> On 23 Aug 2021, at 18:16, Branden Robinson <[email protected]>
> wrote:
>
> I'm glad you mentioned Rotate. Last I checked the only place it was
> used in any seL4 project was in the kernel's test suite.
Similar to Mutate ;-)
> And it's good that it's there, since it is an exposed interface and
> absolutely should be tested, but the bad news is that we have no
> demonstrable use cases for it. When I asked around about it, there were
> some recollections that it was thought necessary, either for logical
> completeness or to avoid a wasteful context switch (much as seL4 has
> many more than just the "fundamental" three system calls[1], but also
> fused calls like ReplyRecv to cut down on round trips through the
> kernel). But I was unable to pin down anything authoritative enough to
> put in writing from the authorities available to me.
As far as I remember, the use case was (in a dynamic system) a CSpace manager
for
another thread T wanting to change a sub-space of T's CSpace. That is,
replacing an
existing CNode cap in T's space with another CNode cap, to a different
(previously
prepared) CNode.
With Rotate you can do that while T is running, because the replacement is
atomic
within one syscall. Without Rotate, you need at least to Move operations, and
in between
those two operations, T might be looking up caps and fail because of it.
We haven't built any larger such systems, so Rotate is definitely currently
underused.
The (remaining) use case for Mutate is to change the guard of an existing cap.
My argument was that you can do this with Mint + Move, and this time there does
not
seem to be a scenario for atomicity.
It has been pointed out on the RFC in the meantime that there is one thing that
removal
of Mutate would take away: after Mutate you can still revocably copy, after
Mint + Move
you cannot.
Cheers,
Gerwin
_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
