Readit News logoReadit News
twhitmore commented on Cloudflare outage on November 18, 2025 post mortem   blog.cloudflare.com/18-no... · Posted by u/eastdakota
Terr_ · a month ago
"Checked Exceptions Are Actually Good" gang, rise up! :p

I think adoption would have played out very different if there had only been some more syntactic-sugar. For example, an easy syntax for saying: "In this method, any (checked) DeepException e that bubbles up should immediately be replaced by a new (checked) MylayerException(e) that contains the original one as a cause.

We might still get lazy programmers making systems where every damn thing goes into a generic MylayerException, but that mess would still be way easier to fix later than a hundred scattered RuntimeExceptions.

twhitmore · a month ago
Exception handling would be better than what we're seeing here.

The problem is that any non-trivial software is composition, and encapsulation means most errors aren't recoverable.

We just need easy ways to propagate exceptions out to the appropriate reliability boundary, ie. the transaction/ request/ config loading, and fail it sensibly, with an easily diagnosable message and without crashing the whole process.

C# or unchecked Java exceptions are actually fairly close to ideal for this.

The correct paradigm is "prefer throw to catch" -- requiring devs to check every ret-val just created thousands of opportunities for mistakes to be made.

By contrast, a reliable C# or Java version might have just 3 catch clauses and handle errors arising below sensibly without any developer effort.

https://literatejava.com/exceptions/ten-practices-for-perfec...

twhitmore commented on Cloudflare outage on November 18, 2025 post mortem   blog.cloudflare.com/18-no... · Posted by u/eastdakota
ojosilva · a month ago
This is the multi-million dollar .unwrap() story. In a critical path of infrastructure serving a significant chunk of the internet, calling .unwrap() on a Result means you're saying "this can never fail, and if it does, crash the thread immediately."The Rust compiler forced them to acknowledge this could fail (that's what Result is for), but they explicitly chose to panic instead of handle it gracefully. This is textbook "parse, don't validate" anti-pattern.

I know, this is "Monday morning quarterbacking", but that's what you get for an outage this big that had me tied up for half a day.

twhitmore · a month ago
Interesting to see Rust error handling flunk out in practice.

It may be that forcing handling at every call tends to makes code verbose, and devs insensitized to bad practice. And the diagnostic Rust provided seems pretty garbage.

There is bad practice here too -- config failure manifesting as request failure, lack of failing to safe, unsafe rollout, lack of observability.

Back to language design & error handling. My informed view is that robustness is best when only major reliability boundaries need to be coded.

This the "throw, don't catch" principle with the addition of catches on key reliability boundaries -- typically high-level interactions where you can meaningfully answer a failure.

For example, this system could have a total of three catch clauses "Error Loading Config" which fails to safe, "Error Handling Request" which answers 5xx, and "Socket Error" which closes the HTTP connection.

twhitmore commented on Use Your Type System   dzombak.com/blog/2025/07/... · Posted by u/ingve
abraxas · 5 months ago
An adjacent point is to use checked exceptions and to handle them appropriate to their type. I don't get why Java checked exceptions were so maligned. They saved me so many headaches on a project where I forced their use as I was the tech lead for it. Everyone hated me for a while because it forced them to deal with more than just the happy path but they loved it once they got in the rhythm of thinking about all the exceptional cases in the code flow. And the project was extremely robustness even though we were not particularly disciplined about unit testing
twhitmore · 5 months ago
Checked exceptions were a reasonable idea, but the Java library implementation & use of these was totally wrong.

Checked exceptions work well for occasional major "expectable" failures -- opening a file, making a network connection.

They work extremely poorly when required for ongoing access or use of IO/ network resources, since this forces failures which are rare & impossible to usefully recover from to be explicitly declared/ caught/ rethrown with great verbosity and negative value added.

All non-trivial software is composition, so the idea of calling code "recovering" from a failure is at odds with encapsulation. What we end up with is business logic which can fail anywhere, can't recover anything, yet all middle layers -- not just the outer transaction boundary -- are forced to catch or declare these exceptions.

Requiring these "technical exceptions" to be pervasively handled is thus not just substantially invalid & pointless, but actually leads to serious rates of faulty error-handling. Measured experience in at least a couple of large codebases is that about 5-10% of catch clauses have fucked implementations either losing the cause or (worse) continue execution with null or erroneous results.

https://literatejava.com/exceptions/checked-exceptions-javas...

twhitmore commented on Nominal for Storing, Structural for Manipulating   welltypedwitch.bearblog.d... · Posted by u/todsacerdoti
twhitmore · a year ago
The examples at the start seem confused & poor. A type that "can return either one result, many results or an error" is trying to fit two different cardinalities into a single API.

APIs should either be typed to be unary (possibly with optionality/ error), or plural (allowing 0..many).

I've dealt with similar woolly design before. Introducing clear distinction between cardinalities gave a major improvement in logical clarity.

twhitmore commented on Silent data corruptions at scale (2021)   arxiv.org/abs/2102.11245... · Posted by u/losfair
twhitmore · 2 years ago
Interesting. The corruption was in a math.pow() calculation, representing a compressed filesize prior to a file decompression step.

Compressing data, with the increased information density & greater number of CPU instructions involved, seems obviously to increase the exposure to corruption/ bitflips.

