GL–17 message-sending 7–63 multiplexing 7–42 Network File System 184 presentation 7–23, 7–67, GL–24 pretty good privacy 11–98 ready/acknowledge 7–35, GL–27 real-time transport 7–67 reliable message stream 7–66 request/response 7–66 routing 7–50 secure shell 11–46 secure socket layer 11–117 security 11–36, 11–54, GL–29 simple network time service 7–109 stream transport 7–82 transmission control 7–65 transport 7–23, 7–63, GL–34 transport layer security 11–116 two-phase commit 9–84, GL–35 user datagram 7–65 proxy 7, 371 June 24, 2009 12:21 am Complete Index of Concepts INDEX–12 pseudocode representation 54 pseudorandom number generator 11–101 public key 11–40, GL–25 cryptography 11–40, GL–26 infrastructure 11–93, 11–114 publish/subscribe 173, GL–26 pull 172 pure name 120, GL–26 purging 8–33, GL–26 push 172 PUT 50 read-capture 9–63 read/write coherence 46, GL–27 ready/acknowledge protocol 7–35, GL–27 real time 359, 7–84, GL–27 real-time scheduling policy 359, GL–27 scheduling policy, hard 359, GL–13 scheduling policy, soft 359, GL–32 transport protocol 7–67 reassembly 7–8, GL–27 recall (in information retrieval) 373 RECEIVE 59 Q receive livelock 350 quad component 8–26 reconciliation 10–12, 10–19, GL–27 qualified name 67, GL–26 recovery 8–38 quantum 356 recursive quench 7–13, 7–91, GL–26 name resolution 71, GL–27 query 77 replication 8–27 queuing delay 7–11, 7–99, GL–26 RED (see random early detection) quorum 10–16, GL–26 redo quota 313 action 9–43, GL–27 log 9–50, GL–28 R reduced instruction set computer 55 race condition 215, GL–26 redundancy 8–2, GL–27 RAID 52, GL–26 redundant array of independent disks (see RAID 8–47 RAID) RAID 8–24 reference 60, GL–27 RAID 8–67 monitor 11–20 RAM (see random access memory) string 334, GL–27 random register renaming 9–67 access memory 50, GL–26 relative path name 72, GL–27 backoff 227 RELEASE 225, 9–70 backoff, exponential 9–78, GL–11 reliability 8–13, GL–28 drop 7–92, GL–26 reliable early detection 7–92, GL–26 delivery 7–74, GL–28 number generator 11–99 message stream protocol 7–66 page-removal policy 345 remote procedure call 167, GL–28 pseudorandom number generator 11–101 reorder buffer 9–67 rate monotonic scheduling policy 360, repair 8–31, GL–28 GL–26 repertoire 53, GL–28 raw storage 8–42 replica 8–26, GL–28 RC4 cipher 11–101 replicated state machine 10–11, GL–28 READ 45 replication GL–28 read and set memory 224, GL–27 recursive 8–27 Saltzer & Kaashoek Ch index, p 12 June 24, 2009 12:21 am Complete Index of Concepts INDEX–13 reply 155 representations bit order numbering 158 confusion matrix 371 message 54 pseudocode 54 timing diagram 155 Venn diagram 372 version history 9–55 wait-for graph 221 repudiate GL–28 request 155, GL–28 request/response protocol 7–66 resolution, name 62 resolve GL–28 RESOLVE 63 response 155, GL–28 restartable atomic region PS–34 revectoring 8–46 reverse lookup 64 revocation 11–73 RISC (see reduced instruction set computer) Rivest, Shamir, and Adleman cipher 11–109 robustness principle xliv, 29, 8–15 roll-forward recovery 9–50, GL–28 rollback recovery 9–50, GL–28 root 72, GL–28 in UNIX® 102 round-robin scheduling policy 262, 356, GL–29 round-trip time 7–67, GL–29 estimation 7–69, 7–80 route 7–9, 7–48 router 7–9, 7–50, GL–29 routing 7–48 algorithm 7–49, GL–29 protocol 7–50 RPC (see remote procedure call) RSA (see Rivest, Shamir, and Adleman cipher) RSM (see read and set memory) RTP (see real-time transport protocol) Saltzer & Kaashoek Ch index, p 13 S safety