09.4 Panic vs contract
When the runtime traps, when contracts fail at compile time, and how FFI keeps worlds apart.
Panic vs contract
Contract failure is a compile-time diagnostic—you fix the type or member before shipping.
Panic is a runtime trap for invariant violations, failed host assumptions, or policy-defined unwinds at boundaries—not a replacement for Result.
Compile-time: contracts win early
Missing Dispose() on Disposable? E1601, not a stack trace in prod. That is the point of structural contracts (Contracts).
Runtime: panic policy
Execution owns panic bridges and syscall surfaces:
Normative gist: Beskid panic must not assume foreign callers catch Rust/Beskid unwinds. Profiles define who may translate traps.
Recoverable vs non-recoverable
| Mechanism | Use for |
|---|---|
| Result / ? | Expected failures (parse errors, missing files, domain rules) |
| test assertions | Harness failures with structured runner output |
| Panic / trap | Bug, violated invariant, host abort |
Do not catch panic in application Beskid as if it were a Java exception. If you need control flow, use Result.
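The table above and the FFI rule from the panic-policy section, worked through in Rust as an added example (not Beskid code and not from the Beskid project): an expected failure travels as `Result`, a violated invariant traps, and the `extern "C"` boundary translates both so nothing unwinds into the foreign caller. The function names, the `ParseError` variants and the status-code values are assumptions made for this example.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Expected failure: the input is not a valid port. Carried in `Result`, never a panic.
#[derive(Debug, PartialEq)]
pub enum ParseError { Empty, NotANumber, OutOfRange }

/// Recoverable path: bad input is a domain error, so the caller gets `Result` and `?`.
pub fn parse_port(s: &str) -> Result<u16, ParseError> {
    if s.is_empty() {
        return Err(ParseError::Empty);
    }
    let n: u32 = s.trim().parse().map_err(|_| ParseError::NotANumber)?;
    if n == 0 || n > 65535 {
        return Err(ParseError::OutOfRange);
    }
    Ok(n as u16)
}

/// Non-recoverable path: `capacity` is an internal invariant (validated at construction),
/// so a zero here is a bug and traps instead of returning an error.
pub fn slot_for(port: u16, capacity: usize) -> usize {
    assert!(capacity > 0, "invariant violated: table capacity must be non-zero");
    port as usize % capacity
}

/// Status codes returned across the boundary (hypothetical values, not a Beskid profile).
pub const STATUS_OK: i32 = 0;
pub const STATUS_BAD_INPUT: i32 = 1;
pub const STATUS_TRAPPED: i32 = -1;

/// FFI boundary: the foreign caller cannot catch a Rust unwind, so `Err` becomes
/// STATUS_BAD_INPUT and a panic (a bug) becomes STATUS_TRAPPED; nothing unwinds past the
/// `extern "C"` frame. (A real export adds `no_mangle`; under `panic = "abort"` the trap aborts.)
pub extern "C" fn beskid_port_slot(input: *const u8, len: usize, capacity: usize, out: *mut usize) -> i32 {
    if input.is_null() || out.is_null() {
        return STATUS_BAD_INPUT;
    }
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        // SAFETY: the caller guarantees `input` points to `len` readable bytes.
        let bytes = unsafe { std::slice::from_raw_parts(input, len) };
        let text = std::str::from_utf8(bytes).map_err(|_| ParseError::NotANumber)?;
        let port = parse_port(text)?;
        Ok::<usize, ParseError>(slot_for(port, capacity))
    }));
    match outcome {
        Ok(Ok(slot)) => { unsafe { *out = slot }; STATUS_OK }
        Ok(Err(_)) => STATUS_BAD_INPUT,
        Err(_) => STATUS_TRAPPED,
    }
}
```

The trapped case still reports through the panic hook, so the bug is visible in logs while the caller only sees a status code.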
Mod analyzers
Analyzer mods emit diagnostics and fixes—they do not throw into your runtime. Host merge either accepts typed rewrites or fails closed (Mod host bridge).