From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/24
Message-ID: #1/1
References: <332B5495.167EB0E7@eiffel.com> <332D113B.4A64@calfp.co.uk> <5gm8a6$2qu$2@news.irisa.fr> <3332BE49.8F9@lmtas.lmco.com> <33330FE5.3F54BC7E@eiffel.com> <3335BC24.13728473@eiffel.com> <3335BE7B.2C67412E@eiffel.com>
Organization: New York University
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada
Date: 1997-03-24T00:00:00+00:00
List-Id:

Bertrand Meyer wrote <<
!! Does this mean that the crash would automatically have
!! been avoided had the mission used a language and method
!! supporting built-in assertions and Design by Contract?
!! Although it is always risky to draw such after-the-fact
!! conclusions, the answer is probably yes:>>

Note that this conclusion is completely language independent. In particular the use of assertions is not language dependent. No method can possibly *rely* on having actual execution of assertions, since that just reduces you to relying on testing, but certainly execution of assertions is a helpful adjunct to testing, and certainly at the level that was needed in this case, any language can certainly implement runtime assertions.

The main point is that a systematic design using Design by Contract would indeed probably have avoided the error. However, be careful not to conclude from this observation that Design by Contract somehow has something special to say in the Ariane case. As has become painfully obvious in the aftermath, the Ariane 5 incident could have been avoided by any number of means, and almost any competent design approach, formal or informal, should have prevented this particular software error. Even in the absence of a systematic design approach, rigorous testing and/or common sense in approaching the design would have avoided the problem. The Ariane 5 crash was spectacular, and therefore acts as a focus for discussion, but in fact it is not a particularly instructive example of a BIG BUG. On the contrary it was the kind of simple-minded carelessness that plagues software, and can be reduced or eliminated without any very specialized techniques if you have competent people working in a reasonably systematic manner.