Lecture overview:

• Total time: ~50 minutes
• Prerequisites: Students understand specs, interfaces, and basic OO from L1-L5
• Connects to: Assignment design decisions, future lectures on design patterns

Structure:

• Why changeability matters (~10 min)
• Modularity and its benefits (~5 min)
• Information hiding mechanisms (~35 min): access modifiers, immutability, sealed classes, modules

Key theme: The majority of software cost is in maintenance—designing for change from the start is essential.

→ Transition: Let's start with the title slide...

CS 3100: Program Design and Implementation II

Lecture 6: Changeability I — Modularity and Information Hiding

©2025 Jonathan Bell & Ellen Spertus, CC-BY-SA

Context from L4-L5:

• Students learned about specifications and contracts
• They've seen interfaces as a way to abstract behavior
• Now we zoom in on why those abstractions matter for real software

Key message: We're shifting from "how to write correct code" to "how to write code that stays correct as requirements change."

→ Transition: Here's what you'll learn today...

Poll: What are your goals for CS 3100 (revised, anonymous)?

A. Learning as much as possible

B. Getting a high grade

C. Getting a strong letter of recommendation

D. Having time for other projects

E. Being ready for co-op

F. Behaving with integrity

Text espertus to 22333 if the
URL isn't working for you.

https://pollev.com/espertus

This slide is totally anonymous. Feel free to use incognito mode.

Purpose: Quick check-in on student motivations

• Discuss results briefly
• All of these are valid goals!

Poll: What should you do if you are having trouble with an assignment?

A. Give up

B. Keep grinding away

C. Go to office hours

D. Ask a friend for help

E. View Pawtograder posts

F. Ask AI for help with your problem

G. Ask AI how to download the autograder code

Text espertus to 22333 if the
URL isn't working for you.

https://pollev.com/espertus

Discussion points:

• Office hours and Pawtograder are great resources
• AI can help understand concepts, but not to bypass learning
• The last option is an academic integrity violation

→ Transition: Now let's look at today's learning objectives...

Learning Objectives

After this lecture, you will be able to:

1. Describe the importance of changeability as a goal of program design and implementation
2. Describe the relevance of modularity to changeability
3. Describe the role of information hiding and immutability in enabling effective modularity
4. Apply Java language features to achieve information hiding and immutability

Time allocation:

• Objective 1: Why changeability matters (~10 min)
• Objective 2: Modularity basics (~5 min)
• Objective 3-4: Java features for information hiding (~35 min)
  • Access modifiers (~7 min)
  • Immutability (~10 min)
  • Sealed classes (~10 min)
  • Java Module System (~10 min)

Why this matters: Students need to understand that good design isn't just about making code work—it's about making code that can evolve.

→ Transition: Let's start by reviewing where we are in the design process...

The Tire Swing Meme

See: History of the Tree Swing

Show the classic image (from A Pattern Language or online versions):

• "What the customer described"
• "What the analyst heard"
• "What was designed"
• "What was implemented"
• "What the customer actually needed" (a tire swing)

The lesson:

• Each step introduces interpretation
• Perfect requirements are impossible to write
• Even if we could, they'd change
• So we must design for change

→ Transition: Let's make this concrete with an example...

Example: A "Simple" Requirement

"The Pawtograder platform should allow graders to annotate student submissions with feedback on the quality of the code."

Questions we'll have to answer:

• Do annotations directly affect the score? Positive or negative scoring?
• Is there a rubric? How detailed? Structured with categories and levels?
• Are annotations associated with part of a line, or the whole line?
• How does the grader specify which lines to annotate?
• ...

Discussion prompt:

• Ask students: "What other questions would you ask?"
• Let them brainstorm for 1-2 minutes

The point:

• A single sentence spawns dozens of design decisions
• We can't answer all of them upfront
• We'll make choices that we may need to reverse

→ Transition: How do we handle this uncertainty?

The Response: Design for Changeability

A core principle of modern software design:

Favor rapid prototyping and iteration over getting requirements perfect.

But throwing away a design and starting over is expensive...

So our goal is to instill a sense of changeability in our designs.

Define changeability:

• One design is more changeable than another if it is easier to make changes to it
• This is relative to specific kinds of changes
• We can't anticipate ALL changes—that would be over-engineering

The balance:

• Don't try to predict everything (YAGNI: You Ain't Gonna Need It)
• But DO structure code so that likely changes are easy
• This takes judgment and experience

→ Transition: How do we achieve changeability? Through modularity...

