Don't hardwire OS features
Alaric B. Williams
alaric@abwillms.demon.co.uk
Sun, 8 Dec 1996 13:58:59 +0000
On 8 Dec 96 at 1:50, Francois-Rene Rideau wrote:
> >[limited specifications in Eiffel]
> > The extension beyond assert() is that they have an "implies" boolean
> > operator, the import of which is not clear. I have seen written:
> > "divisor /= 0 implies Valid()"
> > and things like that.
> This means that Eiffel can manage several kinds
> of possible assert() for a piece of code.
> More powerful than assert(), but not much more expressive.
> Quite far away from full specifications that would allow
> to statically check for program correctness.
What would one need to implement that, then? Giving an example....?
> No! It's even worse than if you said that a syntax for types
> could be added later to assembly or C.
> It's easier to strongly type an arbitrary assembly/C program
> than to prove an arbitrary Eiffel program correct.
Eiffel is strongly typed, anyway!
> In any case, this would mean that all Eiffel programs
> would have to be completely rewritten, and then I wonder
> why people would stay with that &@%*!$ language.
But I'm designing a new language anyway...
> > Hmmm. If the hardware is reliable, exceptions such as stack overflows
> > are handled correctly, and interrupt handlers behave correctly, then
> > surely if we make sure pointers (both code and data) always point to
> > valid places (including inside array subscripting) - and our GC works
> > - then how can anything crash?
> This is *not* enumerating all possible crashes and masking them off.
> Possible crashes are not even enumerable.
Why not? Computers are finite... If we can prove that none of the
basic programming constructs will ever crash - possible, since they
all do simple things - then no combination thereof can ever crash.
> > I'm wondering which is more useful: keys form a hierachy
> > or to have each colour cover a seperate view of the object.
> Whatever it is
> * this can needs no more HLL/OS support
> than static binding and scoping of views on objects.
It can be implemented purely as a small set of classes (Key,
ColourKey which inherits behvaiour from Key Lock,
and ColourLock which inherits behaviour from Lock)
> * to be useful, views on an object must reflect the semantic structure
> of the object, adapt to object. Building an arbitrary static hierarchy
> only leads to unadapted design (see VMS bloat).
Indeed. The standard way of implementing the security system would be
by passing a key during the opening of a channel between two
entities. The target entity only allows some channel types to be
opened if a good enough key is presented.
> * you can build all the layering you dream about,
> and much more as libraries over the modular Tunes design,
Both will be implemented as classes in the object oriented ARGON
design :-)
> whereas the converse is not securely possible.
Why not?
ABW
--
Governments are merely protection rackets with good images.
Alaric B. Williams Internet : alaric@abwillms.demon.co.uk
<A HREF="http://www.abwillms.demon.co.uk/">http://www.abwillms.demon.co.uk/</A>