Program logic bugs vs input/environmental errors

Bruno Medeiros via Digitalmars-d digitalmars-d at puremagic.com
Fri Nov 7 07:00:33 PST 2014 

On 29/10/2014 21:22, Walter Bright wrote:
> On 10/29/2014 5:37 AM, Bruno Medeiros wrote:
>> On 18/10/2014 18:40, Walter Bright wrote:
>>> As I've said before, tripping an assert by definition means the program
>>> has entered an unknown state. I don't believe it is possible for any
>>> language to make guarantees beyond that point.
>>
>> The guarantees (if any), would not be made by the language, but by the
>> programmer. The language cannot know if a program is totally broken and
>> undefined when an assert fails, but a programmer can, for each particular
>> assert, make some assumptions about which fault domains (like Sean put
>> it) can
>> be affected and which are not.
>
> Assumptions are not guarantees.
>

Let me give an example:

double sqrt(double num) {
   assert(num >= 0);
   ...

With just this, then purely from a compiler/language viewpoint, if the 
assert is triggered the *language* doesn't know if the whole program is 
corrupted (formatting the hard disk, etc.), or if the fault is localized 
there, and an error/exception can be thrown cleanly (clean in the sense 
that other parts of the program are not corrupted).

So the language doesn't know, but the *programmer* can make a reasoning 
in each particular assert of which domains/components of the program are 
affected by that assertion failure. In the sqrt() case above, the 
programmer can easily state that the math library that sqrt is part of 
is not corrupted, and its state is not totally unknown (as in, it's not 
deadlocked, nor is it formatting the hard disk!). That being the case, 
sqrt() can be made to throw an exception, and then that "assertion" 
failure can be recovered cleanly.

Which leads to what you say next:

> In any case, if the programmer knows than assert error is restricted to
> a particular domain, and is recoverable, and wants to recover from it,
> use enforce(), not assert().
>

Very well then. But then we'll get to the point where enforce() will 
become much more popular than assert to check for contract conditions. 
assert() will be relegated to niche and rare situations where the 
program cant really know how to continue/recover cleanly (memory 
corruption for example).

That idiom is fine with me actually - but then the documentation for 
assert should reflect that.

-- 
Bruno Medeiros
https://twitter.com/brunodomedeiros

More information about the Digitalmars-d mailing list