Comments on: Dead Programs Tell No Tales (or “We don’t need no stinkin’ error handling!”) http://blog.markturansky.com/archives/42 software architecture & engineering, code hints, sometimes philosophy, photography, life, etc. Sun, 20 Jun 2010 07:51:38 -0400 http://wordpress.org/?v=2.8.6 hourly 1 By: Roger Hayes http://blog.markturansky.com/archives/42/comment-page-1#comment-866 Roger Hayes Wed, 10 Sep 2008 17:06:32 +0000 http://blog.markturansky.com/archives/42#comment-866 See "fail-stop", Schlichting 1983. See “fail-stop”, Schlichting 1983.

]]> By: » Code complete doesn’t mean you’re done http://blog.markturansky.com/archives/42/comment-page-1#comment-134 » Code complete doesn’t mean you’re done Wed, 13 Feb 2008 11:00:13 +0000 http://blog.markturansky.com/archives/42#comment-134 [...] our case, testing with big numbers revealed concurrency issues that we did not and could not find when developing with simple, smaller tests. Our multi-threaded, [...] [...] our case, testing with big numbers revealed concurrency issues that we did not and could not find when developing with simple, smaller tests. Our multi-threaded, [...]

]]> By: Dan http://blog.markturansky.com/archives/42/comment-page-1#comment-103 Dan Thu, 07 Feb 2008 13:22:35 +0000 http://blog.markturansky.com/archives/42#comment-103 I am on Mark's team. Paul: Good point about development-time assertions. They are a typically overlooked strategy in most Java-land projects I've seen (my own included!). I think I'm going to make it a point when we get back to do a sweep of the codebase and strengthen our pre/postcondition assertions into actual Assert assertions. I believe we got pretty focused on the "try to work for as long as possible" aspect prematurely. Thanks for the sanity check. Ram: Another good point. For some reason, Mark didn't mention in his post that we relied heavily upon remote debugging and thread dumps to track down these problems. I don't know what we'd do without the JMX console and jdb... I think it'd be nearly impossible to build a large, stable concurrent system like without them. I am on Mark’s team.

Paul:
Good point about development-time assertions. They are a typically overlooked strategy in most Java-land projects I’ve seen (my own included!). I think I’m going to make it a point when we get back to do a sweep of the codebase and strengthen our pre/postcondition assertions into actual Assert assertions. I believe we got pretty focused on the “try to work for as long as possible” aspect prematurely. Thanks for the sanity check.

Ram:
Another good point. For some reason, Mark didn’t mention in his post that we relied heavily upon remote debugging and thread dumps to track down these problems. I don’t know what we’d do without the JMX console and jdb… I think it’d be nearly impossible to build a large, stable concurrent system like without them.

]]> By: Ram http://blog.markturansky.com/archives/42/comment-page-1#comment-97 Ram Tue, 05 Feb 2008 22:41:13 +0000 http://blog.markturansky.com/archives/42#comment-97 Thats why you have the thread dump ! Thread dumps are always more useful than exception stack trace. Tools like Lockness make the job of identifying a problem. If your whole application model is state based (Read NIO) with a lot of transitions - you are back to square one where depending on logs is the best bet - since a prior state affects the behavior of the next transitioned state. These are hard to replicate problems. Thats why you have the thread dump ! Thread dumps are always more useful than exception stack trace. Tools like Lockness make the job of identifying a problem. If your whole application model is state based (Read NIO) with a lot of transitions – you are back to square one where depending on logs is the best bet – since a prior state affects the behavior of the next transitioned state. These are hard to replicate problems.