What I did wonder was why compress the filesize as an exponent? One would imagine that representing as a floating-point exponent would take lots of cycles, pretty much as many bits, and have nasty precision inaccuracies at larger sizes.

twhitmore commented on I is for Intent   acko.net/blog/i-is-for-in... · Posted by u/devdoshi
twhitmore · 2 years ago
This article is very interesting. I have previously noticed the contrast between strict state representations, and the messier practicalities of user- and externally-sourced data.

I like the insight of splitting Intent and State. There's a lot to the article & I'm not sure I fully understand the latter half yet, but I'm filing this one away for further exploration.

twhitmore commented on I is for Intent   acko.net/blog/i-is-for-in... · Posted by u/devdoshi
mattxxx · 2 years ago
I know. This author is writing from a pretty weird place, especially if they're first categorizing fictional "Stanley" as backend Engineer.
twhitmore · 2 years ago
I don't know, I've met a lot of devs who've found the "true religion" of strict data integrity and have been reluctant to allow for the messier practicalities of user- and externally-sourced data.

None of them called Stanley, but there's definitely a fairly common pattern I recognise.

twhitmore commented on It's not microservice or monolith; it's cognitive load   fernandovillalba.substack... · Posted by u/DevOpsy
Nextgrid · 2 years ago
> I'd love to be able to separate myself and my team from others by an agreed-upon interface.

My experience suggests that speccing out such an interface well is a tremendous amount of work, and if you get it wrong (you most likely will) or if it needs to evolve it will generate lots of work since now it's set in stone and very hard to change so you're likely going to pay "interest" by working around its shortcomings for the foreseeable future.

twhitmore · 2 years ago
Difficulty & cost evolving the interface between microservices can seriously hinder improving the actual product.

I've seen the misguided adoption of microservices affect a couple of companies & products.

twhitmore commented on The surprising connection between after-hours work and decreased productivity   slack.com/intl/en-gb/blog... · Posted by u/tchalla
seeknotfind · 2 years ago
For me, I'm most productive after hours because during the day, I get too many pings and escalations. After hours is the only time I can focus and get deep work done myself. This is something I'd really like to improve, but I'm really not sure how. I've tried creating discussion groups and many other approaches to make knowledge transfer more efficient. However, the real issue is company growth. A huge recent period of growth has meant a focus on training people. This is only the kind of thing I could defend against if I were 1-2 ranks higher in the company, and honestly, this lack of longterm growth planning is one of the reasons I would leave my company.

One approach I've been thinking of experimenting with is saving everything I say, and using an LLM with my custom knowledge base to answer a question. I actually think a borg-like communication structure in a company could be really efficient. If every communication was publicly available, and we used ML to make that information consistent and to answer queries, I think you could achieve coherence with a company much faster, move as a unit much faster, and get a lot more done.

However, it's still a pipe dream at this point due to the context length limits. The actual amount of important context at a company is many times what a model can keep in mind now. As models get bigger, or if a group can run multiple models many times to make the company info widely consistent, it would be much better.

For instance imagine now, 30 people at your company work on one project, and 50 people work on another. They might take a slightly different definition for a term, and do work which is ultimately counterproductive to each other. Usually, it takes a conflict arising to resolve this, and people are long stuck with the mutually-incorrect definition. If an ML algorithm can look at everything both groups are saying and point out inefficiencies, I think you could get more cohesion, especially before problems get big enough to be a drain.

That being said, this type of system is more of a pipe dream, and I don't think it will be feasible for a few more years. In the meantime, I'm struggling how to balance communication with work. Advice appreciated.

twhitmore · 2 years ago
Yes, there's this amazing thing called "documentation".

Confluence works well if you KISS - write just what the audience needs to know, in terms they can read & find.

Avoid writing grand tracts of wanna-be architecture, policy, theory or planning; just write useful actionable material on topics your audience needs. You will find this works.

Source: I led 400 devs and this was the only way that could scale.

http://literatejava.com/documentation/how-to-write-good-wiki...

twhitmore commented on GCC always assumes aligned pointer accesses (2020)   trust-in-soft.com/blog/20... · Posted by u/luu
olliej · 2 years ago
As others have pointed out, GCC is completely allowed to do this because unaligned access is UB.

So the problem is not that GCC assumes your code has no UB.

The issue is that the C (and C++) specifications persist in this obnoxious and odious desire to label definable behaviour as UB, with no justification.

All of the arguments about needing UB to support different hardware fail immediately to the simple fact that the specification already has specific terms that would cover this: Implementation Defined Behavior, and Unspecified Behaviour. Using either of these instead of UB would support just as much hardware, without inflicting clearly anti-programmer optimizations on developers where the compiler is allowed to assume objectively false things about the hardware.

Undefined behaviour should be used solely for behavior that cannot be defined - for example using out of bounds, unallocated, or released memory cannot be defined because the C VM does not specify allocation, variable allocation, etc. Calling a function with a mismatched type signature is not definable as C does not specify the ABI. etc.

twhitmore · 2 years ago
Exactly this. At this point the obsession with categorising potentially useful & useable behaviour as UB should be widely acknowledged.
t

u/twhitmore

KarmaCake day283April 22, 2019View Original