On 11/18/2013 2:45 PM, Andrei Alexandrescu wrote:
There are two possible takes on this:
1. The standard library is considered part of the user's program, and the whole
thing is a unit. In that case, passing the wrong int to std.gun is a PROGRAM
error and 100% blame goes to the programmer who wrote the caller code. In that
case, assert/assert(0)/contracts are the appropriate constructs to be used
inside std.gun.
This is the approach taken by the C standard library, which is free to do
whatever it wants (including crashing the program) upon calls such as
strlen(NULL) etc.
2. The standard library is a separate entity from the PROGRAM, and as far as it
cares, any data from the user is INPUT. So the standard library will SCRUB the
input, in which case enforce() and throwing exceptions are appropriate.
This is the approach taken by the Windows API, Java, C#, and to a good extent
the newer parts of C++'s standard library.
To claim that one approach is exactly right and the other is exactly wrong would
miss important insights.
Or:
3. Input validation and data processing should have separate functions in the
library.
(The Windows API is a special case - it must regard all input as untrusted,
unvalidated input, and it must protect Windows itself from malicious input. This
is not true of Phobos.)
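
The three takes side by side, as an added example that is not part of the original message or of Phobos. The functions `isValidCaliber`, `gun` and `gunChecked` and the 1..50 range are hypothetical stand-ins for the thread's `std.gun`.

```d
import std.conv : to, ConvException;
import std.exception : enforce;
import std.stdio : writeln;

// Take 3: validation is its own function, callable on untrusted input.
// The 1..50 range is a made-up rule for this example.
bool isValidCaliber(int caliber) @safe pure nothrow
{
    return caliber >= 1 && caliber <= 50;
}

// Take 1: processing only. A bad argument is a bug in the caller, so it is
// checked by a contract, which the compiler removes in -release builds.
int gun(int caliber) @safe pure nothrow
in (isValidCaliber(caliber), "caller passed an unvalidated caliber")
{
    return caliber * 2;
}

// Take 2: the library treats the argument as input and scrubs it itself.
// enforce() throws an Exception and stays active in -release builds.
int gunChecked(int caliber)
{
    enforce(isValidCaliber(caliber), "caliber out of range");
    return gun(caliber);
}

void main()
{
    // Constructed sample strings standing in for untrusted input.
    foreach (raw; ["9", "0", "abc", "45"])
    {
        int caliber;
        try
        {
            caliber = raw.to!int;
        }
        catch (ConvException)
        {
            writeln(raw, ": rejected (not a number)");
            continue;
        }
        if (isValidCaliber(caliber))
            writeln(raw, ": ", gun(caliber)); // validated, contract holds
        else
            writeln(raw, ": rejected (out of range)");
    }
}
```

Because the contract on `gun` disappears under `-release`, data that crosses a trust boundary has to pass through `isValidCaliber` or `gunChecked` first; the contract only catches callers that forgot to do so during testing.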