On Saturday 7 September 2024 16:19:20 CEST Marc Mutz via Development wrote: > So I fail to see how throwing precondition handlers, siting, security-wise, > smack between the Q_ASSERT and unchecked UB modes we already support > right _now_, could be any less acceptable than these polar ends? It's > just a new grey gradient stop between the current black and white ones > we already have.
I think you rewrote the paragraph above and it became disconnected. IIUC, you're arguing it's in-between the extreme of a UB whose behaviour we cannot predict at all and the safest that is the immediate stoppage of the application. You have a good argument and I mostly agree. But given *how* UB is actually emitted, I argue that exceptions are no better than the UB. That is, they're just as bad. They just have different bad behaviours. On one, the precondition violation will execute some unexpected code and very likely will corrupt some state (e.g., cancelling a timer that the object didn't own). On the other, the immediate problem gets prevented, but as a consequence untested code paths in the unwind path do get executed and those are equally in a bad state. Either way, it doesn't change our conclusion. Throwing on precondition violation is a useful tool for unit-testing some APIs and we want to have that, but using it in production code is dangerous because it's untested. Use at your own peril. -- Thiago Macieira - thiago.macieira (AT) intel.com Principal Engineer - Intel DCAI Platform & System Engineering
smime.p7s
Description: S/MIME cryptographic signature
-- Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development