Defensive Programming in Python

1. parse_percentage(25) is invalid for which reason?

• Wrong type: the function contract asks for a string.
• Malformed value: the percent sign is missing.

  Malformed-value checks happen after the caller has supplied the right kind of value. Here the caller supplied an int, not a str.

• Out of range: 25 is too large.

  The value 25 would be in range if it came from a valid percentage string. The first problem is the type.

• Valid edge case: 25 means 25 percent.

  Accepting a bare number would silently expand the contract. This function is specifically parsing percentage strings.

2. parse_percentage("25") is invalid for which reason?

• Wrong type: the input is not a string.

  "25" is a string, so the type part of the contract is satisfied. The shape of the string is the problem.

• Malformed value: the required percent sign is missing.
• Out of range: 25 is outside 0 through 100.

  The numeric value 25 is inside the allowed range. Range checks happen after the string has the required form.

• Valid edge case: 25 is exactly on a boundary.

  The boundary values are 0 and 100. This input also lacks the percent sign the parser promises to require.

3. parse_percentage("101%") is invalid for which reason?

• Wrong type: strings cannot represent percentages.

  Strings are exactly what this parser accepts. The type is not the issue.

• Malformed value: 101 is not numeric.

  101 can be parsed as a number. The problem appears after parsing, when the value is compared with the allowed range.

• Out of range: the numeric value is above 100.
• Valid edge case: the percent sign is present.

  Having a percent sign is necessary, but not sufficient. The numeric value still has to be between 0 and 100 inclusive.

4. Which input is a valid edge case for this contract?

• "0%"
• "-1%"

  A value just below the lower boundary is useful to test, but it belongs in the rejected partition.

• "abc%"

  The percent sign is present, but the numeric part cannot be parsed as a number.

• ""

  The empty string is malformed because it has no number and no percent sign.

5. Four programmers each propose a different implementation strategy for parse_percentage. Which strategy is the most defensive — and why?

• Reject non-strings with TypeError, reject malformed/out-of-range strings with ValueError, return the value only after every check passes.
• Coerce anything that looks numeric: float(str(text).rstrip('%')) / 100.0. Always return a number.

  Coercion silently widens the contract. parse_percentage(None) would become parse_percentage("None") and then fail somewhere deeper, far from the actual mistake.

• Wrap the body in try: ... except Exception: return 0.0 so the caller never sees an exception.

  Broad exception swallowing hides the kind of failure (empty string vs malformed number vs out-of-range) behind one indistinguishable return value. The caller has no way to repair the input.

• Return None for any input that doesn’t parse cleanly; let the caller check the result.

  Sentinel returns force every caller to add a check, and they confuse ‘unparseable’ with ‘legitimately 0.0%’. Explicit exceptions are easier for callers to handle correctly.

1. repeat("ha", "3") raises TypeError rather than ValueError. Why is TypeError the right choice here?

• Because "3" is the wrong kind of object — the contract wanted an integer, not a string.
• Because the string "3" can’t be converted to an integer.

  "3" can be converted with int("3") — but the contract doesn’t ask the function to do that coercion. The kind mismatch is the violation.

• Because TypeError is always preferred over ValueError for safety.

  There’s no general rule that TypeError is safer. The split has semantic meaning: kind vs value. Both belong in defensive code at the right places.

• Because Python forces TypeError whenever string × string is attempted.

  Python would raise TypeError on "ha" * "3" eventually, but with a confusing message about strings. Catching the kind mismatch first gives the caller a clear diagnostic.

2. repeat("ha", True) raises TypeError even though True is an int in Python. What is this defending against?

• The bool-as-int trap: isinstance(True, int) returns True, so a check that accepts integers would silently accept booleans — almost never what the caller meant.
• A bug in CPython where booleans corrupt string multiplication.

  There’s no such bug. "ha" * True is well-defined Python — it returns "ha". The defense is against caller confusion, not language brokenness.

• The risk that True evaluates to 0 in arithmetic contexts.

  True evaluates to 1 in arithmetic, not 0. And that’s exactly the trap: repeat("ha", True) would silently return "ha" instead of raising — likely hiding a caller bug.

