Well it's certainly a bug in the provider.Roland said:Is a contract violation a bug or an expected runtime scenario? IMO,
the latter.
Is a contract violation a bug or an expected runtime scenario? IMO,
the latter.
How do you engineer a reliable product if you expect third party
components (software or hardware) not to adhere to their interface
specifications? If you expect them to do that you need to change
supplier.
Why are they not appropriate to 'enforce' them in release mode? IfRoland said:You are right. The caller must rely on the contracts (specifications)
of third party components. I misinterpreted Ian Collins' remark that
he's "using asserts to enforce the contract between the application
and its operating environment". asserts may check some aspects of
contracts in non-release settings but are not appropriate to 'enforce'
them in release mode.
Why are they not appropriate to 'enforce' them in release mode? If
something you trust breaks that trust, would you rather experience a
random, possibly damaging, failure or a controlled one?
Roland said:assert is a means of finding bugs in your code. What you check at
runtime in your released program is something different (though
necessary and useful).
I'm not sure I like Hoare's analogy. Consider this one: When you are
learning to ride a bicycle you attach training wheels to catch you when
you make a mistake. When you are competing in the Tour de France you no
longer use the training wheels. Analogously, when you are writing code
you use asserts to catch when your invariants stop being invariant.
After you are satisfied the code is correct you disable them for
performance.
That said, I do find the rest of the arguments compelling.
So you do use asserts, you just give them a different name!Old said:I never use assert(), mostly for the reasons already listed. In C++ I
throw a logic_error exception and in C I call an error function that
prints out what happened and suspends the program. There have been
one or two instances over the years where one of the supposed
'impossible asserts' has happened in the field and I am very glad I
had the printout of what happened, instead of a vague report of a
malfunctioning device.
Roland said:assert is a means of finding bugs in your code.
Are we arguing over a name, or a technique? Do you include anyWhat you check at
runtime in your released program is something different (though
necessary and useful).
So you do use asserts, you just give them a different name!
It aborts by default, but there is nothing stopping you changing theOld said:Please learn to read. I said "I never use assert()". assert() is
a C++ (and C) feature that aborts the program at runtime when its
argument is false , unless the macro NDEBUG is defined, in which
case it is a no-op. You can look it up in the C standard or in
various other references.
How do you engineer a reliable product if you expect third party
components (software or hardware) not to adhere to their interface
specifications? If you expect them to do that you need to change
supplier.
You can't defend against all possible invalid input form third partyKirit said:Isn't the ability to do just that what we strive to do? To write
reliable software even in the face of the unexpected?
I'm sure we all do, but the are situations where the only safe thing toI always looked at everything that I've done to try to engineer better
software as being able to cope with every more error cases and faulty
systems (and users) with the minimum of problems.
You can't defend against all possible invalid input form third party
components. You should be able to defend against all possible invalid
input from users.
I'm sure we all do, but the are situations where the only safe thing to
do is bail out as soon as possible.
I worded my response badly, I should have said we can't *handle* allKirit said:Can't we? In the sense of analysing whether we have defended against
them all I suspect this is probably the same as solving the halting
problems. That doesn't mean we can't do it in specific circumstances
though. To turn the original question around:
Assuming unexpected input is by deffinition input we are unable toI completely agree, but this is a measure of last resort and should
really only be undertaken as a response when to not do so would cause
an even worse eventuality.
Says who?
All the standard has to say is "The assert macro puts
diagnostic tests into programs".
Are we arguing over a name, or a technique? Do you include any
diagnostic tests for internal (rather user generated) state in your
released code?
I see. So why don't you consider asserts to be appropriate for theseRoland said:The criterion is whether the diagnostic test checks a programmer error
or an expected (probably rare) incident.
I see. So why don't you consider asserts to be appropriate for these
non-programmer errors?
Isn't the ability to do just that what we strive to do? To write
reliable software even in the face of the unexpected?
I always looked at everything that I've done to try to engineer better
software as being able to cope with every more error cases and faulty
systems (and users) with the minimum of problems.
I guess that all depends whether you define NDEBUG or not.Roland said:Because asserts are not available in the relased program and you most
probably want these non-programmer errors to be detected also in the
released program.
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.