
Be Suspicious of Success • Buttondown




October 16, 2024

Successful software is buggy software.

From Leslie Lamport’s Specifying Systems:

You should be suspicious if [the model checker] does not discover a violation of a liveness property… you should also be suspicious if [it] discovers no errors when checking safety properties.

This is specifically in the context of model-checking a formal specification, but it’s a widely applicable software principle. It’s not enough for a program to work, it has to work for the right reasons. Code working for the wrong reasons is code that’s going to break when you least expect it. And since “correct for right reasons” is a much narrower target than “correct for any possible reason”, we can’t assume our first success is actually our intended success.

Hence, BSOS: Be Suspicious of Success.

Some useful BSOS practices

The standard way of dealing with BSOS is verification. Tests, static checks, model checking, etc. We get more confident in our code if our verifications succeed. But then we also have to be suspicious of that success, too! How do I know whether my tests are passing because they’re properly testing correct code or because they’re failing to test incorrect code?

This is why test-driven development gurus tell people to write a failing test first. Then at least we know the tests are doing something (even if they still might not be testing what they want).

The other limit of verification is that it can’t tell us why something succeeds. Mainstream verification methods are good at explaining why things fail: expected vs actual test output, type mismatches, specification error traces. Success isn’t as “information-rich” as failure. How do you distinguish a faithful implementation of is_collatz_counterexample from return false?

A broader technique I follow is make it work, make it break. If code is working for the right reasons, I should be able to predict how to break it. This can be either a change in the runtime (this will livelock if we 10x the number of connections), or a change to the code itself (commenting out this line will cause property X to fail). If the code still works even after the change, my model of the code is wrong and it was succeeding for the wrong reasons.

Happy and Sad Paths

A related topic (possibly subset?) is “happy and sad paths”. The happy path of your code is the behavior when everything’s going right: correct inputs, preconditions are satisfied, the data sources are present, etc. The sad path is all of the code that handles things going wrong. Retry mechanisms, insufficient user authority, database constraint violation, etc. In most software, the code supporting the sad paths dwarfs the code in the happy path.

BSOS says that I can’t just show code works in the happy path, I also need to check it works in the sad path.

BSOS also says that I have to be suspicious when the sad path works properly, too.

Say I add a retry mechanism to my code to handle the failure mode of timeouts. I test the code and it works. Did the retry code actually run? Did it run regardless of the original response? Is it really doing exponential backoff? Will it stop after the maximum retry limit? Is the sad path code after the maximum retry limit working properly?
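Each of those questions can be turned into an assertion. The following is an added example, not code from the original newsletter: call_with_retry, RetriesExhausted, Flaky and observe are hypothetical names, and the sleep function is injected so the test records the delays instead of waiting.

```python
import time


class RetriesExhausted(Exception):
    """Sad path after the retry limit: records how many attempts were made."""
    def __init__(self, attempts, last_error):
        super().__init__(f"gave up after {attempts} attempts: {last_error!r}")
        self.attempts = attempts
        self.last_error = last_error


def call_with_retry(op, max_retries=3, base_delay=0.5, sleep=None):
    """Call op(); on TimeoutError wait base_delay * 2**attempt, then retry."""
    sleep = sleep or time.sleep
    for attempt in range(max_retries + 1):
        try:
            return op()
        except TimeoutError as exc:
            if attempt == max_retries:
                raise RetriesExhausted(attempt + 1, exc) from exc
            sleep(base_delay * 2 ** attempt)


class Flaky:
    """Constructed test double: times out `failures` times, then succeeds."""
    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise TimeoutError("constructed timeout")
        return "ok"


def observe(failures, max_retries=3):
    """Run one scenario; return the outcome, the call count and the delays."""
    op, delays = Flaky(failures), []
    try:
        outcome = call_with_retry(op, max_retries, 0.5, sleep=delays.append)
    except RetriesExhausted as exc:
        outcome = ("gave up", exc.attempts)
    return outcome, op.calls, delays
```

To apply "make it work, make it break" here, replace `2 ** attempt` with `1` or delete the `attempt == max_retries` check and confirm that a test asserting on the call count and the recorded delays fails; a test that only checks for "ok" would keep passing.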

One paper found that 35% of catastrophic distributed system failures were caused by “trivial mistakes in error handlers” (pg 9). These were in mature, battle-hardened programs. Be suspicious of success. Be more suspicious of sad path success.


Blog Rec

This week’s blog rec is Red Blob Games! While primarily about computer game programming, the meat of the content is beautiful, interactive guides to general CS algorithms. Some highlights:

(I don’t think his rss feed covers new interactive articles, only the blog specifically.)

If you’re reading this on the web, you can subscribe here. Updates are once a week. My main website is here.
