Program logic bugs vs input/environmental errors

Sean Kelly via Digitalmars-d digitalmars-d at puremagic.com
Sun Sep 28 18:39:55 PDT 2014 

On Monday, 29 September 2014 at 00:09:59 UTC, Walter Bright wrote:
> On 9/28/2014 3:51 PM, Joseph Rushton Wakeling via Digitalmars-d 
> wrote:
>> However, it's clearly very desirable in this use-case for the 
>> application to
>> keep going if at all possible and for any problem, even an 
>> Error, to be
>> contained in its local context if we can do so.  (By "local 
>> context", in
>> practice this probably means a thread or fiber or some other 
>> similar programming
>> construct.)
>
> If the program has entered an unknown state, its behavior from 
> then on cannot be predictable. There's nothing I or D can do 
> about that. D cannot officially endorse such a practice, though 
> D being a systems programming language it will let you do what 
> you want.
>
> I would not even consider such a practice for a program that is 
> in charge of anything that could result in injury, death, 
> property damage, security breaches, etc.

Well... suppose you design a system with redundancy such that an 
error in a specific process isn't enough to bring down the 
system.  Say it's a quorum method or whatever.  In the instance 
that a process goes crazy, I would argue that the system is in an 
undefined state but a state that it's designed specifically to 
handle, even if that state can't be explicitly defined at design 
time.  Now if enough things go wrong at once the whole system 
will still fail, but it's about building systems with the 
expectation that errors will occur.  They may even be logic 
errors--I think it's kind of irrelevant at that point.

Even a network of communicating processes, one getting in a bad 
state can theoretically poison the entire system and you're often 
not in a position to simply shut down the whole thing and wait 
for a repairman.  And simply rebooting the system if it's a bad 
sensor that's causing the problem just means a pause before 
another failure cascade.  I think any modern program designed to 
run continuously (increasingly the typical case) must be designed 
with some degree of resiliency or self-healing in mind.  And that 
means planning for and limiting the scope of undefined behavior.

More information about the Digitalmars-d mailing list