Postmortem: Template unittests are bad & you shouldn't catch Error

H. S. Teoh hsteoh at quickfur.ath.cx
Fri Oct 23 17:04:02 UTC 2020


On Fri, Oct 23, 2020 at 09:30:53AM -0700, Ali Çehreli via Digitalmars-d wrote:
[...]
> Over the years, I've been a part of many error management strategy
> discussions on these forums and elsewhere, and I still don't know what to
> do. For example, there are safety-critical programs out there that
> can't even abort.  The thinking is that instead of leaving a machine
> in its "invalid state", which may kill humans, there is always a
> better way of degrading the machine's operations to do something
> safer. For example, in the case of autonomous driving, slowing down
> the vehicle slowly and parking on the side of the road may be better
> than aborting at 120kph on the highway.

I think Walter's go-to answer on that one is, have a monitor process
that detects when the main process has crashed and immediately takes
over to initiate a safe shutdown procedure.  Basically, the main process
has entered an invalid state, so we can no longer assume it's able to
correctly carry out the safe shutdown procedure (what if the bug that
triggered the assert has also corrupted the program's data so that when
it tries to slow down it accelerates instead?). So we use a redundant,
independent component (the monitor process) that's known to be in a
consistent state to do the safe shutdown.

I'm not sure how to apply this principle (or if it's even applicable) to
all situations, but there you have it.


T

-- 
Little children, little troubles.
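The monitor-process pattern described in the reply above, as an added example that is not part of the thread and not code from Walter, Teoh or the D project. It is written in Python rather than D because the pattern is language-agnostic and the point is the process boundary, not the language: a worker signals liveness by touching a heartbeat file (an assumption; any out-of-band channel would do), and the monitor decides purely from the worker's exit status and the heartbeat age. The shutdown steps, the timeout and the embedded worker script are all constructed for the demo. The one design rule the code enforces is the one the reply makes: the monitor's shutdown plan is its own data, never read from the worker, because the worker's memory is exactly what is no longer trusted once an assertion has fired.

```python
"""Monitor-process pattern: a separate, known-good process watches a worker and
runs a safe shutdown when the worker crashes (assert/abort) or stops heartbeating."""
import os
import subprocess
import sys
import tempfile
import textwrap
import time

# Assumption: how long without a heartbeat before the worker counts as hung.
HEARTBEAT_TIMEOUT_S = 1.0

# The monitor's OWN copy of the safe-shutdown plan (constructed step names).
# Deliberately not read from the worker: a worker that has hit an invariant
# violation may have corrupted exactly the data it would use to slow down.
SAFE_SHUTDOWN_STEPS = ("cut_throttle", "brake_gently", "hazard_lights", "stop_on_shoulder")


def classify(returncode, heartbeat_age_s, timeout_s=HEARTBEAT_TIMEOUT_S):
    """Pure decision function for the monitor.

    returncode      : None while the worker is still running, otherwise its exit
                      status as subprocess reports it (negative = killed by signal).
    heartbeat_age_s : seconds since the worker last signalled that it was alive.
    Returns one of "healthy", "hung", "crashed", "exited".
    """
    if returncode is not None:
        return "exited" if returncode == 0 else "crashed"
    if heartbeat_age_s > timeout_s:
        return "hung"
    return "healthy"


def safe_shutdown(state):
    """Steps the monitor carries out on the worker's behalf.

    Uses only the monitor's own state; nothing here depends on the failed worker.
    """
    if state in ("crashed", "hung"):
        return list(SAFE_SHUTDOWN_STEPS)
    return []


# Constructed worker: heartbeats three times, then fails an assertion, which is the
# "main process has entered an invalid state" case from the reply.
CRASHING_WORKER = textwrap.dedent("""
    import sys, time
    hb = sys.argv[1]
    for _ in range(3):
        with open(hb, "w") as f:
            f.write(str(time.time()))   # touching the file updates its mtime
        time.sleep(0.1)
    assert 1 == 2, "simulated invariant violation"
""")

# Constructed worker that never heartbeats: the hung case.
HANGING_WORKER = "import time; time.sleep(30)"


def supervise(worker_src, timeout_s=HEARTBEAT_TIMEOUT_S, poll_s=0.05, max_run_s=10.0):
    """Spawn the worker, watch it, and return (final_state, shutdown_steps)."""
    with tempfile.TemporaryDirectory() as d:
        hb = os.path.join(d, "heartbeat")
        open(hb, "w").close()                       # initial heartbeat at spawn time
        proc = subprocess.Popen([sys.executable, "-c", worker_src, hb],
                                stderr=subprocess.DEVNULL)
        deadline = time.monotonic() + max_run_s     # hard cap so the demo cannot spin forever
        state = "healthy"
        try:
            while time.monotonic() < deadline:
                age = time.time() - os.path.getmtime(hb)
                state = classify(proc.poll(), age, timeout_s)
                if state != "healthy":
                    break
                time.sleep(poll_s)
        finally:
            # The monitor, not the worker, decides when the worker is gone.
            if proc.poll() is None:
                proc.kill()
                proc.wait()
        return state, safe_shutdown(state)


if __name__ == "__main__":
    for name, src, timeout in (("crashing", CRASHING_WORKER, HEARTBEAT_TIMEOUT_S),
                               ("hanging", HANGING_WORKER, 0.3)):
        state, steps = supervise(src, timeout_s=timeout)
        print(f"{name} worker -> {state}: {' -> '.join(steps) or 'no action'}")
```

Running the block supervises both constructed workers: the crashing one is classified `crashed` as soon as its non-zero exit status is observed, the hanging one is classified `hung` once its heartbeat file goes stale, and in both cases the monitor executes its own shutdown plan. The one thing the reply leaves open, and this code does not answer either, is what to do when the monitor itself is wrong; the pattern only buys you one independent layer.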

