From: jsa@alexandria (Jon S Anthony)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/19
Message-ID: #1/1
References: <332B5495.167EB0E7@eiffel.com>
Organization: PSI Public Usenet Link
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <5gp3hd$i0l@mulga.cs.mu.OZ.AU> fjh@murlibobo.cs.mu.OZ.AU (Fergus Henderson) writes:

> rkaiser@dimensional.com (Richard Kaiser) writes:
>
> >Why is Eiffel saying assertions are a new tool? C (and now C++) have been
> >using #include for years? Software engineers have been using
> >assert macros to verify program limits are not exceeded.
>
> The major difference between C/C++/Ada assertions and Eiffel style
> design-by-contract is that in the latter, the assertions are part of
> the interface, not just embedded in the implementation.

Well, in this particular sort of case, your claim here is not correct
for Ada:

    subtype Bias_Constraint is Integer range Min_Bias..Max_Bias;

    function Convert ( High_Bias : Bias_Constraint ) return Integer;

The assertion is part of the interface, NOT the implementation.
Further, to answer a point of Jean's, it will be inherited in any
appropriate derivation case.
And certainly we could do the same for the post condition (the return
subtype).

Now, as John McCabe, Ken Garlington, myself and others have pointed
out, none of this was (or is in any sense likely to be) sufficient to
prevent the type of error exhibited by this example. The required
semantic context (scope of use, intended behavior, presumed
environment, etc.) is far too rich and complex to be dealt with by such
rudimentary simple-minded stuff as pre and post conditions on
signatures.

*THE* most alarming aspect of this entire discussion is that many,
including folks the caliber of Meyer and Jezequel, don't seem to
understand this. Now that is damn _scary_.

/Jon

-- 
Jon Anthony
Organon Motives, Inc.
Belmont, MA 02178
617.484.3383
jsa@organon.com
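The following is an added, stand-alone Ada 95 program illustrating the point made in the post above; it is editorial example code, not code from Jon Anthony or from the thread. It completes the two-line fragment in the post so it compiles: the bounds Min_Bias and Max_Bias, the result subtype Scaled_Bias and the arithmetic inside Convert are all constructed for the demonstration and are not taken from the Ariane-5 software. What it shows is that the range constraint on the parameter lives in the specification of Convert (the precondition the post calls "part of the interface") and is enforced at the call boundary: an in-range argument is accepted, an out-of-range one raises Constraint_Error before the body runs. The return subtype plays the post condition role the post mentions; had the body computed a value outside Scaled_Bias, the same exception would be raised at the return statement. Nothing in either check says whether the chosen range is valid for the environment the program is actually flown in, which is the post's larger point.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Contract_Demo is

   -- Constructed bounds; the real values are not given in the post.
   Min_Bias : constant := -100;
   Max_Bias : constant :=  100;

   -- The precondition: a caller must supply a value in this range.
   subtype Bias_Constraint is Integer range Min_Bias .. Max_Bias;

   -- The post condition: the result is promised to lie in this range.
   subtype Scaled_Bias is Integer range 0 .. 1_000;

   -- Specification: both contracts are visible here, not in the body.
   function Convert (High_Bias : Bias_Constraint) return Scaled_Bias;

   -- Body: a constructed linear scaling that maps
   -- Min_Bias .. Max_Bias onto 0 .. 1_000.
   function Convert (High_Bias : Bias_Constraint) return Scaled_Bias is
   begin
      return (High_Bias - Min_Bias) * 5;
   end Convert;

   -- Pass an unconstrained Integer in; the range check on the formal
   -- parameter happens at the call, raising Constraint_Error if it fails.
   procedure Try (Raw : Integer) is
   begin
      Put_Line ("Convert (" & Integer'Image (Raw) & " ) =" &
                Integer'Image (Convert (Raw)));
   exception
      when Constraint_Error =>
         Put_Line ("Convert (" & Integer'Image (Raw) &
                   " ) rejected at the interface: Constraint_Error");
   end Try;

begin
   Try (50);    -- inside the contract: accepted, prints 750
   Try (500);   -- outside the contract: rejected before the body runs
end Contract_Demo;
```

Compile with any Ada 95 or later compiler (for example `gnatmake contract_demo.adb`). The check on `Raw` is not an assert macro buried in the body of Convert; it is derived from the parameter's declared subtype, so every caller of Convert, including any subprogram that derives from or renames it, is held to the same contract without repeating the check.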