[e-lang] POLA and deserialization
David Wagner
daw at cs.berkeley.edu
Tue Aug 7 21:58:10 EDT 2007
Tony Finch writes:
>However POLA dictates that you must not be able to make me invoke an
>arbitrary constructor just by sending me a message - it could do anything.
I'm not sure about "do anything". Its authority is limited by the
authority passed into its arguments (and any authority found in lexically
enclosing scope), isn't it? So it can't do just anything it wants --
its authority can be bounded.
I'm tempted to say that a constructor for a DeepFrozen object (if passed
only DeepFrozen arguments) has no authority worth mentioning[1] -- but
you should double-check this to make sure that "DeepFrozen" is sufficient
as I have a sneaking suspicion you may need something stronger (e.g.,
PassByCopy or Data). I often get these distinctions wrong when I try
to make them off-the-cuff without taking a minute to think them through,
and I confess I'm too lazy to do that right now.
-- David
[1] as far as integrity goes. Availability is a different story.
Invoking a malicious constructor could enter an infinite loop or allocate
all available memory.
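An added example (not from this thread and not E code) of what "you must not be able to make me invoke an arbitrary constructor just by sending me a message" looks like in practice, written in Python. The wire format (a JSON tree in which a node of the form {"$ctor": name, "args": [...]} asks the receiver to invoke a constructor), the constructor registry, and the size/depth/node limits are all assumptions of this example. The unsafe loader lets the sender name any importable callable; the hardened loader invokes only constructors from an explicit allowlist, each of which builds an immutable value purely from data arguments and closes over no authority (the property the message reaches for with "DeepFrozen" or "Data"), and it also bounds the resources a message can consume, since footnote [1] points out that integrity alone does not cover availability.

```python
import datetime
import fractions
import importlib
import ipaddress
import json
from typing import Any, Callable, Dict

# Wire format (constructed for this example, not E's serialization): a JSON
# tree in which a node {"$ctor": "<name>", "args": [...]} asks the receiver to
# invoke a constructor on the recursively decoded arguments.  Plain JSON
# scalars, lists and objects pass through unchanged.


def unsafe_loads(text: str) -> Any:
    """The pattern the thread objects to: the sender names any importable
    callable and the receiver calls it, so the sender decides what authority
    gets exercised.  Shown only for contrast with safe_loads below."""
    def build(node: Any) -> Any:
        if isinstance(node, dict) and "$ctor" in node:
            module, _, attr = node["$ctor"].rpartition(".")
            ctor = getattr(importlib.import_module(module), attr)
            return ctor(*[build(a) for a in node.get("args", [])])
        if isinstance(node, dict):
            return {k: build(v) for k, v in node.items()}
        if isinstance(node, list):
            return [build(v) for v in node]
        return node
    return build(json.loads(text))


class UnsafeMessage(ValueError):
    """Raised when a message asks for something the receiver will not do."""


# Availability bounds (assumed limits for this example): cap what a single
# message may cost before any constructor runs.
MAX_TEXT = 1 << 16   # characters of wire data per message
MAX_DEPTH = 32       # nesting depth of the decoded tree
MAX_NODES = 1000     # total nodes in the decoded tree

# Constructors the receiver is willing to run.  Each builds an immutable value
# purely from its data arguments and holds no authority of its own.  The
# names and the choice of constructors are this example's, not E's.
SAFE_CTORS: Dict[str, Callable[..., Any]] = {
    "date": datetime.date,            # date(2007, 8, 7)
    "fraction": fractions.Fraction,   # Fraction("3/4")
    "ipv4": ipaddress.IPv4Address,    # IPv4Address("192.0.2.1")
}


def safe_loads(text: str, ctors: Dict[str, Callable[..., Any]] = SAFE_CTORS) -> Any:
    """Decode a message, invoking only allowlisted constructors, only with
    data-only arguments, and only within fixed resource bounds."""
    if len(text) > MAX_TEXT:
        raise UnsafeMessage("message too large")
    try:
        tree = json.loads(text)
    except (ValueError, RecursionError) as exc:  # malformed or absurdly nested
        raise UnsafeMessage(f"undecodable message: {exc}") from None
    budget = [MAX_NODES]

    def build(node: Any, depth: int) -> Any:
        if depth > MAX_DEPTH:
            raise UnsafeMessage("nesting too deep")
        budget[0] -= 1
        if budget[0] < 0:
            raise UnsafeMessage("too many nodes")
        if isinstance(node, dict) and "$ctor" in node:
            if set(node) - {"$ctor", "args"}:
                raise UnsafeMessage("unexpected keys on constructor node")
            name = node["$ctor"]
            if not isinstance(name, str) or name not in ctors:
                raise UnsafeMessage(f"constructor {name!r} not permitted")
            args = node.get("args", [])
            if not isinstance(args, list):
                raise UnsafeMessage("constructor args must be a list")
            decoded = [build(a, depth + 1) for a in args]
            try:
                return ctors[name](*decoded)
            except (TypeError, ValueError, ArithmeticError) as exc:
                raise UnsafeMessage(f"{name} rejected its arguments: {exc}") from None
        if isinstance(node, dict):
            return {k: build(v, depth + 1) for k, v in node.items()}
        if isinstance(node, list):
            return [build(v, depth + 1) for v in node]
        if node is None or isinstance(node, (bool, int, float, str)):
            return node
        raise UnsafeMessage(f"unsupported node type {type(node).__name__}")

    return build(tree, 0)


def rejects(text: str) -> bool:
    """True if safe_loads refuses the message; used to exercise the checks."""
    try:
        safe_loads(text)
    except UnsafeMessage:
        return True
    return False


if __name__ == "__main__":
    msg = '{"when": {"$ctor": "date", "args": [2007, 8, 7]}, "share": {"$ctor": "fraction", "args": ["3/4"]}}'
    print(safe_loads(msg))
    print(rejects('{"$ctor": "math.sqrt", "args": [16]}'))  # sender-chosen callable refused
    print(rejects("[" * 64 + "]" * 64))                      # nesting bomb refused
```

The allowlist is the whole point: the receiver, not the sender, fixes the set of constructors that can run, and every entry is chosen so that its only effect is to build a value from its arguments. The depth, node and size caps are the separate, cruder defence for the availability side of the footnote; they do not stop a permitted constructor from being expensive, so each entry should be cheap in the size of its arguments as well as authority-free.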