On Mon, Nov 16, 2009 at 03:19:06PM -0500, bearophile wrote:
> One Ariane missile has self-destroyed (and destroyed an extremely important
> scientific satellite it was carrying whose mission I miss still) because of
> this silly behaviour united with the inflexibility of the Ada language.

Would you have preferred it to just randomly do its own thing and potentially
end up landing on people? Blowing it up over the ocean or the launch site is
something they would be prepared for anyway, so it is relatively safe to
people, which is what ultimately matters. Even expensive, important pieces of
equipment can always be replaced.

> A program that stops working in a random moment because of a null is not
> safe.

What would you have it do? Carry on in the error state, doing Lord knows what?
That's clearly unsafe.

Terminating it is a completely predictable situation - one you can design the
safe system as a whole around. The rocket scientists know their rocket might
blow up at launch, so they build the launch pad out far enough from people and
schedule lift off on a day with favourable weather, so if it does explode, the
odds of someone getting hurt are low.

Hospitals know their medical machines might screw up, so they keep a nurse on
duty at all times who can handle the situation - restart the failed machine,
or bring in a replacement before it kills someone.

Similarly, if your program simply must not fail, null pointer problems don't
preclude this. You can predict the eventuality of termination, and set up an
external process to restart the dead program:

    while [ true ] ; do ./buggy-program ; done

It might not be convenient all the time, but it is safe. Certainly safer than
the alternative of carrying on in an unknown state.

> A safer program is a program that avoids null pointer exception because the
> type system has formally verified the program has no nulls.

I wouldn't say safer, though I will concede that it is easier to debug.

-- 
Adam D. Ruppe
http://arsdnet.net
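The restart loop in the post above, as an added example that is not part of the original message or of any project it mentions. The one-liner in the post restarts the program immediately and forever, so a program that dies on every start turns into a hot loop that nobody notices; the supervisor below keeps the fail-fast-and-restart idea but adds a restart budget and a doubling backoff, and it reports each crash so the failure is visible. The function and variable names (supervise, SUPERVISE_RESTARTS, flaky_program, always_crashing_program, FLAKY_STATE) and the two stand-in programs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post above): a restart supervisor in POSIX sh.
# The post's one-liner restarts the program immediately and forever; this
# version adds a restart budget and a doubling backoff so a program that dies
# on every start cannot spin the machine, and it reports what happened.
# All names here (supervise, SUPERVISE_RESTARTS, flaky_program,
# always_crashing_program, FLAKY_STATE) are assumptions made for the example.

# supervise MAX_RESTARTS INITIAL_DELAY CMD [ARGS...]
#   Runs CMD. On a non-zero exit it sleeps INITIAL_DELAY seconds (doubling each
#   time, capped at 60) and runs CMD again, at most MAX_RESTARTS times.
#   Returns 0 once CMD exits 0, 1 when the budget is exhausted.
#   SUPERVISE_RESTARTS holds the number of restarts performed.
supervise() {
    max_restarts=$1
    delay=$2
    shift 2
    SUPERVISE_RESTARTS=0
    while :; do
        # Capture the exit status in a form that does not trip 'set -e' in callers.
        "$@" && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            echo "supervise: '$1' exited cleanly after $SUPERVISE_RESTARTS restart(s)" >&2
            return 0
        fi
        echo "supervise: '$1' exited with status $status" >&2
        if [ "$SUPERVISE_RESTARTS" -ge "$max_restarts" ]; then
            echo "supervise: restart budget of $max_restarts exhausted, giving up" >&2
            return 1
        fi
        SUPERVISE_RESTARTS=$((SUPERVISE_RESTARTS + 1))
        echo "supervise: restart $SUPERVISE_RESTARTS/$max_restarts in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
        if [ "$delay" -gt 60 ]; then delay=60; fi
    done
}

# Constructed stand-in for ./buggy-program: exits 3 on its first two runs and
# cleanly from the third run on. State lives in a file because every restart
# is a fresh process, exactly as it would be for a real restarted program.
FLAKY_STATE=${FLAKY_STATE:-$(mktemp)}
flaky_program() {
    n=$(cat "$FLAKY_STATE" 2>/dev/null)
    n=${n:-0}
    n=$((n + 1))
    echo "$n" > "$FLAKY_STATE"
    if [ "$n" -le 2 ]; then
        echo "flaky_program: run $n, hit a null and aborted" >&2
        return 3
    fi
    echo "flaky_program: run $n, finished normally" >&2
    return 0
}

# Constructed stand-in for a program that fails on every start.
always_crashing_program() {
    return 2
}

# Demo: the first supervised run recovers after two restarts; the second one
# exhausts its budget and gives up instead of looping forever.
supervise 5 0 flaky_program
echo "flaky_program needed $SUPERVISE_RESTARTS restart(s)"
supervise 2 0 always_crashing_program || echo "gave up on always_crashing_program after $SUPERVISE_RESTARTS restart(s)"
rm -f "$FLAKY_STATE"
```

Run it with `sh`. Each restart is a new process, so the only state that survives a crash is what the program itself persisted, which is the same property the post relies on: the restarted program starts from a known state rather than carrying on from the unknown one it crashed in.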