[e-lang] A broken brand?
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Aug 20 13:42:14 EDT 2009
2009/8/20 Dave Chizmadia - Gmail <davechiz at gmail.com>:
> Toby,
>
> Trying to have more testable and unambiguous statements of
> requirement...
>
>> Actually, more simply, that should be:
>>
>> "An object that does not possess both u and a proxy to b, or b
>> itself, cannot have c returned to it by u."
>
> This is a constraint on u and should be stated that way...
>
> "u shall return the c iff an invoking object o satisfies the
> following preconditions:
> a) o invokes u using a valid capability, and
> b) the message from o invoking u provides a valid capability
> to either b or a proxy to b"
Exactly. Or, even stronger:
"u shall return c in response to an invocation by an object o iff:
a. o has passed a valid capability 'd' that is either b or, when
invoked by u, proxies to b.
where "d proxies to b" iff when invoked, d invokes b or d invokes an
object that proxies to b.
This condition has the disadvantage that it requires some knowledge of
how this pattern works. However, it doesn't require us to determine
wich objects may proxy to b a-priori since this is captured now in the
property being tested.
Thanks for you comments.
Toby
More information about the e-lang
mailing list