From: Ken Garlington
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/24
Message-ID: <3336C84B.572@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com> <332D113B.4A64@calfp.co.uk> <5gl1f5$a26$2@quasar.dimensional.com> <332E8D5D.400F@calfp.co.uk> <5gnttg$jkc$1@quasar.dimensional.com> <5gp3hd$i0l@mulga.cs.mu.OZ.AU> <5gqrkt$bp1$1@news.irisa.fr>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

Jean-Marc Jezequel wrote:
>
> Yes, that's true for pre- and post that actually correspond to range
> constraints. But remember that Eiffel pre- and post can be much more general
> than that, including any arbitrary function call.
> Also, how do you check/inherit your class invariants in Ada?
> (this is a real question, I really don't know whether it is possible)

Does any of this have anything to do with the Ariane 5 crash? Your own paper
says that Ada assertions were adequate in this case.

> In general, this may be true. But in this particular Ariane 501 crash, I maintain
> that such "stuff" would have been enough, for a team fully embracing design by contract,
> to specify this particular assumption.
*Specifically* for the Ariane 501 crash, I disagree (as do others). I even went
so far as to quote sections of the Ariane 501 final report that dispute your
belief, rather than just relying on my own experience in building similar
systems. Do you wish to respond?

> I know that humans can fail, but I'm confident that, given enough resources (and
> avoiding a 500M$ crash gives you some leeway) it could have been successful.
> You may disagree on this point, and we can stop this discussion by agreeing to disagree.

Apparently, you do not wish to respond. It would be interesting to see this
subject addressed in a refereed paper, rather than only in Mr. Meyer's opinion
column and on a web page. Too bad there's not a way to post permanent responses
to a web page... given the presence of Mr. Meyer's name, I'm sure it will be
quoted as an "authoritative" source on how assertions would have prevented this
crash. It's times like this that I really hate software engineering. To think
that such gibberish could ever see the light of day in a respected software
engineering magazine!

>
> In the light of their very constructive posts and mails, I concede to Ken Garlington and
> Paul Dietz that re-testing of the SRI in the context of the Ariane5 trajectory would
> not have been as hard as I have thought initially. But in any case, the solution they propose
> would have broken the idea of a black-box (integrating all the inertial hardware and software)
> reuse, since you have to enter the black box to "feed simulated accelerometer signals into the
> rest of the system".

This is a routine test for such systems. I have no idea what your issue is here.
I assume your main problem is that it would have detected the error either with
or without assertions, thus making it difficult to say that Design by Contract
(i.e., Eiffel) would have been a better choice.
> OK, I admit this is a bit of dialectics, but it still illustrates one of the
> main points of the paper: beware of black-box reuse (aka component reuse), when the specification
> is limited to routine signatures (a la CORBA).

I would go further: beware of black-box reuse REGARDLESS of the richness of the
specification, particularly for critical systems.

>
> --
> Jean-Marc Jezequel           Tel : +33 2 99847192
> IRISA/CNRS                   Fax : +33 2 99847171
> Campus de Beaulieu           e-mail : jezequel@irisa.fr
> F-35042 RENNES (FRANCE)      http://www.irisa.fr/pampa/PROF/jmj.html

--
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com