[cap-talk] is defensive correctness a plausible null hypothesis?
Dean Tribble
tribble at e-dean.com
Sun May 15 18:58:35 PDT 2011
I think we (likely MarkM) originally coined the term in:
http://www.erights.org/talks/promises/paper/tgc05.pdf
Which is expanded upon in his thesis:
http://www.erights.org/talks/thesis/index.html
On Sun, May 15, 2011 at 6:37 PM, David Barbour <dmbarbour at gmail.com> wrote:
> On Sun, May 15, 2011 at 2:30 PM, Matej Kosik <kosik at fiit.stuba.sk> wrote:
>
>> I see no way how properties such as defensive correctness
>> and defensive consistency could be proved.
>
> Perhaps you should provide your working definition of 'defensive
> correctness' and 'defensive consistency', along with your assumed
> operational context (local processes? within a process? distributed
> services?).
>
> The first reference I found, from a paper on Oz-E [1], describes,
> "Defensive correctness: is when every entity explicitly checks its
> input arguments when invoked." I imagine this is saying that
> developers at least ensure well-formed inputs, which is much
> weaker than checking invariants and postconditions and the like.
>
> If 'checking the input arguments' is the definition of 'defensive
> correctness', then what would be the problem with proving it?
> Seems like it would just take a quick inspection of each object...
>
> [1] http://www.info.ucl.ac.be/~pvr/oze.pdf
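A worked illustration of the Oz-E definition quoted above ("every entity explicitly checks its input arguments when invoked"), added here and not part of the thread or of any paper it cites. It contrasts a hypothetical counter that trusts its callers with one that checks every argument at its entry point, and shows that only the checking version keeps its invariant intact for well-behaved clients when one client misbehaves.

```python
class TrustingCounter:
    """Hypothetical object that assumes callers pass a non-negative int.
    One misbehaving caller can break the invariant 0 <= total <= limit
    that every other caller relies on."""
    def __init__(self, limit):
        self.limit = limit
        self.total = 0

    def add(self, amount):
        self.total += amount  # no check: negative or oversized values accepted
        return self.total


class DefensiveCounter:
    """Same object, but every input is checked when the method is invoked,
    so the invariant survives arbitrary arguments from any client."""
    def __init__(self, limit):
        if not isinstance(limit, int) or isinstance(limit, bool) or limit < 0:
            raise ValueError("limit must be a non-negative int")
        self.limit = limit
        self.total = 0

    def add(self, amount):
        # bool is a subclass of int in Python, so it is excluded explicitly
        if not isinstance(amount, int) or isinstance(amount, bool) or amount < 0:
            raise TypeError("amount must be a non-negative int")
        if self.total + amount > self.limit:
            raise ValueError("would exceed limit")
        self.total += amount
        return self.total


def run_clients(counter, requests):
    """Feed a mix of well-behaved and misbehaving requests to a counter.
    Returns (final total, rejected requests, whether the invariant holds)."""
    rejected = []
    for amount in requests:
        try:
            counter.add(amount)
        except (TypeError, ValueError):
            rejected.append(amount)
    invariant_ok = 0 <= counter.total <= counter.limit
    return counter.total, rejected, invariant_ok


# Constructed workload: two honest requests (3, 4) and two hostile ones.
WORKLOAD = [3, -50, 4, 10**9]
```

With `run_clients(TrustingCounter(10), WORKLOAD)` the invariant is violated and nothing is rejected; with `run_clients(DefensiveCounter(10), WORKLOAD)` the two hostile requests are rejected and the honest clients still see a consistent total of 7.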