$A MARK=1 $A PAGENO=102 $A LEFT=0; LINE=69; PAGE=57 $A TOP=4; BOTTOM=9 $A NLS=2 $A TAB=1,7,13,19,25 $B5 $L1 CM CHAPTER 3 $B5 $L1 CM A FUNCTIONAL CAPABILITY SYSTEM. $N $L1 C 3.0.- INTRODUCTION. $P3 @THE KERNEL ATTEMPTS TO PROVIDE A SYSTEM WIDE PROTECTION AND NAMING MECHANISM BY OFFERING OPERATIONS TO CREATE CAPABILITIES FOR EXTENDED TYPES OF OBJECTS. @HOWEVER, A COMMON PROPERTY OF CAPABILITY SYSTEMS IS THE RELATIVE INDEPENDENCY OF THE DEFINITION OF A TYPE WITH RESPECT TO THE OPERATIONS DEFINED ON THAT TYPE. @EXTENDED OPERATIONS ON EVERY OBJECT, REGARDLESS OF ITS TYPE, ARE DEFINED IN TERMS OF OBJECTS OF THE DISTINGUISHED TYPE 'DOMAIN', EVEN IN SPITE OF THE FACT THAT DOMAINS ARE INTENDED TO IMPLEMENT OPERATIONS ON OBJECTS OF PRECISELY DEFINED TYPES. $P @THE DESIGN TO BE PRESENTED IS BASED ON ONE OF THE PRINCIPAL MOTIVATIONS FOR THE EXISTENCE OF DIFFERENT TYPES: @A WELL DEFINED CORRESPONDENCE BETWEEN THE TYPE AND THE OPERATIONS WHICH CAN BE PERFORMED ON OBJECTS OF THAT TYPE. $P @IN SECTION 3.1 WE PROPOSE A GROUPING OF SYSTEM OBJECTS WHICH ALLOWS THE RIGOROUS DEFINITION OF OPERATIONS ON BASIC AND EXTENDED TYPES OF OBJECTS AS PART OF THE PROTECTION FRAMEWORK. @IN SECTION 3.2 WE DISCUSS THE REPRESENTATION OF EXTENDED OPERATORS: THE SYSTEM OBJECTS WHICH EXECUTE OPERATIONS. @SECTION 3.3 IS A REVIEW OF PARAMETER PASSING IN RELATION TO OUR CHARACTERISATION OF SYSTEM OBJECTS. @THE PARTICULAR PROBLEM OF PREVENTING AN OPERATOR FROM RETAINING THE PRIVILEGES NEEDED TO ACCESS OBJECTS RECEIVED AS PARAMETERS IS DISCUSSED IN DETAIL IN SECTION 3.4. @FINALLY, IN SECTION 3.5 WE EXPOSE THE SET OF KERNEL OPERATIONS NEEDED TO SUPPORT THE FUNCTIONAL CAPABILITY SYSTEM. $N $L1 C 3.1.- OPERANDS AND OPERATORS. $P3 @CONSIDER THE DIVISION OF SYSTEM OBJECTS INTO TWO DISTINCT CLASSES: OPERATORS AND OPERANDS. @IN ADDITION TO THE NORMAL REQUIREMENTS ABOUT THE CREATION AND STORAGE OF CAPABILITIES DISCUSSED IN THE PREVIOUS CHAPTER, THE FOLLOWING CONSTRAINTS ARE IMPOSED ON THE SYSTEM: $A INDENT=2 $B0 $C-3 1) @EVERY ACTION CONSISTS OF THE APPLICATION OF AN OBJECT OF THE OPERATOR CLASS TO AN OBJECT OF THE OPERAND CLASS. @THE SYSTEM ACTION CAN BE DEFINED BY THE CONSTRUCT: $A INDENT=3 $B0 .INVOKE ( @R , @D ) $A INDENT=2 $B0 WHERE $A INDENT=3 $B0 @R = @CAPABILITY FOR AN OPERATOR AND $B0 @D = @CAPABILITY FOR AN OPERAND $A INDENT=2 $B0 $C-3 2) @THE PROTECTION MECHANISM GUARANTEES THAT THE OPERATOR BE APPLIED TO THE OPERAND IF AND ONLY IF: $A INDENT=3 $B0 $C-4 I) $T3 @THE TYPES OF THE OBJECTS SPECIFIED IN THE ACTION ARE IDENTICAL AND $B0 $C-4 II) @THE PRIVILEGES EXERCISED BY THE OPERATOR DO NOT EXCEED THE ACCESS RIGHTS ALLOWED BY THE OPERAND. $A INDENT=0 $V0 $P @THE FORMAT OF THE CAPABILITIES IS SHOWN IN FIGURE 3.1-1. @AS MENTIONED IN THE PREVIOUS CHAPTER, THE ADDRESS FIELD OF THE CAPABILITY FOR AN EXTENDED OBJECT CONTAINS A POINTER TO THE CAPABILITY FOR THE REPRESENTATION OF THE OBJECT. @IN THE CASE OF BASIC OBJECTS THE ADDRESS FIELD GIVES THE LOCATION OF THE OBJECT IN PRIMARY OR SECONDARY STORAGE. THUS, THE ADDRESS FIELD OF THE CAPABILITY FOR AN EXTENDED OPERATOR CONTAINS A POINTER TO THE CAPABILITY FOR THE SEGMENT IN WHICH THE PROGRAM WHICH IMPLEMENTS THE EXTENDED OPERATION IS CONTAINED. @THE PRECISE STRUCTURE OF EXTENDED OPERATORS WILL BE DISCUSSED IN THE NEXT SECTION. @SIMILARLY, THE ADDRESS FIELD OF THE CAPABILITY FOR A KERNEL OPERATOR (A MACHINE INSTRUCTION) CONTAINS THE ADDRESS OF THE MICRO PROGRAM (OR CIRCUIT) WHICH IMPLEMENTS THE OPERATION. $P @RECALL THAT THE CAPABILITIES AS SHOWN IN THE FIGURE ARE STORED IN A TABLE ACCESSIBLE ONLY TO THE KERNEL. @THE ARGUMENTS TO THE .INVOKE FUNCTION ARE ONLY THE UNIQUE .ID FIELDS OF THE CAPABILITIES. $P @THE PURPOSE OF THE ACCESS RIGHTS FIELD IN THE CAPABILITY FOR AN OPERATOR IS TO 'DECLARE' TO THE PROTECTION MECHANISM THE SET OF ACCESS RIGHTS WHICH THE OPERATOR INTENDS TO EXERCISE. @FOR EXAMPLE, THE PRIVILEGES FIELD OF THE CAPABILITY FOR A .LOAD OPERATOR CONTAINS A 1 IN THE POSITION CORRESPONDING TO THE .READ ACCESS RIGHT IN A SEGMENT'S CAPABILITY. @THE OPERATOR, A PROGRAM OR MACHINE INSTRUCTION IS ENTERED FOLLOWING THE VERIFICATION OF CONSTRAINTS 1) AND 2) BY THE PROTECTION MECHANISM. $P @IMPLICIT IN THE .INVOKE FUNCTION IS THE EXECUTING PROGRAM'S DESIRE TO MAKE THE REPRESENTATION OF THE OPERAND OBJECT AVAILABLE TO THE INVOKED OPERATOR. @TO THIS END, THE PROTECTION MECHANISM, RETRIEVES THE CAPABILITY FOR THE REPRESENTATION OF THE OBJECT FROM THE ADDRESS FIELD OF THE CAPABILITY PRESENTED AS OPERAND TO .INVOKE AND PASSES IT TO THE OPERATOR WHICH IS BEING ENTERED. @THUS, THE ARGUMENT RECEIVED BY THE EXTENDED OPERATOR IS THE CAPABILITY REQUIRED TO PERFORM THE OPERATION ON THE REPRESENTATION OF THE EXTENDED OBJECT. $P @ADDITIONAL ACTIVITIES OF THE .INVOKE ACTION ARE: TO DEFINE A NEW PROTECTION REGIME FOR THE NEW OPERATOR, TO SAVE THE STATE OF THE INVOKING OPERATOR IN ORDER TO RESTORE IT AT A LATER TIME, AND TO PASS A RETURN CAPABILITY TO THE INVOKED OPERATOR AS WELL AS THE ARGUMENT DESCRIBED ABOVE. @WHEN AN OPERATOR CONCLUDES ITS ACTIVITIES, IT REQUESTS FROM THE PROTECTION MECHANISM A RETURN TO THE OPERATOR WHICH INVOKED IT. @THIS IS ACCOMPLISHED VIA THE AD HOC SYSTEM ACTION: $B0 $T2 .RETURN $B0 @THE OBJECTIVE OF .RETURN IS TO UNRAVEL THE ACTIVITIES PERFORMED BY THE MATCHING .INVOKE AND RESUME EXECUTION OF THE CALLING OPERATOR. $P @THE SIGNIFICANCE OF THE PROPOSED SCHEME DERIVES FROM THE UNIFORM CHARACTERISATION OF EXTENDED OBJECTS AS WELL AS THE OPERATIONS DEFINED ON THOSE OBJECTS: @THEY ARE ALL MEMBERS OF THE SAME TYPE. @AN IMPORTANT ADVANTAGE OF THIS APPROACH TO THE CONSTRUCTION OF CAPABILITIES FOR BASIC AND EXTENDED OBJECTS IS THE POSSIBILITY OF DETERMINING THE TYPE AND HENCE THE SEMANTIC PROPERTIES OF EVERY OBJECT BY EXAMINING ITS CAPABILITY. @IN CONTRAST, THE CAPABILITY FOR AN OBJECT OF TYPE DOMAIN MERELY INDICATES THAT THE OBJECT IS THE IMPLEMENTOR OF AN OPERATION ON SOME UNKNOWN TYPE. $P @ALTHOUGH A FEW OPERATORS ARE INTENDED SIMPLY TO MODIFY IN SOME WAY THE REPRESENTATION OF AN EXTENDED OBJECT, E. G. SORT A SEGMENT, THE PURPOSE OF MOST OPERATIONS IS TO ADD INFORMATION TO OR RETRIEVE INFORMATION FROM THE REPRESENTATIONS OF OBJECTS. @MOREOVER, THE DATA WHICH IS TO BE INSERTED INTO (OR RETRIEVED FROM) THE REPRESENTATION OF THE OBJECT IS, IN GENERAL, SUPPLIED BY (RETURNED TO) THE PROGRAM WHICH EXECUTES THE .INVOKE OPERATION. @FOR THE TIME BEING, LET US ASSUME THAT ALL THE INFORMATION REQUIRED TO PERFORM THE EXTENDED OPERATION IS STORED WITHIN THE REPRESENTATION OF THE EXTENDED OPERAND OBJECT. @THE ASSUMPTION IGNORES THE FACT THAT, IN GENERAL, THE PROGRAM WHICH EXECUTES AN .INVOKE DOES NOT ENJOY ACCESS TO THE REPRESENTATION OF THE OPERAND OBJECT. @WE POSTPONE THE STUDY OF THIS PROBLEM UNTIL THE SECTION ON PARAMETER PASSING (SECTION 3.3) AND PROCEED TO ANALYSE THE STRUCTURE OF EXTENDED OPERATORS. $N $L1 C 3.2.