"Dead programs tell no lies" in the context of GUI programs

Question

In The Pragmatic Programmer, the authors write:

One of the benefits of detecting problems as soon as you can is that you can crash earlier, and crashing is often the best thing you can do. The alternative may be to continue, writing corrupted data to some vital database or commanding the washing machine into its twentieth consecutive spin cycle.

...when your code discovers that something that was supposed to be impossible just happened, your program is no longer viable. Anything it does from this point forward becomes suspect, so terminate it as soon as possible.

To what extent does this principle apply in the context of GUI applications? That is, is the best course of action when faced with an unanticipated exception or an assertion failure to terminate the GUI program (possibly with an appropriate error messages to the user). What are the trade offs involved in applying it or not applying it?

What about single-page javascript applications? For example, terminating the page (or perhaps prompting to refresh?) when an uncaught promise rejection is detected.

Answer 1

Quoting the same passage from the book (emphasis mine):

One of the benefits of detecting problems as soon as you can is that you can crash earlier, and crashing is often the best thing you can do. The alternative may be to continue, writing corrupted data to some vital database or commanding the washing machine into its twentieth consecutive spin cycle.

...when your code discovers that something that was supposed to be impossible just happened, your program is no longer viable. Anything it does from this point forward becomes suspect, so terminate it as soon as possible.

When a programmer uses an assertion, they're saying "This should never happen." Normally, terminating the program under these conditions is an appropriate response, especially since the programmer's assertion has been violated for unknown reasons. This is as true of a program with a GUI as it is for a console program or service.

For normal exceptions, the question becomes the same as it's always been: can we meaningfully recover from this exception? That depends; did the exception occur during a write to a critical database, or did the user simply give us a file name that does not exist?

Answer 2

I think you are asking the wrong question. IMHO it is pretty obvious that the principle applies especially in the context of GUI (and other UI) applications, and one should better ask if it applies also in the context of non-UI applications.

Why? Simply because for a UI program, there is usually a user sitting in front of the system who can react accordingly. When a UI program detects something which indicates a bug in the running process, there is no justification to sweep this under the rug, or pretend nothing really bad happened. The process should terminate with a clearly visible error message, maybe together with some post-mortem information. This immediately gives the user who sees the message the possibility for taking a sensible course of action. Depending on the kind of application, this might be something like

• restart the program again and try if the failure will occur again

• try if the issue can be circumvented

• check if some data was lost and initiate a recovery procedure

• call the hotline, or send them an email with the error message and a description what has happened

• use a different program (or maybe no software at all) as long as there is no bug fix available

or whatever makes most sense for the given system. Doing this as early as possible will not only prevent the program from actively cause any unintended damage, but also make it easier for the hotline or the maintenance dev to find the root cause of the issue.

For non-UI applications, the situation is a little bit more complicated. They will often require some automatic failure handling, because the systems are typically working unattended. To implement this in a reliable fashion, one usually makes use of multiple processes, where at least one process, which is not too complex and written in a robust manner, has the role of a monitor or controller, and others have the role of workers. The worker processes can still follow the "crash-early" principle. For the controller, a worker which crashes is an anticipated behaviour. So the controller can apply some heuristics how to react accordingly (often, it automates exactly the actions listed above, the ones a human would apply for a crashed GUI program). There exist other models than worker-controller for resolving this issue, but all of them utilize multiple processes.

Today even lots of complex GUI applications like web browsers, word processors or dozens of other programs are implemented that way: certain parts of them run in external processes. When such a process "crashes early", it is often not necessary to shutdown the whole program, just terminating the process, and giving the user some of the options I mentioned, directly within the GUI, can be enough.

Answer 3

In short

Yes, early crash is an advisable approach also for GUI, but at the same time, the robustness expectations being higher, one shall seek to minimize as much as psosible the risk of reaching an inconsistent state.

