Hints for Computer System Design July 1983 1Hints for Computer System Design1Butler W. LampsonComputer Science LaboratoryXerox Palo Alto Research CenterPalo Alto, CA 94304AbstractStudying the design and implementation of a number of computer has led to some general hintsfor system design. They are described here and illustrated by many examples, ranging fromhardware such as the Alto and the Dorado to application programs such as Bravo and Star.1. IntroductionDesigning a computer system is very different from designing an algorithm:The external interface (that is, the requirement) is less precisely defined, more complex, andmore subject to change.The system has much more internal structure, and hence many internal interfaces.The measure of success is much less clear.The designer usually finds himself floundering in a sea of possibilities, unclear about how onechoice will limit his freedom to make other choices, or affect the size and performance of theentire system. There probably isn’t a ‘best’ way to build the system, or even any major part of it;much more important is to avoid choosing a terrible way, and to have clear division ofresponsibilities among the parts.I have designed and built a number of computer systems, some that worked and some that didn’t.I have also used and studied many other systems, both successful and unsuccessful. From thisexperience come some general hints for designing successful systems. I claim no originality forthem; most are part of the folk wisdom of experienced designers. Nonetheless, even the expertoften forgets, and after the second system [6] comes the fourth one.Disclaimer: These are notnovel (with a few exceptions),foolproof recipes,laws of system design or operation,precisely formulated,consistent,always appropriate,approved by all the leading experts, orguaranteed to work. 1 This paper was originally presented at the. 9th ACM Symposium on Operating Systems Principles and appeared inOperating Systems Review 15, 5, Oct. 1983, p 33-48. The present version is slightly revised.Hints for Computer System Design July 1983 2They are just hints. Some are quite general and vague; others are specific techniques which aremore widely applicable than many people know. Both the hints and the illustrative examples arenecessarily oversimplified. Many are controversial.I have tried to avoid exhortations to modularity, methodologies for top-down, bottom-up, oriterative design, techniques for data abstraction, and other schemes that have already been widelydisseminated. Sometimes I have pointed out pitfalls in the reckless application of popularmethods for system design.The hints are illustrated by a number of examples, mostly drawn from systems I have worked on.They range from hardware such as the Ethernet local area network and the Alto and Doradopersonal computers, through operating systems such as the SDS 940 and the Alto operatingsystem and programming systems such as Lisp and Mesa, to application programs such as theBravo editor and the Star office system and network servers such as the Dover printer and theGrapevine mail system. I have tried to avoid the most obvious examples in favor of others whichshow unexpected uses for some well-known methods. There are references for nearly all thespecific examples but for only a few of the ideas; many of these are part of the folklore, and itwould take a lot of work to track down their multiple sources.And these few precepts in thy memoryLook thou character.It seemed appropriate to decorate a guide to the doubtful process of system design withquotations from Hamlet. Unless otherwise indicated, they are taken from Polonius’ advice toLaertes (I iii 58-82). Some quotations are from other sources, as noted. Each one is intended toapply to the text which follows it.Each hint is summarized by a slogan that when properly interpreted reveals the essence of thehint. Figure 1 organizes the slogans along two axes:Why it helps in making a good system: with functionality (does it work?), speed (is it fastenough?), or fault-tolerance (does it keep working?).Where in the system design it helps: in ensuring completeness, in choosing interfaces, or indevising implementations.Fat lines connect repetitions of the same slogan, and thin lines connect related slogans.The body of the paper is in three sections, according to the why headings: functionality (section2), speed (section 3), and fault-tolerance (section 4).2. FunctionalityThe most important hints, and the vaguest, have to do with obtaining the right functionality froma system, that is, with getting it to do the things you want it to do. Most of these hints depend onthe notion of an interface that separates an implementation of some abstraction from the clientswho use the abstraction. The interface between two programs consists of the set of assumptionsthat each programmer needs to make about the other program in order to demonstrate thecorrectness of his program (paraphrased from [5]). Defining interfaces is the most important partof system design. Usually it is also the most difficult, since the interface design must satisfy threeconflicting requirements: an interface should be simple, it should be complete, and it shouldHints for Computer System Design July 1983 3admit a sufficiently small and fast implementation. Alas, all too often the assumptions embodiedin an interface turn out to be misconceptions instead. Parnas’ classic paper [38] and a more recentone on device interfaces [5] offer excellent practical advice on this subject.The main reason interfaces are difficult to design is that each interface is a small programminglanguage: it defines a set of objects and the operations that can be used to manipulate the objects.Concrete syntax is not an issue, but every other aspect of programming language design ispresent. Hoare’s hints on language design [19] can thus be read as a supplement to this paper.2.1 Keep it simplePerfection is reached not when there is no longer anything to add,but when there is no longer anything to take away. (A. Saint-Exupery)Those friends thou hast, and their adoption tried,Grapple them unto thy soul with hoops of steel;But do not dull thy palm with entertainmentOf each new-hatch’d unfledg’d comrade.• Do one thing at a time, and do it well. An interface should capture the minimum essentials of anabstraction. Don’t generalize; generalizations are generally wrong. Why? FunctionalityDoes it work?SpeedIs it fast