> On Mar 6, 2017, at 4:20 PM, Elijah Johnson via swift-evolution
> <swift-evolution@swift.org> wrote:
>
> Hi,
>
> I’ve been recently considering Swift on the server-side, and there came up
> the question, “what happens when a null optional is forcibly unwrapped?” and
> the answer was clearly that not only would the request crash, but the entire
> server would also crash, since the server itself is/would be also written in
> Swift.
>
> I think that this highlights serveral weaknesses in Swift’s “null safety”
> attempts. The first is that there needs to be a way to isolate blocks of code
> so that a “null pointer exception” does not crash the system. I think it is
> fair to say, in the language of Java, that these are really “runtime
> exceptions” and for some reason are being treated as segmentation faults
> would be in C/C++. In my opinion, the existence of these things has the
> ability to bring Swift down below Java and closer to an unamanged language.
> Not really sure why it would ever be desireable, but in terms of server-side
> programming, it is definitely a serious issue.
>
> Secondly, Swift’s “null safety” is really completely undermined by these
> “force-unwrap” errors. I agree with the usage of new language features like
> guard, optional binding, etc to remove a null value, but I see this
> force-unwrap as extremely pervasive for a lot of reasons:
>
> 1. When porting code from a C style language to Swift, force-unwrap is needed
> to make the code work without refractoring.
> 2. XCode itself reccomends this operator and when it is used to satisfy a
> requirement, then it can be left in the code
> 3. Some styles of coding just can’t work without force-unwrap.
>
> I don’t think the logic of making the consequences extreme for making a
> mistake are a rational for making better coders. In fact, I personally see
> the “force-unwrap” operator having very great potential usage as a deliberate
> assertion exception - the programmer demands that a certain value be non-null
> for execution to continue, only there should be a proper scope and context
> where these exceptions can propogate to. On debug modes, one might want it to
> pause on the line, but for other uses, it should be caught IMO - on regular
> code by the user, and inside dispatch blocks by the queue itself. For a
> multithreaded app or server to exit, the user should have to explicitly write
> exit(0), isn’t this the goal of a managed language? Maybe in some cases,
> Apple will want the program to crash, but if Swift is given an audience not
> just with Apple hardware, then it should have more flexibility IMO.
The long-term vision here is to have some form of finer-grained fault isolation
("actors" being the buzzword for that we tend to throw around). As others
noted, using `!` is intended to indicate that it is *impossible* for a value to
be nil at a certain point, and that the programmers screwed up if the value is
nil at that point. The only safe thing to do in a situation the programmers
didn't plan for is stop execution; anything else is just going to lead to
harder-to-debug, potentially-exploitable inconsistencies further removed from
the original problem. With actors, it could become possible for that crash to
only take down an isolated subprogram, and give a supervisor subprogram an
opportunity to gracefully wind down the process—on clients, this might mean
saving application state so that the app can be cleanly restarted, and on the
server, this might mean closing the process's accept socket but still letting
existing requests complete before restarting the potentially-compromised
process. There's still a tradeoff here from a defense-in-depth standpoint,
since any requests running in the same process have the potential to corrupt
each other's state. Swift's crash-early design hopes to minimize the
opportunity for corruption to leak.
-Joe
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution
