[plt-scheme] Serializable continuations?

From: Jim Blandy (jimb at red-bean.com)
Date: Thu Feb 9 18:03:59 EST 2006

On 2/9/06, pedro pinto <pedro.e.pinto at gmail.com> wrote:
> I was wondering if there is any work being done on making continuations
> serializable? Is it conceivable that continuations could be embedded in
> URLs or hidden fields?
>
> Seems like small, serializable continuations would pretty much eliminate
> some of the standard objections to continuation based web programming
> (timeout based GC, no load balancing).

I was thinking about this, and was a bit discouraged.

The serialized form of a continuation either includes the code along
with the environments and store locations or it doesn't.

If it does, then you're effectively stashing entire scripts,
environments, and heaps in your hidden fields (or URLs!).  That's a
lot of info.  And a pretty big security hole, since resuming the
continuation entails basically loading a program state from an
untrusted source and resuming it.

If it doesn't include them, then even minor changes to the code
running on the server --- adding a local variable somewhere, say ---
could introduce a mismatch between the continuations stored in
people's browsers and the code that would resume under their guidance.
Serialized continuations are, in effect, a data format that is
extremely sensitive to the exact code the server is running.

This is a problem that applies to all sorts of automatic persistence
tactics.  You're taking the states your program can occupy and making
a file format that can represent them.  But since you're not exerting
any judgement over what goes in the file and what doesn't, minor
changes in your program's code result in, effectively, incompatible
file formats.


Posted on the users mailing list.
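
An added example, not part of the original post or of any PLT Scheme code: a Python sketch of a data-only resume token for a hidden field, showing the two failure modes the message describes being turned into clean rejections. The step tables, key, and function names are hypothetical, and the HMAC tag and layout fingerprint are assumptions of this sketch rather than anything the thread proposes.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the server

# Hypothetical resume points: step name -> names of the locals live at that point.
STEPS_V1 = {"ask_quantity": ["item_id"], "confirm": ["item_id", "quantity"]}
# The same program after "adding a local variable somewhere".
STEPS_V2 = {"ask_quantity": ["item_id"], "confirm": ["item_id", "quantity", "coupon"]}

def fingerprint(steps):
    """Hash of the frame layout; changes whenever any step's locals change."""
    return hashlib.sha256(json.dumps(steps, sort_keys=True).encode()).hexdigest()[:16]

def freeze(steps, step, local_vars):
    """Serialize a resume point as data only (no code) and authenticate it."""
    if sorted(local_vars) != sorted(steps[step]):
        raise ValueError("locals do not match frame layout")
    body = json.dumps({"v": fingerprint(steps), "step": step, "locals": local_vars},
                      sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def thaw(steps, token):
    """Return (step, locals); raise ValueError for forged or stale tokens."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        raise ValueError("malformed token") from None
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    # Check the tag before parsing anything the client could have edited.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: token not issued by this server")
    state = json.loads(body)
    # A token minted by older code is refused instead of resumed against new frames.
    if state["v"] != fingerprint(steps):
        raise ValueError("stale token: server code changed")
    return state["step"], state["locals"]
```

The token's locals are authenticated but still readable by the client, so nothing secret belongs in them.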