What is Modularity?

The core idea: design systems as relatively independent modules.

A module is a self-contained unit of code:

• Has a well-defined interface that specifies behavior
• Implementation is hidden and can be independently compiled
• Does not depend on implementation details of other modules

A module could be a class, a package, or even a whole program.

Levels of modularity:

• Class: smallest unit of modularity in Java
• Package: groups of related classes
• Library/Module: groups of packages
• Service: independent program

The pattern is fractal:

• Same principles apply at each level
• Interfaces hide implementations
• Changes don't ripple across boundaries

→ Transition: This applies at every scale...

Modules Exist at Every Scale

A module is any unit of code with a well-defined interface. The same principles apply at every scale:

Scale	Module	Interface
Method	A single function	Its signature and Javadoc
Class	A single type	Its public methods
Package	A group of related classes	Its public classes
Library	A group of packages	Its exported packages
Service	A whole program	Its API

Today's challenge: Why modules, and how to enforce their boundaries? Next lecture's challenge: How do we decide what belongs in a module? Where are the boundaries?

The fractal nature:

• Same principles at every level
• Interface hides implementation
• Changes don't ripple across boundaries

The hard questions (coming in L7):

• How do we decide module boundaries?
• What should be in the same module vs separate modules?
• How much should modules know about each other?

Vocabulary preview (L7):

• Coupling: How much modules depend on each other
• Cohesion: How related things within a module are
• Goal: Low coupling, high cohesion

→ Transition: So what are the benefits of getting this right?

Benefits of Modularity

Why break systems into independent modules?

Efficiency

Teams work in parallel without coordination (Brooks' Law)

Readability

Easier to understand when modules are independent

Changeability

Change one module without affecting others

Testability

Test modules in isolation; easier to debug failures

Note: All benefits require that modules are truly independent.

Discuss each benefit:

• Efficiency: Without independence, teams block each other. This is the lesson of Brooks' "Mythical Man-Month."
• Readability: You can understand one module without understanding all others.
• Changeability: The whole point of today's lecture.
• Testability: Unit tests work because modules are isolated.

The catch:

• These benefits only work if modules are actually independent
• Leaky abstractions undermine modularity
• That's why we need information hiding

→ Transition: But what happens when modularity breaks down?

What Happens Without Modularity: The Big Ball of Mud

The most common software architecture in practice is... no architecture at all.

"A Big Ball of Mud is a haphazardly structured, sprawling, sloppy, duct-tape-and-baling-wire, spaghetti-code jungle."

Brian Foote and Joseph Yoder, 1997

It happens gradually: shortcuts, tight deadlines, "temporary" hacks that become permanent.

The Big Ball of Mud paper (1997):

• Foote and Yoder documented a pattern they saw everywhere
• Not a good pattern—an anti-pattern
• But extremely common in real codebases

How it happens:

• "We'll refactor later" (later never comes)
• One "quick fix" that bypasses the interface
• Copy-paste instead of creating abstractions
• No time for design reviews

The result:

• Everything depends on everything
• No clear boundaries
• Changes are terrifying because you don't know what will break

→ Transition: Let's see what this looks like in practice...

"Life of a Software Engineer" by Manu Cornet

The comic:

• Software grows organically, often chaotically
• Without discipline, we end up with the Big Ball of Mud
• The cure: enforce boundaries with language features

→ Transition: Let's look at how information hiding evolved as a concept...

A Brief History of Information Hiding

David Parnas proposed information hiding in 1972 — before most programming languages supported it.

Back then:

• You could organize code into modules...
• ...but nothing prevented access to internal details
• Discipline was the only enforcement

Historical context:

• 1972: Before C even had structs
• Parnas was arguing for something languages didn't support
• His paper became foundational for OO design

→ Transition: Before we see examples, let's define some key terms...

Important Terminology

• invariant: a property that always holds
• precondition: a property that must hold before an action is performed
• postcondition: a property guaranteed to hold after an action is completed

Quick definitions:

• These terms come from Design by Contract (Bertrand Meyer)
• Invariants are what information hiding protects
• Without enforcement, clients can violate invariants directly

→ Transition: Let's see what happens without information hiding...

