INVARIANTS

EEN 417Fall 2013

When is a Design of a System “Correct”?

•A design is correct when it meets its specification (requirements) in its operating environment

•“A design without specification cannot be right or wrong, it can only be surprising!”

•Simply running a few tests is not enough!

•Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)

Ariane disaster, 1996$500 million software failure

FDIV error, 1994$500 million

Estimated worst-case worm cost: > $50 billion

Ariane 5 Flight 501

• 4 June 1996, the first test flight of the Ariane 5 rocket system

• Rocket self-destructed 37 seconds after launch.

Ariane 5 Flight 501

• What caused the disaster?

• A data conversion from 64-bit floating point to 16-bit signed integer

Ariane 5 Flight 501

• Max value for 16-bit signed integer– 32,768

• Max value for a 64-bit floating point?– 1.79*10^308

Ariane 5 Flight 501

• Software had been written and tested for the Ariane 4, where the variables had been protected by a handler.

• Code was include in Ariane 5 for reuse, despite the fact that the software was not required for the Ariane 5.

Pentium FDIV Bug

• Intel’s Pentium 5– Professor Thomas Nicely noticed inconsistencies in

calculations when addingPentiums to his cluster

– Floating-point divisionoperations didn’t quite comeout right.Off by 61 parts per million

Pentium FDIV Bug

• Intel acknowledged the flaw, but claimed it wasn’t serious. Wouldn’t affect most users.

• Byte magazine estimatedonly 1 in 9 billion floatingpoint operations wouldsuffer the error.

Pentium FDIV Bug

• Total cost to Intel?

$450 million

Korean Air Flight 801

• Air Traffic Control Minimum Safe Altitude Warning system – lets pilots know when they are too close to the ground.

• System in Guam had been giving off spurious alarms, and prevented the airport’s other systems from detecting aircrafts approaching below minimum safe altitude

• Engineers modified the system to limit alarms.

200 Deaths

High Frequency Trading

• Algorithmic trading, seeks to exploit small differences in prices, millions of programs running

• How do they interact?• How does something

written by Company Aaffect somethingwritten by Company B?

High Frequency Trading

• 2010 Flash Crash – largest intraday point loss– Losses recovered in minutes, but scared regulatory

bodies• US SEC and CFTC

consluded that HFTcontributed to thevolatility.

High Frequency Trading

• SEC and FTC stated – “market makers and other liquidity providers widened their quote spreads, reduced liquidity, and withdrew from the market”

• Some signal set offtheir algorithms,caused a jointmovement whichhelped cause the crash

HOW DO WE PREVENT THESE PROBLEMS?

Specification, Verification, and Control

•Specification•A mathematical statement of the design objective (desired properties of the system)

•Verification•Does the designed system achieve its objective in the operating environment?

•Controller Synthesis•Given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment

Propositional Logic

•Atomic formulas: Statements about an input, output, or state of a state machine. Examples:

•These are propositions (true or false statements) about a state machine with input or output x and state s.

formula meaning

x x is present

x = 1 x is present and has value 1

s machine is in state s

Propositional Logic

•Propositional logic formulas: More elaborate statements about an input, output, or state of a state machine. Examples:

•Here, p1 and p2 are either atomic formulas or propositional logic formulas.

formula meaning

Execution Trace of a State Machine

Propositional Logic on Traces

Example: Specification of the SpaceWire Protocol (European

Space Agency standard)

The problem with most specifications

• Specifications tend to be written by non-engineers, and tend to be written in English.

• Why is this a problem?

WRAP UP

For next time

Read Chapter 12 – Invariants and Temporal Logic