[cap-talk] Another "core" principle - Brinkmann

Jonathan S. Shapiro shap at eros-os.com
Fri Dec 29 02:38:51 CST 2006


On Thu, 2006-12-28 at 18:19 -0800, Jed Donnelley wrote:

> On a meta note I'll mention that I'm often unhappy with what I
> regard as the varied nuances of descriptor type object-capability
> operating systems because they can provide so many different
> sorts of capability communication mechanisms.  The implementors
> of such systems seem to regard this opportunity to vary the
> interface as valued flexibility.  To me it argues against
> consistency in the object-capability paradigm and works against
> any hope for a consistent object-capability message.

Every "nuance" of this form in KeyKOS/EROS/Coyotos can be viewed as an
optimization of something that can be done by a server in a completely
conventional capability system. In light of this, I would argue that the
consistency of the object-capability paradigm has been fully preserved
to the extent that it ever existed.

In many cases the optimization provides the ability to statically
analyze information flow that would otherwise require program analysis.

There is one area where object-capability systems do not (and never
have) agreed: the design of communication primitives. Some impose
stack-like control flow by providing only a CALL/RETURN mechanism.
Others provide unidirectional send. They differ on whether messaging is
synchronous or asynchronous and whether messaging is blocking or not.
The systemic implications of these differences are *huge*, touching on
resource management, scheduling, storage management, request
interleaving, and many other central issues. This is so fundamental that
any assertion of "consistency in the object-capability model" needs to
be held at arm's length and inspected dubiously while firmly pinching
one's nose. Baby wipes may be indicated at this point. :-)


shap


