From: Robert A Duff
Newsgroups: comp.lang.ada
Subject: Re: Contracted exceptions for Ada
Date: Mon, 10 Dec 2007 11:57:14 -0500
Organization: The World Public Access UNIX, Brookline, MA
References: <5947aa62-2547-4fbb-bc46-1111b4a0dcc9@x69g2000hsx.googlegroups.com> <7m9wkymyi5h7.1235e72is9mp9.dlg@40tude.net>

Stefan Lucks writes:

>> no need for a handler. Unfortunately, there's no Non_Zero subtype.
>
> I am afraid a non-zero subtype would move the problem around, rather
> than solve it. The exception not raised by X/Y might then be raised
> before, when you compute Y:=A-B.
>
> On a second look, this might actually be useful for better diagnostics. The
> exception is raised closer to the point where the faulty value (the zero
> Y) is created, rather than, perhaps, much later.

Exactly. Pushing the check to the caller makes it more likely that you
can prove it's true statically. E.g. suppose you read a number from the
keyboard, and pass it around, store it in a data structure, retrieve it
from the data structure, and then divide by it. The "read" part should
do input validation, or else there's a bug. If all the subtypes of those
parameters and data structures had a "cannot equal zero" invariant, then
the bug is isolated to the "read" part. And if that part says
"if Value /= 0 ..." then it's easy to prove that the bug is not there.

- Bob
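An added example, written for this page rather than taken from the post or anyone in the thread, of the layout Bob describes: the "cannot equal zero" invariant lives on the subtype (using Ada 2012's Dynamic_Predicate, which postdates this 2007 thread), the only check lives in the read part, and the division needs no handler. Non_Zero_Demo, Read_Divisor, Safe_Div and Divisor_Table are assumed names.

```ada
pragma Assertion_Policy (Check);
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Non_Zero_Demo is
   --  The "Non_Zero subtype" the post says is missing.  Ada 2012 added
   --  Dynamic_Predicate, which postdates this thread; the name Non_Zero
   --  is assumed here, not language-defined.
   subtype Non_Zero is Integer
     with Dynamic_Predicate => Non_Zero /= 0;

   --  Every element carries the invariant, so a value retrieved from the
   --  table is a valid divisor without any further check.
   type Divisor_Table is array (Positive range <>) of Non_Zero;

   --  The "read" part: the only place that has to validate.  Because it
   --  tests Value /= 0 before returning, a zero cannot leak out of it.
   function Read_Divisor (Text : String) return Non_Zero is
      Value : constant Integer := Integer'Value (Text);
   begin
      if Value /= 0 then
         return Value;
      else
         raise Constraint_Error with "divisor must not be zero:" & Text;
      end if;
   end Read_Divisor;

   --  X / Y cannot raise Constraint_Error for a zero Y: the parameter
   --  subtype is the precondition, so no handler is needed here.
   function Safe_Div (X : Integer; Y : Non_Zero) return Integer is
   begin
      return X / Y;
   end Safe_Div;

   --  Constructed stand-in for numbers typed at the keyboard.
   Inputs : constant array (1 .. 3) of String (1 .. 2) := (" 2", "-4", " 0");
begin
   for Input of Inputs loop
      begin
         declare
            Table : constant Divisor_Table := (1 => Read_Divisor (Input));
         begin
            --  Stored, retrieved and divided by, with no zero check in sight.
            Put_Line (Input & ": 100 / Y =" & Integer'Image (Safe_Div (100, Table (1))));
         end;
      exception
         when E : Constraint_Error =>
            Put_Line (Input & ": rejected at input (" & Exception_Message (E) & ")");
      end;
   end loop;
end Non_Zero_Demo;
```

The " 0" input is rejected inside Read_Divisor, so Safe_Div is never reached with a zero divisor; that is the bug isolation the post argues for.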