From: "G.B." <bauhaus@notmyhomepage.invalid>
Subject: Re: Tests in a software release
Date: Thu, 16 Nov 2017 22:44:21 +0100
Date: 2017-11-16T22:44:21+01:00 [thread overview]
Message-ID: <oul0ra$jee$1@dont-email.me> (raw)
In-Reply-To: <ouiedt$gd1$1@franka.jacob-sparre.dk>
On 15.11.17 23:17, Randy Brukardt wrote:
> ...
>> The most important thing is, designing by contract
>> is *not* programming defensively. By definition.
>
> One *always* programs defensively.
Why would that be?
FTR, and for what the definitions are,
http://se.ethz.ch/~meyer/publications/computer/contract.pdf
Referring to some notes from your blog, you cannot always
- compute things at compile time, hoping to optimize;
- perform run-time checks in a timely fashion, without
checks causing timeouts:
function Binary_Search (X : List_of_Things) return Thing;
-- ... provided that elements of X are ordered by "<=".
procedure Foo (X : Graph; P : Node_Process);
-- ... provided that X is a DAG.
Is_Sorted can be expressed in Ada, but the compiler cannot
prove this at run-time, foreseeing data that are becoming
available only then. It has no say, at that point.
Similarly, Is_Dag cannot be computed at compile time.
Checking Is_Dag at run-time will be prohibitively
expensive at Foo's end. Still checking is Bad Design, as
Dmitry might possibly put it, I guess, because a DAG is
a DAG by construction. At run-time.
So, what needs to be done and what is usually done
is that clients will be sure to call subprograms
passing sorted lists and passing DAGs, resp. No checks,
no defenses, just doing what the contract says we should.
So, while no compiler can eliminate the computations for
the reasons stated ("optimize"), we can if our code abides,
by *not* having Binary_Search *check* proper ordering.
Thus, your future compiler could not "demonstrate likely
bugs" for these contracts, but if the optimizer fails at
predicting all run-time values in X and therefore adds checks,
it likely prevents efficient real-time computation for the
contracts outlined above.
> In any case, this is the exact opposite of the sort of approach that you are
> championing.
On the contrary: you write the contract's clauses of
all parties to your compiler and then, once you
know your code meets the requirements of the contracts,
you drop checking code accordingly ("optimize") and in
good conscience.
if X /= X or else X /= X then
-- what, at compile time,
-- for which which kind of X?
next prev parent reply other threads:[~2017-11-16 21:44 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-25 19:30 Tests in a software release Victor Porton
2017-10-26 7:20 ` Dmitry A. Kazakov
2017-10-27 18:06 ` G. B.
2017-10-27 18:54 ` Dmitry A. Kazakov
2017-10-28 6:53 ` G.B.
2017-10-28 7:35 ` Dmitry A. Kazakov
2017-10-30 20:44 ` G. B.
2017-10-30 20:56 ` Dmitry A. Kazakov
2017-10-31 7:17 ` G.B.
2017-10-31 8:32 ` Dmitry A. Kazakov
2017-11-03 7:24 ` G.B.
2017-11-03 8:16 ` Dmitry A. Kazakov
2017-11-03 12:49 ` Shark8
2017-11-04 10:15 ` G.B.
2017-11-15 0:11 ` Randy Brukardt
2017-11-15 17:57 ` G. B.
2017-11-15 20:46 ` Dmitry A. Kazakov
2017-11-17 15:36 ` Shark8
2017-11-15 22:17 ` Randy Brukardt
2017-11-16 21:44 ` G.B. [this message]
2017-11-17 0:15 ` Randy Brukardt
2017-11-17 15:45 ` Shark8
2017-11-18 1:07 ` Randy Brukardt
2017-11-15 0:06 ` Randy Brukardt
2017-11-15 8:47 ` Dmitry A. Kazakov
2017-11-15 21:53 ` Randy Brukardt
2017-11-15 16:47 ` Jeffrey R. Carter
2017-11-15 16:59 ` J-P. Rosen
2017-11-15 20:45 ` Dmitry A. Kazakov
2017-11-15 21:58 ` Randy Brukardt
2017-11-16 5:50 ` J-P. Rosen
2017-11-16 23:53 ` Randy Brukardt
2017-11-15 0:01 ` Randy Brukardt
2017-11-16 17:02 ` Robert Eachus
2017-11-17 0:20 ` Randy Brukardt
2017-11-22 20:40 ` Robert Eachus
2017-11-14 23:55 ` Randy Brukardt
2017-10-26 8:09 ` Stefan.Lucks
2017-10-26 17:30 ` Simon Clubley
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox