[E-Lang] New in 0.8.9k: Locally Untrusted Code & Confinement! (Part 1)

Mark S. Miller markm@caplet.com
Wed, 29 Nov 2000 15:02:27 -0800 

At 02:20 PM 11/29/00, Dan Bornstein wrote:
>Mark writes:
>>Therefore, since we wish to eventually have a ":confined" guard that 
>>actually checks something, we define BobProgFactory as being "checkably 
>>confined" or just "confined", and we define Bob as being "indirectly 
>>confined".  I don't love these terms, and better ones are welcome.
>
>The term I learned to use for the concept I believe you're describing is
>"pure function." [...] Additionally, if the
>arguments to a pure function are all pure constants (that is, transitively
>immutable values that are incapable of granting authority), then the result
>of calling that function is also guaranteed to be pure, [...]

An intriguing starting point for generating a name.  However, your 
"Additionally" observation above is explicitly violated by my 
transitively-immutable/checkably-confined  objects. A transitively immutable 
object can make a new stateful object even in response to a message with no 
arguments:

define CellMaker ::confined {
    to new() :any {
        define myValue := null
        define Cell {
            to getValue() :any { myValue }
            to setValue(newValue) { myValue := newValue }
        }
    }
}

CellMaker is transitively immutable and, once we have auditors, will be 
checkably confined.  However, the Cells it makes are stateful, even though 
they are made in response to a no-argument message.  (The above "::confined" 
is an auditor annotation, and will not be understood by current releases of 
E.  Notice that an object that can be used as an auditor (after a "::") can 
normally also be used as a guard (after a ":") to check that the object in 
question is an instance of an expression it audited.)

Also, I'd like a name for the distinction between BobProgFactory's checkable 
confinement and Bob's implied or indirect confinement in the more general 
KeyKOS and EROS contexts as well, where checkable confinement doesn't imply 
transitive immutability or transitive lack of authority.


        Cheers,
        --MarkM