On 03.06.2017 12:44, Paolo Invernizzi wrote:
On Saturday, 3 June 2017 at 09:48:05 UTC, Timon Gehr wrote:
On 03.06.2017 08:55, Paolo Invernizzi wrote:
On Friday, 2 June 2017 at 23:23:45 UTC, nohbdy wrote:
It's exacerbated because Walter is in a mindset of writing
mission-critical applications where any detectable bug means you
need to restart the program. Honestly, if I were writing flight
control systems for Airbus, I could modify druntime to raise SIGABRT
or call exit(3) when you try to throw an Error. It would be easy,
and it would be worthwhile. If you really need cleanup, atexit(3) is
available.
The worst thing that has happened in programming in the last 30 years is just
that fewer and fewer programmers are adopting Walter's mindset...
I'm really really puzzled by why this topic pops up so often...
/Paolo
I don't get why you would /restart/ mission-critical software that has
been shown to be buggy. What you need to do instead: Have a few more
development teams that create independent implementations of your
service. (Completely from scratch, as the available libraries were not
developed to the necessary standard.) All of them should run on
different hardware produced in different factories by different
companies. Furthermore, you need to hire a team of testers and
software verification experts vastly exceeding the team of developers
in magnitude, etc.
That's what should be done in mission-critical software, and we are
relaxing the constraint of mission critical, it seems [1]
...
That document says that the crash was caused by a component going down
after an unexpected condition instead of just continuing to operate
normally. (Admittedly this is biased reporting, but it is true.)
The point is that software, somehow, has to be run with bugs, or sometimes
logic flaws: alas, buggy software is running here [2]...
...
I.e., a detected bug is not always a sufficient reason to bring down the
entire system.
So, if you have to, you should restart 'not-so-critical software', and
you should code it as if it were going to be restarted from time to time.
...
I agree. What I don't agree with is the idea that the programmer should
have no way to figure out which component failed and only stop or
restart that component if that is the most sensible thing to do under
the given circumstances. Ideally, the Mars mission shouldn't need to be
restarted just because there is a bug in one component of the probe.
It's a matter of opinion when the best moment to just restart it is, and a
judgement between risks and opportunities.
...
I.e., the language shouldn't mandate it to be one way or the other.
My personal opinion: it should be stopped as soon as a bug is detected.
...
Which is the right thing to do often enough.
/Paolo
[1]
http://exploration.esa.int/mars/59176-exomars-2016-schiaparelli-anomaly-inquiry
[2]
https://motherboard.vice.com/en_us/article/the-f-35s-software-is-so-buggy-it-might-ground-the-whole-fleet
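The thread above argues about two things: whether a component that detects a bug should stop at once rather than "continue normally", and whether the rest of the system should be able to tell which component failed and restart only that part. The example below is added here and is not code from the thread, from druntime or from any of the posters; it is plain POSIX C (fork/waitpid/pipe) rather than D, because the calls nohbdy names, SIGABRT, exit(3) and atexit(3), are C library interfaces. It puts each component in its own process, lets a detected bug abort() that process only, has a supervisor classify the exit and decide about a restart, and checks the cleanup claim directly: atexit(3) handlers run on exit(3) but not on abort()/SIGABRT. The component names, the restart limits and the "sensor reading" input are constructed for the example.

```c
/* Added example: process-level fail-fast plus supervised restart.
 * Not from the thread or from druntime. POSIX only. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum { OUTCOME_OK, OUTCOME_FAILED, OUTCOME_CRASHED } outcome_t;

/* Attempt counter set by supervise() before each fork; the child inherits
 * the parent's copy, so a component can behave differently per attempt. */
static int g_attempt;

/* Run one component in its own process and classify how it ended.
 * Exit status 0 is OK, nonzero is a reported failure, death by signal
 * (abort() -> SIGABRT, SIGSEGV, ...) is a crash: the component stopped
 * instead of carrying on with state it knows is bad. */
static outcome_t run_component(int (*component)(void), int *sig)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(EXIT_FAILURE); }
    if (pid == 0)
        _exit(component() == 0 ? 0 : 1);   /* child: return value -> exit status */

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(EXIT_FAILURE); }
    if (WIFSIGNALED(status)) {
        if (sig) *sig = WTERMSIG(status);
        return OUTCOME_CRASHED;
    }
    return WEXITSTATUS(status) == 0 ? OUTCOME_OK : OUTCOME_FAILED;
}

/* Restart a crashed component at most max_restarts times; the supervisor,
 * not the component, makes the restart decision. Returns the number of
 * restarts performed; the final outcome is stored via *final if non-NULL. */
static int supervise(int (*component)(void), int max_restarts, outcome_t *final)
{
    int restarts = 0;
    outcome_t o;
    for (;;) {
        int sig = 0;
        g_attempt = restarts;
        o = run_component(component, &sig);
        if (o != OUTCOME_CRASHED || restarts >= max_restarts) break;
        fprintf(stderr, "component died with signal %d, restarting\n", sig);
        restarts++;
    }
    if (final) *final = o;
    return restarts;
}

static int restarts_used(int (*c)(void), int max) { return supervise(c, max, NULL); }
static outcome_t final_outcome(int (*c)(void), int max)
{
    outcome_t o;
    supervise(c, max, &o);
    return o;
}

/* --- constructed components --- */

/* Violates its invariant on the first attempt only (a transient bug that a
 * restart clears). Detected bug => abort(); it never "continues normally". */
static int flaky_component(void)
{
    int reading = (g_attempt == 0) ? -1 : 42;   /* constructed sensor input */
    if (reading < 0) abort();
    return 0;
}
static int broken_component(void) { abort(); }   /* crashes on every attempt */
static int healthy_component(void) { return 0; }

/* --- does atexit(3) cleanup actually run? --- */
static int g_pipe_w = -1;
static void cleanup(void) { ssize_t n = write(g_pipe_w, "C", 1); (void)n; }

/* The child registers cleanup() with atexit(3) and then ends via abort()
 * or exit(3). Returns 1 if the handler ran (a byte arrived), else 0. */
static int cleanup_ran(int via_abort)
{
    int fds[2];
    if (pipe(fds) < 0) { perror("pipe"); exit(EXIT_FAILURE); }
    fflush(stdout);                      /* don't duplicate buffered output in the child */
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(EXIT_FAILURE); }
    if (pid == 0) {
        close(fds[0]);
        g_pipe_w = fds[1];
        atexit(cleanup);
        if (via_abort) abort();          /* SIGABRT: atexit handlers are NOT run */
        exit(1);                         /* exit(3): atexit handlers ARE run */
    }
    close(fds[1]);
    char c;
    ssize_t n = read(fds[0], &c, 1);     /* EOF once the child is gone */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == 1;
}

int main(void)
{
    printf("flaky: %d restart(s), final ok=%d\n",
           restarts_used(flaky_component, 3), final_outcome(flaky_component, 3) == OUTCOME_OK);
    printf("broken: gave up after %d restart(s)\n", restarts_used(broken_component, 2));
    printf("atexit cleanup ran: exit(3)=%d, abort()=%d\n", cleanup_ran(0), cleanup_ran(1));
    return 0;
}
```

The design choice worth noting is that the fail-fast policy and the restart policy live in different places: the component only decides to stop, the supervisor decides what stopping means for the system. That is what makes "which component failed" answerable. The cleanup check matters for the same reason: if a component is going to die by SIGABRT, anything registered with atexit(3) will not run, so cleanup that must happen belongs in the supervisor or in an exit(3) path, not in an atexit handler.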