• Nothing — the test is overly strict and should be removed.

  The test is enforcing a contract distinction the language doesn’t enforce for you. That’s the whole point of defensive programming.

3. A reviewer suggests collapsing all three checks in repeat into one line: if not (isinstance(text, str) and isinstance(times, int) and times >= 0): raise ValueError("invalid input"). What does this change cost you?

• It collapses three distinct failure messages into one undifferentiated ‘invalid input’, and it raises ValueError even when the failure was a type problem.
• Nothing — it’s cleaner and behaves identically.

  Behavior is not identical — the failure message and the exception class both lose information. The caller can no longer tell whether they passed a string instead of an int, or a negative count.

• It makes the function slower because of short-circuit evaluation.

  Short-circuit evaluation makes it marginally faster, not slower. Performance isn’t the issue here.

• It breaks pytest.raises because the test framework can’t parse compound conditions.

  pytest.raises works fine. The cost is pedagogical/diagnostic, not technical.

1. Why is silently swapping reversed bounds in clamp(7, 9, 3) worse than raising ValueError?

• It hides a caller bug. The next time the caller passes (value, max, min) instead of (value, min, max), the function appears to work — but the caller’s mental model is broken, and the next bug will be harder to find.
• It violates Python’s style guide.

  PEP 8 doesn’t mention this. The harm is semantic, not stylistic — and far more serious than a lint warning.

• It costs measurable performance because of the tuple unpacking.

  Performance is irrelevant at this scale. The cost is correctness: a broken caller passes tests and ships.

• It changes the return type from float to tuple[float, float].

  The return type doesn’t change. The harm is in the caller’s invisible-to-tests confusion about argument order.

2. Postel’s Law (“be liberal in what you accept, conservative in what you send”) is a famous internet design principle. A web framework’s URL router silently strips trailing slashes from URLs before matching. Is this the same anti-pattern as clamp’s silent swap?

• No — the trailing-slash strip is at a trust boundary (untrusted user input from HTTP) where normalization is intentional and is usually logged. clamp is an internal contract between trusted code where silent repair hides programmer mistakes.
• Yes — any silent transformation of input is always bad.

  This is the canonical Postel’s Law misconception. There’s a meaningful distinction between boundary tolerance (normalize HTTP input, web forms, file encodings) and interior strictness (function arguments between trusted modules).

• No — Postel’s Law was deprecated by RFC 8546, so neither pattern is acceptable.

  RFC 8546 (2019) does push back on Postel’s Law, but the practical rule that emerged isn’t ‘never normalize’ — it’s ‘normalize at the boundary, be strict in the interior.’ Modern HTTP frameworks still strip trailing slashes.

• Yes — but only because URLs and numeric ranges are fundamentally different domains.

  The domain isn’t the point. The point is who is on the other side of the call: an untrusted HTTP client (normalize) or another part of your own program (fail loud).

3. A teammate proposes that clamp(value, lower, upper) also coerce non-numeric inputs: clamp(\"5\", 0, 10) would try float(\"5\") and continue. Is this a good defensive addition?

• No — it silently widens the contract. The next caller who passes a string by mistake will see clamp ‘work’, and the actual bug (wrong variable being passed) goes undetected.
• Yes — being more accepting makes the function more robust.

  This is the exact same anti-pattern as the silent bound-swap, just dressed up as ‘helpfulness’. Robustness ≠ accepting any input — it means responding to bad input in a way that helps the caller fix their code.

• Yes — float("5") is a cheap conversion, so the cost is negligible.

  Conversion cost isn’t the issue. The issue is the contract: clamp is documented to accept floats, and silently expanding to strings means the documentation lies.

• No — but only because float("5e1") would also succeed, which is unexpected.

  float("5e1") succeeding is a curiosity, not the main problem. The main problem is that the contract no longer matches the docstring.

1. Why does ClosedInterval validate start <= end in __post_init__ rather than inside contains?

• Because validating once at construction means every method can trust the invariant afterward; re-checking in every method would be redundant and would scale badly with more methods.
• Because Python doesn’t allow validation inside dataclass methods.

