Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!mailrus!cornell!trumpet!mshappe
From: mshappe@trumpet.cit.cornell.edu
Newsgroups: comp.sys.mac.system
Subject: Re: Protected-mode snake oil
Message-ID: <1990Aug10.150722.16958@trumpet.cit.cornell.edu>
Date: 10 Aug 90 15:07:22 GMT
References: <1204.26c2fb48@waikato.ac.nz>
Organization: Cornell Information Technologies, Workstation Resources, Ithaca, NY
Lines: 122

In <1204.26c2fb48@waikato.ac.nz> ccc_ldo@waikato.ac.nz (Lawrence D'Oliveiro, Waikato University) writes:

}Frankly, I'm a little skeptical. As a regular user of both a Mac and
}a VAX/VMS cluster, I'd have to say that the relative frequency of
}crashes of the two systems, leaving aside the times I crash either
}one while debugging my own software, is something in the region of
}10:1. That is, it's not as much as 100:1.
}
}Now, if it were 100:1, you could claim that a protected system is
}truly wonderful, and would effect a great improvement in the reliability
}of the system. But 10:1 is probably comparable to the ratio of crashes
}that you would get between different Mac users running different
}applications, or using the same applications in different ways.
...
}
}In other words, I don't think protected mode is worth it.
}Even if you disagree with my numbers (feel free to come up with ones
}with some real evidence behind them, by all means), there are more
}fundamental problems.

Whew. I don't disagree with your numbers. You're probably correct--a more-or-less stable Mac system (i.e. one with a limited number of INITs, and those tried and tested) is not all that liable to crash. I disagree, however, with your characterization that this makes it not worth the effort of putting protected mode in.
As a Unix-universe hacker as well as a Mac enthusiast, I can tell you that working with a system with the kernel running separately is an incredible boon--especially when a reboot of a large system like Unix (or even an INIT-heavy Mac system) can take several minutes--minutes lost to productivity. Not to mention the fact that a crash that takes out everything is likely to scramble disk and data if the timing is wrong...

}Consider a couple of Mac applications that I have installed on
}my machine right now: After Dark and Adobe Type Manager. In a
}protected system, would they be ordinary user-mode code, or would
}they need to run in privileged mode? If they can run in user mode
}without any special privileges, then any other user-level code
}could use the same hooks, run amok, and render my screen display
}totally unusable. The kernel may still be running undamaged, but
}as far as I'm concerned, my system has crashed.

In answer to the primary question--I would say that any system "patch" such as ATM or After Dark--that is, anything with an INIT 31 in it--would become a part of the kernel and therefore run in protected/privileged mode. The reason for this is that they affect the ENTIRE system--not just one application. They are part of the "global environment", if you will, just as the OS and Toolbox are. If they ran as just another process--even one that other apps could get at (and with IAC, that would not be all that difficult)--then a crash of one of those processes would, as you have already said, hook into them and crash the screen. Background processes would run on, but the user interface would be useless, and ultimately, you'd have to reboot anyway.

}On the other hand, if these two applications would need to run
}privileged, then I would argue that a significant number of other
}applications out there would also have reason to run privileged.
}What good is a protection system with lots of exceptions to it?

But are they exceptions?
INITs, cdevs, rdevs, and the like are really a part of the system, once they run, even now. They are hooks and patches into and over what the OS and Toolbox normally do. For example, the WDEF INIT/cdev (not to be confused with the virus of the same name) patches the WDEF resource of the System, such that EVERY window that is opened in a MacStandard manner will adopt the "new" look (controlled by the cdev), rather than the MacStandard look. Why should this not run protected, then, when it is essentially becoming a part of the Toolbox?

}Our VAXcluster runs several applications requiring some level
}of privilege. For example, the TCP/IP product that we use,
}called Multinet, loads itself into system memory as an extension
}to the VMS kernel (analogous to TSRs under DOS, or INITs on the
}Mac). A couple of months ago it hung; the rest of VMS kept running,
}but all TCP/IP services became unusable. The only way to clear
}the problem was to restart the system, which would have annoyed
}about 100 people who were trying to use the machine at the time.

But a program such as this HAS to run in protected mode on a machine that supports such things in order to run properly. It is, as you said, a part of the kernel, once it's loaded (in much the same way that MacTCP can be considered part of the system once it's loaded). On a single-mode system like a Mac, a crash of the TCP drivers would have CRASHED THE MACHINE--and your 100 users would be VERY annoyed. At least in your case, a sysadmin can send a message announcing that the machine needs to be rebooted in 20 minutes, so please save your work--because it was protected. If everything ran at the same level, a lot of people would have LOST THEIR WORK because of such a crash.
(And yes, in the case of MacTCP bombing, I speak from experience.)

}In short, the protection system on a typical multi-user machine
}is there to protect users from one another; it affords *some*
}protection to users against bugs in programs, but it would appear
}that the commercial software for the big machines is just as
}unreliable as the products for the little beasties we all know and love.

Granted. Which is exactly an argument for protection. It doesn't just protect USERS from one another, but PROCESSES. Under MultiFinder (which will become the One and Only Way under System Seven), every app you launch is analogous to a UNIX or VMS process. Without protection, if any one of those processes crashes, you run the risk of the entire machine going Boom (true--it doesn't always happen. I would say a simple "Application Foobar Unexpectedly Quit (2)" is as frequent as a system crash). With protection, this would not occur. As MultiFinder becomes more and more a part of the Mac user's life, process protection will become vital to the stability of even a single user's environment.

Or, at least, so I believe :-)

}Lawrence D'Oliveiro                       fone: +64-71-562-889
}Computer Services Dept                     fax: +64-71-384-066
}University of Waikato            electric mail: ldo@waikato.ac.nz
}Hamilton, New Zealand    37^ 47' 26" S, 175^ 19' 7" E, GMT+12:00
}The meek shall inherit the Earth--if that's OK with the rest of you chaps.
-- 
Mike Shappe (Uncle Mikey)
Cornell Office of Information Technologies
mshappe@{heights,oitnext}.cit.cornell.edu, mshappe@biar.uucp, mikey@amnesia.uucp
"And so it goes, And so it goes. And so will you soon, I suppose" -- B. Joel
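The process protection argued for in the post above, shown as an added example that is not part of Mike Shappe's article, of the thread, or of any Apple or DEC code: on a system where every process has its own address space, a wild store in one process is trapped by the MMU and the kernel kills only that process; the others, and the kernel itself, carry on. The parent below forks a child that deliberately writes through a null pointer after scribbling on a copy of the parent's state; the parent observes the child's death signal and finds its own state untouched. On a single-address-space machine like the 1990 Mac the same store could land anywhere in system memory. The names `run_isolated`, `crash_signal`, `parent_state_after_crash`, `parent_state` and `bad_ptr` are constructed for this illustration and assume only POSIX `fork`/`waitpid` (Linux, BSD, macOS).

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed "global environment" state. After fork() the child gets its
 * own copy-on-write copy, so nothing it does can reach the parent's copy. */
static int parent_state = 1;

/* A pointer to unmapped memory. The pointer variable itself is volatile so
 * the compiler must really emit the load and the store through it. */
static int *volatile bad_ptr = NULL;

/* Run fn in a forked child (its own address space). Return the signal that
 * killed the child, 0 if it exited normally, -1 if fork/waitpid failed. */
static int run_isolated(void (*fn)(void))
{
    fflush(NULL);                 /* don't let the child inherit unflushed output */
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: a deliberate crash is expected, so suppress core dumps. */
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);
        fn();
        _exit(0);                 /* reached only if fn() did not fault */
    }

    /* Parent: the kernel reports the child's fate; we are not affected. */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return 0;
}

/* The misbehaving "application": corrupts state, then touches an unmapped page. */
static void faulting_task(void)
{
    parent_state = 999;           /* changes only the child's private copy */
    *bad_ptr = 42;                /* MMU trap -> SIGSEGV delivered to the child only */
}

/* Signal that terminated the faulting child (SIGSEGV on Linux/BSD/macOS). */
int crash_signal(void)
{
    return run_isolated(faulting_task);
}

/* Parent's view of its state after the child crashed: still the original 1. */
int parent_state_after_crash(void)
{
    (void)crash_signal();
    return parent_state;
}

int main(void)
{
    int sig = crash_signal();
    printf("child died with signal %d (SIGSEGV is %d); parent still running, "
           "parent_state = %d\n", sig, SIGSEGV, parent_state);
    return 0;
}
```

Build with `cc -Wall -o isolated isolated.c && ./isolated`. The child's fault shows up only as a wait status in the parent, which is the behaviour the post is asking for: the equivalent of "Application Foobar Unexpectedly Quit" instead of a reboot. Nothing in this example makes the child's own crash any less of a bug; it only stops the bug from taking the rest of the system with it.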