margin principle xliv, 24, 8–8, 8–16, 8–58 safety net approach 11–10 safety-net approach 8–7 scheduler 348, GL–29 scheduling policy earliest deadline first 360, GL–9 first-come, first-served 353, GL–12 hard real-time 359, GL–13 priority 357, GL–25 rate monotonic 360, GL–26 real-time 359, GL–27 round-robin 262, GL–29, 356 shortest-job-first 354 soft real-time 359, GL–32 scope 75, GL–29 dynamic 68, GL–9 lexical (see scope, static) static 68, GL–32 search 73, GL–29 in key word query 75 in name discovery 76 search path 73, 75, GL–29 second-system effect 39 secondary device 331, GL–29 secrecy GL–29 secure area GL–29 secure channel 11–22, 11–116, GL–29 Secure Socket Layer 11–117 security 11–6, GL–29 protocol 11–36, 11–54, GL–29 seed 11–101 segment of a message 7–8, 7–33, GL–30 virtual memory 68, 253, 285, GL–30 self-describing storage 365 self-pacing 7–80, GL–30 semaphore 276, 277, GL–30 separate mechanism from policy 331, 349, 11–7, 11–84 sequence coordination 211, 273, 9–13, GL–30 sequencer 276, GL–30 June 24, 2009 12:21 am Complete Index of Concepts INDEX–14 sequential consistency 9–18 serial transmission 7–35, GL–30 serializability PS–138 serializable 9–18, GL–30 server 157, GL–30 service 155, 7–63, GL–30 time 311, 7–87 session service 7–29 set up 7–7, GL–31 shadow copy 9–29, GL–31 Shannon’s capacity theorem 7–37 shared-secret cryptography 11–40, GL–31 key 11–40, GL–31 sharing 60, 7–5, GL–31 shortcut (see indirect name) shortest-job-first scheduling policy 354 sign 7–86, 11–41, GL–31 simple locking discipline 9–72, GL–31 network time service protocol 7–109 serialization 9–54, GL–31 simplex 7–44, GL–31 simplicity 39 single -event upset 8–5, GL–31 -acquire protocol 220, GL–31 point of failure 8–63 state machine 10–13 single-writer, multiple-reader protocol 9–76 Six sigma 8–15 slave 10–10, GL–31 sliding window 7–79, GL–31 slow start 7–95 snapshot isolation 9–68 snoopy cache 10–8, GL–31 SNTP (see protocol, simple network time service) soft error 8–5 link (see indirect name) modularity 153, GL–32 real-time scheduling policy 359, GL–32 state 189, GL–32 Saltzer & Kaashoek Ch index, p 14 source 7–27, 7–46, GL–32 address GL–32 spatial locality 334, GL–32 speaks for 11–85, GL–32 speculate 314, GL–32 spin loop 212, GL–32 SSH (see protocol, secure shell) SSL (see Secure Socket Layer) stability 46, GL–32 cursor 10–30 stable binding 64, GL–32 storage 45 stack algorithm 341, GL–32 discipline 150 pointer 56 starvation 355, GL–32 static discipline 29 routing 7–49, GL–32 scope 68, GL–32 station 7–50, 7–101, GL–33 identifier 7–101 stop and wait (see lock-step protocol) storage 50, GL–33 atomic GL–2 careful 8–45 cell 46, 9–31, GL–5 durable 8–38, 8–46, GL–9 fail-fast 8–43 journal 9–31, GL–16 leak 130 raw 8–42 stable 45 store and forward 7–14, GL–33 stream 7–7, 7–33, GL–33 cipher 11–99 transport protocol 7–82 strict consistency 10–3, GL–33 strong consistency (see strict consistency) stub 167, GL–33 subassembly submodule June 24, 2009 12:21 am Complete Index of Concepts INDEX–15 subsystem supermodule 8–27, GL–33 supervisor call instruction 236, GL–33 SVC (see supervisor call instruction) swapping 347, GL–33 sweeping simplifications (see adopt sweeping simplifications) symbolic link (see indirect name) synonym 72, GL–33 system 8, GL–33 systemwide lock 9–70 TMR (see triple-modular redundancy) tolerance 23 tolerated error 8–18, GL–34 tombstone 7–72, GL–34 tracing garbage collection 131 trade-off binary classification 7, 371 tragedy of the commons 7–93 