[cap-talk] gauntlet - one way IPC considered useless, practical MLS?
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Fri Jan 20 19:09:59 EST 2006
I wrote:
> Suppose that a process A wants to tell processes B and C to perform some
> actions P_B and P_C respectively, and be assured that all effects of P_B happen
> before effects of P_C. B and C do not know anything about each other. There are
> only a few possible ways to implement this:
>
> 1. A relies on timing, e.g. it assumes that effects of P_B happen within some
> maximum time. This is too unreliable.

... and too inefficient, because it means that P_C cannot start before a worst
case estimate of the latency of P_B, rather than how long P_B actually takes.

> 2. Some protocol is used that requires B and C to communicate to ensure that
> P_B completes before P_C. But by assumption, B and C know nothing about each
> other, so this is unworkable.
>
> 3. A receives an acknowledgement from B that P_B has completed, and only then
> asks C to do P_C. This is by far the simplest and most reliable solution --
> but it introduces communication channels from B to A and from C to A.

... from C to A under the assumption that the protocol must be composable, and so
there might be a P_D that has to be done next.

> Any nontrivial operating system or environment will have thousands of cases where
> such ordering constraints, requiring acknowledgements in order to be implemented
> reliably, have to happen between processes that would be at different MLS levels,
> in the case of an MLS system.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
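
The two workable-looking options from the message above (1: timing, 3: acknowledgement), as an added example that is not part of the original post. The function names, the `flows` log and the durations are hypothetical and constructed for illustration; every `flows` entry whose source is not A is one of the reverse channels the post refers to.

```python
import queue
import threading
import time

def worker(name, inbox, acks, effects, flows, work_s):
    """B, C or D: wait for A's request, do the work, acknowledge to A."""
    action = inbox.get()
    time.sleep(work_s)              # constructed stand-in for the real work
    effects.append(action)          # the observable effect of P_x
    if acks is not None:
        flows.append((name, "A"))   # reverse channel introduced by option 3
        acks.put(name)

def run(durations, bound=None):
    """A requests P_B, P_C, ... in order.

    bound=None -> option 3: A waits for each acknowledgement.
    bound=x    -> option 1: A waits x seconds and assumes completion.
    Returns (effects in the order they happened, message flows).
    """
    effects, flows, threads = [], [], []
    acks = queue.Queue() if bound is None else None
    for name, work_s in durations.items():
        inbox = queue.Queue()
        t = threading.Thread(target=worker,
                             args=(name, inbox, acks, effects, flows, work_s))
        t.start()
        threads.append(t)
        flows.append(("A", name))
        inbox.put("P_" + name)
        if bound is None:
            acks.get()              # blocks exactly as long as P_x takes
        else:
            time.sleep(bound)       # a guess; wrong if P_x overruns it
    for t in threads:
        t.join()
    return effects, flows

if __name__ == "__main__":
    slow_b = {"B": 0.5, "C": 0.0, "D": 0.0}   # constructed durations
    print("ack-based :", run(slow_b))
    print("time-based:", run(slow_b, bound=0.01))
```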