Some more arguments

Early crash in a GUI

A GUI has the goal to make user’s life easy and the system understandable. When crashing, a GUI is no longer graphical and the user is lost. It failed its prime purpose. Here, for example, is an inviting cafeteria screen at an airport:

Nevertheless, if the system detects that it can no longer guarantee reliable operations (e.g. unexpected inconsistency, resources exhausted, etc...), and it can do nothing to revert to a safe situation, the best thing is indeed to terminate in a way to limit damage as much as possible. It's not only an advice of Andy Hunt’s pragmatic programmer, it's also an ethical principle: AVOID HARM.

Is it the only way?

Before jumping prematurely to an easy early-crash solution, ask yourself critically how the detected inconsistency could be avoided in the first place, and if it is unavoidable how it can be recovered from. Here a more friendly recoverable action:

Instead of finding out that the pipe arm is not where it is supposed to be, it shows a useful error in a user friendly way. It does not crash. Depending on its design, it could retry, clean the current state and restart the arm control subsystem, or just give further instruction when the technician opens the device.

More robust systems

My point here is that the "crash early" is still valid, but it should not be considered in isolation, without at the same time considering making the system more robust.

How many so called "internal errors" are just bugs or consequences of poor practice: nowadays hackers still exploit buffer overflows, because it was forgotten to sanitize the input? Segmentation faults still happen because someone assumed memory allocation always works. Divide by zero still crashes because that defect sensor returned 0 Kelvins (that's -273°C: couldn't someone have checked that the parameter is in an acceptable range?).

Moreover, there are quite some errors that can be recovered: a function may raise an exception that is caught to limit damage; a module, a thread, a process, a subsystem may be killed/reinitialized/restarted. The system can even diagnose itself looking at performance stats to inform user preventively that the system is under unusually high load.

And there are systems that are not allowed to fail. In the 20th century, Margaret Hamilton saved the Apollo team by designing a priority-based scheduler that could cope with (unanticipated) capacity overload. If she had just written a crash early, some astronauts would not have made it back to Earth.

We are in the 21st century: every smartphone has 100 times the processing power of an Apollo space computer. A lot can be done to prevent a crash in the first instance.

Conclusion

So yes, consider the crash-early advice of the pragmatic programmer as valid. But please, consider in the same time at least some elementary defensive programming practices such as verifying parameters and verifying error status after a call. And maybe the higher robustness will require revising the architecture or some additional design, but your users will definitively value it.

Answer 4

It depends. In theory, everything is possible and terminating the whole process is the only safe course of action.

In practice, we (= my company) do the following: When an unexpected error occurs in the business logic layer or below, we

• catch the exception in the UI layer,
• rollback all transactions,
• log the error,
• show an error message to the user, and then
• let the user continue to work in the UI layer.

It works for us, because (a) all important database operations are done in the business layer and (b) we use transactions to ensure atomicity of operations, so reverting back to the UI layer is reverting back to a known safe state.

Yes, there is the possibility that the UI might now show outdated data, but this is something that can always occur in multi-user systems (even without unexpected errors), so the program needs to be able to to deal with it anyway.

We've been doing that for decades and, so far, we have not had one single data corruption that could have been prevented by deliberately crashing the UI. For our software, this has turned out to be the right compromise between safety and user experience. Obviously, if your software is safely-critical (ours isn't) and human lives are at stake, your choice might be different.

Answer 5

The assert() primitive is a classic way to test for a condition and to throw an exception if "what can never happen ... just did." When designing software, I fill my code with assertions (and similar "suspicious defenses"), and upon deployment I leave them in. My software is always looking out for trouble, because "the software itself" is really the only party that is capable of realizing that something is wrong and calling attention to it.

Your application should have an "outermost-level" exception handler which will intercept "an exception of last resort," and you should carefully work out a meaningful class hierarchy for those exceptions – above and beyond whatever is built-in to the language. Be specific in trapping the exceptions that you expect to find in a particular section of the code, allowing unexpected exceptions to bubble-up to a higher level handler. Figure out a strategy for handling them all, even if one is "we now have no choice but to terminate the program."

The "exception" mechanism can also be used as a goto of sorts. For example, you might be deeply buried in code when you realize that the user made a mistake. You can throw an exception of an appropriate class, knowing that it will eventually be caught by the chosen handler. You can attach arguments to the exception object, and I suggest that one (dummy ...) argument should be one that allows you to uniquely identify the point in the code where it was thrown. This is actually a very clean way to handle these "exceptional" situations.