- REPRESENTATION OF EXTENDED OPERATORS. $P3 @EXTENDED OPERATORS HAVE TO BE DEFINED IN TERMS OF BASIC OPERATORS, I. E. MACHINE INSTRUCTIONS, AND EXTENDED OPERATORS DEFINED PREVIOUSLY. @IN OTHER WORDS, EXTENDED OPERATORS ARE SIMPLY PROGRAMS. @IT FOLLOWS FROM THE DEFINITION OF THE .INVOKE SYSTEM ACTION THAT PROGRAMS CAN CONSIST OF: A) SEQUENCES OF PAIRS OF CAPABILITIES, B) SEQUENCES OF PAIRS OF POINTERS INTO SEGMENTS CONTAINING CAPABILITIES OF C) SEQUENCES OF MIXED PAIRS OF POINTERS AND CAPABILITIES. @IN A TAGGED STORAGE ARCHITECTURE, A FREE CHOICE OF THE THREE OPTIONS IS AVAILABLE. @A SEGMENTED MACHINE AFFORDS A CHOICE BETWEEN OPTIONS A) AND B). $V0 $P @FROM THE POINT OF VIEW OF THE EFFICIENCY OF THE ADDRESS TRANSLATION MECHANISM, OPTION B) REQUIRES AN ADDITIONAL STEP OVER OPTION A): @FETCHING THE CAPABILITIES USING THE PROGRAM GENERATED POINTERS. @ON THE OTHER HAND, THE USE OF OPTION B) ALLOWS PROGRAMS WHOSE REPRESENTATIONS ARE INDEPENDENT FROM THE FORM AND SIZE OF CAPABILITIES AND SIMPLIFIES THE BINDING OF INDEPENDENTLY COMPILED PROGRAMS. @FURTHERMORE, THE ADDRESSES GENERATED BY PROGRAMS WHICH CAN BE WRITTEN FOR CONVENTIONAL MACHINES ARE SIMPLY POINTERS. @THE PROGRAM STRUCTURE IS SHOWN SCHEMATICALLY IN FIGURE 3.2-1 AS A PROGRAM PROPER SEGMENT (@P-SEG) AND THE SPECIAL CAPABILITY SEGMENT CALLED THE IMPLICIT SEGMENT (@I-SEG). @THE FORMER CONTAINS A SEQUENCE OF PAIRS OF POINTERS INTO THE LATTER. @THE @I-SEG CONTAINS THE SET OF OPERAND AND OPERATOR OBJECTS WHICH DELIMIT THE ADDRESS SPACE OF THE PROCESS BOUND TO THE OPERATOR. @THE CAPABILITY FOR THE @I-SEG, WITH ITS INHERENT BASE AND LIMIT (ADDRESS FIELD AND LENGTH FIELD) REGISTERS IS STORED WITHIN A SPECIAL PROCESSOR REGISTER: THE @I-REG. @THE POINTERS ORIGINATING FROM THE @P-SEG ARE INTERPRETED RELATIVE TO THE @I-REG. $P @THE PROCESSOR USES THE INSTRUCTIONS FETCHED FROM THE @P-SEG TO COMPUTE THE VALUES OF THE POINTERS DEPICTED IN FIGURE 3.2-1 AND USES THESE VALUES TOGETHER WITH THE @I-REG TO LOCATE THE PAIR OF CAPABILITIES TO BE PRESENTED TO THE .INVOKE MECHANISM. @SINCE THE @P-SEG IS ITSELF AN OBJECT, INSTRUCTION FETCH MUST BE AUTHORISED BY THE CAPABILITY OF THE OBJECT. @IT FOLLOWS THAT THE @P-SEG IS PART OF THE OPERATOR'S ENVIRONMENT AND HENCE ITS CAPABILITY SHOULD BE STORED WITHIN ONE OF THE SLOTS OF THE @I-SEG. @NEVERTHELESS, WE HAVE CHOSEN TO REGARD THE @P-SEG AS AN INDEPENDENT COMPONENT OF THE REPRESENTATION OF THE OPERATOR. @THEREFORE, INSTRUCTION FETCH CANNOT BE DEFINED AS AN OPERATION ON ONE OF THE OBJECTS WHOSE CAPABILITY IS FOUND IN THE @I-SEG. @INSTEAD, A SEPARATE PROCESSOR REGISTER WHICH WE CALL THE @P-REG HAS TO BE PROVIDED TO CONTAIN THE @P-SEG'S CAPABILITY. @MOREOVER, THE @P-REG CONTAINS THE CAPABILITY FOR A CAPABILITY SEGMENT WHICH IN TURN CONTAINS CAPABILITIES FOR A SET OF EXECUTABLE SEGMENTS. @THE ADDITIONAL LEVEL OF INDIRECTION IS NEEDED TO PERMIT SEGMENTATION OF PROGRAMS CONTAINED IN THE ENVIRONMENTS OF OPERATORS. $P @THE PRINCIPAL IMPLICATION OF THE DECISION TO DEFINE THE CONTROL AND DATA PARTS OF AN OPERATOR AS DISTINCT COMPONENTS IS THAT INSTRUCTION ADDRESSES ARE OF DIFFERENT FORM THAN DATA ADDRESSES. @THE ADDRESS GENERATED BY A PROGRAM IS OF THE FORM: $B0 $T2 R , S , D $B0 WHERE R INDICATES THE REGISTER (@I-REG OR @P-REG) TO BE USED AS THE HEAD OF THE INDIRECTION CHAIN; S IS A DISPLACEMENT EMPLOYED TO LOCATE THE CAPABILITY FOR A PARTICULAR SEGMENT AND D REFERENCES A WORD WITHIN THE SEGMENT. @THE R BIT CAN BE ELIMINATED FROM INSTRUCTION ADDRESSES, I. E. OPERANDS OF INSTRUCTIONS WHICH MODIFY THE VALUE OF THE PROCESSOR'S PROGRAM COUNTER, SINCE THE VALUE OF THE R BIT IS KNOWN TO THE FETCH-INSTRUCTION SEQUENCE. @HOWEVER, TRUE OPERAND ADDRESSES MUST TAKE THE R BIT INTO ACCOUNT. $P @WITH THE PROPOSED STRUCTURE OF THE REPRESENTATIONS OF OPERATORS IT BECOMES NATURAL TO DEFINE THE INTERPRETATION OF OPERAND ADDRESSES AND INSTRUCTION ADDRESSES IN DIFFERENT WAYS. @IN PARTICULAR, THE SIZE OF THE PROGRAM COUNTER CAN BE SMALLER THAN A GENERAL OPERAND ADDRESS. @FOR EXAMPLE, SUPPOSE THE HOST MACHINE HAS 16 BIT REGISTERS (INCLUDING THE PROGRAM COUNTER) AND THAT INSTRUCTIONS CONSIST OF A FUNCTION FIELD FOLLOWED BY A 16 BIT DISPLACEMENT FIELD WHICH IS MODIFIED BY THE VALUE OF AN INDEX REGISTER TO PRODUCE THE OPERAND ADDRESS [@IN71]. @WITHOUT MODIFICATION OF THE INSTRUCTION FORMAT, THE OPERATOR CAN DISPOSE OF 16 EXECUTABLE SEGMENTS OF 4K BYTES EACH. @ON THE OTHER HAND, THE SIZE OF OPERAND ADDRESSES CAN BE EXTENDED BY CONCATENATING THE VALUE OF A PROCESSOR REGISTER WITH THE 16 BIT LONG PROGRAM GENERATED ADDRESS. @THE MOST SIGNIFICANT 16 BITS OF THE CONCATENATION CAN BE USED TO DETERMINE THE HEAD OF THE INDIRECTION CHAIN AND TO SELECT ONE OF THE CAPABILITIES TO BE PRESENTED TO THE .INVOKE MECHANISM. @THIS LEAVES A TOTAL OF 16 BITS FOR THE DISPLACEMENT (D) FIELD OF THE PROGRAM GENERATED ADDRESS; I. E., A SEGMENT CAN CONSIST OF UP TO 64K BYTES. $P @THE COST OF IMPLEMENTING THE PROPOSED STRUCTURE OF OPERATORS IS SIGNIFICANT. @FIRSTLY, AN ADDITIONAL PROCESSOR REGISTER TO CONTAIN THE @P-SEG'S CAPABILITY MUST BE PROVIDED. @SECONDLY, TWO ADDITIONAL SEGMENTS ARE NEEDED TO DEFINE THE REPRESENTATION OF THE OPERATOR. @THE RUN-TIME EXPENSE IS ALSO INCREASED BY THE NEED TO SAVE THE VALUES OF TWO REGISTERS WHEN THE PROTECTION REGIME