  Dataclasses can validate anywhere; nothing in Python forces the check into __post_init__. The reason is pedagogical: the invariant only needs to be established once.

• Because __post_init__ runs slightly faster than method calls.

  Performance isn’t relevant at this scale. The reason is structural: avoiding redundant checks across many methods.

• Because dataclasses can’t have method bodies that raise.

  Dataclasses can absolutely raise inside methods. The reason for the constructor check is about where the invariant is established.

2. The contains(value) method still validates that value is a non-bool integer, even though the interval itself is already a valid object. Why?

• Because value is a new caller input — it’s not part of the interval’s invariant. Method arguments need their own validation; the object’s invariant only protects the object’s own state.
• Because Python’s type hints aren’t checked at runtime, so validation must run twice.

  Type hints not being runtime-checked is true, but unrelated. The distinction is between object invariants (state of self) and method preconditions (incoming arguments).

• Because contains could be called before __post_init__ finishes.

  __post_init__ runs as part of __init__, before the constructor returns. contains can’t be called before that finishes.

• Because frozen=True doesn’t protect against attribute changes via reflection.

  frozen=True is bypassable, yes — but that’s not why contains validates value. value is a fresh argument from the caller and has no relationship to the existing invariant.

3. ClosedInterval(True, 5) raises TypeError even though True is technically an int. This is the same trap as Step 2’s repeat(\"ha\", True). What is being defended against in both cases?

• The bool-as-int subclass trap: passing a boolean where the contract documents an integer is almost certainly a caller mistake — likely a confused conditional or a return value from == used in the wrong place.
• A CPython implementation bug in isinstance.

  There’s no such bug. isinstance(True, int) returns True by design — that’s exactly the trap.

• An ambiguity in True * 5 vs 5 * True.

  Both operations are well-defined and return 5. The harm is semantic, not arithmetic.

• The risk that booleans take up more memory than integers.

  bool and int use the same memory representation. Memory isn’t the concern.

1. The original buggy load_json_config did except Exception: return {}. What is the worst long-term harm of this pattern in production?

• Every caller now thinks ‘empty config’ and ‘unreadable file’ look identical, so failure modes that should be fatal (missing config) get silently treated as benign (no overrides). The bug surfaces as wrong behavior, far from the cause.
• It catches KeyboardInterrupt, which can crash the interpreter.

  Exception does not catch KeyboardInterrupt (that’s BaseException and not a subclass of Exception). The real harm is information loss, not interpreter safety.

• It returns the wrong type — dict instead of list.

  The return type is correct (dict). The harm is semantic — the dict is empty because of a failure, indistinguishable from an empty dict that legitimately had no entries.

• It causes a memory leak because the exception traceback is never freed.

  Python’s garbage collector handles exception tracebacks fine. The harm is informational: the cause is gone.

2. What does raise ConfigError(...) from exc give callers that raise ConfigError(...) alone does not?

• It preserves the original OSError or JSONDecodeError in ConfigError.__cause__, so the full chain shows up in tracebacks and tools like pytest and Sentry can drill into the real root cause.
• It makes the exception faster to raise.

  Both forms have the same raise cost. The difference is informational — what shows up in the traceback.

• It changes the exception class to a subclass of the original.

  The class is still ConfigError. from exc only sets the __cause__ attribute; it doesn’t change the class hierarchy.

• It allows the exception to be caught by except OSError: blocks.

  ConfigError is its own class. from exc doesn’t make it polymorphic with OSError. The chain is purely diagnostic.

3. The solution checks if not isinstance(data, dict): raise ConfigError(...). Why is this validation step necessary even after json.load succeeded?

• Because valid JSON can be a list, number, string, boolean, or null at the top level — not just an object. The function’s contract specifically promises a dict config, and json.load returning a JSON array is a contract violation, not a parse error.
• Because json.load can return None if the file is empty.

  An empty JSON file would be a JSONDecodeError, not None. The issue isn’t empty files — it’s valid JSON of the wrong shape.

