Your API Fails, Who is at Fault?

I decided to stay on the Design by Contract side for just a little bit.  Recently, Raymond Chen posted "If you pass invalid parameters, then all bets are off" in which he goes into parameter validation and basic defensive programming.  Many of the conversations had on the blog take me back to my C++ and early Java days of checking for null pointers, buffer lengths, etc.  This brings me back to some recent conversations I've had about how to make it explicit about what I expect.  Typical defensive behavior looks something like this:



public static void Foreach<T>(this IEnumerable<T> items, Action<T> action)

{

    if (action == null)

        throw new ArgumentNullException("action");



    foreach (var item in items)

        action(item);

}



After all, how many times have you not had any idea what the preconditions are for a given method due to lack of documentation or non-intuitive method naming?  it gets worse when they don't provide much documentation, XML comments or otherwise.  At that point, it's time to break out .NET Reflector and dig deep.  Believe me, I've done it quite a bit lately.



The Erlang Way



The Erlang crowd takes an interesting approach to the issue that I've really been intrigued by.  Joe Armstrong calls this approach "Let it crash" in which you only code to the sunny day scenario, and if the call to it does not conform to the spec, just let it crash.  You can read more about that on the Erlang mailing list here.



Some paragraphs stuck out in my mind.



Check inputs where they are "untrusted" 

    - at a human interface

    - a foreign language program




What this basically states is the only time you should do such checks is at the bounds when you have possible untrusted input, such as bounds overflows, unexpected nulls and such.  He goes on to say about letting it crash:



specifications always  say what to  do if everything works  - but never what  to do if the  input conditions are not met - the usual answer is something sensible - but what you're the programmer - In C etc. you  have to write *something* if you detect an error -  in Erlang it's  easy - don't  even bother to write  code that checks for errors - "just let it crash".




So, what Joe advocates is not checking at all, and if they don't conform to the spec, just let it crash, no need for null checks, etc.  But, how would you recover from such a thing?  Joe goes on to say:


Pete's Blog	Pete's Resume	Robbe's Blog	Robbe's Resume	ASP.NET Resources	Archive #2	Archive #3
All Categories	.NET	BizTalk	Exchange Server	IIS	IE	ISA Server	Misc
Networking	SharePoint	SQL Server	Sys Mgmt Server	Win32	Mobile Dev	MSN	WinFX
Windows 2003	Windows Media	Windows NT	Windows Vista	Windows XP	XmlPitStop	Recent	DotNetSlackers

Search Results

EggHeadCafe