From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Contracted exceptions for Ada
Date: Tue, 11 Dec 2007 18:26:06 -0600
Date: 2007-12-11T18:26:06-06:00 [thread overview]
Message-ID: <fjrvb7$3v8$2@jacob-sparre.dk> (raw)
In-Reply-To: 185k0c8e598ko.16o5j2iv35zpn$.dlg@40tude.net
"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message
news:185k0c8e598ko.16o5j2iv35zpn$.dlg@40tude.net...
> On Mon, 10 Dec 2007 19:53:27 -0600, Randy Brukardt wrote:
...
> > That's not going to be useful, since virtually any code that you can
write
> > *might* raise Constraint_Error,
>
> Why is it a problem?
Because every contract would have to include Constraint_Error, and that
would add a huge amount of verbiage to programs for no benefit. Or you have
to exclude it from the contract like Java does, which would be worse.
> > and a lot of code *could* raise
> > Program_Error, and everything *could* raise Storage_Error. There is no
way
> > to write a contract that doesn't contain those exceptions.
>
> Program_Error is not my concern. Storage_Error can be fixed as I described
> earlier.
Program_Error *is* your concern. There is no way that a compiler could prove
that it would not be raised from a lot of code; as such it would have to be
included in the contract even though it isn't interesting to anyone
(presuming again static contract checking and no "unchecked" exceptions).
And your solution for Storage_Error adds a large number of new rules to the
language, and is unlikely to make it possible to eliminate the exception.
For instance, other tasks can allocate memory for the heap, so the only
possible way to tell if you are out of heap memory is to catch the
exception -- anything else is a race. And Janus/Ada at least uses heap
memory to allocate virtually everything not statically sized: pretty much
anything other than an elementary object or "null;" can raise Storage_Error
in Janus/Ada. Besides, you say you don't want to add preconditions and the
like, and then you do exactly that to handle Storage_Error. Can't have it
both ways...
> And for all, what I meant under exception contracts was not about making a
> program exception-free. It was about specifying which exception can
> propagate and which cannot.
Right, but the predefined exceptions can always propagate. The only way to
prove that they don't is to do extensive static analysis, and that isn't
happening in the language.
> >>> Another one is what to do if a contract is violated. The obvious
answer of
> >>> raising Program_Error doesn't do anything other than lose information
about
> >>> an exception, so that isn't very satisfying.
> >>
> >> Yes, in my view exception contracts have to be static. (It makes no
sense
> >> to have run-time exception contracts. As well as any other contracts,
there
> >> is no any authority body to judge contract violations at run-time.)
> >
> > OK, but that isn't going to happen in Ada. What you are looking for is a
> > static analysis tool, like SPARK. That's especially true as you'll need
> > static preconditions to have any hope of eliminating the
Constraint_Errors
> > (subtypes aren't powerful enough).
>
> This is a separate issue. You seem to imply that the exception contracts
> shall specify *when* an exception is raised or not. That is a much harder
> problem and it indeed would require pre- and postconditions and cannot be
> done in general case. What I am talking about is a much weaker framework
> which only proves whether an exception cannot propagate. We do not need
> pre-/postconditions for that.
>
> A comparable case is exact real vs. interval arithmetic. We don't need
> exact exception propagation analysis, we do a conservative *estimation*
of.
Right, but a the only possible conservative estimate is that all code can
propagate Program_Error, Constraint_Error, and Storage_Error. Even
exception
when others => null;
can raise Storage_Error and Program_Error (from finalization). And if you
replace "null" with a subprogram call, you will probably introduce
Constraint_Error. Unless you do quite a bit of static analysis, you can't
prove *anything* useful about what exceptions can propagate.
Java solves this by excluding the predefined exceptions, but all that does
is makes the contracts useless -- you don't really know what might
propagate. I hardly ever have problems with user-defined exceptions like
Windows_Error or Not_Valid_Error (from Claw, as an example) propagating: the
"comment" contracts make it pretty clear what can happen, and expected
errors are quickly handled.
Without some sort of static analysis required, all access dereferences *can*
raise Constraint_Error, all integer assignments can raise Constraint_Error,
and so on. Since we want all Ada compilers to work the same (so code is
portable), you would have to define what exact rules you are allowed to use
for determining whether an exception is raised, and which ones you are not.
That is a significant effort, and is going to be hard for some compilers to
implement -- moreover, compilers that know more would have to be prohibited
from using it. None of that seems good.
Randy.
