At Tue, 14 Jun 2005 20:33:37 +0200, Bernhard Kauer kauer@os.inf.tu-dresden.de wrote:
The second example was the reference counter, which is the more important one! The above example you give is just the basic example, while the reference counter shows the bigger problem.
No, the answer for the reference counter problem is simple: cooperation.
Just as reminder:
Situation: S -> C -> (1 reference) A -> B
Goal: /-> (1 reference) A S-> C -> (1 reference) B
In the start situation A is trusted by B to provide the endpoint to S. Since A could unmap this endpoint everytime.
Therefore B can ask A for a new reference. Since A can not provide this service, it asks C and attaches a [1] return endpoint to B in its message.
C answers directly to B and maps them a new reference.
This protocol requires that the receiver of the capability, in this case B, makes a blocking call to the sender, in this case A. But in many cases B does not trust A enough to block indefinitely until A does the right thing. For example, in the case where a client wants to submit a capability reference to a server (let's say a name server).
So, this protocol requires too much cooperation/trust.
A transparent interpose of different endpoints with a single one is otherwise not possible.
This just shows that reintroducing global IDs through the backdoor is ill-advised.
What are the global IDs? We do not have one.
Well, if you restrict the cmp() operation to the holder of the receive right, than indeed there are no global IDs. I did not make the distinction clear, sorry. But this means that you can not identify capabilities you don't provide (hold the receive right for), and I (still) consider this to be insufficient.
If cmp() is unrestricted, it is possible to make distinctions between capabilities on a global scale (which means you could assign IDs to capabilities which are globally meaningful, which tantamounts to having global IDs, even if there are no actual IDs assigned). I think we agree it is an undesirable side effect; this has lead you to the conclusion that cmp() must be restricted, thereby making it less useful.
Thanks, Marcus