On Tuesday, June 12, 2018 17:38:07 wjoe via Digitalmars-d-learn wrote:
> On Monday, 11 June 2018 at 00:47:27 UTC, Jonathan M Davis wrote:
> > On Sunday, June 10, 2018 23:59:17 Bauss via Digitalmars-d-learn
> > wrote:
> > Errors are supposed to kill the program, not get caught. As
> > such, why does it matter if it can throw an Error?
> >
> > Now, personally, I'm increasingly of the opinion that the fact
> > that we have Errors is kind of dumb given that if it's going to
> > kill the program, and it's not safe to do clean-up at that
> > point, because the program is in an invalid state, then why not
> > just print the message and stack trace right there and then
> > kill the program instead of throwing anything? But
> > unfortunately, that's not what happens, which does put things
> > in the weird state where code can catch an Error even though it
> > shouldn't be doing that.
> Sorry for off topic but this means that I should revoke a private
> key every time a server crashes because it's not possible to
> erase secrets from RAM ?

The fact that an Error was thrown means that either the program ran out of a
resource that it requires to do its job and assumes is available such that
it can't continue without it (e.g. failed memory allocation) and/or that the
program logic is faulty. At that point, the program is in an invalid state,
and by definition can't be trusted to do the right thing. Once the program
is in an invalid state, running destructors, scope statements, etc. could
actually make things much worse. They could easily be operating on invalid
data and do entirely the wrong thing. Yes, there are cases where someone
could look at what's happening and determine that based on what exactly went
wrong, some amount of clean-up is safe, but without knowing exactly what
went wrong and why, that's not possible.

And remember that regardless of what happens with Errors, other things can
kill your program (e.g. segfaults), so if you want a robust server
application, you have to deal with crashes regardless. You can't rely on
your program always exiting cleanly or doing any proper clean-up, much as
you want it to exit cleanly normally. Either way, if your program is
crashing frequently enough that the lack of clean-up poses a real problem,
then you have serious problems anyway. Certainly, if you're getting enough
crashes that having to do something annoying like revoke a private key is
happening anything but rarely, then you have far worse problems than having
to revoke a private key or whatever else you might have to do because the
program didn't shut down cleanly.

- Jonathan M Davis
