From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: 103376,7d3cb5920e882220 X-Google-Attributes: gid103376,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news1.google.com!news3.google.com!news.germany.com!news.teledata-fn.de!newsfeed.arcor.de!newsspool4.arcor-online.net!news.arcor.de.POSTED!not-for-mail From: "Dmitry A. Kazakov" Subject: Re: Contracted exceptions for Ada Newsgroups: comp.lang.ada User-Agent: 40tude_Dialog/2.0.15.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Reply-To: mailbox@dmitry-kazakov.de Organization: cbb software GmbH References: <5947aa62-2547-4fbb-bc46-1111b4a0dcc9@x69g2000hsx.googlegroups.com> <7m9wkymyi5h7.1235e72is9mp9.dlg@40tude.net> Date: Tue, 11 Dec 2007 10:16:09 +0100 Message-ID: <185k0c8e598ko.16o5j2iv35zpn$.dlg@40tude.net> NNTP-Posting-Date: 11 Dec 2007 10:08:24 CET NNTP-Posting-Host: cb49d5cd.newsspool1.arcor-online.net X-Trace: DXC=N`K4j]QFgd9^cW`WBF>WQ4Fo<]lROoR14nDHegD_]R5kLU__ZK7gF6DNcfSJ;bb[5FCTGGVUmh?4LK[5LiR>kg2]Rj[8fF8fE; X-Complaints-To: usenet-abuse@arcor.de Xref: g2news1.google.com comp.lang.ada:18892 Date: 2007-12-11T10:08:24+01:00 List-Id: On Mon, 10 Dec 2007 19:53:27 -0600, Randy Brukardt wrote: > "Dmitry A. Kazakov" wrote in message > news:7m9wkymyi5h7.1235e72is9mp9.dlg@40tude.net... >> On Fri, 7 Dec 2007 21:30:05 -0600, Randy Brukardt wrote: > ... >>> The ARG has discussed "exception contracts" a couple of times, but there >>> didn't seem that there was enough interest. The problem was mainly that they >>> simply don't look very valuable >> >> My observation is that a big deal of debugging Ada code is about tracing >> down unexpected exceptions. I cannot give any figures, but it is extremely >> frequent that a bug manifests itself as an exception propagation. Typically >> Constraint_Error propagates where you didn't expect it. So the temptation >> is to catch most of such things at compile time. > > That's not going to be useful, since virtually any code that you can write > *might* raise Constraint_Error, Why is it a problem? > and a lot of code *could* raise > Program_Error, and everything *could* raise Storage_Error. There is no way > to write a contract that doesn't contain those exceptions. Program_Error is not my concern. Storage_Error can be fixed as I described earlier. And for all, what I meant under exception contracts was not about making a program exception-free. It was about specifying which exception can propagate and which cannot. >>> Another one is what to do if a contract is violated. The obvious answer of >>> raising Program_Error doesn't do anything other than lose information about >>> an exception, so that isn't very satisfying. >> >> Yes, in my view exception contracts have to be static. (It makes no sense >> to have run-time exception contracts. As well as any other contracts, there >> is no any authority body to judge contract violations at run-time.) > > OK, but that isn't going to happen in Ada. What you are looking for is a > static analysis tool, like SPARK. That's especially true as you'll need > static preconditions to have any hope of eliminating the Constraint_Errors > (subtypes aren't powerful enough). This is a separate issue. You seem to imply that the exception contracts shall specify *when* an exception is raised or not. That is a much harder problem and it indeed would require pre- and postconditions and cannot be done in general case. What I am talking about is a much weaker framework which only proves whether an exception cannot propagate. We do not need pre-/postconditions for that. A comparable case is exact real vs. interval arithmetic. We don't need exact exception propagation analysis, we do a conservative *estimation* of. -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de