[coyotos-dev] Explicit Persistence Considered Harmful
clandau at macslab.com
Mon Aug 18 22:06:26 CDT 2008
Jonathan S. Shapiro wrote:
> By "explicit persistence", I mean the type of persistence in which
> programs write things down explicitly. This is the type of persistence
> used in (e.g.) UNIX.
> By "implicit persistence", I mean the type of persistence used in
> KeyKOS, EROS, Coyotos, and CapROS. This includes the state of active
I think there are two independent concepts here.
(a) Whether (1) persistence happens for everything at once, so the
system state is consistent, or (2) persistence is requested for
different objects at different times.
(b) Whether active processes (1) can be persistent or (2) can't.
Probably (a1) implies (b1).
> ADVANTAGES OF IMPLICIT PERSISTENCE
> 1. The main high-level advantage to persistence is the ability to
> organize applications into multiple, cooperating programs. In the event
> of system failure, these programs have no need to re-coordinate their
> 2. Capability safety requires that one maintain a type partition between
> data and capabilities. If persistence is not implicit, then capabilities
> that reference server-implemented objects
If you count the kernel as a server, then I think all objects are
> are effectively severed by restart.
Perhaps you mean, the capabilities must be severed to avoid an
inconsistent state. This is the implication of concept (a).
Or perhaps you mean, because the server is not persistent, its objects
aren't either. But it's possible in some implementation for the server
to be persistent, but not implicitly so. This is the implication of
> This means that:
> a) Some form of file system comes to be required, or
> b) Some form of re-connection protocol implemented by a trusted
> service becomes necessary.
> Neither is impossible, but both are complex and awkward.
I think a file system is not sufficient, unless it includes an access
control system, which is in effect a re-connection protocol.
More importantly, it means that persistent objects are effectively
limited to those types known to the re-connection protocol.
> DISADVANTAGES OF IMPLICIT PERSISTENCE
> 1. It is exceptionally hard to implement "notify on last close"
Possibly, but I'm not convinced this is a consequence of implicit
More information about the coyotos-dev