418 WHEN THE CONTRACT IS BROKEN: EXCEPTION HANDLING §12.2

external event — transient hardware malfunction, temporarily busy device or communication line — which we do not control although we expect it will go away.

With the other response, failure, we accept that we not only have lost the battle (the current attempt at executing the routine body) but cannot win the war (the attempt to terminate the call so as to satisfy the contract). So we give up, but we must first ensure two conditions, explaining the use of “organized panic” as a more vivid synonym for “failure”:

• Making sure (unlike what happened in the sqrt counter-example) that the caller gets an exception. This is the panic aspect: the routine has failed to live up to its contract.
• Restoring a consistent execution state — the organized aspect.

What is a “consistent” state? From our study of class correctness in the previous chapter we know the answer: a state that satisfies the invariant. We saw that in the course of its work a routine execution may temporarily violate the invariant, with the intention of restoring it before termination. But if an exception occurs in an intermediate state the invariant may be violated. The routine must restore it before returning control to its caller.

The call chain

To discuss the exception handling mechanism it will be useful to have a clear picture of the sequence of calls that may lead to an exception. This is the notion of call chain, already present in the explanation of the Ada mechanism.

[Figure: The call chain. Routines r0, r1, r2, r3, r4 linked by routine calls.]

Let r0 be the root creation procedure of a certain system (in Ada r0 would be the main program). At any time during the execution, there is a current routine, the routine whose execution was started last; it was started by the execution of a certain routine; that routine was itself called by a routine; and so on. If we follow this called-to-caller chain all the way through we will end up at r0. The reverse chain (r0, the last routine r1 that it called, the last routine r2 that r1 called, and so on down to the current routine) is the call chain.

If a routine produces an exception (as pictured at the bottom-right of the figure), it may be necessary to go up the chain until finding a routine that is equipped to handle the exception — or stop execution if we reach r0, not having found any applicable exception handler. This was the case in Ada when no routine in the call chain has an exception clause with a when clause that names the exception type or others.
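The following Python sketch is an added example, not code from the book. It shows both conditions of organized panic and the walk up the call chain; the Ledger class, its invariant, the audit callback and the routine bodies are assumptions made for illustration, with r0, r1 and r2 named after the routines in the text.

```python
class Ledger:
    """Class invariant: total == sum(entries)."""
    def __init__(self):
        self.entries, self.total = [], 0

    def invariant(self):
        return self.total == sum(self.entries)

    def post(self, amount, audit):
        saved = (list(self.entries), self.total)  # snapshot of a consistent state
        try:
            self.entries.append(amount)  # invariant temporarily violated
            audit(amount)                # may raise in the intermediate state
            self.total += amount         # invariant restored on the normal path
        except Exception:
            self.entries, self.total = saved  # organized: invariant holds again
            raise                             # panic: the caller gets the exception

    def post_careless(self, amount, audit):
        try:
            self.entries.append(amount)
            audit(amount)
            self.total += amount
        except Exception:
            pass  # neither condition met: caller told nothing, invariant broken

def failing_audit(amount):  # constructed failure for the example
    raise OSError("audit device unavailable")

def r2(ledger):  # current routine: its call fails
    ledger.post(50, failing_audit)

def r1(ledger):  # no handler here: the exception passes up the chain
    r2(ledger)

def r0():  # root routine: the first one equipped to handle the exception
    ledger = Ledger()
    ledger.post(10, lambda amount: None)
    try:
        r1(ledger)
        handled = False
    except OSError:
        handled = True
    return handled, ledger.invariant(), ledger.total, ledger.entries

def careless_run():
    ledger = Ledger()
    ledger.post_careless(50, failing_audit)
    return ledger.invariant(), ledger.entries, ledger.total
```

Calling r0() shows the exception reaching the root with the ledger still consistent, while careless_run() leaves an object whose invariant no longer holds and whose caller was never notified.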