[cap-talk] Midori in The Register
Jonathan S. Shapiro
shap at eros-os.com
Tue Aug 5 20:19:19 CDT 2008
On Wed, 2008-08-06 at 10:52 +1000, James A. Donald wrote:
> James A. Donald wrote:
> >> I am kind of worried by the references to "managed
> >> code"...
>
> Jonathan S. Shapiro wrote:
> > So far as I know, managed code refers to code that is
> >
> > (a) type safe (and therefore memory safe)
> > (b) runs in a garbage-collected environment.
> >
> > I am not aware that any guarantee stronger than these exists. Have I
> > missed something?
>
> The problem is that these guarantees are a little *too* strong for
> device drivers.
In principle I do not see why. In the absence of DMA, it is obviously
possible to write fully safe device drivers. In the presence of DMA, it
is certainly possible to write fully safe device drivers so long as the
low-level DMA interface is understood and mediated by the VM. That is
not as difficult as it may initially seem.
I do agree that if the program can program a DMA subsystem arbitrarily,
that program can violate the safety of the language type system.
But this is not a failure of the guarantees above. It is a reflection of
the fact that device drivers are one of the places where the layering of
abstractions in a layered system must be crossed.
shap
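Added example (not part of this thread, and not code from Midori, EROS or any real kernel): a minimal C model of what it means for the low-level DMA interface to be "understood and mediated by the VM". The driver never writes a bus address; it names a buffer handle plus offset and length, and the VM resolves that to memory it allocated and pinned, rejecting out-of-range, wrong-owner and stale-handle requests before any descriptor reaches the engine. Every name here (dma_buffer, vm_dma_register, vm_dma_resolve, vm_dma_simulate_write, raw_dma_desc) is hypothetical, and the memcpy stands in for the device performing the transfer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DMA_BUFFERS 8

/* Hypothetical VM-side record of a pinned, VM-owned DMA buffer. */
typedef struct {
    uint8_t *base;   /* backing memory the VM allocated and pinned */
    size_t   len;    /* bytes available for DMA */
    int      owner;  /* driver id allowed to use this buffer */
    int      in_use;
} dma_buffer;

static dma_buffer dma_table[MAX_DMA_BUFFERS];

enum { DMA_OK = 0, DMA_EHANDLE = -1, DMA_EOWNER = -2, DMA_ERANGE = -3 };

/* Mediated form: a driver describes a transfer by handle + offset + length. */
typedef struct {
    int    handle;
    size_t offset;
    size_t len;
} dma_request;

/* Unmediated form: what a raw DMA engine accepts. Nothing constrains
 * bus_addr, so code that can fill this in directly can reach any memory,
 * including the VM's own heap, whatever the language type system says. */
typedef struct {
    uint64_t bus_addr;
    uint32_t len;
} raw_dma_desc;

/* VM side: hand out a handle for memory the VM itself allocated and pinned.
 * Returns the handle (>= 0) or -1 if the table is full. */
int vm_dma_register(uint8_t *base, size_t len, int owner)
{
    for (int i = 0; i < MAX_DMA_BUFFERS; i++) {
        if (!dma_table[i].in_use) {
            dma_table[i].base = base;
            dma_table[i].len = len;
            dma_table[i].owner = owner;
            dma_table[i].in_use = 1;
            return i;
        }
    }
    return -1;
}

/* Validate a request and resolve it to a concrete target pointer.
 * Only after this succeeds may the VM build a raw descriptor. */
int vm_dma_resolve(const dma_request *req, int requester, uint8_t **target)
{
    if (req->handle < 0 || req->handle >= MAX_DMA_BUFFERS ||
        !dma_table[req->handle].in_use)
        return DMA_EHANDLE;
    const dma_buffer *b = &dma_table[req->handle];
    if (b->owner != requester)
        return DMA_EOWNER;
    /* Overflow-safe bounds check: offset + len must not exceed b->len. */
    if (req->offset > b->len || req->len > b->len - req->offset)
        return DMA_ERANGE;
    *target = b->base + req->offset;
    return DMA_OK;
}

/* Simulated device write through the mediated path: data lands in the
 * buffer only if the VM approved the request; otherwise memory is untouched. */
int vm_dma_simulate_write(const dma_request *req, int requester,
                          const uint8_t *data)
{
    uint8_t *target;
    int rc = vm_dma_resolve(req, requester, &target);
    if (rc != DMA_OK)
        return rc;
    raw_dma_desc desc = { (uint64_t)(uintptr_t)target, (uint32_t)req->len };
    /* A real VM would program desc into the engine here; the memcpy
     * stands in for the device carrying out the transfer. */
    memcpy((uint8_t *)(uintptr_t)desc.bus_addr, data, desc.len);
    return DMA_OK;
}

int main(void)
{
    static uint8_t buf[64];                     /* constructed sample buffer */
    int h = vm_dma_register(buf, sizeof buf, 1);
    dma_request ok = { h, 8, 4 }, bad = { h, 60, 8 };
    const uint8_t data[4] = { 0xde, 0xad, 0xbe, 0xef };
    printf("in-bounds:   %d\n", vm_dma_simulate_write(&ok, 1, data));  /* 0  */
    printf("past end:    %d\n", vm_dma_simulate_write(&bad, 1, data)); /* -3 */
    printf("wrong owner: %d\n", vm_dma_simulate_write(&ok, 2, data));  /* -2 */
    return 0;
}
```

The design point is that the check lives on the VM side of the boundary the message describes: the driver's view of DMA is a handle it cannot forge, so the only way to cross the abstraction layer is through vm_dma_resolve, and a raw_dma_desc is constructed solely from an already-validated target.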