[cap-talk] Memory Accounting without partitions(was: Language-based OS domain separation.)
Jonathan S. Shapiro
shap at eros-os.com
Sat Jun 16 11:14:56 EDT 2007
On Sat, 2007-06-16 at 00:25 +0000, Karp, Alan H wrote:
> Every Protection Domain (an e-speak managed resource) was assigned a
> quota. Every time a Client (an e-speak term for the equivalent of a
> process) consumed space in the e-speak repository, the unused quota in
> its Protection Domain was decremented. The right to deallocate was a
> capability that was normally held by the Client that allocated the
> space. When the Client freed space, its unused quota was incremented.
> Each registry entry was tagged with the Protection Domain responsible
> for its existence.
Okay. All of this makes sense. It also follows my rule of thumb that "he
who pays must be able to deallocate". Presumably you had a defined
semantics for attempts to access/invoke a deallocated object. All good.
> Clients were able to transfer quota to each other. The most common case
> was starting a child. The parent needed to provide part of its quota to
> the child...
This certainly helps a lot. We have similar mechanisms in plan for
Coyotos.
It doesn't fully solve the problem if ownership transfers can happen
implicitly, as in Matt Flatt's system. I may be running along just fine
sharing resources. You drop a pointer. I become sole owner while having
insufficient quota. Now what? [I realize this is not an e-Speak issue;
I'm trying to illustrate the gotcha in Matt's design.]
shap
More information about the cap-talk
mailing list