On Fri, 2003-12-05 at 09:52, Marcus Völp wrote:
> Jonathan wrote:
> > Note that "B can ask A to map to C" may not be possible -- B may not have any permission to perform an IPC to A. For example, A may be a fault handler that can be accessed by B only for page faults, but not directly via arbitrary IPCs -- the reason for such a restriction would be to prevent B from sending hostile messages to the fault handler.
> Faults are just messages, so to get the page from A as a result of a page fault, the fault has to be sent to A, either directly by B or by some intermediates such as a region mapper. So this line could as well be used to demand the mapping to be established to C. The only way this does not work is when B awaits a mapping from anyone and A by chance sends this mapping. This however is a very strange situation, isn't it?
> By the way, we are now discussing off the mailing list. Jean also told me that your discussion with him went off the list at some point...
My apologies -- the EROS lists munge reply-to, and I'm having to get used to saying "reply to all" again.
I may have unintentionally tripped over an architecture difference between EROS and L4. In case it is revealing, let me explain it.
In EROS, a memory region has a designated fault handler. This is not exactly the same as L4 tasks. Rather, imagine that each entry in the L4 GPT could optionally specify a fault handler (a thread) to handle that subspace.
Because EROS has this arrangement, it is possible that an address space will hold a fault handler capability that the client application does NOT hold. In this case, the only fault messages that will arrive at the fault handler are those initiated by the kernel in response to load and store instructions.
I do not understand adequately how memory fault handling is structured in L4, but if thread descriptors are ever virtualized I suspect that L4 will have the same possibility.
shap
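The arrangement shap describes, as an added toy model that is not code from the thread or from EROS: the address-space region holds the fault-handler capability while the client thread does not, so a direct IPC from B to A is refused but a kernel-delivered page fault still reaches A. Thread names A, B, C and the region addresses are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Cap:
    """Unforgeable capability naming a thread; only a holder may IPC to it."""
    thread: str

@dataclass
class Thread:
    caps: set = field(default_factory=set)     # capabilities this thread holds
    inbox: list = field(default_factory=list)  # messages it has received

@dataclass
class Region:
    base: int
    size: int
    handler: Optional[Cap] = None  # held by the address space, not necessarily the client

class Kernel:
    def __init__(self):
        self.threads: dict = {}
        self.regions: list = []

    def ipc(self, sender: str, target: Cap, msg: str) -> bool:
        """Arbitrary user-level IPC: refused unless the sender holds the capability."""
        if target not in self.threads[sender].caps:
            return False
        self.threads[target.thread].inbox.append(("ipc", sender, msg))
        return True

    def touch(self, client: str, addr: int) -> str:
        """A load/store by client: on a fault the kernel, using the region's
        handler capability rather than anything the client holds, delivers
        the fault message to the handler."""
        for r in self.regions:
            if r.base <= addr < r.base + r.size:
                if r.handler is None:
                    return "no-handler"
                self.threads[r.handler.thread].inbox.append(("fault", client, addr))
                return "fault-delivered"
        return "unmapped"

def demo():
    k = Kernel()
    k.threads = {"A": Thread(), "B": Thread(), "C": Thread()}
    # Constructed layout: the region names A as its handler; B holds no cap to A.
    k.regions.append(Region(base=0x1000, size=0x1000, handler=Cap("A")))
    direct = k.ipc("B", Cap("A"), "hostile message")  # refused: B lacks the cap
    fault = k.touch("B", 0x1800)                      # kernel-originated fault reaches A
    return direct, fault, list(k.threads["A"].inbox)
```

The only message A ever sees from B is the kernel-generated fault, which is exactly the restriction the thread discusses.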
l4-hackers@os.inf.tu-dresden.de