[cap-talk] EQ and the object-cap model

[Marcus Brinkmann]

At Sun, 10 Dec 2006 20:34:23 -0800,
Charles Landau <clandau at macslab.com> wrote:
> At 12:26 PM -0500 12/10/06, Jonathan S. Shapiro wrote:
> >>From a purist perspective, the one that we want is EQUAL?
> 
> I can't think of much use for an equality operation that isn't 
> durable. For example, it wouldn't satisfy the requirement of the 
> Grant Matcher, which is the only example we have that everyone seems 
> to agree needs EQ. The fact that implementing EQUAL? is undecidable 
> doesn't make it very attractive, either.

There may or may not be a use for such an operation in the client
space.  However there is one particular use of EQ*? that appears to me
important (well, relatively important depending on other aspects of
the infrastructure), and that is supported by a non-durable EQUAL?.

This is if the server which implements an object gets a capability to
another object it implements in an invocation, and wants to perform
the operation on both objects at the same time (say a virtual copy
operation from one object to another).  In EROS this is done with the
branding mechanism.  If such an operation is not available, it can be
implemented using EQUAL? under some definition of EQUAL?.

In this case, it is sufficient for the client to proof that it hold a
valid capability for the object at invocation time.  If it is revoked
afterwards doesn't affect the outcome of the operation in the server.
(Of course, if the server does not implement such operations
atomically it may have to recheck the EQUAL?-ness after reentering a
critical section, etc.  I think this was discussed before here on the
list, but it could have been hurd-l4---if somebody is interesting I
can search for it).

Thanks,
Marcus