Re: assert_handler?
Bob Bell wrote:
John Nagle wrote:
Bob Bell wrote:
So to answer your question, yes, what you've got is good enough,
because the only way a non-friend can get back into A is through an
operation that will check invariants.
The Spec# people have an explicit "invariants valid" flag,
which is set false at entry to a public method and set back to
true at exit. At entry to a public method, if that flag is
false, it's an error. If you want to temporarily exit the
object, you have to explicitly perform an operation that checks the invariant
and sets the flag.
How do they deal with friendship? A friend can reach into a class and
mess with private member variables. I don't see how the integrity of an
"invariants valid" flag can be maintained when friendship exists.
A friend can indeed change the internal state of an object - and if a
friend does so and leaves the object in such a state that one of its
clients can observe the object with a false invariant - then the
contract has been broken. And finding broken contracts - that is,
likely errors in the program is the actual goal of this feature. The
goal is not to ensure the "integrity" of a particular flag, the goal is
to find bugs in the program - and bugs that should be fixed.
Toward the end, I do not see that maintaining an "invariants flag" as
really likely to be all that helpful. The effectiveness of this feature
is not that it would impose a series of rigid constraints on how a
programmer designs and implements an interface. On the contrary, to be
both useful and to be used, design-by-contract has to afford the
programmer the maximum latitude in specifying the scope of a particular
contract. And it only makes sense for this feature to do so, because
the programmer is the one who drew up the contract, and the one who
best understands it. So any contract violations detected have to be
clear-cut: and - most importantly - be violations from the programmer's
point of view - and not just from the feature's point of view.
In particular, there is no reason to check invariants whenever a method
under contract remains in scope but calls out to another method. It is
not necessarily a bug if the invariants of the object do not hold for
the duration of the outside call. Now, were the object to acquire
another client who then calls back as a result of that outside call -
or is otherwise able to observe the object with a false invariant -
then a clear contract violation would have occurred. And at the point -
and no sooner - should the violation be reported.
Reporting violations prematurely and without sufficient grounds is
likely to be counterproductive. Logically, the programmer could simply
wish to stipulate that the called routine has been subsumed into the
method's own implementation. Or to put it another way, the object
should be able to call, say, std::strlen() without having first to
ensure that its invariants are true. Granted, the programmer may decide
upon a more stringent contract - and that possibility should be
available - but such an inflexible requirement should not be mindlessly
forced upon the programmer. The entire rationale for adding
design-by-contract support to C++ is to assist the programmer in
writing a coherent set of interfaces for an implementation - and the
goal is not find as many faults - whether irrelevant or not - with the
programmer's work as possible.
Greg
---
[ comp.std.c++ is moderated. To submit articles, try just posting with ]
[ your news-reader. If that fails, use mailto:std-c++@ncar.ucar.edu ]
[ --- Please see the FAQ before posting. --- ]
[ FAQ: http://www.comeaucomputing.com/csc/faq.html ]