[cap-talk] Specs for our 'ideal' language?
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Sep 26 16:10:06 PDT 2009
David Barbour wrote:
> On Sat, Sep 26, 2009 at 1:09 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>> When a page or segment is deleted, part of the delete operation removes it
>> from the address map of all processes (domains) which have it mapped. Note
>> that this logic is also needed for demand paging.
>
> I'd find a claim of memory-safety quite dubious in the circumstances
> you describe.
>
> * Can the mapped region of memory be reused without risk of old
> references to the region illegally becoming 'valid' yet point to a new
> region (likely of a new type) reusing old memory? Or do you actually
> manage to invalidate all old references to the now-unmapped region (as
> is necessary for memory-safety)?
There will still be pointers to the now-unmapped virtual address region
in any domains that had it mapped. The physical memory can certainly be
reused safely by the kernel. Whether the virtual address regions can be
reused safely depends on the code running in each domain; it would have
to respond appropriately to the protection fault that occurs on access
to an unmapped virtual address. That would depend on support from the
language implementation running in each domain (if it is running code in
a high-level language).
> * Memory-safety suggests that there are no undefined operations, but
> the system you describe essentially means that operations on memory
> can become invalid at any arbitrary point in any process that has it
> mapped. I suspect this would violate safety guarantees the processes
> might otherwise possess when working with concurrency.
Yes, that's a significant concern.
>> > Without actually having performed a careful analysis, it seems to me that
>> > garbage collection is likely a lot more expensive than the above logic.
The performance characteristics are quite different for systems based on
hardware memory protection vs those based on language-level security; it
doesn't make sense to lump them together when considering the performance
of reference invalidation relative to GC.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
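Added example, not from this thread or any of its authors: a C program (assuming Linux/glibc `mmap`, `munmap` and `sigaction`) that acts out the scenario discussed above. A stale pointer into an unmapped page raises a protection fault, which a handler (standing in for the language-runtime support mentioned in the reply) turns into an error value; once the same virtual range is reused for a new object, the same stale pointer silently reads the new object. The names `dangling_reference_demo` and `guarded_read` are the example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_count = 0;

/* Protection-fault handler: the "support from the language implementation"
 * the post mentions. Record the fault and unwind to whoever armed fault_env. */
static void on_fault(int sig) {
    (void)sig;
    fault_count++;
    siglongjmp(fault_env, 1);
}

/* Read *p under the handler. Returns the value, or -1 if the access faulted. */
static int guarded_read(volatile int *p) {
    if (sigsetjmp(fault_env, 1) != 0)
        return -1;                       /* arrived here via siglongjmp */
    return *p;
}

/* The scenario from the thread (assumes Linux/POSIX mmap and sigaction):
 *  1. a domain maps a page and keeps a reference into it,
 *  2. the page is unmapped ("deleted") while the reference survives,
 *  3. the same virtual range is reused for a new object.
 * Stores what the stale reference sees at steps 2 and 3; returns 0 on success. */
int dangling_reference_demo(int *after_unmap, int *after_reuse) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;            /* we never return normally from the handler */
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return 1;
    long page = sysconf(_SC_PAGESIZE);
    int *old = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (old == MAP_FAILED) return 2;
    old[0] = 0x1111;                     /* the object the reference legitimately names */
    if (munmap(old, page) != 0) return 3;
    *after_unmap = guarded_read(old);    /* step 2: protection fault, reported as -1 */
    int *reused = mmap(old, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (reused != old) return 4;
    reused[0] = 0x2222;                  /* a different object now lives at that address */
    *after_reuse = guarded_read(old);    /* step 3: stale reference "works" again */
    munmap(reused, page);
    return 0;
}
```

The second read is the case the quoted objection is about: nothing in the hardware mechanism tells the domain that its old reference now names a different object, so whatever invalidates or checks references has to live in the domain's own runtime.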