27

Could Designing by Contract (DbC) be a way to program defensively?

Is one way of programming better in some cases than the other?

Gabriel Fair
  • 373
  • 1
  • 3
  • 8

2 Answers2

33

Design by Contract and defensive programming are in some sense opposites of each other: in DbC, you define contracts between collaborators and you program under the assumption that the collaborators honor their contracts. In defensive programming, you program under the assumption that your collaborators violate their contracts.

A real square root routine written in DbC style would state in its contract that you aren't allowed to pass in a negative number and then simply assume that it can never encounter a negative number. A real square root routine written defensively would assume that it is passed a negative number and take appropriate precautions.

Note: it is of course possible that in DbC someone else will check the contract. In Eiffel, for example, the contract system would check for a negative number at runtime and throw an appropriate exception. In Spec#, the theorem prover would check for negative numbers at compile time and fail the build, if it can't prove that the routine will never get passed a negative number. The difference is that the programmer doesn't make this check.

Martin Geisler
  • 893
  • 5
  • 16
Jörg W Mittag
  • 101,921
  • 24
  • 218
  • 318
8

Could Designing by Contract (DbC) be a way to program defensively?

Yes.

"Defensive Programming" is often an excuse to waste time. It often wastes time checking for things that will cause ordinary exceptions. Instead of the exceptions, extra IF statements are written instead of exception-handling clauses.

Define the contract and be done with it.

When someone violates the contract, the program will -- in the normal course of events -- break and raise normal exceptions which can be normally handled.

"Defensive programming" and "Error prevention" can be shown to add errors (because the error prevention checks are themselves erroneous) rather than prevent errors.

Exception handling can silence, log and handle an exception far better than "Defensive Programming".

S.Lott
  • 45,264
  • 6
  • 90
  • 154
  • 7
    Defensive programming is moe than just if statements. It includes code reviews, static analysis, security audits, secure coding guidelines, and more. In addition, the use of exceptions and exception handling (as opposed to simply letting the program crash and burn) is considered a defensive programming technique. – Thomas Owens Dec 15 '11 at 16:05
  • 2
    @ThomasOwens: That sounds like "Good Software Development". I've only ever seen defensive programming used as an excuse to write lots of IF statements (or assertions) that fail before exceptions are normally raised. I wouldn't call your long list of really good ideas "Defensive Programming". I'd call your list of good ideas "Programming". That way we can separate time-wasting from all the smart things you list. – S.Lott Dec 15 '11 at 16:08
  • 2
    I prefer to call those "good ideas when writing code" myself, but when I was taught about defensive programming, I was taught that it referred to any and all techniques with the express purpose of ensuring the safety, security, and reliability of a system. Maybe that's an overly broad definition, or perhaps it's a wrong definition, but it is what I was taught. I have seen people call if statements and assertions "defensive programming", but based on the definition I was taught, I wouldn't call it such (except in cases where you don't necessarily have better options, like exceptions). – Thomas Owens Dec 15 '11 at 16:11
  • @ThomasOwens: "Maybe that's an overly broad definition". Agree. It seems like a great checklist of good ideas. – S.Lott Dec 15 '11 at 16:12
  • 3
    -1: I don't see how DbC is a way to program defensively, they're basically opposites. I doubt it's common to do defensive programming just to waste time. And 'can be shown to add errors' needs a citation because it's not at all obvious. – Mark Nov 24 '17 at 15:10
  • - "When someone violates the contract, the program will -- in the normal course of events -- break and raise normal exceptions which can be normally handled." This means it is not defensive... And of course, it is a waste of time if you write your Hello World program in Java. But it is not a waste of time if you're writing code in the anti-lock braking system of a new car model. – Denis.Sabolotni Nov 24 '19 at 20:53
  • Per [separation of concerns](https://en.wikipedia.org/wiki/Separation_of_concerns#Origin) we might look at a program from different angles. In that vein, it pays to distinguish "defensive programming" from just "programming". – ArtemGr Sep 13 '22 at 07:45