From: ncohen@watson.ibm.com (Norman H. Cohen)
Subject: Re: Help with Exceptions!
Date: 1996/05/15
Date: 1996-05-15T00:00:00+00:00 [thread overview]
Message-ID: <4nd7cm$fnp@watnews1.watson.ibm.com> (raw)
In-Reply-To: DrEB77.Kwu@world.std.com
In article <DrEB77.Kwu@world.std.com>, bobduff@world.std.com
(Robert A Duff) writes:
|> In article <gauthier-1405960958270001@164.81.60.62>,
|> Michel Gauthier <gauthier@unilim.fr> wrote:
|> >...So, I
|> >teach the
|> >rule : for a label, a program end or an exception handler, always establish a
|> >complete list of all gotos or raises and attach the corresponding assertion.
|>
|> This makes good sense for labels/goto's, but I don't think it is
|> reasonable for exception handlers. The whole point of exception
|> handling is that the code detecting the error, and the code handling the
|> error are separated from each other, and need not know about each other.
A formal approach to a program with exception handlers is to establish a
postcondition for the block statement (or other frame) containing the
handlers. One then proves that
(1) the postcondition is satisfied if the handled sequence of statements
completes normally; and
(2) the postcondition is satisfied if the frame completes by invoking one
of the handlers.
A naive view is that proving (2) entails proving, for each statement in
the handled sequence of statements, that if that statement raises some
exception handled in the frame, then the execution of the handled
sequence of statements up to that point, followed by execution of the
handler for that exception, establishes the precondition. In fact,
because of RM 11.6, such an intricate approach is futile: Just because
some subexpression within a statement can raise an exception does not
mean that all the preceding statements have been executed when it does
so! One can prove very little about the state of the computation at the
moment an exception arises.
Because of RM 11.6, one should not write handlers that depend too heavily
on the state of the computation when the handler is entered. Taken to
its extreme, this principle means that a handler should be written so
that it is possible to prove that it establishes the required
postcondition >>>regardless of the state of the computation upon entry to
the handler<<<.
In fact, one need not be so extreme: One can rely on the values of
variables upon entry to the handled sequence of statements if those
variables are never altered within the handled sequence.
--
Norman H. Cohen ncohen@watson.ibm.com
next prev parent reply other threads:[~1996-05-15 0:00 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
1996-05-07 0:00 Help with Exceptions! Robert Gelb
1996-05-07 0:00 ` Vincent Smeets
1996-05-07 0:00 ` Steve Howard
1996-05-07 0:00 ` Robert Dewar
[not found] ` <4mqio5$a8b@news.sanders.lockheed.com>
1996-05-09 0:00 ` Robert L. Spooner, AD3K
1996-05-10 0:00 ` Jon S Anthony
1996-05-10 0:00 ` Robert A Duff
1996-05-07 0:00 ` John Herro
[not found] ` <318F94D9.35AB@io.com>
1996-05-10 0:00 ` George F.Rice
1996-05-13 0:00 ` Dave Jones
1996-05-13 0:00 ` Robert I. Eachus
1996-05-14 0:00 ` John Herro
1996-05-14 0:00 ` Robert I. Eachus
1996-05-14 0:00 ` Theodore E. Dennison
1996-05-14 0:00 ` Robert A Duff
1996-05-14 0:00 ` Michel Gauthier
1996-05-14 0:00 ` Robert A Duff
1996-05-15 0:00 ` Norman H. Cohen [this message]
1996-05-15 0:00 ` Robert A Duff
1996-05-15 0:00 ` Michel Gauthier
1996-05-16 0:00 ` Jon S Anthony
1996-05-16 0:00 ` Jon S Anthony
1996-05-16 0:00 ` Robert A Duff
-- strict thread matches above, loose matches on Subject: below --
1996-05-09 0:00 tmoran
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox