[coyotos-dev] Explicit Persistence Considered Harmful

Charles Landau clandau at macslab.com
Mon Aug 18 22:06:26 CDT 2008

Jonathan S. Shapiro wrote:
> By "explicit persistence", I mean the type of persistence in which
> programs write things down explicitly. This is the type of persistence
> used in (e.g.) UNIX.
> By "implicit persistence", I mean the type of persistence used in
> KeyKOS, EROS, Coyotos, and CapROS. This includes the state of active
> processes.

I think there are two independent concepts here.

(a) Whether (1) persistence happens for everything at once, so the 
system state is consistent, or (2) persistence is requested for 
different objects at different times.

(b) Whether active processes (1) can be persistent or (2) can't.

Probably (a1) implies (b1).

> 1. The main high-level advantage to persistence is the ability to
> organize applications into multiple, cooperating programs. In the event
> of system failure, these programs have no need to re-coordinate their
> state.
> 2. Capability safety requires that one maintain a type partition between
> data and capabilities. If persistence is not implicit, then capabilities
> that reference server-implemented objects 

If you count the kernel as a server, then I think all objects are 

> are effectively severed by restart. 

Perhaps you mean, the capabilities must be severed to avoid an 
inconsistent state. This is the implication of concept (a).

Or perhaps you mean, because the server is not persistent, its objects 
aren't either. But it's possible in some implementation for the server 
to be persistent, but not implicitly so. This is the implication of 
concept (b).

> This means that:
>   a) Some form of file system comes to be required, or
>   b) Some form of re-connection protocol implemented by a trusted
>      service becomes necessary.
> Neither is impossible, but both are complex and awkward.

I think a file system is not sufficient, unless it includes an access 
control system, which is in effect a re-connection protocol.

More importantly, it means that persistent objects are effectively 
limited to those types known to the re-connection protocol.

> 1. It is exceptionally hard to implement "notify on last close"
> semantics. 

Possibly, but I'm not convinced this is a consequence of implicit 

More information about the coyotos-dev mailing list