Bad array indexing is considered deadly

Ola Fosheim Grøstad via Digitalmars-d digitalmars-d at puremagic.com
Sat Jun 3 04:40:28 PDT 2017 

On Saturday, 3 June 2017 at 11:18:16 UTC, Paolo Invernizzi wrote:
> Sorry Ola, I can't support that way of working.
>
> Don't take it wrong, Walter is doing a lot on @safe, but 
> compilers are built from a codebase, and the codebase has, 
> anyway, bugs.
>
> I can't approve a "ok, do whatever you want in the 
> validate_input and I try to *safely* throw"

If the compiler is broken then anything could happen, at any 
time. So that merely suggests that you consider the current 
version to be of beta-quality.

Would you make the same argument for Python?


> IMHO you can only do that if the validator is totally 
> segregated, and to me that means in a separate process, neither 
> in another thread.

Well, that would be very tedious.

The crux is:

The best way to write at good validator is to make the code in 
the validator as simple as possible so that you can reduce the 
probability of making mistakes in the implementation of the spec.

If you have to add code for things like division-by-zero logic 
flaws or out of bounds checks then you make it harder to catch 
mistakes in validator and increase the probability of a much 
worse situation: letting illegal input pass.

So for a validator I want to focus my energy on writing simple 
crystal clear code that only allows legal input to pass. That 
makes the overall system robust, as long as the language is 
capable of trapping all the logic flaws and classify them as a 
validation-error.

So there is a trade off here. What is more important?

1. Increasing the probability of correctly implementing the 
validation spec to keep the database consistent.

2. Reduce the chance of the unlikely event that the 
compiler/unsafe code could cause the validator to pass when it 
shouldn't.

If the programmer knows that the validator was written in this 
way, it also isn't a big deal to catch all Errors from it. 
Probabilistically speaking, the compiler being the cause here 
would be a highly unlikely event (power failure would be much 
more likely).

> To me, pragmatic means that the B2B website has to be organised 
> in a way that the impact is minimum if one of the processes 
> that are handling the requests are restarted, for a bug or not. 
> See Laeeth [1]. Just handle "insignificant requests" to a 
> cheeper, less robust, less costly, web stack.

Then we land on the conclusion that development and running cost 
would increase by choosing D over some of the competing 
alternatives for this particular use case.

That's ok.

More information about the Digitalmars-d mailing list