From: Alex Mentis
Newsgroups: comp.lang.ada
Subject: Re: Ensuring postconditions in the face of exceptions
Date: Sun, 14 Mar 2010 08:12:44 -0700 (PDT)
Message-ID: <5f3f45c6-0202-4a67-8517-182afaf7dceb@c16g2000yqd.googlegroups.com>
References: <820d96c0-5d67-4b8c-8c5b-811ca4f1127e@g26g2000yqn.googlegroups.com> <8990d686-f703-4e9c-91b7-32410289983d@g11g2000yqe.googlegroups.com> <87ljdv56gy.fsf@ludovic-brenta.org>

On Mar 14, 10:21 am, Ludovic Brenta wrote:
> Alex Mentis writes:
> > On Mar 12, 4:13 am, Ludovic Brenta wrote:
> >> Consider the procedure:
> >>
> >> type T is private; -- completion elided
> >>
> >> generic
> >>    with procedure Visit (Object : in out T);
> >> procedure Refresh (Object : in out T; Dirty : in out T) is
> >> begin
> >>    if Dirty then
> >>       Visit (Object);
> >>       Dirty := False;
> >>    end if;
> >> exception
> >>    when others =>
> >>       Dirty := True; -- warnings here
> >>       raise;
> >> end Refresh;
> >>
> >> GNAT says:
> >> warning: assignment to pass-by-copy formal may have no effect
> >> warning: "raise" statement may result in abnormal return (RM
> >> 6.4.1(17))
> >>
> >> The reason for the exception handler is to enforce a postcondition
> >> that Dirty must be True if Visit raises an exception. However the
> >> warnings suggest that the postcondition cannot be enforced this way.
> >> How should I rewrite my code?
> >>
> >> --
> >> Ludovic Brenta.
> >
> > I think trying to "force" the parameter passing mode to a certain mode
> > is making this more complicated than necessary.  One of the nice
> > things about Ada over other languages is that you generally shouldn't
> > have to worry about whether a parameter is copy-by-value or
> > copy-by-reference.
> >
> > In this case, you are trying to use the exception handler to assign a
> > value to the local parameter Dirty so that it can get passed back to
> > the calling subprogram.  This implies the calling subprogram has a
> > parameter in its scope that keeps track of dirtiness, too.  Instead of
> > trying to set Dirty to True in Refresh, why not just raise a
> > user-defined exception (such as Dirty_Error) and have an exception
> > handler in the calling subprogram that catches this exception and sets
> > the *calling subprogram's* variable tracking dirtiness to True?
>
> That's an interesting suggestion but we've patched the run-time library
> so that it dumps core on every exception; we use exceptions only for
> exceptional situations and dumping core freezes the system for 30
> seconds to produce a file roughly 300 MiB in size.  So I would rather
> not raise exceptions that do not detect a bug.
>
> --
> Ludovic Brenta.
Well, I'm not sure I'm suggesting you raise extra exceptions, just
handle them in the calling subprogram instead of the called subprogram.
You're already re-raising the exception with the called subprogram
exception handler:

> >> exception
> >>    when others =>
> >>       Dirty := True; -- warnings here
> >>       raise;

You don't have to create a user-defined exception.  Consider the
following code:

type T is private; -- completion elided

generic
   with procedure Visit (Object : in out T);
procedure Refresh (Object : in out T; Dirty : in out Boolean);

procedure Refresh (Object : in out T; Dirty : in out Boolean) is
begin
   if Dirty then
      Visit (Object);
      Dirty := False;
   end if;
-- This handler isn't necessary, but I put it here to help illustrate
-- the changes I'm recommending.
exception
   when others =>
      raise;
end Refresh;

*****

procedure Calls_Refresh is
   Obj                 : T;
   Calling_Scope_Dirty : Boolean := True;
begin
   -- potentially other code here
   Dirty_Handler_Block :
   begin
      Refresh (Obj, Calling_Scope_Dirty);  -- an instantiation of the generic Refresh
   exception
      when others =>
         Calling_Scope_Dirty := True;
         -- potentially other handler code here
   end Dirty_Handler_Block;
   -- potentially other code here
end Calls_Refresh;
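A complete, compilable program implementing the caller-side handler pattern from the post above, added here as an example and not code from Alex's post or Ludovic's project: the record type T, the Flaky_Visit stand-in for Visit, and the two-attempt retry loop are constructed for the demonstration. Refresh keeps no handler at all, so the exception reaches the caller's Dirty_Handler_Block, which sets the caller's own Calling_Scope_Dirty variable; the object is therefore never left looking fresh after a failed refresh.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Calls_Refresh_Demo is
   type T is record
      Value : Integer := 1;   --  constructed payload; odd values make Visit fail
   end record;

   Visit_Failed : exception;

   --  Constructed stand-in for the real Visit: raises on odd values.
   procedure Flaky_Visit (Object : in out T) is
   begin
      if Object.Value mod 2 /= 0 then
         raise Visit_Failed;
      end if;
      Object.Value := Object.Value * 2;
   end Flaky_Visit;

   generic
      with procedure Visit (Object : in out T);
   procedure Refresh (Object : in out T; Dirty : in out Boolean);
   --  No handler here: the by-copy Dirty formal is never assigned on the
   --  failure path, so nothing is lost when the exception propagates.
   procedure Refresh (Object : in out T; Dirty : in out Boolean) is
   begin
      if Dirty then
         Visit (Object);
         Dirty := False;
      end if;
   end Refresh;

   procedure Do_Refresh is new Refresh (Visit => Flaky_Visit);
   Obj                 : T;
   Calling_Scope_Dirty : Boolean := True;
begin
   for Attempt in 1 .. 2 loop
      Dirty_Handler_Block :
      begin
         Do_Refresh (Obj, Calling_Scope_Dirty);
      exception
         when Visit_Failed =>
            Calling_Scope_Dirty := True;  --  caller's own variable holds the postcondition
            Obj.Value := Obj.Value + 1;   --  constructed: repair input so the retry succeeds
      end Dirty_Handler_Block;
      Put_Line ("Attempt" & Integer'Image (Attempt)
                & ": Dirty = " & Boolean'Image (Calling_Scope_Dirty)
                & ", Value =" & Integer'Image (Obj.Value));
   end loop;
end Calls_Refresh_Demo;
```

The first attempt fails inside Visit and leaves Calling_Scope_Dirty true; the second attempt succeeds, Refresh's normal copy-back clears the flag, and Obj.Value shows the completed visit.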