[Development] Disavowing the Lakos Rule for Q_ASSERT
Thiago Macieira
thiago.macieira at intel.com
Sat Sep 7 16:44:04 CEST 2024
On Saturday 7 September 2024 16:19:20 CEST Marc Mutz via Development wrote:
> So I fail to see how throwing precondition handlers, siting, security-wise,
> smack between the Q_ASSERT and unchecked UB modes we already support
> right _now_, could be any less acceptable than these polar ends? It's
> just a new grey gradient stop between the current black and white ones
> we already have.
I think you rewrote the paragraph above and it became disconnected.
IIUC, you're arguing it's in-between the extreme of a UB whose behaviour we
cannot predict at all and the safest that is the immediate stoppage of the
application. You have a good argument and I mostly agree.
But given *how* UB is actually emitted, I argue that exceptions are no better
than the UB. That is, they're just as bad. They just have different bad
behaviours. On one, the precondition violation will execute some unexpected
code and very likely will corrupt some state (e.g., cancelling a timer that
the object didn't own). On the other, the immediate problem gets prevented,
but as a consequence untested code paths in the unwind path do get executed
and those are equally in a bad state.
Either way, it doesn't change our conclusion. Throwing on precondition
violation is a useful tool for unit-testing some APIs and we want to have
that, but using it in production code is dangerous because it's untested. Use
at your own peril.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Principal Engineer - Intel DCAI Platform & System Engineering
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5152 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/development/attachments/20240907/23798c13/attachment.bin>
More information about the Development
mailing list