Program logic bugs vs input/environmental errors
Dicebot via Digitalmars-d
digitalmars-d at puremagic.com
Mon Oct 6 10:09:38 PDT 2014
On Sunday, 5 October 2014 at 23:01:48 UTC, Walter Bright wrote:
> On 10/5/2014 2:51 PM, Dicebot wrote:
>> On Sunday, 5 October 2014 at 20:41:44 UTC, Walter Bright wrote:
>>> On 10/5/2014 8:35 AM, Dicebot wrote:
>>>> I am fine with non-default being hard but I
>>>> want it to be still possible within legal language
>>>> restricions.
>>>
>>> D being a systems language, you can without much difficulty
>>> do whatever works
>>> for you.
>>
>> Yes but it shouldn't be in undefined behaviour domain. In
>> other words there
>> needs to be a confidence that some new compiler optimization
>> will not break the
>> application completely.
>
> Relying on program state after entering an unknown state is
> undefined by definition. I don't see how a language can make a
> statement like "it's probably ok".
It is only in undefined state because language handles Errors
that way. At the point of throwing the Error state was perfectly
defined and 100% recoverable. This is the typical case for
assertion failure in contract - it detects some program flaw like
inability to handle specific data combination from other process
but it does not mean memory is corrupted or program is inherently
broken. Just killing the fiber and continuing with other requests
(which don't trigger that unexpected code path) is absolutely
fine unless compiler kicks in and optimizes something away in
surprising fashion.
If destructors are ignored those must be always ignored and
defined in spec. Same for scope(exit) or any similar affected
feature. Currently it may or may not attempt cleanup and that is
the problem when trying to circumvent the semantics.
>> I think this is the only important concern I have as long as
>> power user stuff
>> remains possible without re-implementing whole exception
>> system from scratch.
>
> You can catch an Error. But what is done from there is up to
> you - and to do more than just log the error, engage the
> backup, and exit, I cannot recommend.
Killing whole process is unacceptable in many cases, it will
effectively shut down the whole service if faulty request happens
at least one in a few seconds.
> To do more, use an Exception. But to throw an Exception when a
> logic bug has been detected, then try and continue based on it
> "probably" being ok, is something I cannot recommend and D
> certainly cannot guarantee anything. If the program does
> anything that matters, that is.
Assertions / contracts use Error. Do you think it is a better
approach to prohibit using `assert` and throw custom exceptions
from contracts?
More information about the Digitalmars-d
mailing list