Page 373 -
P. 373
356 Chapter 13 Dependability engineering
Dependable programming guidelines
1. Limit the visibility of information in a program
2. Check all inputs for validity
3. Provide a handler for all exceptions
4. Minimize the use of error-prone constructs
5. Provide restart capabilities
6. Check array bounds
7. Include timeouts when calling external components
8. Name all constants that represent real-world values
When programming, you should adopt an analogous principle to control access to
Figure 13.8 Good
practice guidelines the variables and data structures that you use. Program components should only be
for dependable allowed access to data that they need for their implementation. Other program data
programming
should be inaccessible, and hidden from them. If you hide information, it cannot be
corrupted by program components that are not supposed to use it. If the interface
remains the same, the data representation may be changed without affecting other
components in the system.
You can achieve this by implementing data structures in your program as abstract
data types. An abstract data type is a data type in which the internal structure and
representation of a variable of that type is hidden. The structure and attributes of the
type are not externally visible and all access to the data is through operations. For
example, you might have an abstract data type that represents a queue of requests for
service. Operations should include get and put, which add and remove items from
the queue, and an operation that returns the number of items in the queue. You might
initially implement the queue as an array but subsequently decide to change the
implementation to a linked list. This can be achieved without any changes to code
using the queue, because the queue representation is never directly accessed.
You can also use abstract data types to implement checks that an assigned value is
within range. For example, say you wish to represent the temperature of a chemical
process, where allowed temperatures are within the range 20–200 degrees Celsius.
By including a check on the value being assigned within the abstract data type opera-
tion, you can ensure that the value of the temperature is never outside the required range.
In some object-oriented languages, you can implement abstract data types using
interface definitions, where you declare the interface to an object without reference
to its implementation. For example, you can define an interface Queue, which sup-
ports methods to place objects onto the queue, remove them from the queue, and
query the size of the queue. In the object class that implements this interface, the
attributes and methods should be private to that class.
Guideline 2: Check all inputs for validity
All programs take inputs from their environment and process them. The specifica-
tion makes assumptions about these inputs that reflect their real-world use. For
example, it may be assumed that a bank account number is always an eight digit
