[cap-talk] What sustained interest in capabilities
David Wagner
daw at cs.berkeley.edu
Thu Jan 8 02:14:50 EST 2009

David-Sarah Hopwood writes:
>The context of my original objection was the case of one or more
>legacy clients actually using your layered system by a non-capability
>interface. Therefore, the layered system cannot be analysed as a
>(pure) capability system.

The system as a whole cannot be analyzed that way (unless you have
some other independent way of proving that the legacy code won't
invalidate capability-style reasoning), but the applications written
to the capability interface can be analyzed using capability reasoning.
That can be valuable.

Generally, if you have capability code interacting with non-capability
code, you can no longer analyze the combination as a pure capability
system. It becomes a hybrid. You definitely lose some ability to
reason about the system, with a hybrid system, but you still gain the
ability to perform some kinds of reasoning about the capability code,
and that can be useful, despite its limitations.

For instance, Tyler's Waterken is implemented as a hybrid system,
combining capability code written in Joe-E and some other code written
in Java. The ability to perform capability-style reasoning about the
Joe-E code was useful despite the fact that this reasoning doesn't
necessarily carry over to the system as a whole.