Split Capabilities: Making Capabilities Scale
Karp, Alan
alan_karp@hp.com
Tue, 25 Jul 2000 11:46:08 -0700
> -----Original Message-----
> From: Dan Bornstein [mailto:danfuzz@milk.com]
> Sent: Tuesday, July 25, 2000 9:35 AM
> To: e-lang@eros-os.org
> Subject: RE: Split Capabilities: Making Capabilities Scale
>
>
> MarkM writes:
> >Were this done in a Java-like statically typed language, both increment
> >and decrement facets would be seen as being of type
> >
> > public interface {
> >   void do();
> > }
> >
> >with no further type information available.
>
> Alan Karp writes:
> >Seems like an odd programming model where I say "do your thing whatever that
> >may be". What would Wernher von Braun say during a countdown, do() or
> >decrement()? What would he say if he saw the count increase as he tried to
> >count down?
>
> The thing to keep in mind is that, in any useful system, this object would
> have been received in an already-rich context. In von Braun's case,
> presumably he got it by calling the getCountdownDecrementer() method on a
> particular missileControl object, the same object he uses as the target of
> repeated calls to getCountdownValue(). If he saw the count go up, he might
> choose to call missileControl.abort() and then do further research after
> things had settled down.
My point exactly. Had he known that the object supports increment, he'd
know that the countdown was on hold. Seeing only the facet and thinking
it's an object, he can only assume there is an error that forces him to
abort the launch. Strict object encapsulation says that the object state
can only be changed through the interface. Since he sees no increment
method, he must assume that the object has a flaw.
>
> (snip)
>
> The way out of the mess is to assume that one is starting from a context of
> objects that one knows certain properties of, such as whether they are
> trustworthy. Assuming von Braun has reason to trust the missileControl
> object in question, then he would transitively trust the result from
> calling missileControl.getCountdownDecrementer(), whether or not he's using
> a strongly-typed class-based system.
This reasoning is exactly why I don't feel comfortable treating a facet as
an object. The facet hides part of the interface and tells me only some of
the properties.
>
> -dan
>
_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
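
The countdown scenario debated in this thread, as an added example that is not part of the original message or written by any of its participants: JavaScript closures stand in for the facets, each exposing only do(), and the holder of missileControl sees the count rise without any increment method being visible to him. The names makeCountdown, runCountdown, isAborted and demo, and the starting count of 10, are assumptions made for the illustration.

```javascript
// makeCountdown is a hypothetical factory: missileControl plus a separate increment facet.
function makeCountdown(start) {
  let count = start;            // private state, reachable only via closures
  let aborted = false;
  const facet = (step) => Object.freeze({
    do() {
      if (aborted) throw new Error('launch aborted');
      count += step;
    },
  });
  const decrementer = facet(-1);
  const incrementer = facet(+1);
  const missileControl = Object.freeze({
    getCountdownDecrementer: () => decrementer,
    getCountdownValue: () => count,
    abort() { aborted = true; },
    isAborted: () => aborted,   // hypothetical helper for this example
  });
  return { missileControl, incrementer };
}

// The launch director holds only missileControl. After each do() he compares
// the observed value with what his own calls explain and aborts on a mismatch.
function runCountdown(missileControl, ticks, otherParty) {
  const decrementer = missileControl.getCountdownDecrementer();
  let expected = missileControl.getCountdownValue();
  const seen = [];
  for (let tick = 0; tick < ticks; tick++) {
    decrementer.do();
    expected -= 1;
    otherParty(tick);           // another holder may use its own facet here
    const value = missileControl.getCountdownValue();
    seen.push(value);
    if (value !== expected) { missileControl.abort(); break; }
  }
  return { seen, aborted: missileControl.isAborted() };
}

// Constructed scenario: the holder of the increment facet acts at tick 2.
function demo() {
  const { missileControl, incrementer } = makeCountdown(10);
  const hold = (tick) => { if (tick === 2) { incrementer.do(); incrementer.do(); } };
  const result = runCountdown(missileControl, 10, hold);
  return {
    ...result,
    decrementerSurface: Object.keys(missileControl.getCountdownDecrementer()),
    incrementerSurface: Object.keys(incrementer),
  };
}
```

Both facets present the same one-method surface, so nothing in the decrement facet or in missileControl tells its holder that an increment facet exists; he can only detect the discrepancy through getCountdownValue().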