May 16, 2017

Code Matters

  —A look at how poor language design affects implementation.

In Code Matters, Bertrand Meyer discusses several flaws introduced as a result of poor language design. He cites examples from an Apple and OpenSSL security vulnerability announced in 2014. It’s a nice discussion on the importance of language design and how it affects implementation.

I found Meyer’s discussion on root cause analysis informative, particularly the example on how a combination of factors create situations that are difficult to detect. What makes Meyer’s discussion really valuable is his reference to Nancy Leveson.

Leveson’s home page contains a good collection of papers on safety in engineering. One paper investigates the Therac-25. The Therac-25 is a medical device containing software issues that massively overdosed six patients. The section on “Causal Factors” is informative.

One conclusion from Leveson’s paper is that focusing on particular bugs does not lead to safe design. The mistakes attributed to the Therac-25 involve poor software engineering practices and using software to ensure safe operation. You can’t patch your way out of a poor implementation and you shouldn’t involve software in safety critical functions.

Meyer’s point in his example is how combinations of factors can be difficult to detect and can result in catastrophic failure is made real in Leveson’s discussion of “Unrealistic Risk Assessment” in the Therac-25.

It also looks like a good lesson in probabilities. A probability of greater than zero means that the event can occur (however unlikely).

A look at race conditions in the Therac-25.