
Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

### Simple Black Code that is not robust: quiz and structural solution

We had this discussion here a few years ago. This code is not the most advanced (esp. for n(), N()) but that's not the point really. The point is that for certain input you can get nasty results.

1. What are the issues?
2. How to define a correct and robust contract between client (e.g. in main()) and supplier?

Hint: no rules/contract have been defined anywhere.... what can we expect ...
Last edited by Cuchulainn on March 24th, 2015, 11:00 pm, edited 1 time in total.

Posts: 23951
Joined: September 20th, 2002, 8:30 pm


N() assumes the negation of x is a positive number which is untrue for NaN-like values -- N() can go into an infinite loop (recursion is dangerous!).

Perhaps the simplest solution is a more restrictive datatype on y that explicitly constrains y to non-negative values.

Perhaps the better solution is a development environment that back-traces all functions that are not valid on ALL possible values of each input datatype and ensures that either the client or the supplier does the requisite range checking.

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> Originally posted by: Traden4Alpha
>
> N() assumes the negation of x is a positive number which is untrue for NaN-like values -- N() can go into an infinite loop (recursion is dangerous!).
>
> Perhaps the simplest solution is a more restrictive datatype on y that explicitly constrains y to non-negative values.
>
> Perhaps the better solution is a development environment that back-traces all functions that are not valid on ALL possible values of each input datatype and ensures that either the client or the supplier does the requisite range checking.

Indeed! That's what happened and it was a silent NaN (an incorrect answer, no run-time crash...)

Quiz: solve in C++, really

Again, what is the contract?

> ensures that either the client or the supplier does the requisite range checking

Indeed. How? 2 scenarios. The infinite recursion is not caused by N() but by its input up the chain?
Last edited by Cuchulainn on March 24th, 2015, 11:00 pm, edited 1 time in total.

Posts: 23951
Joined: September 20th, 2002, 8:30 pm


Regrettably, I'm not a C++ expert. But I do remember working on a system in which we created two versions of frequently-called functions, one that did input-checking inside the function and the other that assumed/required the caller to ensure the inputs were valid.

The bigger issue is in defining the boundaries around the system and the interface between the unreliable value-unsafe part of the world (those idiot clients that call stuff with bad inputs) and the value-safe internals in which the inputs have been pre-validated. Of course, if one moves input checking outside of the function, then it becomes a nasty maintenance issue in which changes in a function that change the valid range of inputs necessitate changes to all the calling code to propagate the change in input range to the pre-call checking/validation code.
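
Added example, not part of any post in this thread and not the code the thread discusses: a C++ sketch of the NaN recursion described in the earlier reply and of the checked/unchecked pair described in the post above. `N_fragile`, its depth guard, the Black-76 style formula and all function names are assumptions made for illustration.

```cpp
#include <cmath>
#include <limits>
#include <stdexcept>

// Constructed stand-in for the fragile pattern (not the thread's code):
// anything that is not > 0 recurses on -x. NaN fails every comparison, so
// it recurses forever; `depth` exists only to make that observable safely.
double N_fragile(double x, int& depth, int max_depth = 1000) {
    if (++depth > max_depth) return std::numeric_limits<double>::quiet_NaN();
    if (x > 0.0) return 0.5 * std::erfc(-x / std::sqrt(2.0));
    if (x == 0.0) return 0.5;
    return 1.0 - N_fragile(-x, depth, max_depth);
}
int recursion_depth(double x) { int d = 0; N_fragile(x, d); return d; }

// Total, non-recursive N(): erfc accepts every double; NaN in, NaN out.
inline double N(double x) { return 0.5 * std::erfc(-x / std::sqrt(2.0)); }

// Unchecked core: assumes F, K, sigma, T are finite and > 0.
double black_call_unchecked(double F, double K, double sigma, double T) {
    const double s = sigma * std::sqrt(T);
    const double d1 = std::log(F / K) / s + 0.5 * s;
    return F * N(d1) - K * N(d1 - s);
}

// Checked boundary: the supplier enforces its own precondition in one place.
double black_call_checked(double F, double K, double sigma, double T) {
    const double in[] = {F, K, sigma, T};
    for (double v : in)
        if (!(std::isfinite(v) && v > 0.0))  // phrased so that NaN is rejected
            throw std::domain_error("black_call: inputs must be finite and > 0");
    return black_call_unchecked(F, K, sigma, T);
}

// True when the checked version refuses the inputs.
bool rejected(double F, double K, double sigma, double T) {
    try { black_call_checked(F, K, sigma, T); return false; }
    catch (const std::domain_error&) { return true; }
}

int main() {
    const double nan = std::numeric_limits<double>::quiet_NaN();
    return (recursion_depth(nan) > 1000 && rejected(100, 100, nan, 1.0)) ? 0 : 1;
}
```

The unchecked core returns NaN without any error for a negative forward, which is the silent failure mentioned earlier in the thread; only the checked entry point turns it into a visible contract violation.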

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> Originally posted by: Traden4Alpha
>
> Regrettably, I'm not a C++ expert. But I do remember working on a system in which we created two versions of frequently-called functions, one that did input-checking inside the function and the other that assumed/required the caller to ensure the inputs were valid.
>
> The bigger issue is in defining the boundaries around the system and the interface between the unreliable value-unsafe part of the world (those idiot clients that call stuff with bad inputs) and the value-safe internals in which the inputs have been pre-validated. Of course, if one moves input checking outside of the function, then it becomes a nasty maintenance issue in which changes in a function that change the valid range of inputs necessitate changes to all the calling code to propagate the change in input range to the pre-call checking/validation code.

No problem. I'll take these specs and get back.

Posts: 23951
Joined: September 20th, 2002, 8:30 pm


> Originally posted by: Cuchulainn
>
> > Originally posted by: Traden4Alpha
> >
> > Regrettably, I'm not a C++ expert. But I do remember working on a system in which we created two versions of frequently-called functions, one that did input-checking inside the function and the other that assumed/required the caller to ensure the inputs were valid.
> >
> > The bigger issue is in defining the boundaries around the system and the interface between the unreliable value-unsafe part of the world (those idiot clients that call stuff with bad inputs) and the value-safe internals in which the inputs have been pre-validated. Of course, if one moves input checking outside of the function, then it becomes a nasty maintenance issue in which changes in a function that change the valid range of inputs necessitate changes to all the calling code to propagate the change in input range to the pre-call checking/validation code.
>
> No problem. I'll take these specs and get back.

P.S. You'll need to check the validity of these inputs!

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> P.S. You'll need to check the validity of these inputs! ;-)

Who is 'you'? Supplier or client.

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> This is a type of C++ policy version that Polter mentioned, .. the user can pick which version he wants -there is no truth-... you can forward the validator reference to sub-calls.

That is a way. But you have modified the signature of my function. So a solution to a slightly different problem.. The specifications have been changed.

Specifically, BS returns a double and your code returns essentially two values. Don't CS call that side-effects? What happens if the user 1) no validation policy checks and 2) calls BS(y) with y < 0? Crash, _yes_? (1)

I think you are saying "Customers is always right" and that is not always (never!) so.

But I think the validators are the preconditions that should be defined by the supplier. Supplier cannot take risks.

Conclusion: code is not clear on the contract, it has errors leading to defects and faults based on assumption/case (1) above. If your code example is representative you are saying that clients may choose policies? _yes_?

Maybe I misunderstand the intent of the example.
Last edited by Cuchulainn on March 24th, 2015, 11:00 pm, edited 1 time in total.

Polter
Posts: 2526
Joined: April 29th, 2008, 4:55 pm


> BS returns a double

One could arguably interpret the above as the shall-never-fail guarantee in the implicit contract.

One could weaken this stated guarantee by changing the signature to return an optional<double>:

"Class template optional is a wrapper for representing 'optional' (or 'nullable') objects who may not (yet) contain a valid value. Optional objects offer full value semantics; they are good for passing by value and usage inside STL containers. This is a header-only library." // http://boost.org/libs/optional

In this way, we're explicitly documenting the fact that the returned value may not be valid.

// Separate TS: http://en.cppreference.com/w/cpp/experi ... tional

This is akin to Haskell's Maybe; for instance, consider the safeLog example in the following: http://en.wikibooks.org/wiki/Haskell/Un ... nads/Maybe

Edit: see also the "Maybe and safety" section of the above.
Last edited by Polter on March 24th, 2015, 11:00 pm, edited 1 time in total.
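
Added example, not part of Polter's post or of the linked libraries' documentation: the optional-returning style applied to the d1 term of a Black-type formula, in the spirit of the safeLog example mentioned above. It uses C++17 `std::optional` in place of `boost::optional`; the function names and the choice of d1 are assumptions made for illustration.

```cpp
#include <cmath>
#include <optional>

// Partial functions made total by widening the return type (cf. safeLog):
// out-of-domain and non-finite inputs give an empty optional, never a NaN.
std::optional<double> safe_log(double x) {
    if (std::isfinite(x) && x > 0.0) return std::log(x);
    return std::nullopt;
}
std::optional<double> safe_sqrt(double x) {
    if (std::isfinite(x) && x >= 0.0) return std::sqrt(x);
    return std::nullopt;
}

// d1 = (ln F - ln K) / (sigma*sqrt(T)) + sigma*sqrt(T)/2.
// Any failing step empties the result, and the caller cannot read a number
// without first checking that one exists.
std::optional<double> black_d1(double F, double K, double sigma, double T) {
    const auto lf = safe_log(F), lk = safe_log(K);  // F, K must be finite and > 0
    const auto rt = safe_sqrt(T);
    if (!lf || !lk || !rt) return std::nullopt;
    const double s = sigma * *rt;
    if (!(std::isfinite(s) && s > 0.0)) return std::nullopt;  // NaN, zero or negative vol
    return (*lf - *lk) / s + 0.5 * s;
}

int main() {
    const auto ok  = black_d1(100.0, 100.0, 0.2, 1.0);   // has a value
    const auto bad = black_d1(-100.0, 100.0, 0.2, 1.0);  // empty: negative forward
    return (ok.has_value() && !bad.has_value()) ? 0 : 1;
}
```

The empty result says that something failed but not what; that missing reason is the gap the `expected` proposal discussed in the thread is meant to fill.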

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

Of course, Polter but we are talking about another related problem, not the original one.

Polter
Posts: 2526
Joined: April 29th, 2008, 4:55 pm


Looking at "When to use Optional", class template expected seems like another interesting solution (more specific: returns the reason of failure).

Examples from the proposal:
Last edited by Polter on March 24th, 2015, 11:00 pm, edited 1 time in total.

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> Originally posted by: Polter
>
> Looking at "When to use Optional", class template expected seems like another interesting solution (more specific: returns the reason of failure).
>
> Examples from the proposal:

It is interesting indeed!

What about std::tuple<double, errno> as return type (and no side effects)?

Posts: 23951
Joined: September 20th, 2002, 8:30 pm


> Originally posted by: Cuchulainn
>
> > This is a type of C++ policy version that Polter mentioned, .. the user can pick which version he wants -there is no truth-... you can forward the validator reference to sub-calls.
>
> That is a way. But you have modified the signature of my function. So a solution to a slightly different problem.. The specifications have been changed.
>
> Specifically, BS returns a double and your code returns essentially two values. Don't CS call that side-effects? What happens if the user 1) no validation policy checks and 2) calls BS(y) with y < 0? Crash, _yes_? (1)
>
> I think you are saying "Customers is always right" and that is not always (never!) so.
>
> But I think the validators are the preconditions that should be defined by the supplier. Supplier cannot take risks.
>
> Conclusion: code is not clear on the contract, it has errors leading to defects and faults based on assumption/case (1) above. If your code example is representative you are saying that clients may choose policies? _yes_?
>
> Maybe I misunderstand the intent of the example.

Perhaps the signature of your code SHOULD be changed. One general policy would be that any code that accepts a double MUST gracefully accept all possible values of double. If the code presumes pre-validated inputs (i.e., a subset of doubles), then the signature would reflect that.

The other issue is whether "safety" should be handled at run-time or compile-time. Perhaps some versions of the code should be idiot-proof with all the requisite validation built in albeit with some runtime performance penalty. But other bare-bones versions of the code are for "professionals only" and assume that the caller has prevalidated any inputs either by prechecking the input or by proving that the calling code can never generate an out-of-range value.

Does one give a Husqvarna to a child?

Cuchulainn
Topic Author
Posts: 62410
Joined: July 16th, 2004, 7:38 am
Location: Amsterdam

> Does one give a Husqvarna to a child?

Trust no one.

What happens if the user 1) no validation policy checks and 2) calls BS(y) with y < 0? Crash, _yes_? (1)

> Perhaps the signature of your code SHOULD be changed.

No. You're kidding. Think of the consequences of your statement. You are changing the problem to fit your solution.
Last edited by Cuchulainn on March 24th, 2015, 11:00 pm, edited 1 time in total.