ACRN Hypervisor: Modular Design¶
ACRN highly emphasizes modular design, i.e. the separation of functionality info modules that define a concise set of interfaces. The goals of modular design include:
Understandability A modular design is easier to understand due to encapsulation.
Testability Modules can be integrated and tested in the reverse order of dependencies among them. Modular integration tests help improve the coverage of tests and identify corner cases that are hard to trigger when testing the hypervisor as a whole.
Configurability Modular design makes it easy to configure certain functionalities in or out. This is crucial in safety-critical scenarios because absence of irrelevant code is required in both MISRA-C and functional safety standards.
Meet functional safety requirements Functional safety standards explicitly require a hierarchical structure of modules in software architectural design. This applies to any safety integrity level defined in [IEC_61508-3] and [ISO_26262-6].
Each source file shall belong to one module only. One module may consist of one or multiple source files, though. A source file can be a C source, a C header or an assembly file.
Each module shall have well-defined interfaces, including the exported functions and global variables. Functions and variables that are not interfaces shall be static and used inside the module only.
Dependencies among the modules should be acyclic. Any cyclic dependency must be deviated explicitly.
The complexity of a module shall be limited.
Minimizing Cyclic Dependencies¶
Cyclic dependencies can be mostly avoided by carefully defining the boundary of modules. The following methods can be used when certain cyclic dependency cannot be resolved by design.
Use callbacks Callback registration and invocation help reverse dependencies between two modules and break cyclic dependencies. However callbacks shall be used with care due to its dynamic behavior. Send proposals or patches to the acrn-dev mailing list for discussing if specific callbacks are appropriate.
Making the cyclic dependency an exception A specific cyclic dependency can be regarded as an exception if it is well justified and a workaround is available to break the cyclic dependency for integration testing.
ACRN uses the number of functions and the cyclomatic complexity [CC] of each function to measure the complexity of a module. Concrete criteria on complexity will be determined while enhancing the modularity of the hypervisor. The current recommendation is to limit the cyclomatic complexity of a function under 20.
The following figure shows the high-level components of ACRN hypervisor.
The components are listed as follows.
Boot This component carries out the most basic hardware initialization to enable the execution of C code.
Library This component consists of subroutines that require no explicit initialization. Examples include standard memory and string manipulation functions like strncpy, atomic operations and bitmap operations. This component is independent from and widely used in the other components.
Hardware Management and Utilities This component abstracts hardware resources and provide services such as timers and physical interrupt handler registration to the upper layers.
Virtual CPU This component implements CPU, memory and interrupt virtualization. The vCPU loop module in this component handles VM exit events by calling the proper handler in the other components. Hypercalls are implemented as a special type of VM exit event. This component is also able to inject upcall interrupts to the Service VM.
Device Emulation This component implements devices that are emulated in the hypervisor itself, such as the virtual programmable interrupt controllers including vPIC, vLAPIC and vIOAPIC.
Passthrough Management This component manages devices that are passed-through to specific VMs.
Extended Device Emulation This component implements an I/O request mechanism that allows the hypervisor to forward I/O accesses from a User VM to the Service VM. for emulation.
VM Management This component manages the creation, deletion and other lifecycle operations of VMs.
Hypervisor Initialization This component invokes the initialization subroutines in the other components to bring up the hypervisor and start the Service VM in sharing mode or all the VMs in partitioning mode.
ACRN hypervisor adopts a layered design where higher layers can invoke the interfaces of lower layers but not vice versa. The only exception is the invocation of initialization routine in the Boot component, illustrated as the arrow from bottom to top on the left side of figure Figure 128. This exception is made due to the following reasons.
Boot enables the execution of C code and thus has to be the lowest layer in the architecture.
Hypervisor Initialization contains the hypervisor initialization function that calls the initialization functions of each layer. Thus this component is the highest layer to minimize reverse dependencies.
Boot shall invoke the hypervisor initialization routine after bringing up the hardware. This inevitably causes a reverse dependency from Boot to Hypervisor Initialization.
To enable integration testing of a layer in the middle (e.g. Virtual CPU), Boot will invoke a customized function that only invokes the initialization functions of that layer as well as the layers below.
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
ISO 26262-6:2011, Road vehicles - Functional safety - Part 6: Product development at the software level
Cyclomatic complexity - Wikipedia, https://en.wikipedia.org/wiki/Cyclomatic_complexity