[e-lang] An attack on a mint

Kevin Reid kpreid at mac.com
Tue Mar 4 19:02:55 EST 2008

On Mar 4, 2008, at 18:29, David Wagner wrote:

> Testing seems good when you want to ensure that desired  
> functionality is indeed present (that the code does do the good  
> things you want it to do) but not so good when you want to ensure  
> that undesired behavior is absent (that the code doesn't do bad  
> things you don't want it ever to do).

Indeed. I noticed this just recently: in my CapTP implementation, I  
could not think of any way to test that SturdyRefs are opaque to  
unprivileged clients. (On further thought, it /might/ be possibe with  
an information-flow-examining auditor.)

There's another form of testing that might help more though:  
Haskell's QuickCheck and its descendants. They check that an  
arbitrary predicate is true for a randomly selected subset of all  
possible inputs to it.

Since the test cases are machine-generated, they are not limited to  
the programmer's consideration of what needs to be tested. However,  
they might well check many simple cases and miss the edge cases where  
failures occur, since they ignore the structure of the algorithm  
being tested.


Kevin Reid                            <http://homepage.mac.com/kpreid/>

More information about the e-lang mailing list