cs, auhenrik bærbak christensen1 critical systems development sommerville 7th ed chapter 20 part i

CS, AU Henrik Bærbak Christensen 1

Critical Systems Development

Sommerville 7th Ed

Chapter 20 Part I


The three approaches

Dependability techniques:

– Fault avoidance: Use processes, tools, and techniques that prevent programming errors.

– Fault detection and removal: Find and remove the defects before they cause failures.

– Fault tolerance: Ensure that faults does not lead to failures.


In our context

Related to the course– Fault avoidance: Use processes, tools, and

techniques that prevent programming errors.• We will look a bit into it in this session

– Fault detection and removal: Find and remove the defects before they cause failures.

• Reliable Software = fault detection; Virtualization = detection• Debugging = fault removal

– Fault tolerance: Ensure that faults does not lead to failures.

• Architectural in nature– Overview of architectures, case studies, examples, …


Fundamental Techniques

Diversity– Do not put all eggs in the same basket– Divide your earthly goods in eight parts

• Diversify your investments• Have two types of locks on your door (America, sigh…)

Redundancy– Have a spare bulb and batteries– Buy lots of ketchup – Backup your files


… in software architectures

Redundancy– Have an extra preconfigured computer in the closet– Have a farm of web servers – Keep redundant information in data structures

• MFT can be recreated from the files on the disk• Outlook comes with ScanPST that repairs the outlook file

– Checksums are ‘redundant’ checks of validity• Detect defects before they become failures.

Diversity– Have two different implementations of the same

component– Run on two different computers/operating systems


… in development processes

Redundancy & diverstiy– Use both testing and reviewing of critical units– Static analysis, formal methods, …

– Several reviewers with different experience and background

– Several testers …


The cost

Redundancy and diversity are costly

They require more code and thus more risk of having defects! Is it better to spend the effort on rigorous verification and validation?

– Airbus 340 flight control: Redundancy and diversity

– Boeing 777 flight control: Single version


Dependable Processes

Avoiding failures by process


Avoid defects/errors by process

Repeatable, documented process that include– Requirements inspections– Requirements management– Model checking: Conformance of design and impl.– Design & code inspections: checklists, etc.– Static analysis: program analysis to find anomalies– Test planning and management


Dependable Programming

Avoiding failures by programming


Handling complexity

Programs are immensely complex artifacts!– The first binary search algorithm was published 1946– The first published version without bugs 12 years

later!– An experiment was conducted

• 100 really experienced programmers were asked to implement binary search in two hours in their favorite programming language

• 90% of all contained one or more defects!

But most errors are due to accidental complexity, i.e. because the language tricks you into making defects in your coding.


Programming constructs

Dijkstra (1968): Goto considered harmful– The machine code instruction jump (address) exists in

many old programming languages “goto”: BASIC, Fortran, C, C++

Problems:– Hides the block structure

• Handles both do..while, while…, if, and switch!

– Allows multi-entry procedures• Goto into the ‘middle’ of a procedure…

– Spaghetti code


Goto

The first large BASIC program I encountered– Super Star Trek

• Yeah I know – game freak…

Source: http://

www.codeproject.com/KB/game/startrek_1971_text.aspx

The ‘fire torpedo’ method


Modern languages?

Fortunately we cannot do that in modern languages


Modern languages?

C++ == modern langauge?

Here the C++ version

Java / C# Exercise:– Do they have ‘goto’?


Keep an eye on:

Floating-point numbers!– if ( double1 == double2 ) – Overflow errors are not reported in Java!

Pointers– ****a = **x[7]

Dynamic memory allocation wo. Garbage coll.– malloc(x) and delete; Pascal: mark and release– This kills any intelligent OO design

• Who has the responsibility to deallocate?

– Apache web server respawns itself every 12 hours• Easier than find and fix all the memory leak bugs!


Keep an eye on:

Concurrent programming– Just plain difficult– … and next to impossible to debug due to

unpredictable scheduling…

Recursion– Leave the ph.d.’s to code that

Inheritance– Deep hierarchies with methods that call ‘super’ much

means algorithms are split into many small fragments that has to be considered an entity

• Yo-yo syndrome in debugging


Keep an eye on:

Compositional, run-time based, designs:– Intensive use of the Decorator pattern has the same

liability

Aliasing:– Multiple, different-named, references to a single

underlying datastructure– Great way to introduce weird side-effects– C++ excels here: &*p[4]

Unbounded arrays– C arrays are not arrays, they are pointers into

memory – that is any memory including the program!


Oldies

– Fortran (& BASIC): Implicit variable declaration • DO I = 1, 10 (Java: for (int i = 1; i < 10; i++)• DOI = 1, 10 (Java: int DOI; DOI = 1; //,10)

– Fortran• Every character in column 72 or beyond are ignored

– PL1• Compiler vendor specific what this means

– CLOS• Multiple super-class calling sequence declared but

impossible to understand


C++ Barf bag

C++ is the better choice for job security and ability to show off your skills! Here are a couple of those things I knew 15 years ago that made me a star in my company– Weird compile errors in perfectly correct code

• look for the missing “;” in an include file mentioned in the top

– sizeof(data) returns the size of the data structure but only if the compiler can lay out the memory block statically, otherwise it is the size of the pointer (4 bytes).

– C++ constructors are not virtual so any virtual call inside them are statically decided!

• Java of course fixed this major headache!

– Casting in multiple fork-join hierarchies• Bjarne Stroustrup found the solution in only a week!

– if ( x = 3 ) { }


Fault tolerance

Exception Handling– Is essentially a language built-in fault tolerance technique

Idea:– Code that detect a run-time failure but has no means to

determine what to do with it throws an exception• E.g. a low level file writer experiences a disk full, but it is reused

both in a GUI app and a server app. It cannot determine proper action

– ‘insert another hard disk’ prompt does not really make sense in a server!

– Exception propagates up the call stack until it reaches a high level unit (closer to the ‘user’ or customer requirement fulfilling code) that sensibly can handle the exception. It catches the exception

• Server: alert maintenance• GUI: prompt the user to save the file on another disk


Conclusion

Programming involves– Intrinsically difficult challenges

• Damn hard no matter what tools we use

– Accidentally difficult challenges• Tools allow us or even invites us to make defects

Advice– Avoid old languages if possible– Use static analyzing tools

• Wikipedia: “static code analysis”• Java: FindBugs, CheckStyle, …


Fault Tolerance

Sommerville

Lyu

cs, auhenrik bærbak christensen1 critical systems development sommerville 7th ed chapter 20 part i

Documents