From: jezequel@irisa.fr (Jean-Marc Jezequel)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
Date: 1997-03-20T00:00:00+00:00 [thread overview]
Message-ID: <5gqrkt$bp1$1@news.irisa.fr> (raw)
In-Reply-To: JSA.97Mar19144933@alexandria
In article <JSA.97Mar19144933@alexandria>, jsa@alexandria (Jon S Anthony) writes:
>In article <5gp3hd$i0l@mulga.cs.mu.OZ.AU> fjh@murlibobo.cs.mu.OZ.AU (Fergus Henderson) writes:
>> >Why is Eiffel saying assertions are a new tool? C (and now C++) have been
>> >using #include <assert.h> for years? Software engineers have been using
>> >assert macros to verify program limits are not exceeded.
>> The major difference between C/C++/Ada assertions and Eiffel style
>> design-by-contract is that in the latter, the assertions are part of
>> the interface, not just embedded in the implementation.
>Well, in this particular sort of case, your claim here is not correct
>for Ada:
>subtype Bias_Constraint is Integer range Min_Bias..Max_Bias;
>
>function Convert ( High_Bias : Bias_Constraint ) return Integer;
>The asserstion is part of the interface, NOT the implementation.
>Further, to answer a point of Jean's, it will be inherited in any
>appropriate derivation case. And certainly we could do the same for
>the post condition (the return subtype).
Yes, that's true for pre- and post that actually correspond to range
constraints. But remember that Eiffel pre- and post can be much more general
than that, including any arbitrary function call.
Also, how do you check/inherit your class invariants in Ada?
(this is a real question, I really don't know whether it is possible)
>Now, as John McCabe, Ken Garlington, myself and others have pointed
>out, none of this was (or is in any sense likely to be) sufficient to
>prevent the type of error exhibited by this example. The required
>semantic context (scope of use, intended behavior, presumed
>environment, etc) is far to rich and complex to be dealt with by such
>rudimentary simple minded stuff as pre and post conditions on
In general, this may be true. But in this particular Ariane 501 crash, I maintain
that such "stuff" would have been enough, for a team fully embrassing design by contract,
to specify this particular assumption. By the mere definition of design by contract,
they should have done this. Then, with the process explained in another of my posts,
the constraint (along with many, many others) would have propagated to the boundaries of
the SRI module, as a constraint on the environment where the module could be reuse.
I would expect that you could agree with me on that, because it is just a bare bone application
of design by contract. What I concede you (Jon), is that the set of assertions
emerging at the SRI module level could have been so complex that it would have made
verification in the context of Ariane5 very costly in human ressources.
I know that humans can fail, but I'm confident that, given enough ressources (and
avoiding a 500M$ crash gives you some leeway) it could have been succesful.
You may disagree on this point, and we can stop this discussion by agreeing to disagree.
In the light of their very constructive posts and mails, I concede to Ken Garlington and
Paul Dietz that re-testing of the SRI in the context of the Ariane5 trajectory would
not have been as hard as I have thought initialy. But in any case, the solution they propose
would have broken the idea of a black-box (integrating all the inertial hardware and software)
reuse, since you have to enter the black box to "feed simulated accelerometer signals into the
rest of the system". OK, I admit this is a bit of dialectics, but it still illustrates one of the
main point of the paper: beware of black-box reuse (aka component reuse), when the specification
is limited to routine signatures (a la CORBA).
>signatures. *THE* most alarming aspect of this entire discussion is
>that many, including folks the caliber of Meyer and Jezequel, don't
Thanks for putting me on the same level as B. Meyer. I'm feeling flattered;-)
--
Jean-Marc Jezequel Tel : +33 2 99847192
IRISA/CNRS Fax : +33 2 99847171
Campus de Beaulieu e-mail : jezequel@irisa.fr
F-35042 RENNES (FRANCE) http://www.irisa.fr/pampa/PROF/jmj.html
next prev parent reply other threads:[~1997-03-20 0:00 UTC|newest]
Thread overview: 254+ messages / expand[flat|nested] mbox.gz Atom feed top
1997-03-15 0:00 Papers on the Ariane-5 crash and Design by Contract Bertrand Meyer
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Jon S Anthony
[not found] ` <tz8ohcjv7cc.fsf@aimnet.com>
1997-03-16 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert Dewar
1997-03-17 0:00 ` Please do not start a language war (was " Jean-Marc Jezequel
1997-03-18 0:00 ` Richard Irvine
1997-03-18 0:00 ` Ken Garlington
[not found] ` <199703190839.JAA02652@stormbringer.irisa.fr>
1997-03-19 0:00 ` Ken Garlington
1997-03-20 0:00 ` Roger T.
