Okay, we'll try this again... (darned cranky mail clients)

We've two big issues to deal with here--safety and security. While related they aren't the same and there are different things that need doing. As far as I can see it, we need four things:

1) An oploop that checks branch destinations for validity

2) Opcodes that check their parameters for basic sanity--valid register numbers (0-31) and basically correct (i.e. non-NULL) register contents

3) An oploop that checks basic quotas, mainly run time

4) Opcodes that check to see if you can actually do the thing you've requested

#s 1&2 are safety issues. #2, specifically, can be dealt with by the opcode preprocessor, generating op bodies that do validity checking. #1 needs a bounds-checking runloop, which we mostly have already. I'm comfortable getting this done now, and this is what the framework that's going in should be able to handle OK.

#s 3&4 deal with security. This... this is a dodgier issue. Security's easy to get wrong and hard to get right. (Though quotas are straightforward enough. Mostly) And once the framework's in place, there's the issue of performance--how do we get good performance in the common (insecure) case without sacrificing security in the secure case?

At any rate, perl 5's Safe module is a good example of the Wrong Way to do security, and as such we're going to take it as a cautionary tale rather than a template. For security I want to go with an explicit privilege model with privilege checking in parrot's internals, rather than counting on op functions to Do The Right Thing. That means that IO restrictions are imposed by the IO code, not the IO ops, and suchlike stuff. Generally speaking, we're going to emulate the VMS quota and privilege system, as it's reasonably good as these things go.

If we're going to tackle this, though, we need to pull in some folks who're actually competent at it before we do more than handwave about the design.
--
Dan


--------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
[EMAIL PROTECTED]                         have teddy bears and even
                                      teddy bears get drunk
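Added illustration (not Parrot code, and not from the message above): a toy runloop in C showing the three safety checks items 1-3 ask for, namely branch destinations bounds-checked against the code segment, register numbers validated against the 0-31 range before use, and a run-time quota expressed as an instruction-count limit. The instruction set, the status codes and the sample programs are all constructed for this example; a real bytecode format would of course differ.

```c
/* Added example, not Parrot's runloop: a bounds-checking toy interpreter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_REGS 32   /* registers are numbered 0..31 */

/* Constructed toy instruction set; each instruction is a run of int32 words. */
enum opcode { OP_END = 0, OP_SET, OP_ADD, OP_BRANCH, OP_BRANCH_IFNZ };
static const size_t op_words[] = { 1, 3, 4, 2, 3 };   /* words per opcode */

enum run_status {
    RUN_OK = 0, RUN_ERR_BAD_OPCODE, RUN_ERR_TRUNCATED, RUN_ERR_BAD_REG,
    RUN_ERR_BAD_BRANCH, RUN_ERR_FELL_OFF_END, RUN_ERR_QUOTA
};

static int reg_ok(int32_t r) { return r >= 0 && r < NUM_REGS; }

/* A branch target is an absolute word index; it must land inside the code. */
static int branch_ok(int32_t dest, size_t code_len) {
    return dest >= 0 && (size_t)dest < code_len;
}

#define CHECK_REG(r) do { if (!reg_ok(r)) return RUN_ERR_BAD_REG; } while (0)

/* Executes one instruction at *pc; rejects it before touching any state. */
static enum run_status step(const int32_t *code, size_t code_len,
                            size_t *pc, int32_t regs[NUM_REGS], int *halted)
{
    size_t at = *pc;
    if (at >= code_len) return RUN_ERR_FELL_OFF_END;
    int32_t op = code[at];
    if (op < OP_END || op > OP_BRANCH_IFNZ) return RUN_ERR_BAD_OPCODE;
    if (code_len - at < op_words[op]) return RUN_ERR_TRUNCATED;  /* operands present? */
    switch (op) {
    case OP_END:
        *halted = 1;
        return RUN_OK;
    case OP_SET:                        /* SET rd, imm */
        CHECK_REG(code[at + 1]);
        regs[code[at + 1]] = code[at + 2];
        *pc = at + 3;
        return RUN_OK;
    case OP_ADD:                        /* ADD rd, ra, rb (wrapping add) */
        CHECK_REG(code[at + 1]); CHECK_REG(code[at + 2]); CHECK_REG(code[at + 3]);
        regs[code[at + 1]] = (int32_t)((uint32_t)regs[code[at + 2]] +
                                       (uint32_t)regs[code[at + 3]]);
        *pc = at + 4;
        return RUN_OK;
    case OP_BRANCH:                     /* BRANCH dest */
        if (!branch_ok(code[at + 1], code_len)) return RUN_ERR_BAD_BRANCH;
        *pc = (size_t)code[at + 1];
        return RUN_OK;
    case OP_BRANCH_IFNZ:                /* BRANCH_IFNZ r, dest (dest checked even if not taken) */
        CHECK_REG(code[at + 1]);
        if (!branch_ok(code[at + 2], code_len)) return RUN_ERR_BAD_BRANCH;
        *pc = regs[code[at + 1]] ? (size_t)code[at + 2] : at + 3;
        return RUN_OK;
    }
    return RUN_ERR_BAD_OPCODE;
}

/* Runloop with a quota: at most max_ops instructions; *ops_used gets the count. */
enum run_status run(const int32_t *code, size_t code_len, int32_t regs[NUM_REGS],
                    uint64_t max_ops, uint64_t *ops_used)
{
    size_t pc = 0;
    uint64_t count = 0;
    int halted = 0;
    enum run_status st = RUN_OK;
    while (!halted) {
        if (count >= max_ops) { st = RUN_ERR_QUOTA; break; }
        count++;
        st = step(code, code_len, &pc, regs, &halted);
        if (st != RUN_OK) break;
    }
    if (ops_used) *ops_used = count;
    return st;
}

/* Constructed sample programs (comments give the word index of each instruction). */
static const int32_t prog_countdown[] = {
    OP_SET, 0, 3,               /*  0: r0 = 3              */
    OP_SET, 1, -1,              /*  3: r1 = -1             */
    OP_ADD, 0, 0, 1,            /*  6: r0 = r0 + r1        */
    OP_BRANCH_IFNZ, 0, 6,       /* 10: if r0 != 0 goto 6   */
    OP_END                      /* 13                      */
};
static const int32_t prog_bad_branch[] = { OP_BRANCH, 99 };       /* target outside code */
static const int32_t prog_bad_reg[]    = { OP_SET, 32, 1, OP_END }; /* register 32 does not exist */
static const int32_t prog_truncated[]  = { OP_SET, 0 };           /* operand missing */
static const int32_t prog_no_end[]     = { OP_SET, 0, 1 };        /* runs off the end */
static const int32_t prog_spin[]       = { OP_BRANCH, 0 };        /* infinite loop */

#define WORDS(p) (sizeof(p) / sizeof((p)[0]))

int32_t  last_regs[NUM_REGS];   /* register file left behind by run_fresh */
uint64_t last_ops;              /* instruction count of the last run_fresh */

/* Runs a program on zeroed registers under the given quota. */
enum run_status run_fresh(const int32_t *code, size_t code_len, uint64_t max_ops)
{
    for (int i = 0; i < NUM_REGS; i++) last_regs[i] = 0;
    return run(code, code_len, last_regs, max_ops, &last_ops);
}

int main(void)
{
    enum run_status st = run_fresh(prog_countdown, WORDS(prog_countdown), 100);
    printf("countdown: status %d, r0=%d, ops=%llu\n", (int)st, last_regs[0],
           (unsigned long long)last_ops);
    st = run_fresh(prog_spin, WORDS(prog_spin), 1000);
    printf("spin: status %d after %llu ops\n", (int)st, (unsigned long long)last_ops);
    printf("bad branch: %d\n", (int)run_fresh(prog_bad_branch, WORDS(prog_bad_branch), 10));
    printf("bad reg: %d\n", (int)run_fresh(prog_bad_reg, WORDS(prog_bad_reg), 10));
    return 0;
}
```

The point of the split into step() and run() is that the per-op checks (register range, operands present, branch target inside the code) live in one place the opcode bodies cannot skip, which is what generating them from the preprocessor buys you, while the quota is enforced by the loop that dispatches, so a malicious or merely buggy program cannot starve the host no matter what ops it contains. Branch targets are checked on both arms of the conditional, so invalid code is rejected whether or not the bad path is taken.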