on GUIs and such things

Mark S. Miller markm@caplet.com
Mon, 24 Jul 2000 22:28:03 -0700


At 02:20 PM 7/24/00 , Norman Hardy wrote:
>Yet another problem is where I allocate storage and send you a capability
>to the behavior implemented in that storage. There comes a time that I know
>that the capability that I sent you is useless and yet I cannot reclaim my
>storage. See <http://www.mediacity.com/~norm/CapTheory/Language/Lunch.html>
>for a concrete example.
>
>Keykos space-banks provide tools to find and easily work around these problems.

E has both garbage collection and KeyKOS/Joule inspired forcible 
reclamation.  In E, the unit of forcible reclamation is the vat -- a vat as 
a whole may be forcibly destroyed, reclaiming all of the space taken up by 
all the objects hosted by that vat.  Ideally, the creator of a vat would 
also provide a space bank to fund its memory usage along with a meter to 
fund its cpu usage.  In both cases, ideally, a keeper would be invoked, 
KeyKOS style, when the vat exhausted its resource budget.  

(Realistically, while E sits on top of the Java Virtual Machine, we may not 
be able to achieve these ideals.  We may be able to budget space per Java 
process, which would be equivalent if you ran one vat per process.  We might 
be able to budget time per vat, as there's one Java Thread per vat, and Java 
usually maps its Threads to the OS's threads.)

So why is the vat the unit of forcible destruction?  Because the vat is 
already the unit of partial failure.  E programs must treat inter-vat pointers 
as fail-stop rather than reliable anyway, in order to deal with network 
partition.  Forcible vat destruction is something that might happen either 
intentionally or unintentionally.  If a vat's clients are prepared for its 
unintentional destruction, then they can cope with its intentional 
destruction without additional effort.

Implementationally, this allows all intra-vat pointers to simply be hard 
pointers that don't pay the price to cauterize the dangling references that 
would happen if the object they pointed to was forcibly deallocated.  The 
KeyKOS/EROS counter hack for cauterizing capabilities is cheap by OS 
standards, but would be horribly expensive if applied in a programming 
language to all object invocations. Our inter-vat pointers already pay all 
the overheads needed to cauterize dangling references, so we may as well 
make our cuts only at vat boundaries.


         Cheers,
         --MarkM
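A toy model of the argument above (vat as the unit of partial failure, so clients written for partition also cope with forcible destruction), added here as an illustration; it is not E's implementation, and the `Vat`, `FarRef` and `Counter` names are invented for the example:

```python
"""Toy model of E-style vats: intra-vat references are plain Python
references with no per-call check, while inter-vat ("far") references are
proxies that check the target vat's availability on every invocation.
Constructed illustration; not the E runtime."""


class BrokenReference(Exception):
    """Raised when a far reference's target vat is gone or unreachable."""


class Vat:
    def __init__(self, name):
        self.name = name
        self.reachable = True      # cleared to simulate a network partition
        self._hosted = {}          # id -> object: hard pointers inside the vat

    def host(self, obj):
        self._hosted[id(obj)] = obj
        return obj                 # intra-vat callers get the bare object

    def far_ref(self, obj):
        return FarRef(self, id(obj))

    def destroy(self):
        """Forcible reclamation: every hosted object goes away at once."""
        self._hosted.clear()


class FarRef:
    """Inter-vat proxy; it already pays the availability check, so no
    per-object cauterization is needed inside the vat."""
    def __init__(self, vat, oid):
        self._vat, self._oid = vat, oid

    def call(self, method, *args):
        target = self._vat._hosted.get(self._oid)
        if target is None or not self._vat.reachable:
            raise BrokenReference(f"vat {self._vat.name!r} unavailable")
        return getattr(target, method)(*args)


class Counter:
    def __init__(self):
        self.n = 0

    def bump(self):
        self.n += 1
        return self.n


def use_remote(ref):
    """Client code written once for partition covers destruction for free."""
    try:
        return ("ok", ref.call("bump"))
    except BrokenReference:
        return ("broken", None)


def demo():
    alpha = Vat("alpha")
    far = alpha.far_ref(alpha.host(Counter()))   # held by another vat
    out = [use_remote(far)]                      # ("ok", 1)
    alpha.reachable = False                      # unintentional: partition
    out.append(use_remote(far))                  # ("broken", None)
    alpha.reachable = True
    out.append(use_remote(far))                  # ("ok", 2)
    alpha.destroy()                              # intentional: reclamation
    out.append(use_remote(far))                  # ("broken", None)
    return out
```

Both failure modes reach the client through the same `BrokenReference` path, which is the point of making cuts only at vat boundaries.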