Ideas on Glitching in Rust
I must be missing the point here, because this feels like bad advice. Calls like `panic` and `expect` and `assert` are there to uphold invariants, i.e. to deal with things that should never happen unless there is a logic error that invalidates the assumptions you hold about your program. It means "if you got here, I (the programmer) probably fucked up badly".
If an operation is fallible, it should return an error type and make it the job of the caller to deal with that. Silently returning default seems like a disaster waiting to happen, ala On Error Resume Next (which indeed was a disaster to deal with).
Now if this panic handler, instead of silently continuing in release mode, invoked some sort of "save your work and restart" handler such that the user doesn't lose anything and the program would restart in a known-good state, that seems like it would be a sensible way of doing things.
Actually that’s a fair point that should be clarified. These would be in places where practically panicking cannot happen, so you be tempted to swallow the Error and continue. But they should only be used where recovering with Default is okay.
[I added a note [NOTE: this strategy should only be used where returning early or default would be obvious to the user and be consistent with the upstream handling of an Err or None value.]]
First day at a new job: There's a bug in the password check at login... anyone who enters a valid user id can login... (on error resume next)
Oh, and variables like a1...a34, etc. and the passwords themselves... Database table [Phone2] ... why/how/wtf?!? Nobody knows. That was a godawful mess I will never forget.
This approach is brittle to upstream code changes, and I don't think it should be used, but at least there is an effort to avoid catastrophic behavior (unlike Linus's philosophy for Linux). Both panicking and arbitrarily-nested error bubbling are more standard and recommended, but I think they are still suboptimal, mainly for code quality/maintainability, and should be phased out gradually. I think the viable methods for robust software are promptly handling errors or making errors unrepresentable. To promptly handle errors, the program should be structured such that error bubbling nests shallowly. Unrepresentable errors work within type systems or formal verification, such as the classic advice of "parse, don't validate"[0], giving no way to speak of an error state (so hopefully a cosmic ray never causes it!). These latter approaches are more ideal, but can be a pain to implement.
[0] https://lexi-lambda.github.io/blog/2019/11/05/parse-don-t-va...
Error handling patterns very much depend on the domain with possibly completely opposite recommendations, and any principles should specify in which domain it is a good approach.
Pure and deterministic algorithms can have the luxury of having much more strict and concrete error handling strategies.
On the other hand, "promptly handling errors" sounds naive for large distributed systems where almost every call can fail for reasons unknown. Experience has already shown that exactly the opposite approach - just panic and restart the "service" (process in Erlang terms, but it's got nothing to do with Unix processes and is far more granular) can build extremely reliable systems. In conventional programming languages, that roughly corresponds to adding top-mid-level error boundaries (exception/panic handlers) at critical junctures.
But perhaps that's what you mean by "error bubbling nests shallowly"? No idea, since it's not exactly clear.
I generally agree with you. I have a bad habit of simplifying my statements and losing nuance. If an error occurs, it should be handled reasonably and soon. If the cause or solution to an error is unclear, restarting at the task boundary is valid. Blowing away the whole task in one stroke is an instance of handling the error promptly. If the solution is in-task, it should be expediently reached through the call structure. Returning through many functions, performing cleanup all the while, in order to reach the handler is the pattern of deeply-nested error bubbling that I dislike.
Of course, this is still a cursory description. I think various strategies by domain agree on general principles. There is likely a class of errors that is too likely and/or unsolvable, in which case whole-task-restarts are advisable. Within the task, there may be other kinds of errors that can and should reasonably be resolved. User interactivity is also relevant (e.g. is a user directly interacting with a task in the error state). Overall, this comes down to a few factors for each error, roughly: likelihood, severity, solvability. Errors should always be reported when possible and brought to the attention, if not fixed, of a capable supervisor, which eventually culimante at a person (e.g. user or sysadmin).
Yes, this is a somewhat pragmatic approach and perhaps that should have been made clearer.
It's necessary to help partially comply with the big spec.
As Tritium implements more of the spec, the solution is to eliminate the Option return value in the example altogether. The Cursor mis-fires there only due to a disconnect between the glyphs rendered on the canvas and the underlying AST representing those characters. Today, it probably never misses, but due to the complexity of the spec and essentially infinite nesting possible under it, Tritium can't guarantee that yet and so chooses to move the cursor to the top of the document. That's almost certainly better than panicking for the user, and its probability is approaching zero but non-zero. It's getting there.
This approach lets you ship something that is made safe by surfacing errors as a user-visible glitch rather than crashing in release builds.
I guess I don't understand how much the spec dictates the architecture of Tritium, or the motivation for the Option return type specifically. In any case, it seems like future development will improve upon this. Have fun and good luck!