Comments on: Using defence in depth to produce high quality software

By: The case for Test-Driven Development « The Art of Software Development

The case for Test-Driven Development « The Art of Software Development — Sat, 03 Apr 2010 00:17:37 +0000

[...] doesn’t mean a design review isn’t valuable, just that it’s not enough. We need defense in depth all the way [...]

By: Outsourcing software testing « Successful Software

Outsourcing software testing « Successful Software — Wed, 09 Dec 2009 23:09:31 +0000

[...] it isn’t sufficient to do all your own testing on software you wrote, no matter how hard you try. You will tend to see what you intended to program, not what you actually programmed. Furthermore [...]

By: Anna-Jayne Metcalfe

Anna-Jayne Metcalfe — Sun, 24 Aug 2008 18:01:25 +0000

“I would try to convince myself, through testing using the assert, that the assertion can never be violated. If I think it could be, then I wouldn’t bother with an assert. I would add proper error handling instead.”

That’s always been my understanding too. I use asserts liberally to test whether my initial assumptions about “things which should never go wrong” are correct. That includes checking virtually all method/function call return values using ATLVERIFY() or equivalent (which keeps PC-Lint warning 534 out of my hair ;) ).

Any assumptions which turn out to be invalid (or could be influenced by user or system behaviour) are then looked at in more detail and release build error checking added if necessary.

If a failed assumption would cause a crash (e.g. an unguarded pointer or a divide by zero) I will also usually back up the assert with a following conditional – call me paranoid, if you like, but I’d rather be sure that an unguarded pointer etc. I’ve missed isn’t going to cause a crash at runtime.

FWIW I’m hoping to do a session on PC-Lint at next year’s ACCU Conference. :)

By: S. Tanna

S. Tanna — Thu, 10 Jul 2008 11:39:43 +0000

Yes that’s the argument against putting in the extra code – it should never be needed if you do everything right.

The argument for putting in extra code is – we don’t always do everything right, and a reasonable (but incorrect in some minor way perhaps) result or recovery may be better than a crash or a wild result.

Obviously circumstances vary.

If the circle function is in a screensaver or a game background graphic, drawing a million circles, the consequences of an incorrect radius circle are minor, and a badly drawn circle is better than a crash.

If the circle function is calculating something your life depends on, maybe a recovery to an incorrect result is worse than a crash.

And so on…

By: Andy Brice

Andy Brice — Thu, 10 Jul 2008 11:32:35 +0000

I would try to convince myself, through testing using the assert, that the assertion can never be violated. If I think it could be, then I wouldn’t bother with an assert. I would add proper error handling instead.

I watched a very moving documentary a while back about the battle of Prokhorovka (part of Kursk). I think it was a BBC ‘Timewatch’ documentary. Well worth watching. Especially when the bits where they interviewed the veterans.

By: S. Tanna

S. Tanna — Thu, 10 Jul 2008 10:59:43 +0000

One of the interesting questions, is whether you should put in code in the release-version to handle the kind of thing that fails an assert.

e.g.

void Circle::setRadius( double radius )
{
assert( radius > 0.0 );

// if radius <= 0.0 then program must be badly fubar’ed
// should I try to recover, or just continue in release?
if ( radius <= 0.0 )
{
m_radius = 1.0 ; // reasonable value that won’t crash the program
Log( “Bad Radius…”, etc… ) ;
return ;
}

m_radius = radius;
}

BTW, I have a site about the Battle of Kursk. Only has a couple of real pages on it, because I never got round to adding more, but if interested it’s

http://www.operationcitadel.com/

By: Andy Brice

Andy Brice — Wed, 09 Jul 2008 13:40:22 +0000

I definitely wouldn’t recommend asserts instead of proper error/exception handling. But I find them very useful for finding problems during testing.

By: Tony Edgecombe

Tony Edgecombe — Wed, 09 Jul 2008 13:18:55 +0000

I stopped using asserts, I’d rather throw an exception then if that unexpected condition does occur in the field I stand a good chance of finding out about it.