[e-lang] Surprising consequences of pipelining?

Mark Miller markm at cs.jhu.edu
Sat Jul 2 11:49:16 EDT 2005

Kevin Reid wrote:
> Consider this code:
>   def coerced := 
>     (def guard := thing <- __getAllegedType()) <- coerce(thing)

Yes. E already does your option #3a:

>   3a. Make available in the safeScope an operation for responding to the 
> eventual sends to a promise before that promise is resolved. This 
> restores the property that "a malicious vat hosting one set of objects 
> can only cause external effects equivalent to a correct vat hosting some 
> different (maliciously coded) set of objects" (from 
> <http://www.erights.org/elib/capability/ode/ode-protocol.html>).

The object in question is only available from the privileged scope, not the 
safe scope, since its gc notification provides access to non-determinism. The 
following is untested:

def makeEPR := <unsafe:org.erights.e.elib.ref.makeEProxyResolver>

def [p,r] := Ref.promise()

def eProxyHandler {
     to unwrap() :any { return eProxyHandler }
     to handleOptSealedDispatch(brand) :any { return null }
     to handleSendOnly(verb, args) :void {
         E.sendOnly(p, verb, args)
     }
     # Messages sent to the proxy before it is resolved land here.
     to handleSendAll(verb, args) :any {
         if ([verb, args] =~ [`coerce`, [arg]]) {
             # Answer coerce/1 ourselves instead of forwarding it.
             return 3
         } else {
             # Everything else is forwarded to the underlying promise.
             return E.send(p, verb, args)
         }
     }
     to handleResolution(newTarget) :void {}
     to reactToGC() :void {}
     to isFresh() :boolean { return true }
     to sameConnection(other) :boolean { return false }
     to mustBeDisposable() :void {}
}

def epr := makeEPR(eProxyHandler, null)

when (p) -> { epr.resolve(p) }

def thing {
     to __getAllegedType() :any { return epr.getProxy() }
}

def coerced := (def guard := thing <- __getAllegedType()) <- coerce(thing)

If this untested code actually works (ha!), then 'coerced' will be 3 and 
'guard' will be String.

>   3b. Add support for unprivileged comm systems.
>   3. 3a and 3b are different descriptions of approximately the same 
> change. Ideally, having 3b, specifically documented as being a means for 
> 3a, would remind the programmer that they cannot rely on pre-resolution 
> behavior to correspond to post-resolution identity.

makeEProxyResolver was created exactly to support the creation of unprivileged 
(or not very privileged) comm systems.

Text by me above is hereby placed in the public domain
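The following is an added illustration, not code from Mark's post and not E: a small Python model of a turn-based vat in which a promise's eventual sends can be answered by a handler before the promise is resolved, as makeEProxyResolver allows above. Every name in it (Promise, eventual_send, when, near, CoerceInterceptor, StringGuard, get_alleged_type standing in for __getAllegedType, which Python would name-mangle inside a class) is an assumption of this model, not E's real API. It runs the post's `coerced` example twice, once with the sends delivered before `p` resolves and once after, to show why pre-resolution behaviour cannot be relied on to match post-resolution identity.

```python
from collections import deque

_turns = deque()  # the vat's pending-delivery queue; one entry per turn

def run_turns():
    """Process queued deliveries until the vat is idle."""
    while _turns:
        _turns.popleft()()

class Promise:
    """Model of an E promise: sends queue up until resolve() forwards them
    to the target, unless a pre-resolution handler answers them first."""
    def __init__(self, handler=None):
        self.resolved = False
        self.target = None
        self.handler = handler   # interceptor used only while unresolved
        self.pending = deque()   # (verb, args, result promise)
        self.reactors = []       # callbacks registered via when()

    def resolve(self, target):
        if self.resolved:
            raise RuntimeError("already resolved")
        self.resolved, self.target, self.handler = True, target, None
        while self.pending:  # deliver what was queued, in order, in later turns
            verb, args, result = self.pending.popleft()
            _turns.append(lambda v=verb, a=args, r=result: _deliver(target, v, a, r))
        for cb in self.reactors:
            _turns.append(lambda cb=cb: cb(target))
        self.reactors = []

def when(ref, callback):
    """E's `when (ref) -> { ... }`: run callback once ref is resolved."""
    if isinstance(ref, Promise) and not ref.resolved:
        ref.reactors.append(callback)
    else:
        _turns.append(lambda: callback(near(ref)))

def near(ref):
    """Follow a resolved promise chain to its value (None if still unresolved)."""
    while isinstance(ref, Promise):
        if not ref.resolved:
            return None
        ref = ref.target
    return ref

def eventual_send(ref, verb, *args):
    """E's `ref <- verb(args)`: schedule delivery, return a promise for the answer."""
    result = Promise()
    _turns.append(lambda: _deliver(ref, verb, args, result))
    return result

def _deliver(ref, verb, args, result):
    if isinstance(ref, Promise):
        if ref.resolved:
            _deliver(ref.target, verb, args, result)
        elif ref.handler is not None:        # unresolved, but intercepted
            result.resolve(ref.handler.handle_send_all(verb, args))
        else:                                 # unresolved, no handler: queue
            ref.pending.append((verb, args, result))
        return
    try:
        result.resolve(getattr(ref, verb)(*args))
    except Exception as exc:  # model a broken reference as its exception
        result.resolve(exc)

class CoerceInterceptor:
    """Plays the role of eProxyHandler in the post: answers coerce/1 with 3
    while the proxy is unresolved and forwards everything else to p."""
    def __init__(self, p):
        self.p = p
    def handle_send_all(self, verb, args):
        if verb == "coerce" and len(args) == 1:
            return 3
        return eventual_send(self.p, verb, *args)

class StringGuard:
    """Stand-in for E's String guard: accepts only str specimens."""
    def coerce(self, specimen):
        if isinstance(specimen, str):
            return specimen
        raise TypeError("not a String")

class Thing:
    def __init__(self, proxy):
        self.proxy = proxy
    def get_alleged_type(self):  # the post's thing.__getAllegedType()
        return self.proxy

def scenario(resolve_before_send):
    """Return (near(guard), near(coerced)) for the post's two-line example."""
    _turns.clear()
    p = Promise()                           # def [p, r] := Ref.promise()
    proxy = Promise(CoerceInterceptor(p))   # epr.getProxy()
    when(p, proxy.resolve)                  # when (p) -> { epr.resolve(p) }
    thing = Thing(proxy)
    if resolve_before_send:
        p.resolve(StringGuard()); run_turns()
    guard = eventual_send(thing, "get_alleged_type")
    coerced = eventual_send(guard, "coerce", thing)
    run_turns()
    if not resolve_before_send:
        p.resolve(StringGuard()); run_turns()
    return near(guard), near(coerced)
```

With the sends delivered first, `scenario(False)` yields a guard that is the StringGuard and a `coerced` of 3, the outcome Mark predicts; with `p` resolved first, `scenario(True)` delivers the same `coerce` to the real StringGuard, which rejects `thing`. Nothing observable distinguishes the interceptor from an honestly different guard object, which is the equivalence the ode-protocol property describes.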
