'Re: [XOM-interest] design principles'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xom-interest
Subject:    Re: [XOM-interest] design principles
From:       Elliotte Rusty Harold <elharo () metalab ! unc ! edu>
Date:       2002-09-20 21:39:31
Message-ID: p04330106b9b13fd410dd () [192 ! 168 ! 254 ! 4]
[Download RAW message or body]

At 8:19 PM -0500 9/18/02, Michael McEniry wrote:
In "XOM Design Principles" 
(<http://www.cafeconleche.org/XOM/designprinciples.xhtml>http://www.cafeconleche.org/XOM/designprinciples.xhtml), \
 what do these two statements mean?

I just tossed that document up by copying and pasting bullet points 
from my slides. At the talk I elaborated one each one of course. My 
goal is to expand on each one, but it does take time. Might as well 
begin with these two.

  "Problems detectable in testing throw runtime exceptions"

I got this idea from Bruce Eckel (Does Java need Checked Exceptions?, 
http://www.mindview.net/Etc/Discussions/CheckedExceptions) and Joshua 
Bloch  (Effective Java, particularly Item 40--Use checked exceptions 
for recoverable conditions and runtime exceptions for programming 
errors--and 41--Avoid unnecessary use of checked exceptions). Bloch 
is especially clear that precondition violations should cause runtime 
exceptions should be used for. (Think IllegalArgumenteException). 
Most of the time this indicates a programming error. Thus rather than 
putting in a try-catch block to handle the exception, the programmer 
should fix the mistake that led to the programming error in the first 
place. Assuming the programmer has fixed the mistake, there's no 
reason to catch the exception because it won't be thrown. And if the 
programmer's wrong, and they haven't fixed their mistake, then they 
should learn about it as soon as possible rather than having the 
exception get lost in an empty catch block added just to make the 
compiler shut up about an uncaught exception.

Most of the runtime exceptions in XOM occur as a result of 
precondition violations, for instance passing a string to setName() 
that is not a legal XML name. This will likely happen every time the 
program is run, or every time the program executes a particular 
section of code, rather than depending on input or temporary 
conditions. This isn't always true. For instance, a GUI might ask a 
user to type in an element name and then pass that string to setName. 
Whether or not the exception is thrown would then depend on what the 
user typed. However, I think more often than not such a precondition 
violation is internal to the program, and thus should be caught by 
testing.

On the other hand, not all problems are like this. For instance, a 
ParseException is thrown when an external document is discovered to 
be malformed. There is no way to predict this in advance because the 
document is not part of the program itself (unlike the string passed 
to setName). Whether or not the exception is thrown depends 
completely on which document you're parsing, and the document may not 
even exist at compile time. There's no way to tell if it's 
well-formed or not until run time. Hence ParseException is a checked 
exception.

  "Assertions that can be turned off are pointless"

In Java 1.4 you can use a command line flag to disable assertion 
checking. However, if an assertion is violated, it's still an error, 
just one you no longer notice. Turning off assertions at runtime is 
like including airbags in a new car model during design and street 
testing, then removing them before you begin selling the cars to 
consumers. No matter how rigorously you test, the users of your 
library will encounter situations and uncover bugs you did not find 
in testing. As Rolf Howarth wrote on the on the java-dev mailing list 
back in February:

programmers love the concept of assertions so much because it's like 
having your cake and eating it. On the one hand you can kid yourself 
you're protecting yourself by testing for error conditions that you 
know you should, but on the other you're absolved from any 
responsibility if the extra checks have a performance impact because 
they won't be there in production code. Except of course people 
usually leave assertions turned on in practice, certainly once 
they've been through the loop of puzzling over obscure bug reports 
from the field and muttering "that can't happen, that assertion check 
should have picked that case up", just before their face turns white 
and they realise assertions are compiled out!

Consequently, I decided not to rely on Java's new assertion mechanism 
for precondition checking in XOM. Instead, each method that sets or 
changes some value verifies all preconditions explicitly and throws a 
runtime exception (normally a subclass of XOMException) if it detects 
a problem.

Furthermore, many methods are declared final to prevent subclasses 
from turning off this checking. Subclasses can override the various 
protected check() methods to add assertions of their own, but they 
cannot remove the assertions in the core classes.


-- 

+-----------------------+------------------------+-------------------+
> Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
+-----------------------+------------------------+-------------------+
> XML in a  Nutshell, 2nd Edition (O'Reilly, 2002)          |
> http://www.cafeconleche.org/books/xian2/              |
> http://www.amazon.com/exec/obidos/ISBN%3D0596002920/cafeaulaitA/  |
+----------------------------------+---------------------------------+
> Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
> Read Cafe con Leche for XML News: http://www.cafeconleche.org/    |
+----------------------------------+---------------------------------+


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic