comp.lang.ada
From: "Brian Catlin" <briancatlin@mindspring.com>
Subject: Re: Ada OS Kernel features
Date: Wed, 5 Sep 2001 13:18:51 -0700
Date: 2001-09-05T20:20:00+00:00
Message-ID: <9n61dg$h3k$1@slb5.atl.mindspring.net>
In-Reply-To: 3%ul7.3362$9z1.440040@news6-win.server.ntlworld.com

"chris.danx" <chris.danx@ntlworld.com> wrote in message
news:3%ul7.3362$9z1.440040@news6-win.server.ntlworld.com...
>
> > > You should be able to "overload" a driver. What do I mean?  Let's assume
> > > you have a simple graphics driver on bootup, then you load a "better"
> > > (more complex, higher resolution, 3D accelerator ...) one. If this one
> > > crashes, then it should simply be unloaded and the system should
> > > continue to work with the (simple) default driver - instead of showing a
> > > "blue screen" ;-)
> >
> > My first reaction to this was "Not Possible".  However, that isn't
> > entirely true; it is just *VERY VERY* difficult.
>
> Only in the "drivers in supervisor mode" model.
>
> > A driver runs in kernel mode,
>
> Why?  Why not just have it in user mode?  It makes more sense to have them
> in user mode, at least to me.  They can only corrupt themselves then, etc.
>
> > and has access to system data structures.
>
> Why should it?  In your model a driver can screw a system up good and
> proper, but if you put the driver in user mode then the associated problems
> go away.  New ones do crop up, but there are ways and means to deal with them.

 This has been well studied and the reasons will show up in just about any
search of the relevant literature (in case my explanation does not make sense,
or is not complete enough for you).  A driver typically runs in two contexts,
the context of the requesting process, because it needs to access the user's
buffers, and "system" context (strictly, arbitrary process context) where the
driver does not need access to the requesting process' address space.  If a
driver is running in its own process, how can it gain efficient access to the
requesting process' buffers?  Also, drivers spend most of their time running at
elevated IPL (interrupt priority level), which can only be done in kernel mode.

 It is possible to build a general purpose operating system as you suggest, but
the performance would suck.  You would lose a lot of time doing translation
buffer invalidates and switching between modes.

> > If a driver corrupts a system data structure, how do you detect this,
> > repair it, and continue?
>
> I really don't get why a driver must have access to system structures or
> at least those in kernel space, can you explain this?

 A driver needs to access privileged APIs and data structures in the normal
course of its work; for example, mapping DMA transfers, sending I/O requests to
other drivers, etc.  These APIs and data structures are specifically put in
kernel mode to prevent users from accessing them.

 -Brian
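
The trade-off argued in this message, as an added example that is not part of the original post: a POSIX C sketch in which a "better" driver runs in its own user-mode process, so a crash takes down only that process and the caller falls back to a simple default driver, while every request pays for two cross-process copies and the associated mode switches. The driver functions, the `handle_request` name and the crash trigger (a leading `!`) are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_REQ 64
enum served_by { SERVED_NONE, SERVED_BETTER, SERVED_DEFAULT };

/* Hypothetical "better" driver, run in its own user-mode process. It
   uppercases the request; a constructed bug makes it fault on a leading '!'. */
static void better_driver(int fd) {
    char buf[MAX_REQ];
    ssize_t n = read(fd, buf, sizeof buf);   /* copy 1: request crosses processes */
    if (n <= 0) _exit(1);
    if (buf[0] == '!') abort();              /* the crash: kills only this process */
    for (ssize_t i = 0; i < n; i++)
        if (buf[i] >= 'a' && buf[i] <= 'z') buf[i] -= 32;
    _exit(write(fd, buf, (size_t)n) == n ? 0 : 1);  /* copy 2: reply crosses back */
}

/* Hypothetical simple default driver: in-process, passes data through unchanged. */
static void default_driver(const char *req, size_t n, char *out) { memcpy(out, req, n); }

/* Try the isolated driver first; if it died or misbehaved, fall back. */
enum served_by handle_request(const char *req, size_t n, char *out) {
    int sv[2], status = 0;
    if (n == 0 || n > MAX_REQ || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return SERVED_NONE;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return SERVED_NONE; }
    if (pid == 0) { close(sv[0]); better_driver(sv[1]); }
    close(sv[1]);
    ssize_t got = -1;
    if (write(sv[0], req, n) == (ssize_t)n) got = read(sv[0], out, n);
    close(sv[0]);
    waitpid(pid, &status, 0);                /* reap the driver, learn how it ended */
    if (got == (ssize_t)n && WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return SERVED_BETTER;
    default_driver(req, n, out);             /* system keeps running on the simple driver */
    return SERVED_DEFAULT;
}

int main(void) {
    char ok[MAX_REQ + 1] = {0}, bad[MAX_REQ + 1] = {0};
    enum served_by a = handle_request("hello", 5, ok);   /* constructed inputs */
    enum served_by b = handle_request("!boom", 5, bad);
    printf("%d %s\n%d %s\n", a, ok, b, bad);
    return 0;
}
```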