[e-lang] Non-local Exits vs Defensive Consistency - David Hopwood

Mark Miller erights at gmail.com
Sun Jan 28 22:53:03 CST 2007


On 1/28/07, Mark Miller <erights at gmail.com> wrote:
> MarkM's thesis discusses this problem, but in my opinion the fixes
> suggested there are not likely to work well enough to allow sufficient
> confidence in the defensive consistency of large bodies of code, or are
> too inefficient to be practical.


The discussion David refers to is in my section 5.7:

# In order to regard [Figure 5.2] as defensively consistent, we regard
# exceptional control flow and process termination as forms of
# non-progress rather than incorrect service. This perspective places a
# consistency burden on callers: If they make a call while their own
# state invariants are violated, they must ensure that exceptions thrown
# by the callee leave reachable state in a consistent form. They can do
# so either by abandoning or repairing bad state.
#
# Much bad state will automatically be abandoned by becoming unreachable
# as the exception propagates. For the remainder, the caller either
# can repair bad state (for example, using a try/finally block) or,
# (when this is too dangerous or difficult) can convert exceptional
# control flow into process termination, forcibly abandoning bad
# state. In E, the appropriate unit of termination is the vat
# incarnation rather than the process. As we will see in Section 17.4,
# terminating an incarnation of a persistent vat is similar to a
# transaction abort---it causes the vat to roll back to a previous
# assumed-good state.

-- 

    Cheers,
    --MarkM
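An added example (not from the thesis or from this thread) of the caller's burden that section 5.7 describes, in Python rather than E: a ledger whose invariant is violated mid-transfer calls an untrusted callee that throws, and the two caller strategies the quote names, repairing bad state with try/finally and letting bad state become unreachable, are shown beside the unsafe version. The class, method and callee names are constructed for the illustration; the vat-termination option is not modelled.

```python
class Ledger:
    """Invariant: sum(balances.values()) == total."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total = sum(balances.values())

    def consistent(self):
        return sum(self.balances.values()) == self.total

    def transfer_unsafe(self, src, dst, amount, notify):
        # Invariant broken between debit and credit; a throw from notify() leaves it so.
        self.balances[src] -= amount
        notify(src, dst, amount)  # untrusted callee, may throw
        self.balances[dst] += amount

    def transfer_repair(self, src, dst, amount, notify):
        # Repair: try/finally restores the invariant on any non-local exit;
        # the exception then keeps propagating as a non-progress signal.
        self.balances[src] -= amount
        done = False
        try:
            notify(src, dst, amount)
            self.balances[dst] += amount
            done = True
        finally:
            if not done:
                self.balances[src] += amount  # undo the debit

    def transfer_abandon(self, src, dst, amount, notify):
        # Abandon: build the new state in a private copy and publish it only after
        # the callee returns; on a throw the half-built copy is unreachable.
        new = dict(self.balances)
        new[src] -= amount
        new[dst] += amount
        notify(src, dst, amount)
        self.balances = new

def failing_notify(src, dst, amount):
    raise RuntimeError("constructed callee that always throws")

def run(method):
    """Return (exception_propagated, invariant_holds) for one strategy."""
    ledger = Ledger({"alice": 10, "bob": 5})  # constructed sample state
    try:
        getattr(ledger, method)("alice", "bob", 3, failing_notify)
        raised = False
    except RuntimeError:
        raised = True
    return raised, ledger.consistent()
```

`run("transfer_unsafe")` returns `(True, False)`: the exception escapes with reachable state inconsistent, whereas both `transfer_repair` and `transfer_abandon` return `(True, True)`.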


