From: dmitry@elros.cbb-automation.de (Dmitry Kazakov)
Newsgroups: comp.lang.ada
Subject: Re: Ada OS Kernel features
Date: Fri, 07 Sep 2001 08:13:17 GMT
Message-ID: <3b988016.2692359@news.cis.dfn.de>
References: <9n4euv$t9m$1@slb6.atl.mindspring.net> <3B964C7A.BC04374E@icn.siemens.de> <9n5o9n$37a$1@slb7.atl.mindspring.net> <3B977D35.B3B7581B@icn.siemens.de>

On Thu, 06 Sep 2001 15:42:13 +0200, Alfred Hilscher wrote:

>I don't think that every driver _must_ have write access to system
>internal data. A graphics driver, for example, does not need to write to
>the process table (please correct me if I'm wrong). If there are drivers
>that need to do so, they should not access these data structures
>directly, but via access procedures (which could do checks). And even if
>a driver corrupts system-internal data, then hopefully that data belongs only
>to one process and not to the inner kernel. In this case I think it
>would be more acceptable to kill one process instead of killing the
>whole system.
>
>So if there are a few drivers where this can not be done, then do it for
>the rest. 50% failure tolerance is even better than 0%.
I believe it is a goal of new OO OS design to get rid of the all-or-nothing strategy. A driver should have access to only the system objects it should. No more and no less. An unhandled exception in the driver should be caught and handled by the driver's "owner". If this handling means "to kill a process", fine.

Regards,
Dmitry Kazakov
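The two points above (access to kernel data only through checking accessor procedures, and the driver's owner catching an unhandled exception and killing just that driver's process) sketched as a small Ada program. This is an added illustration, not code from the thread or from any Ada kernel; the process table, the `Driver_Capability` record, the `Access_Violation` exception and the driver procedures are all hypothetical stand-ins for whatever a real kernel would use.

```ada
-- Constructed illustration (not from the thread): a driver never sees the
-- kernel's process table. It is handed a narrow capability plus accessor
-- procedures that check each request, and its owner handles any exception
-- it fails to handle by terminating only that driver's process.

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Driver_Isolation is

   -- Hypothetical process table, private to this scope.
   type Process_Id    is range 0 .. 7;
   type Process_State is (Free, Running, Killed);
   Table : array (Process_Id) of Process_State := (others => Free);

   Access_Violation : exception;

   -- The only thing a driver is given: the one process it may act on.
   type Driver_Capability is record
      Owner : Process_Id;
   end record;

   -- Accessor procedure: validates the request before touching the table.
   procedure Set_State (Cap    : Driver_Capability;
                        Target : Process_Id;
                        S      : Process_State) is
   begin
      if Target /= Cap.Owner then
         raise Access_Violation
           with "driver touched process" & Process_Id'Image (Target);
      end if;
      Table (Target) := S;
   end Set_State;

   -- A well-behaved driver: only acts on the process it owns.
   procedure Good_Driver (Cap : Driver_Capability) is
   begin
      Set_State (Cap, Cap.Owner, Running);
   end Good_Driver;

   -- A misbehaving driver: writes another process's entry.
   procedure Bad_Driver (Cap : Driver_Capability) is
   begin
      Set_State (Cap, Cap.Owner, Running);
      Set_State (Cap, Cap.Owner + 1, Killed);   -- not its object
   end Bad_Driver;

   -- The owner runs the driver. An exception the driver did not handle
   -- ends up here, and the owner kills only that driver's process.
   procedure Run_Under_Owner
     (Name : String;
      Cap  : Driver_Capability;
      Drv  : access procedure (C : Driver_Capability)) is
   begin
      Drv (Cap);
      Put_Line (Name & ": completed normally");
   exception
      when E : others =>
         Put_Line (Name & ": " & Exception_Message (E)
                   & "; killing process" & Process_Id'Image (Cap.Owner));
         Table (Cap.Owner) := Killed;
   end Run_Under_Owner;

begin
   Run_Under_Owner ("graphics", (Owner => 1), Good_Driver'Access);
   Run_Under_Owner ("flaky",    (Owner => 2), Bad_Driver'Access);

   -- Only process 2 is Killed; every other entry is unaffected.
   for P in Process_Id loop
      Put_Line ("process" & Process_Id'Image (P) & ": "
                & Process_State'Image (Table (P)));
   end loop;
end Driver_Isolation;
```

The check lives in `Set_State`, not in the driver, so a driver that is buggy or hostile still cannot reach another process's entry; the worst it can do is raise, and the owner decides what that costs. A real kernel would of course need the table protected against concurrent access and would hand out capabilities from a trusted component rather than letting the caller build one.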