Open nwf opened 1 month ago
I misunderstood David's comment about revocation. Zero-permission capabilities could be used as liveness indicators of revocable objects.
To expand slightly: You can give another compartment a zero-permission capability to an object. The target compartment can then use cgettag to observe whether the object has been freed. This may be useful for watchdogs and other similar things.
Working on a paper about CHERI C semantics has made me recall (again) how annoying certain degenerate forms of capabilities are. Specifically, at present, we can encode tagged capabilities with zero length and/or zero permissions. These tokens are architecturally useless, useful to software only in likely confusing ways, and complicate nice stories about revocation in particular. Can we get rid of them?
Perhaps tagged-and-zero-permission is a useful indicator of "this has been revoked", but we don't use it for that now and I think our semanticist friends would prefer that revocation sticks to its current behavior of tag-clearing (but I may be misunderstanding their position). Perhaps it should also clobber some bits of the data portion, to ensure that we do not introduce non-pointer data type confusion in software doing clever things with union types.
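The liveness-indicator idea and the revocation discussion above can be made concrete with a small model. The following is an added example, not CHERI hardware semantics and not code from the CHERI project: a toy allocator whose revoker sweeps every capability it can see, with two selectable revocation policies (clear the tag, or zero the permissions). The names `Cap`, `Heap`, `candperm`, `cgettag`, `watchdog_probe` and the permission bits are constructed for the model. It shows that a tagged zero-permission capability faults on every access yet still reports liveness through its tag, and that this only works when revocation clears the tag: if revocation instead zeroed permissions, a revoked probe would be indistinguishable from a live one.

```python
"""Constructed toy model of CHERI-style capabilities (not the architecture's
semantics, not project code).  It illustrates two points from the issue:
a tagged zero-permission capability can act as a liveness probe for a
revocable allocation, and that use depends on revocation clearing tags
rather than marking revoked capabilities by zeroing their permissions."""

PERM_LOAD = 1 << 0
PERM_STORE = 1 << 1
PERM_ALL = PERM_LOAD | PERM_STORE


class CapFault(Exception):
    """Raised when a memory access through a capability is rejected."""


class Cap:
    """A capability: bounds, permissions and a validity tag (model only)."""

    def __init__(self, base, length, perms, tag=True):
        self.base, self.length, self.perms, self.tag = base, length, perms, tag

    def cgettag(self):
        """Model of cgettag: report the validity tag, nothing else."""
        return self.tag


class Heap:
    """Allocator plus a revoker that sweeps all capabilities it knows about."""

    def __init__(self, revoke_policy="clear_tag"):
        assert revoke_policy in ("clear_tag", "zero_perms")
        self.policy = revoke_policy
        self.mem = bytearray(64)
        self.next = 0
        self.caps = []  # every capability in registers/memory (what the sweep scans)

    def malloc(self, n):
        cap = Cap(self.next, n, PERM_ALL)
        self.next += n
        self.caps.append(cap)
        return cap

    def candperm(self, cap, mask):
        """Model of CAndPerm: derive a copy whose permissions are only reduced."""
        new = Cap(cap.base, cap.length, cap.perms & mask, cap.tag)
        self.caps.append(new)
        return new

    def free(self, cap):
        """Free and immediately revoke every capability into the freed region."""
        lo, hi = cap.base, cap.base + cap.length
        for c in self.caps:
            if c.tag and c.base < hi and c.base + c.length > lo:
                if self.policy == "clear_tag":
                    c.tag = False      # the behaviour the issue says revocation has today
                else:
                    c.perms = 0        # the hypothetical "tagged-and-zero-perm means revoked"

    def load(self, cap, offset):
        """Checked load: tag, then permission, then bounds."""
        if not cap.tag:
            raise CapFault("tag violation")
        if not cap.perms & PERM_LOAD:
            raise CapFault("permission violation")
        if not 0 <= offset < cap.length:
            raise CapFault("bounds violation")
        return self.mem[cap.base + offset]


def load_fault_reason(heap, cap, offset=0):
    """Attempt a load and return the fault reason, or None if it succeeds."""
    try:
        heap.load(cap, offset)
    except CapFault as e:
        return str(e)
    return None


def watchdog_probe(heap, obj):
    """Zero-permission capability handed to another compartment as a liveness probe."""
    return heap.candperm(obj, 0)


def run_scenario(policy):
    """Returns (probe tagged before free, probe load faults,
    probe tagged after free, free is observable via the tag)."""
    heap = Heap(policy)
    obj = heap.malloc(16)
    probe = watchdog_probe(heap, obj)
    alive_before = probe.cgettag()
    faults = load_fault_reason(heap, probe) is not None
    heap.free(obj)
    alive_after = probe.cgettag()
    return alive_before, faults, alive_after, alive_before != alive_after


def freed_object_fault(policy):
    """Fault reason when the original owner touches its object after free."""
    heap = Heap(policy)
    obj = heap.malloc(8)
    heap.free(obj)
    return load_fault_reason(heap, obj)


def zero_length_state():
    """A tagged zero-length capability: valid tag, but no byte is accessible."""
    heap = Heap()
    degenerate = heap.malloc(0)
    return degenerate.cgettag(), load_fault_reason(heap, degenerate)


if __name__ == "__main__":
    print("clear_tag :", run_scenario("clear_tag"))    # (True, True, False, True)
    print("zero_perms:", run_scenario("zero_perms"))   # (True, True, True, False)
    print("zero-length cap:", zero_length_state())     # (True, 'bounds violation')
```

Under `clear_tag` the watchdog's probe goes from tagged to untagged when the object is freed, so `cgettag` is a usable liveness signal even though the probe can never be dereferenced. Under `zero_perms` the probe was already tagged with zero permissions while the object was live, so revocation changes nothing observable to the holder; this is the tension between using zero-permission capabilities as a "revoked" marker and using them as liveness indicators.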