From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Exception contracts for Ada? Was: Re: Press Release - Ada 2012 Language Standard Approved by ISO
Date: Wed, 26 Dec 2012 20:16:27 -0600
Date: 2012-12-26T20:16:27-06:00 [thread overview]
Message-ID: <kbgb1u$eoc$1@munin.nbi.dk> (raw)
In-Reply-To: 46idnVdMEr8J5EXN4p2dnAA@giganews.com
"Peter C. Chapin" <pcc482719@gmail.com> wrote in message
news:46idnVdMEr8J5EXN4p2dnAA@giganews.com...
...
> Exception contracts are a huge, HUGE topic and one that shouldn't be
> treated too lightly.
We've had this discussion within the ARG. It's pretty clear to me what the
answers are (but others may not agree). See AI12-0017-1 for my take on this.
(The ARG has not yet discussed this AI.)
The problem in other languages is requiring them everywhere -- I'm pretty
certain that will never work. They're critical for properly defining
reusable code, but I'm dubious that they have much value in "top-level" code
(the stuff that is created to use those reusable libraries). Good reusuable
libraries are very hard work, and the more help the compiler can give the
better...
...
Consider:
> + Should exception contracts be enforced statically or dynamically?
Statically. Dynamic enforcement is a total can of worms with no real value.
The real question is whether the enforcement can depend on
implementation-properties (that is, if the implementation can optimize away
a check, can that be used in enforcing the contract), or whether it has to
remain portable.
> + Should exception contracts be enforced at all or only produce warnings
> or logs?
That's worthless from an language perspective; pretty much the only value
beyond the comments that we already use is static checking. Personally, I'm
not interested in adding features to Ada that can't be used by an Ada
compiler (but only be separate tools).
> + What about backward compatibility with the existing code base? We don't
> want to force people to decorate all code with exception contracts before
> it will compile again with Ada 2020 (or whatever). Do we?
Clearly, the default has to be "raises anything", we can't make everything
incompatible. As best as we can tell, the root problem in C++ and Java is
that the default is more restrictive. (Stupid coding policies probably don't
help, either.)
> + Should exception contracts distinguish between "impossible" exceptions
> that shouldn't occur in a correct program (like Constraint_Error) and
> "normal" exceptions that pertain to environmental problems such as invalid
> input data?
IMHO, no. The biggest value to these contracts is proving that
language-defined exceptions don't occur (the compiler knows far more about
this than any tool can figure out, as only it knows whether or not a check
is generated for a particular operation in the code). The only exception
that defies most such proofs is Storage_Error (and it can be eliminated in
specialized circumstances). So I think everything should be specified. In
order to cut down the size of such contracts, I've proposed allowing
creating "sets of exceptions", so that only the single name of the set need
be mentioned.
> + How should exception contracts interact with generic code?
I don't see any real problem here; a formal subprogram has to have an
optional contract, and if it does, it has to "match".
> + Should exception contracts be a part of a subprogram's type? Consider
> access to subprogram values and their usage.
Access-to-subprograms are probably going to always be "raises anything".
This is very similar to the way preconditions work; one might expect that
access-to-subprograms should allow preconditions and require some sort of
matching, but that's just too complicated so it's purely dynamic.
This will mean that access-to-subprograms won't be able to be called from
inside of exception contracted subprograms. But the only effect of that will
be to encourage avoiding access-to-subprogram completely (a very positive
result, IMHO, you can't prove anything about a call to an
access-to-subprogram in Ada 2012 and I doubt that will change).
> + How should exception contracts interact with other static analysis
> techniques? For example if a subprogram has a contract that says it might
> raise exception E, but if static analysis can prove that a particular
> usage will not actually raise E, does the programmer have to declare a
> contract on the calling subprogram about E? One objection I've heard about
> exception specifications in Java is that they require programmers to
> either specify (or handle) exceptions that "clearly" can never actually
> arise at that particular program point.
See my answer to the first question. I strongly lean toward the
implementation-defined static check (I'd be against adding the contracts at
all if that isn't the case), but I'm pretty certain that is going to be a
tough sell (it will harm portability, as a compiler that isn't as "smart"
may not be able to tell that the exception isn't raised).
The alternative of mandating what Ada compilers are required to be able to
deduce is unlikely to work; it would be fiendishly complex and would add a
great burden to at least some implementations. (Which would cause a lot of
resistance, I think.)
> Now that Ada has preconditions the last point is particularly acute. The
> precondition on a procedure P might guarantee that a called subprogram
> won't raise an exception that it might nevertheless declare in its
> exception contract.
That would be wrong; the exception contract should not cover things included
in the precondition. And if the precondition is necessary to prevent an
exception from being raised by the body, then the subprogram specification
should be declared so that the precondition cannot be ignored. (That
shouldn't prevent the compiler from eliminating it if it is redundant, just
that it should never be unchecked.)
> It would be really unpleasant if the programmer had to also add an
> exception contract to P stating that it might raise an exception that the
> programmer knows the precondition will prevent!
As above, that's not how I envision these things working. (But please keep
in mind, most of this is my feverish musing and it hasn't been vetted by
others yet.)
> This is just a sample of some of the issues involved in the subject. There
> are those who have answers for all of these issues.
