Everything should be written crash-only[1]. That way they don't have to worry ab...

acveilleux · on Feb 4, 2015

Crash-only is nice and all but you can't crash the other side of a socket...

Like you couldn't crash a steel mill controller and expect the process equipment to be magically free of solidified metal. It only means the servers will come back up with a consistent state.

derefr · on Feb 4, 2015

"Crash-only engineering" is a method of systems engineering, not device engineering; it only works if you get to design both sides of the socket.

In the case of a system that needs hard-realtime input once it gets going (like milling equipment), the "crash-only" suggestion would be for it to have a watchdog timer to detect disconnections, and automatically switch from a "do what the socket says" state to a "safe auto-clean and shutdown" state.

In other words, crash-only systems act in concert to push the consequences of failure away from the site of the failure (the server) and back to whoever requested the invalid operation be done (the client.) If the milling controller crashes, the result would be a mess of waste metal ejected from the temporarily-locked-up-and-ignoring-commands process equipment. The equipment would be fine; the output product (and the work area, and maybe the operators if they hadn't been trained for the failure case) would not be.

userbinator · on Feb 4, 2015

At first I thought you had written "rocket" instead of "socket", which would also make much sense.

dredmorbius · on Feb 4, 2015

And as a general rule of thumb, what the other end of the rocket should be doing is pointing down.

ars · on Feb 9, 2015

A bit trivial, but actually a rocket flies sideways, not straight up.

You go straight up you just fall back down - you need to go into orbit which means flying sideways.

marcosdumay · on Feb 4, 2015

Nah. Some times you want it to crash too.