Re: How to get nice with GNAT?

["Randy Brukardt" <randy@rrsoftware.com>]

<ake.ragnar.dahlgren@gmail.com> wrote in message 
news:8f203a9a-6c7c-4614-bc7d-efa65bf10776@googlegroups.com...
>Of course I always listen seriously to Jeff Carter but it's not obvious to 
>me that doing
>"C in Ada" is bad.

It's bad. :-)

> If I remember correctly Google employees are recommended to avoid using 
> exceptions
>when doing C++. The designers of Google Go has gone great lengths to avoid 
>the exception
>concept as much as possible.

Very bad advice, IMHO. With one exception (pun intended):

> In addition SPARK forbids usage of exceptions.

While I think SPARK would be better served with limited exception support, 
at least they require a proof that no exceptions can be raised.

The reason I feel so strongly about this is that exceptions (especially 
Constraint_Error and Program_Error) point out bugs in your code. Whenever 
you "eat" an exception (turning it into an error code, or simply ignoring 
it), you've put an opportunity to ignore a bug into your code. With all of 
the potential problems that entails.

To take a concrete example. My web server runs with all exceptions enabled, 
and there is very little handling of exceptions (there are a few cases where 
expected exceptions are handled, as when a TCP/IP connection is unexpectedly 
dropped). Mainly, the worker tasks handle any surprise exceptions, log them, 
and reset everything in that task to a fresh state. Doing this prevents most 
bugs from causing security problems -- while a crafted input might cause one 
worker to fail, that only causes the sender to get no response. Other 
connections (workers) are uneffected, and there is almost no chance of a 
detected bug from overwriting memory or disk or any of the other things that 
cause security problems.

Exceptions surely aren't enough to prevent all security issues, but they can 
help avoid a substantial number of them.

(As previously noted, if you could prove that no exceptions are possible - 
meaning that no low-level bugs are possible - that would be better than 
having to figure out last-chance handlers and the like, but that's still 
beyond the state of the art for general purpose code. When that changes, 
I'll reconsider my stance on exceptions, but not until then.)

                                                  Randy.