DIP33: A standard exception hierarchy
Simen Kjærås
simen.kjaras at gmail.com
Mon Apr 1 14:20:21 PDT 2013
On Mon, 01 Apr 2013 22:34:39 +0200, Ali Çehreli <acehreli at yahoo.com> wrote:
> A safe program must first guarantee that that cleanup is harmless, which
> is not possible when the program is in an invalid state. Imagine sending
> almost infinite number of "cleanup" commands to a device that can harm
> people who are around it.
Of course. But the opposite is also the case - failure to turn off dangerous
hardware, or leaving hardware in a dangerous state when the program fails
is just as bad as putting it in an unknown state. The decision must be made
on a case-by-case basis.
I am reminded of Therac-25[1]. Though the situation there was slightly
different, similar situations could arise from not turning off hardware.
[1]: http://en.wikipedia.org/wiki/Therac-25
--
Simen