Dead Programs Tell No Lies

Dead Programs Tell No Lies

Have you noticed that sometimes other people can detect that things aren't well with you before you're aware of the problem yourself? It's the same with other people's code. If something is starting to go awry with one of our programs, sometimes it is a library routine that catches it first. Maybe a stray pointer has caused us to overwrite a file handle with something meaningless. The next call to read will catch it. Perhaps a buffer overrun has trashed a counter we're about to use to determine how much memory to allocate. Maybe we'll get a failure from malloc. A logic error a couple of million instructions ago means that the selector for a case statement is no longer the expected 1, 2, or 3. We'll hit the default case (which is one reason why each and every case/switch statement needs to have a default clausewe want to know when the " impossible " has happened ).

It's easy to fall into the "it can't happen" mentality . Most of us have written code that didn't check that a file closed successfully, or that a trace statement got written as we expected. And all things being equal, it's likely that we didn't need tothe code in question wouldn't fail under any normal conditions. But we're coding defensively. We're looking for rogue pointers in other parts of our program trashing the stack. We're checking that the correct versions of shared libraries were actually loaded.

All errors give you information. You could convince yourself that the error can't happen, and choose to ignore it. Instead, Pragmatic Programmers tell themselves that if there is an error, something very, very bad has happened.

Crash, Don't Trash

One of the benefits of detecting problems as soon as you can is that you can crash earlier. And many times, crashing your program is the best thing you can do. The alternative may be to continue, writing corrupted data to some vital database or commanding the washing machine into its twentieth consecutive spin cycle.

The Java language and libraries have embraced this philosophy. When something unexpected happens within the runtime system, it throws a RuntimeException. If not caught, this will percolate up to the top level of the program and cause it to halt, displaying a stack trace.

You can do the same in other languages. If you don't have an exception mechanism, or if your libraries don't throw exceptions, then make sure you handle the errors yourself. In C, macros can be very useful for this:

  #define  CHECK(LINE, EXPECTED)               \       {  int  rc = LINE;                          \  if  (rc != EXPECTED)                     \             ut_abort(__FILE__, __LINE__, #LINE,  rc, EXPECTED); }  void  ut_abort(  char  *file,  int  ln,  char  *line,  int  rc,  int  exp) {       fprintf(stderr,  "%s line %d\n'%s': expected %d, got %d\n",  file, ln, line, exp, rc);       exit(1);     } 

Then you can wrap calls that should never fail using

 CHECK(stat("/tmp", &stat_buff), 0); 

If it should fail, you'd get a message written to stderr:

 source.c line 19     'stat("/tmp", &stat_buff)': expected 0, got -1 

Clearly it is sometimes inappropriate simply to exit a running program. You may have claimed resources that might not get released, or you may need to write log messages, tidy up open transactions, or interact with other processes. The techniques we discuss in When to Use Exceptions, will help here. However, the basic principle stays the samewhen your code discovers that something that was supposed to be impossible just happened, your program is no longer viable . Anything it does from this point forward becomes suspect, so terminate it as soon as possible. A dead program normally does a lot less damage than a crippled one.

Related sections include:

• Design by Contract

• When to Use Exceptions