[e-lang] What is defensive consistency?

Wed Oct 31 22:12:15 EDT 2007

Can anyone help me pin down the definition of defensive consistency in
an object-capability language (such as E, Joe-E, etc.)?  I've lately come
to realize that I don't understand the concept as well as I thought I did.

I think I get the basic gist.  An object Sammy that offers some service
to its clients promulgates a contract that spells out preconditions
that clients must follow if they can expect correct and useful behavior
from Sammy.  If Xavier and Yolanda are two clients of Sammy, and Xavier
follows the contract (establishes the contract) but Yolanda does not,
then Sammy must provide correct and consistent service to Xavier but
is under no obligations about what service is provided to Yolanda.
Ok so far, I think, but what's the definition of a client?  I used the
names Xavier and Yolanda to refer to some unspecified entity(entities),
but who/what are those entities and what is the granularity of a client
entity?  How do I tell when an object or pair of objects should count as
two different clients as opposed to a single client?  Put another way,
what is the granularity of the failure domain?

Perhaps I should be more specific.  Let's try an example.  Suppose we
have an instance of a Hashtable, where the Hashtable is constructed to
be defensively consistent.  (I don't know whether a Hashtable is a good
example of a defensively consistent subsystem.  Feel free to suggest a
better example, if you like.)  We have two different objects, X and Y.
Here are some scenarios:

1) X has a reference to the Hashtable instance.  Y has a reference to a
different Hashtable instance.  I assume in this case X and Y count as
different clients, so failures of X to establish preconditions should
not affect Y's ability to receive correct service from her Hashtable.
(Right?)

2) X has a reference to the Hashtable instance.  Y has also independently
acquired a reference to the same Hashtable object.  X makes a method
call to his reference, meeting the Hashtable's preconditions.  Y makes a
method call to her reference, but violates the preconditions.  Do X and
Y count as two separate clients?  Is it correct to say that the Hashtable
instance must provide correct and consistent service to X but not to Y?

3) X has a reference to the Hashtable instance as well as a reference
to Y.  X makes some method call to this Hashtable reference.  X passes
the Hashtable reference to Y.  Y takes this Hashtable reference and then
makes a method call to it.  Should X and Y count as separate clients?
Is it correct to say that even if Y fails to respect the Hashtable's
preconditions when calling the Hashtable, X should still receive correct
and consistent service from the Hashtable as long as he respects the
Hashtable's preconditions?

4) X has a reference to the Hashtable instance.  X makes two method
calls to the Hashtable.  At one of these method calls, X violates the
Hashtable's preconditions.  At the other call site, X correctly ensures
that those preconditions are met.  Do these count as two separate
clients?  Is it correct to say that the Hashtable must provide correct
and consistent service to the latter method call, but not to the former
method call?

If your answers to 2), 3), and 4) are not identical, how can the Hashtable
distinguish between these three cases?

5) Suppose X calls the Hashtable instance.  While executing that method,
the Hashtable invokes object Y (some kind of callback, say).  Object Y
then invokes the same Hashtable object.  Are X and Y two different
clients, for purposes of defensive consistency?  If X violates the
Hashtable's preconditions but Y respects them, does the Hashtable need to
provide correct and consistent service to Y?  (Does your answer to this
question depend upon whether the reference to Y was passed in by X?)
I assume that if X meets the Hashtable's preconditions but Y violates
them, does the Hashtable need to provide correct and consistent service
to X -- right?  Does your answer to any of these questions change if X
and Y are actually the same object?

I hope these aren't stupid questions.  I read back through MarkM's PhD
thesis, which is my standard reference for capability concepts like this,
but I couldn't figure out how to infer the answer to these questions.

Last question: Can anyone suggest an example of a defensively consistent
component that helps illustrate the concept?  MarkM's gives an example
of a Counter that has an increment() method and nothing else, but I
yearned for something that exposed some non-trivial challenges/issues.
Can anyone give a slightly less trivial example that might help me to
understand the concept of defensive consistency with a concrete example?

Thanks for your help!