From: Ken Garlington
Subject: Re: Please do not start a language war (was Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/24
Message-ID: <3336D8EF.1271@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com> <5giu3p$beb$1@news.irisa.fr> <332ED8AB.21E7@lmtas.lmco.com> <199703190839.JAA02652@stormbringer.irisa.fr> <33302A36.7434@lmtas.lmco.com> <01bc356c$e3aae860$371883cc@beast.advancedsw.com> <5gth8r$2md$1@news.irisa.fr>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.lang.ada

Jean-Marc Jezequel wrote:
>
> I repeat again, because it seems it does not make it through the brain of
> some people: the point of the paper on Ariane 5 was that reusing a component
> without checking its specification can lead to a catastrophe. Design by
> contract helps in getting the proper specification of a component.

I absolutely agree with both statements:

1. "reusing a component without checking its specification can lead to a catastrophe."

2. "Design by contract helps in getting the proper specification of a component."

However, don't you see that #2 does not necessarily lead to #1?

This is the underlying flaw of your paper, that getting a better specification at the code level was the critical factor in getting the Ariane V development team to check the module specification before reuse. It certainly may be the case that #2 is useful, possibly even necessary (although I could debate the point) to get to #1. However, as the final report makes clear, IN THE CASE OF ARIANE 5, #2 WOULD NOT HAVE CAUSED #1. There were simply too many other barriers, as explicitly stated in the final report. For example:

1. The Ariane 5 flight profile was not specified to the Ariane IRS development team. (No human or machine can check something that they don't know about!)

2. The IRS development team did not see this as an assertion that could be violated, which reduces the chance they would have included it - particularly in the presence of the 80% throughput factor. (This would not be an issue if the assertion were static, or was turned on during test and off during operation, but neither of these scenarios is proposed by your paper.)

3. Although testing could have been done to detect the problem, it was not done. This would effectively defeat any executable assertion.

4. The overall culture was that the software worked on Ariane 4, so it was not necessary to do analysis for Ariane 5. In *this* environment, assertions are easily defeated.

> It replaces by itself neither V&V, system engineering, floral art...

This statement completely contradicts your paper, where you say that Design by Contract would have saved the Ariane 5. If you wish to claim that Design by Contract, *coupled* with effective V&V, system engineering (and floral art? :) would have saved the system, then this would be a much more effective paper. Of course, I would argue that effective V&V alone would have saved the system, but the paper would at least have made some sense!

You cannot have it both ways. Either you discuss Design by Contract (Eiffel) in the abstract, or you discuss it in terms of the concrete case of Ariane 5. Your paper attempts to do both, and gibberish results.

> --
> Jean-Marc Jezequel            Tel : +33 2 99847192
> IRISA/CNRS                    Fax : +33 2 99847171
> Campus de Beaulieu            e-mail : jezequel@irisa.fr
> F-35042 RENNES (FRANCE)       http://www.irisa.fr/pampa/PROF/jmj.html

--
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com