"Taint" and (internal) copy constructors

Ruby IronRuby
1

Currently, the copy constructors for the MutableString class will “lose”
the
taint flag on the string being copied. One practical consequence of
this is
that any builtins that store local copies of the MutableString would
have to
manually fix the taint flag. Wouldn’t it be better if the default
behavior
were to preserve this information?

Under CRuby,
a = “123” => “123”
a.taint => “123”
a.clone.tainted? => true a[1,1].tainted? => true

Under IronRuby,
a = “123” => “123”
a.taint => “123”
a.clone.tainted? => true
a[1,1].tainted? => false

It appears that RubyUtils.TryCopyObject is the only place where this
flag is
preserved, and this function is called by both Object.clone and
Object.dup.

2

Freezing and tainting are not supported yet. We have only “stubs” for
them today.

Tomas

From: [email protected]
[mailto:[email protected]] On Behalf Of Curt
Hagenlocher
Sent: Wednesday, October 24, 2007 11:06 PM
To: [email protected]
Subject: [Ironruby-core] “Taint” and (internal) copy constructors

Currently, the copy constructors for the MutableString class will “lose”
the taint flag on the string being copied. One practical consequence of
this is that any builtins that store local copies of the MutableString
would have to manually fix the taint flag. Wouldn’t it be better if the
default behavior were to preserve this information?

Under CRuby,
a = “123” => “123”
a.taint => “123”
a.clone.tainted? => true
a[1,1].tainted? => true

Under IronRuby,
a = “123” => “123”
a.taint => “123”
a.clone.tainted? => true
a[1,1].tainted? => false

It appears that RubyUtils.TryCopyObject is the only place where this
flag is preserved, and this function is called by both Object.clone and
Object.dup.

3

Curt H. wrote:

Currently, the copy constructors for the MutableString class will “lose”
the taint flag on the string being copied. One practical consequence of
this is that any builtins that store local copies of the MutableString
would have to manually fix the taint flag. Wouldn’t it be better if the
default behavior were to preserve this information?

JRuby mimics this behavior, but we’ve debated just kicking taint and
SAFE out the window. They’re not provably safe (even in MRI), so they’re
almost certainly unsafe…and woah, the overhead.

Most folks using JRuby now just assume neither work.

  • Charlie
4

On 10/25/07, Charles Oliver N. [email protected] wrote:

JRuby mimics this behavior, but we’ve debated just kicking taint and
SAFE out the window. They’re not provably safe (even in MRI), so they’re
almost certainly unsafe…and woah, the overhead.

Most folks using JRuby now just assume neither work.

Both taint and frozen have a very 90s Perl feel to them :). Being new
to
Ruby, I have absolutely no feel for how often they’re used (with CRuby).

5

On 10/25/07, Charles Oliver N. [email protected] wrote:

frozen is another thing entirely, and it has good uses (locking down
strings and arrays so they can’t be modified, for example).

Are extensions not able to ignore “frozen”, then?

Other than strings and arrays, it’s hard for me to see a compelling
reason
for this feature. But then, my thinking is undoubtedly influenced by
Python, where strings are immutable and “frozen arrays” are called
tuples. :slight_smile:

More to the point of this list, though, how can you decide which
features of
CRuby to ignore? It can’t just be a matter of overhead, because the
overhead for “taint” seems to be almost exactly the same as that for
“frozen” – both features require you to keep external bookkeeping
information for objects defined outside of Ruby when the feature is
used.

6

Curt H. wrote:

Both taint and frozen have a very 90s Perl feel to them :). Being new
to Ruby, I have absolutely no feel for how often they’re used (with CRuby).

frozen is another thing entirely, and it has good uses (locking down
strings and arrays so they can’t be modified, for example). But
taint/SAFE are (IMHO) ugly, dated mechanisms for handling security, by
sprinkling security checks all over high-level method calls and hoping
you don’t miss any. Not to mention extensions can ignore tainting
completely. Yucko.

  • Charlie
7

Curt H. wrote:

On 10/25/07, Charles Oliver N. <[email protected]
mailto:[email protected]> wrote:

frozen is another thing entirely, and it has good uses (locking down
strings and arrays so they can't be modified, for example).

Are extensions not able to ignore “frozen”, then?

No, extensions can pretty much do anything they want, which is why they
suck and why it’s nearly impossible for any non-C-based implementation
to ever support them.

Other than strings and arrays, it’s hard for me to see a compelling
reason for this feature. But then, my thinking is undoubtedly
influenced by Python, where strings are immutable and “frozen arrays”
are called tuples. :slight_smile:

Even .NET and Java collection libraries provide ways to get immutable
collections; it’s similar to this. But regardless of whether you think
it’s useful, the important point is below…

More to the point of this list, though, how can you decide which
features of CRuby to ignore? It can’t just be a matter of overhead,
because the overhead for “taint” seems to be almost exactly the same as
that for “frozen” – both features require you to keep external
bookkeeping information for objects defined outside of Ruby when the
feature is used.

You can decide what features to ignore once you know what features are
needed for existing apps to run. For example…JRuby can run Rails and
just about anything else that’s pure Ruby, so we’ve been able to
determine that certain optimizations are safe and certain features can
be safely “unsupported”. It’s really, really hard to make that
determination before you can run nontrivial apps, but you can learn from
others.

I’d say the only feature we gave up on early was continuations, and I
actually made a serious effort to support them until we discovered how
infrequently they were used in the real world. I shall miss my stackless
interpreter, slow though it was.

  • Charlie