[e-lang] [Caja] Functional auditor for Cajita

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Dec 8 21:40:47 PST 2009


Mike Samuel wrote:
> 2009/12/8 David-Sarah Hopwood <david-sarah at jacaranda.org>:
>>  var f = /*@functional*/ function (evil, s) {
>>    evil(s);
>>  };
>>
>> f is now copacetic.
>>
>>> If passed the arguments (freeze(eval), 'a = 0') it will modify the
>>> lexical environment, and I think both arguments are copacetic
>>> according to the frozen functions definition,
>> In
>>
>>  f(cajita.freeze(eval), 'a = 0;');
>>
>> there is a free variable reference 'eval', and the global eval is
>> not accessible to Cajita code. So this program is not valid Cajita.
> 
> So it is not a goal for a copacetic program to maintain its properties
> when functions defined in it are called by non-strict non-cajita code.
> So it is the copacetic program parsers responsibility to make sure
> that such functions do not escape to where they could be called that
> way?

Non-Cajita ECMAScript code would not be able to mutate copacetic values,
because copacetic would imply deep-frozen using ES5 Object.freeze.
Also, non-global eval can only mutate variables in the lexical scope
in which 'eval' is referenced. So non-Cajita code could only manipulate
its own scope this way, not Cajita scopes.

This assumes that non-Cajita code can't diddle with the copacetic
marker tags, or otherwise interfere with the security of the Cajita
runtime. Note that any implementation of a marker tag using a property
on the marked object would not work here, because non-Cajita code would
be able to set that property on a new object in the same way (and with
the same attributes) as the Cajita runtime.

However, a Name or Trademark mechanism (which can be implemented in
terms of weak hashtables), could work.
See <http://wiki.ecmascript.org/doku.php?id=strawman:weak_references>,
subsection 'Trademarking', for instance.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
Url : http://www.eros-os.org/pipermail/e-lang/attachments/20091209/bd011895/attachment.bin 


More information about the e-lang mailing list