full isolation

Lex Spoon lex at cc.gatech.edu
Thu Mar 3 00:50:27 UTC 2005


There has been some murmuring about full isolation, both pro and
against.  The idea is that modules will be totally insulated from each
other and thus unable to cause each other any harm.

It's a nice idea but terrible if you take it to the extreme.  Instead, a
module system should *allow* modules to hold stuff private without
interfering with other modules.  On the other hand, module systems
should also provide convenient ways for modules to interact with each
other.  After all, the whole point of loading a module into your image
is to enhance what the image is already capable of.

Besides, full isolation is a royal pain if you really try it.  As a few
examples of what it would mean:

	1. Every module must have its own thread.  Otherwise,

	2. Modules must interact by passing messages or events, and not by
simple call and return.  Otherwise, when you call, the other module can
simply choose not to ever respond.

	3. Classes need to be modified.  In particular, you can't let people
send #class to get a real class object, and then use #superclass and
#subclasses to browse around the class hierarchy.  You also probably
don't want modules calling #compiledMethodAt:put:.


I am not sure this extremity is a good idea for a module system even if
we had loads of time to implement it.  If you start with full isolation,
then it requires extra work to get modules talking to each other again -- 
and I am not sure that the benefits of isolation are always worth this
extra effort.

Regardless, it's not something that is achievable in 6 months, and also,
it's something that will break most existing Squeak code.

Thus, we all need to deeply accept that, when a module is loaded, it may
well cause some damage to the image it is loaded into.  Hopefully such
breakage is unusual, but it cannot be avoided entirely.

Instead, focus on trying to prevent common accidents, and to allow common
desired interactions.  Two modules accidentally defining a "Server" class is
a common kind of accident, as are two modules trying to add a ">>" method to
class Behavior.  What should happen, in such a situation?


-Lex
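
Added example, not part of the original message or of any Squeak module system: a small Python model of a load-time check for the two accidents named above (a second "Server" class, a second ">>" method on Behavior). The `Module` and `Image` names, the sample modules, and the policy of reporting conflicts and installing nothing are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    classes: set = field(default_factory=set)     # class names the module defines
    extensions: set = field(default_factory=set)  # (class name, selector) pairs it adds


class Image:
    """Records which loaded module owns each class name and each method extension."""

    def __init__(self, base_classes=()):
        self.class_owner = {c: "<base image>" for c in base_classes}
        self.method_owner = {}

    def conflicts(self, module):
        """Return (kind, name, current owner) for every definition already claimed."""
        found = []
        for cls in sorted(module.classes):
            if cls in self.class_owner:
                found.append(("class", cls, self.class_owner[cls]))
        for cls, sel in sorted(module.extensions):
            owner = self.method_owner.get((cls, sel))
            if owner is not None:
                found.append(("method", f"{cls}>>#{sel}", owner))
        return found

    def load(self, module):
        """Install the module only if nothing collides; otherwise report and do nothing."""
        found = self.conflicts(module)
        if not found:
            self.class_owner.update((c, module.name) for c in module.classes)
            self.method_owner.update((k, module.name) for k in module.extensions)
        return found


def demo():
    # Constructed sample modules: both define Server and both extend Behavior with >>.
    image = Image(base_classes={"Object", "Behavior", "String"})
    web = Module("WebKit", {"Server", "Request"}, {("Behavior", ">>")})
    mail = Module("MailKit", {"Server"}, {("Behavior", ">>"), ("String", "asAddress")})
    return image.load(web), image.load(mail), image


if __name__ == "__main__":
    print(demo()[:2])
```

Because the check runs before anything is installed, the second module's harmless `String` extension is also held back rather than leaving the image half-loaded.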


