Improve exception-safety of the DGI

[mcatanzaro]

Right now, when something unexpected happens (e.g. invalid input from a peer DGI), the DGI tends to crash. This doesn't generally happen because unexpected things don't generally happen.

We should be much smarter about this. E.g. if an exception comes from a message handler, or any function posted to the io_service, or a device adapter, then we should print a warning or error, but the system should otherwise continue to run.

It should be a general rule that functions posted to the global io_service must not throw unless the error is really fatal, and the current code should be audited to ensure this is the case. (It currently isn't.)

[scj7t4]

Error handling is not well defined: when should the DGI stop and when should it recover and continue.

This task is hard to objectively complete and there has been no discussion on it. Currently we don't track research goals on the wiki; If this becomes a priority, open issues for specific areas that need attention.