[e-lang] What is defensive consistency?

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Nov 2 04:54:46 EDT 2007


On Fri, 2007-11-02 at 00:36 -0700, David Wagner wrote:
> In the case of a single object that is intended to be defensively
> consistent, I can think of three kinds of defensive consistency:
> 
> a) Every method call stands on its own.  The server will always presume
> that any pair of method calls might have been made by two clients with
> independent interests.  Consequently, if one caller fails to establish
> documented preconditions in one method call, the server can provide
> incorrect service during that method call, but the server is not released
> from its obligations regarding other method calls.

I like this answer the best. The distinction between clients is, I
think, a possible distraction. If I make one method call to object o,
meeting the preconditions I should expect correct service. If I make a
second call that doesn't respect the preconditions, I have no right to
expect correct service. If I make a third call that meets the
preconditions and I am still guaranteed correct service, then the odds
that another client whose interests are independent of mine will
continue to get good service when it meets the preconditions are
highest. 

Taking the focus off distinguishing clients means that a programmer need
only ensure that:
 - no case in which a method's preconditions are violated goes
undetected
 - in all other cases, the object meets its contract

If the programmer follows the above, then they give what I see as the
best chance for their object to be defensively consistent. (Although I
believe this is what you were getting at with the "Strong Exception
Guarantee" message, so I may be reiterating your own comments here.)
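
Added example, not part of the original message: the good call / violating call / good call sequence described above, run against a ledger that changes state before checking and against one that detects every precondition violation first. The names makeFragileLedger, makeDefensiveLedger and threeCalls, and the account data, are hypothetical and constructed for this illustration.

```javascript
// Fragile: state is changed before a violated precondition is noticed (or never noticed).
function makeFragileLedger(balances) {
  const book = new Map(Object.entries(balances));
  return {
    transfer(from, to, amount) {
      book.set(from, book.get(from) - amount);        // debit happens first
      if (!book.has(to)) throw new Error('unknown payee'); // too late: debit already applied
      book.set(to, book.get(to) + amount);
    },
    balance: (who) => book.get(who),
  };
}

// Defensive: every precondition is checked before any state is touched, so a
// violating call fails without affecting the service later calls receive.
function makeDefensiveLedger(balances) {
  const book = new Map(Object.entries(balances));
  return Object.freeze({
    transfer(from, to, amount) {
      if (!book.has(from) || !book.has(to)) throw new Error('unknown account');
      if (!Number.isSafeInteger(amount) || amount < 0) throw new Error('bad amount');
      if (amount > book.get(from)) throw new Error('insufficient funds');
      if (!Number.isSafeInteger(book.get(to) + amount)) throw new Error('overflow');
      // Preconditions hold: meet the contract.
      book.set(from, book.get(from) - amount);
      book.set(to, book.get(to) + amount);
    },
    balance: (who) => book.get(who),
  });
}

// Call 1 meets the preconditions, call 2 (badArgs) violates them, call 3 meets them again.
function threeCalls(makeLedger, badArgs) {
  const ledger = makeLedger({ alice: 100, bob: 0 });
  ledger.transfer('alice', 'bob', 30);
  try { ledger.transfer(...badArgs); } catch (e) { /* violation reported to caller */ }
  ledger.transfer('alice', 'bob', 20);
  return [ledger.balance('alice'), ledger.balance('bob')];
}

const violations = [['alice', 'bob', NaN], ['alice', 'nobody', 10]]; // constructed inputs
for (const bad of violations) {
  console.log(JSON.stringify(bad),
    'fragile:', threeCalls(makeFragileLedger, bad),
    'defensive:', threeCalls(makeDefensiveLedger, bad));
}
```
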




