From: Bertrand Meyer
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/04/01
Message-ID: <3341AD65.2781E494@eiffel.com>
References: <332B5495.167EB0E7@eiffel.com> <332D113B.4A64@calfp.co.uk> <5gm8a6$2qu$2@news.irisa.fr> <3332BE49.8F9@lmtas.lmco.com> <33330FE5.3F54BC7E@eiffel.com> <3335BC24.13728473@eiffel.com> <3335BE7B.2C67412E@eiffel.com> <33400A09.5572@lmtas.lmco.com>
Organization: Interactive Software Engineering Inc.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

Ken Garlington wrote:

[Quoting the article by Jezequel and me:]

>!! But most importantly the assertions are a prime component of the
>!! software and its documentation ("short form", produced
>!! automatically by tools). In an environment such as that of
>!! Ariane where there is so much emphasis on quality control
>!! and thorough validation of everything, they would be the QA
>!! team's primary focus of attention. Any team worth
>!! its salt would have checked systematically that every call
>!! satisfies the precondition. That would have immediately
>!! revealed that the Ariane 5 calling software did not meet
>!! the expectation of the Ariane 4 routines that it called.

[Ken Garlington:]

> I believe Mr. Meyer considers this a critical distinction between
> Eiffel and other languages such as Ada. The ability to document
> assertions explicitly, and have them _read_ as part of the
> _specification_, appears to be a prime consideration.

Yes. It is a critical distinction.

> Certainly, declaring the name of the exception (Rate_Error, in this
> case) could be argued as an equivalent, but I don't believe Mr. Meyer
> would agree.

Well, yes and no. It's pursuing the same general goal, but I would not
call it an equivalent because it's using very different techniques
(a posteriori detection of an abnormal case). I think the a priori
technique, whenever applicable, is much better. But that's partly a
matter of opinion.

I find myself disagreeing less and less with the comments in the tail
end of this discussion - except perhaps for Robert Dewar's mention that
the Ariane 5 crash

>> is not a particularly instructive example of a BIG BUG

which strikes me as rather paradoxical (even in the full quotation -
read the original message). I think I understand Prof. Dewar's point,
but a "BIG BUG" does not have to be a tricky, complicated mistake having
to do with an intellectually challenging issue. It's big because of its
consequences. Admittedly this is a matter of how you define things, but
contrary to him I think this specific bug is indeed "particularly
instructive" and deserves to be examined in courses and textbooks, as
well as articles like ours.

--
Bertrand Meyer, President, ISE Inc., Santa Barbara (California)
805-685-1006, fax 805-685-6869, - ftp://ftp.eiffel.com
Visit our Web page: http://www.eiffel.com
(including instructions to download Eiffel 4 for Windows)
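The a priori / a posteriori contrast in the exchange above, as an added example that is not part of the original posting or of ISE's software. The same routine is written twice: once with a stated precondition in the style of an Eiffel `require` clause, once with the overflow detected only after the fact by raising an exception, as the thread's `Rate_Error` does. A third function shows the review the article says a QA team would have done: check every call site's documented operand range against the published precondition without running the flight software. The 16-bit range, the routine names and the caller ranges are assumptions chosen for illustration; the posting does not describe the actual routine or its operands.

```python
"""Precondition (a priori) versus exception (a posteriori) on one routine.

Added illustration, not code from the posting or from ISE. The guarded
operation (float to signed 16-bit integer) and every range below are
constructed assumptions for the demonstration.
"""
import functools
import math

INT16_MIN, INT16_MAX = -32768, 32767  # assumed target range


class PreconditionViolation(Exception):
    """The caller broke the contract: the bug is at the call site."""


class RateError(Exception):
    """Stands in for the thread's Rate_Error: raised after the fact."""


def require(check, description):
    """Minimal 'require' clause: evaluate the precondition before the body
    and publish it on the function, which is what the 'short form' exposes
    to reviewers without their having to read the implementation."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(x):
            if not check(x):
                raise PreconditionViolation(f"{fn.__name__}: {description}")
            return fn(x)
        wrapper.precondition = (check, description)
        return wrapper
    return decorator


@require(lambda x: INT16_MIN <= x <= INT16_MAX,
         "operand fits in a signed 16-bit integer")
def to_int16_contract(x: float) -> int:
    """A priori: the caller must establish the range before calling."""
    return math.trunc(x)


def to_int16_exception(x: float) -> int:
    """A posteriori: convert first, then notice that the result is out of
    range. Nothing in the signature tells a reviewer what the caller owes."""
    result = math.trunc(x)
    if not INT16_MIN <= result <= INT16_MAX:
        raise RateError(f"conversion overflow for {x!r}")
    return result


def audit_callers(routine, callers):
    """Check each call site's documented operand interval [lo, hi] against the
    routine's published precondition. Because the check is an interval test,
    evaluating it at both endpoints covers the whole range. Returns the call
    sites that can violate the contract."""
    check, description = routine.precondition
    return [(name, description)
            for name, (lo, hi) in callers.items()
            if not (check(lo) and check(hi))]


def fails_with(fn, x, exc) -> bool:
    """True if fn(x) raises exc (helper so callers can test without try/except)."""
    try:
        fn(x)
    except exc:
        return True
    return False


# Constructed operand envelopes for two hypothetical callers. These are not
# figures from the accident report; they only show the pattern of a reused
# routine whose new caller exceeds the range the old one promised.
CALLERS = {
    "ariane4_trajectory": (-20000.0, 20000.0),
    "ariane5_trajectory": (-80000.0, 80000.0),
}

if __name__ == "__main__":
    print(to_int16_contract(123.9))          # in range: 123
    print(fails_with(to_int16_contract, 40000.0, PreconditionViolation))
    print(fails_with(to_int16_exception, 40000.0, RateError))
    print(audit_callers(to_int16_contract, CALLERS))
```

The point the audit makes: with the precondition published on the routine, `audit_callers` finds the offending call site from documentation alone, before any execution. With the exception-only version there is nothing to audit against; the first sign of trouble is the `RateError` at run time, after the overflow has already happened.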