Postmortem: Template unittests are bad & you shouldn't catch Error
Ali Çehreli
acehreli at yahoo.com
Fri Oct 23 18:24:27 UTC 2020
On 10/23/20 10:04 AM, H. S. Teoh wrote:
> I think Walter's go-to answer on that one is, have a monitor process
> that detects when the main process has crashed, and immediately take
> over to initiate a safe shutdown procedure.
And "immediately" must be a very short time.
> Basically, the main process
> has entered an invalid state, so we can no longer assume it's able to
> correctly carry out the safe shutdown procedure (what if the bug that
> triggered the assert has also corrupted the program's data so that when
> it tries to slow down it accelerates instead?). So we use a redundant,
> independent component (the monitor process) that's known to be in a
> consistent state to do the safe shutdown.
Yes, that's what's being done in the industry. But how to debug what
happened? Perhaps leave a trace that explains what was being attempted,
instead of what went wrong? I guess...
Or perhaps, if possible, decouple the faulty program and let it attempt
to give more information in a sandbox.
> I'm not sure how to apply this principle (or if it's even applicable) to
> all situations, but there you have it.
Yeah, this kind of discussion had better be attached to how safety-critical
the system is. Yes, in theory even a format() will not work, but it's
ingrained in our assert() expressions, we use it all over the place,
and it's very practical:
assert(c, format!"Can this work? %s"(i));
In practice it works and is extremely useful.
Ali
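The monitor-process design quoted above, plus the "leave a trace of what was being attempted" idea, as an added example in Python (not code from the thread, and not D): a supervisor spawns a worker, the worker records its current attempt before each step, and when an assertion aborts the worker the supervisor reads that trace and runs a fixed shutdown sequence that does not depend on the worker's state. The worker, its steps and the shutdown actions are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed worker: writes what it is ABOUT to do, then does it. If an
# assertion fires, the last record says what was being attempted.
WORKER_SRC = r'''
import sys
trace_path = sys.argv[1]

def attempting(step):
    with open(trace_path, "w") as f:   # overwrite: only the current attempt
        f.write(step)

for i, speed in enumerate([10, 20, -5]):   # constructed input; -5 is invalid
    attempting(f"step {i}: applying speed {speed}")
    assert speed >= 0, f"negative speed {speed}"   # invalid state: abort
'''

def safe_shutdown():
    # Known-good sequence held by the monitor, independent of worker data
    # (which may be corrupted, so the worker itself is not trusted to act).
    return ["cut power to actuator", "engage brake", "signal operator"]

def run_supervised(worker_src=WORKER_SRC, timeout=10):
    """Spawn the worker; on abnormal exit, recover the trace and shut down."""
    with tempfile.TemporaryDirectory() as d:
        trace = os.path.join(d, "trace.txt")
        proc = subprocess.run([sys.executable, "-c", worker_src, trace],
                              capture_output=True, text=True, timeout=timeout)
        if proc.returncode == 0:
            return {"crashed": False, "last_attempt": None, "shutdown": []}
        last = open(trace).read() if os.path.exists(trace) else "<no trace>"
        return {"crashed": True,
                "exit_code": proc.returncode,
                "last_attempt": last,              # what it was trying to do
                "stderr_tail": proc.stderr.strip().splitlines()[-1:],
                "shutdown": safe_shutdown()}

if __name__ == "__main__":
    print(run_supervised())
```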