From: Jeffrey Carter <spam@spam.com>
Subject: Re: Ada and Design By Contract
Date: Wed, 26 Mar 2003 19:32:21 GMT
Message-ID: <3E8200AD.9040504@spam.com>
In-Reply-To: 3E817504.5040806@praxis-cs.co.uk
Peter Amey wrote:
>
> Volkert wrote:
>
>>> with Q;
>>> package R is
>>> procedure AnotherOperation;
>>> -- this calls Q.SomeOperation;
>>> -- Its execution will involve the check not P.IsFull but P is not
>>> -- visible here.
>>> end R;
>>
>> The check is made in the body of Q.SomeOperations. Why should
>> P.IsFull be visible here?
>
> Because it is too late to wait until Q.SomeOperation is executed in
> breach of contract. The real cause of the contract failure is
> AnotherOperation's attempt to call Q.SomeOtherOperation in a way that
> will cause the stack to overflow. If we want to try and deal with the
> problem we need to know where the dangerous condition started. In our
> view this is better done by proof than by dynamic checks.
It seems to me that R.Anotheroperation is responsible for checking the
precondition to Q.Someotheroperation, not the client of R.
--
Jeff Carter
"This school was here before you came,
and it'll be here before you go."
Horse Feathers
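The P / Q / R layering the thread argues about, written out in Ada 2012 contract syntax as an added example (not code from this thread or from any of its participants). Package names follow the discussion; the Capacity constant, the Push operation and all package bodies are assumptions made for illustration. The file holds several compilation units, so split it with gnatchop before compiling, and build with assertions enabled (-gnata) to see the precondition checks fire.

```ada
-- Added example: restating a lower layer's precondition at each level.
-- Capacity, Push and the bodies are assumed; they are not from the thread.
package P is
   Capacity : constant := 4;
   function Is_Full return Boolean;
   procedure Push (X : Integer) with Pre => not Is_Full;
end P;

package body P is
   Items : array (1 .. Capacity) of Integer;
   Count : Natural := 0;
   function Is_Full return Boolean is (Count = Capacity);
   procedure Push (X : Integer) is
   begin
      Count := Count + 1;
      Items (Count) := X;
   end Push;
end P;

with P;
package Q is
   -- Q's contract restates the condition its body needs from P.
   procedure Some_Operation with Pre => not P.Is_Full;
end Q;

package body Q is
   procedure Some_Operation is
   begin
      P.Push (0);   -- safe only because the precondition guarantees not Is_Full
   end Some_Operation;
end Q;

with Q;
package R is
   -- No precondition here: R, not R's client, takes responsibility for
   -- Q's contract. Writing "with Pre => not P.Is_Full" on this line
   -- instead would push the obligation up to every caller of R and would
   -- force R's spec to "with P", the visibility problem Volkert raised.
   procedure Another_Operation;
end R;

with P;   -- R's body (not its spec) needs P to check the condition first
package body R is
   procedure Another_Operation is
   begin
      if P.Is_Full then
         raise Program_Error with "R: P is full, cannot call Q.Some_Operation";
      end if;
      Q.Some_Operation;
   end Another_Operation;
end R;
```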