Pengine & clp(r)

30 views
Skip to first unread message

Gašper Škulj

unread,
Mar 30, 2015, 7:08:35 AM3/30/15
to swi-p...@googlegroups.com
Hi,

I'm working on a Pengine application that requires the use of clp(r) library, but I'm unable to make it work.
From online examples of clp(fd) and clp(b) I assume that the call ":-use_module(library(clpr))" should be enough to include the clpr library.
Pengine server is started successfully, but then fails when application is queried, with the following error:

ERROR: No permission to call sandboxed
`itf:attr_unify_hook(t(clpr,type(_G10130),strictness(_G10132),lin([0.0,0.0,l(_G10148*1.0,_G10146)]),order(_G10146),n,n,n,n,n,n),_G10116)'


I would be very grateful for some advice about how to use clp(r) library with pengines.

Jan Wielemaker

unread,
Mar 30, 2015, 10:21:07 AM3/30/15
to Gašper Škulj, swi-p...@googlegroups.com
First of all, use 7.1.34. That probably is not enough, but it does fix
some sandbox issues, both allowing unsafe code as denying safe code.
Not sure what this is, but the sandbox does not allow cross-module
(m:g) goals, unless the called predicate is exported or declared
public. This allows modules to keep their data private.

Libraries such as clp(fd) and clp(r) are fairly complex. There are
roughly two ways out: verify (by hand) that the library is safe and
declare the interface as safe. This is done for clp(fd). The other
is to make sure there is no untracktable meta-calling, no cross-module
calling to private predicates, no calls to inherently unsafe predicates
and leave it to the sandbox library. Somtimes you can combine that:
try to reduce the unsafe part until it is small enough that you can
really understand what makes the sandbox think it is not and why this
is not a problem for this code.

Be careful before you decide that code is safe!

Cheers --- Jan

P.s. Please post your findings if you figured it all out.
Reply all
Reply to author
Forward
0 new messages