Re: Modular Protection vs Assertions ...

> - Shall I leave my potential client modules on their own? they will
> have to figure out what my precondition violations are. This is the
> case when using assertions.

They have to learn your library, yes. If you pass invalid input to
some internal classes then it is a failure of your program (the
calling client class) you have to assure that this will not happen.

If your library is buggy then an exception is not a real surprise for
your client.

> - Shall I provide a strict defensive layer i.e. filter modules as
> Bertrand calls it so that whenever my library gets in control I know
> for sure that the input is valid?

In reality, yes you have to add defensive layer. I often write my code
like this

function foo(x: INTEGER) is
require
   x > 0
do
   if x > 0 then
      ... do something
   end
end

Of couse you can't do this always, you need to design your code in
this way. The reason is simple and very pragmatic. You can't find all
the problems during development and testing. Crashing your app will
hurt your sales, catching defensive (and praying to the black Lord
that it will not be too serious) is okay.

This is for MY PROBLEM DOMAIN, which has nothing to do with air
traffic or nuclear power plants.

In fact for my software i do a A:B test (not 50%:50% but more 10%:90%
where 10% of customers get precondition checking versions and 90% are
getting much faster definensive ones). Remember all Eiffel compilers
have a slowdown of 5-8x times when precondition are checked. The only
hope you have is that you can drop the defensive layer some day.

And there is another very pragmatic problem. In an ACE file you define
on a class level what should be checked which is of course really
stupid. Eiffel should define levels of security on subsystems not on
classes. For example i only have the option to check the precondition
of STRING.item or not. But what i want is that if i think i have a
correct subsystem i want that eiffel does not check the preconditions
of STRING.item in my subsystem but everywhere else. AFAIK no compiler
offers this at the moment.

As you can see with ISE/Eiffel Studio frequent crashs and problems as
an example (since version 3.6) there is a gap between what Mr. Meyer
was teaching us and reality.