resume capabilities
Bill Frantz
frantz@communities.com
Thu, 30 Dec 1999 10:26:11 -0800
At 11:43 AM 12/30/1999 -0500, Kragen Sitaker wrote:
>As far as I can tell, there are two ways to initiate bidirectional
>communication with another process:
>- call it and wait for it to return;
>- send to it, then return to somebody, and wait for it to call or send to
>you.
>
>Does this mean I must trust every process I communicate bidirectionally
>with not to let me hang forever? Or is it expected that I will use
>trusted intermediaries, or spawn off another process to call me or send
>to me after a while in case I'm hung?

This problem is not unique to EROS-like systems. As far as I know, an
analog exists in all programming systems. In general you can divide the
things you call into three categories:

(1) Ones you trust not to hang you.
(2) Ones you don't trust, but must depend on anyway.
(3) Ones that may hang you.

In case 1, you don't have a problem. How you gain the necessary trust is a
difficult problem. In the KeyKOS manual, we attempted to document the
behavior of objects which could be trusted by describing them as "prompt".
Of course, programs don't always behave according to their specifications. :-)

In case 2, you are between a rock and a hard place. You should probably
document your object as being as prompt as the objects you must depend on.

In case 3, you need a trusted intermediary to handle the "no return" case.
Exactly how you handle that case is application dependent.

>Maybe it's premature to be worrying about stuff like this when the OS
>doesn't run Emacs yet.

This kind of trust is so basic, I think you have to consider it from the
very beginning.

Bill Frantz, Communities.com, Capability Security Guru
frantz@communities.com
"Home pages are passe', everybody's building a palace" - Time Magazine
www.thepalace.com, www.onlive.com, www.communities.com
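
Case 3 from the message above, as an added sketch that is not code from this post or from EROS/KeyKOS: a Python model in which a trusted intermediary races the untrusted callee against a timer for a one-shot reply slot, so the caller is always resumed. `Resume`, `call_via_intermediary` and the sample services are hypothetical names, threads stand in for processes, and the one-shot behaviour of the reply slot is an assumption of this model.

```python
import threading


class Resume:
    """One-shot reply slot: the first invoke() wins, later ones are dropped."""

    def __init__(self):
        self._lock = threading.Lock()
        self._done = threading.Event()
        self._result = None

    def invoke(self, status, value=None):
        with self._lock:
            if self._done.is_set():
                return False  # already consumed, e.g. a reply after the deadline
            self._result = (status, value)
            self._done.set()
            return True

    def wait(self):
        self._done.wait()
        return self._result


def call_via_intermediary(callee, arg, deadline_s):
    """Trusted intermediary: the caller is resumed by the callee or by the timer."""
    resume = Resume()

    def run_callee():
        try:
            resume.invoke("ok", callee(arg))
        except Exception as exc:  # a faulting callee must not hang the caller
            resume.invoke("fault", repr(exc))

    threading.Thread(target=run_callee, daemon=True).start()
    timer = threading.Timer(deadline_s, resume.invoke, args=("no-return",))
    timer.daemon = True
    timer.start()
    result = resume.wait()
    timer.cancel()
    return result


def prompt_service(x):   # constructed sample: category 1, always returns
    return x * 2


def hanging_service(x):  # constructed sample: category 3, never returns
    threading.Event().wait()
```

The hung thread is abandoned rather than reclaimed; what happens to the callee after a "no-return" is the application-dependent part.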