From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Contract checking in Ada
Date: Fri, 1 Apr 2005 17:17:28 -0600
Date: 2005-04-01T17:17:28-06:00 [thread overview]
Message-ID: <JN2dnYrImuZmSNDfRVn-ow@megapath.net> (raw)
In-Reply-To: Oe73e.6358$qc.2422@reader1.news.jippii.net
"Tapio Kelloniemi" <spam17@thack.org> wrote in message
news:Oe73e.6358$qc.2422@reader1.news.jippii.net...
...
> Programming by contract features are IMHO disabled (speaking in free
> software terminology) when a stable version is released, or in other
> words, when a final product goes out.
That's a horrible idea. That's like wearing a life-preserver when training
on land, and then discarding it when you go to sea!
The problem is that assertions of all stripes (like runtime checks) detect
unanticipated conditions before much damage is done. And no one antipicates
(and thus tests) every possible issue.
Yes, sometimes you have to suppress checks (and conditions), but you want to
do that only in the most performance critical parts of your application. A
feature that makes your whole application like that is a feature that will
be rarely used.
> Xconditions are certainly a huge
> performance hit, but not as much as inserting a break point at the
> beginning and end of every subprogram in a debugger and then manually
> examining parameter and result values, if program behaves oddly. All other
> run-time checks are also expensive and that is why Ada provides a way to
> disable them. Xconditions could actually speed up code that is considered
> to be stable. This is because subprograms' parameters' validity checking
> can be written as a precondition and does not need to be executed, when
> the caller knows that a bad value cannot be passed in any situation.
> For example subprograms of Ada.Strings's child packages have many checks
for
> their parameters' validity and as some of the subprograms are implemented
> (in GNAT) in terms of others, the checks are doubled.
That's also a bad idea. Indeed, we had something like that in pragma Assert
and eventually dropped it because of the objections. Again, the issue is
that you need to be checking for the unanticipated. You shouldn't be
assuming that the asserts will pass without checking.
OTOH, the compiler may be able to optimize out checks and preconditions on
calls given the preconditions on the arguments. That's fine (its the reason
for the null exclusion, for instance); but doing so by assumption, rather
than by checking, is bad news.
Randy.
next prev parent reply other threads:[~2005-04-01 23:17 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-30 10:46 Contract checking in Ada Tapio Kelloniemi
2005-03-30 11:18 ` Vinzent 'Gadget' Hoefler
2005-03-30 11:45 ` Georg Bauhaus
2005-03-30 12:49 ` Martin Dowie
2005-03-30 13:05 ` Tapio Kelloniemi
2005-03-30 13:42 ` Georg Bauhaus
2005-03-31 1:57 ` Randy Brukardt
2005-03-31 3:04 ` Ed Falis
2005-03-31 6:12 ` Martin Dowie
2005-03-31 7:22 ` Martin Dowie
2005-03-31 13:35 ` Tapio Kelloniemi
2005-03-31 17:38 ` Martin Dowie
2005-03-31 17:42 ` Martin Dowie
2005-04-01 2:30 ` Randy Brukardt
2005-04-01 8:02 ` Tapio Kelloniemi
2005-04-01 8:55 ` Dmitry A. Kazakov
2005-04-01 23:17 ` Randy Brukardt [this message]
2005-04-03 20:19 ` Hyman Rosen
2005-04-04 5:31 ` Randy Brukardt
2005-04-01 7:34 ` Peter Amey
2005-04-09 16:56 ` adaworks
2005-04-12 6:51 ` Duncan Sands
2005-04-12 19:29 ` Martin Dowie
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox