Non-null objects, the Null Object pattern, and T.init

Ola Fosheim Grøstad" <ola.fosheim.grostad+dlang at gmail.com> Ola Fosheim Grøstad" <ola.fosheim.grostad+dlang at gmail.com>
Fri Jan 17 18:22:22 PST 2014 

On Saturday, 18 January 2014 at 01:46:55 UTC, Walter Bright wrote:
> The autopilot software was designed by someone who thought it 
> should keep operating even if it detects faults in the software.

I would not write autopilot or life-support software in D. So 
that is kind of out-of-scope for the language. But:

Keep the system simple, select a high level language and verify 
correctness by an automated proof system.

Use 3 independently implemented systems and shut down the one 
that produces deviant values. That covers more ground than the 
unlikely null-pointers in critical systems. No need to 
self-detect anything.

> Consider also the Toyota. My understanding from reading reports 
> (admittedly journalists botch up the facts) is that a single 
> computer controls the brakes, engine, throttle, ignition 
> switch, etc. Oh joy. I wouldn't want to be in that car when it 
> keeps on going despite having self-detected faults.

So you would rather have the car drive off the road because the 
anti-skid software abruptly turned itself off during an emergency 
manoeuvre?

But would you stay in a car where the driver talks in a 
cell-phone while driving, or would you tell him to stop? Probably 
much more dangerous if you measured correlation between accidents 
and system features. So you demand perfection from a computer, 
but not from a human being that is exhibiting risk-like 
behaviour. That's an emotional assessment.

The rational action would be to improve the overall safety of the 
system, rather than optimizing a single part. So spend the money 
on installing a cell-phone jammer and an accelerator limiter 
rather than investing in more computers. Clearly, the computer is 
not the weakest link, the driver is. He might not agree, but he 
is and he should be forced to exhibit low risk behaviour. Direct 
effort to where it has most effect.

(From a system analytical point of view. It might not be a good 
sales tactic, because car buyers aren't that rational.)

More information about the Digitalmars-d mailing list