From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeffrey Carter
Organization: jrcarter commercial-at acm [period | full stop] org
Newsgroups: comp.lang.ada
Subject: Re: Ada and Design By Contract
Date: Wed, 26 Mar 2003 19:32:21 GMT
Message-ID: <3E8200AD.9040504@spam.com>
References: <3E7EE470.5030807@praxis-cs.co.uk> <3E801279.80905@praxis-cs.co.uk> <3E817504.5040806@praxis-cs.co.uk>

Peter Amey wrote:
>
> Volkert wrote:
>
>>> with Q;
>>> package R is
>>>    procedure AnotherOperation;
>>>    -- this calls Q.SomeOperation;
>>>    -- Its execution will involve the check not P.IsFull but P is not
>>>    -- visible here.
>>> end R;
>>
>> The check is made in the body of Q.SomeOperation. Why should
>> P.IsFull be visible here?
>
> Because it is too late to wait until Q.SomeOperation is executed in
> breach of contract. The real cause of the contract failure is
> AnotherOperation's attempt to call Q.SomeOtherOperation in a way that
> will cause the stack to overflow. If we want to try and deal with the
> problem we need to know where the dangerous condition started. In our
> view this is better done by proof than by dynamic checks.

It seems to me that R.AnotherOperation is responsible for checking the
precondition to Q.SomeOtherOperation, not the client of R.

--
Jeff Carter
"This school was here before you came, and it'll be here before you go."
Horse Feathers
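The placement question in the exchange above (who establishes "not P.IsFull" before Q.SomeOperation runs) is easier to see with concrete code. The following is an added example written for this page; it is not code from the thread, from Praxis, or from any Ada library. It assumes Ada 2012 Pre aspects (which postdate the 2003 discussion), invents a two-element bounded stack for P, and gives R an exported query (Can_Accept) so that R's client can respect R's contract without P being visible to it. Package and subprogram names follow the thread; everything else is illustrative.

```ada
--  Added example, not from the original thread.  Package names P, Q, R and
--  the subprogram names follow the discussion; the bounded stack, the
--  Can_Accept query and the Pre aspects are assumptions for illustration.
--  Configuration pragma so the Pre checks are evaluated at run time
--  (equivalent to compiling with gnatmake -gnata).
pragma Assertion_Policy (Check);

with Ada.Text_IO; use Ada.Text_IO;

procedure Contract_Demo is

   --  P: a bounded stack.  Q.Some_Operation's precondition refers to it.
   package P is
      Capacity : constant := 2;
      function Is_Full return Boolean;
      procedure Push (X : Integer)
        with Pre => not Is_Full;   --  pushing when full would overflow
   private
      Items : array (1 .. Capacity) of Integer;
      Top   : Natural := 0;
   end P;

   package body P is
      function Is_Full return Boolean is (Top = Capacity);
      procedure Push (X : Integer) is
      begin
         Top := Top + 1;
         Items (Top) := X;
      end Push;
   end P;

   --  Q: the middle layer.  It restates P's precondition as its own, so a
   --  caller that respects Q's contract cannot drive P into overflow.
   package Q is
      procedure Some_Operation (X : Integer)
        with Pre => not P.Is_Full;
   end Q;

   package body Q is
      procedure Some_Operation (X : Integer) is
      begin
         P.Push (X);   --  P's precondition holds because Q's does
      end Some_Operation;
   end Q;

   --  R: the layer under discussion.  R.Another_Operation is the caller of
   --  Q.Some_Operation, so R, not R's client, establishes "not P.Is_Full".
   --  R's client never needs P visible: R either guards the call itself
   --  (Try_Another_Operation) or exports its own query (Can_Accept) and
   --  states its precondition in those terms (Another_Operation).
   package R is
      function Can_Accept return Boolean;
      procedure Another_Operation (X : Integer)
        with Pre => Can_Accept;
      --  Variant that never breaches Q's contract: reports the full
      --  condition through Stored instead of failing a check.
      procedure Try_Another_Operation (X : Integer; Stored : out Boolean);
   end R;

   package body R is
      function Can_Accept return Boolean is (not P.Is_Full);

      procedure Another_Operation (X : Integer) is
      begin
         Q.Some_Operation (X);   --  guarded by R's own precondition
      end Another_Operation;

      procedure Try_Another_Operation (X : Integer; Stored : out Boolean) is
      begin
         Stored := not P.Is_Full;   --  the check lives here, in R
         if Stored then
            Q.Some_Operation (X);
         end if;
      end Try_Another_Operation;
   end R;

   Stored : Boolean;
begin
   for I in 1 .. 3 loop
      R.Try_Another_Operation (I, Stored);
      Put_Line ("push" & Integer'Image (I) & " stored: "
                & Boolean'Image (Stored));   --  third push reports FALSE
   end loop;

   --  Calling R.Another_Operation now would fail R's Pre (Can_Accept is
   --  False) before Q or P are ever entered, which is where the breach
   --  actually originates.  The client consults R's contract, not P's.
   if R.Can_Accept then
      R.Another_Operation (4);
   else
      Put_Line ("R.Can_Accept is False; not calling R.Another_Operation");
   end if;
end Contract_Demo;
```

Build with GNAT as a single unit (gnatmake contract_demo.adb); the pragma at the top turns the Pre aspects into run-time checks. The two R variants show the two ways R can take responsibility: propagate the condition upward in R's own vocabulary (Can_Accept) so the client can check it without seeing P, or absorb it and report through a result. Either way the check sits in R, the first place where the dangerous call is decided, which is the point the quoted exchange is arguing about.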