You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using redirect-generics, chaperone-generics, impersonate-generics, etc., a client module can exfiltrate a server module's implementations of generic methods and apply them to arguments that break the server module's invariants. For example, consider the following program, where the definition of list-stream comes from the gen:stream documentation:
I think the argument to a method-proc-expr (i.e., in the above example, the version of stream-first passed to return) should be chaperoned to check that it is applied to a suitable argument. The contract for Self requires an argument eq? to the value to which the property accessor procedure was applied: in this case, it seems like it might be adequate to check that the values have the same generic method table, but @capfredf or @samth would have better insight into the nuances.
Some tangential observations:
As the comment next to stream-first in the above example mentions, a method-proc-expr isn't called when the chaperone is created: instead, it seems to be called each time the corresponding method is called. This surprised me, and it doesn't seem to be required by the docs, which just say, "The impersonator applies the results of the method-proc-exprs to the structure’s implementation of the corresponding method-ids, and replaces the method implementation with the result."
This expression produces an error without ever getting to the specific implementation of stream-first:
Using
redirect-generics
,chaperone-generics
,impersonate-generics
, etc., a client module can exfiltrate a server module's implementations of generic methods and apply them to arguments that break the server module's invariants. For example, consider the following program, where the definition oflist-stream
comes from thegen:stream
documentation:This seems like an instance of the problem from @capfredf and @samth's "Type Checking Extracted Methods" (related to TR's
Self
; see also the guide section). (Less directly, it also reminded me of the issue that inspiredstruct-guard/c
.)I think the argument to a
method-proc-expr
(i.e., in the above example, the version ofstream-first
passed toreturn
) should be chaperoned to check that it is applied to a suitable argument. The contract forSelf
requires an argumenteq?
to the value to which the property accessor procedure was applied: in this case, it seems like it might be adequate to check that the values have the same generic method table, but @capfredf or @samth would have better insight into the nuances.Some tangential observations:
stream-first
in the above example mentions, amethod-proc-expr
isn't called when the chaperone is created: instead, it seems to be called each time the corresponding method is called. This surprised me, and it doesn't seem to be required by the docs, which just say, "The impersonator applies the results of themethod-proc-expr
s to the structure’s implementation of the correspondingmethod-id
s, and replaces the method implementation with the result."stream-first
:The text was updated successfully, but these errors were encountered: