Graceful Degradation
The irony of grace is that, even though we associate it with perfection and elegance, it is truly apparent only when things have gone horribly wrong. Points of light become obvious only in darkness, and charity is most valuable when the need is desperate. The principle of being at our best when things are at their worst is manifest in the system design principle of graceful degradation.
The degree of civilization in a society can be judged by entering its prisons.
—unknown; often misattributed to Fyodor Dostoyevsky
The most obvious form of system degradation is catastrophic failure. Conventional wisdom is that when a computer program cannot serve its intended purpose, it should fail fast and loudly. The aptly named .NET Environment.FailFast method, for instance, “immediately terminates a process after writing a message.” We’ve previously discussed why fail-fast isn’t always the best strategy; but when a program absolutely must crash, it should at least crash well.
GEOFFREY: Why, you chivalric fool—as if the way one fell down mattered.
RICHARD: When the fall is all there is, it matters.
—James Goldman, The Lion in Winter
Graceful fail-fast degradation is epitomized by the ‘expect’ method of Rust options. Options are containers that either are empty or hold a single value. The ‘expect’ and ‘unwrap’ methods both return the contained value; if the container is empty, they panic instead, printing an error message and terminating the program with a non-zero exit status. The only difference between ‘expect’ and ‘unwrap’ is that ‘expect’ lets you customize the error message. Good error messages are grace incarnate. Rust programmers should always prefer ‘expect’ to ‘unwrap,’ for two reasons:
No matter how sure you are that a particular operation won’t fail… what if it does? The moment the impossible happens is precisely when a helping hand would be most appreciated.
We place absolute confidence in the Titanic. We believe the boat is unsinkable. —White Star Line Vice President P.A.S. Franklin
The Titanic actually carried just 20 lifeboats . . . This was far too few for the number of people aboard. —Titanic Facts
Believing your ship unsinkable is no excuse for not providing enough lifeboats.
Well-written error messages make code easier to read, because they explain why the author believes a particular state is unreachable, or at least what the relevant values represent. Good inline error messages are among the kindest mercies you can bestow on anyone who would maintain or extend your code, even if no end user ever sees them.
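An added example, not from the original post, showing the difference in practice: the same lookup failing through ‘unwrap’ and through ‘expect’, with a small helper that captures each panic message so the two can be compared side by side. The ship manifest, the ship names other than Titanic, and all function names are constructed for illustration.

```rust
use std::panic;

/// Constructed sample manifest: lifeboat counts per ship.
/// Only Titanic's figure (20) comes from the text; the rest is made up.
fn lifeboats_for(ship: &str) -> Option<u32> {
    match ship {
        "Titanic" => Some(20),
        _ => None,
    }
}

/// Fails loudly but gracelessly: the panic says only that
/// `Option::unwrap()` was called on a `None` value, nothing about which ship.
fn lifeboats_unwrap(ship: &str) -> u32 {
    lifeboats_for(ship).unwrap()
}

/// Fails loudly and gracefully: the panic names the missing ship and states
/// why the author believed this lookup could not fail.
fn lifeboats_expect(ship: &str) -> u32 {
    lifeboats_for(ship).expect(&format!(
        "ship {:?} must be in the manifest before departure; \
         a missing entry means the manifest was never loaded",
        ship
    ))
}

/// Run `f` and return either its value or the panic message it produced.
/// The default panic hook is silenced while `f` runs so the message is
/// captured for comparison rather than printed to stderr.
fn capture_panic<F>(f: F) -> Result<u32, String>
where
    F: FnOnce() -> u32 + panic::UnwindSafe,
{
    let previous_hook = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let outcome = panic::catch_unwind(f);
    panic::set_hook(previous_hook);
    outcome.map_err(|payload| {
        // `unwrap` panics with a &'static str; `expect` with a formatted String.
        payload
            .downcast_ref::<&str>()
            .map(|s| s.to_string())
            .or_else(|| payload.downcast_ref::<String>().cloned())
            .unwrap_or_else(|| "non-string panic payload".to_string())
    })
}

fn main() {
    println!("unwrap: {:?}", capture_panic(|| lifeboats_unwrap("RMS Example")));
    println!("expect: {:?}", capture_panic(|| lifeboats_expect("RMS Example")));
}
```

Running it prints the anonymous ‘unwrap’ message beside the ‘expect’ message that names the ship and the author's assumption, which is exactly the lifeboat a maintainer wants when the impossible happens.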
A more common form of graceful degradation is ensuring that media remain accessible to users who have (permanent, temporary, or situational) disabilities. Alternate text for online images, closed captions and audio descriptions for movies, and colorblind-friendly visual distinctions (such as consistent top-down ordering of red, yellow, and green traffic lights) are all forms of graceful degradation. At their best, such “alternate” forms of communication are first-class aspects of design in their own right. While a blind moviegoer may never see the images on screen, most sighted viewers will never see the closed captions or hear the audio descriptions that may be the most entertaining parts of the show.
No real-world system is ever infallible. Something as simple as providing a decent error message can make a big difference to users and developers alike. Getting things right when things go wrong is a mark of craftsmanship that distinguishes good engineers and designers from great ones.