on GUIs and such things
Mark S. Miller
Mon, 24 Jul 2000 22:28:03 -0700
At 02:20 PM 7/24/00, Norman Hardy wrote:
>Yet another problem is where I allocate storage and send you a capability
>to the behavior implemented in that storage. There comes a time that I know
>that the capability that I sent you is useless and yet I cannot reclaim my
>storage. See <http://www.mediacity.com/~norm/CapTheory/Language/Lunch.html>
>for a concrete example.
>Keykos space-banks provide tools to find and easily work around these problems.

E has both garbage collection and KeyKOS/Joule-inspired forcible
reclamation. In E, the unit of forcible reclamation is the vat -- a vat as
a whole may be forcibly destroyed, reclaiming all of the space taken up by
all the objects hosted by that vat. Ideally, the creator of a vat would
also provide a space bank to fund its memory usage along with a meter to
fund its cpu usage. In both cases, ideally, a keeper would be invoked,
KeyKOS style, when the vat exhausted its resource budget.

(Realistically, while E sits on top of the Java Virtual Machine, we may not
be able to achieve these ideals. We may be able to budget space per Java
process, which would be equivalent if you ran one vat per process. We might
be able to budget time per vat, as there's one Java Thread per vat, and Java
usually maps its Threads to the OS's threads.)

So why is the vat the unit of forcible destruction? Because the vat is
already the unit of partial failure. E programs must treat inter-vat pointers
as fail-stop rather than reliable anyway, in order to deal with network
partition. Forcible vat destruction is something that might happen either
intentionally or unintentionally. If a vat's clients are prepared for its
unintentional destruction, then they can cope with its intentional
destruction without additional effort.

Implementationally, this allows all intra-vat pointers to simply be hard
pointers that don't pay the price to cauterize the dangling references that
would happen if the object they pointed to was forcibly deallocated. The
KeyKOS/EROS counter hack for cauterizing capabilities is cheap by OS
standards, but would be horribly expensive if applied in a programming
language to all object invocations. Our inter-vat pointers already pay all
the overheads needed to cauterize dangling references, so we may as well
make our cuts only at vat boundaries.
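The argument above, as an added toy model that is not E's own code (all class and function names here are invented for illustration): objects inside a vat are held by plain references, an inter-vat reference goes through a proxy that fails cleanly once its vat is gone, and a space bank's keeper reclaims the whole vat when its budget is exhausted, so the client's existing partition-handling path covers intentional destruction, unintentional destruction and resource exhaustion alike.

```python
from contextlib import suppress
class VatDestroyed(Exception):
    """An inter-vat reference was used after its vat was reclaimed."""

class SpaceBank:  # funds one vat's memory; calls the keeper when it runs out
    def __init__(self, budget, keeper):
        self.budget, self.keeper = budget, keeper
    def allocate(self, units, vat):
        if units > self.budget:
            self.keeper(vat)               # keeper policy: here, destroy the vat
            raise VatDestroyed(vat.name)
        self.budget -= units

class Vat:  # the unit of partial failure and of forcible reclamation
    def __init__(self, name, bank):
        self.name, self.bank, self.objects, self.alive = name, bank, {}, True
    def host(self, key, size, behaviour):
        self.bank.allocate(size, self)
        self.objects[key] = behaviour      # intra-vat: a plain hard pointer
        return FarRef(self, key)
    def destroy(self):
        self.alive = False
        self.objects.clear()               # reclaim every hosted object at once

class FarRef:  # inter-vat reference: fail-stop, never dangles into freed storage
    def __init__(self, vat, key):
        self.vat, self.key = vat, key
    def send(self, *args):
        if not self.vat.alive:
            raise VatDestroyed(self.vat.name)
        return self.vat.objects[self.key](*args)

def client_call(ref, *args):  # a client already written for partition: None = vat gone
    try:
        return ref.send(*args)
    except VatDestroyed:
        return None

def demo():
    alice = Vat("alice", SpaceBank(budget=10, keeper=lambda v: v.destroy()))
    adder = alice.host("adder", size=4, behaviour=lambda a, b: a + b)
    before = client_call(adder, 2, 3)      # 5
    alice.destroy()                        # intentional destruction
    after = client_call(adder, 2, 3)       # None, same path as an unintended crash
    bob = Vat("bob", SpaceBank(budget=5, keeper=lambda v: v.destroy()))
    counter = bob.host("counter", size=4, behaviour=lambda n: n + 1)
    with suppress(VatDestroyed):
        bob.host("hog", size=4, behaviour=lambda: None)   # exhausts bob's bank
    exhausted = client_call(counter, 1)    # None: the keeper reclaimed bob
    return before, after, exhausted
```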