separation of weak and read-only
Jonathan S. Shapiro
Mon, 25 May 1998 15:16:20 -0400

Because EROS separates weak and read-only, a question arises about

When a process traverses a segment tree by means of a load
instruction, there are nodes whose state can be detected that the
process could not examine by means of equivalent node_copy()
operations. These nodes are rendered opaque by a containing red

This suggests that the load/store address traversal is semantically a
different operation from explicit traversal, which in turn raises the

If a process performs a node_copy via a node key marked weak, the
returned key is weakened and therefore is read-only.

If a process traverses a weak node key in a load/store operation,
should this be true? Is there value in allowing a process to write
into a weak segment while only being able to read weak capabilities

Possibly relevant issues that I can see:

1. It *might* be useful.
2. Read-only behavior, if desired, can be achieved by setting the
   read-only bit. Given that this is true, perhaps the more
   flexible semantics should be permitted.
3. Copy and load/store traversal are, formally, different
4. Disallowing writes now and permitting them later will cause
   valid programs to change behavior without an error being
   raised. The reverse is not true: permitting writes now and
   changing our minds will cause previously valid programs to cease
   to be valid and to signal an access violation.

I am therefore inclined to make another behavioral distinction
between load/store and node_copy in this case.

The pragmatically useful case I can see is wanting to give a process
access to a segment while still knowing that it cannot load new
authority from that segment.

What have I missed?
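
The two candidate rules from the message above, as a toy model added here for illustration; it is not part of the original post and not EROS code. The attribute bits, the `Key` struct and every function name except `node_copy` are assumptions, and `cap_load` assumes that a capability loaded through a weak path comes back weakened under either rule.

```c
/* Toy model, not EROS code: bit layout and names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { ATTR_RO = 1u, ATTR_WEAK = 2u };   /* hypothetical attribute bits */
typedef struct { unsigned attrs; } Key;  /* a key reduced to its attributes */

/* Weakening as the message states it: a weakened key is also read-only. */
static Key weaken(Key k) { k.attrs |= ATTR_WEAK | ATTR_RO; return k; }

/* Explicit traversal: a slot copied out through a weak node key is weakened. */
Key node_copy(Key via, Key slot)
{
    return (via.attrs & ATTR_WEAK) ? weaken(slot) : slot;
}

/* OR together the attributes of every key on a load/store path. */
static unsigned path_attrs(const Key *path, size_t n)
{
    unsigned a = 0;
    while (n--) a |= path[n].attrs;
    return a;
}

/* Data store through the path. weak_implies_ro=true mirrors node_copy;
   false is the separated rule: only the read-only bit blocks writes. */
bool store_allowed(const Key *path, size_t n, bool weak_implies_ro)
{
    unsigned a = path_attrs(path, n);
    if (a & ATTR_RO) return false;
    return !(weak_implies_ro && (a & ATTR_WEAK));
}

/* Capability load (assumed behaviour): a weak key anywhere on the path
   means the loaded key is weakened, whichever store rule is chosen. */
Key cap_load(const Key *path, size_t n, Key stored)
{
    return (path_attrs(path, n) & ATTR_WEAK) ? weaken(stored) : stored;
}

int main(void)
{
    Key path[] = { {0}, {ATTR_WEAK}, {0} };   /* constructed sample path */
    printf("separated store=%d coupled store=%d loaded attrs=%u\n",
           store_allowed(path, 3, false), store_allowed(path, 3, true),
           cap_load(path, 3, (Key){0}).attrs);
    return 0;
}
```

With the separated rule the sample path is writable for data yet still yields only weakened keys, which is the useful case described at the end of the message; setting the read-only bit blocks the store under both rules.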