On exceptions, errors, and contract violations

via Digitalmars-d digitalmars-d at puremagic.com
Fri Oct 3 12:46:15 PDT 2014 

On Friday, 3 October 2014 at 17:40:43 UTC, Sean Kelly wrote:
> Setting aside exceptions for the moment, one thing I've 
> realized about errors is that in most cases, an API has no idea 
> how important its proper function is to the application writer.
>  If a programmer passes out of range arguments to a 
> mathematical function, his logic may be faulty, but *we have no 
> idea what this means to him*.  The confusion about whether the 
> parameters to a library constitute user input is ultimately the 
> result of this exact problem--since we have no idea of the 
> importance of our library in each application, we cannot 
> dictate how the application should react to failures within the 
> library.

Yes, I agree. The exceptions are serious hardware instability 
issues. Or serious errors such as a garbage collector going 
bananas with no possibility of ever reclaiming any lost memory. 
Those are not application level concerns. Those are kernel or 
foundational runtime concerns.

I don't want my website to tank just because some library author 
wrote code that is incapable of dealing with 29th of February in 
a date conversion. I don't want the website to tank because a 
validator throws a type related error. I want the validation to 
fail, but not the program. The failure should be local to what 
you are calling into.

The conversion from a local failure to a fatal error can only be 
done by the application in most cases.

> A contract has preconditions and postconditions to validate 
> different types of errors.  Preconditions validate user input 
> (caller error), and postconditions validate resulting state 
> (callee error).

Preconditions establish what input the postconditions are 
guaranteed to hold for. They don't really validate.

Preconditions say this: if you call me with other values than the 
ones in the precondition you may or may not get what you want, it 
is not my responsibility.

> A precondition error suggests a logic error in the application, 
> and a postcondition error suggests a logic error in the 
> function.

I'd rather say:

1. If you call into a function breaking the precondition, then 
the calling module is responsible for any errors that may occur 
later on. (or rather the contractor that wrote it)

2. If the postcondition fails for input that satisfies the 
precondition then the called module is responsible. (or rather 
the contractor that wrote it)

>  The function writer is in the best position to know the 
> implications of a postcondition failure, but has no idea what 
> the implications of a precondition failure might be.

If the modules are isolated then the system architect can define 
which modules are critical and which are not. So he or she can 
decide whether the module should continue, be turned off, logged 
for manual correction at later stage, reset or if the whole 
system should enter some kind of emergency mode.

> it's reasonable to assert that not only the type of contract 
> error is important to know what to fix, but also to know how to 
> react to the problem.

Yes, and maybe even know which contractor should be called to fix 
the problem.

>  But contract violations are something different and I believe 
> they deserve their own category.

The support for contracts in D is not really meaningful IMO. It 
is basically just regular asserts with syntax dressing.

> How does this sound?  It's only the beginnings of an idea so 
> far, but I think it's on the right track towards drawing 
> meaningful distinctions between error conditions in D.

I like where you are going, but think about this:

Is infinite recursion a logic error?

It should not be considered to be, because you can solve a 
problem using N strategies concurrently and choose the one that 
returns a valid result first.

Hence logic errors are not fatal errors until the application 
code says so.

It makes a lot of sense to cut down on the amount of code you 
have to write and let runtime errors happen, then catch them and 
swallow them. It makes sense to just swallow errors like typing 
issues if they should not occur for a result you want to use.

You simply turn the "logic error" into a "cannot compute this" 
result if that is suitable for the application. And the 
programming language should not make this hard.

More information about the Digitalmars-d mailing list