[racket-dev] syntax taints instead of syntax certificates

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Wed Jun 29 22:55:17 EDT 2011

> >> 8 minutes ago, Carl Eastlund wrote:
> >> > On Wed, Jun 29, 2011 at 9:19 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
> >> > > Things you need to know:
> >> > >
> >> > >  * When writing a macro (without `syntax-rules', `define-syntax-rule',
> >> > >   or `syntax-id-rules'), apply `syntax-protect' to the macro's result
> >> > >   syntax object to protect it from abuse. The `syntax-rules', etc.,
> >> > >   forms use `syntax-protect' automatically.
> >> >
> >> > Does this mean we should be updating all our old macros now, and
> >> > adding syntax-protect as boilerplate to (nearly) all of our new
> >> > macros?  How often is a manual syntax-protect necessary?

I think you want to use `syntax-protect' on any exported macro.

It only actually matters if some untrusted code is going to use a
trusted instance of your library. Macros exported by `racket' are
surely in that category, but maybe it doesn't matter for most
libraries.

> >> > It's great
> >> > to have a system we can reason about, but the nice thing about
> >> > certificates was that they were invisible most of the time.  It
> >> > looks like you're suggesting that at least the use of syntax-protect
> >> > is going to become ubiquitous in this new system.

Having to decorate trustworthy libraries with `syntax-protect' is
definitely a drawback.

> On Wed, Jun 29, 2011 at 10:10 PM, Eli Barzilay <eli at barzilay.org> wrote:
> > An attempt to clarify what's unclear to me: if I'm supposed to almost
> > always "arm" the result of a transformer, then why not have the
> > expander do that for me, and add some new thing so in the exceptional
> > cases I could do
> >
> >  (define-syntax (foo stx)
> >    (dont-arm ...blah...))
> >
> > ?

Sorry --- that point was buried too deeply in my message (first
sub-bullet for the last bullet in the third set of bullets).

The problem with having the macro transformer add `syntax-protect' for

 (define-syntax bar
   (lambda (stx) ...))

is that some other transformer can say

 ((syntax-local-value #'bar) stx)

to get the transformer's result without `syntax-protect' --- which was
a gaping hole that Ryan noticed in the certificate system.

We considered ways of automating `syntax-protect' for all macros, but
the ways we found seemed to create more problems than they solved.
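An added example (not part of Matthew's message or of the Racket code base) showing the two patterns discussed above: a macro that arms its own result with `syntax-protect`, a naive one that does not, and a third macro that fetches each transformer with `syntax-local-value` and calls it directly, the path the message describes. The names `swap!`, `naive-swap!` and `call-transformer-directly` are mine.

```racket
#lang racket/base
(require (for-syntax racket/base))

;; Recommended pattern: the exported macro arms its own result, so the
;; protection travels with the transformer rather than with the expander.
(define-syntax (swap! stx)
  (syntax-case stx ()
    [(_ a b)
     (syntax-protect
      #'(let ([tmp a]) (set! a b) (set! b tmp)))]))

;; Pattern the message warns about: the transformer returns bare syntax
;; and would have to rely on the expander to arm it afterwards.
(define-syntax (naive-swap! stx)
  (syntax-case stx ()
    [(_ a b)
     #'(let ([tmp a]) (set! a b) (set! b tmp))]))

;; Bypass the expander: look up the transformer procedure bound to
;; macro-id and apply it to a freshly built use of the macro, exactly as
;; ((syntax-local-value #'bar) stx) does in the message.  swap! still
;; hands back an armed form; naive-swap! hands back an unarmed one, which
;; is the hole that expander-side automatic arming could not close.
(define-syntax (call-transformer-directly stx)
  (syntax-case stx ()
    [(_ macro-id a b)
     ((syntax-local-value #'macro-id) #'(macro-id a b))]))

(define x 1)
(define y 2)
(call-transformer-directly swap! x y)
(unless (equal? (list x y) '(2 1))
  (error "swap! via direct transformer call did not swap"))
(call-transformer-directly naive-swap! x y)
(unless (equal? (list x y) '(1 2))
  (error "naive-swap! via direct transformer call did not swap"))
```

Both calls swap `x` and `y`; the difference is only whether the form handed back to the caller is armed, which is what decides whether a third-party macro may take that form apart and reuse its pieces.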

Posted on the dev mailing list.