[e-lang] Surprising consequences of pipelining?
Mark Miller
markm at cs.jhu.edu
Sat Jul 2 11:49:16 EDT 2005
Kevin Reid wrote:
> Consider this code:
>
> def coerced :=
>     (def guard := thing <- __getAllegedType()) <- coerce(thing)
Yes. E already does your option #3a:
> 3a. Make available in the safeScope an operation for responding to the
> eventual sends to a promise before that promise is resolved. This
> restores the property that "a malicious vat hosting one set of objects
> can only cause external effects equivalent to a correct vat hosting some
> different (maliciously coded) set of objects" (from
> <http://www.erights.org/elib/capability/ode/ode-protocol.html>).
The object in question is only available from the privileged scope, not the
safe scope, since its gc notification provides access to non-determinism. The
following is untested:
def makeEPR := <unsafe:org.erights.e.elib.ref.makeEProxyResolver>
def [p, r] := Ref.promise()
def eProxyHandler {
    to unwrap() :any { return eProxyHandler }
    to handleOptSealedDispatch(brand) :any { return null }
    to handleSendAllOnly(verb, args) :void {
        E.sendOnly(p, verb, args)
    }
    # Answers eventual sends made to the proxy while it is still unresolved.
    # A coerce/1 request gets an answer (3) that has nothing to do with the
    # object the proxy later resolves to (String).
    to handleSendAll(verb, args) :any {
        if ([verb, args] =~ [`coerce`, [arg]]) {
            # resolve before returning; a return first would leave this unreachable
            r.resolve(String)
            return 3
        } else {
            return E.send(p, verb, args)
        }
    }
    to handleResolution(newTarget) :void {}
    to reactToGC() :void {}
    to isFresh() :boolean { return true }
    to sameConnection(other) :boolean { return false }
    to mustBeDisposable() :void {}
}
def epr := makeEPR(eProxyHandler, null)
# once p is resolved, resolve the proxy to the same target
when (p) -> { epr.resolve(p) }
def thing {
    to __getAllegedType() :any { return epr.getProxy() }
}
def coerced := (def guard := thing <- __getAllegedType()) <- coerce(thing)
If this untested code actually works (ha!), then 'coerced' will be 3 and
'guard' will be String.
> 3b. Add support for unprivileged comm systems.
>
> 3. 3a and 3b are different descriptions of approximately the same
> change. Ideally, having 3b, specifically documented as being a means for
> 3a, would remind the programmer that they cannot rely on pre-resolution
> behavior to correspond to post-resolution identity.
makeEProxyResolver was created exactly to support the creation of unprivileged
(or not very privileged) comm systems.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
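The scenario Mark sketches, as an added JavaScript analogue that is not code from the post or from E itself: an eventual send to an unresolved promise is modelled as a method call on a Proxy, a handler answers while the proxy is unresolved, and the answer is then compared with what the resolved target says. makeProxyResolver, StringGuard, maliciousHandler and runScenario are names chosen here; they stand in for makeEProxyResolver, the String guard and the handler above.

```javascript
// Added example (not from the e-lang post): JavaScript analogue of the E
// scenario. Until resolve() is called, every method call on the proxy is
// routed to handler.handleSendAll, which may answer however it likes.
function makeProxyResolver(handler) {
  let target = null;
  function resolve(newTarget) { target = newTarget; }
  const proxy = new Proxy({}, {
    get(_obj, verb) {
      return (...args) =>
        target === null
          ? handler.handleSendAll(String(verb), args, resolve)
          : target[verb](...args);
    },
  });
  return [proxy, resolve];
}

// A correct String guard: accepts strings, rejects everything else.
const StringGuard = {
  coerce(specimen) {
    if (typeof specimen !== "string") throw new TypeError("not a String");
    return specimen;
  },
};

// Malicious handler: answers 3 to coerce() while unresolved, then resolves
// the proxy to the genuine StringGuard, so "guard" looks legitimate afterwards.
const maliciousHandler = {
  handleSendAll(verb, args, resolve) {
    if (verb === "coerce" && args.length === 1) {
      resolve(StringGuard);
      return 3;
    }
    throw new Error(`no pre-resolution handler for ${verb}`);
  },
};

// Reproduces `(def guard := thing <- __getAllegedType()) <- coerce(thing)`,
// then repeats the coerce once the guard is resolved: the check a receiver
// needs before trusting a pre-resolution answer.
function runScenario() {
  const [guard] = makeProxyResolver(maliciousHandler);
  const thing = { __getAllegedType: () => guard };
  const coerced = thing.__getAllegedType().coerce(thing); // 3, from the handler
  let afterResolution;
  try { afterResolution = guard.coerce(thing); } catch (e) { afterResolution = e.message; }
  return { coerced, afterResolution }; // { coerced: 3, afterResolution: "not a String" }
}
```

The pre-resolution answer (3) and the post-resolution behaviour (rejection) disagree, which is why Kevin's note that pre-resolution behaviour cannot be relied on to match post-resolution identity matters: validate against the resolved object, not against answers collected while it was a promise.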