separation of weak and read-only

Jonathan S. Shapiro shap@eros.cis.upenn.edu
Mon, 25 May 1998 15:16:20 -0400


Because EROS separates weak and read-only, a question arises about
segment traversal.

When a process traverses a segment tree by means of a load
instruction, there are nodes whose state can be detected that the
process could not examine by means of equivalent node_copy()
operations.  These nodes are rendered opaque by a containing red
segment node.

This suggests that the load/store address traversal is semantically a
different operation from explicit traversal, which in turn raises the
following question:

If a process performs a node_copy via a node key marked weak, the
returned key is weakened and therefore is read-only.

If a process traverses a weak node key in a load/store operation,
should this be true?  Is there value in allowing a process to write
into a weak segment while only being able to read weak capabilities
from it?

Possibly relevant issues that I can see:

   1. It *might* be useful.
   2. Read-only behavior, if desired, can be achieved by setting the
      read-only bit.  Given that this is true, perhaps the more
      flexible semantics should be permitted.
   3. Copy and load/store traversal are, formally, different
      operations.
   4. Disallowing writes now and permitting them later will cause
      valid programs to change behavior without an error being
      raised.  The reverse is not true: permitting writes now and
      changing our minds will cause previously valid programs to cease
      to be valid and to signal an access violation.

I am therefore inclined to make another behavioral distinction
between load/store and node_copy in this case.

The pragmatically useful case I can see is wanting to give a process
access to a segment while still knowing that it cannot load new
authority from that segment.

What have I missed?


shap
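A toy model of the two traversal semantics the post contrasts, added here as an illustration and not EROS code: the Key/Node/Page types and the bit-inheritance rules are simplified assumptions. node_copy through a weak key returns a weakened, read-only key, while load/store traversal only honors the read-only bit, so a process can write data into a weak segment yet cannot extract any non-weak authority from it.

```python
from dataclasses import dataclass, replace


@dataclass
class Page:
    data: bytearray            # leaf of the segment tree: plain data, no keys


@dataclass
class Node:
    slots: list                # keys held in this node's slots


@dataclass(frozen=True)
class Key:
    target: object             # a Node or a Page
    weak: bool = False         # assumption: "no new authority through me"
    read_only: bool = False    # assumption: separate bit, as in the post


def weaken(key):
    # A key copied out through a weak key comes back weak and read-only.
    return replace(key, weak=True, read_only=True)


def node_copy(key, slot):
    """Explicit traversal: copy the key in `slot` of the node `key` names."""
    fetched = key.target.slots[slot]
    return weaken(fetched) if key.weak else fetched


def traverse(root, path):
    """Load/store traversal: the read-only bit is inherited down the path;
    the weak bit alone does not forbid a store (the more flexible semantics)."""
    key, read_only = root, root.read_only
    for slot in path:
        key = key.target.slots[slot]
        read_only = read_only or key.read_only
    return key.target, read_only


def load(root, path, offset):
    page, _ = traverse(root, path)
    return page.data[offset]


def store(root, path, offset, value):
    page, read_only = traverse(root, path)
    if read_only:
        raise PermissionError("store through read-only path")
    page.data[offset] = value


def build_segment():
    # Constructed sample tree: root -> leaf node -> one writable page.
    page = Page(bytearray(8))
    leaf = Node([Key(page)])
    return Node([Key(leaf)]), page
```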