trailer 7–26, GL–34, GL–36 transaction 9–3, 9–4, GL–34 transactional memory 9–69, GL–34 TRANSFER operation 9–5 T transient fault 8–5, GL–34 Taguchi method 8–16 transit time 7–9, GL–34 tail drop 7–92, GL–33 translation look-aside buffer 253 TCB (see trusted computing base) transmission TCP (see transmission control protocol) control protocol 7–65 TDM (see time-division multiplexing) delay 7–10, 7–99, GL–34 tear down 7–7, GL–33 parallel 7–35, GL–23 temporal serial 7–35, GL–30 database 10–28 transport locality 334, GL–34 protocol 7–23, 7–63, GL–34 tentatively committed 9–82 service 7–29 test and set memory (see read and set memory) Transport Layer Security 11–116 thrashing 335, GL–34 triple-modular redundancy 8–26, GL–35 thread 204, GL–34 trusted manager 205, GL–34 computing base 11–26, GL–35 threat 11–7, GL–34 intermediary 163, GL–35 insider 11–8 TTL (see time-to-live) throughput 303, 323, GL–34 tunnel (in networks) 7–33 ticket system 11–74, GL–34 two generals dilemma 9–90, GL–35 tiger team 11–27 two-phase time-division multiplexing 7–6 commit 9–84, GL–35 time domain addressing 10–28 locking discipline 9–73, GL–35 time-sharing 256 U time-to-live 10–6 timed capability 11–156 UDP (see user datagram protocol) timer UNBIND 63 adaptive 7–69 undo fixed 7–69 action 9–43, GL–35 timing diagram 155, 156 log 9–50, GL–28 TLB (see translation look-aside buffer) Uniform Resource Locator 133 TLB miss exception 253 unique identifier name space 64, GL–35 TLS (see Transport Layer Security) universal name space 62, GL–35 Saltzer & Kaashoek Ch index, p 15 June 24, 2009 12:21 am Complete Index of Concepts INDEX–16 universe of values 62, GL–35 unlimited name space 129, GL–35 untolerated error 8–18, GL–35 unyielding foundations rule xliv, 20, 38, 288 upcall 7–27 URL (see Uniform Resource Locator) useful work 302 user datagram protocol 7–65 -dependent binding 74, GL–36 mode 234, GL–36 utilization 302, GL–36 V valid construction 8–37, GL–36 validation (see valid construction) value 62, GL–36 verify 7–86, 11–41 version history 9–30, GL–36 virtual address 206, 243, GL–36 address space 206, 248 circuit 7–82, GL–36 machine 208, 290, GL–36 machine monitor 208, 290, GL–36 memory 206, 332 memory manager 206, 243, GL–36 memory, object-based PS–51 shared memory 326 virtualization 201, GL–36 virus 11–19 volatile memory 45, GL–36 Saltzer & Kaashoek Ch index, p 16 voter 8–26, GL–36 W wait-for graph 221 WAL (see write-ahead log) watchdog 8–54 waterbed effect well-known name/address 77, GL–36 port 7–64 window 7–78, GL–36 fixed 7–78 of validity 11–33 sliding 7–79, GL–31 wired down (page) 331 witness 7–10, 10–21, 11–48, work factor 11–33 working directory 67, GL–37 set 335, GL–37 worm 11–19 WRITE 45 write-ahead log 9–42, GL–37 write tearing 47, GL–2 write-through GL–37 GL–37 X X Window System 162 Y yield (in manufacturing) 8–11 YIELD (thread primitive) 257 June 24, 2009 12:21 am ... This textbook, Principles of Computer System Design: An Introduction, is an introduction to the principles and abstractions used in the design of computer systems It is an out­ growth of notes written... textbook began as a set of notes for the advanced undergraduate course Engineering of Computer Systems (6.033, originally 6.233), offered by the Department of Electrical Engineering and Computer. .. been borrowed Hari Balakrishnan provided many suggestions and corrections and helped sort out muddled explanations, and Julie Sussman and Susan Ruff pointed out many opportunities to improve