next prev parent reply other threads:[~2007-12-12 0:26 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-06 15:00 Exceptions shaunpatterson
2007-12-06 21:24 ` Exceptions tmoran
2007-12-07 8:54 ` Exceptions Dmitry A. Kazakov
2007-12-07 10:21 ` Exceptions Georg Bauhaus
2007-12-07 15:11 ` Exceptions shaunpatterson
2007-12-07 16:08 ` Exceptions Gautier
2007-12-07 18:56 ` Exceptions Simon Wright
2007-12-08 10:04 ` Exceptions Stephen Leake
2007-12-08 3:30 ` Exceptions Randy Brukardt
2007-12-08 10:09 ` Contracted exceptions for Ada (was: Exceptions) Dmitry A. Kazakov
2007-12-09 10:22 ` Contracted exceptions for Ada Stephen Leake
2007-12-09 11:02 ` Dmitry A. Kazakov
2007-12-11 8:10 ` Stephen Leake
2007-12-11 10:36 ` Dmitry A. Kazakov
2007-12-09 15:11 ` Contracted exceptions for Ada (was: Exceptions) Martin Krischik
2007-12-09 17:36 ` Contracted exceptions for Ada Dmitry A. Kazakov
2007-12-09 18:39 ` Simon Wright
2007-12-10 8:19 ` Dmitry A. Kazakov
2007-12-10 20:25 ` Simon Wright
2007-12-11 8:50 ` Dmitry A. Kazakov
2007-12-11 20:50 ` Simon Wright
2007-12-12 10:20 ` Dmitry A. Kazakov
2007-12-09 19:04 ` Martin Krischik
2007-12-10 8:20 ` Dmitry A. Kazakov
2007-12-09 22:09 ` Robert A Duff
2007-12-10 7:09 ` Stefan Lucks
2007-12-10 16:57 ` Robert A Duff
2007-12-11 1:53 ` Contracted exceptions for Ada (was: Exceptions) Randy Brukardt
2007-12-11 9:16 ` Contracted exceptions for Ada Dmitry A. Kazakov
2007-12-12 0:26 ` Randy Brukardt [this message]
2007-12-08 12:26 ` Exceptions Peter C. Chapin
2007-12-08 14:01 ` Exceptions Dmitry A. Kazakov
2007-12-08 18:01 ` Exceptions Peter C. Chapin
2007-12-09 10:06 ` Exceptions Dmitry A. Kazakov
2007-12-09 12:40 ` Exceptions Peter C. Chapin
2007-12-09 14:31 ` Exceptions Dmitry A. Kazakov
2007-12-09 16:38 ` Exceptions Peter C. Chapin
2007-12-10 8:31 ` Exceptions Dmitry A. Kazakov
2007-12-09 21:56 ` Exceptions Robert A Duff
2007-12-09 10:24 ` Exceptions Stephen Leake
2007-12-09 12:46 ` Exceptions Peter C. Chapin
2007-12-09 21:39 ` Exceptions Robert A Duff
2007-12-09 22:13 ` Exceptions Georg Bauhaus
2007-12-11 8:07 ` Exceptions Stephen Leake
2007-12-11 20:28 ` Exceptions Simon Wright
2007-12-12 22:10 ` Exceptions Maciej Sobczak
2007-12-13 13:40 ` Exceptions Robert A Duff
2007-12-13 14:00 ` Exceptions Maciej Sobczak
2007-12-13 14:44 ` Exceptions Robert A Duff
2007-12-14 0:46 ` Exceptions Ray Blaak
2007-12-14 2:36 ` Exceptions Randy Brukardt
2007-12-14 6:21 ` Exceptions Ray Blaak
2007-12-14 12:40 ` Exceptions Georg Bauhaus
2007-12-14 17:29 ` Exceptions Robert A Duff
2007-12-14 19:32 ` Exceptions Dmitry A. Kazakov
2007-12-15 5:29 ` Exceptions Ray Blaak
2007-12-13 19:29 ` Exceptions Randy Brukardt
2007-12-12 19:18 ` Exceptions Martin Krischik
2007-12-13 13:27 ` Exceptions Robert A Duff
2007-12-13 23:25 ` Exceptions Ray Blaak
2007-12-06 21:25 ` Exceptions Gautier
2007-12-07 4:29 ` Exceptions anon
2007-12-07 4:43 ` Exceptions, part 2 anon
2007-12-07 16:55 ` Exceptions Adam Beneschan
2007-12-07 18:59 ` Exceptions Simon Wright
2007-12-08 0:38 ` Exceptions Adam Beneschan
2007-12-09 21:45 ` Exceptions Robert A Duff
2007-12-09 22:40 ` Exceptions Georg Bauhaus
2007-12-10 8:22 ` Exceptions Dmitry A. Kazakov
2007-12-10 9:20 ` Exceptions Georg Bauhaus
2007-12-10 9:30 ` Exceptions Georg Bauhaus
2007-12-10 10:56 ` Exceptions Dmitry A. Kazakov
2007-12-11 2:18 ` Exceptions Randy Brukardt
2007-12-11 8:19 ` Exceptions Georg Bauhaus
2007-12-11 11:55 ` Exceptions Dmitry A. Kazakov
2007-12-11 16:13 ` Exceptions Georg Bauhaus
2007-12-12 11:18 ` Exceptions Dmitry A. Kazakov
2007-12-10 12:09 ` Exceptions Niklas Holsti
2007-12-10 13:08 ` Exceptions Dmitry A. Kazakov
2007-12-10 20:02 ` Exceptions Niklas Holsti
2007-12-11 12:31 ` Exceptions Dmitry A. Kazakov
2007-12-11 13:21 ` Exceptions Niklas Holsti
2007-12-12 0:01 ` Exceptions Randy Brukardt
2007-12-12 11:37 ` Exceptions Niklas Holsti
2007-12-12 13:14 ` Exceptions Dmitry A. Kazakov
2007-12-12 14:37 ` Exceptions Robert A Duff
2007-12-13 19:20 ` Exceptions Randy Brukardt
2007-12-13 20:15 ` Exceptions Robert A Duff
2007-12-12 11:00 ` Exceptions Dmitry A. Kazakov
2007-12-11 2:12 ` Exceptions Randy Brukardt
2007-12-11 15:17 ` Exceptions Robert A Duff
2007-12-12 0:10 ` Exceptions Randy Brukardt
2007-12-13 19:58 ` Exceptions Robert A Duff
2007-12-14 0:53 ` Exceptions Ray Blaak
2007-12-14 2:48 ` Exceptions Randy Brukardt
2007-12-14 6:33 ` Exceptions Ray Blaak
2007-12-08 10:03 ` Exceptions Stephen Leake
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox