[cap-talk] controversial article

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Jul 2 16:07:31 EDT 2009


On Thu, 2009-07-02 at 14:03 +0200, Matej Kosik wrote:
> I hope that it is correct to say that all object-capability programming
> languages can be used for creating software systems that are defensively
> consistent but none of these languages (or platforms) can be used for
> creating defensively correct software systems. (?)

I think it's important to define carefully what is meant by a
defensively correct software system.

(I'm yet to read your paper but want to be clear about what we're
talking about here first. Expect comments on the paper tomorrow
sometime.)

The traditional definitions of defensive correctness and consistency (if
I remember right) are framed in terms of servers and clients. A server
is defensively consistent if none of its clients can cause it to provide
incorrect service to any other client. A service is defensively correct
if it is defensively consistent and none of its clients can prevent it
from giving correct service to any other.

With these definitions, suppose I implement a server in E whose clients
communicate with it from separate vats. Then I'd argue that it is quite
possible that this server could be defensively correct. In particular,
if the server is Functionally Pure, I fail to see how it cannot be
defensively correct.

If the clients are part of the same vat, then I'd argue that yes, there
is no way to ensure defensive correctness (one client can always exhaust
all of the available memory or enter an infinite loop or whatever).

I had thought that the point of E was to allow one to ensure defensive
correctness between vats (although not within vats).

Cheers

Toby
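Added illustration, not code from the thread or from E itself: a toy Python model of the distinction drawn above. A server hands each client its own facet (so one client cannot corrupt another's service: defensive consistency), while a single-threaded "vat" runs turns to completion, so a client that never yields starves the others in the same vat; the KeyValueServer and Vat names are constructed, the step budget stands in for CPU time, and the two-vat case ignores E's eventual-send plumbing.

```python
from collections import deque

class KeyValueServer:
    """Shared server; each client's facet is scoped to its own keys."""
    def __init__(self):
        self._store = {}  # (client_id, key) -> value
    def facet_for(self, client_id):
        server = self
        class Facet:
            def put(self, key, value):
                if not isinstance(key, str):  # validate before mutating
                    raise TypeError("key must be a str")
                server._store[(client_id, key)] = value
            def get(self, key):
                return server._store.get((client_id, key))
        return Facet()

class Vat:
    """Single-threaded turn queue; a turn runs to completion before the next."""
    def __init__(self, step_budget):
        self._queue, self._budget = deque(), step_budget  # budget ~ CPU time
    def send(self, turn):
        self._queue.append(turn)
    def run(self):
        while self._queue and self._budget > 0:
            turn = self._queue.popleft()
            self._budget -= turn()  # each turn returns the steps it consumed

def demo():
    server = KeyValueServer()
    alice, bob = server.facet_for("alice"), server.facet_for("bob")
    bob.put("balance", 10)
    try: alice.put(42, "junk")        # alice's bad argument fails in her call only
    except TypeError: pass
    consistent = bob.get("balance") == 10 and alice.get("balance") is None
    seen = {}
    # Same vat: alice's non-terminating turn never yields, so bob's queued turn
    # never runs. The server stays consistent but is not defensively correct.
    shared = Vat(step_budget=100)
    shared.send(lambda: 10**9)  # alice: stands in for an infinite loop
    shared.send(lambda: seen.update(same=bob.get("balance")) or 1)
    shared.run()
    # Separate vats: alice's spin only burns her own vat's budget.
    vat_a, vat_b = Vat(100), Vat(100)
    vat_a.send(lambda: 10**9)
    vat_b.send(lambda: seen.update(separate=bob.get("balance")) or 1)
    vat_a.run(); vat_b.run()
    return consistent, "same" in seen, seen.get("separate")
```

demo() returns (True, False, 10): consistent in both settings, bob starved in the shared vat, served from his own vat.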
