[Exceptional C++ Style] Re: Unit tests and assertions
Kevlin Henney
kevlin at curbralan.com
Mon Jan 10 14:59:26 EST 2005
In message <41E2C14F.2010403 at jaggersoft.com>, Jon Jagger
<jon at jaggersoft.com> writes
>
>So, turning the discussion on its head a little, a natural question is
>when should a contract specify only the behaviour when the
>preconditions are met, and when should it also specify (to some degree)
>the behaviour when the preconditions are not met?
>Failed preconditions are not "functional" but they can be
>"operational". For example, it would be a bad move to not test
>preconditions only to find that failed preconditions somehow opened a
>security hole....
This is one of those questions that has come up before on accu-general.
There is not necessarily a single fixed answer and -- inevitably enough
-- it is somewhat context dependent. One of the factors that need to be
taken into account is what is the worst-case scenario if a failed
precondition is not arrested. Your example of a security hole is such an
example, eg buffer overruns. Denial of service is a particularly common
and simple one to effect when undefined behaviour is actually realised
to the advantage of an attacker. I often talk about boundaries of trust
when considering whether an interface should guarantee a minimum quality
of failure. This notion of trust combined with satisfaction of some
other constraints (performance, acceptable worst-case scenario, etc) is
probably the start of an answer.
Kevlin
--
____________________________________________________________
Kevlin Henney phone: +44 117 942 2990
mailto:kevlin at curbralan.com mobile: +44 7801 073 508
http://www.curbralan.com fax: +44 870 052 2289
Curbralan: Consultancy + Training + Development + Review
____________________________________________________________
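As an added illustration of the trust-boundary point above (example code written for this archive page; it is not part of Kevlin's message or of the list's discussion, and the one-length-byte record format, the Field struct and the function names are assumptions made for the illustration): the same parsing routine is shown twice, once relying on its precondition in the way an internal, trusted caller is allowed to, and once at the boundary where the length byte is attacker-controlled and the contract is widened to guarantee a defined failure instead of a buffer overrun.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>

// Constructed example. Wire format assumed for illustration: one length
// byte followed by that many payload bytes, copied into a fixed field.
struct Field {
    char data[16];
    std::size_t len;
};

enum class ParseStatus { Ok, Truncated, FieldTooLong };

// Inside the trust boundary: callers are trusted to supply buf_len >= 1
// and a length byte that fits both the input and out.data. The contract
// says nothing about what happens otherwise, so a violation is arrested
// by assert as a caller bug, and with NDEBUG defined nothing is checked
// at all. Fed attacker-controlled bytes, the "undefined behaviour" here
// is a plain buffer overrun of out.data.
void parse_record_trusting(const unsigned char* buf, std::size_t buf_len, Field& out)
{
    assert(buf_len >= 1);
    const std::size_t declared = buf[0];
    assert(declared <= buf_len - 1);
    assert(declared <= sizeof out.data);
    std::memcpy(out.data, buf + 1, declared);
    out.len = declared;
}

// At the trust boundary: the contract is widened to guarantee a minimum
// quality of failure. Every attacker-controlled quantity is validated
// before it is used as a size, and a violation is reported as an error
// code rather than left undefined.
ParseStatus parse_record_checked(const unsigned char* buf, std::size_t buf_len, Field& out)
{
    if (buf_len < 1) return ParseStatus::Truncated;
    const std::size_t declared = buf[0];
    if (declared > buf_len - 1) return ParseStatus::Truncated;       // claims bytes not present
    if (declared > sizeof out.data) return ParseStatus::FieldTooLong; // would overrun out.data
    // Precondition now established, so the trusting routine is safe to call.
    parse_record_trusting(buf, buf_len, out);
    return ParseStatus::Ok;
}

// Constructed inputs: a well-formed record, a record whose length byte
// claims more than was received, and a record that fits on the wire but
// not in the 16-byte field.
const unsigned char kGood[]      = { 5, 'h', 'e', 'l', 'l', 'o' };
const unsigned char kTruncated[] = { 200, 'a', 'b', 'c' };
const unsigned char kTooLong[]   = { 20, 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
                                         'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a' };

// Each check returns true when the boundary parser behaves as intended.
bool good_record_parses()
{
    Field f{};
    return parse_record_checked(kGood, sizeof kGood, f) == ParseStatus::Ok
        && f.len == 5 && std::memcmp(f.data, "hello", 5) == 0;
}

bool truncated_record_is_rejected()
{
    Field f{};
    return parse_record_checked(kTruncated, sizeof kTruncated, f) == ParseStatus::Truncated;
}

bool oversized_record_is_rejected()
{
    Field f{};
    return parse_record_checked(kTooLong, sizeof kTooLong, f) == ParseStatus::FieldTooLong;
}
```

The split is the practical form of the "boundary of trust" idea: the assert-only routine is cheap and appropriate where the caller is part of the same component and a violated precondition is a bug to be fixed, while the checked wrapper is the only entry point that untrusted input is ever allowed to reach. Note that compiling with NDEBUG removes the asserts entirely, which is exactly why an assert must never be the only thing standing between external data and a memcpy.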