Making alloca more safe

Derek Parnell derek at psych.ward
Mon Nov 16 13:13:29 PST 2009


On Mon, 16 Nov 2009 12:48:51 -0800, Walter Bright wrote:

> bearophile wrote:
>> Walter Bright:
>>> I just wished to point out that it was not a *safety* issue.<
>> A safe system is not a program that switches itself off as soon as
>> there's a small problem.
> 
> Computers cannot know whether a problem is "small" or not.

But designers who make the system can.


> Pretending a program hasn't failed when it has, and just "soldiering 
> on", is completely unacceptable behavior in a system that must be reliable.

...

> If you've got a system that relies on the software continuing to 
> function after an unexpected null seg fault, you have a VERY BADLY 
> DESIGNED and COMPLETELY UNSAFE system. I really cannot emphasize this 
> enough.

What is the 'scope' of "system"? Is that if any component in a system
fails, then all other components are also in an unknown, and therefore
potentially unsafe, state too?

For example, can one describe this scenario below as a single system or
multiple systems...

"A software failure causes the cabin lights to be permanently turned on, so
should the 'system' also assume that the toilets must no longer be
flushed?"

Is the "system" the entire aircraft, i.e. all its components, or is there a
set of systems involved here?

In the "set of systems" concept, is it possible that a failure of one
system can have no impact on another system in the set, or must it be
assumed that every system is reliant on all other systems in the same set?

-- 
Derek Parnell
Melbourne, Australia
skype: derek.j.parnell
