[bind10-dev] Robustness in BIND 10, was whether/when to use exceptions

David W. Hankins dhankins at isc.org
Thu Oct 15 21:11:10 UTC 2009


On Thu, Oct 15, 2009 at 12:19:04PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> My concern is that we'll often not be so sure about the reason and
> seriousness of assumption mismatch in DB::findrdataset().  Even though
> this may seem to be a minor error of missing validation at the caller
> side, this might actually happen because 'type' is taken from a
> collapsed object in memory, which may also indicate that the system is
> fundamentally broken and cannot be recovered from it safely.

You are correct:  Placing exceptions at all the places we currently
use fatal assertions leaves us with the same quandary; "What do we do
about it?"  We are in no better position to know the answer at the
point where the exception is thrown, because it is the same point we
place assertions today.

I think however that the catcher may be in a better position to know
what its options are than the thrower is.  The thrower just knows the
pieces of data being compared aren't making sense.  The catcher knows
if one of those sets of data is untrustworthy (from the network
indirectly), or if any of those sets of data has a more reliable or
original source that it can be refreshed from gracefully.

If all the places we currently place assertions had that sort of
knowledge and code to cope gracefully, they would be encumbered with a
lot more context than they really need for the operations they mainly
process...


So I think we're missing the point if there are going to be 'fatal'
exceptions.  The fatality of the problem should never be a question
for the leaves on the call tree.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
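
The thrower/catcher split described in the message above, as an added C++ example that is not BIND 10 code: RdataDB, findRdataset, AssumptionMismatch, Origin and handleLookup are hypothetical names, and the small RR-type store is constructed inline. The leaf reports only what it knows (the values do not make sense together); the caller, which knows where the type value came from, decides whether to reject an untrusted network request, refresh a cached copy from its original source and retry, or treat a mismatch fed purely by internal state as unrecoverable.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical names for illustration only; none of this is BIND 10 API.

// Thrown by a leaf that only knows "these values don't make sense together".
// It carries the facts it has and makes no claim about how fatal that is.
struct AssumptionMismatch : std::logic_error {
    uint16_t type;
    AssumptionMismatch(uint16_t t, const std::string& why)
        : std::logic_error(why), type(t) {}
};

// Where the caller obtained the 'type' value it is about to look up.
enum class Origin { Network, Cache, Internal };

// Toy store keyed by RR type code (1 = A, 28 = AAAA), constructed inline.
class RdataDB {
public:
    RdataDB() {
        store_[1]  = {"192.0.2.1"};
        store_[28] = {"2001:db8::1"};
    }
    // Leaf: checks its own precondition and reports, nothing more.
    const std::vector<std::string>& findRdataset(uint16_t type) const {
        if (type == 0) {
            throw AssumptionMismatch(type, "RR type 0 is reserved, nothing can be stored under it");
        }
        auto it = store_.find(type);
        return it == store_.end() ? empty_ : it->second;
    }
private:
    std::map<uint16_t, std::vector<std::string>> store_;
    std::vector<std::string> empty_;
};

struct Outcome {
    enum Kind { Answered, Rejected, Recovered, Fatal } kind;
    size_t count;      // rdata found when kind is Answered or Recovered
    std::string note;
};

// Catcher: knows the provenance of 'type', so it can pick the response.
// 'refresh' re-derives the type from its authoritative source (Cache case).
Outcome handleLookup(const RdataDB& db, uint16_t type, Origin origin,
                     const std::function<uint16_t()>& refresh = nullptr) {
    try {
        const auto& rrs = db.findRdataset(type);
        return {Outcome::Answered, rrs.size(), "ok"};
    } catch (const AssumptionMismatch& e) {
        switch (origin) {
        case Origin::Network:
            // Untrusted wire data: reject this request, keep serving others.
            return {Outcome::Rejected, 0, std::string("FORMERR: ") + e.what()};
        case Origin::Cache:
            // A derived copy went bad; rebuild from the original and retry once.
            if (refresh) {
                uint16_t fresh = refresh();
                try {
                    const auto& rrs = db.findRdataset(fresh);
                    return {Outcome::Recovered, rrs.size(), "refreshed from origin"};
                } catch (const AssumptionMismatch& again) {
                    return {Outcome::Fatal, 0, std::string("origin is bad too: ") + again.what()};
                }
            }
            return {Outcome::Fatal, 0, "no source to refresh from"};
        case Origin::Internal:
            // Only internal state fed this value: memory may be corrupt.
            return {Outcome::Fatal, 0, std::string("internal state: ") + e.what()};
        }
        return {Outcome::Fatal, 0, "unreachable"};
    }
}

int main() {
    RdataDB db;
    const Origin origins[] = {Origin::Network, Origin::Cache, Origin::Internal};
    for (Origin o : origins) {
        Outcome r = handleLookup(db, 0, o, [] { return uint16_t(28); });
        std::cout << "type 0 from origin " << static_cast<int>(o)
                  << " -> kind " << r.kind << ": " << r.note << "\n";
    }
    return 0;
}
```

The same AssumptionMismatch is thrown in all three runs; only the catcher's knowledge of where the value came from changes the outcome, which is the point of keeping severity decisions out of the leaves.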