[plt-scheme] to define, or to let (new twist)

From: Joe Marshall (jrm at ccs.neu.edu)
Date: Wed Mar 24 14:06:44 EST 2004

"Bradd W. Szonye" <bradd+plt at szonye.com> writes:

> Paul Schlie wrote:
>
>>   -> data/state is still within the domain of the specified behavior
>>      of the code; no error, keeps running, although results may not be as
>>      intended.
>>
>>   -> data/state is outside the domain of the specified behavior of the code,
>>      error; program stops, whatever the program may have been doing (like
>>      controlling the cooling of a reactor core, it's not doing any longer,
>>      potentially catastrophic).
>
> I don't see much practical difference between these two cases, if the
> program truly must not fail. What good is it to keep the program running
> after you've detected an inconsistent program state or similar "panic"
> error? While the program may not "halt," it isn't doing what it's
> supposed to anymore, either. You can easily end up in situations like the
> Ariane catastrophe, where the incorrect data sets up a positive feedback
> loop.
>
> If the program must not fail, then "soft" and "hard" failures are
> equally unacceptable.

Agreed.  And it is far easier to build a robust system on top of a
fail-fast system than on top of a fail-slow one.
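To make the fail-fast versus fail-slow distinction concrete, here is an added example (not code from this thread or from PLT Scheme) in Python: a toy control loop in which a sensor fault produces an out-of-domain reading. The fail-slow step keeps computing on it and the command runs away; the fail-fast step refuses it, and a supervisor built on top of it can fall back to a known-safe command. The sensor trace, domain bounds, setpoint and runaway limit are all constructed for the illustration.

```python
"""Fail-fast vs fail-slow in a simple control loop (added example)."""


class DomainError(Exception):
    """Raised when an input is outside the component's specified domain."""


# Constructed sensor trace: plausible readings, then a stuck sensor
# returning a value that is outside the specified domain [0, 200].
SENSOR_TRACE = [20.0, 21.0, 22.0, -999.0, -999.0, -999.0]
SETPOINT = 20.0          # constructed target value
LIMIT = 100.0            # a command beyond this counts as runaway
DOMAIN = (0.0, 200.0)    # constructed valid range for a reading


def fail_slow_step(reading, command):
    """Accepts any reading: the bad value drives the command further every
    step (positive feedback on an error) and nothing ever stops it."""
    return command + 0.5 * (SETPOINT - reading)


def fail_fast_step(reading, command):
    """Refuses readings outside its domain instead of guessing."""
    lo, hi = DOMAIN
    if not lo <= reading <= hi:
        raise DomainError(f"reading {reading} outside [{lo}, {hi}]")
    return command + 0.5 * (SETPOINT - reading)


def run_unsupervised(trace):
    """Fail-slow system: returns (final command, ran_away)."""
    command = 0.0
    for reading in trace:
        command = fail_slow_step(reading, command)
    return command, command > LIMIT


def run_supervised(trace):
    """Robust system built on the fail-fast component: the supervisor
    catches the component's error and switches to a safe command."""
    command = 0.0
    for reading in trace:
        try:
            command = fail_fast_step(reading, command)
        except DomainError:
            return 0.0, "safe-mode"   # known-safe fallback, loop halted
    return command, "ok"
```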

Posted on the users mailing list.