1997-03-21 0:00 ` Jean-Marc Jezequel
1997-03-24 0:00 ` Ken Garlington
1997-03-21 0:00 ` Ken Garlington
1997-03-20 0:00 ` Robert S. White
1997-03-20 0:00 ` Martin Tom Brown
1997-03-21 0:00 ` Wolfgang Gellerich
1997-03-21 0:00 ` Robert S. White
1997-03-20 0:00 ` John L. Ahrens
1997-03-19 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Richard Kaiser
1997-03-21 0:00 ` Ken Garlington
1997-03-21 0:00 ` Jean-Marc Jezequel
1997-03-25 0:00 ` Ken Garlington
1997-03-26 0:00 ` Trust but verify " Robert S. White
1997-03-25 0:00 ` Bertrand Meyer
1997-03-26 0:00 ` Robb Nebbe
1997-03-27 0:00 ` Ken Garlington
1997-03-28 0:00 ` Jeffrey W. Stulin
1997-03-31 0:00 ` Ken Garlington
1997-03-28 0:00 ` Karel Th�nissen
1997-03-28 0:00 ` Ken Garlington
1997-04-07 0:00 ` Jean-Marc Jezequel
1997-03-29 0:00 ` the one and only real true kibo
[not found] ` <tz8913l930b.fsf_-_@aimnet.com>
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Gavin Collings
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war Roedy Green
1997-03-17 0:00 ` Papers on the Ariane-5 crash and Design by Contract John McCabe
[not found] ` <tz8n2s1hrdc.fsf@aimnet.com>
1997-03-20 0:00 ` John McCabe
1997-03-20 0:00 ` John McCabe
1997-03-20 0:00 ` Jean-Marc Jezequel
1997-03-20 0:00 ` John McCabe
1997-03-21 0:00 ` Niall Cooling
1997-03-21 0:00 ` Gavin Collings
1997-03-27 0:00 ` Joachim Durchholz
1997-04-03 0:00 ` Robert I. Eachus
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Chris Beer
1997-04-03 0:00 ` Gavin Collings
1997-04-03 0:00 ` Ken Garlington
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Derek Clarke
1997-04-06 0:00 ` Robert Dewar
1997-04-07 0:00 ` Ken Garlington
1997-04-09 0:00 ` Gavin Collings
1997-04-04 0:00 ` Ken Garlington
1997-04-04 0:00 ` Robert Dewar
1997-04-03 0:00 ` Robin Rosenberg
1997-03-24 0:00 ` Ken Garlington
1997-03-26 0:00 ` Thomas Beale
1997-03-26 0:00 ` Ken Garlington
1997-03-21 0:00 ` "Paul E. Bennett"
1997-03-22 0:00 ` Nigel Tzeng
1997-03-23 0:00 ` John McCabe
1997-03-17 0:00 ` Paul Johnson
1997-03-17 0:00 ` Enrico Facchin - Sartori E.T.
1997-03-19 0:00 ` Anders Pytte
1997-03-18 0:00 ` Ken Garlington
1997-03-17 0:00 ` Alexander Anderson
1997-03-17 0:00 ` Nick Leaton
1997-03-17 0:00 ` Richard Kaiser
[not found] ` <tz8g1xtzx9y.fsf@aimnet.com>
1997-03-18 0:00 ` Anders Pytte
1997-03-18 0:00 ` Jean-Marc Jezequel
1997-03-18 0:00 ` Anders Pytte
1997-03-18 0:00 ` Anders Pytte
1997-03-19 0:00 ` Programming language fanaticism! Louis Bastarache
1997-03-20 0:00 ` Anders Pytte
1997-03-20 0:00 ` Papers on the Ariane-5 crash and Design by Contract Matt Kennel (Remove 'nospam' to reply)
1997-03-24 0:00 ` Joachim Durchholz
1997-03-24 0:00 ` Anders Pytte
1997-03-26 0:00 ` Matt Kennel (Remove 'nospam' to reply)
1997-03-29 0:00 ` Anders Pytte
1997-03-29 0:00 ` Steve Furlong
1997-03-26 0:00 ` Robert Dewar
1997-03-27 0:00 ` the one and only real true kibo
1997-03-29 0:00 ` the one and only real true kibo
1997-03-29 0:00 ` Nick S Bensema
1997-03-30 0:00 ` the one and only real true kibo
1997-03-21 0:00 ` Ken Garlington
1997-03-21 0:00 ` Bertrand Meyer
1997-03-21 0:00 ` William Clodius
1997-03-21 0:00 ` Bertrand Meyer
1997-03-23 0:00 ` William Clodius
1997-03-23 0:00 ` the one and only real true kibo
1997-03-22 0:00 ` Fergus Henderson
1997-03-22 0:00 ` Bertrand Meyer
1997-03-23 0:00 ` the one and only real true kibo
1997-03-23 0:00 ` Anders Pytte
1997-03-24 0:00 ` FUD (Re: Papers on the Ariane-5 crash and Design by Contract) Alexander Anderson
