[e-lang] What is defensive consistency?
Karp, Alan H
alan.karp at hp.com
Fri Nov 2 12:53:39 EDT 2007
Toby Murray wrote:
>
> Assuming that the only means a caller has of violating the preconditions
> are in the arguments it passes with the invocation, which I believe is
> guaranteed by the ocap model, then ensuring defensive consistency relies
> upon checking only the arguments passed with the invocation. When
> invoked, the object has all of the information it needs to maintain
> defensive consistency. Hence, I do not see how maintaining defensive
> consistency for individual method calls is difficult.
>
The problem I see with that approach is identifying all the possible
preconditions that need testing. There may well be a particular
sequence of operations that leads to an incorrect result even though
each individual operation is valid. Consider an incrementer that
guarantees to return a positive sum. Alice makes a call that increments
the state to the largest integer value. Bob adds one and gets a bad
result. Neither one violated the contract. The answer here is to use
infinite precision arithmetic, but you get my point.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
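The incrementer scenario above, as an added example that is not part of Alan Karp's post or the e-lang list: it assumes a 32-bit two's-complement counter (simulated, since Python's own ints are the "infinite precision" fix), shows the naive object returning a negative sum after two individually valid calls, and beside it a defensively consistent version that checks the precondition against its current state rather than against the argument alone.

```python
# Added example (not from the post): a counter that promises a positive sum.
# Assumption: the counter is 32-bit two's complement, simulated with wrap32().

INT32_MAX = 2**31 - 1

def wrap32(x):
    """Simulate two's-complement 32-bit overflow of a Python int."""
    return (x + 2**31) % 2**32 - 2**31

class NaiveIncrementer:
    """Checks only the argument, so a valid sequence of calls breaks the contract."""
    def __init__(self):
        self.total = 0

    def add(self, n):
        if n <= 0:
            raise ValueError("n must be positive")
        self.total = wrap32(self.total + n)   # silently wraps past INT32_MAX
        return self.total

class DefensiveIncrementer:
    """Checks the argument against the state it would produce; never returns a bad sum."""
    def __init__(self):
        self.total = 0

    def add(self, n):
        if n <= 0:
            raise ValueError("n must be positive")
        if n > INT32_MAX - self.total:        # would overflow: refuse, leave state intact
            raise OverflowError("sum would exceed INT32_MAX")
        self.total += n
        return self.total

def alice_then_bob(inc):
    """Alice raises the state to INT32_MAX, then Bob adds one.
    Returns (Bob's result or the OverflowError, final state)."""
    inc.add(INT32_MAX)                        # Alice: argument is valid on its own
    try:
        return inc.add(1), inc.total          # Bob: argument is valid on its own
    except OverflowError as err:
        return err, inc.total
```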