From: jsa@alexandria (Jon S Anthony)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/19
References: <332B5495.167EB0E7@eiffel.com>
Organization: PSI Public Usenet Link
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

In article <332FD608.2CDB@calfp.co.uk> Nick Leaton writes:

> Jon S Anthony wrote:
> >
> > In article <332E8D5D.400F@calfp.co.uk> Nick Leaton writes:
> >
> > > > The code is going to say "I am not in my original application and may or
> > > > will fail?" Assertions are only going to catch problems if there is:
> > > >
> > >
> > > No, the code does what it is contracted to do. If you break the
> > > contract, it raises an exception.
> >
> > Well, that's what _happened_ in this case. Since the result was not
> > satisfactory, it is clear that assertions per se are _not_ sufficient.
> >
>
> Yes you need exception handling in the client. But what other
> alternative do you propose if you break the contract?

I'm not proposing anything.
I'm trying to point out that the conclusion of this paper,
assertions on signatures would _probably_ have prevented the error, is
pure unadulterated RUBBISH. First, such assertions _were_ there
(though only implicitly _after_ a conscious choice to _remove_ the
explicit stuff). Second, the exception was raised, but the fact that
there was no handler was _intentional_ and _correct_ for the semantic
context that the component was written for! Third, that semantic
context is vastly richer than could ever be captured in simple-minded
pre and post conditions. A fact that should be _obvious_, and which
in any case is directly supported by the _actual_ evidence.

/Jon
--
Jon Anthony
Organon Motives, Inc.
Belmont, MA 02178
617.484.3383
jsa@organon.com