Side-effect free containers for E
Mark S. Miller
markm@caplet.com
Thu, 10 Aug 2000 20:35:18 -0700
At 11:50 AM 8/10/00 , Marc Stiegler wrote:
>This is an important point, and forces me to back slightly away from my
>earlier proposal of "make immutables stronger and mutables weaker". To
>encourage confidence in stability, you want to maintain upward compatibility
>unless the reasons are overwhelmingly compelling, so I now recommend leaving
>mutables alone.

I believe the "principle of least authority" / "minefield" argument Tyler
makes is compelling. The problem is not created simply by the existence of
mutable containers. I pushed us over the cliff when I designed the mutable
and immutable containers to share so much protocol, and therefore, to be so
interchangeable with each other. As a result, if a mutable container is
accidentally used where an immutable one should have been used, the program
will often still work under benign and common conditions -- as when neither
side mutates the container.

This mistake is easy to make and hard to detect. As Tyler says,
(paraphrasing) much of the point of E is to avoid being accident prone
regarding security accidents.

Cheers,
--MarkM
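
An added illustration of the failure mode described in this message, written in Python rather than E and not code from the original post: Python's list and tuple share their read protocol (length, iteration, indexing) in the way the message says E's mutable and immutable containers do. The `Gate` and `StrictGate` classes, the allow-list and the recipient names are hypothetical and constructed for the example.

```python
class Gate:
    """Hypothetical service: checks a recipient container once, uses it later."""
    ALLOWED = frozenset({"alice", "bob"})  # constructed allow-list

    def __init__(self, recipients):
        # Check: every recipient must be on the allow-list.
        if not all(r in self.ALLOWED for r in recipients):
            raise PermissionError("recipient not allowed")
        # Accident: keeps the caller's own container. Nothing fails here,
        # because list and tuple answer the same read-only messages.
        self._recipients = recipients

    def send(self, msg):
        # Use: silently relies on the earlier check still being true.
        return [(r, msg) for r in self._recipients]


class StrictGate(Gate):
    """Same service, but checks and stores a private immutable snapshot."""

    def __init__(self, recipients):
        super().__init__(tuple(recipients))


def benign_run(gate_cls, container):
    """Neither side mutates: mutable and immutable arguments look identical."""
    return gate_cls(container).send("hi")


def hostile_run(gate_cls):
    """The caller keeps its reference and mutates the list after the check."""
    shared = ["alice"]
    gate = gate_cls(shared)
    shared.append("mallory")  # constructed name, not on the allow-list
    return [r for r, _ in gate.send("hi")]


if __name__ == "__main__":
    print(benign_run(Gate, ["alice", "bob"]))   # list: works
    print(benign_run(Gate, ("alice", "bob")))   # tuple: same result
    print(hostile_run(Gate))                    # check bypassed via aliasing
    print(hostile_run(StrictGate))              # snapshot keeps the check valid
```

Ordinary tests resemble `benign_run`, which is why the mistake is hard to detect: the two container kinds only diverge once someone holding the other reference mutates.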