[cap-talk] Specs for our 'ideal' language?

David Barbour dmbarbour at gmail.com
Sat Sep 26 14:07:37 PDT 2009


On Sat, Sep 26, 2009 at 1:09 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> When a page or segment is deleted, part of the delete operation removes it
> from the address map of all processes (domains) which have it mapped. Note
> that this logic is also needed for demand paging.

I'd find a claim of memory-safety quite dubious in the circumstances
you describe.

* Can the mapped region of memory be reused without risk of old
references to the region illegally becoming 'valid' yet pointing to a
new region (likely of a new type) reusing old memory? Or do you actually
manage to invalidate all old references to the now-unmapped region (as
is necessary for memory-safety)?

* Memory-safety suggests that there are no undefined operations, but
the system you describe essentially means that operations on memory
can become invalid at any arbitrary point in any process that has it
mapped. I suspect this would violate safety guarantees the processes
might otherwise possess when working with concurrency.

> Without actually having performed a careful analysis, it seems to me that
> garbage collection is likely a lot more expensive than the above logic.

It does look cheaper, indeed, since multi-process memory-mapping is
pretty straightforward with cooperation from the kernel. But unless it
achieves memory-safety, it also is not a competitor.


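Added example, not part of the original post or of any system discussed in the thread: a small C program that shows the hazard raised in the first bullet (a reference kept across an unmap reads whatever object later reuses the same address, as the old type) beside one way of invalidating old references, a generation-tagged segment table. The struct layouts, the table design and the function names are assumptions for illustration; MAP_FIXED at the just-freed address is used only to make the address reuse deterministic in a test, a real allocator simply reuses it eventually.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed layouts: two unrelated types that could successively occupy
 * the same segment. Same size, so the field overlap is obvious. */
struct session { uint32_t uid; uint32_t is_admin; };
struct buffer  { uint32_t len; uint32_t flags; };

/* Hazard: a raw pointer survives the unmap, the range is reused for a
 * different object, and the stale pointer reads the new bytes as the old
 * type. Returns is_admin as seen through the stale pointer (1, which is
 * really buffer.flags), or UINT32_MAX if the mappings could not be set up. */
uint32_t stale_pointer_reads_new_type(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *seg = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (seg == MAP_FAILED)
        return UINT32_MAX;
    struct session *s = seg;
    s->uid = 1000;
    s->is_admin = 0;
    volatile struct session *stale = s;   /* reference kept past the delete */

    munmap(seg, page);                    /* the segment is "deleted" */

    /* Reuse of the same virtual range for an unrelated object (assumed:
     * MAP_FIXED at the freed address, so the reuse is deterministic). */
    void *reused = mmap(seg, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (reused != seg)
        return UINT32_MAX;
    struct buffer *b = reused;
    b->len = 64;
    b->flags = 1;

    uint32_t observed = stale->is_admin;  /* no fault: reads b->flags */
    munmap(reused, page);
    return observed;
}

/* Mitigation sketch (assumed design): a reference is a (slot, generation)
 * pair validated against a segment table, so a reference issued before a
 * delete is refused instead of silently reading reused memory. */
#define MAX_SEGS 8
struct seg_entry { void *base; size_t len; uint32_t gen; int live; };
struct seg_table { struct seg_entry e[MAX_SEGS]; };
struct seg_ref   { uint32_t slot; uint32_t gen; };
static const struct seg_ref BAD_REF = { UINT32_MAX, 0 };

struct seg_ref seg_create(struct seg_table *t, size_t len)
{
    for (uint32_t i = 0; i < MAX_SEGS; i++) {
        struct seg_entry *e = &t->e[i];
        if (e->live) continue;
        void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) return BAD_REF;
        e->base = p; e->len = len; e->live = 1;
        e->gen++;                      /* every reuse of a slot gets a new generation */
        return (struct seg_ref){ i, e->gen };
    }
    return BAD_REF;
}

/* All access goes through here: a stale reference yields NULL, never a
 * pointer into whatever now occupies the slot. */
void *seg_deref(const struct seg_table *t, struct seg_ref r)
{
    if (r.slot >= MAX_SEGS) return NULL;
    const struct seg_entry *e = &t->e[r.slot];
    if (!e->live || e->gen != r.gen) return NULL;
    return e->base;
}

int seg_delete(struct seg_table *t, struct seg_ref r)
{
    if (seg_deref(t, r) == NULL) return -1;   /* stale or double delete */
    struct seg_entry *e = &t->e[r.slot];
    munmap(e->base, e->len);
    e->live = 0;                              /* slot free; next create bumps gen */
    return 0;
}

/* Replays the scenario through the table: the reference held across the
 * delete is refused even though the slot is reused. Returns 1 on success. */
int generation_check_rejects_stale(void)
{
    struct seg_table t = {0};
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    struct seg_ref held = seg_create(&t, page);   /* copy kept past the delete */
    if (seg_delete(&t, held) != 0) return 0;
    struct seg_ref fresh = seg_create(&t, page);  /* lands in the same slot */
    int ok = seg_deref(&t, held) == NULL          /* generation mismatch */
          && seg_deref(&t, fresh) != NULL
          && seg_delete(&t, held) == -1;          /* stale delete refused too */
    seg_delete(&t, fresh);
    return ok;
}
```

Calling stale_pointer_reads_new_type() returns 1: the old session pointer dereferences without any fault and reports is_admin set, because the bytes now belong to a buffer whose flags field is 1. generation_check_rejects_stale() returns 1: the held reference is refused once the slot is reused. The table as written is single-threaded; to address the concurrency point in the second bullet, the validation and the access it guards would have to be atomic with respect to a delete performed by another process, which this sketch does not provide.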