assume, assert, enforce, @safe

Dicebot via Digitalmars-d digitalmars-d at puremagic.com
Fri Aug 1 17:57:25 PDT 2014 

On Friday, 1 August 2014 at 19:10:34 UTC, Walter Bright wrote:
> On 8/1/2014 6:12 AM, Dicebot wrote:
>> ok, can this be considered a good summary of using 
>> assertions/contracts for
>> services where risk of entering undefined state is 
>> unacceptable?
>>
>> 1) never use `assert` or contracts in actual application code, 
>> use `enforce`
>> instead
>> 2) never use `enforce` in library code unless it does actual 
>> I/O, use contracts
>> instead
>> 3) always distribute both release and debug builds of 
>> libraries and always run
>> tests in both debug and release mode
>>
>> Does it make sense? Your actual recommendation contradict each 
>> other but it is
>> best what I was able to combine them into.
>
> What makes me hesitate about use of enforce() is its high 
> runtime cost. It's not just the computation, but the call stack 
> above it is affected by enforce() being throwable and 
> allocating via the GC.

`enforce` does have overload which allows to use pre-allocated 
exception instance. Or, alternatively, we may need a similar 
helper wich does `if (!condition) abort()` with no interaction 
with -release or optimizer.

Whatever is chosen it does seem that contracts can't be used in 
application code because it is too affected by user input and is 
too likely to expose hidden bugs in production.

> Secondly, enforce() is about recoverable errors. Program bugs 
> are simply NOT recoverable errors, and I cannot recommend using 
> them for that purpose. I've argued for decades with people who 
> insist that they can write code that recovers from unknown 
> programming bugs.

1) one can always `enforce` with a pre-allocated Error, will 
druntime handle that as expected?

2) There is certain class of applications where even programming 
bugs can (and must be) considered recoverable. Network services 
that don't yet have full scale high availability infrastructure 
(and thus can't afford downtime of restarting the app) are quite 
likely to only terminate connection fibers when programming bug 
is found - it does not affect serving any other connections. It 
may be fundamentally wrong but is is pragmatical working approach.

These questions are not theoretical - we regularly have 
discussion about how contracts may / should be used at work with 
no clear understanding / agreement so far. I am interested in 
simple set of guidelines that won't turn writing every single 
function in a guessing game (does a contract fit here?)

More information about the Digitalmars-d mailing list