Without Information Hiding: Everything is Accessible

Imagine Java without private — all fields are accessible:

// Counter "module" — intended to only increment
class Counter {
    int count = 0;  // count will never be negative

    void increment() { count++; }
    int getCount() { return count; }
}

// Client code in another file...
Counter c = new Counter();
c.increment();     // Intended use
c.count = -999;    // Nothing stops this!
c.count = c.count * 2;  // Or this!

The "module" can't enforce its own invariants. Any client can break it.

The problem:

• Counter is SUPPOSED to only increment
• But without private, anyone can directly modify count
• The module author has NO control
• Invariants (count >= 0, monotonically increasing) can't be enforced

In 1972:

• This was how ALL code worked
• Parnas argued we NEED language support for hiding
• "Please don't touch this field" doesn't scale

→ Transition: How do other languages handle this?

The Python Approach

Python's philosophy:

• Single underscore _field: "treat this as internal"
• Double underscore __field: name mangling to _ClassName__field
• But nothing actually stops you from accessing it
• "We're all consenting adults here"

The Java Approach

Java's philosophy:

• The compiler enforces the rules
• No "consenting adults" exception
• If it's private, you cannot access it (without reflection)

→ Transition: Let's compare the two approaches side-by-side...

Information Hiding: Python vs Java

Python: Convention-Based

    class GradeBook:
        def __init__(self):
            self._grades = []  # "please don't"
            self.__secret = [] # name-mangled

    book._GradeBook__secret  # still works!

"We're all consenting adults here."

Java: Compiler-Enforced

    public class GradeBook {
        private List<Double> grades;
        // Compiler error if accessed
        // from outside the class
    }

The language prevents violations.

The tradeoff:

• Java: compiler catches violations immediately
• Python: relies on social contract and code review
• Python's view: if you bypass the underscore convention and something breaks, that's on you

Discussion question:

• Which approach do you prefer? Why?
• What happens on a team with mixed experience levels?

The Cure: Language-Enforced Boundaries

This course focuses on Java's approach. Why?

• Conventions don't scale — "please don't" becomes "someone did"
• Deadlines happen — under pressure, developers take shortcuts
• Teams change — new members don't know the unwritten rules

Java's enforcement tools: private, final, sealed, modules

The compiler is your boundary guard. Invariants become enforceable.

Benefits of enforcement:

• Can add logging — all changes go through methods
• Can add validation — reject invalid states
• Can change internal representation — clients don't know or care

→ Transition: But even with enforcement, there's a catch...

Hyrum's Law: Why Information Hiding Matters

Even with good design, developers will find unintended ways to use your module...

"With a sufficient number of users of an API, it does not matter what you promise in the contract: all observable behaviors of a system will be depended on by somebody."

Hyrum Wright

Explain Hyrum's Law:

• Named after Hyrum Wright at Google
• If behavior is observable, someone will depend on it
• Even bugs become "features" that people rely on

The solution:

• Information hiding = make internal behaviors unobservable
• If users can't see it, they can't depend on it
• Then you're free to change it

→ Transition: XKCD illustrates this perfectly...

Hyrum's Law in Action (XKCD)

XKCD 1172 — "Every change breaks someone's workflow"

This is Hyrum's Law in action:

• Developer fixes a bug
• User was RELYING on the bug behavior
• Observable behavior becomes de facto API
• Information hiding prevents this by making internals unobservable

→ Transition: Let's look at all the Java features for information hiding...

Hyrum's Law in Action (LED traffic lights)

Source: CBC

• The XKCD cartoon is surprisingly close to a real incident.
• When incandescent bulbs in stoplights were replaced with LED lights, they became less visible, since they did not melt snow blocking the light.
• This caused at least one accident when a bus driver ran a red light allegedly obscured by snow.

Java Language Features for Information Hiding

In OO design, these features enable encapsulation:

1. Access modifiers — control who can see what
2. Immutable classes — prevent state changes after construction
3. Sealed classes — control who can extend a type
4. The module system — hide entire packages from library consumers

Roadmap for the rest of the lecture:

• ~7 min on access modifiers
• ~10 min on immutability
• ~10 min on sealed classes
• ~10 min on modules

The progression:

• Each mechanism hides information at a larger scale
• Access modifiers: hide fields within a class
• Immutability: hide ability to change state
• Sealed classes: hide ability to extend
• Modules: hide entire packages

→ Transition: Let's start with access modifiers...

