By: Linus Torvalds (torvalds.delete@this.osdl.org), May 16, 2006 12:00 pm
rwessel (robertwessel@yahoo.com) on 5/16/06 wrote:
>So how do you feel about microkernel-ish single address
>space systems? Obviously the two are separate concepts,
>but it's always struck me that they'd work well together.

Yes. I think that you could potentially get many of the
advantages of both monolithic systems and microkernels
with a sparse 128-bit address space with random allocation
of resources.

However, in the flat version of that, I bet I'm not the
only one worrying about the combination of the statistical
nature of protection in such a system, along with the real
danger of stale pointers (you might not be able to guess a
pointer, but once you have one, you have it, and thus the
protection of hidden addresses is gone).

So then you get back to the notion of indirection (so that
you can revoke pointers and hide the permission bits inside
them) and essentially end up with segments (i.e. a pointer
ends up really being a combination of a lookup token -
"segment" - and offset).

The segmented model would work, and would have the advantage
of potentially helping debugging quite a bit. But you'd
need some serious hw resources for it, and while it's
a perfectly valid model for C (in fact, a lot of C
programmers would probably love to have variable-sized
segments to protect against walking over your allocations),
I don't think it's likely to happen.

The infrastructure costs would be prohibitive, and it's
very easy to do it wrong (i.e. to be useful, you'd have to
be able to efficiently create segments on-the-fly in user
space, and be able to pass them on to untrusted parties
that can't look them up - and you can't really limit the
number of active segments in hw).

>You get lots of little protection domains, but still
>allow easy sharing when needed.

That's the holy grail, but so far the only realistic
model I've seen discussed is the flat randomized 128-bit
virtual address space (which sounds realistic from a hw
perspective, but has some serious sw downsides).

Everybody who has ever done hardware segments has done
them seriously wrong in the past. Now, past performance may
not guarantee future returns, but it sure as hell is worth
thinking about ;)
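The "lookup token + offset" pointer the post sketches, modelled in software as an added example (this is not code from the post, from Linux, or from any real segmented hardware; the seg_* names, the table layout and the error codes are all invented here). The token itself carries no address and no permission bits: both live in a table entry, together with a generation number, so a segment can be revoked and a token that leaked to an untrusted party becomes useless the moment the slot is revoked or reused, which is exactly the stale-pointer problem the flat randomized address space cannot solve.

```c
/* Software model of a segment table with revocable, permission-carrying
 * tokens. Added illustration; every name here is invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_SLOTS 16u
#define PERM_R 1u
#define PERM_W 2u

enum { SEG_OK = 0, SEG_STALE = -1, SEG_PERM = -2, SEG_OOB = -3, SEG_FULL = -4 };

typedef struct {
    uint8_t *base;   /* backing memory; never exposed to the token holder */
    size_t   len;    /* variable-sized: bounds live here, not in the token */
    uint32_t perms;  /* PERM_R / PERM_W, also hidden from the token holder */
    uint32_t gen;    /* generation number; 0 marks a free slot */
} seg_entry;

typedef struct {
    uint32_t slot;   /* the lookup token ("segment") */
    uint32_t gen;    /* generation captured when the token was issued */
    size_t   off;    /* offset within the segment */
} seg_ptr;

static seg_entry seg_table[SEG_SLOTS];
static uint32_t  seg_next_gen = 1;   /* monotonic; a generation is never reissued */

/* Resolve a token. A revoked slot, or one reused for a new segment, carries
 * a different generation, so every old token for that slot fails here. */
static seg_entry *seg_lookup(seg_ptr p) {
    if (p.slot >= SEG_SLOTS) return NULL;
    seg_entry *e = &seg_table[p.slot];
    return (e->gen != 0 && e->gen == p.gen) ? e : NULL;
}

/* Create a segment over [base, base+len) "in user space" and issue a token. */
int seg_create(uint8_t *base, size_t len, uint32_t perms, seg_ptr *out) {
    for (uint32_t i = 0; i < SEG_SLOTS; i++) {
        if (seg_table[i].gen != 0) continue;
        seg_table[i] = (seg_entry){ base, len, perms, seg_next_gen++ };
        *out = (seg_ptr){ i, seg_table[i].gen, 0 };
        return SEG_OK;
    }
    return SEG_FULL;
}

/* Revoke: every outstanding token for this slot goes stale at once. */
int seg_revoke(seg_ptr p) {
    seg_entry *e = seg_lookup(p);
    if (!e) return SEG_STALE;
    memset(e, 0, sizeof *e);
    return SEG_OK;
}

/* Derive a token with a subset of the permissions, e.g. to hand to an
 * untrusted party. It aliases the same memory from a fresh slot: the holder
 * can neither widen it nor reach the original slot, and it is revocable on
 * its own. */
int seg_restrict(seg_ptr p, uint32_t perms, seg_ptr *out) {
    seg_entry *e = seg_lookup(p);
    if (!e) return SEG_STALE;
    if (perms & ~e->perms) return SEG_PERM;   /* no privilege amplification */
    return seg_create(e->base, e->len, perms, out);
}

/* Access checks in the order hardware would do them: valid, permitted, in bounds. */
int seg_load(seg_ptr p, uint8_t *out) {
    seg_entry *e = seg_lookup(p);
    if (!e) return SEG_STALE;
    if (!(e->perms & PERM_R)) return SEG_PERM;
    if (p.off >= e->len) return SEG_OOB;
    *out = e->base[p.off];
    return SEG_OK;
}

int seg_store(seg_ptr p, uint8_t v) {
    seg_entry *e = seg_lookup(p);
    if (!e) return SEG_STALE;
    if (!(e->perms & PERM_W)) return SEG_PERM;
    if (p.off >= e->len) return SEG_OOB;
    e->base[p.off] = v;
    return SEG_OK;
}

/* Walk the whole lifecycle; returns 0 on success, else the failing step. */
int seg_selftest(void) {
    static uint8_t buf[8];                 /* constructed sample allocation */
    seg_ptr p, ro, q; uint8_t v = 0;
    if (seg_create(buf, sizeof buf, PERM_R | PERM_W, &p) != SEG_OK) return 1;
    p.off = 3;
    if (seg_store(p, 0x41) != SEG_OK || seg_load(p, &v) != SEG_OK || v != 0x41) return 2;
    p.off = sizeof buf;                    /* one past the end: walked off the allocation */
    if (seg_load(p, &v) != SEG_OOB) return 3;
    p.off = 3;
    if (seg_restrict(p, PERM_R, &ro) != SEG_OK) return 4;
    ro.off = 3;
    if (seg_store(ro, 1) != SEG_PERM || seg_load(ro, &v) != SEG_OK || v != 0x41) return 5;
    if (seg_restrict(ro, PERM_R | PERM_W, &q) != SEG_PERM) return 6;  /* cannot widen */
    if (seg_revoke(p) != SEG_OK || seg_load(p, &v) != SEG_STALE) return 7;
    if (seg_load(ro, &v) != SEG_OK) return 8;   /* derived token has its own slot */
    if (seg_create(buf, 4, PERM_R, &q) != SEG_OK) return 9;
    if (q.slot != p.slot || q.gen == p.gen) return 10;  /* slot reused, new generation */
    if (seg_load(p, &v) != SEG_STALE) return 11;        /* old token still dead */
    return 0;
}

int main(void) {
    int r = seg_selftest();
    if (r) printf("seg_selftest failed at step %d\n", r);
    else puts("seg_selftest: ok");
    return r != 0;
}
```

Two of the post's objections show up directly in the model. Revocation only works because the generation counter is never reissued, so a real design would need it wide enough never to wrap (this toy uses 32 bits), and every access pays a table lookup before the bounds and permission checks, which is the hardware cost the post is talking about. The table is also fixed at SEG_SLOTS entries, and seg_restrict burns a fresh slot for every derived token; that is the "you can't really limit the number of active segments in hw" problem in miniature.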

