comp.lang.ada
From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: contracted exceptions
Date: Sun, 10 Jun 2007 11:21:25 +0200
Message-ID: <kyiyvo7rv97m$.vy3bfrwvqfem$.dlg@40tude.net>
In-Reply-To: m23b1096w7.fsf@mac.com

On Sat, 09 Jun 2007 22:04:24 +0100, Simon Wright wrote:

> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
> 
>> On Sat, 09 Jun 2007 13:32:59 +0100, Simon Wright wrote:
> 
> I was trying to make the point that some restraints on program
> legality can be made in the language by defining constrained types,
> others you're stuck with hand-coded checks:
> 
>    pragma Assert ({correct calling sequence}, "bad calling sequence");
> 
> or if you prefer
> 
>    if not {correct calling sequence} then
>       raise Use_Error;
>    end if;
> 
> All much of a muchness in terms of trying to make sure that the
> program is correct and is used correctly.

That's OK. My point is that raising Use_Error is a correct behavior of the
program. It is not a bug. Therefore it has to be documented:

   "when the sequence is not this and that, then Use_Error is propagated."
 
Such sequences are legal sequences, like an illegal Ada program is a legal
input for an Ada compiler. Therefore the caller has to have a handler for
Use_Error or else document it, etc. This is why exceptions should be
contracted and not considered as "oops, we didn't think about this."

> Also, this check is about a precondition, if the caller violates the
> precondition she has no right to expect me not to raise unheralded
> exceptions!

Oh my. "If you don't do that, then I ..." (:-))

No, if the precondition was violated by the caller, then how is this caller
supposed to handle an exception it does not know about? And why would you rely
on this handling, provided that it is exactly the one who first violated the
contract?

If I designed pre-/postcondition/invariant stuff for Ada, then I would
consider implementation of all run-time checks in an independent task with
its own stack. A violation would immediately abort the monitored task, and the
exception would be propagated in the monitor task.
 
>> The contract would be a lie. Another reason is that you could not
>> handle Baz, because that would change the program behavior with and
>> without assertions checked. IMO run-time assertions are an utterly
>> wrong idea.
> 
> As I said before, I see little difference between assertions &
> predefined language checks in terms of where they should be
> used. Clearly you shouldn't use an assertion where the thing being
> checked is legitimate failure behaviour!
> 
>    pragma Assert (not Vessel_On_Firing_Range);
>    Start_Test_Missile_Firing;

Wasn't it an anti-vessel missile?... (:-))

Yes, this is what I meant. The above would be legal, and people would use
it, no matter what the guidelines say.

> Of course you can suppress (some) language-defined checks, but then
> you get undefined behaviour at run time if the error condition
> happens. Is it worse to get unexpected exceptions or to compute with
> out-of-range data?

It is the same, without any assumptions about the nature of the error. These
assumptions cannot be reasonably made for errors unknown in advance.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
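The contrast the thread keeps returning to, an explicit check that raises a documented exception versus a pragma Assert on the same condition, shown as an added Ada example (written for this page, not code from any poster). The exception name Use_Error, the Launcher type and the procedures Fire and Fire_Asserted are assumptions made for the illustration:

```ada
--  Added example, not taken from the thread.  Use_Error, Launcher, Fire and
--  Fire_Asserted are names invented for this illustration.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;
with Ada.Assertions;

procedure Contracted_Check is

   Use_Error : exception;

   type Launcher is record
      Armed : Boolean := False;
   end record;

   --  Contracted precondition: the documentation states "Fire propagates
   --  Use_Error when the launcher has not been armed".  The check is part of
   --  the program's behaviour and survives any assertion policy, so a caller
   --  can (and must) plan a handler for it.
   procedure Fire (L : Launcher) is
   begin
      if not L.Armed then
         raise Use_Error with "Fire called before Arm";
      end if;
      Put_Line ("fired");
   end Fire;

   --  Same condition as a run-time assertion.  Under
   --  pragma Assertion_Policy (Ignore), or with GNAT compiled without -gnata,
   --  this line is dropped and Fire_Asserted proceeds with an unarmed
   --  launcher: the program's observable behaviour depends on a build switch,
   --  which is exactly why a legitimate failure case should not live here.
   procedure Fire_Asserted (L : Launcher) is
   begin
      pragma Assert (L.Armed, "Fire called before Arm");
      Put_Line ("fired");
   end Fire_Asserted;

   L : Launcher;   --  never armed, so both preconditions are violated

begin
   --  The contracted exception is handled by name; the handler is part of
   --  the caller's obligations under the documented contract.
   begin
      Fire (L);
   exception
      when E : Use_Error =>
         Put_Line ("contracted exception: " & Exception_Message (E));
   end;

   --  Assertion_Error is only raised when assertions are enabled; with them
   --  disabled this block prints "fired" and the handler is dead code.
   begin
      Fire_Asserted (L);
   exception
      when E : Ada.Assertions.Assertion_Error =>
         Put_Line ("assertion failure: " & Exception_Message (E));
   end;
end Contracted_Check;
```

Building this with `gnatmake -gnata contracted_check.adb` exercises both handlers; building without `-gnata` (or adding `pragma Assertion_Policy (Ignore);` at the top) leaves the Use_Error path unchanged but lets the second call fire, which is the behavioural difference between a contracted exception and an assertion that the message above is arguing about.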
