From: Al Christians
Subject: Re: Use of DBC as "executable SRS": scaling problems
Date: 1997/07/31
Message-ID: <33E133C8.65BF@easystreet.com>#1/1
References: <870209420.19031@dejanews.com> <33E1089C.6A72@pseserv3.fw.hac.com>
Reply-To: achrist@easystreet.com
Organization: Trillium Resources Corporation
Newsgroups: comp.lang.ada,comp.lang.eiffel

Meyer's book seems to allow two kinds of preconditions, those that are explicitly included in the Require clause, and those that must be omitted, usually either for reasons of prohibitive redundancy with the mainline logic or impossibility of evaluation before the requested service is actually attempted. So he does see some use for return codes (for example from external database access attempts) and for exceptions thrown from the middle of a method when the method finally figures out that it can't do what was requested.

So despite any suggestions or optimism, putting everything into explicit preconditions, postconditions, and invariants is not a 100% solution. There will often be a buried implicit precondition somewhere.

If DBC is 99% effective, does that make the hidden precondition much more dangerous because of an illusion of explicitness and reliability supported by DBC?

Al

W. Wesley Groleau x4923 wrote:
>
> card@syr.lmco.com wrote:
> > I do not think that using DBC as an "executable SRS" (SRS == Software
> > (1) In a large and complex system, the number of preconditions and
> > post-conditions in a complex class hierarchy could get extremely large.
>
> Although they didn't demand that it be "in the code", the inquiry board
> did note
> " that the systems specification of the SRI does not indicate operational restrictions that emerge from the chosen implementation. Such a declaration of limitation, which should be mandatory for every mission-critical device, would have served to identify any non-compliance with the trajectory of Ariane 5. "