struct contracts do not protect reflective operations through struct-info #2359

lexi-lambda · 2018-11-06T17:17:08Z

As reported by @LiberalArtist on the mailing list, struct contracts can be subverted if you have a sufficiently powerful inspector:

#lang racket

(module s racket
  (provide (contract-out [struct must-be-integer ([v integer?])]))
  (struct must-be-integer (v)))

(require racket/runtime-path)

(define-runtime-module-path-index s-mpi '(submod "." s))

(define-values [struct:must-be-integer must-be-integer must-be-integer-v]
  (parameterize ([current-inspector (make-inspector)])
    (values (dynamic-require s-mpi 'struct:must-be-integer)
            (dynamic-require s-mpi 'must-be-integer)
            (dynamic-require s-mpi 'must-be-integer-v))))

; Succeeds, but shouldn’t!
((struct-type-make-constructor struct:must-be-integer) "not an integer")

; Also succeeds, but shouldn’t!
(define-values [struct:must-be-integer* skipped?] (struct-info (must-be-integer 1)))
((struct-type-make-constructor struct:must-be-integer*) "not an integer")

This could be a source of unsoundness in Typed Racket, as reported in racket/typed-racket#787.

lexi-lambda mentioned this issue Nov 6, 2018

Typed/untyped interop is unsound for structs, given a sufficiently powerful inspector racket/typed-racket#787

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

struct contracts do not protect reflective operations through struct-info #2359

struct contracts do not protect reflective operations through struct-info #2359

lexi-lambda commented Nov 6, 2018 •

edited

struct contracts do not protect reflective operations through struct-info #2359

struct contracts do not protect reflective operations through struct-info #2359

Comments

lexi-lambda commented Nov 6, 2018 • edited

lexi-lambda commented Nov 6, 2018 •

edited