0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsCopyright (C) 1999-2001, 2004, 2016 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsThis Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsLicense, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrewsfile, You can obtain one at http://mozilla.org/MPL/2.0/.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews$Id: DBC,v 1.6 2004/03/05 05:04:49 marka Exp $
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyDesign By Contract
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyBIND 9 uses the "Design by Contract" idea for most function calls.
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyA quick summary of the idea is that a function and its caller make a
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleycontract. If the caller meets certain preconditions, then the
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyfunction promises to either fulfill its contract (i.e. guarantee a set
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyof postconditions), or to clearly fail.
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halley"Clearly fail" means that if the function cannot succeed, then it will
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleynot silently fail and return a value which the caller might interpret
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyIf a caller doesn't meet the preconditions, then "further execution is
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyundefined". The function can crash, compute a garbage result, fail silently,
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyetc. Allowing the function to define preconditions greatly simplifies many
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyAPIs, because the API need not have a way of saying "hey caller, the values
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyyou passed in are garbage".
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyTypically, preconditions are specified in the functions .h file, and encoded
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyin its body with REQUIRE statements. The REQUIRE statements cause the program
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyto dump core if they are not true, and can be used to identify callers that
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleyare not meeting their preconditions.
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob HalleyPostconditions can be encoded with ENSURE statements. Within the body of
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleya function, INSIST is used to assert that a particular expression must be
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleytrue. Assertions must not have side effects that the function relies upon,
767d29c43d98bae8ea95f0ccd2b9653cbcd43310Bob Halleybecause assertion checking can be turned off.