[e-lang] What is defensive consistency?
Toby Murray
toby.murray at comlab.ox.ac.uk
Fri Nov 2 12:31:01 EDT 2007
On Fri, 2007-11-02 at 15:48 +0000, Karp, Alan H wrote:
> David Wagner wrote:
> >
> > Suppose we construct a caretaker that wraps access to the server Sam,
> > and we hand that caretaker to Alice. Then, we construct a second
> > caretaker that provides independently revokable access to the same Sam,
> > and hand the second caretaker to Bob. Now both Alice and Bob can invoke
> > Sam (until their corresponding caretaker is revoked). But when Sam is
> > invoked, he cannot tell whether he has been invoked by Alice or by Bob.
>
> As I see it, you have three choices.
>
> 1. You are defensively consistent for each invocation in isolation,
> which seems too restrictive to me.
Why so? To remain defensively consistent, an object needs to ensure
that, when invoked, the invoked method's preconditions are satisfied, and
bail if not, without violating its internal invariants.
Assuming that the only means a caller has of violating the preconditions
are in the arguments it passes with the invocation, which I believe is
guaranteed by the ocap model, then ensuring defensive consistency relies
upon checking only the arguments passed with the invocation. When
invoked, the object has all of the information it needs to maintain
defensive consistency. Hence, I do not see how maintaining defensive
consistency for individual method calls is difficult.
On the contrary, given that the /only/ information the object has
available is the same information needed to ensure defensive consistency
in this way (i.e. the arguments with the invocation), I can't see how
one could sanely ensure defensive consistency in any other way.
Cheers
Toby
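The scenario discussed above, worked through as an added example (this code is not part of the original thread and is not E code; it is a Python sketch). "Sam" is modelled as a small ledger whose invariant is that every balance is a non-negative integer and the balances always sum to the initial total. Each caretaker is a forwarder with its own revocation switch, so revoking Alice's caretaker leaves Bob's untouched, and Sam sees nothing but the arguments of each call. The `Ledger`, `make_caretaker` and `demo` names, and the sample accounts, are constructed for this illustration:

```python
"""Added example: defensive consistency under two independently revocable
caretakers.  Names and sample accounts are constructed for illustration."""


class Revoked(Exception):
    """Raised when a revoked caretaker is invoked."""


class Ledger:
    """Sam.  Invariant: every balance is a non-negative int and the
    balances always sum to the initial total."""

    def __init__(self, accounts):
        self._balances = dict(accounts)
        self._total = sum(accounts.values())
        self.calls = []  # everything Sam gets to observe per invocation

    def invariant_holds(self):
        vals = self._balances.values()
        return (all(type(v) is int and v >= 0 for v in vals)
                and sum(vals) == self._total)

    def balance(self, name):
        if type(name) is not str or name not in self._balances:
            raise KeyError(name)
        return self._balances[name]

    def transfer(self, src, dst, amount):
        # Sam sees only the arguments; nothing identifies Alice or Bob.
        self.calls.append((src, dst, amount))
        # Check every precondition before touching state.  Exact-type
        # checks matter: a str subclass with its own __hash__/__eq__ would
        # run caller code inside our dict lookups, and bool is an int.
        if type(src) is not str or type(dst) is not str:
            raise TypeError("account names must be plain str")
        if type(amount) is not int or amount <= 0:
            raise ValueError("amount must be a positive int")
        if src not in self._balances or dst not in self._balances:
            raise KeyError("unknown account")
        if self._balances[src] < amount:
            raise ValueError("insufficient funds")
        # All preconditions held: mutate.  No caller-supplied code can run
        # between these two writes, so the invariant is never observable
        # in a broken state.
        self._balances[src] -= amount
        self._balances[dst] += amount


def make_caretaker(sam):
    """Return (caretaker, revoke).  The caretaker forwards to sam until
    revoke() is called; other caretakers on the same sam are unaffected."""
    live = [True]

    class Caretaker:
        def transfer(self, src, dst, amount):
            if not live[0]:
                raise Revoked("caretaker revoked")
            return sam.transfer(src, dst, amount)

    def revoke():
        live[0] = False

    return Caretaker(), revoke


def demo():
    """Run the scenario from the thread; returns (facts, sam)."""
    sam = Ledger({"alice": 100, "bob": 50, "carol": 0})
    alice_cap, revoke_alice = make_caretaker(sam)
    bob_cap, _revoke_bob = make_caretaker(sam)
    facts = {}

    alice_cap.transfer("alice", "carol", 30)
    bob_cap.transfer("bob", "carol", 20)

    class Sneaky(str):  # hostile argument: would run inside Sam's lookup
        def __hash__(self):
            raise RuntimeError("caller code ran inside Sam")

    for bad in [(Sneaky("bob"), "carol", 1),   # wrong type
                ("bob", "carol", True),        # bool is not a plain int
                ("bob", "carol", 10_000)]:     # insufficient funds
        try:
            bob_cap.transfer(*bad)
            facts["bad_args_rejected"] = False
        except (TypeError, ValueError):
            facts.setdefault("bad_args_rejected", True)
    facts["invariant_after_bad_args"] = sam.invariant_holds()

    revoke_alice()
    try:
        alice_cap.transfer("alice", "carol", 1)
        facts["alice_revoked"] = False
    except Revoked:
        facts["alice_revoked"] = True
    bob_cap.transfer("bob", "carol", 5)        # Bob's caretaker still works
    facts["bob_still_works"] = sam.balance("carol") == 55
    # Sam's record of each call is just the argument triple.
    facts["sam_sees_only_args"] = all(len(c) == 3 for c in sam.calls)
    return facts, sam
```

The point the example makes concrete is Toby's: Sam's only input is the argument list, so Sam validates exactly that, before any write, and either completes the call or raises with its state untouched. Revocation is a property of the caretaker, not of Sam, which is why Sam never needs to know which caretaker forwarded a call.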