浙江龙网

  1. 首页 > 生活百科 > >

《Design by Contract for Embedded Software》 翻译( 四 )

生活百科

onAssert__(), rather than the standard preprocessor macro __FILE__. This avoids proliferation of the multiple copies of the __FILE__ string but requires invoking macro DEFINE_THIS_FILE (line 25), preferably at the top of every C/C++ file.2
Defining the macro NASSERT (Listing 1, line 7) disables checking the assertions. When disabled, the assertion macros don’t generate any code (lines 10 and 35-37); in particular, they don’t test the expressions passed as arguments, so you should be careful to avoid any side effects (required for normal program operation) inside the expressions tested in assertions. The notable exception is the ALLEGE() macro (lines 11 and 31), which always tests the expression, although when assertions are disabled, it does not invoke the onAssert__() callback. ALLEGE() is useful in situations where avoiding side effects of the test would require introducing temporaries, which involves pushing additional registers onto the stack—something you often want to minimize in embedded systems.

以上比较简单 , 不翻译了
The DbC PhilosophyDbC的哲学/理念
The most important point to understand about software contracts (assertions in C/C++) is that they neither handle nor prevent errors, in the same way as contracts between people do not prevent fraud. For example, asserting successful memory allocation: ALLEGE((foo = new Foo) != NULL), might give you a warm and fuzzy feeling that you have handled or prevented a bug, when in fact, you haven’t. You did establish a contract, however, in which you spelled out that the inability to dynamically allocate object Foo at this spot in the code is an error. From that point on, the contract will be checked automatically and sure enough, the program will brutally abort if the contract fails. At first, you might think that this must be backwards. Contracts not only do nothing to handle (let alone fix) bugs, but they actually make things worse by turning every asserted condition, however benign, into a fatal error! However, recall from the previous discussion that the first priority when dealing with bugs is to detect them, not to handle them. To this end, a bug that causes a loud crash (and identifies exactly which contract was violated) is much easier to find than a subtle one that manifests itself intermittently millions of machine instructions downstream from the spot where you could have easily detected it.
关于软件契约(C/C++中的断言) , 最重要的一点是,它们既不能处理也不能防止错误,就像人与人之间的契约不能防止欺诈一样 。例如 , 断言成功的内存分配 。ALLEGE ((foo = new Foo) != NULL),可能会给你一种温暖和模糊的感觉,你已经处理或防止了一个错误,而事实上 , 你没有 。然而,你确实建立了一个契约 , 在这个契约中,你阐明了在代码中的这个位置无法动态分配对象 Foo 是一个错误 。从那时起 , 契约将被自动检查,当然,如果契约失败 , 程序将被粗暴地中止 。起初,你可能认为这一定是倒退 。契约不仅对处理(更不用说修复)错误毫无帮助,而且它们实际上使事情变得更糟 , 因为它们把每一个断言条件,无论多么良性,都变成了一个致命的错误然而,回顾前面的讨论,在处理 bug 时,首要任务是检测它们,而不是处理它们 。为此,一个导致大声崩溃的 bug(并准确地识别出哪个契约被违反)要比一个微妙的 bug 更容易被发现,这个 bug 断断续续地表现在离你可以轻易发现它的地方几百万条机器指令的下游 。
Assertions in software are in many respects like fuses in electrical circuits. Electrical engineers insert fuses in various places of their circuits to instill a controlled damage (burning a fuse) in case the circuit fails or is mishandled. Any nontrivial circuit, such as the electrical system of a car, has a multitude of differently rated fuses (a 20A fuse is appropriate for the headlights, but it’s way too big for the turn signals) to better help localize problems and to more effectively prevent expensive damage. On the other hand, a fuse can neither prevent nor fix a problem, so replacing a burned fuse doesn’t help until the root cause of the problem is removed. Just like with assertions, the main power of fuses derives from their simplicity.
软件中的断言在很多方面都像电路中的保险丝 。电子工程师在电路的各个地方安装保险丝,以便在电路发生故障或处理不当的情况下灌输一种可控的损害(熔断保险丝) 。任何非微不足道的电路,如汽车的电气系统,都有许多不同额定值的保险丝(20A 的保险丝适用于大灯 , 但对于转向灯来说就太大了),以更好地帮助定位问题,更有效地防止昂贵的损害 。另一方面,保险丝既不能防止也不能解决问题 , 所以在问题的根源被消除之前,更换熔断的保险丝并没有帮助 。就像断言一样,保险丝的主要力量来自于其简单性 。

推荐阅读


上一篇:Azure Devops Create ProjectTF400711问题分析解决

下一篇:.Net SemaphoreSlim