Sure, but reading a core file involves handling user input. Obviously that
has to be sanitized and you can't crash on user input. I don't think
there's ever been any disagreement about that. On the other hand, if you
just type an expression in the debugger and expect an answer back, after
clang says the ast is valid, the whole stack should be asserts all the way
down, because everything is validated
On Sat, Sep 9, 2017 at 6:53 PM Jim Ingham <jing...@apple.com> wrote:
> I think we are talking at cross purposes. Seems to me you are saying “If
> we can assert that the answers to questions I ask must always copacetic,
> then we can express that in software, and that will make things so much
> easier". I’m saying "my experience of the data debuggers have to deal with
> is such that assuming such assertions will lead you to over-react to such
> errors. Instead you should write your code so that if somebody gives you
> bad data you don’t fall over allowing the people who called you to decide
> how important the error was.” Every core file that was written out by OS X
> for years had a section that was ill-formed. Asserting when you get an
> ill-formed object file might seem a good way to ensure that you don’t have
> to make guesses that might lead you astray. But the people who need to
> load core files on OS X are rightly unmoved by such arguments if lldb
> disappears out from under them when reading in core files.
>
> Jim
>
>
>
> On Sep 9, 2017, at 1:31 PM, Zachary Turner <ztur...@google.com> wrote:
>
>
>
> On Sat, Sep 9, 2017 at 12:04 PM Jim Ingham <jing...@apple.com> wrote:
>
>>
>> I disagree here. If you can reasonably unwind from an error you should
>> do so even if you can’t figure out how you could have gotten an answer you
>> didn’t expect. If an API is returning a pointer to something you should
>> assume it might return nullptr unless the API explicitly states otherwise.
>>
> But that's exactly what an assert is. It's an explicit statement by the
> API about what should happen. Which is why by adding them liberally, these
> assumptions can then be propagated all the way up through many layers of
> the code, vastly simplifying the codebase.
>
> if you have
>
> void *foo(int x) {
> // do some stuff
>
> assert(x < 0 || foo != nullptr);
> }
>
> Then you're documenting that if x is greater than 0, the caller doesn't
> need to check the return value for nullptr. Now instead of this:
>
> void *bar(unsigned x) {
> void *ptr = foo(x);
> if (!ptr) {
> // log an error
> return nullptr;
> }
> return ptr;
> }
>
> You just have
>
> void *bar(unsigned x) {
> void *ptr = foo(x);
> assert(x);
> return x;
> }
>
> And now the caller of bar doesn't have to check either. The code has
> greatly reduced complexity due to the butterfly efflect of propagating
> these assumptions up.
>
> This is a simple example but the point is that building assumptions into
> your API is a good thing, because you can enforce them and it vastly
> simplifies the code.
>
>
>
_______________________________________________
lldb-commits mailing list
lldb-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits
