[racket-dev] syntax taints instead of syntax certificates

From: Carl Eastlund (cce at ccs.neu.edu)
Date: Wed Jun 29 23:01:45 EDT 2011

On Wed, Jun 29, 2011 at 10:55 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
>> >> 8 minutes ago, Carl Eastlund wrote:
>> >> > On Wed, Jun 29, 2011 at 9:19 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
>> >> > > Things you need to know:
>> >> > >
>> >> > >  * When writing a macro (without `syntax-rules', `define-syntax-rule',
>> >> > >   or `syntax-id-rules'), apply `syntax-protect' to the macro's result
>> >> > >   syntax object to protect it from abuse. The `syntax-rules', etc.,
>> >> > >   forms use `syntax-protect' automatically.
>> >> >
>> >> > Does this mean we should be updating all our old macros now, and
>> >> > adding syntax-protect as boilerplate to (nearly) all of our new
>> >> > macros?  How often is a manual syntax-protect necessary?
>
> I think you want to use `syntax-protect' on any exported macro.
>
> It only actually matters if some untrusted code is going to use a
> trusted instance of your library. Macros exported by `racket' are
> surely in that category, but maybe it doesn't matter for most
> libraries.
>
>> >> > It's great
>> >> > to have a system we can reason about, but the nice thing about
>> >> > certificates was that they were invisible most of the time.  It
>> >> > looks like you're suggesting that at least the use of syntax-protect
>> >> > is going to become ubiquitous in this new system.
>
> Having to decorate trustworthy libraries with `syntax-protect' is
> definitely a drawback.
>
>> On Wed, Jun 29, 2011 at 10:10 PM, Eli Barzilay <eli at barzilay.org> wrote:
>> > An attempt to clarify what's unclear to me: if I'm supposed to almost
>> > always "arm" the result of a transformer, then why not have the
>> > expander do that for me, and add some new thing so in the exceptional
>> > cases I could do
>> >
>> >  (define-syntax (foo stx)
>> >    (dont-arm ...blah...))
>> >
>> > ?
>
> Sorry --- that point was buried too deeply in my message (first
> sub-bullet for the last bullet in the third set of bullets).
>
> The problem with having the macro transformer add `syntax-protect' for
>
>  (define-syntax bar
>   (lambda (stx) ...))
>
> is that some other transformer can say
>
>  ((syntax-local-value #'bar) stx)
>
> to get the transformer's result without `syntax-protect' --- which was
> a gaping hole that Ryan noticed in the certificate system.
>
> We considered ways of automating `syntax-protect' for all macros, but
> the ways we found seemed to create more problems than they solved.

Thank you, that greatly clarifies the issue for me.  Of course I would
like to see syntax-case and syntax-parse have options to automatically
syntax-protect as well; that will cover a lot more common cases for
me.  But now I can see where the trade-offs are that resulted in this
design.

--Carl
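
As an added illustration (not code from the thread), here is what the manual `syntax-protect' placement Matthew describes looks like for a macro written with `syntax-case', beside the equivalent `syntax-rules' version that arms its result automatically; the macro name `with-logging' is made up for this example.

```racket
#lang racket/base
(require (for-syntax racket/base))
(provide with-logging with-logging/rules)

;; Hand-written transformer, the `(define-syntax bar (lambda (stx) ...))'
;; case from the thread. `syntax-protect' is applied inside the transformer
;; procedure itself, so the result comes out armed even when another
;; transformer bypasses the expander and calls
;; `((syntax-local-value #'with-logging) stx)' directly.
(define-syntax (with-logging stx)
  (syntax-case stx ()
    [(_ label body0 body ...)
     (syntax-protect
      #'(let ([result (let () body0 body ...)])
          (printf "~a => ~v\n" label result)
          result))]))

;; Same macro via `syntax-rules', which applies `syntax-protect' for us,
;; so no explicit call is needed here.
(define-syntax with-logging/rules
  (syntax-rules ()
    [(_ label body0 body ...)
     (let ([result (let () body0 body ...)])
       (printf "~a => ~v\n" label result)
       result)]))

;; Hypothetical uses; both expansions are armed.
(module+ main
  (with-logging "sum" (+ 1 2))
  (with-logging/rules "product" (* 2 3)))
```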



Posted on the dev mailing list.