[cap-talk] controversial article
Mark Miller
erights at gmail.com
Thu Jul 2 16:21:47 EDT 2009
On Thu, Jul 2, 2009 at 1:07 PM, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> I had thought that the point of E was to allow one to ensure defensive
> correctness between vats (although not within vats).
>
Not "ensure", but to defend to an often practical degree. The approximations
to defensive correctness I enumerated earlier in this thread derive from
thinking about such practical defenses.
My section 5.7 "A Practical Standard for Defensive Programming" includes:
>> Defensive progress up to resource exhaustion, where we include
>> non-termination, such as an infinite loop, as a form of resource
>> exhaustion. Protocols that achieve only defensive progress up to
>> resource exhaustion are normally regarded as satisfying a meaningful
>> liveness requirement. Whether this standard is *usefully* stricter than
>> cooperative progress we leave to the judgement of the reader.

While it is true that the infinite loop example only applies within a vat,
E's distributed semantics require unbounded message buffering in the same
sense in which its local semantics requires unbounded heap and stack.
Unbounded buffering requirements do not normally prevent a protocol from
claiming "liveness", FWIW.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM