[e-lang] Bug (0.8.33o): interface{} without a separate guard leaks itself
Kevin Reid
kpreid at attglobal.net
Sat May 14 18:20:53 EDT 2005
On May 14, 2005, at 17:43, Mark Miller wrote:
> Kevin Reid wrote:
>> ? wantsFoos(def _ { to __conformTo(g) { bind capture := g; return x }
>> })
>> # value: "Thanks for <x>!"
>> ? capture
>> # value: Foo
>> ? def z implements capture { to __printOn(t) { t.print("*BANG!*") } }
>> # value: *BANG!*
>> ? wantsFoos(z)
>> # value: "Thanks for *BANG!*!"
>
> It's not clear to me whether or not this should be considered a bug.
> If we decide it's not a bug, then we should certainly document it
> clearly, and warn people of the hazard you demonstrate above.
>
> By saying 'interface Foo {...' rather than
> 'interface Foo guards FooStamp {...', the type's definer was choosing
> not to separate the ability to know the type from the ability to claim
> to implement the type. By defining the type using 'interface', rather
> than doing something more manual, the definer was choosing to inherit
> the standard coercion behavior, which asks an otherwise-failing
> specimen to provide something that will pass the check. Given that the
> definer understood that he was making these choices (a big if), it's
> unclear that the above behavior violates any sensible policy objective
> that this definer had.
Yes, sorry, I'd realized this after reporting this 'bug' but forgot to
mention it. I agree.
> OTOH, if we decide this is a bug, how would you suggest fixing it?
When I had decided it was a bug, I fixed it in E-on-CL by not
performing any coercion. See revision 75 of
<svn://slimy.com/cl-e/cl-e/trunk/lib/org/erights/e/elang/interp/makeProtocolDesc.emaker>
(I expect to change this shortly, so revisions later than 75 may
differ.)
I now suggest:
* In the documentation for 'interface', state that 'interface'
without the 'guards' clause has no security properties when used as
a guard.
* Document ProtocolDesc similarly and prominently. Remove or qualify
the analogy to "single key authentication".
* Modify ProtocolDesc such that non-'guards' ProtocolDescs label
themselves obviously when printed.
--
Kevin Reid <http://homepage.mac.com/kpreid/>
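
The hazard discussed in this thread, modelled as an added Python example; it is not E code, not part of the original post, and not ProtocolDesc's implementation. All class and function names are hypothetical, and Python's underscore attributes stand in for E's encapsulation.

```python
# Python model of the hazard (not E, not ProtocolDesc's code); names are hypothetical.
class Stamp:  # authority to claim that an object implements the type
    def __init__(self):
        self._stamped = []
    def audit(self, obj):
        self._stamped.append(obj)
        return obj
    def has_stamped(self, obj):
        return any(o is obj for o in self._stamped)

class Guard:  # authority to check the type, with the coercion fallback
    def __init__(self, stamp):
        self._stamp = stamp
    def coerce(self, specimen):
        if self._stamp.has_stamped(specimen):
            return specimen
        conform = getattr(specimen, "conform_to", None)
        if conform is not None:
            candidate = conform(self)  # the specimen is handed the guard itself
            if self._stamp.has_stamped(candidate):
                return candidate
        raise TypeError("specimen does not implement the type")

class CombinedInterface(Stamp, Guard):
    """Models 'interface Foo {...}': one object is both guard and stamp."""
    def __init__(self):
        Stamp.__init__(self)
        Guard.__init__(self, self)

def separate_interface():  # models 'interface Foo guards FooStamp {...}'
    stamp = Stamp()
    return Guard(stamp), stamp

def imposter_accepted(guard, genuine):
    """Replay the quoted session; True if an unstamped object ends up accepted."""
    captured = []
    class Capturer:  # constructed specimen that records what coercion passes it
        def conform_to(self, g):
            captured.append(g)
            return genuine
    guard.coerce(Capturer())
    imposter = object()
    audit = getattr(captured[0], "audit", None)
    if audit is not None:
        audit(imposter)  # only possible when the guard is also the stamp
    try:
        return guard.coerce(imposter) is imposter
    except TypeError:
        return False
```
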