On 21/11/2011 5:20 PM, Jeff Schultz wrote:
> I may not be understanding this correctly, but it seems to have
> security implications by breaking encapsulation. The caller-supplied
> handler will have access to values at the exception site that the
> caller would not normally be able to see.
Couple comments on this:
- Security and encapsulation are not the same concept. And security
systems have (imo) no business in language design. It's the wrong
level to try to defend against an attacker. If your threat model is
"turing complete attack code mixed into my call chain", imo you've
already lost. I've never seen a language that can credibly defend
against an attacker running in-process with the target; the attack
surface between same-process language abstractions is just way too
big.
- Encapsulation is a worthy goal, but encapsulation does not mean
"the encapsulated part exposes zero information". It means the
encapsulated part exposes a well-defined signature that is rich
enough to use the subsystem but not expose pointless detail. The
signature of any signals the encapsulated part might need help
handling is part of the subsystem signature, the same way the set
of unwinding exceptions thrown by a function is.
(Like exceptions, could be "checked" or "unchecked", statically;
I'd go with unchecked for a variety of other reasons, but that
is not relevant to this discussion, I'd say the same for exns.)
> Further, code has no way to prevent this from happening. It can
> define its own handlers for all known conditions to dynamically shadow
> any defined by its caller, but it can't anticipate new conditions
> defined in later versions of functions it calls.
I don't see how this is any different from the set of encapsulation
concerns that arise with unwinding exceptions. Any sort of nonlocal
handler introduces, by definition, some sort of additional "distant"
coupling between the reporting site and the handling site, whether it's
done by a handler-call or an unwinding. It's a detail through which
extra information leaks out from the reporting site, sure; but if
properly documented, this information can be seen as "part of the
subsystem's invocation interface", and modeled as such (restricted to
only the information necessary for recovery, say).
-Graydon
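A sketch of the restricted-interface point above, as an added example in current Rust (not the condition system Graydon's Rust had, nor any project code): the callee publishes a `BadField` condition and a `Recovery` answer type as part of its signature, and a caller-supplied handler sees exactly that and nothing else. `BadField`, `Recovery`, `with_handler` and `parse_fields` are names invented for the example.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Everything the reporting site exposes to a handler: the offending token
/// and its position. Internal parser state stays hidden, so this struct is
/// the documented "condition" part of the subsystem's signature.
pub struct BadField<'a> { pub field: &'a str, pub index: usize }
/// The only answers a handler may give: resume with a substitute, or abort.
pub enum Recovery { Substitute(u32), Abort }
pub type Handler = Rc<dyn Fn(&BadField) -> Recovery>;
thread_local! {
    // Dynamically scoped handler, like a condition handler on the call chain.
    static HANDLER: RefCell<Option<Handler>> = RefCell::new(None);
}

/// Restores the previous handler when the dynamic extent ends, including
/// when `f` unwinds through a panic.
struct Restore(Option<Handler>);
impl Drop for Restore {
    fn drop(&mut self) {
        let prev = self.0.take();
        HANDLER.with(|s| *s.borrow_mut() = prev);
    }
}

/// Runs `f` with `h` installed as the handler for any BadField raised inside.
pub fn with_handler<T>(h: Handler, f: impl FnOnce() -> T) -> T {
    let _restore = Restore(HANDLER.with(|s| s.replace(Some(h))));
    f()
}

/// Parses "1,2,x,4"-style u32 lists. A malformed field is reported to the
/// caller's handler without unwinding; with no handler (or on Abort) the whole parse fails.
pub fn parse_fields(line: &str) -> Result<Vec<u32>, String> {
    let mut out = Vec::new();
    for (index, field) in line.split(',').enumerate() {
        let field = field.trim();
        if let Ok(v) = field.parse::<u32>() {
            out.push(v);
            continue;
        }
        let cond = BadField { field, index };
        let handler = HANDLER.with(|s| s.borrow().clone());
        match handler.map_or(Recovery::Abort, |h| h(&cond)) {
            Recovery::Substitute(v) => out.push(v),
            Recovery::Abort => return Err(format!("bad field {:?} at {}", field, index)),
        }
    }
    Ok(out)
}
```

Installing a handler with `with_handler(Rc::new(|c: &BadField| Recovery::Substitute(0)), || parse_fields("1,x,3"))` yields `Ok(vec![1, 0, 3])`, while a bare `parse_fields("1,x,3")` fails and the handler is gone again once the extent ends.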
_______________________________________________
Rust-dev mailing list
https://mail.mozilla.org/listinfo/rust-dev