Making alloca more safe

Adam D. Ruppe destructionator at gmail.com
Mon Nov 16 13:13:48 PST 2009


On Mon, Nov 16, 2009 at 03:19:06PM -0500, bearophile wrote:
> One Ariane missile has self-destroyed (and destroyed an extremely important scientific satellite it was carrying whose mission I miss still) because of this silly behaviour united with the inflexibility of the Ada language.

Would you have preferred it to just randomly do its own thing and potentially
end up landing on people? Blowing it up over the ocean or the launch site
is something they would be prepared for anyway, so it is relatively safe to
people, which is what ultimately matters. Even expensive, important pieces
of equipment can always be replaced.

> A program that stops working in a random moment because of a null is not safe.

What would you have it do? Carry on in the error state, doing Lord knows
what? That's clearly unsafe.

Terminating it is a completely predictable situation - one you can design
the safe system as a whole around.

The rocket scientists know their rocket might blow up at launch, so they
build the launch pad out far enough from people and schedule lift off on a
day with favourable weather, so if it does explode, the odds of someone
getting hurt are low.

Hospitals know their medical machines might screw up, so they keep a nurse
on duty at all times who can handle the situation - restart the failed
machine, or bring in a replacement before it kills someone.


Similarly, if your program simply must not fail, null pointer problems don't
preclude this. You can predict the eventuality of termination, and set up
an external process to restart the dead program:

	while [ true ] ; do ./buggy-program ; done

It might not be convenient all the time, but it is safe. Certainly safer than
the alternative of carrying on in an unknown state.

> A safer program is a program that avoids null pointer exception because the type system has formally verified the program has no nulls.

I wouldn't say safer, though I will concede that it is easier to debug.


-- 
Adam D. Ruppe
http://arsdnet.net
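An added example, not code from the post above: a longer version of the restart loop that records each exit status and gives up after a bounded number of restarts, so a program that never recovers gets noticed instead of looping forever. `flaky_program` is a constructed stand-in for ./buggy-program.

```shell
#!/bin/sh
# supervise MAX_RESTARTS DELAY_SECONDS CMD [ARGS...]
# Runs CMD, restarting it whenever it terminates with a non-zero status.
# Returns 0 once CMD exits cleanly, 1 when the restart budget is exhausted.
supervise() {
    max_restarts=$1; delay=$2; shift 2
    restarts=0
    while :; do
        # Capture the exit status without letting 'set -e' abort the loop.
        "$@" && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            echo "supervise: $1 exited cleanly after $restarts restart(s)" >&2
            return 0
        fi
        restarts=$((restarts + 1))
        echo "supervise: $1 died with status $status (restart $restarts/$max_restarts)" >&2
        if [ "$restarts" -ge "$max_restarts" ]; then
            echo "supervise: giving up on $1" >&2
            return 1
        fi
        sleep "$delay"
    done
}

# Constructed stand-in for ./buggy-program: aborts (status 1) on its first
# two invocations, tracked in a small state file, then runs cleanly.
flaky_program() {
    state=${TMPDIR:-/tmp}/flaky_state.$$
    n=$(cat "$state" 2>/dev/null || echo 0)
    echo $((n + 1)) > "$state"
    if [ "$n" -lt 2 ]; then
        echo "flaky: null dereference, aborting" >&2
        return 1
    fi
    rm -f "$state"
    return 0
}

# Usage: a program that stabilises is restarted until it exits cleanly.
supervise 3 1 flaky_program
```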