On Mon, 01 Apr 2013 22:34:39 +0200, Ali Çehreli <acehr...@yahoo.com> wrote:
> A safe program must first guarantee that cleanup is harmless, which is not possible when the program is in an invalid state. Imagine sending an almost infinite number of "cleanup" commands to a device that can harm people who are around it.
Of course. But the opposite is also the case - failure to turn off dangerous
hardware, or leaving hardware in a dangerous state when the program fails, is just as bad as putting it in an unknown state. The decision must be made on a case-by-case basis. I am reminded of Therac-25[1]. Though the situation there was slightly different, similar situations could arise from not turning off hardware.

[1]: http://en.wikipedia.org/wiki/Therac-25

--
Simen