§7.2 Confined roles
Subclassing Team.Confined
with a protected class
yields a role class to which no object outside the team will
ever have a reference.
The point here is that instances of a role class with a regular super class
can be widened to this super class.
Widening can occur either in an assignment or when invoking a method which the role
inherits from the regular super class, where the this
reference is widened.
In both cases the widened reference is no longer protected by the team and can leak out.
This would break encapsulation of a role object that should only be accessible within the enclosing team.
Subclasses of Team.Confined
are not compatible to any class outside their enclosing team (including java.lang.Object
) and do not inherit any methods
that have the danger of leaking this
.
(a) Inhibition of overriding
The types ITeam.IConfined
and Team.Confined
cannot be overridden (cf. §1.3.1.(c)).
(b) Arrays of Confined
For any confined type C
, i.e., a type which is not compatible to Object
, an array of C
is not compatible to an array of Object
nor to Object
itself. This rule ensures that confinement cannot be bypassed by a sequence of compatible assignments and casts.
Upcoming:
Only by widening to a non-role super-type, a role instance can
be accessed from outside the team. In the future this can be inhibited by
restricted inheritance.
Example code (Role Encapsulation):
1 |
public team class Company { |
2 |
private HashMap<String,Employee> employees; |
3 |
... |
4 |
protected class Employee implements IConfined { |
5 |
void pay(int amount) { ... } |
6 |
... |
7 |
} |
8 |
public IConfined getEmployee(String ID) { |
9 |
return employees.get(ID); |
10 |
} |
11 |
public void payBonus(IConfined emp, int amount) { |
12 |
((Employee)emp).pay(amount); |
13 |
} |
14 |
} |
15 |
public class Main { |
16 |
public static void main(String[] args) { |
17 |
final Company comp = new Company(); |
18 |
IConfined<@comp> emp = comp.getEmployee("emp1"); |
19 |
|
20 |
comp.payBonus(emp, 100); |
21 |
} |
22 |
} |
Effects:
protected
roleEmployee
implements the above described interfaceIConfined
and therefore becomes opaque (line 4).IConfined
(line 8, line 11).IConfined
(line 18).toString()
, will cause a compilation error (line 19).IConfined
and the intrinsic role typeEmployee
may be necessary (line 9 and 12).