From: "Dmitry A. Kazakov"
Subject: Re: Contract checking in Ada
Newsgroups: comp.lang.ada
Date: Fri, 1 Apr 2005 10:55:22 +0200
Message-ID: <134cic39vcvgd.1c3ccsxl3k3wq.dlg@40tude.net>

On Fri, 01 Apr 2005 08:02:54 GMT, Tapio Kelloniemi wrote:

> Randy Brukardt wrote:
>>For instance, Postconditions required a mechanism to get at the original
>>values of parameters. Which meant that those values had to be saved
>>somewhere. That would be a huge performance hit unless it is possible to
>>tell in advance whether or not the original value would be required. We
>>never had a proposal with that property (it really needs to be visible on a
>>purely syntax basis; otherwise it can be too complex to figure out, as it
>>would depend on name resolution and visibility).
>
> Programming by contract features are IMHO disabled (speaking in free
> software terminology) when a stable version is released, or in other
> words, when a final product goes out.
> Xconditions are certainly a huge
> performance hit, but not as much as inserting a break point at the
> beginning and end of every subprogram in a debugger and then manually
> examining parameter and result values, if the program behaves oddly. All other
> run-time checks are also expensive and that is why Ada provides a way to
> disable them. Xconditions could actually speed up code that is considered
> to be stable. This is because subprograms' parameters' validity checking
> can be written as a precondition and does not need to be executed, when
> the caller knows that a bad value cannot be passed in any situation.
> For example subprograms of Ada.Strings's child packages have many checks for
> their parameters' validity and as some of the subprograms are implemented
> (in GNAT) in terms of others, the checks are doubled.

That is the problem. Basically the question is: can a contract violation be
handled at run-time? I would say no. Theoretically, a contract violation
should kill the program, reboot the computer (and all other computers of the
world (:-)). If so, then the validity checks cannot be turned into contract
checks.

Compare:

   begin
      Do_One_Thing (X);
   exception
      when Constraint_Error =>
         Do_Other_Thing (X); -- This is OK
   end;

Compare with:

   begin
      Do_One_Thing (X);
   exception
      when Contract_Error =>
         Do_Other_Thing (X); -- Nonsense
   end;

Validity, constraint checks /= contract checks.

--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
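The distinction drawn in this message, as an added example that is not code from the thread: it uses the Ada 2012 `Pre` aspect and `Assertion_Policy` pragma, which postdate the post, and a failed precondition raises `Ada.Assertions.Assertion_Error` rather than the post's `Contract_Error`. The names `Parse_Slot`, `Item`, `Lookup` and `Table` are hypothetical.

```ada
--  Added example (Ada 2012), not from the original post.
--  All names are hypothetical.
pragma Assertion_Policy (Check);  --  a release build may use Ignore

with Ada.Text_IO; use Ada.Text_IO;

procedure Contract_Vs_Validity is

   subtype Slot is Positive range 1 .. 8;
   Table : constant array (Slot) of Character := "ABCDEFGH";

   --  Validity check: Text comes from outside the program, so a bad
   --  value is an expected event. This is ordinary code and is not
   --  affected by Assertion_Policy.
   function Parse_Slot (Text : String) return Slot is
   begin
      return Slot'Value (Text);  --  Constraint_Error on "0", "9", "x"
   end Parse_Slot;

   --  Contract check: callers promise Index is in range. A violation
   --  is a bug in the caller, not a condition to recover from.
   function Item (Index : Positive) return Character
     with Pre => Index in Slot;

   function Item (Index : Positive) return Character is
   begin
      return Table (Index);
   end Item;

   procedure Lookup (Text : String) is
   begin
      Put_Line (Text & " -> " & Item (Parse_Slot (Text)));
   exception
      when Constraint_Error =>          --  recoverable: bad input
         Put_Line (Text & " -> rejected");
      --  Deliberately no handler for Ada.Assertions.Assertion_Error:
      --  a failed Pre propagates and terminates the program.
   end Lookup;

begin
   Lookup ("3");    --  valid input
   Lookup ("42");   --  invalid input, handled at run time
   Lookup ("x");    --  invalid input, handled at run time
end Contract_Vs_Validity;
```

Because `Parse_Slot` always runs, every value reaching `Item` already satisfies its precondition, so switching the policy to `Ignore` removes only the redundant check and leaves the handling of untrusted input unchanged.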