Glossary

Address Space Identifier. A hardware tag (16-bit on aarch64) stored in TTBR0 that distinguishes TLB entries belonging to different VSpaces. Avoids full TLB flushes on context switch. Not used on x86_64.

A 64-bit value embedded in a capability via the mint operation. Delivered to the receiver during IPC to identify the sender. Only endpoints and notifications can be badged.

A notification linked to a TCB via TCB_BIND_NOTIFICATION. Signals on the bound notification wake the TCB even if it is blocked on an endpoint Recv. See Bound Notifications.

An unforgeable 32-byte token that names a kernel object and carries rights to perform operations on it. The sole mechanism for accessing kernel resources.

A 4-byte index (u32) into the global slot array. Stored in CNode entries. CapRef::null() uses INVALID_SLOT = 0xFFFF_FFFF.

A tree structure tracking parent-child relationships between capability slots. Stored as linked-list pointers in CapSlotMeta. Enables revocation of all capabilities derived from a given slot.

A kernel object that stores an array of CapRef entries. CNodes form a tree that constitutes a thread’s CSpace. Size: 16 to 65,536 slots (4 to 16 bits).

A per-MemoryObject spinlock that serializes all reads and writes to the MO’s radix tree (pages) and the cow_parent field. Disjoint with rmap_lock (never hold both). Ordering: commit_lock -> ut.alloc_lock -> FRAME_LOCK. See Lock Ordering.

A memory optimization where parent and child MemoryObjects share physical pages until a write occurs. The write triggers a page fault, and the kernel copies the page to the writer’s private MO.

A VSpace method that atomically installs a COW-resolved page across three domains: (1) radix tree BUSY reservation, (2) PTE + TLB + PMM mapping-ref publish, (3) radix finalize, (4) pmm_set_owner(MoData) commit point. All under MO.commit_lock. See Page Fault Handling.

A ring-buffer of pre-donated physical frames attached to a VSpace for fast COW fault resolution. Frames are retagged to KernelPrivate\{CowPool} on donation and returned to PMM on VSpace cleanup if unconsumed. See Physical Memory.

The namespace through which a thread addresses capabilities. A tree of CNodes rooted at the thread’s CSpace root (slot 2).

A page fault resolution strategy where physical frames are allocated on first access rather than at map time. Marked in PTEs with PRESENT=0, DEMAND=1.

A permanent kernel mapping of all physical memory at offset PHYS_MAP_OFFSET (0xFFFF_8000_0000_0000). Established during boot. See Memory Layout.

The scheduling algorithm used by kernite. The thread with the earliest absolute deadline runs first. Combined with budget enforcement for temporal isolation.

A synchronous IPC channel. Sender and receiver rendezvous: one blocks until the other arrives. See Endpoints.

An assembly-optimized dispatch path for Call (syscall 2) and ReplyRecv (syscall 3) that handles short messages without capability transfer. See IPC Fastpath.

A 4 KB physical memory page. The unit of allocation in the PMM.

An enum tag on each physical frame in the PMM that identifies the frame’s current purpose: Free, UntypedReserved, MoData, MoMeta, KernelPrivate (sub-kinds: PageTable, KernelStack, MapleNode, General, CowPool), PageCache, or EmergencyReserve.

A boot-time allocated array storing all live capabilities and their metadata (CDT links, untyped links, state). Sized by clamp(free_frames / 4, 768, 131_072).

A 4,096-byte (one page) structure mapped into each thread’s address space. Carries overflow message registers (MR4-MR19), capability transfer slots, and receiver configuration. See Endpoints.

A software-generated interrupt sent between CPUs. Used for reschedule, TLB shootdown, and shutdown. SGI on aarch64; APIC IPI on x86_64.

Any resource managed by the kernel: endpoint, notification, TCB, CNode, VSpace, frame, IRQ handler, I/O port, SchedContext, MemoryObject, or untyped memory. See Object Model.

A B-tree variant used by VSpace to track virtual address regions (VmAreas). Supports efficient range queries.

A page-granular memory abstraction that manages physical pages via a 4-level radix tree. Supports commit, decommit, COW clone, and reverse mappings.

A capability operation that creates a badged copy of an endpoint or notification capability. The minted capability cannot have GRANT right — it is a delegation dead-end.

An asynchronous signaling primitive. Stores a 64-bit bitmap of pending signal bits. Never blocks the signaler. See Notifications.

A mechanism that temporarily boosts a low-priority thread’s effective deadline when a higher-priority thread blocks waiting for it. Prevents priority inversion. See Threads.

The kernel’s bitmap-based frame allocator. Sole owner of all physical frames. See Physical Memory.

A 4-level tree (512 entries per node, 9 bits per level) used by MemoryObjects to map page indices to physical addresses. Capacity: 256 TB.

The operation that carves typed kernel objects from untyped memory. Invoke label 0x20.

The startup structure (TronaCapTableV1) that binds role IDs to resolved capabilities in a spawned process’s CSpace. Delivered to the child through the AT_TRONA_CAP_TABLE (0x101C) auxv tag. Child processes look up service endpoints by role — there are no hardcoded CSpace slot numbers. See Role-Based Capability Table.

A 16-bit identifier used as the key into the role capability table. System roles occupy 0x0001-0x00FF; process-local roles occupy 0x0100-0x0FFF (LOCAL_ROLE_BASE..LOCAL_ROLE_END).

A capability operation that recursively destroys all capabilities derived from a given slot (depth-first CDT traversal). The only operation that tears down an authority subtree.

A kernel object that encapsulates scheduling parameters: budget, period, deadline, priority. Bound to a TCB via SC_BIND.

A personality layer that provides a specific API surface to userspace processes. SaltyOS supports POSIX (ID 0) and Win32 (ID 1). Each subsystem has dedicated servers (e.g., posix_ttysrv for POSIX, win32_csrss for Win32). See Architecture.

A kernel object representing a schedulable thread. Contains register save area, VSpace/CSpace pointers, IPC buffer address, FPU state, and scheduling state. See Threads.

The process of invalidating stale TLB entries on remote CPUs after a page table modification. Uses IPI to notify affected CPUs. See Virtual Address Spaces.

Raw physical memory from which all kernel objects are created via retype. The kernel has no general-purpose heap — all object allocation is explicit.

A 24-byte descriptor in the Maple tree that records a mapping: which MO pages are visible at which virtual addresses with which permissions.

A kernel object wrapping a hardware page table root. Tracks mappings via a Maple tree. Observer layer — owns no frames.

The allocation cursor in an untyped memory region. Advances forward on each retype. Only resets via explicit reset() when no children exist.