OF A PROCESS IS CHANGED AS A RESULT OF THE EXECUTION OF AN .INVOKE. $P @IT MAY BE ARGUED THAT THE RADICAL DISTINCTION BETWEEN DATA AND PROGRAMS IMPOSES ON THE PROGRAMMERS OR COMPILER WRITERS THE INCONVENIENCE OF HAVING TO DISTINGUISH CONTANTLY BETWEEN THEM. @IN PRACTICE HOWEVER, PROGRAMS AND DATA ARE TREATED CONSISTENTLY IN DIFFERENT FASHIONS; OUR FORCEFUL SEPARATION OF THESE TWO CONSTITUENTS OF AN OPERATOR MERELY EMPHASISES THE DIFFERENCE. $V0 $P @THE FINAL FORM OF THE CAPABILITY FOR AN EXTENDED OPERATOR AND THE REPRESENTATION OF THE OBJECT IS SHOWN IN FIGURE 3.2-2. @THE ADDRESS FIELD OF THE OPERATOR'S CAPABILITY CONTAINS A POINTER TO THE CAPABILITY FOR THE REPRESENTATION OF THE OPERATOR: @A CAPABILITY SEGMENT (@C-SEG) WHERE THE CAPABILITIES FOR THE COMPONENTS OF THE OPERATOR ARE STORED. @THE LENGTH FIELD OF THE CAPABILITY IS USED TO STORE THE INITIAL VALUE OF THE PROGRAM COUNTER FOR THE OPERATOR. @THE COMPONENTS OF THE REPRESENTATION ARE: @THE @I-SEG AND THE @P-SEG. @THE @P-SEG CONTAINS THE CAPABILITIES FOR THE EXECUTABLE SEGMENTS. @DEPENDING ON THE RELATIVE COST OF MAP STORAGE VS. NORMAL STORAGE, AN INTERMEDIATE CAPABILITY CAN BE USED TO CONTAIN THE CAPABILITIES FOR THE TWO COMPONENTS OF THE OPERATOR. @FIGURE 3.2-3 SHOWS THE OPERATOR STRUCTURE CORRESPONDING TO THE SECOND ALTERNATIVE. @NOTE THAT IF THE CAPABILITIES FOR THE EXECUTABLE SEGMENTS ACCESSIBLE TO THE OPERATOR WERE STORED WITHIN THE @I-SEG, THE REPRESENTATION OF THE OPERATOR WOULD BE REDUCED TO A SINGLE CAPABILITY SEGMENT; NAMELY, THE @I-SEG. @CLEARLY, THE CAPABILITY FOR THE REPRESENTATION OF THE OPERATOR CAN BE BY-PASSED IN THE IMPLEMENTATION FOR IT PROTECTS ONLY A CAPABILITY SEGMENT WHICH WILL NOT BE MISUSED BY THE .INVOKE MECANISM. $N $L1 C 3.3.- ARGUMENT PASSING. $P3 @THE .INVOKE MECHANISM NEEDS TO SAVE THE VALUES OF THE @I-REG AND @P-REG AS WELL AS THE RETURN ADDRESS OF THE EXECUTING OPERATOR. @IN ADDITION, THE PROTECTION MECHANISM CAN OFFER THE CONVENIENCE OF SAVING THE VALUES OF THE PROCESSOR'S REGISTERS AT THE TIME OF THE .INVOKE. @THIS INFORMATION MUST BE SAVED WITHIN A STACK ASSOCIATED PRIVATELY WITH THE EXECUTING PROCESS AND ACCESSIBLE ONLY TO THE .INVOKE AND .RETURN MECHANISMS. @THE STACK MUST BE A @C-SEG BECAUSE IT IS INTENDED TO HOLD THE CAPABILITIES FOR THE @I-SEG AND THE @P-SEG. @THE NORMAL DATA SAVED BY THE .INVOKE MECHANISM, E. G. THE VALUES OF THE NORMAL REGISTERS, CAN BE DEPOSITED WITHIN AN @N-SEG WHOSE CAPABILITY CAN BE STORED ALSO WITHIN THE PROCESS CAPABILITY STACK. @THEREFORE, THE PROCESSORS MUST BE PROVIDED WITH YET ANOTHER CAPABILITY REGISTER: THE @S-REG. @THE @S-REG CONTAINS THE CAPABILITY FOR THE STACK SEGMENT OR @S-SEG. @ALSO, A NON-PROGRAMMABLE TOP-OF-STACK REGISTER MUST BE PROVIDED; IT CONTAINS THE DISPLACEMENT, RELATIVE TO THE START OF THE @S-SEG, WHERE THE STATE OF THE CALLER OF THE CURRENT OPERATOR IS FOUND. $P @ACCORDING TO THE DEFINITION OF THE .INVOKE MECHANISM, THE CAPABILITY FOR THE REPRESENTATION OF THE EXTENDED OBJECT IS ALWAYS PASSED AS ARGUMENT TO THE INVOKED OPERATOR. @WITHOUT LOSS OF GENERALITY NOR PROTECTION VIOLATION, THE PROTECTION MECHANISM CAN STORE THE CAPABILITY FOR THE ARGUMENT TO THE OPERATOR IN THE @S-SEG; BEYOND THE CURRENT TOP OF THE STACK. @THE OPERATOR CAN BE PERMITTED TO ACCESS THE PARTICULAR LOCATION OF THE @S-SEG IN ORDER TO MANIPULATE THE CAPABILITY FOR ITS ARGUMENT. @PROVIDED THE OPERATOR IS CAREFUL TO ERASE THE CAPABILITY FOR ITS ARGUMENT BEFORE EXECUTING A .RETURN, THE CALLER CANNOT ACCESS THE CAPABILITY FOR THE REPRESENTATION OF THE EXTENDED OPERAND OBJECT. @IN FACT. THE KERNEL CAN, VIA THE .RETURN MACHANISM, EXERCISE THIS PRECAUTION ON BEHALF OF OPERATORS. $P @AT THE END OF SECTION 3.1 WE POINTED OUT THAT MOST OPERATIONS ON EXTENDED OBJECTS REQUIRE THE PASSING OF ADDITIONAL PARAMETERS FROM THE USER TO THE IMPLEMENTOR AND OF RESULTS FROM THE IMPLEMENTOR TO THE USER. @FOR COMPLETENESS, WE WILL FIRST ANALYSE THE POSSIBILITY OF PASSING ADDITIONAL INFORMATION BETWEEN OPERATORS USING EXCLUSIVELY THE REPRESENTATION OF THE EXTENDED OBJECT AS THE TRANSMISSION LINK. $V0 $P @IT IS POSSIBLE TO IMPLEMENT PARAMETER PASSING BY MEANS OF GIVING THE USER OF AN EXTENDED OBJECT ACCESS TO PART OF THE EXTENDED OPERAND'S REPRESENTATION. @THAT IS TO SAY, IT IS NECESSARY TO INCLUDE A CAPABILITY SEGMENT AMONGST THE COMPONENTS OF THE EXTENDED OBJECT'S REPRESENTATION. @THE USER OF THE EXTENDED OBJECT RECEIVES, IN ADDITION TO THE CAPABILITY FOR THE EXTENDED OBJECT, THE CAPABILITY FOR THE (CAPABILITY) SEGMENT WHICH IS TO BE USED FOR PARAMETER PASSING. @THE RESULTING STRUCTURE OF THE EXTENDED OPERAND IS SHOWN IN FIGURE 3.3-1. @ACCORDING TO THE DIAGRAM, THE USER OF THE EXTENDED OBJECT AND THE IMPLEMENTOR OF OPERATIONS ON THE OBJECT SHARE A CAPABILITY SEGMENT WHICH THEY HAVE AGREED TO USE FOR PARAMETER PASSING. @AT THE SAME TIME, THE CAPABILITIES FOR THE OTHER COMPONENTS OF THE EXTENDED OPERAND OBJECT REMAIN HIDDEN FROM THE USER. @CLEARLY, THE USER OF THE EXTENDED OPERAND CAN EMPLOY THE @C-SEG SHOWN IN THE FIGURE TO DEPOSIT THE CAPABILITY FOR ANY ADDITIONAL OBJECTS WHICH IT INTENDS TO PASS TO THE IMPLEMENTOR. @SIMILARLY, THE IMPLEMENTOR CAN EMPLOY THE COMPONENT OF THE SHARED COMPONENT OF THE EXTENDED OPERAND IN ORDER TO RETURN TO ITS CALLER ANY INFORMATION WHICH IT DEEMS NECESSARY. $P @UNFORTUNATELY, THERE IS A GRAVE LIMITATION IN THIS APPROACH TO PARAMETER PASSING. @EXTENDED OPERAND OBJECTS CANNOT BE SHARED BETWEEN VARIOUS PROCESSES UNLESS CERTAIN LIMITATIONS ARE IMPOSED ON THE CONCURRENT INVOCATION OF THE SAME OPERATOR BY SEVERAL PROCESSES WHICH MIGHT SHARE THE SINGLE EXTENDED OPERAND. @THE PROBLEM DERIVES FROM THE FACT THAT THE COMMUNICATION CHANNEL IS ASSOCIATED WITH THE OBJECT RATHER THAN PRIVATELY WITH THE PROCESS WHICH WISHES TO PERFORM THE OPERATION ON THE OBJECT. @THE USERS OF THE EXTENDED OBJECTS WOULD HAVE TO ENTER A CRITICAL SECTION FOR THE PURPOSE OF DEPOSITING THE PARAMETERS WITHIN THE @C-SEG MENTIONED ABOVE, LEST ANOTHER PROCESS BE ATTEMPTING TO DO SO CONCURRENTLY AND CORRUPT THE PARAMETERS OF ONE OF THE .INVOKES. @ADDITIONAL