[cap-talk] Specs for our 'ideal' language?
Bill Frantz
frantz at pwpconsult.com
Sat Sep 26 13:09:34 PDT 2009
dmbarbour at gmail.com (David Barbour) on Saturday, September 26, 2009 wrote:
>To achieve memory-safety without GC requires some sort of memory-safe
>semantics for explicit deletion of a memory-object that is still
>referenced from elsewhere. Two possible semantics are: (a) refuses to
>delete object that is referenced from elsewhere. (b) dereference
>causes a particular exception (i.e. null-ptr exception).
KeyKOS/EROS/CapROS chose the latter. In all cases, the memory-object is a
page or a segment, the only objects that can be mapped into addressability.
>In combination with concurrency, your memory-safe semantics need also
>to handle the case of explicit delete from one thread while another
>thread is still utilizing the memory-object. One might be able to
>modify (b) for concurrency, via telling the object to self-terminate
>the moment it is no longer in immediate use (i.e. by combining an
>active usage-counter with the indirect reference).
When a page or segment is deleted, part of the delete operation removes it
from the address map of all processes (domains) which have it mapped. Note
that this logic is also needed for demand paging.
>
>A hybrid for (a) and (b) might be to use some equivalent of weakrefs
>which are promoted to 'strong' refs explicitly or at need, but not
>deleting until explicit destruction.
>
>All of this is very expensive compared to plain-old garbage collection.
Without actually having performed a careful analysis, it seems to me that
garbage collection is likely a lot more expensive than the above logic.
YMMV
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"After all, if the conventional wisdom was working, the
408-356-8506 | rate of systems being compromised would be going down,
www.periwinkle.com | wouldn't it?" -- Marcus Ranum
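The deletion semantics discussed above, sketched as an added C example (this is not KeyKOS/EROS/CapROS code and not from either poster). References are (slot, generation) pairs that go through one table rather than raw pointers, so deleting an object that is still referenced elsewhere turns every later dereference into a well-defined error instead of a dangling pointer (Barbour's option (b)); a pin count models "in immediate use", and a delete requested while the object is pinned is deferred until the last unpin (his concurrency modification of (b)). Everything here is single-threaded: in a real multi-threaded version the pin/unpin/delete path would need a lock or atomics, which the example leaves out. The names and the 4-slot table are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define NSLOTS 4   /* hypothetical tiny table, enough to show slot reuse */

/* A reference names a slot plus the generation it was issued under. */
typedef struct { uint32_t idx; uint32_t gen; } ref_t;

typedef struct {
    uint32_t gen;     /* bumped on every free; an outstanding ref with an old gen is stale */
    uint32_t pins;    /* callers currently holding the object ("in immediate use") */
    int      live;    /* slot holds an object */
    int      doomed;  /* delete requested while pinned; completes at the last unpin */
    int     *obj;     /* payload; stands in for a page or segment */
} slot_t;

static slot_t table[NSLOTS];

/* Resolve a ref to its slot, or NULL if the ref is stale or never valid. */
static slot_t *lookup(ref_t r) {
    if (r.idx >= NSLOTS) return NULL;
    slot_t *s = &table[r.idx];
    if (!s->live || s->gen != r.gen) return NULL;
    return s;
}

/* Create an object holding v. On exhaustion the returned idx equals NSLOTS. */
ref_t obj_create(int v) {
    ref_t r = { NSLOTS, 0 };
    for (uint32_t i = 0; i < NSLOTS; i++) {
        slot_t *s = &table[i];
        if (s->live) continue;
        s->obj = malloc(sizeof *s->obj);
        if (!s->obj) return r;
        *s->obj = v;
        s->pins = 0; s->doomed = 0; s->live = 1;
        r.idx = i; r.gen = s->gen;     /* the current generation is part of the ref */
        return r;
    }
    return r;
}

/* Pin: validate the ref and take a usage count. NULL is the "dereference of a
   deleted object" error; no new users are admitted once deletion is pending. */
int *obj_pin(ref_t r) {
    slot_t *s = lookup(r);
    if (!s || s->doomed) return NULL;
    s->pins++;
    return s->obj;
}

/* Free the payload and bump the generation, which invalidates every
   outstanding ref to this slot at once, wherever it is held. */
static void slot_free(slot_t *s) {
    free(s->obj);
    s->obj = NULL;
    s->live = 0;
    s->doomed = 0;
    s->gen++;
}

/* Unpin: drop the usage count; a deferred delete completes here. A stale or
   unbalanced unpin is ignored (a policy choice for this example). */
void obj_unpin(ref_t r) {
    slot_t *s = lookup(r);
    if (!s || s->pins == 0) return;
    if (--s->pins == 0 && s->doomed) slot_free(s);
}

/* Delete: 0 = freed now, 1 = deferred until the last unpin, -1 = ref already invalid. */
int obj_delete(ref_t r) {
    slot_t *s = lookup(r);
    if (!s) return -1;
    if (s->pins > 0) { s->doomed = 1; return 1; }
    slot_free(s);
    return 0;
}

int obj_is_live(ref_t r) { return lookup(r) != NULL; }

int main(void) {
    ref_t a = obj_create(42), alias = a;   /* two holders of the same object */
    int *p = obj_pin(alias);
    printf("pinned value %d\n", *p);
    printf("delete while pinned -> %d (1 = deferred)\n", obj_delete(a));
    printf("pin after delete request -> %s\n", obj_pin(a) ? "ok" : "refused");
    obj_unpin(alias);                      /* last user leaves; object is freed here */
    printf("live after unpin -> %d\n", obj_is_live(a));
    ref_t b = obj_create(7);               /* reuses slot 0 under a new generation */
    printf("old ref still usable -> %s\n", obj_pin(a) ? "yes (bug)" : "no");
    obj_delete(b);
    return 0;
}
```

The generation bump in slot_free is the single-table analogue of what Frantz describes for KeyKOS: because every holder reaches the object only through the table, invalidating the entry is what "removes it from the address map of all processes" in one step, and a later reuse of the same slot cannot resurrect a stale reference. The cost is one bounds check and one compare per dereference plus the pin/unpin pair, which is the kind of logic the two posters disagree about when comparing it with garbage collection.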