Re: Building blocks (Was: Design By Contract)

["Mark L. Fussell" <mark.fussell@chimu.com>]

Stephen Leake wrote:
> Paul Johnson wrote:
> > Ada allows the programmer to quietly ignore an exception and pretend
> > that a routine succeeded when in fact it failed.  This is wrong.
> 
> I assume you are talking about:
> begin
>    ... some code
> exception
> when others =>
>    null;
> end;
[SNIP]
> How does Eiffel handle this situation?

A close equivalent in Eiffel is the following example.  This is actually
a variation from the discussion in Section 12.5 of OOSC-2.

is
    -- The Eiffel version of the above
local
    attempts : INTEGER  -- FYI: initializes attempts to 0
do
    if attempts = 0 then
        -- do main stuff
    else
        -- do nothing
    end
rescue
    attempts := attempts + 1
    retry
end

The functionality is identical to the Ada version, so it likewise
"pretends to succeed when in fact it failed".  The important thing to
Bertrand Meyer [from my understanding] is that ONLY the main body can
exit a routine without exception, so we have isolated bad contract
specification and fulfillment (the body) from bad error recovery (the
rescue).  Quoting two relevant paragraphs:

"This example [similar to above] is typical of the use of retry.  The
rescue clause never attempts to reach the original goal using a
substitute implementation; reaching this goal, as expressed by the
postcondition if there is one, is the privelege of the normal body...."
    
"This mechanism strictly adheres to the Disciplined Exception Handling
principle: either a routine succeeds, that is to say its body executes
to the end and satisfies the postcondition, or it fails.  When
interrupted by an exception, you may either report failure or try your
normal body again; in no way can you exit through the rescue clause and
pretend to your caller that you succeeded."
 
Most of the difference between the Eiffel and Ada approach is really
"what it feels like" in the exception handler.  Eiffel's exception
handler give you a chance to retry the main body which can than do what
ever it wants (within its contract), but in so doing returns you to
thinking about how to satisfy the routine call.  The Ada (and many other
languages) approach allows you to try to both recover from the exception
and satisfy the routine call in one place.  This may lead you to forget
to do one or both of these responsibilities.

Certainly Eiffel calls out the 'do nothing' behavior more strongly by
having it be in the main body:
    if attempts = 0 then
        -- do main stuff
    else
        -- do nothing
    end
This looks much stranger and more suspicious than the equivalent:
   begin
      ... some code
   exception
   when others =>
       null;

In the quotes above, the following remark implies more than it means:
"in no way can you exit through the rescue clause and pretend to your
caller that you succeeded".  Since the caller only sees the routine
return, it would not know whether you 'pretended to succeed' via the
rescue/exception clause or through the main body of the routine. 
Pretending to succeed is possible one way or the other.  In either case,
your exiting normally implies you fulfilled your contract
(post-condition) and if Ada had post-conditions then:
   when others => null;
should have to satisfy them or throw a new exception.  To be fair, the
sentence before BM defined 'succeed' more restrictively as the execution
of the body, but that definition is Eiffel specific and the word
'success' has a more general connotation.

--Mark
mark.fussell@chimu.com

  i   ChiMu Corporation      Architectures for Information
 h M   info@chimu.com         Object-Oriented Information Systems
C   u    www.chimu.com         Architecture, Frameworks, and Mentoring