Are Private name and Weak Map the same feature? and the Assoc API

Tom Van Cutsem tomvc.be at gmail.com
Wed Dec 21 11:42:27 PST 2011


2011/12/21 Herby Vojčík <herby at mailbox.sk>
>
> From: Andreas Rossberg
> Unfortunately, I don't have a good suggestion for a convenient
> interface, besides introducing a sentinel value that traps can return
> (I am still puzzled how people can survive in dignity without variants
> and tuples... :) ).
> ===
>
> I was proposing some solution to exactly this in "Forward proxies with
> private names" thread. Not acceptable (especially the call, if exception is
> too hard to swallow)?
>

Two reasons against:
1) Probably introduces a high overhead, since it implies every trap
invocation needs to be wrapped in a try-block to catch the exception. Under
no circumstances should such an exception unwind the stack any further, to
avoid confusing other trap invocations on the stack.
2) Misuse of exceptions: asking a proxy to "please forward" is not an
exceptional situation. I was taught it is bad API design to abuse
exceptions for non-exceptional situations.

The cleanest approach so far seems to be to either return a per-call unique
sentinel value or a tuple (true, realReturnValue) or false. Both introduce
extra per-call allocation, and add more complexity to an already complex
API. I would not consider either to be a big improvement over proxies not
being able to forward private names unknown to them.

Another idea: interpret "undefined" as the sentinel value for the "get"
trap, but _only when intercepting a private name_. AFAICT, the only power
we take away from a proxy p then is that for a private name n, it cannot
state that p[n] is undefined while target[n] is not undefined.

By the way, it occurred to me that from a security perspective, it is odd
that a proxy p can decide on the outcome of p[n] even if it does not know
about n: a client of p might assume that p[n] is a "reliable" value, since
it could only have been stored there by another party with knowledge of n,
and "private names don't leak through proxies". Yet the proxy might fool
its client into thinking it does know of n, since it can provide a
non-undefined value for p[n]. That's an argument in favor of not allowing
proxies to intercept private names ever, not even with .public conversion.

Cheers,
Tom
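
An added sketch, not part of the message above or of any shipped API: a JavaScript model of the three options discussed (a per-call sentinel, `undefined` as the forwarding signal, and no interception of private names at all). `PrivateName`, `makeProxy`, the `getPrivate` trap and the mode names are hypothetical.

```javascript
// Model only: PrivateName, makeProxy and the getPrivate trap are hypothetical.
class PrivateName {
  constructor() {
    this.slots = new WeakMap();       // side table keyed by object
    this.public = Object.freeze({});  // opaque stand-in handed to traps
  }
}
const readDirect = (obj, n) => n.slots.get(obj);
const writeDirect = (obj, n, v) => { n.slots.set(obj, v); };

// mode "sentinel":  the trap gets a fresh per-call token and returns it to forward
// mode "undefined": an undefined trap result means "forward to target"
// mode "none":      private names are never shown to the handler
function makeProxy(target, handler, mode) {
  return {
    get(n) {
      if (mode === "none") return readDirect(target, n);
      const token = mode === "sentinel" ? {} : undefined; // per-call allocation
      const result = handler.getPrivate(target, n.public, token);
      return result === token ? readDirect(target, n) : result;
    },
  };
}

function demo() {
  const n = new PrivateName(); // the handlers below never hold n itself
  const target = {};
  writeDirect(target, n, "stored by a holder of n");

  const forwarder = { getPrivate: (t, pub, token) => token };
  const hider = { getPrivate: () => undefined };  // wants p[n] === undefined
  const forger = { getPrivate: () => "forged" };  // answers without knowing n

  return {
    sentinelForward: makeProxy(target, forwarder, "sentinel").get(n),
    undefinedForward: makeProxy(target, forwarder, "undefined").get(n),
    // With a sentinel the proxy can still report undefined for a set name ...
    sentinelHide: makeProxy(target, hider, "sentinel").get(n),
    // ... with undefined-as-forward that one power is lost.
    undefinedHide: makeProxy(target, hider, "undefined").get(n),
    // A trapped lookup lets the handler supply a value for a name it never knew.
    forgedWhenTrapped: makeProxy(target, forger, "undefined").get(n),
    // Without interception the client reads what a holder of n stored.
    forgedWhenNotTrapped: makeProxy(target, forger, "none").get(n),
  };
}

console.log(demo());
```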