On coding defensively

February 2012

When writing code that will be used by others (and we do that 100% of the time, even if the other user is ourselves in a few weeks time), there’s a tricky balance to strike between being generous to the users of our code, and ensuring that they get the information they want to ensure they’re calling our code correctly. There are two coding maxims: “Be generous on input, and strict on output”, and “fail fast”, which we need to hold in tension. This post explores the trade-offs between the two.

“Be generous on input, and strict on output”

This is another way of saying code defensively: we should allow the user to use our code a number of different ways, yet be careful about what we return to them to ensure they can’t be easily confused.

For example, consider this method:

    def calculate_total(products)
      total = 0
      products.each do |product|
        total += product.price
      end
      return total
    end

    calculate_total([product1, product2])

If we accept an array as an argument, we could code defensively and allow a single product to be passed as well:

    def calculate_total(products)
      products = [products] unless.products.respond_to?(:each)
      total = 0
      products.each do |product|
        total += product.price
      end
      return total
    end

    calculate_total(product) # also works now

This is a nice feature and potentially allows our code to be used more flexibly.

Let’s take this further. What happens when our user decides to pass in an invalid value, such as a string? Should we code defensively for that situation?

    def calculate_total(products)
      return 0 if product.is_a?(String)
      products = [products] unless.products.respond_to?(:each)
      total = 0
      products.each do |product|
        total += product.price
      end
      return total
    end

    calculate_total("product") # return 0

In this case, we could argue our code is being defensive: it avoided the crash that would have happened when we tried to call the non-existent price method on the passed in string. Is this desirable?

“If we’re going to fail, we should fail quickly.”

The programmer using our code probably made a mistake here. If we fail immediately, it’s very easy for them to see where the error is. If we accept pretty much anything, and return ‘0’ (or much worse, ‘-999’ or some other abomination) we’re just going to get incorrect prices: we’re going to hide and propagate the error down the call stack and make it much harder to debug.

This is a tricky balance and it depends on the situation, but in general I think these principles are helpful to deciding what to do:

Fail if we cannot be strict with our output. Coding defensively has two sides: generous with input, but also strict with output. If the output is changed by the way we recieve our argument, we’re not being specific enough. In the above example, we’re effectively giving a string a price of zero, which is extra behaviour we probably don’t want. Likewise, make sure that if there’s no way we can return a sensible result, then we should not accept the argument passed and fail instead.
Is our method doing too much? In the case of the above method our user might be wanting to pass the name of the product as a string, and look up the product to work out the price. We could support that, but this will encourage duplication: if we persist with keeping methods that do “A and B”, we’ll find over time we code will spring up additional methods which do “A” and “B” separately. Our method is now too complex and needs to be split into two.
Be generous with types. We have some advantages working in a dynamically typed language such as Ruby. Use the power of Duck Typing: don’t check if objects are certain types: check if they respond to the methods that we need to call on them.
Be generous at the edges of our code. Being generous with private APIs and methods only used by ourselves in constrained circumstances is a waste of time: we should just ensure we’re calling our own code correctly.
When we fail, we should fail hard. Really hard. In its laudable determination to follow the Principle of Least Astonishment, Ruby has a weakness for over-generosity. It tends to return nil when it encounters an error in cases where in my opinion it should throw an exception. Programmers don’t always check for the nils they receive correctly, which means they get passed around our codebase, eventually causing a crash when we least expect it. We should not return nil: that’s not being specific enough with our outputs. We should throw an exception or terminate the program if we really need to get their attention.

What do you think? Do you tend to learn more towards coding defensively, or failing early?

(Thanks to Alex Tomlins at Unboxed for the conversation that led to this post.)

BlueSky

How to Build a Robust LLM Application

December 2024

Meal Generator

Last month at Cherrypick we launched a brand new meal generator that uses LLMs to create personalized meal plans.

It has been a great success and we are pleased with the results. Customers are changing their plans 30% less and using their plans in their baskets 14% more.

However, getting to this point was not straightforward, and we learned many things that can go wrong when building these types of systems.

Here is what we learned about building an LLM-based product that actually works, and ends up in production rather than languishing in an investor deck as a cool tech demo.

Your Code Is A Liability

Updated: November 2024

Every chunk of code you commit is more for someone else to read, digest and understand.

Every complex “clever” expression requires another few minutes of effort for each of your team. They must now interpret what you wrote and why you wrote it.

Every line you add limits your project’s responsiveness to change.

Your code is a liability. Never forget this.

The Sol Trader Christmas Eve update: moddable missions

December 2015

The relative radio silence from Sol Trader Towers is for a reason: I’ve been working hard on a flexible and moddable mission structure, that allows players to take a variety of interesting quests in-game.

This build is now available on the forums should you have access (there’s still time if you don’t.)

kill mission

I’ve built a few missions to start with, including delivering parcels for business or personal reasons, taking characters on business trips and making other characters disappear. It’s great fun to have a variety of things to do for characters now and adds yet more colour to the game. Because it’s completely moddable, I’m also excited to see what storylines other people come up with!

Under the hood

The full details of how to create your own missions are available as a lengthy forum post, which will be kept up to date with changes and clarifications. Here’s an overview:

The missions are organised into packs, which exists under the data/missions subfolder. If you have access to the beta builds, you’ll see there’s one pack there already: these are the missions that are built in to the game.

