cs, auhenrik bærbak christensen1 critical systems development sommerville 7th ed chapter 20 part i
TRANSCRIPT
CS, AU Henrik Bærbak Christensen 1
Critical Systems Development
Sommerville 7th Ed
Chapter 20 Part I
CS, AU Henrik Bærbak Christensen 2
The three approaches
Dependability techniques:
– Fault avoidance: Use processes, tools, and techniques that prevent programming errors.
– Fault detection and removal: Find and remove the defects before they cause failures.
– Fault tolerance: Ensure that faults does not lead to failures.
CS, AU Henrik Bærbak Christensen 3
In our context
Related to the course– Fault avoidance: Use processes, tools, and
techniques that prevent programming errors.• We will look a bit into it in this session
– Fault detection and removal: Find and remove the defects before they cause failures.
• Reliable Software = fault detection; Virtualization = detection• Debugging = fault removal
– Fault tolerance: Ensure that faults does not lead to failures.
• Architectural in nature– Overview of architectures, case studies, examples, …
CS, AU Henrik Bærbak Christensen 4
Fundamental Techniques
Diversity– Do not put all eggs in the same basket– Divide your earthly goods in eight parts
• Diversify your investments• Have two types of locks on your door (America, sigh…)
Redundancy– Have a spare bulb and batteries– Buy lots of ketchup – Backup your files
CS, AU Henrik Bærbak Christensen 5
… in software architectures
Redundancy– Have an extra preconfigured computer in the closet– Have a farm of web servers – Keep redundant information in data structures
• MFT can be recreated from the files on the disk• Outlook comes with ScanPST that repairs the outlook file
– Checksums are ‘redundant’ checks of validity• Detect defects before they become failures.
Diversity– Have two different implementations of the same
component– Run on two different computers/operating systems
CS, AU Henrik Bærbak Christensen 6
… in development processes
Redundancy & diverstiy– Use both testing and reviewing of critical units– Static analysis, formal methods, …
– Several reviewers with different experience and background
– Several testers …
CS, AU Henrik Bærbak Christensen 7
The cost
Redundancy and diversity are costly
They require more code and thus more risk of having defects! Is it better to spend the effort on rigorous verification and validation?
– Airbus 340 flight control: Redundancy and diversity
– Boeing 777 flight control: Single version
CS, AU Henrik Bærbak Christensen 8
Dependable Processes
Avoiding failures by process
CS, AU Henrik Bærbak Christensen 9
Avoid defects/errors by process
Repeatable, documented process that include– Requirements inspections– Requirements management– Model checking: Conformance of design and impl.– Design & code inspections: checklists, etc.– Static analysis: program analysis to find anomalies– Test planning and management
CS, AU Henrik Bærbak Christensen 10
Dependable Programming
Avoiding failures by programming
CS, AU Henrik Bærbak Christensen 11
Handling complexity
Programs are immensely complex artifacts!– The first binary search algorithm was published 1946– The first published version without bugs 12 years
later!– An experiment was conducted
• 100 really experienced programmers were asked to implement binary search in two hours in their favorite programming language
• 90% of all contained one or more defects!
But most errors are due to accidental complexity, i.e. because the language tricks you into making defects in your coding.
CS, AU Henrik Bærbak Christensen 12
Programming constructs
Dijkstra (1968): Goto considered harmful– The machine code instruction jump (address) exists in
many old programming languages “goto”: BASIC, Fortran, C, C++
Problems:– Hides the block structure
• Handles both do..while, while…, if, and switch!
– Allows multi-entry procedures• Goto into the ‘middle’ of a procedure…
– Spaghetti code
CS, AU Henrik Bærbak Christensen 13
Goto
The first large BASIC program I encountered– Super Star Trek
• Yeah I know – game freak…
Source: http://
www.codeproject.com/KB/game/startrek_1971_text.aspx
The ‘fire torpedo’ method
CS, AU Henrik Bærbak Christensen 14
Modern languages?
Fortunately we cannot do that in modern languages
CS, AU Henrik Bærbak Christensen 15
Modern languages?
C++ == modern langauge?
Here the C++ version
Java / C# Exercise:– Do they have ‘goto’?
CS, AU Henrik Bærbak Christensen 16
Keep an eye on:
Floating-point numbers!– if ( double1 == double2 ) – Overflow errors are not reported in Java!
Pointers– ****a = **x[7]
Dynamic memory allocation wo. Garbage coll.– malloc(x) and delete; Pascal: mark and release– This kills any intelligent OO design
• Who has the responsibility to deallocate?
– Apache web server respawns itself every 12 hours• Easier than find and fix all the memory leak bugs!
CS, AU Henrik Bærbak Christensen 17
Keep an eye on:
Concurrent programming– Just plain difficult– … and next to impossible to debug due to
unpredictable scheduling…
Recursion– Leave the ph.d.’s to code that
Inheritance– Deep hierarchies with methods that call ‘super’ much
means algorithms are split into many small fragments that has to be considered an entity
• Yo-yo syndrome in debugging
CS, AU Henrik Bærbak Christensen 18
Keep an eye on:
Compositional, run-time based, designs:– Intensive use of the Decorator pattern has the same
liability
Aliasing:– Multiple, different-named, references to a single
underlying datastructure– Great way to introduce weird side-effects– C++ excels here: &*p[4]
Unbounded arrays– C arrays are not arrays, they are pointers into
memory – that is any memory including the program!
CS, AU Henrik Bærbak Christensen 19
Oldies
– Fortran (& BASIC): Implicit variable declaration • DO I = 1, 10 (Java: for (int i = 1; i < 10; i++)• DOI = 1, 10 (Java: int DOI; DOI = 1; //,10)
– Fortran• Every character in column 72 or beyond are ignored
– PL1• Compiler vendor specific what this means
– CLOS• Multiple super-class calling sequence declared but
impossible to understand
CS, AU Henrik Bærbak Christensen 20
C++ Barf bag
C++ is the better choice for job security and ability to show off your skills! Here are a couple of those things I knew 15 years ago that made me a star in my company– Weird compile errors in perfectly correct code
• look for the missing “;” in an include file mentioned in the top
– sizeof(data) returns the size of the data structure but only if the compiler can lay out the memory block statically, otherwise it is the size of the pointer (4 bytes).
– C++ constructors are not virtual so any virtual call inside them are statically decided!
• Java of course fixed this major headache!
– Casting in multiple fork-join hierarchies• Bjarne Stroustrup found the solution in only a week!
– if ( x = 3 ) { }
CS, AU Henrik Bærbak Christensen 21
Fault tolerance
Exception Handling– Is essentially a language built-in fault tolerance technique
Idea:– Code that detect a run-time failure but has no means to
determine what to do with it throws an exception• E.g. a low level file writer experiences a disk full, but it is reused
both in a GUI app and a server app. It cannot determine proper action
– ‘insert another hard disk’ prompt does not really make sense in a server!
– Exception propagates up the call stack until it reaches a high level unit (closer to the ‘user’ or customer requirement fulfilling code) that sensibly can handle the exception. It catches the exception
• Server: alert maintenance• GUI: prompt the user to save the file on another disk
CS, AU Henrik Bærbak Christensen 22
Conclusion
Programming involves– Intrinsically difficult challenges
• Damn hard no matter what tools we use
– Accidentally difficult challenges• Tools allow us or even invites us to make defects
Advice– Avoid old languages if possible– Use static analyzing tools
• Wikipedia: “static code analysis”• Java: FindBugs, CheckStyle, …
CS, AU Henrik Bærbak Christensen 23
Fault Tolerance
Sommerville
Lyu