Capabilities in Squeak (attn: Lex Spoon and friends)

Michael van der Gulik squeakml at gulik.co.nz
Tue Oct 17 07:19:12 UTC 2006


Robert Withers wrote:
> 
> On Oct 14, 2006, at 9:45 PM, Michael van der Gulik wrote:
> 
>> In the past there have been a couple of ambitious projects that allow
>> security in Squeak such as Squeak-E. What became of these? Is there
>> code floating around somewhere? I'm only seeing Squeak-ELib on
>> squeakmap.
> 
> 
> Squeak-Elib is the only result from Squeak-E. I also implement a
> Future class (called a Promise) which accepts messages and forwards
> them prior to resolving to a value. It fails in 2 senses.
> 
> First of all there are bugs when resolving the result of a computation
> to a promise, particularly when going inter-vat, which is handled
> differently than an intra-vat promise.
> 
> Secondly, FarRefs and promises don't understand all the base protocol
> that a normal object understands so many of the tools in the image
> don't deal well with eventual objects.

Yea, I've discovered that. My next project will be modifying the 
debugger to not send *any* messages to the objects it's debugging, but 
rather use a capability with primitives to peek at each object's state.

> Ultimately, this is your issue
> with needing VM changes, I believe. Primitives cannot handle eventual
> arguments. One example is when sending a #printString to an eventual
> object returns a promise then is used as the argument for rendering in
> Morphic. Another example is an eventual ref to true is sent the
> message #ifTrue:. What I think you would want to have is to protect
> the primitives. In a primitive, if an argument is eventual, send an
> "invokePrimitive" message to that ref, such that the primitive will be
> invoked eventually. That changes all primitives, unfortunately.

I've solved this (with many bugs and instabilities) by making Futures 
block on any message sends until the result returns.

The way I've done it is that MessageCapture is a subclass of ProtoObject 
that overrides #doesNotUnderstand. I added a few methods like 
#printString to make it work with the debugger and added a 
MethodCaptureInspecter that will let you inspect a MessageCapture.

The Future itself is a normal object which uses MessageCapture.

This works for primitive methods, but there are issues with some sends 
which I think I can solve. I think Craig Latta's approach in Spoon is 
the best: create a special class (MessageCapture) which the VM checks 
for on every message send, including #== and #class. If it is that 
class, package up a Message and send it to a method on that class.

> I have a vm changes file that changes #== and #class out there.

Here?: http://minnow.cc.gatech.edu/squeak/2410

I'll be making changes to the VM eventually, so this code is much 
appreciated. Do you mind if I consider it released under the MIT license?

Michael.
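
A Python analogue of the MessageCapture and blocking Future described in the message above, added here as an illustration and not code from the post or from Squeak. `__getattr__` stands in for #doesNotUnderstand; the names `Future.wait`, `resolve` and `demo` are assumptions, and the demo also shows that identity and class checks bypass the capture hook, which is the gap the #== and #class VM changes are about.

```python
import threading

class Future:
    """Ordinary object holding an eventual result."""
    def __init__(self):
        self._done = threading.Event()
        self._value = None

    def resolve(self, value):
        self._value = value
        self._done.set()

    def wait(self, timeout=5.0):
        # Block the sender until the result arrives.
        if not self._done.wait(timeout):
            raise TimeoutError("future never resolved")
        return self._value

class MessageCapture:
    """Analogue of the ProtoObject subclass: __getattr__ plays the role of
    #doesNotUnderstand and fires only for sends nothing else answers."""
    def __init__(self, future, log):
        self._future, self._log = future, log

    def __getattr__(self, selector):
        def send(*args):
            self._log.append(selector)        # package up the message
            target = self._future.wait()      # block until resolved
            return getattr(target, selector)(*args)
        return send

    def __repr__(self):  # added by hand, like #printString in the post
        return "<MessageCapture>"

def demo():
    log, future = [], Future()
    proxy = MessageCapture(future, log)
    # Constructed scenario: another thread resolves the future 50 ms later.
    threading.Timer(0.05, future.resolve, args=["squeak"]).start()
    forwarded = proxy.upper()                 # captured, blocks, then forwards
    # Identity and class checks never reach the capture hook, so they
    # still tell the proxy apart from the resolved value.
    leaks = {"identity": proxy is not future.wait(),
             "class": type(proxy) is MessageCapture}
    return forwarded, log, leaks

if __name__ == "__main__":
    print(demo())
```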




More information about the Squeak-dev mailing list