Date:      Thu, 19 Sep 1996 11:56:03 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        michaelh@cet.co.jp (Michael Hancock)
Cc:        terry@lambert.org, dg@Root.COM, bde@zeta.org.au, proff@suburbia.net, freebsd-hackers@FreeBSD.org
Subject:   Re: thread stacks and protections (was Re: attribute/inode caching)
Message-ID:  <199609191856.LAA01219@phaeton.artisoft.com>
In-Reply-To: <Pine.SV4.3.93.960919101646.12359A-100000@parkplace.cet.co.jp> from "Michael Hancock" at Sep 19, 96 10:31:23 am

> > Personally, I'd like to use page anonymity based protections to establish
> > Chorus-like access privilege domains for IPC; specifically, for stacks
> > capable of being grown by fault for use by threads.  I think the POSIX
> > model is broken: I should not be required to preallocate stack for a
> > thread just because SVR4 and Solaris have bogus architectures (actually,
> > the SVR4 VM does *not* impose this limitation: it is a limitation of
> > the threading code alone.  Steve Baumel, the author of the SVR4 VM, and
> > I discussed this at some length when discussing context sharing models
> > that would be useful for the NetWare for UNIX product).
> > 
> 
> How does one implement a u-area concept on top of Chorus?  A lot of stuff
> that used to be in the u-area has been moved out to the proc and other
> structures in 4.4BSD.  Maybe moving the kernel stack out of the u-area and
> generalizing the proc and u-cred stuff can be a step toward what your
> you're talking about.

Maybe I don't understand the question, or maybe you aren't asking in
the context of page-anonymity based protections, which are statistical
protections using MMU faulting rather than domain crossing protections
using instruction faulting.

Chorus, the microkernel, is very Mach-like, except that it moves the
IPC facilities out of the realm of domain crossing boundaries.  An
external pager, for instance, would exist in the same protection domain
as the kernel itself.

The difference is that when you mix in page anonymity-based protections
(which are probably unsatisfactory for getting *any* orange-book rating),
then you get the ability to allow user processes into the same domain
as the kernel.

The lack of domain crossing means a lack of copying and a lack of
remapping and a lack of exception handling in the non-error case.
What Chorus buys is a several orders of magnitude improvement in the
IPC facilities, but it doesn't itself rely on page anonymity --
that's something I threw into the mix as an "I'd like to use...".


The threading stack issue is one of either splitting or domainizing
the stack address space.  Splitting requires using different mappings
from one thread to another.  Domainizing is inherently unsatisfactory
because it leads to things like "no one will ever need more than 4K of
stack" (a statement Windows95 and Windows NT implicitly make for VXDs).

I think John Dyson's response is best: it can be implemented (I wouldn't
say it was as trivial to do as John implies, but then John is a VM
guy and I am an FS guy), but we need to make sure that it's the right
thing being implemented.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
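The model Terry says he would like, a thread stack that is reserved but not preallocated and is grown by taking a page fault, can be sketched in user space on a Linux/glibc host. The following is an added example and is not code from this thread, from Chorus or from FreeBSD: it reserves a region as PROT_NONE, commits only the top of it, and lets a SIGSEGV handler map pages in as the stack descends. The sizes, the recursion depth and the names run_fault_grown_stack, grown_bytes and burn_stack are illustrative choices, and the handler runs on an alternate signal stack because the stack that just faulted cannot hold the signal frame. The lowest page is kept as a hard guard so a genuine overflow still terminates the process; what this does not show is any of the kernel-side domain machinery the message discusses.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* Illustrative sizes (assumptions, not from the thread). Only address space
 * is reserved up front; the SIGSEGV handler commits pages on demand. */
#define STACK_RESERVE  (1u << 20)    /* 1 MiB reserved as PROT_NONE           */
#define STACK_INITIAL  (64u * 1024)  /* top 64 KiB committed before first use */
#define ALT_STACK_SIZE (64u * 1024)  /* the handler's own stack               */
#define DEMO_DEPTH     120u          /* ~120 page-sized frames, ~480 KiB      */

static char *stack_base;                  /* lowest address of the reservation */
static size_t page_size;
static volatile sig_atomic_t pages_grown; /* pages committed by the handler    */
static ucontext_t main_ctx, stack_ctx;
static unsigned long result;

/* Fault inside the reservation and above the bottom guard page: commit that
 * page and let the instruction retry. Anything else reverts to SIG_DFL so the
 * retried fault kills the process normally. Only async-signal-safe calls. */
static void grow_on_fault(int sig, siginfo_t *si, void *uctx)
{
    uintptr_t addr = (uintptr_t)si->si_addr;
    uintptr_t lo = (uintptr_t)stack_base + page_size;  /* page 0 stays a guard */
    uintptr_t hi = (uintptr_t)stack_base + STACK_RESERVE;
    uintptr_t page = addr & ~(uintptr_t)(page_size - 1);

    (void)uctx;
    if (addr < lo || addr >= hi ||
        mprotect((void *)page, page_size, PROT_READ | PROT_WRITE) != 0) {
        signal(sig, SIG_DFL);
        return;
    }
    pages_grown++;
}

/* Each level owns a page-sized volatile buffer and writes both ends of it, so
 * the recursion walks down the reservation about one page per call. Returns
 * 1 + 2 + ... + depth so the caller can check the stack really worked. */
static unsigned long burn_stack(unsigned depth)
{
    volatile unsigned char frame[4096];
    unsigned long below = 0;

    frame[0] = (unsigned char)depth;
    frame[sizeof frame - 1] = (unsigned char)depth;
    if (depth > 0)
        below = burn_stack(depth - 1);
    /* Read back after the call so the frame stays live across it and the
     * recursion cannot be collapsed into a loop. */
    return below + frame[sizeof frame - 1];
}

static void stack_entry(int depth)            /* runs on the new stack */
{
    result = burn_stack((unsigned)depth);
}

size_t grown_bytes(void)                      /* committed by fault, last run */
{
    return (size_t)pages_grown * page_size;
}

/* Reserve, commit the top, arm the handler, run the recursion on the new
 * stack via makecontext/swapcontext. Returns the checksum, or 0 on failure. */
unsigned long run_fault_grown_stack(void)
{
    struct sigaction sa, old;
    stack_t ss, off;
    void *alt = malloc(ALT_STACK_SIZE);

    page_size = (size_t)sysconf(_SC_PAGESIZE);
    pages_grown = 0;
    result = 0;
    stack_base = mmap(NULL, STACK_RESERVE, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (stack_base == MAP_FAILED) { free(alt); return 0; }
    if (alt == NULL) { munmap(stack_base, STACK_RESERVE); return 0; }

    memset(&ss, 0, sizeof ss);
    ss.ss_sp = alt;
    ss.ss_size = ALT_STACK_SIZE;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = grow_on_fault;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;  /* exhausted stack can't hold frame */
    sigemptyset(&sa.sa_mask);
    /* makecontext() writes the first frame at the top, so that part is real. */
    if (mprotect(stack_base + STACK_RESERVE - STACK_INITIAL, STACK_INITIAL,
                 PROT_READ | PROT_WRITE) == 0 &&
        sigaltstack(&ss, NULL) == 0 &&
        sigaction(SIGSEGV, &sa, &old) == 0 &&
        getcontext(&stack_ctx) == 0) {
        stack_ctx.uc_stack.ss_sp = stack_base;
        stack_ctx.uc_stack.ss_size = STACK_RESERVE;
        stack_ctx.uc_link = &main_ctx;        /* return here when done */
        makecontext(&stack_ctx, (void (*)(void))stack_entry, 1, DEMO_DEPTH);
        swapcontext(&main_ctx, &stack_ctx);
        sigaction(SIGSEGV, &old, NULL);
    }
    memset(&off, 0, sizeof off);
    off.ss_flags = SS_DISABLE;
    sigaltstack(&off, NULL);
    free(alt);
    munmap(stack_base, STACK_RESERVE);
    return result;
}

int main(void)
{
    unsigned long sum = run_fault_grown_stack();
    printf("checksum %lu (expected %u); reserved %u, committed up front %u, "
           "grown by fault %zu bytes\n", sum, DEMO_DEPTH * (DEMO_DEPTH + 1) / 2,
           STACK_RESERVE, STACK_INITIAL, grown_bytes());
    return sum == DEMO_DEPTH * (DEMO_DEPTH + 1) / 2 ? 0 : 1;
}
```

The point to watch is the one Terry raises against the POSIX model: nothing here is preallocated beyond the top 64 KiB, yet the recursion gets roughly half a megabyte of stack, and the committed footprint is exactly the pages that were touched. The price is that the protection is now in the fault handler's hands, so the bottom guard page and the fall-back to SIG_DFL are what keep a real overflow from silently mapping its way into whatever lies below the reservation.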


