[cap-talk] Lua, Javascript, and the Object Capability Model

Matej Kosik kosik at fiit.stuba.sk
Mon Jul 27 05:30:25 EDT 2009


Mike Samuel wrote:
> 
> That might be useful if the limiting mechanism was fundamentally
> sound, but it does nothing to guarantee the soundness of the limiting
> mechanism.
> 
> What happens when an instruction limit is reached?  Is the entire
> context marked invalid so no further side-effecting computations can
> occur on a possibly inconsistent object-graph?
> 
> And that kind of drastic action -- throwing away the entire program
> state -- is awfully harsh when a programmer has no way to compute a
> reasonable upper limit on the number of instructions a complex
> operation might take.  Consider the case where you have two mutually
> referencing modules that communicate by passing functions to one
> another -- neither module author can compute a limit since every time
> control crosses a module boundary, they have to treat it as a black
> box, and there is no clear way to determine against whom the cost of
> an operation should be debited, since these calls might be
> co-recursive.
> 
> Without some kind of transactional semantics to limit the scope of
> what you have to throw away when a limit is reached, you are
> sacrificing either a lot of correctness/security or a lot of one kind
> of availability for a little bit of another kind of availability.

What kind of transactions do you have in mind? Consider the following
scenario:
- there is a client and a server that offers some service
- the client requests the service
- handling the request at the server's side involves (let us suppose)
sending some mails to the internet.
- while handling the client's request, the server sends three mails
- then the limit is exceeded

How would you "unsend" those mails?

Similar scenarios can also be invented for local computation. If
handling a request involves interaction with hardware (as a result,
some internal (sub-)registers in the hardware might be overridden), how
could you (automatically) restore those original values?

I guess that by transactions you do not mean something automatic like
transactions in SQL or transactional memory. Or do you?
-- 
Matej Kosik
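As an added illustration of the scenario discussed above (not code from this thread or from any of the projects it mentions), here is a Python sketch in which a budget of executed source lines, enforced with sys.settrace, stands in for an instruction-count hook. A handler that sends mail as it goes has already handed three messages to the outside world when the budget trips, and nothing can recall them; a handler that stages the messages in a local outbox and sends them only at commit time loses just the staged work. MailGateway, run_with_budget, spin, serve and the recipient names are constructed for the example.

```python
import sys


class InstructionLimitExceeded(Exception):
    """Raised when the traced computation exceeds its line budget."""


def run_with_budget(fn, max_lines):
    """Run fn() under a budget of executed source lines.

    sys.settrace is a constructed stand-in for a per-instruction count
    hook. The budget is crude, but the failure mode is the one under
    discussion: the computation is aborted at an arbitrary point, after
    whatever side effects it has already performed.
    """
    count = 0

    def tracer(frame, event, arg):
        nonlocal count
        if event == "line":
            count += 1
            if count > max_lines:
                # Raising here propagates into the traced frame and aborts it.
                raise InstructionLimitExceeded(count)
        return tracer  # keep tracing nested calls

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        return fn()
    finally:
        sys.settrace(previous)


class MailGateway:
    """Constructed stand-in for the outside world: a message handed to
    send() has left the process and cannot be recalled."""

    def __init__(self):
        self.delivered = []

    def send(self, message):
        self.delivered.append(message)


def spin(iterations):
    """Simulated expensive work that may push a handler over its budget."""
    total = 0
    for i in range(iterations):
        total += i
    return total


def handle_request_direct(gateway, recipients, work):
    """Sends each mail as soon as it is composed, then does the expensive part."""
    for r in recipients:
        gateway.send("notification for %s" % r)
    spin(work)


def handle_request_staged(gateway, recipients, work):
    """Stages mails in a local outbox and sends them only at commit time,
    so an abort before commit leaves nothing to unsend."""
    outbox = []
    for r in recipients:
        outbox.append("notification for %s" % r)
    spin(work)
    for message in outbox:  # commit: reached only if the budget held
        gateway.send(message)


def serve(handler, gateway, budget, work=1000):
    """Run one request under the budget; return "ok" or "limit exceeded"."""
    recipients = ["alice", "bob", "carol"]  # constructed sample input
    try:
        run_with_budget(lambda: handler(gateway, recipients, work), budget)
        return "ok"
    except InstructionLimitExceeded:
        return "limit exceeded"


if __name__ == "__main__":
    for handler in (handle_request_direct, handle_request_staged):
        gw = MailGateway()
        outcome = serve(handler, gw, budget=200)
        print(handler.__name__, outcome, "mails already sent:", len(gw.delivered))
```

With a budget of 200 lines, both handlers are aborted inside spin(), but the direct handler has already delivered all three mails while the staged handler has delivered none; with a generous budget the staged handler commits normally. The staging pattern bounds what must be thrown away only for effects the program itself controls; it does nothing for effects that were already external when the limit hit, which is the point Matej raises about the mails.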