[erlang-questions] Capability model?

Mark S. Miller <>
Thu Oct 26 21:43:58 CEST 2006

Jim Larson wrote:
> I find registered processes useful for two reasons.
> First, it increases modularity by allowing deeply-nested code to
> send a message without passing the target Pid as an explicit parameter
> through each and every intermediate function.  A standard situation
> is error logging.  Other functional languages handle this through
> monads or other fanciness, but the Erlang way is to be simple and
> functional at a micro-level, and work around any problems through
> impure message-passing and other environmental services at the
> macro-level.

Regarding named access to a given pid from various functions within a process,
isn't this what lexical scoping is for? Why not simply bind a variable to this 
pid, in just the way you bind a variable to any other value?

If the intent is to escape the discipline imposed by lexical scoping, then you 
are likely also escaping the discipline needed for secure object-capability 
programming. Could you provide some motivating examples?

> Second, since the communication endpoint is also the unit of failure,
> you need *something* to use as a stable address in case the target
> process crashes and gets restarted.  This suggests that if we
> re-interpret process registration as syntactic sugar plus an OTP
> service, the supervisory tree might be the right place to implement
> the process registry too.  It could mean a lot of extra steps in
> message sending, but as with the capa-safe RPC transformation
> mentioned earlier, any optimizations to soften the impact would
> have a general benefit to the system.

See section 17.3 of <http://www.erights.org/talks/thesis/>.

Text by me above is hereby placed in the public domain


More information about the erlang-questions mailing list