"If something goes wrong, a yellow baseball is going to come flying from somewhere toward the catcher's mitt. Therefore, if you don't see such a baseball, nothing has gone wrong (yet) because everybody's looking for trouble."

Answer 6

As you're asking about what you perceive to be a difference between "GUI" applications and "non-GUI", which I will interpret as no UI at all since the passage quoted refers to washing machines, it seems to me there are two significant differences between them. Note that I'm using my own experience - I develop both embedded control and related GUI, plus some general scripts.

In a GUI application, you have the option to communicate. This is much harder in, say, a motor car's fuel injection controller. Given this, it makes a lot of sense to inform the user of what you think went wrong, even if that's just "the programmer asserted that X should be 0 and it's not", before giving up. If it's a desktop application with no external influence beyond corrupting files, you may choose then to offer an option to carry on regardless. However, I'd weigh that up with serious consideration first.

In an embedded controller, carrying on regardless is likely to have serious potential consequences. On the other hand, giving up completely may not be much better. A fuel injection controller that just stops completely when you're in the middle of overtaking on a single carriageway road with a bend coming up (yes, I've been there!) really isn't good. In this case disabling only part of the functionality or, in extremis, rebooting (quickly!) is a better option.

So as to whether the advice "also" applies to a GUI, I'd say in many ways it applies more to a GUI, but the distinction isn't the right one. The important distinction is whether the application is mission / safety critical and, if so, what the results of the FMEA are.

Answer 7

In production environment, when unexpected crash may not be preferred, it is often possible to abort a smaller unit of execution. For GUI, this would often be a single user action (menu item selected, keystroke, icon clicked or the like), logging the error somewhere and reverting the application to the state as was. The action will not work, and the bug will be reported but this is much less annoying than crashing the whole application.

For server application is often a single web request that can be aborted, but for security reasons you may also need to invalidate the session. Here also, if we shutdown the server, the administrator will likely just restart it anyway.

For serial document analysis, web crawling, it is usually a single document or picture. Here it is important to log what has not been processed, and the possibility to reprocess the failed entries at some time later.

A database transaction is a very useful feature in this context, as it allows to stay in consistent state after rollback. Worst designs I ever seen were making multiple changes in the database without transactions, so that a crash leaves it inconsistent.

Terminating such an execution unit is one of the proper ways of using exceptions. The unit is terminated by throwing the exception that is caught by the code responsible for the cleanup and starting another unit. Apart from logging, this code normally does not care about the precise reason, why did the previous unit failed. Hence huge diversity of exceptions is not needed. Google Go only has one exception, 'panic'.

Answer 8

I think an informative decision on handling errors in UI comes from one of the most ubiquitous UI technologies - React. The following snippet comes from the documentation on Error Boundaries, which are components that can catch and handle errors from components nested below them in the hierarchy:

As of React 16, errors that were not caught by any error boundary will result in unmounting of the whole React component tree.

We debated this decision, but in our experience it is worse to leave corrupted UI in place than to completely remove it. For example, in a product like Messenger leaving the broken UI visible could lead to somebody sending a message to the wrong person. Similarly, it is worse for a payments app to display a wrong amount than to render nothing.

This doesn't inform much about error-handling in UIs in general, but does provide a good example for why it's a reasonable default to bubble up errors and fail completely when an error isn't explicitly handled.

Answer 9

When you encounter a situation where you don’t know what to do, the only thing to do is throw up your hands and say “I don’t know what to do” and stop doing what you were trying to.

A GUI is composed of various sub systems, and all of those systems should do the same thing with a situation they don’t know how to handle — throw up their metaphorical hands and metaphorically say “I don’t know what to do”. Eventually that message will either become lost or will reach a part of the process that knows what to do.

It doesn’t matter if it’s a GUI application or function in a command line or an AWS function. Anything else is, as the quote implies, a lie. Told to do something, the system either reports back “did it” when in fact they didn’t or just never says anything again. Both are a lie.

Crash early, crash often.