[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Translucency counterexample -- term error
|
From: |
Jonathan S. Shapiro |
|
Subject: |
Re: Translucency counterexample -- term error |
|
Date: |
Thu, 11 Jan 2007 23:41:59 -0500 |
On Thu, 2007-01-11 at 22:41 -0500, Jonathan S. Shapiro wrote:
> A non-forgeable isInstanceOf() ...
The name isInstanceOf() was very bad, and I need to update the document
to remove it.
The operation I want is hasInstance(). The difference is:
isInstanceOf() is a method on an object taking the type or class as
the argument. The argument is compared for EQ, but is not invoked.
hasInstance() is a method on the *class* taking an instance capability
as the argument. It tests an instance. The instance is inspected
using the sealer/unseal pattern. The argument capability is not
invoked.
The reason this matters has to do with the direction of trust. I cannot
trust an unknown instance to tell the truth about its type. I *can*
trust a known-good type to tell the truth about who its instances are.
Sorry for the confusion this may cause. Wherever I wrote isInstanceOf()
in my previous mail, please substitute hasInstance().
shap