PROBLEMS ARE THE NEED TO CARRY TWO CAPABILITIES WHENEVER IT IS NECESSARY TO PASS PARAMETERS AND THE PROLIFERATION OF SMALL @C-SEG'S WHICH ARE USED SOLELY FOR PARAMETER PASSING. $P @IN CONCLUSION, THE ARGUMENT OF THE OPERATOR, I. E. THE CAPABILITY FOR THE REPRESENTATION OF THE EXTENDED OPERAND OBJECT, AS WELL AS ALL THE PARAMETERS REQUIRED TO PERFORM THE OPERATION MUST BE DEPOSITED WITHIN STORAGE MEDIA ACCESSIBLE TO BOTH, THE INVOKING AND INVOKED OPERATORS, AND PRIVATE TO THE EXECUTING PROCESS. @THE PROCESS' CAPABILITY STACK IS SUCH A DEPOSITORY. @IT CAN BE ESTABLISHED BY SOFTWARE CONVENTION THAT THOSE CAPABILITIES RESIDING BEYOND A CERTAIN SLOT IN THE PROCESS @S-SEG WILL REMAIN ACCESSIBLE TO ANY OPERATOR WHICH IS INVOKED BY THE CURRENT OPERATOR. @THUS, THE .INVOKE MECHANISM DEFINES A WINDOW WITHIN THE PROCESS' @S-SEG WHICH CAN BE ACCESSED BY THE CURRENT OPERATOR. @THE @S-SEG WINDOW IS ADJUSTED WITH EVERY .INVOKE OF EXTENDED OPERATORS AND EACH .RETURN FROM EXTENDED OPERATORS. @ALTERNATIVELY, THE .INVOKE MECHANISM CAN BE EXTENDED TO RECEIVE A FURTHER OPERAND, FOR EXAMPLE THE CAPABILITY FOR A @C-SEG, WHOSE REPRESENTATION MAY CONTAIN ALL ADDITIONAL PARAMETERS TO BE PASSED TO THE INVOKED OPERATOR. @THE PROTECTION MECHANISM IS THEN IN CHARGE OF MAKING THAT CAPABILITY ACCESSIBLE TO THE INVOKED OPERATOR. @THIS APPROACH UNDERLINES THE DRASTIC BOUNDARIES BETWEEN OPERATORS AT THE COST OF MAKING THE .INVOKE MECHANISM SLIGHTLY MORE EXPENSIVE. @A CONSIDERABLE ADVANTAGE OF LEAVING ALL THE RESPONSIBILITIES OF ARGUMENT PASSING IN THE HANDS OF THE .INVOKE MECHANISM IS THE REMOVAL OF CONVENTIONS. @ON THE ONE HAND, THIS PRECLUDES ERRORS CAUSED BY OPERATORS WHICH DISOBEY CONVENTIONS. @ON THE OTHER, IT MAKES IT POSSIBLE TO MODIFY THE IMPLEMENTATION DETAILS OF PARAMETER PASSING WITHOUT HAVING TO RE- COMPILE EVERY PROGRAM. $P @WE HAVE OPTED FOR THE FIRST SCHEME FOR VARIOUS REASONS. @THE PASSING OF A CAPABILITY SEGMENT CONTAINING CAPABILITIES FOR THE ADDITIONAL PARAMETERS CONSTITUTES A DUPLICATION OF THE PROCESS' CAPABILITY STACK (@S-SEG). @THIS CAN BE THE CAUSE OF CONSIDERABLE INEFFICIENCIES SINCE AN OPERATOR NEEDS TO COPY ALL THE CAPABILITIES INTO A SPECIAL CAPABILITY SEGMENT BEFORE INVOKING AN EXTENDED OPERATOR. @ON THE RECIEVING SIDE, THE OPERATOR MUST COPY THE CAPABILITIES FOR ADDITIONAL PARAMETERS INTO THE @S-SEG BEFORE IT CAN ADDRESS THEM. @IF INDIRECT ADDRESSING IS AVAILABLE, COPYING OF CAPABILITIES IS REDUCED AT THE EXPENSE OF REQUIRING VERY LONG OPERAND ADDRESSES. @IT IS IMPORTANT TO NOTE THAT PROTECTION IS NOT RELAXED BY ALLOWING OPERATORS TO ACCESS PARTS OF THE ADDRESS SPACES OF OPERATORS TO BE INVOKED AT A LATER TIME. @THE REASON IS THAT, AFTER AN OPERATOR HAS BEEN ENTERED, IT IS FREE TO USE OR IGNORE INFORMATION WHICH IT FINDS IN ITS @S-SEG WINDOW. @NEVERTHELESS, IT IS VITALLY IMPORTANT TO ENSURE THAT AN OPERATOR CANNOT BE MISLED INTO CONFUSING THE CAPABILITY FOR ITS ARGUMENT WITH THE CAPABILITY FOR ONE OF THE ADDITIONAL PARAMETERS. @THAT IS TO SAY, THE POSITION OF THE OPERATOR'S ARGUMENT, I. E. THE CAPABILITY FOR THE REPRESENTATION OF THE EXTENDED OPERAND EXTRACTED FROM THE CAPABILITY FOR THE EXTENDED OBJECT, MUST BE SPECIFIED UNAMBIGUOUSLY WITHIN THE OPERATOR'S @S-SEG WINDOW. $P @FINALLY, WE FEEL THAT THIS USAGE OF THE @S-SEG IS A SMOOTH EXTENSION OF THE PART PLAYED BY THE PROCESSOR'S REGISTERS. @THE REGISTERS CAN BE VIEWED AS AN IMPLICIT, UNPROTECTED EXTENSION OF OF THE REPRESENTATION OF EVERY @N-SEG. @THEY ARE UNPROTECTED IN THE SENSE THAT THEY CAN BE ACCESSED WITHOUT INTERVENTION FROM THE PROTECTION MECHANISM. @THEY ARE AN EXTENSION OF EVERY @N-SEG IN THAT, FOLLOWING ACCESS VALIDATION TO THE PROTECTED PART OF THE @N-SEG'S REPRESENTATION, THE IMPLEMENTING OPERATOR (IN THIS CASE THE HARDWARE) IS FREE TO TRANSFER INFORMATION BETWEEN THE PROTECTED PART OF THE @N-SEG AND SOME OF THE REGISTERS. @ANALOGOUSLY, THE PROCESS CAPABILITY STACK CAN BE REGARDED AS AN IMPLICIT EXTENSION OF THE REPRESENTATION OF EVERY EXTENDED OBJECT END EVERY @C-SEG. @THE JOB OF THE PROTECTION MECHANISM IS TO AUTHORISE ACCESS TO THE PROTECTED PART OF THE OBJECT AND TO DETERMINE THE SECTION OF THE UNPROTECTED PART WHICH IS TO BE ACCESSIBLE TO EVERY OPERATOR. $N $P @IN SECTION 2.4 WE LISTED FOUR CONDITIONS WHICH MUST BE ADHERED TO WHEN DEALING WITH EXTENDED OBJECTS. @IT IS TRIVIAL TO VERIFY THAT THE STRUCTURE OF EXTENDED OBJECTS PROPOSED IN THE PRESENT CHAPTER TOGETHER WITH THE SPECIFICATIONS OF THE .INVOKE MECHANISM CONFORM WITH THE FIRST THREE CONSTRAINTS. $P @IN ACCORDANCE WITH THE FIRST CONDITION, CAPABLILITIES FOR EXTENDED OBJECTS ARE, BY CONSTRUCTION, ASSOCIATED WITH THE CAPABILITIES FOR THE REPRESENTATIONS OF THE OBJECTS. @THE SECOND AND THIRD CONSTRAINTS ARE SATISFIED SINCE THE POSSESSOR OF THE CAPABILITY FOR AN EXTENDED OBJECT IS AUTHORISED ONLY TO .INVOKE THE OPERATOR DESIGNED TO MANIPULATE THE OBJECT'S REPRESENTATION AND THE .INVOKE MECHANISM IS THE ONLY COMPONENT CAPABLE OF RETRIEVING THE CAPABILITY FOR THE REPRESENTATION OF THE EXTENDED OPERAND OBJECT WHICH IS PASSED AS ARGUMENT TO THE INVOKED OPERATOR. @THE FOURTH CONSTRAINT STATES THAT AN OPERATOR SHOULD BE ABLE TO ACCESS THE REPRESENTATION OF THE EXTENDED OBJECT ONLY UPON REQUEST. @THAT IS TO SAY, FOLLOWING THE EXECUTION OF A .RETURN OPERATION, THE CAPABILITY WHICH THE OPERATOR RECEIVED AS ARGUMENT WHEN IT WAS INVOKED MUST CEASE TO BE ACCESSIBLE TO THE OPERATOR; IF IT REMAINS ACCESSIBLE, THE ACCESS RIGHTS OF THE CAPABILITY MUST BE REVOKED. @WE NOW PROCEED TO TAKE A CLOSER LOOK AT THE OPERATOR'S @I-SEG IN ORDER TO DETERMINE THE RESTRICTIONS WHICH MUST BE IMPOSED IN ORDER TO FULFIL THE CONDITION. $N $L1 C 3.4.