From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Mon, 5 Dec 2016 09:41:41 +0100
Organization: Bauhaus-Universitaet Weimar
References: <92ed75e9-baae-455c-9e34-53348dc6eaef@googlegroups.com> <03847fd7-5699-48de-bb3c-ef5512398f26@googlegroups.com> <3ef819e8-55f7-4ef7-9f37-77e6abc33f98@googlegroups.com> <47366b42-c0a3-41bf-a44a-5241c109d60f@googlegroups.com>
In-Reply-To: <47366b42-c0a3-41bf-a44a-5241c109d60f@googlegroups.com>

On Sun, 4 Dec 2016, Robert Eachus wrote:

> If there are Booleans which do need to be checked at run time, for
> example when validating inputs, those checks often should have a tightly
> wrapped exception handler, and certainly should not use pragma Assert.

Agreed!

> I would consider it a major bug to have a pragma Assert that could fail
> at run-time absent a hardware failure or some such. (Even though it
> would be turned off in production code.)

I don't quite think so. A failed Assert (or a failed pre- or
postcondition, which are essentially a nice way to put Asserts in
specifications) *may* be checked even in the production system. What is
important is to always shut down upon Assert-failure -- preferably
after writing diagnostic information to wherever diagnostics go.

On one hand, there are systems that must not shut down (maybe an autopilot
at flight time). If that is the case, Assert-checking in production
executables is plain wrong.

On the other hand, there are systems where a malfunction is worse than no
function (e.g., a secure router -- better no communication than allowing
attackers to pass through the security perimeter). In such cases, it may be
wise to perform Assert-checking even in production executables.

In either case, it is always wrong to handle Assertion_Error and then
try to continue. Which may easily happen with sloppily written software
using "when others" exception handlers, unfortunately.

-------- I love the taste of Cryptanalysis in the morning! --------
www.uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
----Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany----
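The two handler styles contrasted in the reply above, as an added Ada example that is not part of the original post or thread. The program, its procedure names (Parse_Port, Forward, Sloppy_Service_Loop, Careful_Service_Loop) and the constructed inputs are assumptions made for illustration; the standard units Ada.Assertions and Ada.Exceptions and the pragma Assertion_Policy are real. It shows input validation done with an explicit exception rather than pragma Assert, a "when others" handler that swallows Assertion_Error and keeps running in a state the assertion has proven inconsistent, and the careful alternative that handles only the anticipated input error, logs the assertion failure, and lets it propagate so the program shuts down. The same reasoning applies to failed Pre and Post aspects, which also raise Assertion_Error.

```ada
-- Added illustration, not code from the original post.
-- Assertion_Policy (Check) makes pragma Assert active regardless of
-- compiler switches, so the example behaves the same in any build.
pragma Assertion_Policy (Check);

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions; use Ada.Assertions;
with Ada.Exceptions; use Ada.Exceptions;

procedure Assert_Handling is

   Invalid_Input : exception;

   -- Externally supplied data is validated with an explicit exception,
   -- as the quoted text recommends, never with pragma Assert.
   function Parse_Port (S : String) return Natural is
      V : Integer;
   begin
      V := Integer'Value (S);
      if V not in 1 .. 65_535 then
         raise Invalid_Input with "port out of range: " & S;
      end if;
      return V;
   exception
      when Constraint_Error =>
         raise Invalid_Input with "not a number: " & S;
   end Parse_Port;

   -- Internal invariant: callers must never pass an empty buffer.
   -- A violation is a program bug, so it is an assertion, not input checking.
   procedure Forward (Data : String) is
   begin
      pragma Assert (Data'Length > 0, "Forward called with empty buffer");
      Put_Line ("forwarding" & Natural'Image (Data'Length) & " bytes");
   end Forward;

   -- Sloppy: "when others" also catches Assertion_Error, so the program
   -- continues after its own invariant has been shown to be false.
   procedure Sloppy_Service_Loop is
   begin
      Forward ("");   -- constructed call that violates the invariant
   exception
      when others =>
         Put_Line ("something went wrong, continuing anyway");
   end Sloppy_Service_Loop;

   -- Careful: handle only the anticipated input error. An assertion
   -- failure is logged with full diagnostics and then re-raised, so it
   -- still terminates the program instead of being silently absorbed.
   procedure Careful_Service_Loop (Raw_Port : String) is
      Port : Natural;
   begin
      Port := Parse_Port (Raw_Port);
      Put_Line ("accepted port" & Natural'Image (Port));
      Forward ("hello");
   exception
      when E : Invalid_Input =>
         Put_Line ("rejected input: " & Exception_Message (E));
      when E : Assertion_Error =>
         Put_Line ("ASSERTION FAILED: " & Exception_Information (E));
         raise;   -- never continue after a violated invariant
   end Careful_Service_Loop;

begin
   Sloppy_Service_Loop;            -- prints the vague message and carries on
   Careful_Service_Loop ("80x");   -- constructed bad input: rejected, program continues
   Careful_Service_Loop ("8080");  -- constructed good input: accepted and forwarded
   Forward ("");                   -- assertion failure propagates out of main
end Assert_Handling;
```

Compiled with GNAT (gnatmake assert_handling.adb), the run prints the sloppy handler's message, rejects "80x", forwards the "hello" buffer for port 8080, and then terminates with an unhandled Assertion_Error from the final call, which is the behaviour the reply argues for in systems where malfunction is worse than no function.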