[1133] in java-interest
Re: Java implementations should be tail recursive
daemon@ATHENA.MIT.EDU (James C Deikun)
Wed Aug 23 18:12:55 1995
Date: Wed, 23 Aug 1995 02:41:13 -0400 (EDT)
From: James C Deikun <jcdst10+@pitt.edu>
Reply-To: James C Deikun <jcdst10+@pitt.edu>
To: "John D. Ramsdell" <ramsdell@linus.mitre.org>
cc: java-interest@java.sun.com, ramsdell@mitre.org
In-Reply-To: <199508151946.PAA05087@goblin.mitre.org>
(Sorry about the delayed response on this.)
On Tue, 15 Aug 1995, John D. Ramsdell wrote:
> Thank you sending a thoughful response to my query on tail recursive
> implementations. I have not looked into the security methods used in
> Java, so I cannot address the issues specific to Sun's implementation.
To be honest, I haven't looked at the source myself--I don't like the
license. I was mainly responding based on the mechanisms it seemed as if
it were using, or would be likely to use in the future, based on my
experience with other systems.
> I have trouble understanding how security mechanisms eliminate the
> possibility of tail recursive for applications that execute within one
> security domain. Consider the following example of a state machine.
>
[example deleted]
>
> In this example, the call to state2 from state1 is a call to a
> statically known method. The lexical structure of the program ensures
> the caller and the callee are in the same security domain. There is
> no need to check stack frames or perform any other check to see if
> there is a change in the security domain. A goto is all that is needed.
Hm. In Java, yes, this seems to make sense, since a class is the
smallest cleanly separable piece of code, and the example takes place
between static class methods. So, in this case, a goto would likely be
all that was needed. Is this example, though, enough to justify the
complication in the runtime and debugger?
> Java, of course, is a dynamically linked language. In the general
> case, no compiler can know if a method invocation crosses a security
> domain. At run time, a tail recursive implementation would have to
> record transfers between security domains. A tail recursive
> implementation could push a special security frame on the control
> stack when a method is invoked across a security domain, but push
> nothing when the invocation stays within a security domain. The
> result would be that programmers could assume the implementation is
> tail recursive for single domain units of code.
This is a possible solution. Perhaps a reasonable definition of a
security domain for this purpose would be 'the set of methods defined in
a single class file'. Maybe it would be possible to come up with an even
broader definition, which would be likely to be more useful, but this is
somewhat uncertain.
> For security reasons, is it required that the callee's stack frame be
> on top of the stack, or is all that is required is that some stack
> frame from the callee's security domain be on top of the stack?
The latter, although in some languages the only adequate definition of a
security domain is a single method.
--
James "raise your hand if you're secure" Deikun
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
