From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Contract checking in Ada
Date: Fri, 1 Apr 2005 10:55:22 +0200
Message-ID: <134cic39vcvgd.1c3ccsxl3k3wq.dlg@40tude.net>
In-Reply-To: Oe73e.6358$qc.2422@reader1.news.jippii.net
On Fri, 01 Apr 2005 08:02:54 GMT, Tapio Kelloniemi wrote:
> Randy Brukardt <randy@rrsoftware.com> wrote:
>>For instance, Postconditions required a mechanism to get at the original
>>values of parameters. Which meant that those values had to be saved
>>somewhere. That would be a huge performance hit unless it is possible to
>>tell in advance whether or not the original value would be required. We
>>never had a proposal with that property (it really needs to be visible on a
>>purely syntax basis; otherwise it can be too complex to figure out, as it
>>would depend on name resolution and visibility).
>
> Programming by contract features are IMHO disabled (speaking in free
> software terminology) when a stable version is released, or in other
> words, when a final product goes out. Xconditions are certainly a huge
> performance hit, but not as much as inserting a break point at the
> beginning and end of every subprogram in a debugger and then manually
> examining parameter and result values, if the program behaves oddly. All other
> run-time checks are also expensive and that is why Ada provides a way to
> disable them. Xconditions could actually speed up code that is considered
> to be stable. This is because subprograms' parameters' validity checking
> can be written as a precondition and does not need to be executed, when
> the caller knows that a bad value cannot be passed in any situation.
> For example, subprograms of Ada.Strings's child packages have many checks for
> their parameters' validity and as some of the subprograms are implemented
> (in GNAT) in terms of others, the checks are doubled.
That is the problem. Basically the question is: can a contract violation be
handled at run-time? I would say no. Theoretically, a contract violation
should kill the program, reboot the computer (and all other computers of the
world (:-)).
If so, then the validity checks cannot be turned into contract checks.
Compare:
   begin
      Do_One_Thing (X);
   exception
      when Constraint_Error =>
         Do_Other_Thing (X); -- This is OK
   end;

Compare with:

   begin
      Do_One_Thing (X);
   exception
      when Contract_Error =>
         Do_Other_Thing (X); -- Nonsense
   end;
Validity, constraint checks /= contract checks.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
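The distinction drawn above (a constraint check that the caller may legitimately handle, versus a contract check that signals a defect and may be compiled out in a release build, as the quoted message argues) can be shown in a complete Ada program. This is an added example, not code from the thread or from any of its participants; it uses Ada 2005 features (pragma Assert, Ada.Assertions.Assertion_Error and the Assertion_Policy configuration pragma), and the subtype Percent, the procedure Do_Contracted_Thing and the sample value Input are assumptions made for the illustration. Do_One_Thing and Do_Other_Thing keep the names from the message.

```ada
pragma Assertion_Policy (Check);  --  release builds would use (Ignore)

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions; use Ada.Assertions;

procedure Checks_Demo is

   --  "Validity" check in the sense of the thread: a constrained subtype.
   --  Passing a value outside the range raises Constraint_Error at the
   --  point of call, which is ordinary Ada semantics, not a contract.
   subtype Percent is Integer range 0 .. 100;   --  assumed subtype

   procedure Do_One_Thing (X : Percent) is
   begin
      Put_Line ("Do_One_Thing:" & Integer'Image (X));
   end Do_One_Thing;

   --  "Contract" check: a precondition written as an assertion. A failure
   --  here means the *caller* is wrong. pragma Assertion_Policy (Ignore)
   --  removes the check entirely, which is the "disabled in the stable
   --  release" scenario from the quoted message.
   procedure Do_Contracted_Thing (X : Integer) is   --  assumed procedure
      pragma Assert (X mod 2 = 0, "Do_Contracted_Thing requires an even X");
   begin
      Put_Line ("Do_Contracted_Thing:" & Integer'Image (X));
   end Do_Contracted_Thing;

   procedure Do_Other_Thing (X : Integer) is
   begin
      Put_Line ("Do_Other_Thing (fallback):" & Integer'Image (X));
   end Do_Other_Thing;

   Input : Integer := 150;   --  constructed sample value, deliberately out of range

begin
   --  Handling the constraint violation locally is legitimate: the bad
   --  value came from outside, and the program has a meaningful alternative.
   --  This is the first block from the message ("This is OK").
   begin
      Do_One_Thing (Input);
   exception
      when Constraint_Error =>
         Do_Other_Thing (Input);
   end;

   --  A violated precondition is a defect in this program. There is no
   --  handler here on purpose: catching Assertion_Error and carrying on
   --  would be the second block from the message ("Nonsense"). With the
   --  policy set to Check the program terminates here with an unhandled
   --  Assertion_Error; with (Ignore) the check is gone and the call runs.
   Do_Contracted_Thing (3);
end Checks_Demo;
```

Compile with `gnatmake checks_demo.adb` and run it: the first call falls back via Do_Other_Thing, the second terminates the program with Assertion_Error, which is the intended outcome for a contract violation. Switching the configuration pragma to `Assertion_Policy (Ignore)` reproduces the release-build behaviour discussed in the thread, where the precondition costs nothing and the subtype range check on Do_One_Thing still fires.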
Thread overview: 23+ messages
2005-03-30 10:46 Contract checking in Ada Tapio Kelloniemi
2005-03-30 11:18 ` Vinzent 'Gadget' Hoefler
2005-03-30 11:45 ` Georg Bauhaus
2005-03-30 12:49 ` Martin Dowie
2005-03-30 13:05 ` Tapio Kelloniemi
2005-03-30 13:42 ` Georg Bauhaus
2005-03-31 1:57 ` Randy Brukardt
2005-03-31 3:04 ` Ed Falis
2005-03-31 6:12 ` Martin Dowie
2005-03-31 7:22 ` Martin Dowie
2005-03-31 13:35 ` Tapio Kelloniemi
2005-03-31 17:38 ` Martin Dowie
2005-03-31 17:42 ` Martin Dowie
2005-04-01 2:30 ` Randy Brukardt
2005-04-01 8:02 ` Tapio Kelloniemi
2005-04-01 8:55 ` Dmitry A. Kazakov [this message]
2005-04-01 23:17 ` Randy Brukardt
2005-04-03 20:19 ` Hyman Rosen
2005-04-04 5:31 ` Randy Brukardt
2005-04-01 7:34 ` Peter Amey
2005-04-09 16:56 ` adaworks
2005-04-12 6:51 ` Duncan Sands
2005-04-12 19:29 ` Martin Dowie