Access Modifiers in Java

Every class, method, and field has an access modifier:

Modifier	Visibility
public	Accessible from anywhere
protected	Accessible from package and subclasses
(default)	Package-private: same package only
private	Accessible only within the class

Rule: Minimize accessibility of classes and members.

Effective Java Item 15:

• "Minimize the accessibility of classes and members"
• Everything public is part of your API
• Once public, hard to take back

Order of preference:

1. Private (strongest encapsulation)
2. Package-private (default—useful for implementation helpers)
3. Protected (needed for inheritance)
4. Public (only for genuine API)

→ Transition: Access modifiers control who can access. But what about controlling whether something can change?

Immutable Classes

Immutable classes: instances cannot be changed after construction.

• Simpler to reason about—behavior determined by constructor
• Safe to pass between modules—no surprise mutations
• Thread-safe by default

Default to immutable. Only make mutable if there's a good reason.

Effective Java Item 17:

• "Minimize mutability"
• Make classes immutable unless there's a compelling reason not to

Why immutability helps:

• No defensive copying needed
• Can share instances freely
• Easier to test (no state changes to track)
• Thread-safe without synchronization

When to allow mutability:

• Objects with identity (not just value)
• Performance-critical accumulation
• Domain truly requires it

→ Transition: Let's see how to make a class immutable...

Example: An Immutable PhoneNumber Class

public final class PhoneNumber {
    private final short areaCode;
    private final short centralOfficeCode;
    private final short number;

    public PhoneNumber(short areaCode, short centralOfficeCode, short number) {
        this.areaCode = areaCode;
        this.centralOfficeCode = centralOfficeCode;
        this.number = number;
    }

    public short getAreaCode() { return areaCode; }
    public short getCentralOfficeCode() { return centralOfficeCode; }
    public short getNumber() { return number; }
}

This looks a lot like a record from L5! And indeed, record PhoneNumber(short areaCode, short centralOfficeCode, short number) {} would give us the same immutability guarantees with less boilerplate.

The recipe so far:

1. final class — prevents subclasses from adding mutability
2. private final fields — can't be changed after construction
3. No setters — only getters

Connection to records:

• Records are Java's shorthand for exactly this pattern
• Records are implicitly final with final fields
• But understanding the manual version helps you see why records work

Why final class?

• A subclass could override methods
• That subclass could add mutable behavior
• Users of the parent type wouldn't know

For primitives, this is enough. But what about reference types?

→ Transition: There's a subtle trap with reference fields...

Can you break the invariant from a client? 1

/**
 * A phone number consisting of 10 digits in the range 0-9 inclusive.
 */
public class PhoneNumber {
  private final int[] digits;

  public PhoneNumber(int[] digits) {
    Objects.requireNonNull(digits);
    if (digits.length != 10) {
      throw new IllegalArgumentException("numbers length must be 10");
    }
    for (int i = 0; i < digits.length; i++) {
      if (digits[i] < 0 || digits[i] > 9) {
        throw new IllegalArgumentException("digits must be between 0 and 9");
      }
    }
    this.digits = digits;
  }
}

  public static void main(String[] args) {
    int[] digits = {5, 1, 0, 4, 3, 0, 5, 5, 5, 5};
    PhoneNumber phoneNumber = new PhoneNumber(digits);
    digits[0] = -20; // breaks invariant
  }

Ask the class: Can you break the invariant?

• The field is private final — looks safe!
• But wait... arrays are reference types
• The constructor stores the SAME array, not a copy
• Client still has a reference to the internal array

→ Transition: Let's visualize what's happening in memory...

Shared References Let Clients Break Invariants

int[] digits = {5, 1, 0, 4, 3, 0, 5, 5, 5, 5};
PhoneNumber phoneNumber = new PhoneNumber(digits);

digits[0] = -20; // breaks invariant

Walk through the diagram:

• Both digits (local) and phoneNumber.digits (field) point to the SAME array
• Mutating through either reference changes the shared data
• The private final doesn't help — we're not reassigning the field, we're mutating the array contents

→ Transition: Can we fix it with a defensive copy in the constructor?

