assume, assert, enforce, @safe
Joseph Rushton Wakeling via Digitalmars-d
digitalmars-d at puremagic.com
Wed Jul 30 15:39:52 PDT 2014
On 31/07/14 00:01, Walter Bright via Digitalmars-d wrote:
> 3. Use of assert to validate input is utterly wrong and will not be supported.
> Use such constructs at your own risk.
>
> ...
>
> 6. enforce() is meant to check for input errors (environmental errors are
> considered input).
>
> 7. using enforce() to check for program bugs is utterly wrong. enforce() is a
> library creation, the core language does not recognize it.
A question on that.
There are various places in Phobos where enforce() statements are used to
validate function input or class constructor parameters. For example, in
std.random.LinearCongruentialEngine, we have:
void seed(UIntType x0 = 1) @safe pure
{
static if (c == 0)
{
enforce(x0, "Invalid (zero) seed for "
~ LinearCongruentialEngine.stringof);
}
_x = modulus ? (x0 % modulus) : x0;
popFront();
}
while in RandomSample we have this method which is called inside the constructor:
private void initialize(size_t howMany, size_t total)
{
_available = total;
_toSelect = howMany;
enforce(_toSelect <= _available,
text("RandomSample: cannot sample ", _toSelect,
" items when only ", _available, " are available"));
static if (hasLength!Range)
{
enforce(_available <= _input.length,
text("RandomSample: specified ", _available,
" items as available when input contains only ",
_input.length));
}
}
The point is that using these enforce() statements means that these methods
cannot be nothrow, which doesn't seem particularly nice if it can be avoided.
Now, on the one hand, one could say that, quite obviously, these methods cannot
control their input. But on the other hand, it's reasonable to say that these
methods' input can and should never be anything other than 100% controlled by
the programmer.
My take is that, for this reason, these should be asserts and not enforce()
statements. What are your thoughts on the matter?
More information about the Digitalmars-d
mailing list