World: r3wp

ctr1/read
== 2
>> ctr1/bump
== 3
bl: [c]
== [c]
>> f: get in ctr1 'read
>> o: third tenth second :f
>> bind bl first second get in o 'read
== [c]
>> set first bl 12
== 12
>> ctr1/read
== 12

:-)


But how you want to prevent this ? I mean what property you talked 
about would get lost ?

Good job. The property lost will be the ability  to change a class 
method and propagating the new behaviour to all instances at the 
same time.

Just saw - a little bit easier would have been to do it with *-private-*.

Now you got it completely. That is the backdoor.

I have access to global context, can patch functions there (which 
you use - or?) and traverse everything. Hmm, could clone all meazines 
and never return. then the only reference is from the stack, which 
is not traversable.

behavior change: you mean by copying the code and hiding it in a 
'use ?

or something like that ?

Yes.

That's my problem with Rebol, on the one side I hate this vulnerability, 
on the other side it's so nice to be able to bind around like wished.

Well ObjC allows you to bind to anything and instrospect anything. 
So I think is all is good.

Here is the safe version:

CounterClass: context [
	c: 0
	bump: does [c: c + 1]
	read: does [c]
	bump-by: func [inc][c: c + inc]
]

make-instance: func [
	class
	/local class-vars instance-data class-methods v
][
	class-vars: copy [*-private-*]
	class-methods: copy []
	instance-data: copy []
	foreach w next first class [
		either function! = type? v: get in class :w [
			append class-methods compose/deep [
				(to set-word! :w) func [(third :v)] [

     (bind copy second get in class (to lit-word! :w) '*-private-*)
				]
			]
		][	
			append class-vars :w
			append instance-data reduce [to set-word! :w :v]
		]
	]
	use class-vars compose/deep  [
		(instance-data)
		context [(class-methods)]
	]
]

ctr1: make-instance CounterClass
ctr2: make-instance CounterClass

ctr1/bump ctr1/bump ctr1/read
ctr2/bump ctr2/read

I didn't know this - thought always only a highly dynamic language 
would allow this - but never watched ObjC - thought it's also kind 
of C++ - just that they went into a different direction at some point, 
more pure OO.

The object-part is quite smalltalk afaik. Only they skip the bytecode-interpreter 
and "inline" the calls to c.

Correct.

unfortunately easier: :-(  so my thoughts seamed to be wrong as well

f: get in ctr1 'read
>> ctr1/read
== 2
>> set first second :f 12
== 12
>> ctr1/read
== 12

If the interpreter can find a way from the console to the access, 
a selfmade "interpreter" can find it too.

I think the problem is simply that one can't really prevent the use 
of the words in the code of the functions in the object.

Jep.

MichaelB. I thought I have done it. Ok. It was a good try. I like 
the first version though. I enables for some neat stuff. Even when 
having some holes.

Volker: actually you explanation sounds almost like a proof to forget 
it completely. Too simple - but Rebol is all about words getting 
interpreted.

I think that is no big problem. If you give code-control, you are 
doomed anyway. Hmm, could be used to have a password to login and 
destroy it reliable.

The secure way is to launch an external process to run user-code 
IMHO. Add 'secure unset 'struct! and hope there are no overflowes. 
Should be pretty save.

Jaime: I saved you code - it's nice nevertheless. :-)

Not completely - the code still needs access to the global context. 
if you bind every word in an own context and put selected functions 
there, it would work. Still tricky, for example 'second can not be 
exposed, else you get the functions body. I may forget other issues.

BTW would be nice if secure would support ulimit-calls.

That's one of my problems if I would like to have capability security 
in Rebol - all these omnipotent (is this the right word?) words, 
shouldn't be allowed - eg. only if my code gives out the right to 
introspect itself something like 'second should be calleable.

what does that mean ? the secure thing ?

something like
 secure [file quit %./public allow memory 2000 timeout 2]

There are cals for such restrictions in linux AFAIK, could be used 
on osses whith such features.

Ah. MichaelB, You want E.

Can E restrict runtime too? To kill infinite loops?

Don't know E. Only know that E offers the capability model. BTW, 
Infinite loops are only a worry if they consume resources. You could 
in theory always have lazy loops (which are infinite by default).

I want to run user-code for a request. Would prefer if that finishes 
after a while. Or, to resrict cpu-usage at least. Hmm, i guess e 
has threads, so could use a guard-thread maybe. if killing that is 
secure.

Is there a web-server in e? To use rebol thru cgi-style api?

lazy infinity loops == threads, almost.

Do you know how to do cgi-style-calls in c? where c and rebol communicate 
thru kind of bidirectional pipeline?

I'm no E expert - just know it from reading - but I like the capability 
model. So I guess E has nothing to restrict the runtime - I thought 
due to the fact that it can't be predicted, whether a computation 
stops, there will be anyway always some "hole". But I would like 
to have some restrictions on CPU usage say for windows (as Solaris 
seams to have it) - can't stand that copying some files can kill 
the whole system. But maybe this is something what doesn't belong 
to the language but to the OS offering the foundation ?

But language can help here.

Jaime as you talked about Haskell lately: if I remember correctly 
it has lazy evaluation, so would this help in the general case ? 
Was this what you were pointing to ?

Yes. I think that anyone will benefit from reading this: http://mitpress.mit.edu/books/chapters/0262220695chap1.pdf
(It inspired me to write make-instance).

BTW I just changed make instance to use closures. I like it better.

make-instance: closure [
	class [object!]
	/local class-vars instance-data class-methods v
][
	class-vars: copy [*-private-*]
	class-methods: copy []
	instance-data: copy []
	foreach w next first class [
		either function! = type? v: get in class :w [
			append class-methods compose/deep [
				(to set-word! :w) func [(first :v)] [
					bind second get in class (to lit-word! :w) '*-private-*
					do reduce [get in class (to lit-word! :w) (first :v)]
				]
			]
		][	
			append class-vars :w
			append instance-data reduce [to set-word! :w :v]
		]
	]
	use class-vars compose/deep  [
		(instance-data)
		context [(class-methods)]
	]
]

maybe a stupid question, but is this chapter out of that book http://www.amazon.com/gp/product/0262220695/qid=1136588064/sr=8-1/ref=pd_bbs_1/102-4260152-7911319?n=507846&s=books&v=glance
??

Another thing that would interest me, is how is the speed impact 
when using your above function, now even with closures - I mean the 
closure function copies everything on invocation and also make-instance 
itself binds everytime anew?

It is going to be slower, but not that bad.

>> time-block [CounterClass/bump] 0.05
== 4.234619140625E-6
>> time-block [ctr1/bump] 0.05        
== 1.17197799682617E-5
>> a: 4.234619140625E-6 
== 4.234619140625E-6
>> b: 1.17197799682617E-5
== 1.17197799682617E-5
>> a / b
== 0.361322409814242
>> b / a
== 2.7676113433266

It is slower because of binding

But not that much, given all the stuff that happends.

do reduce [get in class (to lit-word! :w) (first :v)]
->
do get in class (to lit-word! :w) (first :v) ; should work too

either function! = type? v: get in class :w [
->
either function? v: get in class :w [