Open sudo-jaa opened 3 months ago
This may be a bug in the compiler. A type is opaque if its signature appears in the .aui
file as type Foo;
rather than explicitly as a record
or union
. It shouldn't be possible to call the constructor for such types outside the module that defines them.
I've been learning a lot reading through the specification and tutorial for Austral. It's a great project!
Specifically i've been looking at the tutorial page for capability-based security and i'm having a little trouble wrapping my head around something and was hoping somebody may be able to help clarify (what I assume) is a misconception of mine.
Regarding:
The tutorial explains that creating an
EnvCap
capability as a Linear Type is a way of ensuring a consumer of a module has access to the Root Capability. It mentions that:This concept of the opaque type is where i'm getting stuck, as it's not obvious to me how the
EnvCap
type is marked asopaque
. Copying this.aui
file from the tutorial and creating a basic module body for it still allows me to importEnvCap
and, more importantly, create an instance of the record type usinglet env_cap: EnvCap := EnvCap();
, bypassing the requirement for theacquire
function at all, letting me forge anEnvCap
capability which as I understand should not be possible.I thought that maybe i'd done something silly in my implementation of the module body, so I found a similar capability pattern in standard IO.aum and IO.aui for the
TerminalCapability
and copied it to my test project and found the same issue.The following program is accepted by the compiler - creating a TerminalCapability without needing to call the
acquireTerminal
function, nor pass it aRootCapability
The most obvious explanation here is that my interpretation of opaque types is incorrect. Any help in figuring out where my understanding has gone wrong would be appreciated.
Thanks!