[e-lang] What is defensive consistency?
Karp, Alan H
alan.karp at hp.com
Fri Nov 2 11:48:58 EDT 2007
David Wagner wrote:
>
> Suppose we construct a caretaker that wraps access to the server Sam,
> and we hand that caretaker to Alice. Then, we construct a second
> caretaker that provides independently revokable access to the
> same Sam,
> and hand the second caretaker to Bob. Now both Alice and Bob
> can invoke
> Sam (until their corresponding caretaker is revoked). But when Sam is
> invoked, he cannot tell whether he has been invoked by Alice
> or by Bob.
As I see it, you have three choices.
1. You are defensively consistent for each invocation in isolation,
which seems too restrictive to me.
2. The method call includes a client identifier, which violates the
spirit of ocaps.
3. The caretaker holds, or provides to the object the information it
needs to keep separate, any per client state that might result in bad
service to other clients. That's not adequate either because shared
state is often necessary, e.g., the incrementer.
Are there other options?
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
More information about the e-lang
mailing list