> … but points to a general use case: One of the attractions of clean object capability models is that any operation can be transparently virtualised. If an original cap can be derived, but a derived one cannot, then this breaks transparency at some point.

I can't see the relationship between derivation and virtualisation of object invocation? A level of indirection can be obtained by substitution of a real object reference and a "virtual" object reference. It's the length of chains of delegation that we have compromised on, more specifically control of the scope of revocation of delegation.

> There's the old saying that in CS there are only three valid constants: zero, one and infinity. We have a two in there, which clearly smells badly.

I thought that is what I implied. We have two valid constants and no invalid ones :-)

The addition of infinity is what one wants in the ideal. Though I'd argue that if you can design your user-level system to only need zero and one, one can avoid taking the space hit for infinity in the kernel.

The move to 64-bit may actually free up enough space in caps to implement an infinity, which would be pretty compelling if it came for "free".

- Kevin

_______________________________________________
Devel mailing list
[email protected]
https://sel4.systems/lists/listinfo/devel
