invariants een 417 fall 2013. when is a design of a system “correct”? a design is correct when...

Post on 31-Dec-2015


INVARIANTS

EEN 417, Fall 2013

When is a Design of a System “Correct”?

• A design is correct when it meets its specification (requirements) in its operating environment

• “A design without specification cannot be right or wrong, it can only be surprising!”

• Simply running a few tests is not enough!

• Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)

Ariane disaster, 1996: $500 million software failure

FDIV error, 1994: $500 million

Estimated worst-case worm cost: > $50 billion

Ariane 5 Flight 501

• 4 June 1996, the first test flight of the Ariane 5 rocket system

• Rocket self-destructed 37 seconds after launch.

Ariane 5 Flight 501

• What caused the disaster?

• A data conversion from 64-bit floating point to 16-bit signed integer

Ariane 5 Flight 501

• Max value for a 16-bit signed integer: 32,768

• Max value for a 64-bit floating point? 1.79 * 10^308

Ariane 5 Flight 501

• Software had been written and tested for the Ariane 4, where the variables had been protected by a handler.

• Code was included in Ariane 5 for reuse, despite the fact that the software was not required for the Ariane 5.

Pentium FDIV Bug

• Intel’s Pentium 5

– Professor Thomas Nicely noticed inconsistencies in calculations when adding Pentiums to his cluster

– Floating-point division operations didn’t quite come out right. Off by 61 parts per million

Pentium FDIV Bug

• Intel acknowledged the flaw, but claimed it wasn’t serious. Wouldn’t affect most users.

• Byte magazine estimated only 1 in 9 billion floating-point operations would suffer the error.

Pentium FDIV Bug

• Total cost to Intel? $450 million

Korean Air Flight 801

• Air Traffic Control Minimum Safe Altitude Warning system – lets pilots know when they are too close to the ground.

• The system in Guam had been giving off spurious alarms, and prevented the airport’s other systems from detecting aircraft approaching below minimum safe altitude

• Engineers modified the system to limit alarms.

200 Deaths

High Frequency Trading

• Algorithmic trading seeks to exploit small differences in prices; millions of programs are running

• How do they interact?

• How does something written by Company A affect something written by Company B?

High Frequency Trading

• 2010 Flash Crash – largest intraday point loss

– Losses recovered in minutes, but scared regulatory bodies

• US SEC and CFTC concluded that HFT contributed to the volatility.

High Frequency Trading

• SEC and CFTC stated – “market makers and other liquidity providers widened their quote spreads, reduced liquidity, and withdrew from the market”

• Some signal set off their algorithms, causing a joint movement which helped cause the crash

HOW DO WE PREVENT THESE PROBLEMS?

Specification, Verification, and Control

• Specification

– A mathematical statement of the design objective (desired properties of the system)

• Verification

– Does the designed system achieve its objective in the operating environment?

• Controller Synthesis

– Given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment

Propositional Logic

• Atomic formulas: Statements about an input, output, or state of a state machine. Examples:

• These are propositions (true or false statements) about a state machine with input or output x and state s.

formula    meaning
x          x is present
x = 1      x is present and has value 1
s          machine is in state s

Propositional Logic

• Propositional logic formulas: More elaborate statements about an input, output, or state of a state machine. Examples:

• Here, p1 and p2 are either atomic formulas or propositional logic formulas.

formula meaning

Execution Trace of a State Machine

Propositional Logic on Traces
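As an added example, not from the lecture slides: a small Python checker that evaluates the atomic formulas above (x is present, x = 1, machine is in state s) and their propositional combinations (not, and, or, implies) at every step of an execution trace, and reports the first step at which an invariant fails. The two-state machine, its trace, and the tuple encoding of formulas are constructed for this illustration.

```python
# Added example, not from the lecture slides: propositional formulas on traces.
# A trace is a list of steps; each step records the machine's current state
# and the signals (inputs/outputs) present at that step with their values.
# Formulas are tuples:
#   ("present", "x")      x is present
#   ("eq", "x", 1)        x is present and has value 1
#   ("state", "s")        machine is in state s
#   ("not", p), ("and", p, q), ("or", p, q), ("implies", p, q)

def holds(formula, step):
    """Evaluate one propositional formula at one step of a trace."""
    kind = formula[0]
    if kind == "present":
        return formula[1] in step["signals"]
    if kind == "eq":
        name, value = formula[1], formula[2]
        return name in step["signals"] and step["signals"][name] == value
    if kind == "state":
        return step["state"] == formula[1]
    if kind == "not":
        return not holds(formula[1], step)
    if kind == "and":
        return holds(formula[1], step) and holds(formula[2], step)
    if kind == "or":
        return holds(formula[1], step) or holds(formula[2], step)
    if kind == "implies":
        return (not holds(formula[1], step)) or holds(formula[2], step)
    raise ValueError("unknown formula kind: %r" % (kind,))

def first_violation(formula, trace):
    """Index of the first step where the invariant fails, or None if it holds."""
    for i, step in enumerate(trace):
        if not holds(formula, step):
            return i
    return None

# Constructed trace of a two-state machine (states idle, busy), input x, output y.
TRACE = [
    {"state": "idle", "signals": {}},
    {"state": "idle", "signals": {"x": 1}},
    {"state": "busy", "signals": {"y": 1}},
    {"state": "busy", "signals": {"x": 0, "y": 1}},
    {"state": "idle", "signals": {}},
]

# Invariant that holds on every step: output y is only present in state busy.
Y_ONLY_WHEN_BUSY = ("implies", ("present", "y"), ("state", "busy"))
# Invariant that fails at step 3, where x arrives while the machine is busy.
X_ONLY_WHEN_IDLE = ("implies", ("present", "x"), ("state", "idle"))
```

A formula that mentions an absent signal simply evaluates to false at that step, matching the table's reading of "x" as "x is present".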

Example: Specification of the SpaceWire Protocol (European Space Agency standard)

The problem with most specifications

• Specifications tend to be written by non-engineers, and tend to be written in English.

• Why is this a problem?

WRAP UP

For next time

Read Chapter 12 – Invariants and Temporal Logic
