[cap-talk] 'Destroy' vs 'Sever'
Jonathan S. Shapiro
shap at eros-os.com
Mon Nov 26 22:47:12 EST 2007
On Tue, 2007-11-27 at 03:37 +0000, David Hopwood wrote:
> See above for why "clone then destroy" is safer because it creates a
> deep copy. Sever (and NewCap?) is equivalent to atomically creating
> a *shallow* copy and then destroying the original. I claim this is
> usually not what you want.
I claim that "what you want" is entirely dependent on how the object was
built and what tricks of shared representation its implementation is
using; there is no "usually" here.
The sever operation is severing storage, not object. It operates below
the level of object semantics, which is part of why the shallow/deep
issue is confusing.
Note that if NewCap is implemented, it almost requires a per-capability
permission bit that permits or restricts this operation.
shap
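To make the shallow/deep distinction in the exchange above concrete, here is a small constructed model, added for this archive page; it is not EROS code and was not posted by either author. It models "sever" as the atomic shallow-copy-then-destroy operation Hopwood describes, "clone then destroy" as a deep copy, and the per-capability permission bit Shapiro says NewCap almost requires. The object model, the right names (READ, WRITE, DESTROY, SEVER) and all function names are hypothetical.

```python
"""Toy model of 'clone then destroy' (deep copy) versus 'sever' (shallow
copy plus destroy) on capability-held objects.

Constructed illustration for this thread, not EROS/Coyotos code; the
object model, right names and function names are all hypothetical.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field

# Hypothetical rights. SEVER is the per-capability permission bit that
# the message says a sever/NewCap operation almost requires.
READ, WRITE, DESTROY, SEVER = "read", "write", "destroy", "sever"


@dataclass(eq=False)
class Obj:
    """An object whose representation ('rep') may be shared by reference
    with other objects (the 'tricks of shared representation')."""
    name: str
    rep: dict = field(default_factory=dict)
    alive: bool = True


@dataclass(frozen=True)
class Cap:
    """A capability: an object reference plus a rights mask."""
    target: Obj
    rights: frozenset


class Revoked(Exception):
    """The capability's target has been destroyed."""


class NoRight(Exception):
    """The capability lacks the requested right."""


def invoke(cap: Cap, right: str) -> Obj:
    """Gate every operation on liveness and on the rights mask."""
    if not cap.target.alive:
        raise Revoked(cap.target.name)
    if right not in cap.rights:
        raise NoRight(right)
    return cap.target


def clone_then_destroy(cap: Cap) -> Cap:
    """Deep copy the object, then destroy the original. The new object
    gets private storage, so sharing with other objects is broken."""
    old = invoke(cap, READ)
    invoke(cap, DESTROY)
    new = Obj(old.name + "'", copy.deepcopy(old.rep))
    old.alive = False          # every outstanding cap to `old` is now dead
    return Cap(new, cap.rights)


def sever(cap: Cap) -> Cap:
    """Atomically create a shallow copy and destroy the original. Only the
    object identity changes; the storage is reused, so sharing survives.
    Requires the per-capability SEVER bit."""
    old = invoke(cap, SEVER)
    new = Obj(old.name + "'", old.rep)   # same rep object, not a copy
    old.alive = False
    return Cap(new, cap.rights)


def scenario() -> dict:
    """Objects A and B share one rep; compare the two operations."""
    full = frozenset({READ, WRITE, DESTROY, SEVER})
    out = {}

    # sever: sharing with B survives, outstanding caps to old A are revoked
    rep = {"count": 0}
    a, b = Obj("A", rep), Obj("B", rep)
    cap_a, cap_a_weak, cap_b = Cap(a, full), Cap(a, frozenset({READ})), Cap(b, full)
    new_a = sever(cap_a)
    invoke(new_a, WRITE).rep["count"] += 1
    out["sever_keeps_sharing"] = invoke(cap_b, READ).rep["count"] == 1
    try:
        invoke(cap_a_weak, READ)
        out["sever_revokes_old"] = False
    except Revoked:
        out["sever_revokes_old"] = True

    # clone then destroy: A' gets private storage, B is unaffected
    rep = {"count": 0}
    a, b = Obj("A", rep), Obj("B", rep)
    cap_a, cap_b = Cap(a, full), Cap(b, full)
    new_a = clone_then_destroy(cap_a)
    invoke(new_a, WRITE).rep["count"] += 1
    out["clone_breaks_sharing"] = invoke(cap_b, READ).rep["count"] == 0

    # the permission bit: a cap without SEVER cannot sever, and C survives
    c = Obj("C", {})
    try:
        sever(Cap(c, frozenset({READ, WRITE, DESTROY})))
        out["sever_needs_bit"] = False
    except NoRight:
        out["sever_needs_bit"] = True
    out["c_still_alive"] = c.alive
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model makes Shapiro's point visible: whether B should keep seeing A's writes after the operation depends entirely on whether A and B were built to share that representation, so neither the shallow nor the deep form is "usually" right.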