1997-03-24 0:00 ` Alexander Anderson
1997-03-23 0:00 ` Papers on the Ariane-5 crash and Design by Contract Anders Pytte
[not found] ` <3335BC24.13728473@eiffel.com>
1997-03-23 0:00 ` Bertrand Meyer
1997-03-24 0:00 ` Robert Dewar
1997-03-31 0:00 ` Ken Garlington
1997-04-01 0:00 ` Bertrand Meyer
1997-03-25 0:00 ` Ken Garlington
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` the one and only real true kibo
1997-03-24 0:00 ` Ken Garlington
1997-03-26 0:00 ` Robert Dewar
1997-03-26 0:00 ` Ken Garlington
[not found] ` <E7ox17.MKx@syd.csa.com.au>
1997-03-28 0:00 ` Ken Garlington
1997-03-24 0:00 ` John Hogg
1997-03-18 0:00 ` Laurent Moussault
1997-03-18 0:00 ` Richard Kaiser
1997-03-18 0:00 ` Nick Leaton
1997-03-19 0:00 ` Richard Kaiser
1997-03-19 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Richard Kaiser
1997-03-19 0:00 ` Fergus Henderson
1997-03-18 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Ken Garlington
1997-03-18 0:00 ` Richard Kaiser
1997-03-18 0:00 ` Nick Leaton
1997-03-18 0:00 ` "Paul E. Bennett"
1997-03-19 0:00 ` Nick Leaton
1997-03-24 0:00 ` Joachim Durchholz
1997-03-25 0:00 ` Robert Dewar
1997-03-31 0:00 ` Jan Galkowski
1997-03-31 0:00 ` Joachim Durchholz
1997-04-02 0:00 ` Robert Dewar
1997-04-03 0:00 ` Martin Tom Brown
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Jonathan Egre'
1997-04-06 0:00 ` Robert Dewar
1997-04-06 0:00 ` Nick Roberts
1997-03-31 0:00 ` Alexander Anderson
1997-04-01 0:00 ` Alexander Anderson
1997-04-02 0:00 ` Ken Garlington
1997-03-20 0:00 ` John the Hamster
1997-03-17 0:00 ` Bertrand Meyer
1997-03-18 0:00 ` John McCabe
1997-03-18 0:00 ` Ray McVay
1997-03-27 0:00 ` Robert Dewar
1997-03-29 0:00 ` the one and only real true kibo
1997-03-30 0:00 ` Nick Roberts
1997-04-06 0:00 ` Doctorb
1997-04-08 0:00 ` Ron Crocker
1997-04-11 0:00 ` Richard Riehle
1997-03-17 0:00 ` Robert I. Eachus
1997-03-17 0:00 ` Martin Tom Brown
1997-03-17 0:00 ` Please do not start a language war (was " Jon S Anthony
1997-03-18 0:00 ` Kent Tong
1997-03-20 0:00 ` Ranan Fraer
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Jon S Anthony
1997-03-19 0:00 ` Ron Forrester
1997-03-21 0:00 ` Ken Garlington
1997-03-22 0:00 ` Ron Forrester
1997-03-18 0:00 ` Ulrich Windl
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Robert I. Eachus
1997-03-18 0:00 ` Tarjei Jensen
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Ken Garlington
1997-03-19 0:00 ` Eric M. Boyd
1997-03-19 0:00 ` Jeffrey W. Stulin
[not found] ` <3345cd60.2092398@news.sydney.apana.org.au>
1997-04-03 0:00 ` Ariane-5 crash , Eiffel and Ada Jeffrey W. Stulin
1997-04-03 0:00 ` Nick Leaton
1997-04-08 0:00 ` AdaWorks
1997-03-19 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Karel Th�nissen
1997-03-19 0:00 ` Papers on the Ariane-5 crash and Design by Contract Karel Th�nissen
1997-03-19 0:00 ` Nick Leaton
1997-03-19 0:00 ` Jon S Anthony
1997-03-20 0:00 ` Paul Johnson
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` Design by Contract in C++ (was Re: Papers on the Ariane-5 crash and Design by Contract) Anders Pytte
1997-03-20 0:00 ` Jean-Marc Jezequel [this message]
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Ken Garlington
1997-03-19 0:00 ` Jon S Anthony
1997-03-19 0:00 ` Karel Th�nissen
1997-03-19 0:00 ` Ken Garlington
1997-03-19 0:00 ` Ken Garlington
1997-03-20 0:00 ` Richard Kaiser
1997-03-24 0:00 ` Ken Garlington
1997-03-20 0:00 ` Martin Tom Brown
