From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=BAYES_00,INVALID_DATE autolearn=no autolearn_force=no version=3.4.4 Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!bu.edu!inmet!stt From: stt@inmet.inmet.com Newsgroups: comp.lang.ada Subject: Re: Pre-condition vs. Post-condition Message-ID: <20600091@inmet> Date: 24 Mar 91 21:23:00 GMT Nf-ID: #R:<9103181658.AA10945@ajpo.sei.cmu:-37:inmet:20600091:000:3387 Nf-From: inmet.inmet.com!stt Mar 24 16:23:00 1991 List-Id: Re: Should documentation on exception be preconditions or postconditions This is pretty much of a style issue in my view, but I much prefer Norm Cohen's approach for general readability. That is, document the preconditions for normal action, and then document the result of violating the preconditions. I don't see why it really matters whether the exception is raised explicitly or implicitly, or whether it is a predefined or user-defined exception, for in Ada, the nearly universal result of violating preconditions is an exception, whether you state it or not. Seeing exceptions as the result of violating preconditions emphasizes their "exceptional" nature, and properly discourages using exceptions as a kind of "status code." A good rule (subject to the usual exceptions that prove it!) is that any exception raised at run-time represents a program bug or an external failure, and the only reason to have user-defined exceptions is to provide better diagnostics in post-mortem debugging of what are essentially unrecoverable errors. Exceptions might trigger recovery, but probably only at a high level (e.g., in an interactive program, they would flush the current activity and reprompt the human operator; in a fault-tolerant system they might cause the failing task to be decommissioned, or reset and reelaborated.) I realize this is a pretty extreme view of exceptions, namely that they are primarily a debugging tool, not a programming tool, but it is consistent with the "extreme prejudice" for efficient non-exceptional execution speed over exception-handling speed. Another implication of this view of exceptions is that surrounding a single subprogram call with an exception handler is generally a bad idea, since it implies that an exceptional condition is in fact expected to happen! Further, it implies that design rules stating that undocumented exceptions should never be propagated are possibly misguided, since handling "others" and raising some catch-all exception is throwing away information which may be critical to post-mortem debugging. Of course, once a subsystem gets to the point of being "fully" debugged, and is being reused more and more, all exceptions which can be propagated should be documented, though it may still be more appropriate to document certain exceptions on a subsystem-wide basis, rather than trying to identify each individual subprogram which could propagate them. The exception handler attempting the recovery (if any), probably does not "know" which particular subprogram call failed anyway, and it may be more useful to know what is a reasonable recovery strategy (e.g., how to "reset" the subsystem so as to allow clients to continue to use it), than to know exactly which subprograms can cause the subsystem to enter its exceptional state. Therefore, if an exception is intended to be used for recovery rather than simply debugging, the most important thing is that the particular exception raised identifies which subsystem failed, in what error state (if any) it is now, and what sort of reset operation is appropriate. If the exception simply indicates that a bad parameter was passed in somewhere, there is probably no obvious recovery strategy other than to take two aspirin and fire up the source-level debugger in the morning... S. Tucker Taft stt@inmet.inmet.com Intermetrics, Inc. Cambridge, MA 02138