]]> By: Paul W. Homer http://blog.markturansky.com/archives/42/comment-page-1#comment-96 Paul W. Homer Tue, 05 Feb 2008 20:01:55 +0000 http://blog.markturansky.com/archives/42#comment-96 The trick, I've always found is to reduce the time between the problem occurring, and the program stopping, when in development. Way back, we would use assert statements in C and set the debug flag to true while we were developing. Any problem, no matter how tiny would grind the whole system to a halt. You can't move forward until you've fixed the base problems. That would force the developers to fix the problems instead of ignoring them. Problems often cascade, so an earlier ignored problem might actually the part of the cause of a latter one. It is always best to deal with the problems in the order they occurred. That strategy is great for development, but lousy for support. Once in 'wild' the code should try to work for as long as possible (producing lots of nasty log messages if needed), and there should be plenty of room for work-arounds. There should be a way to get a huge amount of information 'easily' from the users once the system has crashed. In that type of case, too much information is never a problem, too little is. Once a problem has been diagnosed, a work-around is the first (and cheapest) approach, while a patch is a fall back. I've always found that mixing between the two strategies based on running environment is the best way to handle the two completely opposite problems. Paul. http://theprogrammersparadox.blogspot.com The trick, I’ve always found is to reduce the time between the problem occurring, and the program stopping, when in development. Way back, we would use assert statements in C and set the debug flag to true while we were developing. Any problem, no matter how tiny would grind the whole system to a halt. You can’t move forward until you’ve fixed the base problems. That would force the developers to fix the problems instead of ignoring them.

Problems often cascade, so an earlier ignored problem might actually the part of the cause of a latter one. It is always best to deal with the problems in the order they occurred.

That strategy is great for development, but lousy for support. Once in ‘wild’ the code should try to work for as long as possible (producing lots of nasty log messages if needed), and there should be plenty of room for work-arounds. There should be a way to get a huge amount of information ‘easily’ from the users once the system has crashed. In that type of case, too much information is never a problem, too little is. Once a problem has been diagnosed, a work-around is the first (and cheapest) approach, while a patch is a fall back.

I’ve always found that mixing between the two strategies based on running environment is the best way to handle the two completely opposite problems.

Paul.
http://theprogrammersparadox.blogspot.com

]]> By: Georgi http://blog.markturansky.com/archives/42/comment-page-1#comment-95 Georgi Tue, 05 Feb 2008 17:49:28 +0000 http://blog.markturansky.com/archives/42#comment-95 Hi Mark, I had a deja vue straight ahead reading your article. We had exactly the same problem with toArray() in a server, it was a list that stored notification e-mails to be sent in case a fatal error occured. All program parts and Threads can access this interface. A customer called stating that no emails are sent any more so we analysed the problem, found the bug pretty fast and fixed it within minutes. It was a one in a million chance: Two parts of the program "went fatal" and wanted to send an email simultaneously. Finding the erroneous part that quick only was possible because we have a kind of logging-guidelines and do improve the software from time to time. This way, we do not have that much "error" - logging entries (and merely never a "fatal" one) and can follow them up pretty fast. Will say: We try to avoid to log into the error-channel where possible. (Part)Recoverable actions that occur (i.e. connection errors where you can retry etc.) are logged into the info-channel more and more as the program evolves. Thus I think it is not an option to exit a program (or more worse: To System.exit() in case you write a Framework or module for your program). Just imagine you go to productive level and forget a System.exit() - statement ... . It will help much more to improve where/what/how to log. If you want to, have a look at http://goit-postal.blogspot.com/2007/01/how-to-successful-log-in-programming.html . Just my 0,02$, Georgi Hi Mark,

I had a deja vue straight ahead reading your article. We had exactly the same problem with toArray() in a server, it was a list that stored notification e-mails to be sent in case a fatal error occured. All program parts and Threads can access this interface. A customer called stating that no emails are sent any more so we analysed the problem, found the bug pretty fast and fixed it within minutes. It was a one in a million chance: Two parts of the program “went fatal” and wanted to send an email simultaneously.

Finding the erroneous part that quick only was possible because we have a kind of logging-guidelines and do improve the software from time to time. This way, we do not have that much “error” – logging entries (and merely never a “fatal” one) and can follow them up pretty fast. Will say: We try to avoid to log into the error-channel where possible. (Part)Recoverable actions that occur (i.e. connection errors where you can retry etc.) are logged into the info-channel more and more as the program evolves.

Thus I think it is not an option to exit a program (or more worse: To System.exit() in case you write a Framework or module for your program). Just imagine you go to productive level and forget a System.exit() – statement … .

It will help much more to improve where/what/how to log. If you want to, have a look at http://goit-postal.blogspot.com/2007/01/how-to-successful-log-in-programming.html .

Just my 0,02$, Georgi

]]>