DBC revision 816e576f77e2c46df3e3d97d65822aa8aded7c4b
4df55fde49134f9735f84011f23a767c75e393c7Janie LuCopyright (C) 1999, 2000 Internet Software Consortium.
4df55fde49134f9735f84011f23a767c75e393c7Janie LuSee COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
4df55fde49134f9735f84011f23a767c75e393c7Janie Lu$Id: DBC,v 1.4 2000/08/09 04:37:31 tale Exp $
4df55fde49134f9735f84011f23a767c75e393c7Janie LuDesign By Contract
4df55fde49134f9735f84011f23a767c75e393c7Janie LuBIND 9 uses the "Design by Contract" idea for most function calls.
4df55fde49134f9735f84011f23a767c75e393c7Janie LuA quick summary of the idea is that a function and its caller make a
4df55fde49134f9735f84011f23a767c75e393c7Janie Lucontract. If the caller meets certain preconditions, then the
4df55fde49134f9735f84011f23a767c75e393c7Janie Lufunction promises to either fulfill its contract (i.e. guarantee a set
4df55fde49134f9735f84011f23a767c75e393c7Janie Luof postconditions), or to clearly fail.
4df55fde49134f9735f84011f23a767c75e393c7Janie Lu"Clearly fail" means that if the function cannot succeed, then it will
4df55fde49134f9735f84011f23a767c75e393c7Janie Lunot silently fail and return a value which the caller might interpret
4df55fde49134f9735f84011f23a767c75e393c7Janie LuIf a caller doesn't meet the preconditions, then "further execution is
4df55fde49134f9735f84011f23a767c75e393c7Janie Luundefined". The function can crash, compute a garbage result, fail silently,
4df55fde49134f9735f84011f23a767c75e393c7Janie Luetc. Allowing the function to define preconditions greatly simplifies many
4df55fde49134f9735f84011f23a767c75e393c7Janie LuAPIs, because the API need not have a way of saying "hey caller, the values
c4c6ba57afa115b6a7e20afa6a2da6c99f521616Vivek Gavaskaryou passed in are garbage".
c4c6ba57afa115b6a7e20afa6a2da6c99f521616Vivek GavaskarTypically, preconditions are specified in the functions .h file, and encoded
4df55fde49134f9735f84011f23a767c75e393c7Janie Luin its body with REQUIRE statements. The REQUIRE statements cause the program
4df55fde49134f9735f84011f23a767c75e393c7Janie Luto dump core if they are not true, and can be used to identify callers that
4df55fde49134f9735f84011f23a767c75e393c7Janie Luare not meeting their preconditions.
4df55fde49134f9735f84011f23a767c75e393c7Janie LuPostconditions can be encoded with ENSURE statements. Within the body of
4df55fde49134f9735f84011f23a767c75e393c7Janie Lua function, INSIST is used to assert that a particular expression must be
4df55fde49134f9735f84011f23a767c75e393c7Janie Lutrue. Assertions must not have side effects that the function relies upon,
4df55fde49134f9735f84011f23a767c75e393c7Janie Lubecause assertion checking can be turned off.