[seL4] Re: Uses and description for seL4_CNode_Mutate?

On 23 Aug 2021, at 18:16, Branden Robinson wrote:

I'm glad you mentioned Rotate. Last I checked the only place it was used in any seL4 project was in the kernel's test suite.

Similar to Mutate ;-)

And it's good that it's there, since it is an exposed interface and absolutely should be tested, but the bad news is that we have no demonstrable use cases for it. When I asked around about it, there were some recollections that it was thought necessary, either for logical completeness or to avoid a wasteful context switch (much as seL4 has many more than just the "fundamental" three system calls[1], but also fused calls like ReplyRecv to cut down on round trips through the kernel). But I was unable to pin down anything authoritative enough to put in writing from the authorities available to me.

As far as I remember, the use case was (in a dynamic system) a CSpace manager for another thread T wanting to change a sub-space of T's CSpace. That is, replacing an existing CNode cap in T's space with another CNode cap, to a different (previously prepared) CNode. With Rotate you can do that while T is running, because the replacement is atomic within one syscall. Without Rotate, you need at least to Move operations, and in between those two operations, T might be looking up caps and fail because of it. We haven't built any larger such systems, so Rotate is definitely currently underused. The (remaining) use case for Mutate is to change the guard of an existing cap. My argument was that you can do this with Mint + Move, and this time there does not seem to be a scenario for atomicity. It has been pointed out on the RFC in the meantime that there is one thing that removal of Mutate would take away: after Mutate you can still revocably copy, after Mint + Move you cannot. Cheers, Gerwin