- RESTRICTIONS ON THE ADDRESS SPACES OF OPERATORS. $P2 @THE INFORMATION CONTAINED IN AN OPERATOR'S @I-SEG IS LOGICALLY DIVIDED INTO A SET OF CAPABILITIES FOR OPERATOR OBJECTS AND A SET OF CAPABILITIES FOR OPERAND OBJECTS. @THE OPERAND OBJECTS ACCESSIBLE THROUGH THE CAPABILITIES CONTAINED IN AN OPERATOR'S @I-SEG CAN BE SUB-DIVIDED INTO VARIANT AND INVARIANT OBJECTS. @BY INVARIANT WE MEAN ULTIMATELY READ-ONLY OBJECTS. @THAT IS TO SAY, OBJECTS WHOSE ULTIMATE REPRESENTATIONS IN TERMS OF PHYSICAL STORAGE MEDIA ARE NOT ALTERED BY ANY OPERATOR. @VARIANT OBJECTS ARE THE COUNTERPART OF INVARIANT OBJECTS. $P @THE ONLY SERIOUS PROBLEM WHICH ARISES IN THE HANDLING OF INVARIANT OBJECTS BY CONCURRENTLY EXECUTING OPERATORS IS MEMORY CONTENTION. @THEREFORE, WE WILL ONLY CONSIDER THE PROTECTION AND PRIVACY ISSUES INVOLVED IN THE MANIPULATION OF VARIANT OBJECTS. $P @ASSUME THE @I-SEG OF A GIVEN OPERATOR, SAY .R, CONTAINS THE CAPABILITY FOR A @C-SEG ALLOWING READ/WRITE ACCESS AND THAT THE OPERATOR CAN COPY THE CAPABILITY FOR ITS ARGUMENT INTO THAT SEGMENT. @SUPPOSE NOW THAT PROCESS .P1 PERFORMS: $B0 $T2 .INVOKE ( @R , .X1 ) $B0 RESULTING IN THE CAPABILITY FOR AN OBJECT CALLED .A1 (THE REPRESENTATION OF .X1) TO BE PASSED AS THE ARGUMENT TO .R. @OPERATOR @R IS NOW FREE TO COPY THE CAPABILITY FOR .A1 INTO THE @C-SEG MENTIONED ABOVE. @FROM NOW ON, @R IS CAPABLE OF DISTRIBUTING THE CAPABILITY FOR .A1 TO ANY PROCESS WHICH INVOKES IT. @IN PARTICULAR, LET PROCESS .P2 BE THE RECEIVER OF THE CAPABILITY FOR .A1. @PROCESS .P2 CAN SUBSEQUENTLY USE THAT CAPABILITY TO SPY ON THE INFORMATION STORED BY .P1 INTO THE REPRESENTATION OF .A1 AS WELL AS TO PERFORM OPERATIONS ON .A1 WHICH ALTER THAT INFORMATION. @NOTE THAT THE SITUATION CAN OCCUR WITHOUT THE MALICIOUS PASSING OF THE CAPABILITY FOR .A1 TO ANOTHER PROCESS. @BY KEEPING THE CAPABILITY WITHIN ITS @I-SEG, THE OPERATOR CAN ACCESS THE OBJECT WHENEVER IT IS INVOKED BY ANY PROCESS ENTITLED TO DO SO. $P @THE IMPLICATIONS OF THE STATE OF AFFAIRS EXPOSED IN THE PREVIOUS PARAGRAPH DEPEND ON THE WAY IN WHICH .P1 REGARDS THE EXTENDED OBJECT .X1 WHICH HAS .A1 AS ITS REPRESENTATION. @IF .P1 VIEWS .X1 AS AN UNSHARED OBJECT, IT EXPECTS THE STATE OF .A1 TO REMAIN INVARIANT BETWEEN TWO SUCCESSIVE INVOCATIONS OF .R. @HOWEVER, THE OBJECT COULD HAVE BEEN MODIFIED IN THE MEANWHILE. @ALTHOUGH THIS PROBLEM CAN BE CONSIDERED SIMPLY AS A FAILURE OF THE PROGRAM WHICH IMPLEMENTS OPERATOR .R, THIS KIND OF SPURIOUS ERROR IS EXTREMELY DIFFICULT TO DETECT AND, THEREFORE, SHOULD BE PREVENTED BY THE PROTECTION MECHANISM. @ON THE OTHER HAND, IF .P2 WERE PREVENTED FROM MODIFYING THE STATE OF .A1, THE SITUATION WOULD PERMIT AN INFRINGEMENT OF @P1'S PRIVACY WHICH IS QUITE DIFFERENT FROM VIOLATING THE PROTECTION OF THE OBJECT. $P @ONE WAY OF PROVIDING THE PROTECTION MENTIONED ABOVE IS TO PREVENT OPERATORS FROM COPYING THE CAPABILITIES OF THEIR ARGUMENTS. @IN SECTION 2.5 WE MENTIONED THIS RESTRICTION IN THE CONTEXT OF REVOCATION OF ACCESS RIGHTS AND POINTED OUT THE EXTREME INFLEXIBILITY OF THE APPROACH. @RESTRICTING THE HANDLING OF ARGUMENTS IN THIS FASHION WOULD MAKE THE SYSTEM ALMOST USELESS. @THIS IS EASILY SEEN BY NOTING THAT THE ARGUMENT TO THE OPERATOR MAY BE A @C-SEG WHICH HOLDS THE CAPABLILITIES FOR THE VARIOUS COMPONENTS OF THE REPRESENTATION OF THE EXTENDED OPERAND OBJECT. @THE CONSTRAINT WOULD FORBID THE REMOVAL OF CAPABILITIES FROM THE @C-SEG. @AS A RESULT, OPERATIONS ON THE COMPONENTS OF THE REPRESENTATION OF THE EXTENDED OBJECT WOULD HAVE TO BE EXPRESSED IN TERMS OF MULTIPLE INDIRECTIONS. @ANOTHER PROBLEM IS THAT IT BECOMES EXTREMELY CUMBERSOME TO TRANSMIT CAPABILITIES BETWEEN PROCESSES. $P @AN ALTERNATIVE APPROACH IS TO ENFORCE THE CONSTRAINT THAT @I-SEG'S BE INVARIANT OBJECTS. @CONSEQUENTLY, OPERATORS BECOME INCAPABLE OF REMEMBERING THE INFORMATION PASSED TO THEM BY THE INVOKING OPERATORS. @THE PASSING OF CAPABILITIES BETWEEN PROCESSES CAN STILL BE ACCOMPLISHED SINCE ALL THE CAPABILITIES FOR THE SHARED OBJECTS REQUIRED FOR THE COMMUNICATION CAN BE INCLUDED IN THE ARGUMENTS PASSED TO THE INVOKED OPERATOR. @NEVERTHELESS, A PROCESS CAN PROTECT ITS PRECIOUS OBJECTS SIMPLY BY REFUSING TO EMPLOY OPERATORS WHICH REQUIRE SHARED AND PRIVATE OBJECTS AS ARGUMENTS. $P @IT IS IMPORTANT TO NOTE THAT, IN ADDITION TO THE ABOVE RESTRICTION, IT IS NECESSARY TO PRECLUDE THE AUGMENTATION OF ACCESS RIGHTS OF THE CAPABILITIES CONTAINED IN AN OPERATOR'S @I-SEG. @THE PREVIOUS EXAMPLE SERVES TO ILLUSTRATE THE NEED FOR THIS ADDITIONAL REQUIREMENT. @SUPPOSE THE @I-SEG OF OPERATOR @R CONTAINS THE CAPABILITY FOR A READ-ONLY @C-SEG. @R CAN COPY THE CAPABILITY FOR THE READ-ONLY @C-SEG INTO A SUITABLE PLACE OF THE REPRESENTATION OF OBJECT .A1 AND AUGMENT ITS ACCESS RIGHTS TO READ-WRITE. @SIMILARLY, WHEN PROCESS .P2 PERFORMS: $B0 $T2 .INVOKE ( @R , .X2 ) $B0 $V0 A SECOND COPY OF THE @C-SEG'S CAPABILITY CAN BE STORED WITHIN THE REPRESENTATION OF .X2. @THE RESULTING STRUCTURE OF OBJECTS .X1 AND .X2 IS SCHEMATISED IN FIGURE 3.4-1. @CLEARLY, THE COMMON @C-SEG CAN BE USED BY @R TO TRANSFER CAPABILITIES BETWEEN THE TWO PROCESSES. @NOTE THAT IT IS DIFFICULT TO JUSTIFY THE ABOVE SEQUENCE OF EVENTS AS A BONA FIDE ERROR ON THE PART OF OPERATOR .R. $P @IN SHORT, THE CRUCIAL CONSEQUENCE OF PERMITTING THAT @I-SEGS BE VARIANT OBJECTS IS THAT IT BECOMES IMPOSSIBLE FOR THE KERNEL TO PREVENT THE VIOLATION OF THE BASIC PRINCIPLE OF OPERATORS: NAMELY, THE SET OF OBJECTS ENCLOSED IN THE ADDRESS SPACE OF AN OPERATOR SHOULD BE ACCESSIBLE BY A PROCESS ONLY WHILE THE FORMER IS EXECUTING ON BEHALF OF THE LATTER. $P @THE REINFORCED PROTECTION PROVIDED BY 'MEMORYLESS' OPERATORS [@DE72] DOES NOT PREVENT OPERATORS FROM LEAKING INFORMATION TO UNAUTHORISED PROCESSES. @THE PROBLEM OF PREVENTING PROCESES FROM CONSPIRING WITH DOMAINS (IN OUR CASE OPERATORS) FROM SPYING ON THE DATA BELONGING TO OTHER PROCESSES IS KNOWN AS THE CONFINEMENT PROBLEM [@LA73,@DE74]. @THE SUPPORT OF CONFINED SUBSYSTEMS IS COMPLICATED BY THE EXISTENCE OF 'COVERT CHANNELS' OF INFORMATION IN COMPUTER SYSTEMS. @FOR INSTANCE, AN OPERATOR EXECUTING ON BEHALF OF A GIVEN PROCESS CAN DISCLOSE PRIVATE INFORMATION TO A SPY PROCESS BY ENCODING IT IN TERMS OF THE EFFECTS OF ITS EXECUTION ON SYSTEM PERFORMANCE. @NOTE, HOWEVER, THAT THE LEAKAGE OF INFORMATION IS VERY DIFFERENT FROM THE DISTRIBUTION OF CAPABILITIES. @THE FORMER DOES NOT PROVIDE THE SPY WITH PERMISSION TO ACCESS AN OBJECT. @THE STUDY OF PRIVACY IN COMPUTER SYSTEMS IS BEYOND THE SCOPE OF