Movement against float.init being nan

Walter Bright newshound2 at digitalmars.com
Thu Aug 25 01:19:55 UTC 2022


On 8/24/2022 7:03 AM, Steven Schveighoffer wrote:
> I actually proved this too with a test, so that's good news! Maybe I just need 
> to define all my structs using C :P

You could, but NaN default initialization is better.

I inferred that you relied on detecting a wrong 0 initialization by looking for 
unexpected behavior. This is less reliable than looking for a NaN in the output. 
When the behavior of a mistake is that most of the time it will work out ok, that 
is not acceptable, because there's that case where it won't be ok and could be very 
costly.

It should not be "the output looks sort of right, so assume it is right." It 
should *be* right, or be *obviously* wrong.

People should have to explicitly work at getting it wrong.

These are more of those lessons I picked up from working on flight controls at 
Boeing.

For example, hydraulic actuators (rams) drive the flight control surfaces back 
and forth. The actuators have a hydraulic fluid input port, and an output port. 
If the hydraulic lines are hooked to the wrong ports, the airplane will be 
uncontrollable and will crash. This has happened many times in the past. 
Boeing's solution is to:

1. the ports are different sizes
2. one is a left-hand thread, the other is a right-hand thread
3. the lines and ports are color-coded
4. the lines are laid out so the hydraulic lines are not long enough to connect 
to the wrong port
5. inspectors have to sign off on it
6. the flight controls are tested for correct operation as part of the 
pre-flight checklist

This has stopped the problem. Note how hard a mechanic would have to work to get 
it wrong, and if he succeeded it would be *obviously* wrong to the inspector.

I try to infuse this philosophy into D's design wherever it fits.
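The "obviously wrong, not sort of right" argument above, as an added D example that is not code from the original post. The struct name `Actuator`, the `command` function and the `looksValid` range check are hypothetical; the only D facts it relies on are that `float.init` is NaN, that NaN propagates through arithmetic, and that every ordered comparison against NaN is false.

```d
// Added example: a forgotten float field under D's NaN default
// versus a C-style zero default, and how each shows up in the output.
import std.math : isNaN;
import std.stdio : writeln;

// The author forgot to give `gain` a value. Under D's rules it is
// float.init, which is NaN; in C it would typically start as 0.
struct Actuator
{
    float gain;          // forgotten initializer: float.nan
    float position = 0;  // deliberately initialized
}

// The same struct with the field explicitly zeroed, standing in for
// what C (or a zero-initializing language) would give you.
struct ZeroActuator
{
    float gain = 0;      // explicit: getting 0 takes work
    float position = 0;
}

// Hypothetical control-law step used by both structs.
float command(float gain, float position, float input)
{
    return gain * input + position;
}

// A naive sanity check on the output. Note: every ordered comparison
// against NaN is false, so this returns false for NaN and true for a
// "plausible" 0. That is the caveat: test with isNaN explicitly,
// do not rely on range checks to notice an uninitialized float.
bool looksValid(float v)
{
    return v > -100 && v < 100;
}

void main()
{
    Actuator a;          // default-initialized, gain == float.nan
    ZeroActuator z;      // gain == 0

    float nanOut  = command(a.gain, a.position, 1.5f);
    float zeroOut = command(z.gain, z.position, 1.5f);

    writeln("NaN default:  ", nanOut);   // prints nan
    writeln("zero default: ", zeroOut);  // prints 0

    // The NaN propagated all the way to the output: obviously wrong.
    assert(isNaN(nanOut));
    assert(!looksValid(nanOut));

    // The zero-initialized version produces a plausible number that
    // passes the range check: "the output looks sort of right".
    assert(!isNaN(zeroOut));
    assert(looksValid(zeroOut));

    // If you really want to leave a field uninitialized, D makes you
    // say so explicitly; this is the "work at getting it wrong" step.
    float deliberate = void;
    deliberate = 1.0f;
    assert(!isNaN(deliberate));
}
```

Run it with `dmd -run nan_default.d` (or `rdmd`). The point of the `looksValid` check is the practical caveat: NaN is loud in arithmetic and in printed output, but silent in `<`/`>` tests, so an output-validation layer must call `isNaN` (or compare `v != v`) rather than assume a range check will reject it.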

