Non-null objects, the Null Object pattern, and T.init

Fri Jan 17 19:26:18 PST 2014

On Saturday, 18 January 2014 at 02:48:38 UTC, Walter Bright wrote:
> I didn't mention that the dual autopilots also have a 
> comparator on the output, and if they disagree they are both 
> shut down. The deadman is an additional check. The dual system 
> has proven itself, a third is not needed.

The pilot is engaged as the third.

There are situations where you cannot have a third "intelligent" 
agent take over, so you should have 3 systems, and reboot and 
resync the one that diverges, but this is rather off topic. I 
don't think D is a language that should be used for these kind of 
systems.

> Please reread what I wrote. I said it shuts itself off and 
> engages the backup, and if there is no backup, you have failed 
> at designing a safe system.

A car driver that is doing an emergency manoeuvre is not part of 
a safe system, indeed!

If you want one system to take over for another you need a safe 
spot to do it in. Just disappearing instantly isn't optimal 
because instantly changing responsiveness is a gurantee for 
failure.

In fact, being instantly disruptive is usually the wrong thing to 
do. You should spin down gracefully.

I don't see why you cannot do that with null-pointers. You 
obviously can do it with division by zero errors. I think you 
associate null-pointers with memory corruption, which truly is an 
invalid state for which you might want to instantly shut down.

> I have experience with this stuff, Ola, from my years at Boeing 
> designing flight critical systems. What I outlined is neither 
> irrational nor emotionally driven, and has the safety record to 
> prove its effectiveness.

In a very narrow field where the pilot is monitoring the system 
and can take over. The pilot is the ultimate source for failure 
(in a political sense). So you basically shut down the technology 
and blame the pilot if you end up with a crash. That only works 
if the computer has been made to replace a human being.