We present a capability format which improves upon prior capability formats by simultaneously providing four key features. First, address and bounds information are embedded directly in the capability representation. Second, a capability may point to an arbitrary word in its segment. Third, internal fragmentation due to segment/object size mismatch is less than 6%; with a simple, high-locality allocation scheme, total fragmentation is less than 12%. Fourth, objects of 32 or fewer words, e.g. most class instances in object-oriented systems, may be allocated with no fragmentation and will thus have precise hardware bounds-checking. These features make it entirely practical to use a capability-guarded segment per allocated object, thus ensuring robust inter- and intra-program memory protection. Additionally, we describe the implementation and application of increment-only pointers, which enable precise hardware-only bounds-checking for Java-style objects/arrays. Finally, we also demonstrate how to generate capabilities for sub-segments from which the enclosing segment can be recovered by system routines.
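The following C program is an added illustration, not code from the paper and not its bit-level encoding: it models a capability as a self-describing base/bounds/cursor record so the properties the abstract lists can be exercised in software. Every load and store is checked against the capability's own bounds, the cursor may be moved to any word of the segment, an increment-only capability refuses to move backwards (the property that makes forward array iteration checkable by the hardware alone), and a sub-segment capability keeps enough information for a system routine to recover the enclosing segment. The struct layout, function names and the one-past-the-end cursor rule are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative capability model (an assumption for this example; the paper's
 * compact encoding is not reproduced). The capability carries its own base and
 * bounds plus a cursor that may point to any word of the segment. */
typedef struct {
    uint64_t *base;      /* first word of the guarded segment */
    size_t    len;       /* segment length in words */
    size_t    off;       /* cursor: word offset within the segment */
    bool      inc_only;  /* increment-only pointer: cursor may never move backwards */
    uint64_t *encl_base; /* enclosing segment, kept for sub-segment capabilities */
    size_t    encl_len;
} cap_t;

cap_t cap_make(uint64_t *seg, size_t len_words, bool inc_only) {
    cap_t c = { seg, len_words, 0, inc_only, seg, len_words };
    return c;
}

/* Move the cursor by a signed delta. The cursor may rest one past the end
 * (off == len) so loops terminate naturally, but it can never leave the
 * segment, and an increment-only capability rejects every negative delta. */
bool cap_move(cap_t *c, long delta) {
    if (c->inc_only && delta < 0) return false;
    long target = (long)c->off + delta;
    if (target < 0 || (size_t)target > c->len) return false;
    c->off = (size_t)target;
    return true;
}

/* Loads and stores are checked against the capability itself, so an
 * out-of-segment access is refused instead of silently touching neighbours. */
bool cap_load(const cap_t *c, uint64_t *out) {
    if (c->off >= c->len) return false;
    *out = c->base[c->off];
    return true;
}

bool cap_store(cap_t *c, uint64_t v) {
    if (c->off >= c->len) return false;
    c->base[c->off] = v;
    return true;
}

/* Derive a capability for the sub-segment [start, start+len) of c's segment,
 * remembering the enclosing segment so a system routine can recover it. */
bool cap_subseg(const cap_t *c, size_t start, size_t len, cap_t *out) {
    if (start > c->len || len > c->len - start) return false;
    *out = cap_make(c->base + start, len, c->inc_only);
    out->encl_base = c->encl_base;
    out->encl_len  = c->encl_len;
    return true;
}

/* System-routine view: recover the enclosing segment from a sub-segment cap. */
cap_t cap_enclosing(const cap_t *sub) {
    return cap_make(sub->encl_base, sub->encl_len, false);
}

/* Walk a constructed 5-word segment with an increment-only capability, run
 * past its end, then try to step back. Returns the sum of the in-bounds words
 * and counts every refused operation. */
uint64_t demo_walk(size_t *rejected) {
    uint64_t seg[5] = {1, 2, 3, 4, 5};          /* constructed sample data */
    cap_t c = cap_make(seg, 5, true);
    uint64_t sum = 0;
    size_t rej = 0;
    for (int i = 0; i < 7; i++) {                /* two iterations too many on purpose */
        uint64_t v;
        if (cap_load(&c, &v)) sum += v; else rej++;
        if (!cap_move(&c, 1)) rej++;
    }
    if (!cap_move(&c, -1)) rej++;                /* decrement refused: increment-only */
    *rejected = rej;
    return sum;
}

/* A 3-word window at offset 2 of an 8-word segment may only touch its own
 * words, yet the enclosing segment remains recoverable. Returns the recovered
 * enclosing length (0 on failure) and counts refused operations. */
size_t demo_subseg(size_t *rejected) {
    uint64_t seg[8] = {0};
    cap_t whole = cap_make(seg, 8, false);
    cap_t sub;
    if (!cap_subseg(&whole, 2, 3, &sub)) return 0;
    size_t rej = 0;
    cap_move(&sub, 2);                           /* cursor at seg[4], inside the window */
    if (!cap_store(&sub, 42)) rej++;
    if (!cap_move(&sub, 1)) rej++;               /* one past end: allowed */
    if (!cap_store(&sub, 99)) rej++;             /* refused: would write seg[5] */
    if (!cap_move(&sub, 1)) rej++;               /* refused: beyond one past end */
    *rejected = rej;
    cap_t encl = cap_enclosing(&sub);
    return (seg[4] == 42 && seg[5] == 0) ? encl.len : 0;
}

int main(void) {
    size_t rej;
    printf("walk: sum=%llu refused=%zu\n", (unsigned long long)demo_walk(&rej), rej);
    printf("subseg: enclosing len=%zu refused=%zu\n", demo_subseg(&rej), rej);
    return 0;
}
```

The point of the model is that the check needs nothing beyond the capability itself: no side table, no allocator metadata, so the hardware (here, `cap_load`/`cap_store`) can refuse an out-of-bounds access on its own. A real encoding has to fit base, bounds and cursor into one word-sized representation, which is where the fragmentation figures in the abstract come from.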