[Squeak-e] Programming the VM
Mark S. Miller
markm at caplet.com
Mon Feb 3 02:01:21 CET 2003
At 01:03 AM 2/3/2003 Monday, Avi Bryant wrote:
>Seaside requires access to the entire context stack, but opaquely - it
>just needs to copy it, not to look at or change it. To put it another
>way, it needs access not to its caller's frame but to its own
>continuation, which seems reasonable to me from a security point of view
>(there was a brief mention earlier of a secured Scheme - did this still
>have call/cc?).

It's called W7 and is documented at http://mumble.net/jar/pubs/secureos/ .
It's great. I strongly recommend reading it. It did have call/cc with
indefinite extent continuations, which isn't technically incompatible with
capability security. But indefinite extent continuations make it too hard to
program defensively. Every caller has to worry that any callee may return to
it multiple times. Jonathan Rees, who did W7, now agrees that default
indefinite extent continuations are a disaster in the context of general
caller/callee mutual suspicion. See
http://www.eros-os.org/pipermail/e-lang/2001-July/005418.html for some
related points.

Btw, call/cc with dynamic extent continuations are fine, as with Smalltalk's
traditional "[:result | ^result]" .

It sounds like there's a genuine conflict here with Seaside, which we need
to understand better.
----------------------------------------
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
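
Added illustration, not part of the original message and not code from W7 or Squeak-E: a Scheme sketch of the hazard described above, where a callee returns into its caller more than once, next to a dynamic-extent variant that refuses late use. All procedure names are hypothetical, and the second demo assumes the callee is only ever handed `call-with-escape`, never raw call/cc.

```scheme
;; Constructed example. All names are hypothetical.

;; Indefinite extent: the callee keeps the caller's continuation and
;; "returns" into the caller again after the call has finished.
(define (demo-indefinite)
  (let ((saved-k #f) (balance 0) (re-entries 0))
    (define (callee)                     ; untrusted code
      (call-with-current-continuation
       (lambda (k) (set! saved-k k) 10)))
    (define (caller)                     ; written as if callee returns once
      (let ((amount (callee)))
        (set! balance (+ balance amount))))
    (caller)                             ; the only call the caller ever makes
    (if (< re-entries 2)
        (begin (set! re-entries (+ re-entries 1))
               (saved-k 10)))            ; re-runs the credit inside caller
    balance))

;; Dynamic extent: the continuation is usable only until the capturing
;; call returns. A real system would signal an error on late use; this
;; sketch returns a marker symbol to stay portable.
(define (call-with-escape proc)
  (let* ((live #t)
         (result (call-with-current-continuation
                  (lambda (k)
                    (proc (lambda (v)
                            (if live (k v) 'extent-ended)))))))
    (set! live #f)
    result))

(define (demo-dynamic)
  (let ((saved-k #f) (balance 0))
    (define (callee)                     ; same callee, escape-only capture
      (call-with-escape
       (lambda (k) (set! saved-k k) 10)))
    (define (caller)
      (let ((amount (callee)))
        (set! balance (+ balance amount))))
    (caller)
    (saved-k 10)                         ; refused: caller is not re-entered
    (saved-k 10)
    balance))

(display (demo-indefinite)) (newline)
(display (demo-dynamic)) (newline)
```

`demo-indefinite` credits the balance three times for a single call to `caller`, while `demo-dynamic` credits it once.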