Imposed guards


Overview

The right to handle an event may not imply the right to handle all occurrences of that event. SPIN provides dynamic access control over event delivery, ensuring that only legitimate handlers receive a given instance of an event raise. SPIN allows arbitrary predicates to be imposed on a handler to restrict when that handler may execute. For example, the virtual memory system may impose a guard that restricts an extension to handling page fault events only within its own address space. A predicate applied for the purpose of limiting access to an event is called an imposed guard. Imposed guards enable an event occurrence to be checked dynamically before it is delivered to a handler. More than one imposed guard may be installed for a binding, and the set of imposed guards for a binding can change over time.

The binding descriptor is passed only to the authorizer of the event for which the binding is created and to the caller of the binding creation procedure. As a result, only the module that creates the binding and the module that controls the event (and modules to which they pass the descriptor) have the capability to install an imposed guard.

Interface

PROCEDURE ImposeGuard(binding : Binding;
                      guard   : PROCANY;
                      closure : REFANY := NIL
                     ): ImposedGuard
                     RAISES { Error };

PROCEDURE UnimposeGuard(guard: ImposedGuard)
                       RAISES { Error };

Usage

ImposeGuard adds a guard to the set of imposed guards for a binding. The guard can take a closure.

UnimposeGuard removes a guard from the set of imposed guards for a binding.

Typing rules

The dispatcher dynamically checks the type of the imposed guard at the time it is associated with a binding according to the following rules:

Example

See the discussion of authorization for an example of use of imposed guards.
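As an added illustration, written in Python rather than Modula-3 and not SPIN's own dispatcher code, the model below mimics the semantics described above: a binding descriptor, ImposeGuard/UnimposeGuard with a closure, and delivery of an event instance to a handler only when every imposed guard accepts it. The `Dispatcher` class, `same_address_space`, the event-argument dictionary and the address-space names are assumptions of the model, and the page-fault scenario is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Binding:
    event: str
    handler: object          # procedure invoked with the event arguments
    guards: list = field(default_factory=list)  # imposed guards; may change over time

@dataclass
class ImposedGuard:
    binding: Binding
    guard: object            # predicate (closure, args) -> bool; True means "deliver"
    closure: object = None

class Dispatcher:
    def __init__(self):
        self.bindings = {}   # event name -> list of bindings

    def bind(self, event, handler):
        b = Binding(event, handler)
        self.bindings.setdefault(event, []).append(b)
        return b  # the binding descriptor: whoever holds it may impose guards

    def impose_guard(self, binding, guard, closure=None):
        if not callable(guard):  # stands in for the dispatcher's type check at impose time
            raise TypeError("guard must be a procedure")
        g = ImposedGuard(binding, guard, closure)
        binding.guards.append(g)
        return g

    def unimpose_guard(self, guard):
        guard.binding.guards.remove(guard)

    def raise_event(self, event, args):
        # An instance is delivered to a handler only if every imposed guard accepts it.
        return [b.handler(args) for b in self.bindings.get(event, [])
                if all(g.guard(g.closure, args) for g in b.guards)]

def same_address_space(closure, args):  # VM-system guard; closure = extension's own space
    return args["space"] == closure

def page_fault_demo():
    # Constructed scenario: returns the addresses delivered to the extension on each raise.
    d = Dispatcher()
    ext = d.bind("PageFault", lambda a: a["addr"])  # extension's page-fault handler
    g = d.impose_guard(ext, same_address_space, closure="ext_space")  # imposed by VM system
    r1 = d.raise_event("PageFault", {"space": "other_space", "addr": 0x1000})  # blocked
    r2 = d.raise_event("PageFault", {"space": "ext_space", "addr": 0x2000})    # delivered
    d.unimpose_guard(g)  # the guard set changes over time: no longer restricted
    r3 = d.raise_event("PageFault", {"space": "other_space", "addr": 0x3000})  # delivered
    return [r1, r2, r3]
```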


Przemek Pardyak, May 20th, 1996