Introducing a cmp() operation

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Jun 14 23:30:39 CEST 2005 

At Tue, 14 Jun 2005 20:33:37 +0200,
Bernhard Kauer <kauer at os.inf.tu-dresden.de> wrote:
> 
> > The second example was the reference counter, which
> > is the more important one!  The above example you give is just the
> > basic example, while the reference counter shows the bigger problem.
> 
> No, the answer for the reference counter problem is simple: cooperation.
>
> Just as reminder:
> 
> Situation:  S -> C -> (1 reference) A -> B
>     
> Goal:             /-> (1 reference) A
>             S-> C
> 	          \-> (1 reference) B
> 
> 1. In the start situation A is trusted by B to provide the endpoint to S.
>    Since A could unmap this endpoint everytime.
> 
> 2. Therefore B can ask A for a new reference. Since A can not provide this
>    service, it asks C and attaches a [1] return endpoint to B in its message.
> 
> 3. C answers directly to B and maps them a new reference.

This protocol requires that the receiver of the capability, in this
case B, makes a blocking call to the sender, in this case A.  But in
many cases B does not trust A enough to block indefinitely until A
does the right thing.  For example, in the case where a client wants
to submit a capability reference to a server (let's say a name
server).

So, this protocol requires too much cooperation/trust.

> > > A transparent interpose of different endpoints with a
> > > single one is otherwise not possible. 
> > 
> > This just shows that reintroducing global IDs through the backdoor is
> > ill-advised.
> 
> What are the global IDs? We do not have one.

Well, if you restrict the cmp() operation to the holder of the receive
right, than indeed there are no global IDs.  I did not make the
distinction clear, sorry.  But this means that you can not identify
capabilities you don't provide (hold the receive right for), and I
(still) consider this to be insufficient.

If cmp() is unrestricted, it is possible to make distinctions between
capabilities on a global scale (which means you could assign IDs to
capabilities which are globally meaningful, which tantamounts to
having global IDs, even if there are no actual IDs assigned).  I think
we agree it is an undesirable side effect; this has lead you to the
conclusion that cmp() must be restricted, thereby making it less
useful.

Thanks,
Marcus

More information about the l4-hackers mailing list