Can you break the invariant from a client? 2

/**
 * A phone number consisting of 10 digits in the range 0-9 inclusive.
 */
public class PhoneNumber {
  private final int[] digits;

  public PhoneNumber(int[] digits) {
    // validation code hidden
    this.digits = digits.clone(); // make a defensive copy
  }

  public int[] getDigits() {
    return digits;
  }
}

  public static void main(String[] args) {
    int[] digits = {5, 1, 0, 4, 3, 0, 5, 5, 5, 5};
    PhoneNumber phoneNumber = new PhoneNumber(digits);
    digits[0] = -20; // does not affect phoneNumber.digits
    phoneNumber.getDigits()[0] = -20; // breaks invariant
  }

Progress:

• Constructor now clones the array — input is safe!
• But getDigits() returns the actual internal array
• Client can mutate through the returned reference

→ Transition: Let's visualize this partial fix...

Defensive Copy Protects Input—But Getter Still Leaks

int[] digits = {5, 1, 0, 4, 3, 0, 5, 5, 5, 5};
PhoneNumber phoneNumber = new PhoneNumber(digits);

phoneNumber.getDigits()[0] = -20

Walk through the diagram:

• Now there are TWO arrays — the defensive copy worked for input
• Green array is the internal state (protected from input mutation)
• But getDigits() returns the internal array directly
• Client can mutate through the returned reference

→ Transition: The fix: defensive copy on the way OUT too...

Correct Implementation

/**
 * A phone number consisting of 10 digits in the range 0-9 inclusive.
 */
public class PhoneNumber {
  private final int[] digits;

  public PhoneNumber(int[] digits) {
    Objects.requireNonNull(digits);
    if (digits.length != 10) {
      throw new IllegalArgumentException("numbers length must be 10");
    }
    for (int i = 0; i < digits.length; i++) {
      if (digits[i] < 0 || digits[i] > 9) {
        throw new IllegalArgumentException("digits must be between 0 and 9");
      }
    }
    this.digits = digits.clone(); // make a defensive copy
  }

  public int[] getDigits() {
    return digits.clone(); // make a defensive copy
  }
}

The complete solution:

• Clone on the way IN (constructor)
• Clone on the way OUT (getter)
• Now no external reference can reach the internal array

Key insight: private final alone isn't enough for reference types!

→ Transition: Let's generalize this pattern...

Defensive Copies Protect Reference Fields

For reference types, make copies on the way in and out:

public final class PhoneNumber {
    private final short[] number;

    public PhoneNumber(short[] number) {
        // Defensive copy on the way in
        this.number = new short[number.length];
        System.arraycopy(number, 0, this.number, 0, number.length);
    }

    public short[] getNumber() {
        // Defensive copy on the way out
        short[] copy = new short[number.length];
        System.arraycopy(number, 0, copy, 0, number.length);
        return copy;
    }
}

"But isn't copying slow?" — Choose safety. Hardware gets faster; bugs from aliased references don't fix themselves.

Effective Java Item 50:

• "Make defensive copies when needed"
• Copy mutable parameters on entry
• Copy mutable fields on exit

System.arraycopy:

• More efficient than a loop
• Same effect as copying element by element

Alternative: Use immutable types:

• List.of() returns an immutable list
• Collections.unmodifiableList() wraps existing list
• Prefer immutable types over defensive copying when possible

The performance vs safety tradeoff:

• Yes, copying costs memory and CPU cycles
• Wisdom from generations of developers: choose safety
• By the time performance matters, we'll have more memory, faster CPUs
• But we'll also have MORE CODE to maintain!
• Remember Moore's Law and the software crisis: hardware improves exponentially, but code complexity grows too
• A bug from aliased references costs far more than a few extra copies

→ Transition: Let's summarize the recipe...

Poll: Can a Client Break the Invariant?

/**
 * A Northeastern student whose entrance year is no earlier than
 * NU's founding and no later than the current year.
 */
public class NortheasternStudent {
  private static final int FOUNDING_YEAR = 1898;
  private String name;
  private int entranceYear;

  public NortheasternStudent(String name, int entranceYear) {
    this.name = name;
    if (entranceYear < FOUNDING_YEAR || entranceYear > Year.now().getValue()) {
      throw new IllegalArgumentException("entranceYear " + entranceYear +
          " is out of range " + FOUNDING_YEAR + "..." + Year.now().getValue());
    }
    this.entranceYear = entranceYear;
  }
}

A. yes, both fields are vulnerable

B. yes, name is vulnerable

C. yes, entranceYear is vulnerable

D. no, it's safe

E. I don't know

Text espertus to 22333 if the
URL isn't working for you.

https://pollev.com/espertus

Answer: No, it's safe!

