From: Robert A Duff
Newsgroups: comp.lang.ada
Subject: Re: Silly and stupid post-condition or not ?
Date: Tue, 07 Feb 2012 12:24:44 -0500
Organization: The World Public Access UNIX, Brookline, MA
References: <82wr86fzos.fsf@stephe-leake.org> <5af407fc-2868-44ca-84d2-c51a2a64104d@o4g2000pbc.googlegroups.com> <82k445fu9n.fsf@stephe-leake.org> <82ty36urik.fsf@stephe-leake.org>

"Randy Brukardt" writes:

> I've done this in my programs by simply commenting them out; ...

Well, that's one way to "turn off" assertions.

I agree it would be good to have more control over super-expensive
assertions.  GNAT has some features like that.

>>>...(as always, it's like taking off the seatbelts
>>> when you leave the garage...).
>>
>> I don't buy this analogy (nor the similar one about life jackets and
>> sailboats).  Seatbelts often save lives and reduce injuries
>> when something goes wrong.  Preconditions (etc) don't cause
>> programs to give correct answers when something goes wrong
>> -- they just detect the wrongness.
>
> Turning off constraint checks makes a program erroneous, and thus the program
> can return wrong answers without any notice.

Yes, of course.  But that's got nothing to do with seatbelts!

> Today, this sort of thing is a security problem...

Yes, for programs that accept untrusted inputs.  A compiler, for example,
doesn't have that problem (unless you hook it up to the internet!).

>... - constraint checks at least
> bound the problem to at worst a denial-of-service problem, much less of a
> problem than allowing a buffer overflow that allows anything to be executed.

Yes, DoS is less of a problem than stealing the credit-card database.
So I suppose I must admit this has a bit of "seatbelt" flavor to it
(analogous to "reduce injuries").

> I admit that is less of a problem for preconditions and the like, but I
> think the same holds true -- particularly if the correctness checks were
> removed from the code in favor of the preconditions.
>
>> By the way, I find that when I (at first) think I want a
>> pre/post, it's usually better expressed as a subtype predicate.
>> My favorite new feature of Ada 2012.
>
> I agree.  I originally thought that predicates were a better solution to the
> problem than pre/post/invariants.  I still do for most uses, but of course
> whenever multiple parameters are involved you have to use a precondition
> instead.

Right.

- Bob
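The three kinds of check the thread contrasts, shown side by side in one small Ada 2012 program: a subtype predicate for a property of a single value, a precondition for a property that relates two parameters, and the language-defined index check that turns an out-of-range write into Constraint_Error instead of a memory write past the array. This is an added example written for this page, not code from the thread, from Randy or Bob, or from GNAT itself; the unit and names (Checks_Demo, Fill, Even_Index, Input) are made up, the "untrusted" values are constructed in-line, and the only GNAT switches it assumes are -gnata (enable assertions, so Pre and predicates are checked) and -gnatp (suppress all run-time checks).

```ada
--  Added example (not from the original thread).  Build three ways with GNAT:
--    gnatmake -gnata checks_demo.adb   -- predicates, Pre and index checks on
--    gnatmake checks_demo.adb          -- predicates and Pre ignored, index check on
--    gnatmake -gnatp checks_demo.adb   -- everything off: the last write is erroneous
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checks_Demo is

   --  Stand-in for untrusted input (constructed for this example).  Going
   --  through 'Value keeps the compiler from folding the checks away.
   function Input (S : String) return Integer is (Integer'Value (S));

   subtype Index is Positive range 1 .. 8;
   type Buffer is array (Index) of Character;

   --  A property of a single value: a subtype predicate, checked wherever a
   --  value of this subtype is created, assigned or converted (under -gnata).
   subtype Even_Index is Index
     with Dynamic_Predicate => Even_Index mod 2 = 0;

   --  A property relating two parameters cannot live on either parameter's
   --  subtype, so it has to be a precondition (also only checked under -gnata).
   procedure Fill (B : in out Buffer; From, To : Index)
     with Pre => From <= To;

   procedure Fill (B : in out Buffer; From, To : Index) is
   begin
      for I in From .. To loop
         B (I) := '*';
      end loop;
   end Fill;

   function Image (B : Buffer) return String is
      S : String (B'Range);
   begin
      for I in B'Range loop
         S (I) := B (I);
      end loop;
      return S;
   end Image;

   Buf : Buffer := (others => '.');

begin
   Fill (Buf, 2, 5);
   Put_Line ("Fill (2, 5): " & Image (Buf));

   --  Precondition violated: Assertion_Error under -gnata.  With assertions
   --  off, the null range 6 .. 3 makes the loop do nothing, silently.
   begin
      Fill (Buf, Input ("6"), Input ("3"));
      Put_Line ("Fill (6, 3): ran, precondition not checked");
   exception
      when E : others => Put_Line ("Fill (6, 3): " & Exception_Name (E));
   end;

   --  Predicate violated: likewise only detected under -gnata.
   begin
      declare
         N  : constant Index      := Input ("3");
         EI : constant Even_Index := N;
      begin
         Put_Line ("Even_Index :=" & Index'Image (EI) & ": predicate not checked");
      end;
   exception
      when E : others => Put_Line ("Even_Index := 3: " & Exception_Name (E));
   end;

   --  Index check violated: Constraint_Error in every build except -gnatp,
   --  where the write lands outside Buf and execution is erroneous.
   begin
      Buf (Input ("9")) := 'X';
      Put_Line ("Buf (9) := 'X': ran, index check suppressed");
   exception
      when E : others => Put_Line ("Buf (9): " & Exception_Name (E));
   end;
end Checks_Demo;
```

Run the three builds in turn and compare: the default build already demonstrates Bob's point that preconditions and predicates "just detect the wrongness" (turn them off and the bad Fill and the odd Even_Index both pass silently, but the program keeps running on wrong data), while the index check still stops the last statement with Constraint_Error, which is Randy's denial-of-service bound. Only the -gnatp build removes that bound too; what happens then is not defined by the language, so do not rely on the "ran" line even printing.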