Making Students Care (MORE) About Safety

April 06 Popular Mechanics

• "Safer by Design"
• "The escape system -- essentially the parachute I was sitting on -- would work only if we could get the vehicle into a controlled glide …"
• "CEV's escape system can take my friends out of a bad day at any stage, from liftoff to orbital insertion."
• Author: Astronaut Thomas D. Jones

Optimal Control Problem Simulator

• How to achieve maximum bath fill at desired temperature while sitting in the tub

• A problem for click and clack
• cc.awk
• cc2.awk
  – Uses stacks to simulate water in pipes
  – Uses hashes to implement stacks
  – Permits user-defined granularity, delta=0.1
• A bug? I don't normally get bugs

A very old problem

• for (i=0; i<=max; i+=delta) warmstack[i] = wstemp

• Usually my bugs are benign:
  for (i in array) aindex[array[i]] = 1 bindex[array[i]] = 1
• Forgotten braces are easy to detect while programming because the program doesn't work

• But correctness w.r.t. physics…

A test program

• Print i: 0.1, 0.2, …, 1.0, …, 59.9 but not 60
• Integer conversion? No.
• Did I wish for stronger typing? No.
• A hack: for (i=0; i<=max+delta/2; i+=delta)
• Solaris only? No. Awk vs. gawk? No.
• Email Arnold Robbins?
• Google: "awk & real number precision"
• "Old problem with reals & precision"
• Even in cs100b: if (x - xalmost < delta)
  – shown again in the second build of the slide with the absolute-value form: if (abs(x - xalmost) <= delta)
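The loop from the "A very old problem" slide and the two fixes from the test-program slide, rendered in Python as an added example (not the cc.awk/cc2.awk code) so the accumulated values can be seen at full precision, which awk's default %.6g output hides. The function names and the small endpoints 0.3 and 1.0 are my choices; the slide's 60/0.1 case fails in the same way, and the last two functions contrast the one-sided cs100b check with the abs() version.

```python
"""Accumulating a float step (delta=0.1) never lands exactly on the
endpoint, so an `i <= max` test may skip the last value or stop on a
near-miss, depending on which way the rounding error drifted."""


def naive_range(max_value, delta):
    # The slide's loop: for (i=0; i<=max; i+=delta)
    values = []
    i = 0.0
    while i <= max_value:
        values.append(i)
        i += delta
    return values


def hack_range(max_value, delta):
    # The slide's hack: for (i=0; i<=max+delta/2; i+=delta)
    # Half a step of slack absorbs drift in either direction.
    values = []
    i = 0.0
    while i <= max_value + delta / 2:
        values.append(i)
        i += delta
    return values


def integer_step_range(max_value, delta):
    # Count integer steps k and derive i = k*delta: the error no longer
    # accumulates, and k (not the float) is the safe key for warmstack[...]
    steps = round(max_value / delta)
    return [k * delta for k in range(steps + 1)]


def one_sided_close(x, xalmost, delta):
    # The slide's first cs100b check, x - xalmost < delta: also true for
    # any x far *below* xalmost, so it is not a closeness test at all
    return x - xalmost < delta


def close_enough(x, xalmost, delta):
    # The corrected check: abs(x - xalmost) <= delta
    return abs(x - xalmost) <= delta


if __name__ == "__main__":
    for name, fn in [("naive", naive_range), ("hack", hack_range),
                     ("integer", integer_step_range)]:
        vals = fn(0.3, 0.1)
        print(f"{name:8s} steps={len(vals)} last={vals[-1]!r}")
```

Run it and the naive loop stops at 0.2 for max=0.3 (the "59.9 but not 60" shape) while for max=1.0 it stops on 0.9999999999999999, which awk would print as 1; the hack and the integer-step loop both make the right number of steps.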

July 02 Tech Review

• "Why is software so bad[?] -- and how to fix it"
• Gates: "If the auto industry had developed like the software industry, we would all be driving $25 cars that get 1000 mpg"
• Auto Exec: "And if cars were like software, they would crash twice a day for no reason and when you called for service they'd tell you to reinstall the engine."

Componentry?

• Bought an xbox on ebay

• Power supply "went bad" after one day

• "open xbox", part VI (part 4?), Guide To A Dead Power Supply Fuse Replacement (v0.2)

Errors

• Are inevitable
  – # of errors per line of code, per hour of attention
  – Amount of time to do something regardless of manpower
• Must design
  – for avoidance of flaws
  – for robustness
  – to minimize risk
• Must test for errors
• Me Too?
  – Bdog linux attack
  – CMU-FTP AI software -- divide by zero errors? Lockup?
  – Cgi dependencies?

Isn't OO-ware Componentry?

• So too were procedures and library calls
• OO probably ok, but…
• Middleware
  – often very complex
  – hard to get guarantees on black boxes
  – Other people's code
• OO associated with C++
  – C++ probably too low-level
• OO associated with Java
  – Probably 10x more errors than hype (that's not good)

Some things I've learned about Safety while Scripting

• You're testing your associative array implementations in C++ while I'm using them
  – Any sufficiently complicated C or Fortran program contains an ad hoc, informally specified, bug-ridden, slow implementation of half of Common Lisp. — Philip Greenspun (Greenspun's Tenth Rule)
• I'm testing while you're coding -- for months
• I'm working shorter times on shorter code -- w/focus
  – Forgetting is the biggest problem in programming
• I can probe, debug, and checkpoint a lot easier
• If it's critical, I will use programmer discipline
  – Declared local variables
  – No shorthand syntax
  – Attention to types and type conversion
  – Modularization of functionality
  – Limits on complexity of pieces

My Hope for Better Correctness

• More OO scripting: python, ruby
• Fewer languages that have bad outcomes:
  – Perl (despite its write-friendliness)
    • "Perl is polluting UNIX" -- rpl
  – Java (despite its intentions)
    • "write once, debug everywhere"
• More easy languages
  – php is ok
  – More use of higher-level easy languages
• Stronger fences: unix apps, not libraries
• More testing, less teaming
• More staged delivery schedules (always by v2.2)

Some Things to Worry About

• Classic SE course: celebrated failures:
  – So and so airport, this NASA that spacecraft
  – What a racket! Fear and doom, give me money to show you my powerpoints
  – Microsoft suspended writing code for two months, mass training thousands in security and reliability, showing flawed company code on big screens
• Real liability cases, real lawsuits
• "Multidata Systems International of St. Louis, massively overdosed patients in Panama in 2000, 2001…"
• CMU study of wireless interference with GPS
  – You could kill yourself & family this month with your dvd player turning itself on by accident in your carry-on

The Analogy to Bridges has Been Poor

• One bridge failure != one printer driver update
  – # of designs / # deployed systems mismatch
  – Not all software failure results in death
• Easier to:
  – Specify bridge performance requirements
  – Test bridge functionality at time of delivery
• As expectations evolve, not so easy to:
  – Predict bridge failure after earthquakes
  – Clean bridges after dirty terrorist bombs
  – Expand bridge performance to match traffic demand
  – Design spans to avoid visual blight, criminal activity
  – Design for impact
    • Environmental
    • Economic
    • Physical

Better Analogies

• Cars
  – Shorter design times, similar time pressure
  – Many deployed, often recalled, redesigned
  – Many components interacting
  – Various levels of risk
  – BUT:
    • Longer historical practice, more evolution than revolution (hybrids are AMAZING for the amount of new tech)
    • Much more specialization of work
    • Many bugs are manufacturing flaws (but this is changing)
• How about economic engineering?

RPL's Reality Check

• Since software controls nearly all aspects of our lives
  – Misleading to count massive failures
    • E.g., better to tally by industry or by type of program or even by platform
  – Misleading to join all kinds of failures
    • unavailability != cost overrun != incorrectness != large damages
  – Counterproductive to generalize across different software purposes
    • Is architecture still lumped with industrial design?
    • Do glass-covered spaceframes have the same engineering problems as chairs?
    • Simulator is about getting it RIGHT
    • Web is about getting it out right NOW
    • Cruise missile control is about getting it right THERE

436S

• DO ask yourself to do & to supervise quality engineering
• DO consider all the various kinds of failure/success
• DO pay attention to software failures in history, in the press, in theory
• DO NOT believe in
  – panacea
  – easy fix
  – software religion
  – (even SE itself?)
• DO pay attention to proposals for better practices
• DO try to make useful analogies to other kinds of engineering (or other kinds of correct construction)
• WE will be having a CFP or two related to
  – psim certification for wider deployment and
  – Psim test harnessing