Retrofitting objcaps (was: Capabilities in Squeak)

Mark S. Miller markm at
Tue Oct 17 16:47:38 UTC 2006

Lex Spoon wrote:
> Michael van der Gulik <squeakml at> writes:
>> Does anybody have code (particularly VM modifications) which allow
>> Capabilities in Squeak?
>> In particular, I'm referring to code that implements stuff described
>> on this page:
> This is my old "Islands" project, [...] 
> Full information about Islands is available at this page:
 > [...]
> I still think the basic approach is good.  The next thing I would do,
> were I to continue, would be to get rid of the dynamically bound
> global variables, and instead to have separate, static namespaces.

That does sound good.

> The reason for the current approach--i.e. all global references are
> bound indirectly through the currently active island--is that compiled
> code can be reused across multiple islands.  In retrospect, it would
> be better to maintain conceptual pruity and simply recompile any
> reused code.

A different compilation strategy would still allow compiled code to be shared 
-- by treating these the way other languages treat captured outer lexical 

> More broadly, I still think the object capabilities approach is
> important and worth giving a good look in any new language.  It is a
> feature you cannot very well add late.

It has indeed been hard to add objcaps to Squeak after the fact, or rather to 
subtract out the non-objcap parts of the language. (Motto: "Don't add 
security, remove insecurity.") Other efforts have yielded varying results. 
Securing Java to create Joe-E[1] looks quite good, and we have recently been 
using this successfully within HP. Although Java is much more 
"object-oriented" than Scheme or OCaml, W7[2] and Emily[3] were much easier 
than Joe-E, whereas securing Common Lisp[4] was hard enough that the effort 
seems to have been abandoned. The effort to secure Mozart/Oz is proceeding 
slowly, but has yielded one of the best documents[5] about the issues in 
retrofitting objcaps into an existing language. I am also hopeful about a new 
effort to secure Python[6].

All these efforts have freshly encountered many of the same issues. It would 
be good if they could learn more from each other. A secure Squeak-like 
language would still be awesome. Perhaps we should have a workshop about 
retrofitting objcaps into existing languages?


Text by me above is hereby placed in the public domain


More information about the Squeak-dev mailing list