• Because isinstance(data, dict) defends against the bool-subclass-of-int trap.

  The bool trap is about integer arguments, not JSON parsing. This check is about top-level JSON shape.

• Because Python’s json module is unreliable on Windows.

  The json module is cross-platform stable. The issue is the JSON spec itself: any JSON value (array, number, string, boolean, null, object) is a valid top-level value.

1. A student implementation turns "9000-8000" into (8000, 9000) so the returned tuple is ordered. What is the main problem?

• It hides a caller bug by silently repairing a reversed range.
• It should return a list instead of a tuple.

  The contract promises a tuple, and the tuple shape is not the failure. The issue is accepting an invalid relationship between the two endpoints.

• It should raise TypeError because the values are strings.

  The function receives a string specification by design. Wrong type would be something like None or an integer argument.

• It fails only because 9000 is outside the valid port range.

  Both 8000 and 9000 are valid port numbers. The invalid part is their order in a range.

2. Which assertion best captures the postcondition of a successful parse_port_range call?

• result is not None and both tuple slots can be indexed

  A non-None result could still be malformed, reversed, or out of range. That oracle is too weak.

• result is a 2-item tuple and 0 <= start <= end <= 65535
• str(result).startswith('(') and the string contains a comma

  String formatting is not the contract. A list or invalid tuple could still produce a parenthesized-looking string.

• result[0] < result[1] so endpoints are strictly ordered

  A single port such as "8080" should return (8080, 8080), where equality is valid.

3. Which failure should be a TypeError rather than a ValueError?

• parse_port_range(None)
• parse_port_range("abc")

  "abc" has the right type but cannot be parsed as the required string form, so it is a value problem.

• parse_port_range("65536")

  "65536" has the right type and shape but is outside the valid port range, so it is a value problem.

• parse_port_range("9000-8000")

  "9000-8000" has the right type and numeric parts, but the endpoint relationship is invalid, so it is a value problem.

4. Retrieval from Step 3: a teammate proposes that parse_port_range(\"9000-8000\") should silently swap to (8000, 9000) because "the user obviously meant the lower port first." What principle from clamp (Step 3) applies here?

• Silent repair hides caller bugs. The next time someone writes parse_port_range(f"{max_port}-{min_port}") because they confused the variable order, the function appears to work — and the actual bug surfaces somewhere far away, much later.
• Silent repair is fine because the result is mathematically equivalent.

  Mathematical equivalence isn’t the question. The question is whether the caller knows they passed the arguments wrong. Silent repair means they don’t.

• Silent repair is fine here because port ranges are commutative.

  Port ranges are not commutative — "9000-8000" is malformed by the contract, regardless of whether the resulting set of ports would be the same.

• Silent repair is acceptable as long as the function logs a warning.

  Logging is a partial mitigation, but at the internal contract boundary, raising is still the right move. (Logging-and-continuing is sometimes acceptable at the system boundary — see Step 3’s Postel’s Law question.)

5. Retrieval from Step 5: imagine parse_port_range was extended to read its input from a config file — port_range = json.load(...)\\[\"ports\"\\]. Which defensive pattern from load_json_config (Step 5) should re-enter the picture?

• Catch only the specific failures you can translate (OSError, json.JSONDecodeError), use raise ConfigError(...) from exc to preserve the cause, then validate the loaded shape before handing it to the parser.
• Wrap the whole flow in except Exception: return None so the program never crashes.

  Broad except + sentinel return is the exact anti-pattern Step 5 trained you to avoid. It would convert ‘missing config file’ and ‘malformed JSON’ and ‘wrong shape’ into one indistinguishable None.

• Skip JSON validation — parse_port_range will validate anyway.

  Defense in depth: validating shape at the JSON boundary catches problems earlier and with better diagnostics than letting them surface inside parse_port_range. A JSON list arriving where a string was expected gives a much more confusing error from the parser than from an explicit type check at the boundary.

• Disable the AST check from Step 5, since this is a different file.

  The AST check is a tool for the tutorial autograder, not a runtime constraint. The defensive pattern (no broad except) applies to every place you read external data, not just load_json_config.