[E-Lang] Authority -- what is its dual?
Mark S. Miller
markm@caplet.com
Sun, 21 Oct 2001 12:58:00 -0700
At 12:27 PM 10/21/2001 Sunday, Jonathan S. Shapiro wrote:
>In our conversation, the proposal that came out is:
>
> frozen: the object cannot be modified (by anyone), but
> it may contain references to objects that are in turn
> mutable.
> deep frozen: the object and all objects that it references
> (transitively) are immutable.
>
>The proposal here is that all objects in the universal E environment should
>be deep frozen.
Yes, I'm very happy with this terminology. Even better, I'm very happy with
"deep X" being used to mean "transitive X". Thanks! Jonathan also points
out that this has a precedent: the traditional oo programmer's use of the
term "deep copy".

I had been using the prefix "trans" as in
"dir readOnly()" vs "dir transReadOnly()" (see
http://www.erights.org/javadoc/org/erights/e/meta/java/io/FileSugar.html ).
I'm going to deprecate transReadOnly() and substitute deepReadOnly().

I'm also thinking of changing the name of the 'confined' auditor to
'DeepFrozen', since that's what it's really auditing for. (A stronger
condition that implies confinement.)

Using this terminology, I can propose another constraint: The only things
that may be thrown must be DeepPassByCopy. This is currently unenforced,
but is already satisfied by all the code I know of. I'm thinking of imposing
this strong safety rule since even a mildly rigorous code review may
fail to take into account what capabilities may be communicated through the
exceptional pathway. E's conventional call-return notation obscures the
exceptional pathway. This motivates that things that may be thrown be
DeepFrozen. Since thrown things must be passed by copy between machines --
they may be your only forensics prior to a partition -- and since far
references to Frozen things are not themselves Frozen, the sensible
constraint to impose would seem to be DeepPassByCopy.
Cheers,
--MarkM
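
Added example, not part of the original message and not E code: a JavaScript sketch of the frozen / deep frozen distinction and of checking a value at the throw site so that a thrown object cannot carry a mutable reference. It covers only the DeepFrozen half of the proposal (JavaScript has no far references, so DeepPassByCopy is not modelled); isDeepFrozen, record, throwChecked and caught are hypothetical names.

```javascript
// Added illustration in JavaScript, not E; isDeepFrozen, throwChecked and
// caught are hypothetical helper names, and all sample objects are constructed.

// "frozen" is the shallow test (Object.isFrozen); "deep frozen" requires the
// object and everything reachable from it, prototypes included, to be frozen.
function isDeepFrozen(value, seen = new Set()) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return true; // primitives are immutable
  }
  if (seen.has(value)) return true; // cycle: this object is already being checked
  seen.add(value);
  if (!Object.isFrozen(value)) return false;
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    // An accessor can hand out mutable state on each call, so reject it.
    if (!('value' in desc)) return false;
    if (!isDeepFrozen(desc.value, seen)) return false;
  }
  return isDeepFrozen(Object.getPrototypeOf(value), seen);
}

// Null-prototype frozen record, so the check does not depend on whether
// Object.prototype has been frozen by the host environment.
const record = (props) => Object.freeze(Object.assign(Object.create(null), props));

// Constructed sample: a mutable object standing in for a capability.
const auditLog = { entries: [] };
const leaky = record({ message: 'disk full', log: auditLog }); // frozen, not deep frozen
const safe = record({ message: 'disk full', code: 28 });       // deep frozen

// Enforce the rule at the throw site: anything that is not deep frozen is
// replaced by a data-only report, so no reference escapes through the
// exceptional pathway.
function throwChecked(problem) {
  if (!isDeepFrozen(problem)) {
    throw record({ message: 'thrown value was not deep frozen' });
  }
  throw problem;
}

// What a caller's catch clause actually receives.
function caught(problem) {
  try { throwChecked(problem); } catch (e) { return e; }
}

console.log(Object.isFrozen(leaky), isDeepFrozen(leaky), isDeepFrozen(safe));
console.log('log' in caught(leaky), caught(safe) === safe);
```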