[plt-scheme] contracts.ss: Can you disable them at runtime?

From: Anton van Straaten (anton at appsolutions.com)
Date: Thu May 17 15:07:41 EDT 2007

Matthias Felleisen wrote:
> Long:  Tony Hoare once said that assertions are like life vests. Why
> use them on land during practice and leave them back when you go to sea?

All due respect to Hoare, but this analogy is terrible, because it 
relies on a comparison which doesn't hold to exclude the exact situation 
in which disabling assertions could make sense.  So it appears to make 
its case, but it does so by misdirection.

Some level of bugs in live systems is acceptable (in real life, some 
level of drownings is also acceptable, otherwise we'd never go swimming 
or boating).  If life vests could assure us that we had reduced our risk 
of drowning to below the acceptable level, even when swimming without a 
life vest, then leaving the life vests behind could indeed make sense, 
especially since we can swim faster without them.

To beat the dead seahorse using (from now on) metaphor-free language: 
having established a degree of confidence that a program works as 
expected, it seems quite likely that the performance benefits of 
disabling assertions/contracts, at least in some cases, could outweigh 
the risks of runtime errors, or the costs of runtime errors that are 
missing contract information.

These risks and costs are going to vary by project, so the designers of 
a contract system should be careful about second-guessing their users 
about this.  As the experience with static type systems shows, people 
will just avoid something entirely if it doesn't give them what they're 
looking for.  Particularly in this sort of situation, it is better to 
give users the freedom to do what they think they want, but educate them 
on how to use it responsibly.

Anton



Posted on the users mailing list.