Are Private name and Weak Map the same feature? and the Assoc API

Andreas Rossberg rossberg at google.com
Wed Dec 21 04:47:36 PST 2011


On 21 December 2011 12:41, Sam Tobin-Hochstadt <samth at ccs.neu.edu> wrote:
> On Wed, Dec 21, 2011 at 5:25 AM, Andreas Rossberg <rossberg at google.com> wrote:
>>
>>>> Hm, isn't this example rather demonstrating that the ability to do
>>>> self stealing -- i.e., the lack of lexical `this' -- is violating
>>>> basic abstraction principles (as we all know)?
>>> This particular example used 'this', but similar examples may not.
>>> -----
>>> let marker = (function(){
>>>    let n = new Name();
>>>    let counter = 0;
>>>
>>>    return {
>>>        mark: function(o){
>>>            o[n] = counter++;
>>>        }
>>>        readMark: function(o){
>>>            return o[n];
>>>        }
>>>    };
>>> })();
>>>
>>> marker.mark(maliciousProxy);
>>> -----
>>>
>>> ...and the name just leaked allowing a malicious proxy to mess with the
>>> marking.
>>
>> Sure, but o here is just a random argument, and you can never make any
>> assumptions about what gets passed as an argument (unless you have
>> some kind of nominal type or branding mechanism).
>
> In the absence of proxies, David's example is actually safe,
> regardless of what object `o' is.  And you really need David's example
> to work to make private names as useful as they can be -- otherwise,
> it's just re-enabling |private| from Java, and not adding anything
> more.

In fact, I mainly view it like that. Any additional expressiveness is
perhaps nice, but not essential. In particular, I don't consider the
above example a good idea in real code, with or sans proxies. You
shouldn't go off mutating arbitrary objects, and it won't work with
non-extensible objects anyway (at least that's what I gather as the
current state of discussion regarding private names and freezing). A
map seems far more adequate for that.

/Andreas


More information about the es-discuss mailing list