From: "Gavin Collings"
Subject: Re: Ariane-5: can you clarify? (Re: Please do not start a language war)
Date: 1997/03/18
Message-ID: <01bc3389$46204f70$b280400a@gavinspc>
References: <332B5495.167EB0E7@eiffel.com> <5giu3p$beb$1@news.irisa.fr>
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.lang.ada,comp.lang.java.tech

> There are multiple ways of reducing the probability of a catastrophic
> software defect like Ariane 5. Two of them are the following.
> (1) You can test more, enable runtime checks, and implement multiple
> levels of exception handling and recovery. (2) You can adopt a Design
> by Contract methodology.

(3) You can assume that no matter how much testing you do, and even if you use design by contract to its full potential, some errors still exist in the software. So no such exception should be treated as fatal.

Quoting an earlier reply:

> There was a high-level policy in the Ariane programme that any
> exception should cause the shutdown of whatever unit of hardware it
> occurred in. The assumption seems to have been that the software was
> perfect, and so any exception must indicate a hardware flaw.
> The real cause of the Ariane 5 failure was the policy that any
> exception be treated as fatal while identical software was used
> on both inertial guidance units. Hence any bug that caused
> an exception would inevitably lead to self-destruction.

Don't get me wrong - design by contract is a useful and necessary concept for the development of reliable software. BUT we should always remember that contracts CAN and WILL be broken.

Two decisions seem to have gone against this realisation:

(1) The decision to run identical software on the backup computer - if the software contains errors, this is not a backup at all;

(2) To treat the software as intrinsically more reliable than the hardware seems to go against all experience and indeed against common sense.

The corollary to this second point - allowing an exception to propagate to the extent of crashing the entire system - seems to be the grossest possible violation of the principle of loose coupling between modules!

This is the light in which I would view the comments in the original article, and in this area Eiffel does indeed have a valuable contribution to make: that of eliminating the half-hearted approach to exception handling which is all too common in the industry.

--
Gavin Collings
gcollings@sperry-sun.com

P.S. I used to work on Ariane 4.
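The policy argument in the post above, as an added illustration that is not part of the original thread: a constructed toy model of two guidance units running the same contract-checked code (a range check stands in for any precondition), compared under a shutdown-on-exception policy, a contain-and-degrade policy, and a non-identical backup. All names, functions and reading values are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

class ContractViolation(Exception):
    """Raised when a Design-by-Contract precondition fails (constructed)."""

def to_int16(x: float) -> int:
    """Contract-checked conversion: the range check is the precondition."""
    if not -32768 <= x <= 32767:
        raise ContractViolation(f"{x} outside 16-bit range")
    return int(x)

def saturate16(x: float) -> int:
    """Constructed non-identical implementation for a diverse backup: clamps."""
    return max(-32768, min(32767, int(x)))

@dataclass
class GuidanceUnit:
    name: str
    convert: Callable[[float], int] = to_int16
    alive: bool = True
    last_good: int = 0

    def step(self, reading: float, shutdown_on_exception: bool) -> Optional[int]:
        if not self.alive:
            return None
        try:
            self.last_good = self.convert(reading)
            return self.last_good
        except ContractViolation:
            if shutdown_on_exception:
                self.alive = False      # "any exception is a hardware fault": unit off
                return None
            return self.last_good       # contain the fault in this module, degrade

def fly(readings: List[float], shutdown_on_exception: bool,
        diverse_backup: bool = False) -> str:
    """Run a redundant pair over the readings; returns 'ok' or 'loss_of_guidance'."""
    primary = GuidanceUnit("primary")
    backup = GuidanceUnit("backup", convert=saturate16 if diverse_backup else to_int16)
    for r in readings:
        out = primary.step(r, shutdown_on_exception)
        if out is None:                 # primary down: fall over to the backup
            out = backup.step(r, shutdown_on_exception)
        if out is None:                 # identical software fails on the same input
            return "loss_of_guidance"
    return "ok"

# Constructed reading sequence: the second value breaks the contract.
READINGS = [100.0, 40000.0, 200.0]
```

With identical units and shutdown-on-exception the pair is lost on the first bad reading; either containing the exception or using a diverse backup keeps guidance alive.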