Program logic bugs vs input/environmental errors

Kagamin via Digitalmars-d digitalmars-d at puremagic.com
Fri Oct 3 04:27:18 PDT 2014


On Monday, 29 September 2014 at 03:04:11 UTC, Walter Bright wrote:
> You've clearly got a tough job to do, and I understand you're 
> doing the best you can with it. I know I'm hardcore and 
> uncompromising on this issue, but that's where I came from (the 
> aviation industry).
>
> I know what works (airplanes are incredibly safe) and what 
> doesn't work (Toyota's approach was in the news not too long 
> ago). Deepwater Horizon and Fukushima are also prime examples 
> of not dealing properly with modest failures that cascaded into 
> disaster.

Do you interpret airplane safety right? As I understand it, 
airplanes are safe exactly because they recover from assert 
failures and continue operation. Your suggestion is: when seat 2A 
creaks, shut down the whole airplane. In reality airplanes 
continue to operate until there's zero physical resource to 
operate. Fukushima caused a disaster because it didn't try to 
handle failure. But this is your idea, that one can do nothing 
meaningful on failure, and Fukushima did just that: nothing.

Termination of the process is the safe default, especially in the 
case of client software, but servers should probably terminate 
the failed request, gracefully clean up and continue operation, like 
airplanes.
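The distinction the thread is arguing over, as an added example that is not part of the original message: a request loop that treats input and environmental errors as per-request failures (reject, clean up, keep serving) while a violated internal invariant (an assertion, i.e. a program logic bug) still terminates the loop. `Store`, `BadRequest`, `BackendUnavailable` and the request shape are constructed for the illustration and are not from the list discussion.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("server")


class BadRequest(ValueError):
    """Input error: the caller's data is unacceptable. Reject this request only."""


class BackendUnavailable(OSError):
    """Environmental error: a dependency is down. Fail this request only."""


@dataclass
class Store:
    """Constructed stand-in for a backing service (hypothetical)."""
    data: dict
    online: bool = True

    def lookup(self, key: str) -> str:
        if not self.online:
            raise BackendUnavailable("store offline")
        if key not in self.data:
            raise BadRequest(f"unknown key {key!r}")
        return self.data[key]


@dataclass
class Outcome:
    ok: list = field(default_factory=list)        # successful responses
    rejected: list = field(default_factory=list)  # error class per failed request
    cleaned: int = 0                              # per-request resources released


def handle(request: dict, store: Store) -> str:
    """Serve one request. Raises BadRequest / BackendUnavailable for
    recoverable failures and AssertionError only for a broken invariant."""
    key = request.get("key")
    if not isinstance(key, str) or not key:
        raise BadRequest(f"missing or invalid 'key' in {request!r}")
    value = store.lookup(key)
    # Internal invariant: writers only ever store non-empty strings. If this
    # fails, the program itself is wrong and no per-request handling applies.
    assert isinstance(value, str) and value, "logic bug: store invariant violated"
    return value.upper()


def serve(requests: list, store: Store, out: Optional[Outcome] = None) -> Outcome:
    """Request loop: isolate input/environmental failures per request and keep
    serving; let a logic bug (AssertionError) propagate and end the loop.
    `out` may be passed in so the caller can inspect progress after termination."""
    out = out if out is not None else Outcome()
    for req in requests:
        try:
            out.ok.append(handle(req, store))
        except (BadRequest, BackendUnavailable) as exc:
            # Recoverable: log it, answer this request with an error, continue.
            log.warning("request %r failed: %s", req, exc)
            out.rejected.append(type(exc).__name__)
        finally:
            # Runs whether the request succeeded, was rejected, or tripped an
            # assertion: this is the "gracefully clean up" step.
            out.cleaned += 1
    return out


if __name__ == "__main__":
    # Constructed sample traffic: two good requests, one unknown key, one malformed.
    store = Store({"a": "x", "b": "y"})
    print(serve([{"key": "a"}, {"key": "zzz"}, {}, {"key": "b"}], store))
```

Note that `AssertionError` is deliberately not in the `except` tuple: catching it would turn a bug in the server's own code into a silently rejected request, which is the failure mode the thread's other side warns about. The `finally` block still releases the per-request resource on the way out.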
