Private symbols vs property attributes

David Bruant bruant.d at
Wed Feb 13 13:20:08 PST 2013

Le 13/02/2013 21:56, Mark S. Miller a écrit :
> On Wed, Feb 13, 2013 at 11:17 AM, Tom Van Cutsem < at 
> < at>> wrote:
>     2013/2/10 Mark Miller <erights at <mailto:erights at>>
>         How does this interact with Proxies[1]? I know the answer
>         probably starts with "whitelist", but let's spell it out in
>         this context, and test it against the 8 membrane transparency
>         cases previously discussed.
>     When thinking about symbol "leaks", we must consider two cases:
>     a) leaking a symbol by having it show up in reflective query
>     methods on ordinary objects
>     b) leaking a symbol by inadvertently applying a symbol-keyed
>     operation on a proxy
>     Andreas' proposal of having a symbol's enumerability depend on a
>     property attribute makes a lot of sense and deals with problem a).
>     OTOH, it does not address leaks of type b). In order to prevent
>     those, proxies currently use the whitelist.
>     If we lose the a-priori distinction between unique and private
>     symbols and introduce only 1 type of symbol, then proxies must
>     treat all symbols like they currently treat private symbols.
>     The annoying thing about that is that well-known symbols like
>     @@create and @@iterator must be explicitly added to a proxy's
>     whitelist in order for the proxy to intercept them, but at least
>     it's doable.
>     W.r.t. membranes, AFAICT this proposal changes nothing re. the
>     interaction between private symbols and proxies. Membranes would
>     still need the "unknownPrivateSymbol" trap to stop unknown private
>     symbol access from piercing the membrane.
> AFAICT, that trap wouldn't provide transparency for the membrane 
> crossing cases. Is there anything about this new proposal that could 
> improve on that?
The trap in itself no, but it's possible to keep track of all exchanged 
symbols and add them to the whitelists as they are observed before being 
shared. It all relies on the fact that for 2 parties to exchange 
symbols, they have to share it through a "public" communication first 
(get trap, etc.).
At some point, I thought it had a runtime cost, but Tom proved me wrong [1].
It seems realistic to consider that all proxies of the same membrane can 
all share the same set instance as a whitelist making the space cost as 
small as it could be.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list