From: pattis@cs.washington.edu (Richard Pattis)
Subject: Re: Ariane 5 failure
Date: 1996/09/27
Message-ID: #1/1
References: <1780E8471.KUNNE@frcpn11.in2p3.fr> <1996Sep27.023246.18774@jarvis.cs.toronto.edu>
Organization: Computer Science & Engineering, U of Washington, Seattle
Newsgroups: comp.lang.ada,sci.math.num-analysis

As an instructor in CS1/CS2, this discussion interests me. I try to talk about designing robust, reusable code, and actually have students reuse code that I have written as well as some that they (and their peers) have written. The Ariane failure adds a new view to robustness, having to do with future use of code, and mathematical proof vs. "engineering" considerations.

Should a software engineer remove safety checks if he/she can prove, based on physical limitations (like a rocket not exceeding a certain speed), that they are unnecessary? Or, knowing that his/her code will be reused (in an unknown context, by someone who is not so skilled, and will probably not think to redo the proof), should such checks not be optimized out? What rule of thumb should be used to decide (e.g., what if the proof assumes the rocket speed will not exceed that of light)? Since software operates in the real world (not the world of mathematics), should mathematical proofs about code always yield to engineering rules of thumb to expect the unexpected?
"In the Russian theatre, every 5 years an unloaded gun accidentally discharges and kills someone; every 20 years a broom does." What is the rule of thumb about when mathematics should be believed?

As to saving SPEED by disabling the range checks: did the code not meet its speed requirements with range checks on? Only in that case would I have turned them off. Does "real time" mean fast enough or as fast as possible? To misquote Einstein, "Code should run as fast as necessary, but no faster...", since something is always traded away to increase speed.

If I were to try to create a lecture on this topic, what other similar failures should I know about (besides the legendary Venus probe)? Your comments?

Rich
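The trade-off the post asks about, a narrowing conversion with its range check kept versus removed on the strength of a proof about physical limits, worked through as an added example in C. This is not the poster's code and not Ariane flight software; the shape of the operation is the one that failed on Ariane 5, a floating-point value narrowed into a 16-bit signed integer whose range protection had been judged unnecessary. The bound PROVEN_MAX_ABS and the sample values are assumptions constructed for the example, and the last two samples deliberately violate the proof's premise, the way a reused module sees inputs its original envelope never covered.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical design-time bound (an assumption for this example): the proof
   says |value| never exceeds this, so, the argument goes, the range check in
   to_i16_checked() is dead code and may be optimized out. */
#define PROVEN_MAX_ABS 30000.0

/* Constructed sample stream. The first three respect the proof's envelope;
   the last two do not, standing in for a reuse context the proof never saw. */
static const double SAMPLES[] = { 0.0, 12345.6, -29999.9, 40000.0, -40000.0 };
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

static double abs_d(double v) { return v < 0.0 ? -v : v; }

/* Does the premise of the "safe to remove" argument hold for this input? */
bool proof_holds(double v) { return abs_d(v) <= PROVEN_MAX_ABS; }

/* The range check itself. NaN also fails, since every comparison with NaN is false. */
bool fits_i16(double v) { return v >= (double)INT16_MIN && v <= (double)INT16_MAX; }

/* Checked narrowing: refuses a value that does not fit instead of guessing. */
bool to_i16_checked(double v, int16_t *out) {
    if (!fits_i16(v)) return false;
    *out = (int16_t)v;
    return true;
}

/* Unchecked narrowing: keeps the low 16 bits, which is what a plain truncating
   store does on real hardware. The wraparound is computed explicitly here so
   the behaviour is defined by the C standard rather than left to the compiler.
   Assumes |v| < 2^31 so that the first conversion is itself in range. */
int16_t to_i16_unchecked(double v) {
    uint32_t bits = (uint32_t)(int32_t)v;     /* two's-complement image of the integer part */
    int32_t low = (int32_t)(bits & 0xFFFFu);  /* 0 .. 65535 */
    if (low >= 0x8000) low -= 0x10000;        /* reinterpret as a signed 16-bit value */
    return (int16_t)low;
}

/* How many samples the checked path refuses (the failure is visible). */
int count_rejected(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        int16_t v;
        if (!to_i16_checked(SAMPLES[i], &v)) n++;
    }
    return n;
}

/* How many samples the unchecked path delivers with a silently wrong value. */
int count_silently_wrapped(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        double truncated = (double)(int32_t)SAMPLES[i];   /* what the caller meant */
        if ((double)to_i16_unchecked(SAMPLES[i]) != truncated) n++;
    }
    return n;
}

/* How many samples break the premise the proof rests on. */
int count_outside_envelope(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!proof_holds(SAMPLES[i])) n++;
    return n;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++) {
        int16_t checked = 0;
        bool ok = to_i16_checked(SAMPLES[i], &checked);
        printf("%10.1f  proof:%s  checked:%s  unchecked:%6d\n", SAMPLES[i],
               proof_holds(SAMPLES[i]) ? "holds " : "broken",
               ok ? "ok      " : "rejected",
               (int)to_i16_unchecked(SAMPLES[i]));
    }
    printf("rejected=%d wrapped=%d outside_envelope=%d\n",
           count_rejected(), count_silently_wrapped(), count_outside_envelope());
    return 0;
}
```

Inside the envelope both paths agree, which is exactly what makes the optimization look safe. Outside it, the checked path reports a rejection the caller can act on, while the unchecked path hands 40000.0 downstream as -25536 and -40000.0 as 25536 with no indication that anything went wrong. The three counters make the point in the post's own terms: the cost of the check is one comparison per sample, and the thing it buys is that a violated proof premise surfaces as a detectable failure rather than as a plausible-looking wrong number.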