Re: Safety of the Booch Ada 95 Components

[Simon Wright <simon@pogner.demon.co.uk>]

Simon Wright <simon@pogner.demon.co.uk> writes:

> herwin@gmu.edu (Harry Erwin) writes:
> 
> > In C++, the equate operation for a container class C<T> is preferably
> > defined as follows (Sutter, Exceptional C++, Addison-Wesley, 2000):
> > 
> > template <typename T>
> > C<T>& operator=(const C<T>& c)
> > {
> >     if(&c == this) return *this; // not required; done for efficiency
> >     C temp(c); // uses the copy constructor, may throw
> >     swap(temp, *this); // swaps the guts of this container with
> >                        // temp. May not throw.
> >     return *this; // May not throw.
> > } // the destructor for temp releases the memory originally in this
> >   // container, and destructors may not throw
> > 
> > This is strongly exception-safe and exception-neutral, since only the
> > copy constructor can throw, and that occurs before the guts are swapped.
> > Hence the container remains useable, and no objects are lost from it.
> > Now I've been looking at the Booch components for Ada 95, and have
> > noticed that the Copy function typically starts by clearing the To
> > container. That immediately implies that they are not exception-safe,
> > but I'm concerned that they may not be safe under self-assignment as
> > well. Is there something about the Ada 95 standard that guarantees that
> > there will be no aliasing of container args?
[...]
> (2) I'm not quite sure what should occur if an exception happened in
> the middle of copying a queue; it would be reasonable to expect the
> data structure to be uncorrupted, but you couldn't expect any
> particular subset of the elements in the queue to have been copied.
> 
> Nevertheless, I need to look at this one ..

.. and it seems fine to me, at least for queues. The structure is
still valid, though it's not possible to say what the contained values
are.

Harry sent me private mail to the effect that there do indeed seem to
be problems here with the BCs. Well, I don't agree; at least, not that
Harry's suggested semantics are any better in practice.

The postcondition of HA = HB; seems to be (primed names indicate
input values)

  HB == HB' and (HA == HB'
                 or an exception is raised and HA == HA')

In the last case, Harry is going to have to do something about HA,
because whatever else it means it does _not_ hold the value it should!
Perhaps it contains _last_ month's balance of his bank account,
perhaps it's the _old_ state of the helicopter's fuel supply ..

The BCs equivalent for assignment is (no warranties, remember)

  BB == BB' and (BA == BB'
                 or an exception is raised)

The above analysis with regard to exceptions holds also for the Copy
operation (between queues of the same element type but possibly with
different allocation strategies).

There is, however, a defect (OK, guys? :-) in the Copy operation,
since it fails under self-assignment. Oops. Logged.