From: Romain Bardou <romain.bardou@inria.fr>
To: caml-list@inria.fr
Subject: Re: [Caml-list] Marshall.from_channel and segmentation fault
Date: Fri, 12 Jun 2015 09:39:39 +0200
Message-ID: <557A8CBB.5050306@inria.fr>
In-Reply-To: <20150612052738.GA3684@pllab.is.ocha.ac.jp>

On 12/06/2015 07:27, Kenichi Asai wrote:
> The OCaml manual for the Marshal module says:
>
>> (Marshal.from_channel chan : type). Anything can happen at run-time
>> if the object in the file does not belong to the given type.
>
> and this "Anything" contains segmentation fault. Is it difficult to
> avoid this segmentation fault and, e.g., raise an exception instead?
>
> Sincerely,
>

You have to check that you will not dereference invalid pointers.
Basically you need to type-check the value at runtime before using it.
If you have a runtime representation of the type of your value, you may
be able to do so using Obj. But if you have a runtime representation of
the type, Marshal suddenly becomes less interesting as you can use this
representation to guide serialization anyway.

Because of this, Marshal is mostly used when one knows through other
means that only values of the right type are deserialized. This means
that Marshal should not be used for network applications where the
remote peer cannot be trusted to always send values of the right type.
An attacker could send an ill-formed value to crash the server, for
instance. Or, the remote peer may simply not be up-to-date and use other
types for its values.

Marshal is better suited to saving data locally. It will still fail if
one tries to use values from another application or another version of
the same application with incompatible types. In other words it will not
be backward compatible when types change, so Marshal is better suited
for temporary files. For instance, .cmi files are marshaled values, if
I'm not mistaken.

To sum up: yes, it is difficult.

Cheers,
--
Romain Bardou
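
The alternative the message points to, a runtime representation of the type guiding serialization instead of Marshal, as an added example that is not part of the original message or of the OCaml distribution. The `ty` GADT, `encode`, `decode` and `Malformed` are hypothetical names, the wire format is made up for the example, and OCaml 4.14 or later is assumed.

```ocaml
exception Malformed of string

(* Added example, hypothetical names: runtime representation of the
   types we agree to (de)serialize. *)
type _ ty =
  | Int : int ty
  | String : string ty
  | List : 'a ty -> 'a list ty
  | Pair : 'a ty * 'b ty -> ('a * 'b) ty

(* Integers and lengths are written as 8 bytes, big-endian. *)
let rec encode : type a. a ty -> Buffer.t -> a -> unit = fun ty buf v ->
  match ty with
  | Int -> Buffer.add_int64_be buf (Int64.of_int v)
  | String -> encode Int buf (String.length v); Buffer.add_string buf v
  | List t -> encode Int buf (List.length v); List.iter (encode t buf) v
  | Pair (a, b) -> encode a buf (fst v); encode b buf (snd v)

(* Every read is bounds-checked, so bad input raises Malformed. *)
let rec decode : type a. a ty -> string -> int ref -> a = fun ty s pos ->
  let need n =
    if n < 0 || n > String.length s - !pos then raise (Malformed "truncated") in
  match ty with
  | Int ->
    need 8;
    let v = Int64.to_int (String.get_int64_be s !pos) in
    pos := !pos + 8; v
  | String ->
    let n = decode Int s pos in
    need n;
    let v = String.sub s !pos n in
    pos := !pos + n; v
  | List t ->
    let n = decode Int s pos in
    need n; (* every element occupies at least 8 bytes *)
    List.init n (fun _ -> decode t s pos)
  | Pair (a, b) ->
    let x = decode a s pos in (x, decode b s pos)

let () =
  let ty = List (Pair (Int, String)) in
  let buf = Buffer.create 64 in
  encode ty buf [ (1, "one"); (2, "two") ];
  let wire = Buffer.contents buf in
  assert (decode ty wire (ref 0) = [ (1, "one"); (2, "two") ]);
  (* Constructed bad input: the same bytes cut short. *)
  match decode ty (String.sub wire 0 10) (ref 0) with
  | _ -> assert false
  | exception Malformed msg -> print_endline ("rejected: " ^ msg)
```

Because `decode` only ever builds values through the constructors selected by `ty`, bytes that do not match the expected type yield either `Malformed` or a well-typed value, never an invalid pointer.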