[cap-talk] In Defense of Identities - not

Jonathan S. Shapiro shap at eros-os.com
Wed Dec 6 15:01:09 CST 2006


On Wed, 2006-12-06 at 15:44 -0500, Jonathan S. Shapiro wrote:

> 1. Introducing a wrapper is incredibly expensive (thousands of cycles).

And when you think about it, this is quite a nasty statement. If
membranes are a frequently manipulated pattern this will almost
certainly perturb the OS, because it means that for efficiency reasons
the OS must have explicit cognizance of membrane domain boundaries.

This in turn means that we are introducing an entirely new capability
model, because one of the operations (we may want others) takes the
form:

  domain->revoke(cap)

and we don't want to search the domain to hunt them down. This is quite
a serious mess.

But there is a bigger problem. I haven't heard anybody articulate a
sensible algebra for membrane construction. Consider processes in three
different revocation domains A, B, C.

  A sends cap 'c' to C.
  B sends cap 'c' to C.

A revokes cap 'c'. Does C still have it? Which copies? Must the sender
be explicitly aware of membrane domain boundaries, or should the
"wrapping" be implicit in the transport? What are the implications for
EQ and EQUAL?

-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
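One concrete reading of the A/B/C scenario above, as an added example that is not the author's code or anything from EROS: the caretaker-style membrane in which each sending domain interposes its own revocable forwarder at the boundary. The names `Cap`, `Gate`, `Domain` and `scenario` are assumed for the illustration. Under this one design choice A's revocation kills only the copy A forwarded, B's copy survives, and the two copies C holds are never EQ because they are distinct gates, which shows how much of the answer hinges on whether wrapping is implicit in the transport.

```python
class Cap:
    """Unforgeable object reference: holding it is authority to invoke it."""
    def __init__(self, name):
        self.name = name

    def invoke(self, msg):
        return f"{self.name}:{msg}"


class Gate:
    """Revocable forwarder the sending domain interposes at the boundary."""
    def __init__(self, target, owner):
        self._target, self.owner = target, owner

    def invoke(self, msg):
        if self._target is None:
            raise PermissionError(f"revoked by {self.owner}")
        return self._target.invoke(msg)

    def revoke(self):
        self._target = None


class Domain:
    """Revocation domain: records every gate it issued, so revoking never searches the receiver."""
    def __init__(self, name):
        self.name, self.issued, self.holdings = name, [], []

    def send(self, cap, receiver):
        gate = Gate(cap, self.name)       # wrapping is implicit in transport
        self.issued.append(gate)
        receiver.holdings.append(gate)

    def revoke_all(self):
        for g in self.issued:
            g.revoke()


def scenario():
    """A and B both send 'c' to C; then A revokes. Report what C still holds."""
    c = Cap("c")                          # constructed sample capability
    A, B, C = Domain("A"), Domain("B"), Domain("C")
    A.send(c, C)
    B.send(c, C)
    A.revoke_all()
    alive = []
    for g in C.holdings:                  # probe each copy C received
        try:
            alive.append(g.invoke("ping"))
        except PermissionError:
            alive.append(None)
    # EQ is object identity: two gates for the same 'c' are still distinct
    return {"copies": alive, "eq": C.holdings[0] is C.holdings[1]}
```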