On Friday, 24 October 2014 at 18:47:59 UTC, H. S. Teoh via
Digitalmars-d wrote:
Basically, if you want a component to recover from a serious
problem
like a failed assertion, the recovery code should be in a
*separate*
component. Otherwise, if the recovery code is within the failing
component, you have no way to know if the recovery code itself
has been
compromised, and trusting that it will do the right thing is
very
dangerous (and is what often leads to nasty security exploits).
The
watcher must be separate from the watched, otherwise how can
you trust
the watcher?
You make process isolation sound like a silver bullet, but
failure can happen on any scale from a temporary variable to
global network. You can't use process isolation to contain a
failure of a larger than process scale, and it's an overkill for
a failure of a temporary variable scale.
