Program logic bugs vs input/environmental errors
Kagamin via Digitalmars-d
digitalmars-d at puremagic.com
Fri Oct 31 13:23:04 PDT 2014
On Friday, 24 October 2014 at 18:47:59 UTC, H. S. Teoh via Digitalmars-d wrote:
> Basically, if you want a component to recover from a serious problem like a failed assertion, the recovery code should be in a *separate* component. Otherwise, if the recovery code is within the failing component, you have no way to know if the recovery code itself has been compromised, and trusting that it will do the right thing is very dangerous (and is what often leads to nasty security exploits). The watcher must be separate from the watched, otherwise how can you trust the watcher?
You make process isolation sound like a silver bullet, but failure can happen on any scale, from a temporary variable to a global network. You can't use process isolation to contain a failure of larger-than-process scale, and it is overkill for a failure of temporary-variable scale.
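The "watcher must be separate from the watched" argument in the quoted message, as an added illustration that is not part of the thread: a worker corrupts its own state before an assertion fires, and in-process recovery that reuses that state silently returns a wrong answer, while a supervisor in a separate process only sees the exit status and cannot be misled by the corrupted state. Everything here (the worker, its invariant, the supervisor) is constructed for the example.

```python
"""Constructed example: in-process recovery vs. an out-of-process watcher."""
import multiprocessing as mp

GOOD_INPUT = [3, 1, 2]  # constructed input; invariant: the elements sum to 6

try:
    CTX = mp.get_context("fork")  # fork keeps the example simple on Linux/macOS
except ValueError:                # Windows has no fork; fall back to the default
    CTX = mp.get_context()


def worker(state):
    """Sort `state` in place. A deliberate logic bug clobbers the data first,
    so the invariant check fails *after* the component's state is corrupted."""
    state[:] = [3, 3, 3]                     # the bug: state is now garbage
    assert sum(state) == 6, "invariant violated: sum of elements changed"
    return sorted(state)


def recover_in_process(state):
    """Recovery code living inside the failing component: it 'handles' the
    assertion by trusting whatever state the component left behind."""
    try:
        return worker(state)
    except AssertionError:
        return sorted(state)  # looks like success, but operates on corrupted data


def _child(conn, data):
    conn.send(worker(data))  # never reached if the assertion fails
    conn.close()


def supervise(data, attempts=2):
    """Separate-process watcher: it restarts the worker from known-good input and
    judges success only by exit status, never by the worker's internal state."""
    for _ in range(attempts):
        parent_conn, child_conn = CTX.Pipe()
        proc = CTX.Process(target=_child, args=(child_conn, list(data)))
        proc.start()
        proc.join()
        if proc.exitcode == 0 and parent_conn.poll():
            return ("ok", parent_conn.recv())
    return ("failed", None)  # honest failure instead of a silently wrong result


if __name__ == "__main__":
    print("in-process recovery:", recover_in_process(list(GOOD_INPUT)))  # [3, 3, 3]
    print("supervised:", supervise(GOOD_INPUT))  # ('failed', None)
```

The cost the reply points at is visible too: each attempt in `supervise` spawns a whole process to guard a three-element list.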