• String is immutable — no defensive copy needed
• int is a primitive — copied by value automatically
• Fields are private — no external access
• The only issue: fields aren't final, so the class itself could mutate them (but clients can't)

→ Transition: Let's summarize the recipe for making classes safe...

Recipe for Safety

• Do not provide any mutators (methods that change state)
• Make the class final to prevent subclasses
• Make all fields final
• Make all fields private
• For reference fields, make defensive copies of mutable objects in constructors and getters
• Copies are automatically made with primitive assignment (this.year = year;)
• There's no need to make copies of immutable object types, such as String

Even without a specific invariant to protect, prefer immutability. It makes code easier to understand and maintain.

The five steps:

1. No setters, no mutating methods
2. final class — no sneaky subclasses
3. final fields — set once in constructor
4. private fields — controlled access
5. Defensive copies — isolate from external mutation

Java Records (Java 16+):

• Records are a shorthand for immutable data classes
• record PhoneNumber(short areaCode, short centralOffice, short number) {}
• Automatically final, with final fields and getters
• But still need defensive copies for reference types!

→ Transition: What about controlling who can extend a class?

Uncontrolled Subtyping

The visual:

• Left: Type hierarchy where anyone can extend IoTDevice
• Right: A trusting method that accepts all IoTDevices
• Problem: MaliciousDevice gets in because it IS-A IoTDevice

→ Transition: Let's see this in code...

The Problem: Uncontrolled Inheritance

Imagine you're building a smart home system with different device types:

public class IoTDevice {
    public void sendCommand(String cmd) { /* ... */ }
}

public class DimmableLight extends IoTDevice { /* ... */ }
public class Thermostat extends IoTDevice { /* ... */ }

But someone else adds this their deployment of your code:

public class MaliciousDevice extends IoTDevice {
    @Override
    public void sendCommand(String cmd) {
        uploadToHackerServer(cmd);  // Oops!
        super.sendCommand(cmd);
    }
}

final on IoTDevice would prevent this—but then you can't have any subclasses!

The dilemma:

• You want DimmableLight, Thermostat, etc. to extend IoTDevice
• But you don't want arbitrary code to create new subclasses
• final is too restrictive—prevents ALL inheritance
• Without final, anyone can subclass and break your invariants

Real-world examples:

• Security-sensitive code where you need to control the type hierarchy
• Domain models where only certain subtypes make sense
• APIs where you want to add subtypes later but control what exists now

→ Transition: Java 17 introduced sealed classes to solve this...

Sealed Classes: Controlled Inheritance

Sealed classes let you specify exactly which classes can extend:

public sealed class IoTDevice
    permits DimmableLight, SwitchedLight, Thermostat {
    // ...
}

The middle ground:

• final = no subclasses
• sealed = controlled subclasses
• (default) = anyone can subclass

Why this matters:

• You can add new permitted subclasses later
• But you prevent unexpected subclasses from appearing
• Control over your type hierarchy

→ Transition: What must the permitted subclasses declare?

Subclasses of Sealed Classes

Classes extending a sealed class must declare themselves as one of:

final	Cannot be extended further
sealed	Must specify its own permitted subclasses
non-sealed	Reopens the hierarchy—anyone can extend

public sealed class IoTDevice permits DimmableLight, SwitchedLight, Thermostat { }

public final class DimmableLight extends IoTDevice { }  // Cannot be extended

public final class SwitchedLight extends IoTDevice { }  // Cannot be extended

public non-sealed class Thermostat extends IoTDevice { }  // Open for extension

The three options:

• final: This branch of the hierarchy is closed
• sealed: Continue controlled extension
• non-sealed: Open this branch to anyone

Flexibility:

• Can mix and match in a hierarchy
• Some branches closed, others open
• Fine-grained control

→ Transition: Why do sealed classes matter for changeability?

Why Sealed Classes Matter

1. Controlled evolution

Add new permitted subclasses in future versions without breaking existing code.

