Split Capabilities: Making Capabilities Scale

[Karp, Alan]

> -----Original Message-----
> From: Ken Kahn [mailto:kenkahn@toontalk.com]
> Sent: Wednesday, July 26, 2000 2:34 PM
> To: Karp, Alan; Norman Hardy; Mark S. Miller
> Cc: 'Dan Bornstein'; e-lang@eros-os.org
> Subject: Re: Split Capabilities: Making Capabilities Scale
> 
> 
> Alan wrote:
> >
> > I don't really care if it's objects as long as I can reason 
> about the
> > system.  Hidden side effects make reasoning difficult if 
> not impossible.
> I
> > have a problem with facets in that interfaces not in the 
> facet appear to
> me
> > to be hidden side effects.  Objects, at least pure objects, 
> don't have
> side
> > effects, but any other such system would do as well for me.
> >
> 
> Given the entire source code in E or some concurrent logic programming
> language, I doubt that this facet style of programming prevents formal
> reasoning about the behavior of the entire system. But in an 
> open system
> where programs communicate over trust boundaries there are inherent
> limitations about how much you can reason about the system 
> behavior. Whether
> it uses facets or not.

We have a similar problem in e-speak which we resolved by providing the full
interface on request if authorized.  I recently decided that all that's
really needed is a formal description of behavior.  Of course, I don't know
how to write such a description, but that's OK.  Smart people can figure it
out.

> 
> I suspect there are some unspoken assumptions about the 
> overall context in
> this discussion of facets. Who is hiding side effects from who?

No one.  Whoever decides that I get to see only a facet that reveals less
than the full behavior of the object is hiding from me state transitions
that I interpret as side effects.

> 
> Best,
> 
> -ken
> 

_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278