l4-hurd

Re: problems with hierarchy: L4 pagers


From: Neal H. Walfield
Subject: Re: problems with hierarchy: L4 pagers
Date: Mon, 17 Oct 2005 21:44:54 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Sat, 08 Oct 2005 16:27:57 -0400,
Jonathan S. Shapiro wrote:
> In fact, there is a hierarchy problem in L4.x2 today in the memory
> manager. Consider two processes A, B with respective pagers A', B'. Now:
> 
>       A' maps to A
>       A maps to B
>       A' revokes
>       B' knows nothing and cannot reconstruct the mapping.
> 
> This problem is now well-known by the L4 designers, and it is a direct
> consequence of using REVOCABLE COPY as the primitive operation. In every
> real system that has been constructed on top of L4.x2, the solution has
> been to require that either
> 
>       A' and B' are identical, or
>       A' and B' have a commonly trusted parent who knows how to
>         recover, or
>       The design is broken, so unmaps are not performed.
> 
> The current L4sec design will require that every capability interaction
> must use the same kinds of solutions.

A can only map to B if B accepts an IPC containing a map item.
That is, B always knows when someone maps to it and can inform B'
about such a mapping.  If B' doesn't trust B or if B' is unwilling to
accept this information this is not a problem: B can still create a
new thread (LB) and set it as its pager (B' cannot prevent this).
When a page fault occurs, LB looks up how to reconstruct the mapping.
If it doesn't have the required information, it simply propagates the
fault to B':

   B -page fault-> LB -fault propagation -> B'

Do you find this a reasonable solution?

Thanks,
Neal
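A small Python model of the exchange above, added here and not code from the thread or from any L4 kernel: revocable copies form a map tree that unmap prunes, and the interposed pager thread LB either rebuilds B's mapping from the map item it recorded or passes the fault up to B'. Task and page names are constructed, and the second fault (after A' has paged A in again) goes one step beyond the scenario in the message.

```python
class Mapping:                       # one page in a task's space; children hold revocable copies
    def __init__(self, source):
        self.source = source         # task that mapped it in; None for a pager's own memory
        self.children = []

class MapDB:                         # per-task page tables plus the map tree revocable copy implies
    def __init__(self):
        self.spaces = {}             # task -> {page: Mapping}
    def own(self, task, page):       # a pager backs the page from its own memory
        self.spaces.setdefault(task, {})[page] = Mapping(None)
    def has(self, task, page):
        return page in self.spaces.get(task, {})
    def map(self, src, dst, page):   # src sends a map item for page to dst
        if not self.has(src, page):
            return False             # a task can only map what it currently holds
        self.spaces.setdefault(dst, {})[page] = Mapping(src)
        self.spaces[src][page].children.append(dst)
        return True
    def revoke(self, task, page):    # unmap: drop every copy derived from task's mapping
        m = self.spaces[task][page]
        for child in m.children:
            self.revoke(child, page)
            del self.spaces[child][page]
        m.children.clear()

class LocalPager:                    # LB: the thread B installs as its own pager, in front of B'
    def __init__(self, db, owner, parent):
        self.db, self.owner, self.parent, self.seen = db, owner, parent, {}
    def accept_map(self, src, page): # B accepts a map item and tells LB where it came from
        if self.db.map(src, self.owner, page):
            self.seen[page] = src
    def handle_fault(self, page):    # B -page fault-> LB
        src = self.seen.get(page)
        if src is not None and self.db.map(src, self.owner, page):
            return f"reconstructed from {src}"
        return f"propagated to {self.parent}"   # LB -fault propagation-> B'

def scenario():                      # Shapiro's A'/A/B/B' case, then the fault again once A is paged in
    db = MapDB()
    db.own("A'", "p"); db.own("B'", "p")
    lb = LocalPager(db, "B", "B'")
    db.map("A'", "A", "p")           # A' maps to A
    lb.accept_map("A", "p")          # A maps to B; B records the map item in LB
    db.revoke("A'", "p")             # A' revokes: both A's and B's copies vanish
    first = lb.handle_fault("p")     # A holds nothing, so LB hands the fault to B'
    db.map("A'", "A", "p")           # A' has since paged A in again
    second = lb.handle_fault("p")    # LB rebuilds B's copy from its record
    return first, second, db.has("B", "p")
```

Note that B' never has to understand the A'/A subtree: LB consults only what B itself saw, and anything it cannot answer reaches B' as an ordinary page fault.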



