[plt-scheme] to define, or to let (new twist)

From: Paul Schlie (schlie at comcast.net)
Date: Tue Mar 23 22:48:51 EST 2004

> Bradd W. Szonye wrote:
>> - a program comprehensively covers as desired the entire encountered
>>   (not just anticipated) range and domain of its reachable state/data space.
>>    -> no errors, no problems.
> Are you talking about the program as designed or the program as
> implemented? If the program never encounters an error, that's good, but
> unless you can prove that it can't possibly encounter an error, you'll
> need to plan for the following two cases.

- agreed...

>> - a program reaches an unanticipated state, due to unanticipated data,
>>   and/or erroneous program code.
>>   -> data/state is still within the domain of the specified behavior
>>      of the code; no error, keeps running, although results may not be as
>>      intended.
> This situation is simply unacceptable in a program which must not halt.
> Not much you can say about it beyond that. If it's an embedded but
> non-critical app, you can halt, reset, and restart the system. You're
> pretty much screwed if it's a life-critical system.

- this condition was meant to depict the scenario where no errors were
  logically detected, but none-the-less were actually present, producing
  erroneous results due to logical code bugs, and/or unanticipated data
  value ranges, etc... (but not detected as an "errors", things simply keep
  going, arguably typical of most "non-catastrophic" failures resulting from
  program bugs).

  [ would be nice to avoid, but unlikely unless you know how to prove a
   program is comprehensively correct, which is likely impossible, as the
   description of the context in which a program would need to operate
   within would itself be a program subject to bugs, thus the best one could
   ever accomplish, would be to prove that two descriptions were self
   consistent; but not that either was itself actually correct. (would be
   nice but the world hasn't solved, "do what I meant, not what I said"), so
   the best one can do is try to delineate constraints on the program's
   behavior, and hope they were comprehensive enough to prevent catastrophic
   failure. ]

>>   -> data/state is outside the domain of the specified behavior of the code,
>>      error; program stops, whatever the program may have been doing (like
>>      controlling the cooling of a reactor core, it's not doing any longer,
>>      potentially catastrophic).
> I don't see much practical difference between these two cases, if the
> program truly must not fail. What good is it to keep the program running
> after you've detected an inconsistent program state or similar "panic"
> error? While the program may not "halt," it isn't doing what it's
> supposed to anymore, either. You can easily end up situations like the
> Airline catastrophe, where the incorrect data sets up a positive feedback
> loop.

- this condition was meant to depict the scenario where an unexpected state
  was actually detected, not by the program code, but by violation of the
  language or it's defined function's semantic specification which specified
  some condition as an error (such as divide by zero, or some code
  anticipated an byte value representing an numeric digit character being
  received from an input-stream, but actually received a alphabetic
  character value, and passed it to string->integer without checking, or
  whatever), therefore gets caught as a language run-time semantic
  violation, which isn't too difficult imagining happening, and that there
  are likely situations in which it would be preferable to not halt the
  program, (such as possibly if program had already accumulated a great
  amount of critical state history and/or context which may not be easily or
  quickly recoverable, and critical to subsequent processing requirements),
  therefore significantly more desirable to try to constrain the error to as
  fine a granularity context as possible, whether it be a subsystem, module,
  or single function, and return a known (safer than failure) result in it's
  place, thereby enabling the system to resume its execution in as close as
  possible context to the point in which the "error" was initially detected.

> If the program must not fail, then "soft" and "hard" failures are
> equally unacceptable....

- as I suspect you'd agree, unacceptable or not, they occur and must
  be dealt with in as practical a way as possible, as dictated by the
  application's requirement.

>> So maybe it would be more generally correct to observe that a
>> recoverable exception architecture possibly similar to MzScheme's
>> should considered for R6RS ....

> There is no general way to handle exceptional situations. One really
> must consider the nature of the program and the nature of the exception.
> Exception-handling is an important element of program design, and there
> is no generally-useful "default" IMO.

- fully agree that many factors influence the specification and utilization
  of exception handling within program code; however it should be clear that
  without a facility to enable the localized capture, classification and
  subsequent in-context resumption of scheme expressions which encounter
  "errors"; one can't even begin to specify exception handling behaviors,
  as may be desired, if not required for certain classes of applications.


Posted on the users mailing list.