There are a few small features I would like to change about the Keykos kernel.
Lazy Loading of floating state
Perhaps the floating point state of a domain should be an option. Independently, perhaps domains should not run with access to the floating state unless floating commands are indeed encountered.
Optional General Keys Node
Current Keykos kernels provide a bit in the domain that prevents key invocations when set. It would have been cleaner to merely fault the domain when it attempts invocation with no general keys node, and not otherwise require a general keys node. The domain that obeys code designed for Unix may need no general keys node.
Shrink available state
This is perhaps not worthwhile, but it should be noted that only a few registers are needed as an available domain begins considering a new request. Conversely, when it returns, only those registers need be saved. I think we considered this on the 370 but it didn’t seem important. Which registers need be saved depends on the habits of the compiler you use to make the domain code. The registers that are not restored must be cleared of garbage and probably set to zero. This is not much less expensive than loading them, at least on the machines which have run Keykos.
Resume key overhaul
Two options that are logically independent but make sense to do together: I think this is both easier to code and easier to understand. Further, I can not now imagine why we didn’t think of doing it that way in the first place.
Blocking Send
Shap proposes that an exit block explicitly devote a bit to specifying whether, on key invocation, to tolerate being blocked by the logical state of the recipient. In the current design invoking a start key blocks the invoker until the domain is available whereas invoking a resume key is guaranteed to be prompt—i.e. require no actions beyond what the kernel can carry out. The returner was invented to give a program an easy way to guard against being blocked when invoking a key that should be a resume key. An exit block bit would be explicit and generally lighter weight. I would keep the returner; I like it. Presumably invocations of resume keys would block if the bit were not set, and start key invocations would be nullified if the bit were set and the invokee were not available. In general the invoker must not be notified of a discarded message, for it is a counter-flow signal. Shap’s version notified the sender and he has a use case that warrants this. More design is needed.
Limiting Process Count
We claim that all state is in pages and nodes and is thus swappable and checkpointed. The node conceptually includes a bit indicating that it has a process in it. This is a fiction. Upon checkpoint a list of the CDAs of nodes with a process is kept in a separate table which becomes part of the checkpoint. Between checkpoints the set of processes is just those members of a certain set of queues plus those occupying some CPU. Domains on these queues cannot be swapped as there is no mechanism to remember that there is a process in them. Theoretically this can lead to RAM exhaustion that cannot be relieved by swapping. It has not been a problem in practice. It can be exploited by a hostile program however—a DoS attack.

A solution that I thought of fairly recently would be to add an architected slot in the meter that serves as a limit on the number of processes below. It would be an up-down counter just as the CPU slot is a down counter. It would be cached just as the CPU counter is cached. Upon exhaustion, fork invocations would fail and the meter keeper would be invoked. See “meter” here.
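
A small C model of the proposed process-limit slot, added here as an illustration and not taken from any Keykos kernel. The names (struct meter, proc_slots, meter_fork, meter_exit) are hypothetical, caching of the counter is left out, and it assumes that a fork is charged to every meter on the chain above the domain and that the keeper invoked is that of the first exhausted meter found.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of the proposed meter slot; not Keykos kernel code. */
struct meter {
    struct meter *superior; /* next meter up the chain, NULL at the top */
    long proc_slots;        /* up-down counter: processes still allowed below */
    int keeper_calls;       /* stands in for invoking this meter's keeper */
};

/* Charge one process to every meter above a forking domain.
 * Returns NULL on success, or the exhausted meter that refused the fork.
 * Check first, then commit, so a refused fork charges nothing. */
struct meter *meter_fork(struct meter *m)
{
    struct meter *p;
    for (p = m; p != NULL; p = p->superior)
        if (p->proc_slots <= 0) {
            p->keeper_calls++;   /* assumption: keeper of the exhausted meter */
            return p;
        }
    for (p = m; p != NULL; p = p->superior)
        p->proc_slots--;
    return NULL;
}

/* A process below m has ended: count back up along the same chain. */
void meter_exit(struct meter *m)
{
    for (; m != NULL; m = m->superior)
        m->proc_slots++;
}

/* Constructed scenario: a subtree capped at 2 under a top meter capped at 3. */
int forks_granted(int attempts)
{
    struct meter top = { NULL, 3, 0 };
    struct meter sub = { &top, 2, 0 };
    int granted = 0;
    for (int i = 0; i < attempts; i++)
        if (meter_fork(&sub) == NULL)
            granted++;
    return granted;
}

int main(void)
{
    printf("100 fork attempts, %d granted\n", forks_granted(100));
    return 0;
}
```

In this model a hostile subtree can pin at most its own quota of unswappable processes, however many forks it attempts, and a sibling subtree is refused only when the shared superior meter is itself exhausted.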

This might solve another problem too; a covert signal receiver might use two real CPUs to time signals. This limit could limit hostile receivers to just one CPU. This is queasy as it presumes that you can identify potentially hostile receivers.

Pushback
Objects implemented in the kernel have the option of pretending that they did not hear an order until such time that it is possible to obey the order. The orderer can be put on a kernel queue. Domain implemented objects could use this too. See Shap’s proposal and resulting mail. See too a later thread.