[e-lang] The Donnelley Dynamic Revocation Pattern

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Aug 13 05:38:22 EDT 2007


Just to clarify, the purpose of this pattern is to allow one to be able
to delegate references to (possibly) untrustworthy code, such that the
code is prevented from hanging on to these references for any longer
than is necessary for it to perform its function.

If so, I think it would be worth stating something to this effect in the
comments of the code. Not just stating /what/ it does, but /why/, would
be pretty useful. It wasn't apparent to me what end result the
code was achieving, given the description in the comments, until I read
the code and the updoc example.

Nice stuff. Looks like a pretty useful pattern to me to solve a problem
that I'm sure many of us have run thought experiments about before.

Cheers

Toby

On Sun, 2007-08-12 at 23:29 -0400, Mark Miller wrote:
> Jed suggested the following pattern during a discussion between Jed,
> Adrian Mettler, and me at Usenix.
> 
> ---------------------------
> def makeMembrane := <import:org.erights.e.facet.makeMembrane>
> 
> /**
>  * The Donnelley Dynamic Revocation Pattern.
>  * <p>
>  * Given a target object, dynamic(target) returns a reference
>  * providing temporally deeply-attenuated authority to target. Any
>  * non-Miranda invocation of this reference forwards this invocation to
>  * a newly constructed membrane around target. Once this invocation
>  * exits, whether normally or abruptly, the membrane is revoked.
>  *
>  * @author Jed Donnelley
>  * @author Mark S. Miller
>  */
> def dynamic(target) {
>     def dynamicWrapper {
>         match [verb, args] {
>             def [t, gate] := makeMembrane(target)
>             try {
>                 E.call(t, verb, args)
>             } finally {
>                 gate.disable()
>             }
>         }
>     }
>     return dynamicWrapper
> }
> 
> ? pragma.syntax("0.9")
> 
> ? def dynamic := <import:org.erights.e.facet.dynamic>
> # value: <dynamic>
> 
> ? var loot := null
> ? def stealer {
> >     /** Note: not the Miranda __printOn */
> >     to printOn(out) {
> >         loot := out
> >         out.print("<stealer>")
> >     }
> > }
> # <stealer>
> 
> ? stealer.printOn(stdout)
> # stdout: <stealer>
> 
> ? loot
> # value: <a TextWriter>
> 
> ? loot := null
> ? dynamic(stealer).printOn(stdout)
> # stdout: <stealer>
> 
> ? loot
> # value: <caretaker>
> 
> ? loot.print("foo")
> # problem: disabled
> 
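
The same pattern sketched in JavaScript with `Proxy`, as an added example that is not part of the original post or of the E library. `makeMembrane` and `dynamic` here are assumed re-implementations that only borrow the E names, and `demo` replays the updoc scenario with constructed objects.

```javascript
// Added illustration: JS stand-ins for E's makeMembrane and dynamic (Proxy-based bodies are assumptions).
function makeMembrane(target) {
  let enabled = true;
  const real = new WeakMap();            // membrane proxy -> underlying object
  const isObj = (v) => (typeof v === "object" && v !== null) || typeof v === "function";
  // Objects crossing the membrane are proxied; our own proxies are unwrapped when they cross back.
  function cross(v) {
    if (!isObj(v)) return v;             // primitives carry no authority
    if (real.has(v)) return real.get(v);
    const proxy = new Proxy(v, handler);
    real.set(proxy, v);
    return proxy;
  }
  const traps = {
    __proto__: null,
    get(t, name) { return cross(Reflect.get(t, name)); },
    set(t, name, value) { return Reflect.set(t, name, cross(value)); },
    apply(t, self, args) { return cross(Reflect.apply(t, cross(self), args.map(cross))); },
  };
  // Deny by default: everything throws once disabled; operations without a trap above are refused.
  const handler = new Proxy(traps, {
    get(ts, trap) {
      if (!enabled) throw new Error("disabled");
      if (!(trap in ts)) throw new Error("unsupported: " + String(trap));
      return ts[trap];
    },
  });
  return [cross(target), { disable() { enabled = false; } }];
}
// dynamic(target): each call goes through a fresh membrane, revoked when the call exits.
function dynamic(target) {
  return new Proxy({}, {
    get: (_t, verb) => (...args) => {
      const [t, gate] = makeMembrane(target);
      try { return t[verb](...args); } finally { gate.disable(); }
    },
  });
}
// Constructed scenario following the updoc transcript: stealer keeps what it is given.
function demo() {
  const lines = [];                      // stand-in for stdout
  const out = { print(s) { lines.push(s); } };
  let loot = null, problem = null;
  const stealer = { printOn(o) { loot = o; o.print("<stealer>"); } };
  dynamic(stealer).printOn(out);
  try { loot.print("foo"); } catch (e) { problem = e.message; }
  return { lines, lootIsRawOut: loot === out, problem };
}
console.log(demo());
```

The reference that `stealer` retains is the membrane's proxy for `out`, never `out` itself, so it stops working the moment the forwarded call returns.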


