[Squeak-e] Programming the VM

Mark S. Miller markm at caplet.com
Mon Feb 3 02:01:21 CET 2003

At 01:03 AM 2/3/2003 Monday, Avi Bryant wrote:
>Seaside requires access to the entire context stack, but opaquely - it
>just needs to copy it, not to look at or change it.  To put it another
>way, it needs access not to its caller's frame but to its own
>continuation, which seems reasonable to me from a security point of view
>(there was a brief mention earlier of a secured Scheme - did this still
>have call/cc?).

It's called W7 and is documented at http://mumble.net/jar/pubs/secureos/ . 
It's great. I strongly recommend reading it. It did have call/cc with 
indefinite extent continuations, which isn't technically incompatible with 
capability security. But indefinite extent continuations make it too hard to 
program defensively. Every caller has to worry that any callee may return to 
it multiple times. Jonathan Rees, who did W7, now agrees that default 
indefinite extent continuations are a disaster in the context of general 
caller/callee mutual suspicion. See
http://www.eros-os.org/pipermail/e-lang/2001-July/005418.html for some 
related points.

Btw, call/cc with dynamic extent continuations are fine, as with Smalltalk's 
traditional "[:result | ^result]" .

It sounds like there's a genuine conflict here with Seaside, which we need 
to understand better.

Text by me above is hereby placed in the public domain


More information about the Squeak-e mailing list