DIP33: A standard exception hierarchy

Simen Kjærås simen.kjaras at gmail.com
Mon Apr 1 14:20:21 PDT 2013


On Mon, 01 Apr 2013 22:34:39 +0200, Ali Çehreli <acehreli at yahoo.com> wrote:

> A safe program must first guarantee that that cleanup is harmless, which
> is not possible when the program is in an invalid state. Imagine sending
> almost infinite number of "cleanup" commands to a device that can harm
> people who are around it.

Of course. But the opposite is also the case - failure to turn off dangerous
hardware, or leaving hardware in a dangerous state when the program fails,
is just as bad as putting it in an unknown state. The decision must be made
on a case-by-case basis.

I am reminded of Therac-25[1]. Though the situation there was slightly
different, similar situations could arise from not turning off hardware.


[1]: http://en.wikipedia.org/wiki/Therac-25
-- 
Simen