2. Exhaustive pattern matching

The compiler knows all possible subtypes:

public String describe(IoTDevice device) {
    if (device instanceof DimmableLight d) {
        return "Dimmable light at " + d.getBrightness() + "%";
    } else if (device instanceof SwitchedLight s) {
        return "Switched light: " + (s.isOn() ? "on" : "off");
    } else if (device instanceof Thermostat t) {
        return "Thermostat set to " + t.getTargetTemp() + "°";
    }
    // Compiler warns if we miss a case (unless non-sealed in hierarchy)
    return "Unknown device";
}

Exhaustiveness checking:

• Compiler knows all possible types
• Can warn about missing cases
• Safer refactoring when adding new subtypes

Note about non-sealed:

• Thermostat is non-sealed, so there could be unknown subtypes
• That's why we need the default case here
• If all were final, compiler would know we covered everything

→ Transition: Third benefit...

Sealed Classes for Domain Modeling

Sealed classes model domains with a closed set of possibilities:

public sealed interface PaymentMethod
    permits CreditCard, BankTransfer, DigitalWallet { }

public final class CreditCard implements PaymentMethod { ... }
public final class BankTransfer implements PaymentMethod { ... }
public final class DigitalWallet implements PaymentMethod { ... }

The type system now enforces that a PaymentMethod is one of exactly three things. Adding a new subtype requires a change to PaymentMethod

Domain modeling:

• Some domains have enumerated possibilities
• Not just "any implementation"—a specific set
• Sealed types make this explicit

Works with interfaces too:

• sealed interface permits specific implementations
• Combines interface benefits with controlled hierarchy

Compare to enums:

• Enums: fixed set of singleton values
• Sealed: fixed set of types (with different instances)

→ Transition: Now let's scale up to the library level...

Scaling Up: The Java Module System

Access modifiers work at the class level. But what about library level?

The problem:

• Internal classes must be public for your packages to use them
• But that makes them visible to library consumers too!
• "Internal API - do not use" doesn't stop determined developers

This is Hyrum's Law at the library scale.

The real-world problem:

• You have utility classes shared across packages
• They must be public so your packages can see them
• But consumers see them too
• Consumers depend on them
• Now you can't change them!

Before Java 9:

• No solution except discipline
• "Please don't use this" in Javadoc
• Doesn't work

→ Transition: Java 9 introduced the module system to solve this...

The module-info.java File

Declare which packages are part of your public API:

// module-info.java for a hypothetical grading library
module com.pawtograder.grading {
    // These packages are our public API - consumers can use them
    exports com.pawtograder.grading.api;
    exports com.pawtograder.grading.model;

    // com.pawtograder.grading.impl is NOT exported
    // Classes there can be public but invisible to consumers
}

Unexported packages are module-private—even public classes are hidden!

How it works:

• exports declares packages that consumers can access
• Unexported packages are hidden
• Public classes in unexported packages are invisible outside the module

This is a new level of encapsulation:

• At class level: private fields
• At package level: package-private classes
• At module level: unexported packages

→ Transition: Let's visualize this...

Encapsulation at Every Level

Scope	Mechanism	What it hides
Field	private keyword	Implementation state within a class
Class	Package-private (default)	Helper classes within a package
Library	Module system (exports)	Internal packages within a library

Same principle at different scales:

• Reduced coupling
• Clearer contracts
• Safer evolution

The fractal nature:

• Private fields → can change class internals
• Package-private classes → can change package internals
• Unexported packages → can change library internals

The consistent theme:

• Hide implementation details
• Expose only what's needed
• Preserve freedom to change

→ Transition: Let's wrap up...

Key Takeaways

1. Changeability is essential — most software cost is maintenance
2. Modularity enables change — independent modules evolve independently
3. Information hiding protects modularity — Hyrum's Law warns us
4. Java provides tools at every scale: Access modifiers, immutability, sealed classes, modules

Summary:

1. Requirements change; code must adapt
2. Modularity is the strategy
3. Information hiding is the tactic
4. Java gives us language-level enforcement

Looking ahead:

• Next lectures: More design principles for changeability
• Design patterns for flexible designs
• Later: Architecture and system-level modularity

→ Transition: Any questions?

Looking Ahead

The module system is our first glimpse of how design principles scale beyond individual classes.

Later in the course:

• Software Architecture (Lecture 19) — System-level modularity
• Open Source Ecosystems (Lecture 23) — Library boundaries
• Sustainability (Lecture 36) — Long-term technical health

Information hiding is fractal.
The same principle that makes a well-designed class easier to change also makes a well-designed system easier to change.

Preview:

• Today: Class and package level
• Later: Service and organization level
• Same principles apply throughout

The big picture:

• Good design is about managing complexity
• Information hiding is the core technique
• It works at every scale

Questions?