Each failure event becomes a state transition instead of an exception. You can then go a long way towards proving that nothing in the FSM object's state was trashed. You can also build a test harness that provides good coverage ( up to 100% ) and documentation of that level of coverage.
That's one way to do hi-rel processing in 'C'.... it all makes choice of language less of an issue. And if you have adequate logging of test site installs ( meaning all state transition data is logged ), then you can reproduce 100% of failures in a controlled environment.
It's not magic, but somehow, making the error cases explicit events has ( on me at least ) the effect of being able to reason about them more effectively. It's just another event.
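As an added example (my own, not code from the post above): a small table-driven FSM in C in the spirit described, where an I/O error is just another event in the transition table, every transition is logged, and the log can be replayed on a fresh FSM to reproduce the run. The state and event names and the event sequence are invented for illustration.

```c
#include <stddef.h>

enum state { S_IDLE, S_OPEN, S_FAILED, S_COUNT };
enum event { EV_OPEN, EV_DATA, EV_IO_ERROR, EV_CLOSE, EV_COUNT };

/* Transition table: a next state for every (state, event) pair; the I/O error is just a column. */
static const enum state next_state[S_COUNT][EV_COUNT] = {
    /*             OPEN      DATA      IO_ERROR  CLOSE  */
    [S_IDLE]   = { S_OPEN,   S_IDLE,   S_FAILED, S_IDLE },
    [S_OPEN]   = { S_OPEN,   S_OPEN,   S_FAILED, S_IDLE },
    [S_FAILED] = { S_FAILED, S_FAILED, S_FAILED, S_IDLE },
};
struct transition { enum state from; enum event ev; enum state to; };
#define LOG_MAX 64
struct fsm {
    enum state st;
    struct transition log[LOG_MAX]; /* every transition: the reproduction record */
    size_t nlog;
};

/* Feed one event. Returns 0 on success; -1 only for out-of-range inputs or a full log. */
int fsm_step(struct fsm *f, enum event ev)
{
    if ((unsigned)f->st >= S_COUNT || (unsigned)ev >= EV_COUNT || f->nlog >= LOG_MAX)
        return -1;
    struct transition t = { f->st, ev, next_state[f->st][ev] };
    f->log[f->nlog++] = t;
    f->st = t.to;   /* the only line that changes state */
    return 0;
}

/* Replay a captured log on a fresh FSM; returns 1 if every logged transition is reproduced. */
int fsm_replay(const struct transition *log, size_t n, enum state *final)
{
    struct fsm r = {0};
    for (size_t i = 0; i < n; i++)
        if (r.st != log[i].from || fsm_step(&r, log[i].ev) != 0 || r.st != log[i].to)
            return 0;
    *final = r.st;
    return 1;
}

/* Drive a constructed event sequence that includes an I/O failure; returns the final state. */
enum state demo_run(struct fsm *f)
{
    static const enum event seq[] = { EV_OPEN, EV_DATA, EV_IO_ERROR, EV_DATA, EV_CLOSE };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        fsm_step(f, seq[i]);
    return f->st;
}
```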