Tue Jan 26 10:13:04 UTC 2010

David Woolley <david at ex.djwhome.demon.invalid> wrote:
> Richard B. Gilbert wrote:
>> If I see a notation in code saying, in effect, "can't get here" I add 
>> whatever call means "suicide with crash dump" if it's not already 
>> present.  I don't get many crash dumps but if the impossible happens I 
>> like to have it documented.
> In the environment in which I work, that strategy would be totally 
> uncacceptable to Marketing, as it essential that customer systems do not 
> stop dead.  I suspect that applies to many politically critical uses of 
> NTP.  Logging is desirable, but stopping is not.

Note it also was the way in which the first Ariane 5 launch failed.
The control system stopped dead because it encountered an overflow
in an unimportant calculation.  The backup system ran the same code
and stopped dead the same way.

Sometimes it is simply not clever to handle errors that way.
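The two positions above (die with a crash dump at a "can't get here" point, or log and keep running) can be made a single build-time policy rather than a rewrite. The following C example is added here for illustration and is not code from this thread or from the NTP reference implementation; the CANT_HAPPEN macro, the CANT_HAPPEN_ABORTS switch, the event counter and the leap-indicator helper are all constructed for the example. The "impossible" branch is driven by deliberately passing a value the caller's contract rules out, so the logging path can be observed without a core dump.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Policy switch for "can't get here" points (constructed for this example).
 *   1: abort(), so the process dies and leaves a core dump.
 *   0: log the event, count it, and let the caller fall back.
 * Defaults to 0 so the demonstration keeps running.
 */
#ifndef CANT_HAPPEN_ABORTS
#define CANT_HAPPEN_ABORTS 0
#endif

static unsigned long impossible_events = 0;

/* Record an invariant violation; what happens next depends on the policy. */
static void cant_happen(const char *file, int line, const char *what)
{
    impossible_events++;
    fprintf(stderr, "%s:%d: impossible condition reached: %s\n", file, line, what);
#if CANT_HAPPEN_ABORTS
    abort();   /* SIGABRT: a crash dump if core files are enabled */
#endif
}
#define CANT_HAPPEN(what) cant_happen(__FILE__, __LINE__, (what))

/* Number of "can't happen" points hit so far (for monitoring or tests). */
unsigned long impossible_event_count(void)
{
    return impossible_events;
}

/*
 * Constructed example: describe the NTP leap-indicator field, a 2-bit value
 * the caller is expected to have masked to 0..3 already. The default branch
 * is the "can't get here" point.
 */
const char *leap_indicator_name(unsigned li)
{
    switch (li) {
    case 0: return "no warning";
    case 1: return "last minute has 61 seconds";
    case 2: return "last minute has 59 seconds";
    case 3: return "clock unsynchronized";
    default:
        CANT_HAPPEN("leap indicator outside 0..3");
        /* Only reached when CANT_HAPPEN_ABORTS is 0: fall back to the
         * safest interpretation instead of stopping. */
        return "clock unsynchronized";
    }
}

int main(void)
{
    printf("%s\n", leap_indicator_name(1));
    printf("%s\n", leap_indicator_name(7));   /* violates the caller's contract */
    printf("impossible events seen: %lu\n", impossible_event_count());
    return 0;
}
```

Built with -DCANT_HAPPEN_ABORTS=1 the same source reproduces the crash-dump behaviour; built without it, the call is logged, counted and survived, which is the trade-off the thread is arguing about.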

