On Sun, 2005-10-23 at 20:33 +0200, Marcus Brinkmann wrote:
> At Sun, 23 Oct 2005 13:25:33 -0400,
> "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> >
> > On Sat, 2005-10-22 at 12:39 +0200, Marcus Brinkmann wrote:
> > > That's not a bad counter-example. Except that in the Hurd/L4 design,
> > > swapping is voluntary and explicit.
> >
> > What happens when you run out of physical pages and you want to start a
> > new process? Given that the vast majority of processes are untrusted,
> > how to you guarantee that they give up storage?
>
> Well, those are good questions, and we didn't find a satisfactory
> answer yet.
>
> Neal's idea was that the guaranteed physical memory contingent that a
> process (or user) receives is negotiated in a long-term contract,
> which periodically must be renegotiated. At renegotiation time, the
> process gets a chance to swap pages out to disk. After this chance
> passed, pages may be revoked forcefully.
>
> Renegotiation of resources could for example handled with a
> market-model.
I am somewhat amused. The foundational papers on this sort of thing are
the ones published in a collection edited by B.A. Huberman entitled "The
Ecology of Computation". Regrettably, it is now out of print, but the
three most important papers can be found at:
http://www.agorics.com/Library/agoricpapers.html
Mark Miller is currently simulating a PhD student in my lab.
The bad news: what you propose, in essence, is that all of the processes
in the system should get together and communicate periodically to
renegotiate their needs on a presumptively friendly basis. The entire
approach just doesn't work in a world where hostile programs are a
reality.
shap
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
