This thread on Hacker News terrifies me

Jonathan M Davis newsgroup.d at jmdavisprog.com
Mon Sep 3 06:35:57 UTC 2018


On Sunday, September 2, 2018 11:54:57 PM MDT Nick Sabalausky (Abscissa) via 
Digitalmars-d wrote:
> On 09/03/2018 12:46 AM, H. S. Teoh wrote:
> > Anything less is unsafe, because being
> > in an invalid state means you cannot predict what the program will do
> > when you try to recover it.  Your state graph may look nothing like what
> > you thought it should look like, so an action that you thought would
> > bring the program into a known state may in fact bring it into a
> > different, unknown state, which can exhibit any arbitrary behaviour.
>
> You mean attempting to do things, like say, generate a stack trace or
> format/display the name of the Error class and a diagnostic message? ;)
>
> Not to say it's all-or-nothing of course, but suppose it IS memory
> corruption and trying to continue WILL cause some bigger problem like
> arbitrary code execution. In that case, won't the standard Error class
> stuff still just trigger that bigger problem, anyway?

Throwing an Error is a lot less likely to cause problems than actually
trying to recover. However, personally, I'm increasingly of the opinion that
the best thing to do would be to not have Errors but to kill the program at
the point of failure. That way, you could get a coredump at the point of
failure, with all of the state that goes with it, making it easier to debug,
and it would be that much less likely to cause any more problems before the
program actually exits. You might still have it print an error message and
stack trace before triggering a HLT or whatever, but I think that that's the
most that I would have it do. And while doing that would still potentially
open up problems, unless someone hijacked that specific piece of code, it
would likely be fine, and it would _really_ help on systems that don't have
coredumps enabled - not to mention seeing that in the log could make
bringing up the coredump in the debugger unnecessary in some cases.
Regardless, getting a coredump at the point of failure would be far better
IMHO than what we currently have with Errors.

- Jonathan M Davis
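Added example, not code from the thread: a small C fail-fast helper in the spirit of the approach described above. It raises the core-file soft limit so a dump is actually written, formats a diagnostic into a fixed stack buffer without touching the heap or running unwinding code, writes it with write(2), and then abort()s at the point of failure so the core captures the failing frame. The stack trace is left out; the names enable_core_dumps, format_fatal, die_fast, FAIL_FAST_UNLESS and checked_index are invented for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

/* Raise the soft core-file limit to the hard limit so a core is written even
 * where the default soft limit is 0 (the "coredumps not enabled" case).
 * An unprivileged process may raise its soft limit up to the hard limit. */
int enable_core_dumps(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Append s to out at pos, always NUL-terminating; never writes past cap. */
static size_t append(char *out, size_t cap, size_t pos, const char *s) {
    while (*s && pos + 1 < cap) out[pos++] = *s++;
    out[pos] = '\0';
    return pos;
}

/* Format "file:line: msg\n" using only byte copies: no malloc, no printf
 * machinery, so it is usable when the heap may already be corrupt.
 * Returns the number of bytes written (truncated if cap is too small). */
size_t format_fatal(char *out, size_t cap, const char *file, int line, const char *msg) {
    char digits[12]; int n = 0; unsigned v = (unsigned)line;
    if (cap == 0) return 0;
    do { digits[n++] = (char)('0' + v % 10); v /= 10; } while (v);
    for (int i = 0, j = n - 1; i < j; i++, j--) { char t = digits[i]; digits[i] = digits[j]; digits[j] = t; }
    digits[n] = '\0';
    size_t pos = append(out, cap, 0, file);
    pos = append(out, cap, pos, ":");
    pos = append(out, cap, pos, digits);
    pos = append(out, cap, pos, ": ");
    pos = append(out, cap, pos, msg);
    return append(out, cap, pos, "\n");
}

/* Emit the diagnostic with write(2) and abort(): SIGABRT dumps core here,
 * with the failing frame intact, instead of unwinding back to a handler. */
void die_fast(const char *file, int line, const char *msg) {
    char buf[256];
    size_t n = format_fatal(buf, sizeof buf, file, line, msg);
    ssize_t r = write(STDERR_FILENO, buf, n);
    (void)r;               /* nothing sensible to do if stderr is gone */
    abort();
}

#define FAIL_FAST_UNLESS(cond, msg) \
    do { if (!(cond)) die_fast(__FILE__, __LINE__, (msg)); } while (0)

/* Example invariant check: an out-of-range index is treated as a logic bug
 * (invalid program state), not as a recoverable error. */
int checked_index(const int *arr, size_t len, size_t i) {
    FAIL_FAST_UNLESS(i < len, "index out of bounds: invalid program state");
    return arr[i];
}
```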
