Bad array indexing is considered deadly

Timon Gehr via Digitalmars-d digitalmars-d at puremagic.com
Sat Jun 3 05:02:18 PDT 2017


On 03.06.2017 12:44, Paolo Invernizzi wrote:
> On Saturday, 3 June 2017 at 09:48:05 UTC, Timon Gehr wrote:
>> On 03.06.2017 08:55, Paolo Invernizzi wrote:
>>> On Friday, 2 June 2017 at 23:23:45 UTC, nohbdy wrote:
>>>
>>>> It's exacerbated because Walter is in a mindset of writing 
>>>> mission-critical applications where any detectable bug means you 
>>>> need to restart the program. Honestly, if I were writing flight 
>>>> control systems for Airbus, I could modify druntime to raise SIGABRT 
>>>> or call exit(3) when you try to throw an Error. It would be easy, 
>>>> and it would be worthwhile. If you really need cleanup, atexit(3) is 
>>>> available.
>>>
>>> The worst thing that happened in programming in the last 30 years is 
>>> just that fewer and fewer programmers are adopting Walter's mindset...
>>>
>>> I'm really really puzzled by why this topic pops up so often...
>>>
>>>
>>> /Paolo
>>
>> I don't get why you would /restart/ mission-critical software that has 
>> been shown to be buggy. What you need to do instead: Have a few more 
>> development teams that create independent implementations of your 
>> service. (Completely from scratch, as the available libraries were not 
>> developed to the necessary standard.) All of them should run on 
>> different hardware produced in different factories by different 
>> companies. Furthermore, you need to hire a team of testers and 
>> software verification experts vastly exceeding the team of developers 
>> in magnitude, etc.
> 
> That's what should be done in mission-critical software, and we are 
> relaxing the constraint of mission-critical, it seems [1]
> ...

That document says that the crash was caused by a component going down 
after an unexpected condition instead of just continuing to operate 
normally. (Admittedly this is biased reporting, but it is true.)

> The point is that software, somehow, has to be run, with bugs, or 
> sometimes logic flaws: alas, buggy software is running here [2]...
> ...

I.e., a detected bug is not always a sufficient reason to bring down the 
entire system.

> So, if you have to, you should restart 'not-so-critical-software', and 
> you should code it as if it should be restarted from time to time.
> ...

I agree. What I don't agree with is the idea that the programmer should 
have no way to figure out which component failed and only stop or 
restart that component if that is the most sensible thing to do under 
the given circumstances. Ideally, the Mars mission shouldn't need to be 
restarted just because there is a bug in one component of the probe.

> It's an opinion, when it's the better moment to just restart it, and a 
> judgement between risks and opportunities.
> ...

I.e., the language shouldn't mandate it to be one way or the other.

> My personal opinion: it should be stopped as soon as a bug is detected.
> ...

Which is the right thing to do often enough.

> /Paolo
> 
> [1] 
> http://exploration.esa.int/mars/59176-exomars-2016-schiaparelli-anomaly-inquiry 
> 
> [2] 
> https://motherboard.vice.com/en_us/article/the-f-35s-software-is-so-buggy-it-might-ground-the-whole-fleet 
> 
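As an added example (not code from this thread, from druntime, or from any of the posters), here is one way to get the component-level containment Timon argues for without the language mandating anything: each request is served by the component in its own POSIX process, so a detected bug that ends in abort() (SIGABRT, no atexit cleanup, as nohbdy describes) kills only that run, and the supervisor decides whether to carry on. The lookup table, the request batch, and the choice to abort() rather than unwind are constructed assumptions for illustration; the code needs a POSIX system with fork().

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the supervisor collected over a batch of requests. */
struct supervise_stats {
    int ok;           /* requests the component answered */
    int crashed;      /* requests on which the component hit a detected bug */
    int last_signal;  /* signal that killed the most recent crashed run */
};

enum run_outcome { RUN_OK, RUN_CRASHED, RUN_FAILED };

/* Constructed sample data the component serves lookups from (assumption). */
static const int TABLE[4] = {10, 20, 30, 40};
#define TABLE_LEN (sizeof TABLE / sizeof TABLE[0])

/* The component. An out-of-range index is a detected bug, not a recoverable
 * condition, so it is treated like a thrown Error under nohbdy's proposal:
 * abort() raises SIGABRT and runs no atexit() handlers. */
static int component_lookup(size_t idx) {
    if (idx >= TABLE_LEN) {
        fprintf(stderr, "component: index %zu out of range [0,%zu)\n",
                idx, (size_t)TABLE_LEN);
        abort();
    }
    return TABLE[idx];
}

/* Serve one request in a child process so that abort() in the component
 * cannot take the supervisor (or sibling components) down with it. */
static enum run_outcome run_isolated(size_t idx, int *sig) {
    pid_t pid = fork();
    if (pid < 0)
        return RUN_FAILED;
    if (pid == 0) {
        int v = component_lookup(idx);
        /* _exit, not exit: do not flush stdio buffers inherited from the parent. */
        _exit(v >= 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return RUN_FAILED;
    if (WIFSIGNALED(status)) {
        *sig = WTERMSIG(status);      /* SIGABRT for a detected bug */
        return RUN_CRASHED;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? RUN_OK : RUN_FAILED;
}

/* Supervisor policy: a crashed run loses only that request; the batch goes on.
 * A real system would log the crash and apply a restart budget here. */
static struct supervise_stats supervise(const size_t *requests, size_t n) {
    struct supervise_stats s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        int sig = 0;
        switch (run_isolated(requests[i], &sig)) {
        case RUN_OK:
            s.ok++;
            break;
        case RUN_CRASHED:
            s.crashed++;
            s.last_signal = sig;
            break;
        default:
            /* fork/waitpid failure is the supervisor's own problem, not the
             * component's; counted nowhere in this example. */
            break;
        }
    }
    return s;
}

int main(void) {
    /* Constructed batch: the second request (index 7) triggers the bug. */
    const size_t requests[] = {1, 7, 2};
    struct supervise_stats s = supervise(requests, 3);
    printf("ok=%d crashed=%d last_signal=%d (SIGABRT=%d)\n",
           s.ok, s.crashed, s.last_signal, SIGABRT);
    return (s.ok == 2 && s.crashed == 1 && s.last_signal == SIGABRT) ? 0 : 1;
}
```

The split is the point: the component keeps the "stop immediately on a detected bug" policy Paolo wants, while the process boundary gives the supervisor the information (which run, which signal) it needs to decide whether stopping that component is enough or the whole system must go down.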