[cap-talk] 'Destroy' vs 'Sever'

Charles Landau clandau at macslab.com
Tue Nov 27 00:11:35 EST 2007


At 3:37 AM +0000 11/27/07, David Hopwood wrote:
>Consider an implementation of a composite data structure [...]
>Now the root object is severed. [...] So
>the presence of the Sever operation implies that this composite is not
>defensively consistent.

I repeat, Sever is not an operation on the object. Therefore clients 
cannot Sever. Your composite object can be defensively consistent by 
not giving out the authority needed to Sever the root, and by not 
using it itself (or using it only with care to avoid the problem you 
mention).

At 10:47 PM -0500 11/26/07, Jonathan S. Shapiro wrote:
>Note that if NewCap is implemented, it almost requires a per-capability
>permission bit that permits or restricts this operation.

Alternatively, as implemented in KeyKOS, Sever is an operation not on 
the object, but on the creator of the object: "Sever this object that 
you created".

>In KeyKOS, Sever was apparently restricted to node and page objects.

We never implemented it for other objects. To do so would simply 
require managing internal references as you point out.

>But these were objects that could provide "backing storage" for other
>arbitrary objects. Revoking the storage for some, but not all of the
>objects that make up a composite can cause similar problems to that
>described above. For this argument, it does not matter whether Sever
>is a primitive, or an operation on an object such as a space bank.

I'm not sure what you mean by "primitive", but it matters because you 
can control who has the authority to Sever.

>See above for why "clone then destroy" is safer because it creates a
>deep copy. Sever (and NewCap?) is equivalent to atomically creating
>a *shallow* copy and then destroying the original. I claim this is
>usually not what you want.

This has been an interesting discussion, but if you recall my 
original question, it was not whether Sever is always safe, nor 
whether Sever is usually what you want. It was, is Sever useful often 
enough to make it worth implementing?

The main argument in favor of it seems to be that it is more 
efficient than clone then destroy.

At 4:49 PM -0800 11/26/07, Jed Donnelley wrote:
>1.  Our NLTSS system had what I believe are these
>operations.  We called them 'Destroy' and 'NewCap'.

Do you know if anyone made good use of NewCap?
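To make the distinction in this thread concrete, here is a small Python model, added as an illustration and not code from the thread, from KeyKOS or from NLTSS. It takes Sever as Landau describes it, an operation exercised by the object's creator rather than by holders of the object, and gives it the semantics Hopwood states, an atomic shallow copy followed by Destroy, next to a deep "clone then destroy". The composite is a tree whose children carry parent back-pointers; integer ids standing in for capabilities, the "bank" and "client" principals, the Store class and the consistency check are all this example's own assumptions.

```python
"""Toy model of Destroy, Sever and clone-then-destroy on a composite.

Added example, not KeyKOS or NLTSS code. Object ids stand in for
capabilities; the 'creator' string is the authority that may Sever.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field


@dataclass
class Obj:
    creator: str                  # principal that created it; holds Sever authority
    parent: int | None = None     # internal reference back to the parent object
    children: list = field(default_factory=list)  # internal references forward
    payload: str = ""


class Store:
    """All objects live here; an int id plays the role of a capability."""

    def __init__(self):
        self.objs = {}
        self._ids = itertools.count(1)

    def create(self, creator, payload="", parent=None):
        oid = next(self._ids)
        self.objs[oid] = Obj(creator, parent, [], payload)
        if parent is not None:
            self.objs[parent].children.append(oid)
        return oid

    def destroy(self, oid):
        """Destroy: the object is gone; every capability to oid now dangles."""
        del self.objs[oid]

    def sever(self, actor, oid):
        """Sever as an operation of the creator ('sever this object you created').
        Semantically an atomic shallow copy plus Destroy: the state moves to a
        fresh id, its internal references are copied as-is, and objects that
        referenced oid are left holding the dead id."""
        old = self.objs[oid]
        if actor != old.creator:
            raise PermissionError("Sever requires the creator's authority")
        new = next(self._ids)
        self.objs[new] = Obj(old.creator, old.parent, list(old.children), old.payload)
        self.destroy(oid)
        return new

    def clone_then_destroy(self, actor, root):
        """Deep copy the composite reachable from root, rewriting internal
        references to the copies, then destroy all of the originals."""
        if actor != self.objs[root].creator:
            raise PermissionError("Destroy requires the creator's authority")
        copied = {}

        def copy(oid, new_parent):
            o = self.objs[oid]
            nid = self.create(o.creator, o.payload, new_parent)
            copied[oid] = nid
            for c in o.children:
                copy(c, nid)
            return nid

        new_root = copy(root, None)
        for oid in copied:
            self.destroy(oid)
        return new_root

    def consistent(self, root):
        """Defensive-consistency check: every internal reference resolves and
        parent/child links agree with each other."""
        if root not in self.objs:
            return False
        todo = [root]
        while todo:
            oid = todo.pop()
            o = self.objs[oid]
            for c in o.children:
                if c not in self.objs or self.objs[c].parent != oid:
                    return False
                todo.append(c)
            if o.parent is not None and (
                o.parent not in self.objs or oid not in self.objs[o.parent].children
            ):
                return False
        return True


def build_composite(store, creator="bank"):
    """Constructed sample: a root with two children pointing back at it."""
    root = store.create(creator, "root")
    for name in ("a", "b"):
        store.create(creator, name, parent=root)
    return root


def demo():
    s = Store()
    root = build_composite(s)
    assert s.consistent(root)
    try:                         # a client holding only the root cap cannot Sever
        s.sever("client", root)
        denied = False
    except PermissionError:
        denied = True
    new_root = s.sever("bank", root)      # creator severs the root
    severed_ok = s.consistent(new_root)   # False: children still name the dead root
    s2 = Store()
    r2 = build_composite(s2)
    r2_new = s2.clone_then_destroy("bank", r2)
    return denied, severed_ok, s2.consistent(r2_new), r2 in s2.objs


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The shallow Sever touches one object, which is the efficiency argument, but it leaves the children's back-pointers naming an id that no longer exists; the deep clone walks the whole composite and rewrites every internal reference before destroying the originals together. The permission check on the creator string is the model's rendering of "not giving out the authority needed to Sever the root".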
