[cap-talk] Memory Accounting without partitions(was: Language-based OS domain separation.)

Jonathan S. Shapiro shap at eros-os.com
Sat Jun 16 11:14:56 EDT 2007

On Sat, 2007-06-16 at 00:25 +0000, Karp, Alan H wrote:

> Every Protection Domain (an e-speak managed resource) was assigned a
> quota.  Every time a Client (an e-speak term for the equivalent of a
> process) consumed space in the e-speak repository, the unused quota in
> its Protection Domain was decremented.  The right to deallocate was a
> capability that was normally held by the Client that allocated the
> space.  When the Client freed space, its unused quota was incremented.
> Each registry entry was tagged with the Protection Domain responsible
> for its existence.  

Okay. All of this makes sense. It also follows my rule of thumb that "he
who pays must be able to deallocate". Presumably you had a defined
semantics for attempts to access/invoke a deallocated object. All good.

> Clients were able to transfer quota to each other.  The most common case
> was starting a child.  The parent needed to provide part of its quota to
> the child...

This certainly helps a lot. We have similar mechanisms in plan for

It doesn't fully solve the problem if ownership transfers can happen
implicitly, as in Matt Flatt's system. I may be running along just fine
sharing resources. You drop a pointer. I become sole owner while having
insufficient quota. Now what? [I realize this is not an e-Speak issue;
I'm trying to illustrate the gotcha in Matt's design.]
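As an added illustration (not part of this post, and not e-speak's or Matt Flatt's code), a constructed Python model of the two accounting schemes the thread contrasts: explicit quota transfer between domains, versus implicit ownership transfer where a dropped pointer leaves the remaining holder owing more than its quota. Domain names, sizes and quotas are made up.

```python
# Constructed toy model of the quota scheme discussed above (not e-speak's
# or Matt Flatt's code); domain names, sizes and quotas are made up.
class QuotaError(Exception): pass

class Domain:
    def __init__(self, name, quota):
        self.name, self.quota = name, quota  # quota = unused quota remaining

    def charge(self, amount):  # a negative amount is a refund
        if amount > self.quota:
            raise QuotaError(f"{self.name}: needs {amount}, has {self.quota}")
        self.quota -= amount

def transfer_quota(src, dst, amount):
    """Explicit transfer, e.g. a parent funding a child before starting it."""
    src.charge(amount)
    dst.charge(-amount)

class SharedEntry:
    """Implicit ownership: cost is split among domains still holding a pointer,
    so dropping a pointer silently shifts that share onto the others."""
    def __init__(self, size, holders):
        self.size, self.holders, self.paid = size, list(holders), {}
        self._rebalance()

    def _rebalance(self):
        share = self.size // max(len(self.holders), 1)
        for d in self.holders:  # QuotaError if a holder cannot cover its share
            d.charge(share - self.paid.get(d, 0))
            self.paid[d] = share

    def drop(self, holder):
        self.holders.remove(holder)
        holder.charge(-self.paid.pop(holder))  # dropper gets its share back
        self._rebalance()  # the "now what?": pointer is gone, bill is unpaid

def implicit_drop():
    a, b = Domain("A", 100), Domain("B", 70)
    s = SharedEntry(120, [a, b])        # each charged 60: A=40, B=10
    try:
        s.drop(b)                       # A must absorb 60 more but has only 40
    except QuotaError:
        pass
    return a.quota, b.quota, s.paid[a]  # (40, 70, 60): 120 held, 60 paid for

def explicit_handover():
    a, b = Domain("A", 100), Domain("B", 130)
    s = SharedEntry(120, [a, b])        # A=40, B=70
    transfer_quota(b, a, 60)            # B funds A up front: A=100, B=10
    s.drop(b)                           # B refunded 60, A charged 60
    return a.quota, b.quota, s.paid[a]  # (40, 70, 120)
```

In the implicit case the entry survives with only half its cost charged to anyone, which is the accounting hole the post points at; in the explicit case the hand-over is refused up front if the recipient cannot be funded.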