That would be me, editor of the ARG and the Ada Standard. ;-)
> That's great. But again I sincerely hope that if exception contracts are
> ever seriously considered for Ada that the matter be given the deep
> consideration it deserves.
I hope you don't think that I just wrote this up based on absolutely
nothing -- I've been thinking about how this would work since we started
working on Claw...and I've taken input from many members of the ARG. (As
well as discussions on these topics that the ARG had for Ada 2005, and a
lengthy e-mail thread that we had specifically on the topic of what Java did
wrong here). We have not yet had a formal discussion on this particular
proposal, and I'm certain that it isn't 100% correct at this point (I must
have forgotten something!). But it's rather insulting to have someone claim
that it hasn't been given proper consideration before making a proposal (or
to imply that the ARG would simply adopt something without thinking about
it).
Randy.
next prev parent reply other threads:[~2012-12-27 2:16 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-18 7:45 Press Release - Ada 2012 Language Standard Approved by ISO Dirk Craeynest
2012-12-18 16:57 ` Robert A Duff
2012-12-18 21:12 ` Bill Findlay
2012-12-18 21:36 ` Jeffrey Carter
2012-12-18 21:57 ` Bill Findlay
2012-12-19 8:33 ` Dmitry A. Kazakov
2012-12-19 9:00 ` Georg Bauhaus
2012-12-19 9:19 ` Dmitry A. Kazakov
2012-12-19 9:21 ` Georg Bauhaus
2012-12-19 9:38 ` Dmitry A. Kazakov
2012-12-19 12:23 ` Georg Bauhaus
2012-12-19 14:34 ` Bill Findlay
2012-12-20 1:52 ` Randy Brukardt
2012-12-21 9:01 ` Dmitry A. Kazakov
2012-12-21 10:13 ` Georg Bauhaus
2012-12-21 10:34 ` Georg Bauhaus
2012-12-21 13:38 ` Dmitry A. Kazakov
2012-12-22 1:40 ` Randy Brukardt
2012-12-22 9:02 ` Dmitry A. Kazakov
2012-12-22 22:38 ` Georg Bauhaus
2012-12-23 8:08 ` Dmitry A. Kazakov
2012-12-23 23:38 ` Shark8
2012-12-24 2:44 ` sbelmont700
2012-12-24 5:29 ` Shark8
2012-12-25 21:51 ` Florian Weimer
2012-12-27 1:00 ` sbelmont700
2012-12-27 1:47 ` Randy Brukardt
2012-12-27 14:29 ` sbelmont700
2012-12-27 15:30 ` Dmitry A. Kazakov
2012-12-27 18:48 ` Jeffrey Carter
2012-12-27 21:54 ` Randy Brukardt
2012-12-27 22:09 ` J-P. Rosen
2013-01-11 11:41 ` Yannick Duchêne (Hibou57)
2013-01-11 11:35 ` Yannick Duchêne (Hibou57)
2013-01-11 16:13 ` Jacob Sparre Andersen
2013-01-12 2:06 ` Randy Brukardt
2013-01-11 11:33 ` Yannick Duchêne (Hibou57)
2013-01-11 14:15 ` Dmitry A. Kazakov
2013-01-11 16:19 ` File_Exists (Was: Press Release - Ada 2012 Language Standard Approved by ISO) Jacob Sparre Andersen
2013-01-11 19:36 ` Yannick Duchêne (Hibou57)
2013-01-14 5:09 ` File_Exists Jacob Sparre Andersen
2013-01-12 7:55 ` File_Exists (Was: Press Release - Ada 2012 Language Standard Approved by ISO) Georg Bauhaus
2012-12-27 20:12 ` compilers, was Re: Press Release - Ada 2012 Language Standard Approved by ISO tmoran
2012-12-27 20:54 ` Shark8
2012-12-27 22:00 ` Randy Brukardt
2012-12-27 10:05 ` Dmitry A. Kazakov
2013-01-11 11:28 ` Yannick Duchêne (Hibou57)
2013-01-11 14:21 ` Dmitry A. Kazakov
2013-01-11 14:23 ` Yannick Duchêne (Hibou57)
2012-12-24 6:44 ` Yannick Duchêne (Hibou57)
2012-12-24 9:02 ` Dmitry A. Kazakov
2012-12-24 11:13 ` Yannick Duchêne (Hibou57)
2012-12-24 15:49 ` Exception contracts for Ada? Was: " Peter C. Chapin
2012-12-24 16:34 ` Dmitry A. Kazakov
2012-12-24 19:45 ` Exception contracts for Ada? Peter C. Chapin
2012-12-25 11:09 ` Dmitry A. Kazakov
2012-12-27 2:38 ` Randy Brukardt
2012-12-27 2:16 ` Randy Brukardt [this message]
2012-12-27 15:03 ` Exception contracts for Ada? Was: Re: Press Release - Ada 2012 Language Standard Approved by ISO Peter C. Chapin
2012-12-27 1:17 ` Randy Brukardt
2013-01-11 17:10 ` Marius Amado-Alves
2012-12-20 21:55 ` Anh Vo
2012-12-21 1:04 ` Bill Findlay
2012-12-18 23:24 ` Randy Brukardt
2012-12-19 8:35 ` Georg Bauhaus
2012-12-19 9:03 ` Dmitry A. Kazakov
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox