comp.lang.ada
From: Samuel Mize <smize@link.com>
Subject: Re: Critique of Ariane 5 paper (finally!)
Date: 1997/08/22
Message-ID: <33FDDDA0.C38@link.com>
In-Reply-To: 5til7i$boi$1@flood.weeg.uiowa.edu


Robert S. White wrote:
>   The other issue is that in the Ariane 5 case, the
> methodology that was in place (system requirements review and
> software requirements specification), was not followed
> adequately.  To quote the inquiry report once more:
...
>   My complaint is against the claim in the Eiffel paper:
> 
>   "Does this mean that the [Ariane 5] crash would
>   automatically have been avoided had the mission used
>   a language and method supporting built-in assertions
>   and Design by Contract? Although it is always risky
>   to draw such after-the-fact conclusions, the answer
>   is probably yes..."
>      ^^^^^^^^^^^^
> 
>     I say, IMO, probably no for the Ariane 5 case.

I'd even tolerate the "probably yes," if it weren't
explicitly stated that DBC is the ONLY method that would
probably have avoided the crash.

No discussion about whether DBC would have helped is relevant
to my point.  I concede that DBC is one method that would
have helped.

I'll say that again:

    I CONCEDE THAT DBC WOULD PROBABLY HAVE HELPED, IF ONLY
    BECAUSE IT ISN'T DBC WITHOUT REVIEWS AND TEST.

But the paper says that ONLY DBC would have helped, as I'll
show below.  If the authors had said "Yes, the claim was too
strong, sorry," a lot of us would have shut up and gone away.

Co-author Jean-Marc Jezequel has said that this does not
characterize what the paper was MEANT to say.  I have
little dispute with what he says they MEANT to say[1]:

  Let's finally sum up what I perceive as the most important
  claims in this paper:
  - reusing a component without checking its full specification
    is dangerous, which means that simple minded CORBA-like
    approaches at building components for mission-critical
    software are doomed.
  - using design by contract is an interesting way to specify the
    behavior of a component
  - at least in the case of Ariane 501, simple assertions (a la
    Eiffel and other languages) would have been expressive enough
    to specify the fatal hidden assumption.

But the paper DOES state explicitly that DBC is the ONLY method
that would have avoided the crash, and that existing methods were
applied but did not succeed.

Following are my reasons for stating that the paper says this.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
THE PAPER CLAIMS THAT ARIANE 5 APPLIED ALL RELEVANT EXISTING METHODS

At the very least it strongly implies this.

From the paper:
    The ESA's software people knew what they were doing and applied
    widely accepted industry practices.

No, the project made an explicit decision to NOT apply widely
accepted industry practices.

I have yet to see any support for this assertion: not in the Eiffel
paper, not in the ESA report, not in the net traffic.


From the paper:
    Is it a testing error?  Not really.  ...  But if one can test more
    one cannot test all.  Testing, we all know, can show the presence
    of errors, not their absence.

This implies that the error in question would not likely have been
found through normal testing.  Yet it is, in fact, one that would
have blown out a normal test scenario the first time they tried it.
The addition of DBC would have made no more difference than would
the addition of paper hats.  There may indeed be errors that cannot
be found through testing, and that DBC would find, but this is NOT
demonstrated by the Ariane 5 case.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
THE PAPER CLAIMS THAT ONLY DBC WOULD HAVE PREVENTED THIS ERROR

The concluding section, labelled "The lesson for every software
developer," is clearly meant to state what the Ariane 5 crash shows.
It states:

    To attempt to reuse software without Eiffel-like assertions is
    to invite failures of potentially disastrous consequences.
    ...
    For reuse to be effective, Design by Contract is a requirement.
    Without a precise specification attached to each reusable
    component -- precondition, postcondition, invariant -- no one
    can trust a supposedly reusable component.

This says that, if a reused component has not been analyzed with
DBC, you cannot trust it, and you are inviting failure.  No other
method is sufficient, by this statement.


From the paper:
    Reuse without a contract is sheer folly.

Does this state that Ariane 5 would have crashed, no matter what
other methods were used, unless DBC were also used?  In context,
yes.  It's from the conclusions section, "The lesson for every
software developer."  Surely this is meant to be the lesson of the
Ariane 5 crash.  Surely "contract" in this context is intended to
refer specifically to a Design By Contract artifact.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[1] I'd dispute his first point if "full specification" is limited
    to pre/post conditions and invariants.  In some cases these are
    too little, in others they may not be needed.  However, it's
    certainly failure-prone to reuse components without reviewing
    their specs and designs.  I know too little about CORBA to have
    an opinion on its (in)sufficiency.

Sam Mize
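An added example, written for this page and taken neither from Mize's post nor from the Eiffel paper: a Design-by-Contract style precondition and postcondition on a reused conversion routine, exercised by an ordinary trajectory test. The one factual detail drawn from outside the post is the ESA inquiry report's description of the fault, an unprotected conversion of a 64-bit floating-point horizontal bias value to a 16-bit signed integer in software carried over from Ariane 4. Everything else is constructed for illustration: the `horizontal_bias_profile` shape, the peak values, the step counts and the function names. Python is used instead of Eiffel or Ada so the block runs as-is.

```python
import functools
from typing import Callable, Iterable, Optional

# Range of a 16-bit signed integer, the target type of the reused conversion.
INT16_MIN, INT16_MAX = -32768, 32767


class ContractViolation(AssertionError):
    """Raised when a precondition or postcondition fails to hold."""


def require(check: Callable[..., bool], message: str):
    """Precondition decorator: `check` sees the call's arguments before the body runs."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if not check(*args, **kwargs):
                raise ContractViolation(f"{fn.__name__}: precondition failed: {message}")
            return fn(*args, **kwargs)
        return wrapper
    return decorate


def ensure(check: Callable[[object], bool], message: str):
    """Postcondition decorator: `check` sees the return value after the body runs."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            if not check(result):
                raise ContractViolation(f"{fn.__name__}: postcondition failed: {message}")
            return result
        return wrapper
    return decorate


# The precondition states the assumption that was left implicit in the reused
# code: the operand already fits the target type.  Decorator order puts the
# precondition outermost, so it is checked first.
@require(lambda bh: INT16_MIN <= bh <= INT16_MAX,
         "horizontal bias must fit a 16-bit signed integer")
@ensure(lambda r: isinstance(r, int) and INT16_MIN <= r <= INT16_MAX,
        "result is a 16-bit signed integer")
def bias_to_int16(bh: float) -> int:
    """Stand-in for the reused step: truncate a 64-bit float toward zero."""
    return int(bh)


def horizontal_bias_profile(peak: float, steps: int) -> list:
    """Constructed, not flight data: a bias value rising linearly from 0 to
    `peak` over `steps` samples, a crude stand-in for a trajectory."""
    return [peak * i / (steps - 1) for i in range(steps)]


def run_trajectory_test(profile: Iterable[float]) -> Optional[int]:
    """Ordinary test scenario: feed a whole profile through the reused routine.
    Returns the index of the first sample that violates its contract, or None."""
    for step, bh in enumerate(profile):
        try:
            bias_to_int16(bh)
        except ContractViolation:
            return step
    return None


# Two constructed profiles: one that stays within the assumed range (the
# vehicle the code was written for) and one that exceeds it (the new vehicle).
OLD_VEHICLE_PROFILE = horizontal_bias_profile(peak=20_000.0, steps=40)
NEW_VEHICLE_PROFILE = horizontal_bias_profile(peak=64_000.0, steps=40)

if __name__ == "__main__":
    print("old vehicle, first failing step:", run_trajectory_test(OLD_VEHICLE_PROFILE))
    print("new vehicle, first failing step:", run_trajectory_test(NEW_VEHICLE_PROFILE))
```

The `require` clause is the "fatal hidden assumption" written down where a reviewer can see it; that is the specification point Jezequel makes. `run_trajectory_test` is the point Mize makes: a test driven by the new vehicle's own profile trips that assumption at the first attempt, at sample 20 here, so the contract adds a clear diagnostic but is not the only method that would have surfaced the defect.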