THE PRESENT WORK. @ROTENBERG MAKES AN EXHAUSTIVE STUDY OF PRIVACY ISSUES FROM THE SOCIAL AND TECHNOLOGICAL STANDPOINTS [@RO73]. $P @NOTE THAT MEMORYLESS OPERATORS ARE NOT AS RESTRICTIVE AS IT WOULD APPEAR AT FIRST SIGHT. @THE REASON IS THAT THE VARIANT OBJECTS NEEDED BY THE OPERATOR TO PERFORM ITS FUNCTION CAN BE STORED WITHIN THE REPRESENTATION OF THE EXTENDED OPERANDS OF THE TYPE IT SUPPORTS. @THEREFORE, THE EQUIVALENT OF @ALGOL %OWN VARIABLES IS SUPPORTED BY THE TYPE EXTENSION MECHANISM. $P @FROM A DIFFERENT POINT OF VIEW, A SERIOUS PROBLEM ARISES IN CONNEXION WITH THE MAINTENANCE OF OPERATORS, DUE TO THE FACT THAT MODIFICATIONS OF AN OPERATOR'S @I-SEG ARE NOT POSSIBLE. @THEREFORE, IF MAJOR CHANGES BECOME INEVITABLE, THE OPERATOR MUST BE DESTROYED; IT WILL BE REPLACED BY A COMPLETELY NEW OBJECT. @NEVERTHELESS, THE CAPABILITIES FOR EXTENDED OPERATORS ARE IN FACT THE ABSOLUTE ADDRESSES OF INDEPENDENTLY COMPILED PROGRAMS. @AS A CONSEQUENCE, EVERY OPERATOR WHOSE @I-SEG CONTAINS A CAPABILITY FOR THE OPERATOR TO BE REPLACED MUST BE DESTROYED AND RECREATED. @THE RULE MUST BE APPLIED RECURSIVELY UNTIL EVERY POSSIBLE USER OF THE GUILTY OPERATOR IS UPDATED. @THIS EXPENSIVE PROCESS IS NEEDED EVEN WHEN THE BEHAVIOUR OF THE NEW OPERATOR AS OBSERVED FROM THE OUTSIDE WORLD IS IDENTICAL TO THAT OF THE ORIGINAL COPY. $P @A SCHEME FOR ENFORCING MEMORYLESS OPERATORS IS EXAMINED IN THE NEXT SECTION. $N $L1 C 3.5.- KERNEL TYPES AND OPERATORS. $P3 @THE PURPOSE OF THE PRESENT SECTION IS TO PRESENT THE SET OF OPERATORS SUPPLIED BY THE KERNEL IN ORDER TO CREATE AND MANIPULATE CAPABILITIES FOR OBJECTS OF BASIC AND EXTENDED TYPES. $P @THE SET OF BASIC TYPES OF OBJECTS SUPPLIED BY THE KERNEL MUST BE COMPLETE IN THE SENSE THAT IT MUST ALLOW THE CONSTRUCTION OF ANY OBJECT OF INTEREST FROM ARBITRARY GROUPINGS OF MEMBERS OF THE BASIC SET. $P @TWO TYPES ARE SUFFICIENT TO CONSTRUCT THE REPRESENTATIONS OF ANY TYPE OF LOGICAL RESOURCE: THE @N-SEG AND @C-SEG TYPES. @CONCRETE EXAMPLES ARE EXTENDED OPERATORS OF ANY TYPE AND THE PROCESS AND SEMAPHORE TYPES TO BE DISCUSSED IN CHAPTER 4. @FOR THIS REASON WE WILL ONLY DISCUSS KERNEL OPERATORS OF THOSE TWO TYPES. @THEY INCLUDE OPERATORS TO CREATE, ACCESS AND DESTROY OPERAND OBJECTS OF THE BASIC TYPES AS WELL AS THOSE OPERATORS NEEDED TO CREATE NEW TYPES, OPERATORS AND OPERANDS OF EXTENDED TYPES. $P @ADMITTEDLY, SOME EXTENDED TYPES ARE INDISPENSABLE SYSTEM COMPONENTS. @CONSEQUENTLY, IT MAY BE MORE APPROPRIATE TO REGARD THEM AS KERNEL TYPES. @NEVERTHELESS, THEY CAN BE DESCRIBED IN TERMS OF THE @C-SEG AND @N-SEG TYPES; HENCE, DEVIATIONS FROM THEIR CHARACTERISATIONS AS EXTENSIONS BUILT FROM THE BASIC TYPES CAN BE VIEWED AS IMPLEMENTATION SHORTCUTS. $P @THE USERS OF THE KERNEL MUST EMPLOY THE .INVOKE MECHANISM IN ORDER TO REQUEST OPERATIONS FROM THE KERNEL. @THEREFORE, THE OPERAND OF ANY KERNEL OPERATOR HAS TO BE A CAPABILITY FOR ONE OF THE TWO BASIC TYPES. @WHEN THE KERNEL OPERATOR IS ENTERED, IT WILL MANIPULATE THE ACTUAL STORAGE LOCATIONS, I. E. THE REPRESENTATION, OF THE SEGMENT WHOSE CAPABILITY WAS PRESENTED TO THE .INVOKE MECHANISM. @THUS, CONCEPTUALLY, EVERY KERNEL CALL IS OF THE FORM: $B0 $T2 .INVOKE ( .KERNEL .OPERATOR , .KERNEL OPERAND ) $B0 WHERE .KERNEL .OPERATOR AND .KERNEL .OPERAND ARE CAPABILITIES FOR OBJECTS OF EITHER THE @C-SEG OR THE @N-SEG TYPES; BOTH OBJECTS MUST BE OF THE SAME TYPE. @CAPABILITIES ARE FETCHED BY THE ADDRESSING MECHANISM FROM CAPABILITY DESIGNATORS OF THE FORM: $B0 $T2 CAPABILITY DESIGNATOR ::= S , C $B0 GENERATED BY THE PROGRAMS. @THE S COMPONENT IS USED TO SELECT BETWEEN THE @S-SEG, @I-SEG OR @P-SEG OF THE CURRENT OPERATOR AND C IS THE OFFSET, RELATIVE TO THE START OF THE SEGMENT SELECTED BY S, WHICH IDENTIFIES THE LOCATION OF THE CAPABILITY. @AN ADDITIONAL PARAMETER IS NEEDED BY CERTAIN INSTRUCTIONS: @THE DISPLACEMENT, RELATIVE TO THE START OF THE OPERAND, GIVING THE PARTICULAR SLOT (NORMAL OR CAPABILITY) WHICH THE OPERATOR WILL MANIPULATE. @THUS, A FULL PROGRAM ADDRESS TAKES THE FORM: $B0 $T2 PROGRAM ADDRESS ::= CAPABILITY DESIGNATOR , D $B0 WHERE D IS THE DISPLACEMENT MENTIONED ABOVE. $P @IN PRACTICE, .KERNEL .OPERATOR IS THE OP CODE OF A MACHINE INSTRUCTION. @IN OTHER WORDS, THE CAPABILITIES FOR THE KERNEL OPERATORS ARE NOT STORED IN THE @I-SEGS OF ANY OPERATOR. $P @FOR THE SAKE OF CLARITY WE WILL WRITE: $B0 $C+5 OPERATOR ( ARG1,ARG2, $.$.$. ,ARGN : P1,P2, $.$.$. ,PN ) $B0 WHERE ARG1, $.$.$. ARGN ARE SYMBOLIC NAMES FOR CONTIGUOUS LOCATIONS CONTAINED WITHIN THE UNIQUE ARGUMENT OF THE OPERATOR AND P1, $.$.$. PN ARE ADDITIONAL PARAMETERS PASSED TO THE OPERATOR. @IN THE CASE OF KERNEL OPERATORS, ALL ADDITIONAL PARAMETERS ARE NORMAL VALUES PASSED VIA THE PROCESSOR'S REGISTERS. @ACCORDING TO THE ABOVE NOTATION, $B0 $A INDENT=2 ARG1 = CAPABILITY DESIGNATOR , D $B0 ARG2 = CAPABILITY DESIGNATOR , D+1 $B0 $A INDENT=0 ETC. @EXCEPT FOR .LOAD, .STORE AND .FETCH .INSTRUCTION, ALL OPERATORS ARE OF TYPE @C-SEG. $P @NORMAL AND CAPABILITY SEGMENTS ARE CREATED BY MEANS OF THE OPERATORS: $B0 $T2 .CREATENSEG ( .NEW : SIZE ) $B0 $T2 .CREATECSEG ( .NEW : SIZE ) $B0 @THE KERNEL ALLOCATES STORAGE SPACE FOR THE REPRESENTATION OF THE CORRESPONDING OBJECT; CONSTRUCTS A NEW CAPABILITY ALLOWING ALL MODES OF ACCESS AND DEPOSITS IT INTO .NEW. @THE SCALAR 'SIZE' HAS THE OBVIOUS MEANING, THE VALUE WILL BE DEPOSITED BY THE KERNEL IN THE LENGTH FIELD OF THE NEW CAPABILITY. @BOTH OPERATORS EXERCISE WRITE ACCESS ON THEIR ARGUMENTS. @FROM THE EXCLUSIVE VIEWPOINT OF PROTECTION, THESE OPERATORS CAN BE PUBLICLY AVAILABLE. @IN PRACTICE, THEY ARE PERMITTED ONLY TO CERTAIN SYSTEM OPERATORS DUE TO THE FACT THAT THEY INVOLVE THE ALLOCATION OF SYSTEM RESOURCES; I. E., PRIMARY OR SECONDARY MEMORY. @THE PRECISE FORM OF THE CAPABILITIES FOR THE TWO KERNEL TYPES IS GIVEN IN FIGURE 3.5-1. @THE FIRST THREE ACCESS RIGHTS OF THE @N-SEG TYPE CORRESPOND TO THE USUAL OPERATORS: $V0 $A INDENT=2 LOAD ( .SLOT ) $B0 STORE ( .SLOT ) $B0 FETCH INSTRUCTION ( .SLOT ). $A INDENT=0 $B0 @THE DESTROY OPERATOR IS DISCUSSED BELOW. @IN THE CASE OF CAPABILITY SEGMENTS, THE