[e-lang] An attack on a mint
David Wagner
daw at cs.berkeley.edu
Tue Mar 4 18:24:07 EST 2008
Tyler Close writes:
>Suppose a rewrite like:
>
>    int take(final PurseX src) {
>        if (dead) { throw new NullPointerException(); }
>        if (src.dead) { throw new NullPointerException(); }
>
>        // subtract the credits from the source
>        final int r = src.balance;
>        src.balance = 0;
>
>        // add the credits to the destination
>        balance += r;
>
>        return r;
>    }
>
>Is such a layout sufficient to discourage reversion to the previous state?
Well, I don't quite see how this helps. I doubt it would be enough to
save me from myself. Those comments wouldn't cue me in on the security
implications of aliasing src to this.
Frankly, when I read those comments, my brain skips across them, because
my first reaction is to interpret them as akin to the canonical example:
i = i+1; // increment i
My reaction was that the comments tell me what the code is doing (which
I can already tell just by looking at the code) rather than why it is done
that way and mustn't be done some other way. I tend to push those kinds
of comments out of mind, because (a) they don't tell me anything new,
and (b) I can't trust them anyway.
I don't have a better solution. To protect me from myself, I suspect
the comments would either have to provide something to wake me up to
force me to think separately about the case src==this, or would have
to say something like "Don't change this code, you dummy -- it's more
subtle than you think!".
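The following is an added example, not code from the thread or from any E or Joe-E purse implementation. It models the quoted take() layout in Python (a constructed Purse class standing in for PurseX, with ValueError in place of NullPointerException) and adds the one thing the quoted comments do not give the reader: an explicit check of the src == this case. The check is a conservation-of-money invariant run once with two distinct purses and once with a purse taking from itself. A second, constructed ReorderedPurse class uses the same statements in a different order purely to show that the non-aliased test alone would not distinguish the two layouts; it is not the thread's "previous state", which the message does not reproduce.

```python
# Added example: invariant check for the aliasing case src == this in a
# purse-style take() method. The classes below are constructed for this
# example and are not the thread's PurseX or any real implementation.


class Purse:
    """Constructed stand-in for the thread's PurseX: a balance and a dead flag."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.dead = False

    def take(self, src: "Purse") -> int:
        # Same statement order as the quoted Java: read the source balance,
        # zero the source, then credit the destination. Because the read
        # happens before the zeroing, take(self) leaves the balance where it
        # was instead of doubling or destroying it.
        if self.dead:
            raise ValueError("destination purse is dead")
        if src.dead:
            raise ValueError("source purse is dead")
        r = src.balance
        src.balance = 0
        self.balance += r
        return r


class ReorderedPurse(Purse):
    """Constructed counter-example: identical statements, credit before zero.

    This ordering is invented for the example to show what the aliased test
    catches; it is not the code the thread is discussing."""

    def take(self, src: "Purse") -> int:
        if self.dead:
            raise ValueError("destination purse is dead")
        if src.dead:
            raise ValueError("source purse is dead")
        r = src.balance
        self.balance += r
        src.balance = 0  # when src is self this also wipes the credit just added
        return r


def total_money(purses) -> int:
    """Sum of all balances: the quantity a correct take() must conserve."""
    return sum(p.balance for p in purses)


def conserves_money(purse_cls, aliased: bool, amount: int = 100) -> bool:
    """Run one take() and report whether total money was conserved.

    With aliased=True the destination takes from itself, i.e. the src == this
    case; with aliased=False two distinct purses are used."""
    dst = purse_cls(amount)
    src = dst if aliased else purse_cls(amount)
    purses = [dst] if aliased else [dst, src]
    before = total_money(purses)
    dst.take(src)
    return total_money(purses) == before


if __name__ == "__main__":
    for cls in (Purse, ReorderedPurse):
        for aliased in (False, True):
            ok = conserves_money(cls, aliased)
            print(f"{cls.__name__:15} aliased={aliased!s:5} conserved={ok}")
```

The point of the harness is that ReorderedPurse passes the two-purse check and fails only the aliased one, so a test suite that never calls take(self) would accept both layouts; the aliased case has to be written down as its own test, which is the "separate thought" the comments in the quoted code do not prompt.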