implementing sandboxes with capabilities

Lex Spoon lex at cc.gatech.edu
Tue Apr 11 10:08:36 UTC 2000


Thanks for your feedback!

You're right, I've largely ducked the issue of what exact proxies will
be needed.  I've been focussing on how one would get the system set up
to begin with, but figuring out what exactly the proxies will be is
critical.  Your ideas about a capability-distributing factory, along
with some way to send a request to the user for more capabilities, sound
very interesting.


At the least, though, a SandCastle will need capabilities like the
following:

	- block and class proxies, just because direct access to these can
break the basic model

	- a display to draw on.  The proxy probably draws to a form, and the
form is periodically posted to the real Display by a morph in a separate
thread.

	- a queue of input events.  Probably this is just a queue that is fed
to by an outside morph.

	- compiling code.  For Players to work, I've been informed that it's
necessary to compile code as you go along.  Probably, though, there will
be a "player compiler" or somesuch, which can only compile things for
players defined along with the sandcastle it is acting for.  I'm not
sure what the exact definition will be, but at least with a capabilities
architecture, we get to play around with what exactly the definition
should be.  :)



On your other query, the reason I made the shared immutable space
explicit is to eventually work towards a formal description of how the
system works.  If this wasn't project #3 on my priorities at the moment,
it would get done faster.  :|


Anyway, the core invariant of the formalization will be that a sandbox
remains completely separated from the main image.  Integers, characters,
and symbols break that invariant.  It's okay, though, so long as you put
restrictions on these objects.  Notably, in the current system,
Characters and Symbols do *not* meet those restrictions, so there is
some work to do.  Also notably, something needs to be done about floats.
I think in this case it's easiest to not make them sharable.  Proxies
can just make a copy of any float they wish to pass to the other side.


Lex
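As an added illustration of the scheme the mail sketches (restricted proxies as capabilities, immutable values shared, everything else copied across the boundary), here is a small Python sketch; it is not part of the original message and not Squeak code, and the `SHAREABLE` whitelist and the `Display` stand-in are constructed for the example.

```python
import copy

class CapabilityViolation(AttributeError):
    """The sandbox sent a message its capability does not name."""

# Values treated as safely shareable: immutable and unable to reach back into
# the other side (constructed whitelist for this illustration).
SHAREABLE = (int, str, bool, type(None))

def cross_boundary(value):
    """Shareable scalars pass through; everything else is copied, so the two
    sides never hold the same mutable object (the rule proposed for Floats)."""
    return value if isinstance(value, SHAREABLE) else copy.deepcopy(value)

def make_capability(target, allowed):
    """Proxy forwarding only the messages in `allowed`; the target stays in a
    closure, so the holder receives nothing but the forwarders."""
    allowed = frozenset(allowed)
    class Capability:
        def __getattr__(self, name):
            if name not in allowed:
                raise CapabilityViolation(f"capability does not grant #{name}")
            method = getattr(target, name)
            def forwarder(*args):
                return cross_boundary(method(*[cross_boundary(a) for a in args]))
            return forwarder
    return Capability()

class Display:
    """Stand-in for the main-image Display (constructed for the example)."""
    def __init__(self):
        self.frames = []
    def post(self, form):          # the one message granted to the sandbox
        self.frames.append(form)
        return len(self.frames)
    def shutdown(self):            # never granted
        return "display off"

def sandbox_session():
    """A sandbox posts a mutable form, then keeps mutating its own copy."""
    display = Display()
    cap = make_capability(display, allowed={"post"})
    form = [0, 0, 0]
    cap.post(form)
    form[0] = 255    # must not alter what the main image already received
    return display, cap
```

Python cannot enforce this against hostile code the way a capability-secure Smalltalk image could; the sketch only shows the shape of the invariant (no shared mutable object, no message outside the grant).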