[E-Lang] MintMaker with ACLs

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 01 Feb 2001 10:18:43 -0500

Tyler Close wrote:
> > Can this be addressed by using cooperating processes for
> > these patterns,
> > with remote procedure calls for the callbacks?  In this way we limit
> > the ownership rights from spreading into subroutines.
> Yes, this would work. This solution would require that every principal
> in the application have its own process and that all communication
> between principals take place through RPC... Are you proposing a system
> in which it is easy and
> efficient to spawn new processes and do synchronous RPC? It seems
> unlikely that this will fit as naturally with the function call
> support of a typical CPU.

Oh indeed. EROS is decidedly unnatural. It does, however, seem to work
fairly well. :-)

> > > It is very dangerous to pass messages between UIDs when
> > those messages
> > > may contain objects that can be used as designators.

Indeed. Actually, I think it may be useful to restate this a little more
precisely: designators have *transitive* consequences, while data is
immediate. If data is passed, the recipient either gets the data or
doesn't get the data. If descriptors are passed, the recipient gets the
transitive closure of state reachable by combining the new descriptor
with any descriptors that they already hold. My dissertation devoted a
chapter to modeling this, but the reader's digest synopsis is that
transitive consequences are much more subtle than they appear.