From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.4 X-Google-Thread: 103376,af0c6ea85f3ed92d X-Google-NewGroupId: yes X-Google-Attributes: gida07f3367d7,domainid0,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Received: by 10.68.136.40 with SMTP id px8mr15971986pbb.1.1329780431711; Mon, 20 Feb 2012 15:27:11 -0800 (PST) Path: wr5ni49139pbc.0!nntp.google.com!news1.google.com!newsfeed2.dallas1.level3.net!news.level3.com!newsfeed-00.mathworks.com!nntp.TheWorld.com!not-for-mail From: Robert A Duff Newsgroups: comp.lang.ada Subject: Re: Arbitrary Sandbox Date: Mon, 20 Feb 2012 18:27:10 -0500 Organization: The World Public Access UNIX, Brookline, MA Message-ID: References: <2aaee0a4-e820-4a75-bbaf-d9d09c366d2c@f5g2000yqm.googlegroups.com> <4da4bf75-e6c9-4c17-9072-ab6f533ed93f@vd8g2000pbc.googlegroups.com> <203d63cf-42a9-49ef-82cd-943d77b5e438@c21g2000yqi.googlegroups.com> <193cr8xol0ysi.14p4cp2yxnb0r$.dlg@40tude.net> <1jleu301thnd3$.s23priwn3ajb$.dlg@40tude.net> <18o3vqsl9uy2$.a3m68cg8ysro.dlg@40tude.net> NNTP-Posting-Host: shell01.theworld.com Mime-Version: 1.0 X-Trace: pcls6.std.com 1329780431 10683 192.74.137.71 (20 Feb 2012 23:27:11 GMT) X-Complaints-To: abuse@TheWorld.com NNTP-Posting-Date: Mon, 20 Feb 2012 23:27:11 +0000 (UTC) User-Agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.3 (irix) Cancel-Lock: sha1:Lmtq8WKM9aVzbl8cR/GdTpromxg= Content-Type: text/plain; charset=us-ascii Date: 2012-02-20T18:27:10-05:00 List-Id: "Dmitry A. Kazakov" writes: > On Sat, 18 Feb 2012 13:55:48 -0500, Robert A Duff wrote: > >> "Dmitry A. Kazakov" writes: >> >>> I wonder what kind of architecture could require a safe implementation of >>> Ada, e.g. when private parts of packages and protected objects would be >>> mapped onto the memory physically inaccessible from public contexts. >> >> The kind of architecture that is overly complicated >> and grossly inefficient. Imagine a private type with >> discriminants. The discriminant of each object is visible >> to clients; other components are not. Or imagine a private >> extension of a (visible) record extension. What about the >> fact that some portion (not all) of a child package has >> visibility on the private part (but not the body) of the >> parent package? >> >> Why do work at run time that can be done at compile time? > > Because it cannot (in presence of Unchecked_Conversion and similar stuff). If U_C etc. causes trouble, use Java. Or use a subset of Ada that doesn't allow such features. I really can't imagine a sensible way to use such features and check them at run time. It would be good to have an easy way to check whether a given Ada program uses such dangerous features, and if so, where. >> Implementing things in hardware doesn't magically make >> them free. > > It makes them incomputable. In a secure environment you wanted certain > things to become incomputable for non-trusted clients, e.g. reading user > passwords. Sure, but Ada's visibility features (private types and the like) are not designed for security. Use other means for that (like protection based on paging). >> Putting high-level support for higher-level languages in hardware >> has been tried a number of times, and it's always been a bad idea. > > Maybe so. But this is a different case, because memory protection and > segmentation support is already there. Why no high-level language uses it? You mean "already there" in 386/pentium? Languages don't use it because it's inefficient, and because whatever segmentation can do can be done better by some combination of software and paging. - Bob