Re: invariant checking in exception case



>> So who is responsible for preventing these crashes ?

>Consider a list built in the usual way with LINKABLE cells, each referencing a
>cell to the right (if not the last cell) and an item.

>Let us assume it is possible to have a cell with no item reference. For example,
>"put" in LINKED_LIST does not have a precondition that the item being added is
>not Void. So, it is possible to add a Void item, and have a void reference to
>it. Suppose, though, that the application used lists with the property that no
>element was Void.

>With invariant checking enabled in which this property could be evaluated, such
>a fault would be detected at the time a list was modified with such a Void item.

>With invariant checking turned off, this fault would not be detected unless an
>attempt was made to use the Void item in the belief it was not Void. Hence, the
>crash some time after the fault condition was created.

>Of course, in other circumstances, it may be that you want to allow lists with
>Void elements.

>Now, how is the compiler to know which case is which (in the absence of invariants)?

>> programmer or compiler ?

>At present, the programmer.

My English is not so good, sorry. Thus I do not always spell my
questions precisely. I would like to underscore the fact that if there
were a check for the invariant in the rescue clause, then it would be the
compiler's responsibility to prevent errors (of course, if that check
were not switched off). If there were no such check, then, as in
your example, it would be the programmer's responsibility to prevent these
errors.

So from my point of view, not having a check for the invariant in the rescue
clause is avoiding the compiler's check and shifting responsibility to the
programmer (though sometimes these errors can later be detected by other
contracts at the places of usage).

>> Does it correct that not restoring invariants not increase amount of
>> lost data ?

>I am not sure exactly your meaning, because of the two negatives. I think you
>mean to say "Is it correct that not restoring invariants increases the loss of
>data".

The confusion occurred because this question sounds the opposite of what
I described. But I formulated that question in the same direction as the
original one.

Nevertheless, you understood me correctly.

>I think it depends on the exact situation. If computation has been done after
>the point of rescue before the crash, then, yes, the results of those
>computations may be lost. But, it is also possible for those computations to be
>incomplete and leave the system in an inconsistent state because of the crash.
>It can also be that rescuing does not completely remove all inconsistency.

>If working in a situation where integrity is required in the face of possible
>crashes, then means must be adopted to handle this, such as isolation of the
>computation until it is complete (and can be checked for integrity if
>necessary), or check pointing methods.

>A simple example explains what I mean by isolation. Rather than working with a
>"live" object, create or clone a new one and work with that until the
>computation is complete. Then, you can replace the old with the new. Rescuing
>involves retaining the original and discarding the new object. This idea can be
>generalized to a system of objects, of course.

I also agree that it is not always possible in the rescue clause to remove
inconsistency. And in such cases it is necessary to use various
practices like the one you describe (working with the new object and replacing
the old one with the new one in the success case).

But restoring invariants in the rescue clause is one more chance to create a
program which would lose less data in case of an exception. If this
principle is discarded, then the recovery ability of the program in general would be
worse.

Thank you, Alexey.
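An added illustration of the three situations discussed in this thread, not code from either poster: a Void item caught at insertion time versus at a later use, an invariant check inside the rescue clause, and the clone-then-swap isolation described in the quoted reply. Python stands in for Eiffel here: a try/except block plays the rescue clause, None plays Void, and the class, function and table names are all constructed for the example.

```python
from typing import Callable, Iterable, List, Optional

class InvariantViolation(Exception):
    pass

class NonVoidList:
    checking = True                    # "invariant checking enabled" switch

    def __init__(self, items: Iterable[object] = ()) -> None:
        self.items: List[object] = list(items)

    def check(self) -> None:
        # The thread's application invariant: no element is Void (None here).
        if self.checking and any(x is None for x in self.items):
            raise InvariantViolation("Void item in list")

    def put(self, item: object) -> None:
        # Like LINKED_LIST.put: no precondition against Void. With checking
        # on, the fault surfaces here; with it off, only at a later use.
        self.items.append(item)
        self.check()

def extend_live(lst: NonVoidList, keys: Iterable[str],
                f: Callable[[str], Optional[int]], rescue_check: bool) -> bool:
    # Modify the live object: a failure part-way leaves earlier appends in place.
    try:
        for k in keys:
            lst.items.append(f(k))
        lst.check()
        return True
    except ValueError:
        if rescue_check:       # evaluate the invariant in the rescue clause:
            lst.check()        # a broken list is reported now, not at a later use
        return False

def extend_isolated(lst: NonVoidList, keys: Iterable[str],
                    f: Callable[[str], Optional[int]]) -> bool:
    # Clone, work on the copy, verify it, then swap; on failure keep the original.
    work = NonVoidList(lst.items)
    try:
        for k in keys:
            work.items.append(f(k))
        work.check()
        lst.items = work.items   # commit only once the copy is consistent
        return True
    except (ValueError, InvariantViolation):
        return False             # rescue: copy discarded, original untouched

TABLE = {"a": 1, "b": 2}         # constructed lookup; unknown key -> None (Void)
def lookup(key: str) -> Optional[int]:
    if key == "crash":
        raise ValueError("failure mid-computation")
    return TABLE.get(key)
```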
