On Sun, 4 Dec 2016, Robert Eachus wrote:

> If there are Booleans which do need to be checked at run time, for
> example when validating inputs, those checks often should have a tightly
> wrapped exception handler, and certainly should not use pragma Assert.

Agreed!

> I would consider it a major bug to have a pragma Assert that could fail
> at run-time absent a hardware failure or some such. (Even though it
> would be turned off in production code.)

I don't quite think so. A failed Assert (or a failed pre- or postcondition, which are essentially a nice way to put Asserts in specifications) *may* be checked even in the production system. What is important is to always shut down upon Assert-failure -- preferably after writing diagnostic information to wherever diagnostics go.

On one hand, there are systems that must not shut down (maybe an autopilot at flight time). If that is the case, Assert-checking in production executables is plain wrong.

On the other hand, there are systems where a malfunction is worse than no function (e.g., a secure router -- better no communication than allowing attackers to pass through the security perimeter). In such cases, it may be wise to perform Assert-checking even in production executables.

In either case, it is always wrong to handle Assertion_Error and then try to continue. Which may easily happen with sloppily written software using "when others" exception handlers, unfortunately.

--------  I  love the taste of Cryptanalysis in the morning!  --------
www.uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
----Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany----
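The distinction drawn in the thread above, as an added example that is not part of the original posts: an Ada 2012 program (the names Parse_Port, Open_Port, Bad_Input, Sloppy and Careful are hypothetical, chosen for illustration) that keeps assertion checking switched on for a fail-closed component with pragma Assertion_Policy (Check), gives the input-validation check its own exception and a tightly wrapped handler, and contrasts a "when others" handler that silently swallows Assertion_Error with one that lets it propagate so the program records diagnostics and shuts down.

```ada
with Ada.Text_IO;     use Ada.Text_IO;
with Ada.Exceptions;  use Ada.Exceptions;
with Ada.Assertions;  use Ada.Assertions;

procedure Assert_Policy_Demo is

   --  Fail-closed component: keep assertion checking on even in a
   --  production build, regardless of compiler defaults.
   pragma Assertion_Policy (Check);

   --  Input validation is an expected run-time event, so it gets its
   --  own exception (hypothetical name) and a tightly scoped handler,
   --  not a pragma Assert.
   Bad_Input : exception;

   subtype Port_Number is Natural range 0 .. 65535;

   function Parse_Port (S : String) return Port_Number is
      V : Integer;
   begin
      V := Integer'Value (S);
      if V not in Port_Number then
         raise Bad_Input with "port out of range: " & S;
      end if;
      return V;
   exception
      when Constraint_Error =>
         raise Bad_Input with "not a number: " & S;
   end Parse_Port;

   --  Internal invariant expressed as a precondition: callers must
   --  already have enforced it. A failure here is a programming error.
   procedure Open_Port (P : Port_Number; Privileged : Boolean)
     with Pre => (Privileged or else P >= 1024)
   is
   begin
      pragma Assert (P in Port_Number, "port outside subtype");
      Put_Line ("opening port" & Port_Number'Image (P));
   end Open_Port;

   --  Sloppy: "when others" catches Assertion_Error too and continues,
   --  so a violated invariant is silently ignored.
   procedure Sloppy (S : String) is
   begin
      Open_Port (Parse_Port (S), Privileged => False);
   exception
      when others =>
         Put_Line ("ignored a problem with " & S);
   end Sloppy;

   --  Careful: handle only the validation exception; a failed assertion
   --  is re-raised so the program does not continue past it.
   procedure Careful (S : String) is
   begin
      Open_Port (Parse_Port (S), Privileged => False);
   exception
      when E : Bad_Input =>
         Put_Line ("rejected input: " & Exception_Message (E));
      when Assertion_Error =>
         raise;
   end Careful;

begin
   Sloppy ("80");    --  precondition fails, swallowed: the bug
   Careful ("abc");  --  validation failure, handled and logged
   Careful ("80");   --  precondition fails: propagates to the handler below
   Put_Line ("not reached");
exception
   when E : Assertion_Error =>
      --  Last-resort handler: write diagnostics, then shut down by
      --  re-raising so the process terminates with a failure status.
      Put_Line ("ASSERTION FAILED: " & Exception_Message (E));
      raise;
end Assert_Policy_Demo;
```

Build with GNAT (Ada 2012 or later, e.g. `gnatmake assert_policy_demo.adb`). The first call prints that the problem was ignored and carries on, the second is rejected as bad input, and the third terminates the program through the outermost handler; the "not reached" line never prints.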