There are several csv files in each mission folder:

requirements.csv: This file details the cases in which this mission might be triggered. Each character in the game has a chance of picking this mission (and becoming the ‘giver’ of the mission), based on the conditions imposed by this file.
conversation_player.csv: The extra conversation options available to the player because of this mission.
conversation_ai_response.csv: The extra options the AI can choose from as conversation responses.
opinions.csv: The extra opinion triggers, used for reactions to the generation and completion of these missions.
strings.csv: The new strings needed for the previous CSV files.

The possibilities for you to build your own missions are expanding all the time, as I add new missions triggers and possible goals for the AI.

business trip

What’s next?

At the moment it’s possible to take on any mission from any person, which isn’t very realistic. I need to allow players to gain other character’s trust, so that they will only give you sensitive missions in certain cases. Additionally it will soon be possible to start a career with an organisation, which will give you a rank, a certain amount of built in trust, and access to more senior characters.

I’m also going to be working on the in-space AI very soon. At the moment only freelance traders fly around between planets: it’s time we had passenger ships, military guards and pirates thrown into the mix.

Have a fantastic Christmas and I’ll see you all in the new year with some more updates.

New Sol Trader beta: the science of blame and unforgiveness

December 2015

Previously I wrote about how I’m modelling opinions and prejudice in Sol Trader. It’s time to put some of that information to use.

The opinions a character has of other people, based on the partial events that they know about them, will now directly affect the things that happen in the history generation. This creates new events, which will in turn feed more character opinions.

There’s a new beta available on the forums if you have insider access.

Dudley and Meredith

In the example on the left, we can see that an acrimonious divorce of Meredith’s parents has left an indelible mark on her childhood. She now has a very low opinion of her father, Dudley.

When characters are adults, they can then generate a series of ‘favours’ (or ‘missions’) that they want completed. This is a source of work for the players, although completing certain missions does have real consequences on your relationships with the target of the mission. If they find out you’ve taken a mission against them, then they won’t be happy with you.

To continue our example, Meredith, whom we are now married to, wants us to find out some potentially incriminating information about our own father-in-law, Dudley. It’s up to us whether we take it or not. If he finds out, we’ll make an enemy of him.

Is it worth getting involved in this feud?

As the game goes on, the player will get embroiled in these relationships between the various characters and be able to directly affect their stories. Choosing what to take on and who to ally yourself with forms a major part of Sol Trader’s gameplay.

Sarina’s spiral of doom

Another example: the sad tale of Sarina, our older half sister. I picked Dagny and Warren in history generation to be my character’s parents, knowing that Dagny was cheating on her husband Hayden, mostly to see what happened. Little did I know how much it would affect Sarina, Dagny and Hayden’s eight year old daughter. When she found out about my birth, she got very upset.

She didn’t blame me, thankfully, although she never thought much of me. However, she never really spoke to our mother again, especially since her beloved father Hayden died soon after we were born.

She left home at a young age, and became a political assistant, but she didn’t make too many friends. She was doing ok for a time, only to find out that the love of her life, Richard Ruhr, had been having an affair behind her back all along.

She divorced him, got depressed, quit her job and by the time I grew to adulthood at the start of the game, she was living in a hippie commune somewhere on Mercury, trying desperately to get some gossip on her ex-husband.

New beta out now

This new beta is now available from the forum if you have purchased insider access (if you haven’t there’s still time.) Let me know if you find any other interesting stories such as these!

Modelling opinions and prejudices in Sol Trader

November 2015

I’ve been working hard on the Sol Trader core gameplay mechanics in the last two weeks. High up on my list was a way of generating more interesting missions for the characters to complete.

In order to have a reason to gather dirt, find locations or desire an early end for an enemy, our characters need to feel strongly about other people they know. This is where their opinions and prejudices come in.

So why is he so interested in where Terrilyn is? What does he know about her?

Characters already keep track of the events they know about for each other character in the game. Now they can form an opinion of a character based on the partial set of info they know about someone else’s past.

The plan is to use these thoughts about each other to make decisions about who they’re friends with, deal with relationship breakdown, blame and prejudice.

Characters can hold a wide variety of opinions about each other

Here’s an example of how we configure this under the hood for an occasion where a character is caught and reported for taking bribes:

    event,         opinion,    impact, I caught them, I was caught
    PRISON_BRIBES, PITIABLE,    -0.4,   0,             0
    PRISON_BRIBES, MORAL,       -0.4,   0,             0
    PRISON_BRIBES, INFLUENTIAL, -0.4,   1,             0
    PRISON_BRIBES, MY_FRIEND,   -1.0,   0,             1

Anyone knowing about this event will think the character is less deserving of sympathy and assume the character is less moral. If we’re the one catching them take the bribes, then the briber becomes much less influential over us. If we’re the one being caught, then the one catching us is definitely no longer our friend. Depending on our profession, we will brief against them or possibly try to take them out.

Now characters have opinions about others, we can use these to guide their conversation choices, who they’re likely to target, give us gossip on, etc. It’s all game design fuel for other behaviours in the game, and will combine to form interesting unexpected effects and tell original stories each time.

Next time I’ll discuss about the new events that get created in the history generation because of these new opinions. Our stylised formulaic view of history is about to become, well, a lot more messed up. Rather like real history…