FIRST TWO ACCESS RIGHTS ALLOW THE READING AND WRITING OF CAPABILITIES CONTAINED IN THE SEGMENT. @THE OPERATOR: $B0 $T2 READ CAPABILITY ( .SLOT ) $B0 PRODUCES A COPY OF THE CAPABILITY CONTAINED IN .SLOT AND STORES IT INTO THE EXECUTING OPERATOR'S @S-SEG. @THE $B0 $T2 WRITE CAPABILITY ( .SLOT ) $B0 OPERATOR PROVIDES THE INVERSE ACTION. @THE READING AND WRITING OF CAPABILITIES REQUIRES THAT THE DESTINATION SLOT BE INITIALLY EMPTY. @A CAPABILITY CAN BE ERASED FROM A @C-SEG BY MEANS OF THE OPERATOR: $B0 $T2 FORGET ( .SLOT ) $B0 WHICH STORES THE CAPABILITY FOR THE DISTINGUISHED OBJECT .NIL INTO .SLOT. @THE FORGET OPERATOR EXERCISES WRITE ACCESS. $P @THE USE ACCESS RIGHT IN THE CAPABILITY FOR A @C-SEG IS ANALOGOUS TO THE EXECUTE ACCESS OF NORMAL SEGMENTS. @CAPABILITIES CONTAINED IN A CAPABILITY SEGMENT ALLOWING USE-ONLY ACCESS CAN BE EXTRACTED FROM THE SEGMENT ONLY BY THE ADDRESSING MECHANISM. @NOTE THAT THE @S-SEG, @P-SEG AND @I-SEG ALWAYS ALLOW USE ACCESS. @READ ACCESS IMPLIES USE ACCESS. @THE REASON IS THAT A CAPABILITY WHICH CAN BE READ INTO THE @S-SEG CAN BE PRESENTED SUBSEQUENTLY TO THE .INVOKE MECHANISM. @THE NEED FOR THIS FORM OF ACCESS WILL BE DISCUSSED IN THE NEXT CHAPTER. $P @A NEW TYPE IS CREATED BY THE KERNEL OPERATOR: $B0 $T2 CREATE TYPE ( @T ) $B0 $V0 WHICH CONSTRUCTS A 'TYPE' CAPABILITY AND STORES IT INTO .T. @THE OPERATOR EXERCISES WRITE ACCESS. @THE FORM OF A TYPE CAPABILITY IS SHOWN IN FIGURE 3.5-2. @THE TYPE FIELD OF THE CAPABILITY CONTAINS THE DISTINGUISHED UNIQUE .ID 'TYPE'. @THE ADDRESS FIELD CONTAINS THE POINTER TO ( I. E. THE UNIQUE .ID OF) THE CAPABILITY FOR THE REPRESENTATION OF THE OBJECT OF TYPE 'TYPE'. @THIS UNIQUE .ID IS USED AS THE NEW, UNIQUE TYPE MARK. @IN FACT, THE UNIQUE .ID FIELD OF THE TYPE CAPABILITY COULD HAVE BEEN USED FOR THIS PURPOSE. @THE UTILITY OF THE ADDITIONAL CAPABILITY IS DISCUSSED BELOW, IN CONNEXION WITH THE DESTRUCTION OF TYPES. $P @THE TYPE CAPABILITY PROVIDES THE MEANS TO CONTROL THE CREATION OF NEW OBJECTS, OPERANDS AND OPERATORS, OF THE NEW TYPE. @THE POSSESSOR OF A TYPE CAPABILITY CAN CREATE A NEW OPERATOR FOR THAT TYPE USING THE KERNEL OPERATOR: $B0 $T2 CREATE OPERATOR ( @T , @I , @P , .NEW : AR , EP ) $B0 WHERE @T CONTAINS THE TYPE CAPABILITY AND THE CAPABILITIES FOR THE @I-SEG AND @P-SEG OF THE NEW OPERATOR ARE STORED IN @I AND .P. @THE SCALARS AR AND EP SPECIFY THE ACCESS RIGHTS AND ENTRY POINT OF THE CAPABILITY FOR THE NEW OPERATOR. @THE KERNEL CONSTRUCTS A NEW OPERATOR OF THE FORM SHOWN IN FIGURE 3.2-2 AND DEPOSITS THE NEWLY CREATED CAPABILITY IN .NEW. @THE OPERATION CAN BE SUCCESSFUL ONLY IF THE CAPABILITY CONTAINED IN @T PERMITS 'CREATE OPERATOR' ACCESS; IN ADDITION, THE KERNEL OPERATOR EXERCISES WRITE ACCESS ON ITS OPERAND. $V0 $P @IN ORDER TO ENFORCE THE RESTRICTIONS DISCUSSED IN SECTION 3.4, NAMELY MEMORYLESS OPERATORS, THE KERNEL MUST PERFORM AN EXHAUSTIVE SEARCH OF ALL THE BASIC OBJECTS REACHABLE THROUGH THE PROSPECTIVE @I-SEG AND VERIFY THE ABSENCE OF WRITEABLE CAPABILITY SEGMENTS. @IN FIGURE 3.5-3 WE DRAW A POSSIBLE @I-SEG IN ORDER TO ILLUSTRATE THE NEED FOR THIS EXPENSIVE SEARCH. @THE CAPABILITY MARKED '@C-SEG2' CAN BE READ BY THE OPERATOR, SINCE CAPABILITY '@C-SEG1' PERMITS READ ACCESS. @IF @C-SEG2 ALLOWED WRITE ACCESS, THE OPERATOR WOULD BE ABLE TO STORE ANY CAPABILITY WITHIN THE ACTUAL SEGMENT SHOWN IN THE RIGHTMOST PART OF THE FIGURE. $P @A SIMILAR ARGUMENT WOULD SHOW THAT EXTENDED OPERAND OBJECTS WHOSE CAPABILITIES ARE CONTAINED IN THE I-SEG COULD BE USED TO HIDE THE EXISTENCE OF CAPABILITY SEGMENTS ALLOWING WRITE ACCESS. $P @RECALL THAT THE ACCESS RIGHTS FIELD OF AN OBJECT IS STORED IN THE MAP ENTRY FOR THE OBJECT WHICH IS UNIQUE. @THEREFORE, THE KERNEL NEED NOT BE CONCERNED ABOUT WHETHER OR NOT THE CAPABILITY (I. E. THE UNIQUE .ID FIELD) CONTAINED WITHIN THE PROSPECTIVE @I-SEG IS UNIQUE. @THIS APPLICATION UNDERLINES THE ADVANTAGE OF ASSOCIATING THE COMPLETE CAPABILITY WITH THE REPRESENTATION OF THE OBJECT TO BE PROTECTED [@RE74] RATHER THAN WITH THE PROTECTION DOMAIN WHICH IS ENTITLED TO ACCESS THE OBJECT [@DE66,@WU74,@FE74,@LA76]. $P @WE WILL NOW DISCUSS TWO SCHEMES TO SUPPORT THE MODIFICATION OF EXTENDED OPERATORS AND YET RETAIN MOST OF THE SECURITY AFFORDED BY MEMORYLESS OPERATORS. $P @THE FIRST APPROACH CONSISTS OF A SPECIES OF LOAD-TIME CREATION OF EXTENDED OPERATORS; IT WAS MENTIONED IN CONNEXION WITH PARAMETER PASSING IN SECTION 2.3. @INSTEAD OF CREATING EXTENDED OPERATORS, USERS CONSTRUCT PROTECTED PROGRAM MODULES .(PPM). @A .PPM CONSISTS OF A @P-SEG AND A SEGMENT CONTAINING A SET OF SYMBOLIC NAMES WHICH CAN BE ASSOCIATED WITH CAPABILITIES FOR THE SET OF OBJECTS TO BE USED TO CONSTRUCT THE @I-SEG OF THE EXTENDED OPERATOR. @A SYSTEM OPERATOR, THE LOADER, IS IN CHARGE OF PERFORMING THE NECESSARY LINKING WHEN THE USER REQUESTS THE USE OF A .PPM AND HENCE THE CREATION OF AN EXTENDED OPERATOR. @OF COURSE, THE LOADER IS THE SOLE COMPONENT WHICH POSSESSES THE CAPABILITY FOR CREATE OPERATOR. @THE LOADER CAN ENFORCE ARBITRARY RESTRICTIONS ON THE CAPABILITIES USED TO CONSTRUCT THE @I-SEG. @FOR EXAMPLE, IT MAY REFUSE TO ACKNOWLEDGE THE REQUEST IF THOSE CAPABILITIES ARE CURRENTLY IN USE. $P @THE SECOND APPROACH INVOLVES THE CREATION OF TWO OBJECTS WHEN AN EXTENDED OPERATOR IS CREATED. @ONE OF THE NEW OBJECTS IS SIMPLY THE MEMORYLESS OPERATOR DESCRIBED ABOVE EXCEPT THAT THE @I-SEG ITSELF IS THE ONLY READ-WRITE ACCESSIBLE @C-SEG IN THE COMPLEX; THE KERNEL ONLY VERIFIES THAT THE CAPABILITY FOR THE @I-SEG BE UNIQUE. @THIS IS IMPLEMENTED EASILY BY PRODUCING A COPY OF THE @I-SEG AND DESTROYING THE ORIGINAL. @THE OTHER OBJECT IS AN EXTENDED OPERAND OF THE PRIVILEGED TYPE 'UPDATE'. @THE REPRESENTATION OF THE 'UPDATE' OBJECT CONTAINS THE ONLY COPY OF THE CAPABILITY FOR THE OPERATOR'S @I-SEG. (@THE OTHER COPY IS PART OF THE REPRESENTATION OF THE OPERATOR). @IN ADDITION, THE WRITE CAPABILITY OPERATOR IS DESIGNED IN SUCH A WAY THAT ITS OPERAND CANNOT REFER TO THE @I-SEG; HENCE, A PROCESS BOUND TO THE OPERATOR CANNOT MODIFY ITS STRUCTURE. @THEREAFTER, WHEN THE OWNER OF THE