[cap-talk] Java coding rules for capability discipline

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Wed Nov 3 18:35:12 EST 2004


Stiegler, Marc D wrote:
>>>-- No static mutables (no class variables)
>>
>>How do you then guarantee that there is only one
>>user of a single-access resource?  For example, a
>>manager of something like a database resource would
>>often use a static variable to enforce its one-ness.

There is no such thing as a single-access resource. "Global"
or "static" variables in most languages are actually per-process
variables. What makes this incompatible with capability discipline
is that these per-process variables are accessed implicitly, rather
than via capabilities or references.

There are resources that are single-access within a given context.
That context should be modelled as an object. For example, database
resources should normally be obtained from a database instance
or a database connection. This often improves the flexibility of
APIs independent of any security considerations (see
<http://c2.com/cgi/wiki?SingletonGlobalProblems>).

Cap-secure languages usually support nested lexical scoping. In that
case, it is as easy to limit the scope of any given variable to just
what is needed, as it is to use a global/static variable or singleton.

>>Do you for example mean no non-private static mutables?
> 
> Ooops. Right. Correction, no public static mutables.

No, the requirement is to avoid any mutable state that is accessed
implicitly. It doesn't matter whether it is exposed directly in a
static public field, or via other static methods, or via instance
methods that access global/static state.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
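The contrast David describes above (implicitly accessed static state versus a context object whose reference is passed explicitly, with lexical scope limiting who holds it), as an added Java example that is not part of the original post. All class and method names here are invented for illustration; `Store` is a constructed stand-in for a database connection, and the closure part assumes Java 8 or later.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for a database connection.
interface Store {
    String read(String key);
    void write(String key, String value);
}

final class MemoryStore implements Store {
    private final Map<String, String> rows = new HashMap<>();
    public String read(String key) { return rows.get(key); }
    public void write(String key, String value) { rows.put(key, value); }
}

// The pattern the post argues against: a static mutable singleton. Any class
// loaded in the process can call GlobalStore.get() without ever being handed
// a reference, so the store is ambient (implicitly accessed) authority.
final class GlobalStore {
    private static Store instance;                  // static mutable state
    static synchronized Store get() {
        if (instance == null) instance = new MemoryStore();
        return instance;
    }
    private GlobalStore() {}
}

final class GlobalReport {
    // An instance method, yet it reaches global state: nothing in its
    // signature tells a reviewer that it can read or write the store.
    String render() { return GlobalStore.get().read("title"); }
}

// Capability style: the context in which the store is "single" is an object.
// One Session holds one Store; code that needs it must receive a reference.
final class Session {
    private final Store store;                      // instance state, not static
    Session(Store store) { this.store = store; }
    Store store() { return store; }
}

final class CapReport {
    private final Store store;
    CapReport(Store store) { this.store = store; }  // authority is explicit here
    String render() { return store.read("title"); }
}

public final class CapDemo {
    public static void main(String[] args) {
        // Two sessions, two independent stores: "one-ness" is per context,
        // enforced by construction rather than by a class variable.
        Session a = new Session(new MemoryStore());
        Session b = new Session(new MemoryStore());
        a.store().write("title", "quarterly");
        b.store().write("title", "annual");

        System.out.println(new CapReport(a.store()).render()); // quarterly
        System.out.println(new CapReport(b.store()).render()); // annual

        // Lexical scoping limits who can reach a store: only this closure
        // captures it, and only for as long as the closure is reachable.
        Store scoped = new MemoryStore();
        Runnable job = () -> scoped.write("audit", "ran");
        job.run();
        System.out.println(scoped.read("audit"));              // ran

        // With the static version, the store is reachable from anywhere and
        // every caller in the process shares the same mutable state.
        GlobalStore.get().write("title", "shared");
        System.out.println(new GlobalReport().render());       // shared
    }
}
```

The practical review check this suggests: grep a code base for `static` fields that are not `final` (or `final` fields of mutable type) and for static getters that return mutable objects; each hit is a place where authority flows without appearing in any method signature.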
