
INVARIANTS

INVARIANTS. EEN 417 Fall 2013. When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating environment. “A design without specification cannot be right or wrong, it can only be surprising!”





Presentation Transcript


  1. INVARIANTS EEN 417 Fall 2013

  2. When is a Design of a System “Correct”? • A design is correct when it meets its specification (requirements) in its operating environment • “A design without specification cannot be right or wrong, it can only be surprising!” • Simply running a few tests is not enough! • Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)

  3. Ariane disaster, 1996: $500 million software failure • FDIV error, 1994: $500 million • Estimated worst-case worm cost: > $50 billion

  4. Ariane 5 Flight 501 • 4 June 1996, the first test flight of the Ariane 5 rocket system • Rocket self-destructed 37 seconds after launch.

  5. Ariane 5 Flight 501 • What caused the disaster? • A data conversion from 64-bit floating point to 16-bit signed integer

  6. Ariane 5 Flight 501 • Max value for 16-bit signed integer • 32,768 • Max value for a 64-bit floating point? • 1.79*10^308

  7. Ariane 5 Flight 501 • Software had been written and tested for the Ariane 4, where the variables had been protected by a handler. • Code was included in Ariane 5 for reuse, despite the fact that the software was not required for the Ariane 5.
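The failure mode in slides 5 through 7 is a 64-bit floating-point value converted into a 16-bit signed integer without any check that it fits. The following Python is an added example (not the Ariane flight software) showing the range invariant such a conversion needs and two handler policies, reject or saturate; Python's float stands in for the 64-bit floating-point type on the slide.

```python
import math

INT16_MIN, INT16_MAX = -(2 ** 15), 2 ** 15 - 1   # -32768 .. 32767

def float64_to_int16(value: float) -> int:
    """Convert a Python float (an IEEE 754 double, i.e. the 64-bit type on the
    slide) to a 16-bit signed integer, rejecting any value that does not fit
    instead of letting the conversion wrap or trap unhandled."""
    if math.isnan(value) or math.isinf(value):
        raise ValueError(f"{value!r} is not a finite number")
    truncated = int(value)   # truncate toward zero
    if not INT16_MIN <= truncated <= INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a 16-bit signed integer")
    return truncated

def fits_int16(value: float) -> bool:
    """The range invariant to establish before converting; this is the check a
    protecting handler enforces on the caller's behalf."""
    try:
        float64_to_int16(value)
    except (ValueError, OverflowError):
        return False
    return True

def to_int16_saturating(value: float) -> int:
    """Alternative handler policy: clamp out-of-range values to the nearest bound
    rather than aborting, for variables where a bounded value is acceptable."""
    if math.isnan(value):
        raise ValueError("NaN has no integer value")
    if math.isinf(value):
        return INT16_MAX if value > 0 else INT16_MIN
    return max(INT16_MIN, min(INT16_MAX, int(value)))
```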

  8. Pentium FDIV Bug • Intel’s Pentium 5 • Professor Thomas Nicely noticed inconsistencies in calculations when adding Pentiums to his cluster • Floating-point division operations didn’t quite come out right. Off by 61 parts per million

  9. Pentium FDIV Bug • Intel acknowledged the flaw, but claimed it wasn’t serious. Wouldn’t affect most users. • Byte magazine estimated only 1 in 9 billion floating-point operations would suffer the error.

  10. Pentium FDIV Bug • Total cost to Intel? $450 million

  11. Korean Air Flight 801 • Air Traffic Control Minimum Safe Altitude Warning system – lets pilots know when they are too close to the ground. • System in Guam had been giving off spurious alarms, and prevented the airport’s other systems from detecting aircraft approaching below minimum safe altitude • Engineers modified the system to limit alarms.

  12. 200 Deaths

  13. High Frequency Trading • Algorithmic trading, seeks to exploit small differences in prices, millions of programs running • How do they interact? • How does something written by Company A affect something written by Company B?

  14. High Frequency Trading • 2010 Flash Crash – largest intraday point loss • Losses recovered in minutes, but scared regulatory bodies • US SEC and CFTC concluded that HFT contributed to the volatility.

  15. High Frequency Trading • SEC and FTC stated – “market makers and other liquidity providers widened their quote spreads, reduced liquidity, and withdrew from the market” • Some signal set off their algorithms and caused a joint movement that helped cause the crash

  16. How do we prevent these problems?

  17. Specification, Verification, and Control • Specification • A mathematical statement of the design objective (desired properties of the system) • Verification • Does the designed system achieve its objective in the operating environment? • Controller Synthesis • Given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment

  18. Propositional Logic • Atomic formulas: Statements about an input, output, or state of a state machine. Examples: • These are propositions (true or false statements) about a state machine with input or output x and state s.

  19. Propositional Logic • Propositional logic formulas: More elaborate statements about an input, output, or state of a state machine. Examples: • Here, p1 and p2 are either atomic formulas or propositional logic formulas.

  20. Execution Trace of a State Machine

  21. Propositional Logic on Traces
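Slides 18 through 21 describe atomic formulas, propositional formulas built from them, and their evaluation over the execution trace of a state machine. The following Python is an added example (not from the slides) that builds a small two-state thermostat machine, records its trace as a sequence of (input x, state s, output y) steps, and checks propositional formulas as invariants over every step, reporting the first step where one fails. The thermostat, its thresholds and the temperature readings are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple
# One step of an execution trace: the input x, the state s in which the machine
# reacts, and the output y it produces. A formula is a predicate over one step.
Step = Dict[str, object]
Formula = Callable[[Step], bool]

def thermostat(s: str, x: float) -> Tuple[str, str]:
    """One reaction of a two-state thermostat (a constructed machine, not one from
    the slides): return (next state, output y) for state s and temperature x."""
    if s == "cooling" and x <= 18:
        return "heating", "heatOn"
    if s == "heating" and x >= 22:
        return "cooling", "heatOff"
    return s, "absent"

def execution_trace(machine, s0: str, inputs: List[float]) -> List[Step]:
    """Run the machine on an input sequence, recording (x, s, y) at every step."""
    trace, s = [], s0
    for x in inputs:
        s_next, y = machine(s, x)
        trace.append({"x": x, "s": s, "y": y})
        s = s_next
    return trace

# Atomic formulas are statements about x, s or y at one step; the connectives
# build propositional formulas from them (p and q may themselves be compound).
def atom(pred: Callable[[Step], bool]) -> Formula: return pred
def NOT(p: Formula) -> Formula: return lambda st: not p(st)
def AND(p: Formula, q: Formula) -> Formula: return lambda st: p(st) and q(st)
def OR(p: Formula, q: Formula) -> Formula: return lambda st: p(st) or q(st)
def IMPLIES(p: Formula, q: Formula) -> Formula: return lambda st: (not p(st)) or q(st)

def first_violation(phi: Formula, trace: List[Step]) -> Optional[int]:
    """phi is an invariant of the trace if it holds at every step: return the index
    of the first step where it fails, or None if it never does."""
    for i, step in enumerate(trace):
        if not phi(step):
            return i
    return None

# Constructed temperature readings; the machine starts in "cooling".
TRACE = execution_trace(thermostat, "cooling", [20, 19, 18, 19, 21, 22, 23, 20])
HEATING = atom(lambda st: st["s"] == "heating")
HOT = atom(lambda st: st["x"] >= 22)
HEAT_ON = atom(lambda st: st["y"] == "heatOn")
# "The heater is only switched on while cooling": true at every step.
P_ON_FROM_COOLING = IMPLIES(HEAT_ON, NOT(HEATING))
# "Whenever it is hot, the machine is cooling": fails at step 5 (x = 22), because
# the state s recorded at that step is still "heating"; the transition follows it.
P_HOT_MEANS_COOLING = IMPLIES(HOT, NOT(HEATING))
```

Running the check with `first_violation(P_HOT_MEANS_COOLING, TRACE)` returns the counterexample step, which is what a verifier reports when a claimed invariant does not hold on a trace.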

  22. Example: Specification of the SpaceWire Protocol (European Space Agency standard)

  23. The problem with most specifications • Specifications tend to be written by non-engineers, and tend to be written in English. • Why is this a problem?

  24. WRAP UP

  25. For next time Read Chapter 12 – Invariants and Temporal Logic