EXTENDED OPERATOR WISHES TO MODIFY ITS BEHAVIOUR, IT IS FORCED TO DO SO VIA AN INVOCATION OF THE SYTEM OPERATOR OF TYPE 'UPDATE'. @THUS, THE UPDATE OPERATOR CAN REFLECT ANY SYSTEM POLICY ABOUT THE MODIFICATION OF EXISTING OPERATORS. $P @THE ADVANTAGE OF THE SECOND SCHEME OVER THE FIRST IS THAT THE OVERHEAD WHICH IS NEEDED TO RETAIN BOTH FLEXIBILITY AND SECURITY COMES INTO PLAY ONLY WHEN NECESSARY. @OPERATORS ARE CREATED ONCE AND FOR ALL, JUST AS ANY OTHER SYSTEM OBJECT. @THE MAIN IMPLICATION IS THAT THE KERNEL OR OPERATING SYSTEM NEED NOT BE CONSTANTLY AWARE OF THE DIFFERENCE BETWEEN OBJECTS WHICH CONTROL THE ACTIVITIES OF PROCESSES AND OTHER OBJECTS. $P @IN VIEW OF THE COST OF IMPLEMENTING MEMORYLESS OPERATORS IT IS PERHAPS REASONABLE TO SUPPLY TWO VERSIONS OF CREATE OPERATOR, ONLY ONE OF WHICH ENFORCES THE NECESSARY RESTRICTIONS TO CREATE MEMORYLESS OPERATORS. NOTE, HOWEVER, THAT THE PARTIAL RELAXATION OF THE CONSTRAINT INTRODUCES A FURTHER COMPLICATION. @WHEN THE KERNEL CREATES A 'CERTIFIED' OPERATOR, IT MUST ALSO SCAN ALL THE OPERATORS WHICH CAN BE REACHED THROUGH CAPABILITIES CONTAINED IN THE NEW @I-SEG, BECAUSE THE @I-SEGS OF THOSE OPERATORS MIGHT BE VARIANT OBJECTS. @THE DIFFICULTY CAN BE AMELIORATED BY PLACING A SPECIAL MARK IN THE CAPABILITIES FOR CERTIFIED OPERATORS AND DISALLOWING NON-CERTIFIED OPERATORS IN THE @I-SEGS OF A NEW, CERTIFIED OPERATOR. $P @HEREAFTER, WE ASSUME THAT IN ORDER TO MODIFY AN EXTENDED OPERATOR IT IS NECESSARY TO OBEY A SERIES OF STRINGENT RULES ENFORCED BY AN 'UPDATE' SYSTEM OPERATOR AS OUTLINED ABOVE. @TO PUT IT IN ANOTHER WAY, THE ABILITY TO CREATE NON-CERTIFIED OPERATORS SHOULD BE AN EXCLUSIVE PRIVILEGE OF HIGHLY TRUSTED SYSTEM PROGRAMS. $P @THE CREATION OF EXTENDED OPERAND OBJECTS PROCEEDS IN THREE STAGES: @FIRST, THE REPRESENTATION FOR THE OPERAND IS CONSTRUCTED. @THIS RESULTS IN A SINGLE CAPABILITY. @THEN A CAPABILITY FOR A NEW OPERAND OF TYPE T IS CONSTRUCTED BY THE $B0 $T2 CREATE OPERAND ( @T , .NEW ) $B0 KERNEL OPERATOR. @LOCATION @T CONTAINS THE TYPE CAPABILITY FOR TYPE T; ITS ACCESS RIGHTS MUST PERMIT 'CREATE OPERAND' ACCESS MODE. @THE KERNEL CONSTRUCTS A NEW CAPABILITY OF TYPE T AND STORES IT IN .NEW. @THE LOCATION FIELD OF THE NEWLY CREATED CAPABILITY IS EMPTY; I. E. IT CONTAINS THE .NULL POINTER. @THE ASSOCIATION OF THE CAPABILITY FOR THE EXTENDED OPERAND WITH THE REPRESENTATION OF THE OBJECT IS ACHIEVED BY MEANS OF THE KERNEL OPERATOR: $B0 $T2 SEAL ( @T , .NEW , .REP ) $B0 @THE KERNEL VERIFIES THAT .NEW CONTAIN THE CAPABILITY FOR AN OBJECT OF TYPE T AND THAT THE LOCATION FIELD OF THE CAPABILITY BE EMPTY. @T MUST CONTAIN THE TYPE CAPABILITY FOR TYPE T AND THE CAPABILITY MUST ALLOW 'SEAL' ACCESS. @THE EFFECT OF THE OPERATOR IS TO STORE THE .ID FIELD CONTAINED IN @R INTO THE ADDRESS FIELD OF THE CAPABILITY FOR THE NEW EXTENDED OBJECT WHOSE CAPABILITY IS FOUND IN .NEW. $P @THE DESTRUCTION OF AN OBJECT OTHER THAN OBJECTS OF TYPE 'TYPE' (THE TYPE CAPABILITIES) IS REQUESTED VIA THE KERNEL OPERATOR: $B0 $T2 DESTROY ( .OBJ , @T ) $B0 WHERE @T CONTAINS THE CAPABILITY FOR TYPE T AND .OBJ CONTAINS THE CAPABILITY FOR THE OBJECT TO BE DESTROYED. @THE OPERATION SUCCEEDS ONLY IF THE OBJECT IS OF TYPE T AND THE 'DESTROY' ACCESS RIGHT IS PRESENT IN THE TYPE CAPABILITY. $P @THE EXECUTION OF THE DESTROY OPERATOR CAUSES THE KERNEL TO RECLAIM THE MAP ENTRY FOR THE CAPABILITY. @OBJECTS OF THE BASIC TYPES ARE TREATED AS A SPECIAL CASE SINCE THERE IS NO TYPE CAPABILITY FOR THOSE TYPES. @RECALL THAT THE RIGHT TO DESTROY OBJECTS OF THE BASIC TYPES IS CONTROLLED BY THE 'DESTROY' ACCESS BIT IN THE CAPABILITY FOR EVERY INSTANCE OF OBJECTS OF THOSE TYPES. @IN ADDITION, THE KERNEL MUST RECLAIM THE MEMORY RESOURCES OCCUPIED BY THE REPRESENTATION. @FOR EXTENDED OBJECTS, THE CAPABILITY FOR THE REPRESENTATION OF THE OBJECT IS RETURNED TO THE PROGRAM WHICH INVOKES THE KERNEL OPERATOR; IT IS STORED BY THE KERNEL IN LOCATION .OBJ. @THIS IS NEEDED BECAUSE, AS MENTIONED IN SECTION 2.6, THE DESTRUCTION OF THE CAPABILITY FOR AN EXTENDED OBJECT SHOULD BE FOLLOWED BY THE DESTRUCTION OF THE OBJECT'S REPRESENTATION THE STRUCTURE OF WHICH IS KNOWN ONLY TO THE INVENTOR OF THE EXTENDED TYPE. $P @TO DESTROY A TYPE IS CONSIDERABLY MORE COMPLEX, FOR IT IMPLIES THE DESTRUCTION OF EVERY OBJECT, OPERAND AND OPERATOR, OF THE TYPE IN QUESTION. @THE KERNEL OPERATOR: $B0 $T2 DESTROY TYPE ( .TYPE ) $B0 WHERE .TYPE CONTAINS THE TYPE CAPABILITY FOR THE TYPE TO BE DESTROYED SHOULD CAUSE THE DESTRUCTION OF EVERY OBJECT OF THE TYPE, SAY T. @AN EXHAUSTIVE SEARCH FOR ALL THE CAPABILITIES OF TYPE T IS A VERY EXPENSIVE IMPLEMENTATION OF THE OPERATOR. @A MORE ATTRACTIVE ALTERNATIVE IS TO MAKE EVERY OPERAND OBJECT OF TYPE T OBSOLETE BY DESTROYING EVERY OPERATOR OF TYPE T. @A SEARCH AMONGST ALL THE CAPABILITIES IN THE SYSTEM CAN BE AVOIDED BY DEFINING THE CAPABILITIES OF ALL THE OPERATORS OF TYPE T AS PART OF THE REPRESENTATION OF THE TYPE. @THIS IS THE REASON FOR EMPLOYNG A COMPLETE OBJECT AS THE REPRESENTATION OF AN EXTENDED OBJECT OF TYPE 'TYPE'. @THE REPRESENTATION OF A 'TYPE' OBJECT IS A @C-SEG; IT CONTAINS THE LIST OF CAPABILITIES FOR ALL THE OPERATORS OF TYPE T. @CONSEQUENTLY, THE ABOVE DESCRIPTION OF THE CREATION OF EXTENDED OPERATORS IS EXTENDED TO INCLUDE THE ADDITION OF THE CAPABILITY FOR THE NEW OPERATOR IN THE REPRESENTATION OF THE TYPE. $P @THE GARBAGE COLLECTOR IS IN CHARGE OF RECOVERING THE OBSOLETE CAPABILITIES. @THE IMPLEMENTATION IS STRAIGHTFORWARD SINCE THE TYPE MARK IN A CAPABILITY, I. E. THE VALUE OF THE CAPABILITY'S TYPE FIELD, IS ALSO THE UNIQUE .ID OF THE REPRESENTATION OF THE TYPE OBJECT FOR THE CORRESPONDING TYPE. @HENCE, THE GARBAGE COLLECTOR NEED ONLY TEST FOR THE EXISTENCE OF THE TYPE CAPABILITY FOR EVERY OPERAND OBJECT; IF THE TEST FAILS, THE OBJECT IS TREATED AS IF IT WERE INACCESSIBLE. $P @SEVERAL ADDITIONAL OPERATORS ARE NEEDED TO PROVIDE FUNCTIONS SUCH AS THE MODIFICATION OF THE SIZE OF AN EXISTING SEGMENT AND THE RETRIEVAL OF THE VARIOUS FIELDS OF A CAPABILITY TO ENABLE PROGRAMS TO TEST FOR THE NAME, TYPE, ETC. OF AN OBJECT. $E