comp.lang.ada
From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Contract checking in Ada
Date: Mon, 4 Apr 2005 00:31:07 -0500
Message-ID: <2cadnfoO4eMTTc3fRVn-hA@megapath.net>
In-Reply-To: XcY3e.953$7b.886@trndny02

"Hyman Rosen" <hyrosen@mail.com> wrote in message
news:XcY3e.953$7b.886@trndny02...
> Randy Brukardt wrote:
> > The problem is that assertions of all stripes (like runtime checks)
> > detect unanticipated conditions before much damage is done. And no one
> > anticipates (and thus tests) every possible issue.
>
> But in detecting those unanticipated conditions, they do maximum damage.
> We've had this discussion before. If some operation raises Constraint
> Error or Program Error, or fails some other assertion, the action usually
> taken is to abort the program. That can mean losing unsaved work, or just
> rendering a program unusable where it might otherwise muddle through and
> continue working even though it has done something illegal.

Only if the program designer hasn't taken steps to do something useful on
unanticipated conditions. And if they haven't done so, that usually suggests
shoddy design.

Our web and mail programs trap unexpected exceptions, log them, and reset
the program to continue running. Our spam filter traps the message for
hand-analysis. None of them "abort the program".

OTOH, our Ada compiler does let unhandled exceptions abort the program. That
seems like a better choice than generating garbage code. There have been a
couple instances of failures happening because of broken assertions, but the
vast majority have been real problems. Had the compiler gone ahead and
generated something, it might have worked -- for a while. Or it might have
done something weird that would have cost everyone lots of debugging time.
I'd rather get my errors up front.

There might be some programs that "muddle through" OK, but I haven't seen or
used many of them. The muddling through in the bookkeeping software I used
probably caused the data file to get corrupted, which made me spend most of
a day reentering stuff. I would rather have had a clean crash...

It is necessary to decide what to do with unanticipated conditions, but that's
an important part of application design. When it is not done, you get
security holes and corrupted data files that could easily have been
prevented.

                                Randy.
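The two policies contrasted above (a server that logs, resets and keeps running versus a compiler that lets the exception abort the run) as an added Ada illustration; this is not code from the thread or from RR Software, and Session, Process and the four constructed messages are hypothetical stand-ins for real application state.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Trap_And_Reset is

   --  Hypothetical per-request state that the handler must put back
   --  into a known-good condition before serving the next request.
   type Session is record
      Count  : Natural := 0;
      Buffer : String (1 .. 8) := (others => ' ');
   end record;

   Current : Session;

   --  Constructed input: the third message is malformed and makes
   --  Process raise Constraint_Error (the "unanticipated condition").
   Messages : constant array (1 .. 4) of String (1 .. 4) :=
     ("ok01", "ok02", "bad!", "ok04");

   procedure Process (Msg : String) is
      --  "d!" is not a number, so 'Value raises Constraint_Error here,
      --  before any state has been touched.
      Length : constant Natural := Natural'Value (Msg (3 .. 4));
   begin
      Current.Buffer (1 .. Length) := Msg (1 .. Length);
      Current.Count := Current.Count + 1;
   end Process;

   --  Keep_Running = True  : mail/web-server policy (log, reset, go on).
   --  Keep_Running = False : compiler policy (log, then let it abort).
   procedure Serve (Keep_Running : Boolean) is
   begin
      for I in Messages'Range loop
         begin
            Process (Messages (I));
            Put_Line ("handled " & Messages (I));
         exception
            when E : others =>
               Put_Line ("LOG: " & Exception_Information (E));
               if not Keep_Running then
                  raise;  --  propagate: better to stop than emit garbage
               end if;
               Current := (Count => 0, Buffer => (others => ' '));
         end;
      end loop;
   end Serve;

begin
   Serve (Keep_Running => True);   --  all four handled, one logged
   Serve (Keep_Running => False);  --  terminates at the third message
end Trap_And_Reset;
```

The decisive design point is that the reset assignment restores every piece of state Process might have half-written; a handler that logs but leaves Current inconsistent is the "muddling through" case that corrupts data.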