1997-03-21 0:00 ` Frank Manning
1997-03-21 0:00 ` Martin Tom Brown
1997-03-23 0:00 ` Frank Manning
1997-03-25 0:00 ` Ken Garlington
1997-03-20 0:00 ` Robert I. Eachus
1997-03-20 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Karel Th�nissen
1997-03-20 0:00 ` Nick Leaton
1997-03-20 0:00 ` Nick Leaton
1997-03-20 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert I. Eachus
[not found] ` <tz8sp1qiywm.fsf@aimnet.com>
1997-03-21 0:00 ` ae59
1997-03-21 0:00 ` Ulrich Windl
1997-03-21 0:00 ` Alexander Anderson
1997-03-23 0:00 ` "Paul E. Bennett"
1997-03-21 0:00 ` Please do not start a language war (was " Jon S Anthony
1997-03-22 0:00 ` Bertrand Meyer
1997-03-22 0:00 ` Anders Pytte
1997-03-23 0:00 ` Steve Furlong
1997-03-24 0:00 ` Anders Pytte
1997-03-24 0:00 ` Simulating Eiffel-style assertions (was: Papers on the Ariane-5 crash and Design by Contract) Wolfgang Reddig
1997-03-24 0:00 ` Anders Pytte
1997-03-25 0:00 ` Wolfgang Reddig
1997-03-25 0:00 ` Anders Pytte
1997-03-31 0:00 ` Joachim Durchholz
1997-03-26 0:00 ` Alan Brain
1997-03-26 0:00 ` Wolfgang Reddig
1997-03-29 0:00 ` How old time languages survive EJon
1997-03-22 0:00 ` Papers on the Ariane-5 crash and Design by Contract Bertrand Meyer
1997-03-23 0:00 ` Dale Stanbrough
[not found] ` <3335E18E.33590565@eiffel.com>
1997-03-23 0:00 ` FUD (Re: Papers on the Ariane-5 crash and Design by Contract) Bertrand Meyer
1997-03-24 0:00 ` William Grosso
1997-03-24 0:00 ` Brad Appleton
1997-03-24 0:00 ` Bertrand Meyer
1997-03-24 0:00 ` William Clodius
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert Dewar
1997-03-24 0:00 ` Manners (was Re: Papers on the Ariane-5 crash and Design by Contract) Bertrand Meyer
1997-03-25 0:00 ` the one and only real true kibo
1997-03-22 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Stuart Yeates
1997-03-22 0:00 ` Papers on the Ariane-5 crash and Design by Contract Jon S Anthony
1997-03-28 0:00 ` Matt Kennel (Remove 'nospam' to reply)
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Jon S Anthony
1997-03-24 0:00 ` Alexander Anderson
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Nick Leaton
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Ken Garlington
1997-03-27 0:00 ` Joachim Durchholz
1997-03-31 0:00 ` Ken Garlington
1997-04-06 0:00 ` Joachim Durchholz
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-24 0:00 ` William Clodius
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robb Nebbe
1997-03-25 0:00 ` Robert I. Eachus
1997-03-25 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-25 0:00 ` David Starr
1997-03-25 0:00 ` Ken Garlington
1997-03-26 0:00 ` Papers on the Ariane-5 crash and Design by Contract Ken Garlington
1997-03-26 0:00 ` Alexander Anderson
1997-03-26 0:00 ` Jon S Anthony
1997-03-27 0:00 ` Trust but verify (was " Robert I. Eachus
1997-03-28 0:00 ` Robert I. Eachus
1997-03-28 0:00 ` Jon S Anthony
1997-03-31 0:00 ` Ken Garlington
1997-03-19 0:00 ` Chris Brand
1997-03-23 0:00 ` the one and only real true kibo
-- strict thread matches above, loose matches on Subject: below --
1997-03-17 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-20 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-25 0:00 ` Nick Roberts
1997-03-24 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-27 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-04-03 0:00 Adrian B.Y. Hoe
1997-04-05 0:00 ` Nick Roberts
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox