[coyotos-dev] Explicit Persistence Considered Harmful

Jonathan S. Shapiro shap at eros-os.com
Mon Aug 18 22:18:12 CDT 2008


On Mon, 2008-08-18 at 20:06 -0700, Charles Landau wrote:
> > 2. Capability safety requires that one maintain a type partition between
> > data and capabilities. If persistence is not implicit, then capabilities
> > that reference server-implemented objects 
> 
> If you count the kernel as a server, then I think all objects are 
> server-implemented.

Yes. In the context of this discussion, the kernel is not a server.

> > are effectively severed by restart. 
> 
> Perhaps you mean, the capabilities must be severed to avoid an 
> inconsistent state. This is the implication of concept (a).

Not so. I mean: are necessarily severed. In non-implicit persistence,
names of objects are not durable across restart except by invocation of
some sort of reconnection protocol.

> Or perhaps you mean, because the server is not persistent, its objects 
> aren't either. But it's possible in some implementation for the server 
> to be persistent, but not implicitly so. This is the implication of 
> concept (b).

Yes. But in a non-implicit persistence mechanism, the server and the
client must together make provision for re-establishment of
connectivity.

> > This means that:
> > 
> >   a) Some form of file system comes to be required, or
> >   b) Some form of re-connection protocol implemented by a trusted
> >      service becomes necessary.
> > 
> > Neither is impossible, but both are complex and awkward.
> 
> I think a file system is not sufficient, unless it includes an access 
> control system, which is in effect a re-connection protocol.

Yes. I probably should have written "an object system".

> > 1. It is exceptionally hard to implement "notify on last close"
> > semantics. 
> 
> Possibly, but I'm not convinced this is a consequence of implicit 
> persistence.

I believe that it is. The problem is that it is very difficult to know
when the last on-disk capability to an object disappears without disk
GC. The problem arises primarily because the object graph in all KeyKOS
derivatives may contain cycles.


shap
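As an added illustration of the "notify on last close" point above (example code written for this page, not Coyotos or KeyKOS code, and not from the thread's authors): a toy persistent store in which objects hold capabilities to one another, with reference counting beside a reachability walk from a root set. The class `Store`, its `grant`/`revoke` operations, the object names and the root set are all constructed assumptions, not anything the kernel actually implements. The cycle A -> B -> C -> A loses its last capability from outside, yet no count reaches zero, so a refcount-driven "last close" never fires for those objects; only a mark phase from the roots finds them.

```python
"""Added illustration (not Coyotos or KeyKOS code): with reference
counts alone, the last on-disk capability reaching an object can vanish
without any count hitting zero when the capability graph has a cycle.
Only a reachability-based GC over the store finds such objects.
Object names, root set and slot contents below are constructed.
"""
from collections import defaultdict


class Store:
    """Toy persistent object store: objects hold capabilities to objects."""

    def __init__(self, objects, roots):
        self.objects = set(objects)
        self.roots = set(roots)              # stands in for checkpoint roots
        self.caps = defaultdict(set)         # holder -> targets it names
        self.refcount = defaultdict(int)     # target -> number of caps naming it
        self.last_close = []                 # refcount-driven "last close" events

    def grant(self, holder, target):
        """Store a capability to `target` in one of `holder`'s slots."""
        if target not in self.caps[holder]:
            self.caps[holder].add(target)
            self.refcount[target] += 1

    def revoke(self, holder, target):
        """Overwrite that slot; fire "last close" only if the count hits 0."""
        if target in self.caps[holder]:
            self.caps[holder].remove(target)
            self.refcount[target] -= 1
            if self.refcount[target] == 0:
                self.last_close.append(target)

    def reachable(self):
        """Mark phase of a disk GC: follow capabilities from the roots."""
        seen, work = set(), list(self.roots)
        while work:
            obj = work.pop()
            if obj in seen:
                continue
            seen.add(obj)
            work.extend(self.caps[obj])
        return seen

    def dead_by_refcount(self):
        """What a pure refcount scheme believes is unreferenced."""
        return {o for o in self.objects - self.roots if self.refcount[o] == 0}

    def dead_by_gc(self):
        """What a reachability GC finds unreferenced from the roots."""
        return self.objects - self.reachable()


def demo():
    s = Store(objects={"root", "A", "B", "C", "D"}, roots={"root"})
    s.grant("root", "A")
    s.grant("A", "B")
    s.grant("B", "C")
    s.grant("C", "A")        # cycle A -> B -> C -> A
    s.grant("root", "D")     # acyclic case for contrast

    s.revoke("root", "D")    # D's only cap gone: count hits 0, event fires
    s.revoke("root", "A")    # last cap into the cycle gone: counts stay > 0
    return {
        "last_close_events": list(s.last_close),
        "dead_by_refcount": s.dead_by_refcount(),
        "dead_by_gc": s.dead_by_gc(),
        "refcount_A": s.refcount["A"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the refcount path reporting only D as closed, while the reachability walk reports A, B, C and D as unreferenced from the roots; A still carries a count of 1 from C, which is exactly the situation in which "last close" cannot be delivered without a GC pass over the object graph.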