Null references (oh no, not again!)

Walter Bright newshound1 at digitalmars.com
Wed Mar 4 02:55:57 PST 2009


Nick Sabalausky wrote:
> "Walter Bright" <newshound1 at digitalmars.com> wrote in message 
> news:gole1d$23v4$1 at digitalmars.com...
>> Rainer Deyke wrote:
>>> Writing an assertion for every non-nullable reference argument for every
>>> function is tedious.
>> It's also quite unnecessary. The hardware will do it for you, and the 
>> debugger will tell you where it is.
>>
> 
> Yes...at run-time.

Asserts only fire at run-time, too. This is why I said the asserts are 
pointless.

> And even then only if you're lucky enough to hit all of 
> the code paths that lead to a null-reference during testing. It might not 
> cause data-corruption, but it does cause a crash.

It's not *remotely* as bad as data corruption. Back in the bad old DOS 
days, a data corruption problem could, and often *did*, completely 
scramble your hard disk. Having protection against this in hardware was 
an enormous improvement.

Things were so bad on DOS with this I'd develop code on a different 
system entirely that had memory protection, then only afterwards port it 
to DOS as a last step.


> A crash might not 
> typically be as bad as data-corruption, but both are still unnaceptable in 
> professional software. Plus, a crash *can* be nearly as bad, if not equally 
> bad, as data-corruption when it occurs in something mission-critical. This 
> is not a problem to be taken lightly.

I've worked with mission-critical software. You absolutely do NOT rely 
on it never failing. You design it so that when it fails, and it WILL 
fail, it does not bring down your critical system.

I started my career doing flight critical mechanical designs for Boeing 
airliners. I had it pounded into me that no matter how perfect you 
designed the parts, the next step is "assume it fails. Now what?" That 
is why Boeing airliners have incredible safety records.

Assume the parts break. Assume the hydraulics are connected backwards. 
Assume all the fluid runs out of the hydraulics. Assume it is struck by 
lightning. Assume it is encased in ice and frozen solid. Assume the 
cables break. Assume a stray wrench jams the mechanism. Assume it rusts 
away. Assume nobody lubricates it for years. Assume it was assembled 
with a bad batch of bolts. Etc.

If software is in your flight critical systems, the way one proceeds is 
to *assume skynet takes it over* and will attempt to do everything 
possible to crash the airplane.



More information about the Digitalmars-d mailing list