by int08h
166 days ago
Hmm, it seems you actually agree with the OP. OP says (your quote):

> [Most production incidents] are due to the code entering a state that should never have been possible.

You say:

> [...] it is more true that most production incidents are due to the system entering into one of thousands of unsafe states which were possible and latent in production potentially for years

I see you both agree that a broken system enters an "unsafe state" (your words) or a "state that should never have been possible" (OP's words). "Unsafe state" and "state that should not have been possible" are, in practice in a real system, the same practical thing. I suspect you both would agree "system confuses a string for an integer and acts based on erroneous value" or "system acts on internal state that indicates the valve is both open and closed" would be states that a system should not be in. Outside pedantry, your descriptions are practically synonymous with each other.
Another way of casting it is like this. The goal may be:
1. Eliminate the possibility that code can enter an invalid state
2. Control the parameters of the system so that it remains in a safe condition
Those are very different goals.
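The two goals in the comment above, shown side by side on the commenter's own "valve is both open and closed" example. This is an added illustration, not code from the thread: a loose two-flag record that can express the contradiction and has to be guarded at every use (goal 2), next to an enum representation in which the contradictory state cannot be constructed at all (goal 1). The `LooseValve`, `ValveState`, `loose_actuate` and `strict_actuate` names are assumptions made for the example.

```python
"""Constructed illustration of two ways to keep a system out of an invalid state:
(1) make the contradictory state impossible to build, and
(2) allow a looser representation but check every transition at runtime."""
from dataclasses import dataclass
from enum import Enum


# Goal 2 style: a loose record. Nothing in the type stops both flags being set,
# so the invariant has to be re-checked wherever the record is acted upon.
@dataclass
class LooseValve:
    is_open: bool
    is_closed: bool

    def consistent(self) -> bool:
        # Runtime guard: exactly one of the two flags must hold.
        return self.is_open != self.is_closed


def loose_actuate(valve: LooseValve) -> str:
    """Act on the loose record, refusing a contradictory one."""
    if not valve.consistent():
        raise ValueError("valve reports open and closed at once")
    return "flow" if valve.is_open else "blocked"


# Goal 1 style: the contradictory state cannot be expressed at all.
class ValveState(Enum):
    OPEN = "open"
    CLOSED = "closed"


def strict_actuate(state: ValveState) -> str:
    """No consistency check needed: every value of ValveState is legal."""
    return "flow" if state is ValveState.OPEN else "blocked"


def demo() -> dict:
    """Exercise both styles, including the contradictory input the loose
    representation permits; returns a small result map for inspection."""
    results = {}
    results["loose_ok"] = loose_actuate(LooseValve(is_open=True, is_closed=False))
    try:
        loose_actuate(LooseValve(is_open=True, is_closed=True))
        results["loose_contradiction"] = "accepted"
    except ValueError:
        results["loose_contradiction"] = "rejected"
    # With the enum there is no way to even spell the contradictory case.
    results["strict_ok"] = strict_actuate(ValveState.CLOSED)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast: under goal 2 the guard in `loose_actuate` is the only thing standing between the program and acting on nonsense, and every new code path that reads a `LooseValve` must remember to repeat it; under goal 1 the check disappears because the type admits no state that needs checking.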