[FoRK] kragen rides again-
Dave Long <
dave.long at bluewin.ch
> on >
Sat Nov 4 04:55:53 PST 2006
>> Jim Gray's argument is that as cycle times get tighter, the sharing
>> horizon shrinks dramatically...
> Didn't he work at Tandem in the 80s?
Yes, back when the company coffee mugs came with redundant handles.
>> From time to time I wonder what a non-single-level capability system
>> should look like. I'd imagine that with suitable journaling, it'd
>> be fair enough to just toss stale pages -- it might well be cheaper
>> to reconstruct the odd page that eventually turned out not to have
>> been garbage after all.
> Reconstruct them how?
By replaying the log against the last version that made it to store.
Here's where it gets very handwavy: the normal reasoning for
single-level store in a capability system is that the transitive aspect
of the capabilities is precomputed and cached, so if the cache values
are corrupted, who knows whether isolation still holds? Hence,
normally the kernel should be expected to go to a great deal of
checkpointing to ensure that inconsistent states never make it to disk.
(IIRC, the disk channel could be kept pegged during operation)
But maybe this is a feature and not a bug: we don't need to really
restore nodes to their most recently written physical state, only to
their most recently written logical state. Here, could containment
prove to be a feature? The more information that's hidden, the more
ways we have to physically instantiate a given logical state, and the
fewer log entries we need to guarantee we can restore that state. In
the extreme, suitably confined Domains could be identified as functions
and rerun from scratch on their inputs if necessary.
More information about the FoRK