[e-lang] What is defensive consistency?

Dean Tribble tribble at e-dean.com
Fri Nov 2 22:05:41 EDT 2007


On 11/2/07, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> On Fri, 2007-11-02 at 00:36 -0700, David Wagner wrote:
> > In the case of a single object that is intended to be defensively
> > consistent, I can think of three kinds of defensive consistency:
> >
> > a) Every method call stands on its own.  The server will always presume
> > that any pair of method calls might have been made by two clients with
> > independent interests.  Consequently, if one caller fails to establish
> > documented preconditions in one method call, the server can provide
> > incorrect service during that method call, but the server is not released
> > from its obligations regarding other method calls.
>
> I like this answer the best.

Ah, but as I showed with the Logger example, the requirement is
dictated by the spec, not the convenience of our analysis :)

> ... If I make a third call that meets the
> preconditions and I am still guaranteed correct service, then the odds
> that another client whose interests are independent of mine will
> continue to get good service when it meets the preconditions are
> highest.

It certainly is easier to make individual calls robust to certain
things on their own.  That provides better support for "best efforts"
reliability and simplifies analysis.

> Taking the focus off distinguishing clients means that a programmer need
> only ensure that:
>  - no case in which a method's preconditions are violated goes undetected

This may be impossible, depending on the specification and
preconditions.  Easier-to-validate preconditions make APIs easier to
implement reliably, of course.
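An added illustration of sense (a) from David Wagner's list, written for this archive page (it is not code from the thread, from E, or from any of the posters): one ledger object shared by clients with independent interests. The naive version trusts callers to honour a documented precondition, so one client's bad call corrupts state that a well-behaved client's later calls depend on. The defensively consistent version validates each call's own preconditions before touching state; the violating call gets refused, and every other call is still served correctly. The class names, the `invariants_hold` check and the scenario are all assumptions made for the example.

```python
class NaiveLedger:
    """Not defensively consistent: relies on callers honouring the documented
    precondition that `amount` is a positive int. A single violating call can
    corrupt shared state that every later call, from any client, reads."""

    def __init__(self):
        self._balances = {}

    def deposit(self, account, amount):
        # Precondition (documented only, never checked): amount is a positive int.
        self._balances[account] = self._balances.get(account, 0) + amount

    def balance(self, account):
        return self._balances.get(account, 0)

    def total(self):
        return sum(self._balances.values())

    def invariants_hold(self):
        # Invariant other callers rely on: every balance is a non-negative int.
        return all(isinstance(b, int) and not isinstance(b, bool) and b >= 0
                   for b in self._balances.values())


class DefensiveLedger(NaiveLedger):
    """Defensively consistent in sense (a): each call validates its own
    preconditions before mutating anything. A violating call is refused, so
    the invariants that other calls depend on survive it."""

    def deposit(self, account, amount):
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            raise ValueError("amount must be a positive int")
        if not isinstance(account, str) or not account:
            raise ValueError("account must be a non-empty string")
        # Check-then-act: state is touched only after every precondition holds.
        super().deposit(account, amount)


def run_scenario(ledger):
    """Constructed scenario: client A behaves; client B passes float('nan'),
    violating the positive-int precondition; then client A makes a third,
    well-formed call. Returns (bad call rejected?, A's balance, ledger total)."""
    ledger.deposit("client_a", 100)
    try:
        ledger.deposit("client_b", float("nan"))  # precondition violated
        rejected = False
    except ValueError:
        rejected = True
    ledger.deposit("client_a", 50)  # well-behaved call after the bad one
    return rejected, ledger.balance("client_a"), ledger.total()


if __name__ == "__main__":
    for cls in (NaiveLedger, DefensiveLedger):
        ledger = cls()
        print(cls.__name__, run_scenario(ledger), "invariants:", ledger.invariants_hold())
```

With the naive ledger the third call still returns client A's correct balance, but `total()` is now NaN for every client, and the invariant is broken: the server was "released from its obligations" to everyone by one caller's mistake. With the defensive ledger the offending call fails, the invariant holds, and the total is correct, which is exactly the property sense (a) asks for.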