Software is assembled from components mainly by patterns of calling subroutines. Keykos must and does support these patterns. In general operating systems extend these patterns so that the caller and callee may be in separate protection domains. Keykos must and does support these extended patterns as well but with variations on the conventional techniques. Keykos does not intrude on the calling conventions (patterns) that modern hardware provides for non privileged code. Compilers produce such code naturally and that code works in Keykos as planned by the CPU architects. These conventions allow for both data and pointers to data to be passed and returned from routines. Values identifying subroutines may also be passed and returned. The return key serves as a continuation for most purposes.

Conventional operating systems generally provide limited functionality for calling between different non privileged protection domains; the functionality may be limited to sending explicitly constructed and buffered messages. These messages typically include only data and provide no analog for pointers to data or subroutines.

The Keykos message unifies the calling of primitive privileged function and the calling of cross (protection) domain routines. The caller is thus not generally aware of the difference of calling kernel objects (objects define by code in the kernel) and domain code (objects defined by code obeyed by domains).

Messages may include keys (‘capabilities’ in the greater computer science literature) and in particular segments keys can be passed in messages that allow the recipient access to memory designated thereby. The sender of such a message must hold the segment key in order to produce the message and this may require extra planning. A domain program does not automatically have access to a key to its address space and then such access does not afford creation of segment keys to arbitrary portions of its address space. There is extra hair in arranging for such keys but seldom security issues. The recipient must also plan it own address space so that there are available addresses in its own space at which to install the received segment. A RISC implementation of Keykos might require approximately 1000 clock cycles in the combined overhead of passing and installing a segment so that the recipient can access storage provided by the sender, (which is presumably also in the sender’s space). On most CPU architectures page tables are shared between sender and recipient. Somewhat more overhead is required if the caller limits the duration of access by revoking the supplied access upon return.

Gates can be passed in messages which is the proper analog of passing routine identifiers in conventional languages. Few conventional systems allow passing analogous values across protection domains. Continuations can be passed as well in the form of resume keys.

This note locates Keykos in a wider set of plans for order of execution.