Discriminate Bug Density

If you intend to use the KLOC scale as a guide to when to launch your product and wind down your programming, you should monitor KLOCs by their severity:

KLOC-A = Class A Bugs per thousand lines.
KLOC-B = Class B Bugs per thousand lines.
KLOC-C = Class C Bugs per thousand lines.
KLOC-D = Class D Bugs per thousand lines.

These can sometimes be grouped as follows:

KLOC-AB = Class A+B Bugs per thousand lines.
KLOC-CD = Class C+D Bugs per thousand lines.

A Cautionary Tale

In June 1996, after 10 years' work and an investment of $7 billion, the European Space Agency proudly launched the Ariane 5 rocket carrying four uninsured commercial satellites. Ariane 5 lifted off perfectly for its first and last 39 seconds. Then, before the horrified eyes of space scientists, it self-destructed.

Clearly, quality checks didn't work. Why? Someone tried to cram a 64-bit number into a 16-bit space. The experts at the launch site in Guyana knew about this issue. However, they decided it was not a problem because the rocket couldn't go fast enough to generate this error. That logic was practicable, if not perfect, for Ariane's forebears. Unfortunately, everyone forgot that Ariane 5 was significantly faster than its predecessors.

What happened was this. The rocket's direction was controlled by built-in gyroscopes and accelerometers feeding the guidance computers. As the rocket picked up speed the Inertial Navigation System (INS) tried to stuff the 64-bit floating-point number into the 16-bit single integer space. This caused a runtime error. On receiving this, the INS decided to shut down in a fit of logic. Being smart, the designers had created a backup unit. The good news was that the backup system worked. The bad news was that it was identical, bug and all, to the main system, so it failed a few milliseconds later in exactly the same way. Both the primary and backup INS computers sent the same error message to the main computer. This interpreted the data as a massive but legal course correction and commanded a nozzle to deflect, forcing the rocket to flip sideways. This caused the booster to be ripped off the main frame. Ariane 5 lurched off course and self-destructed.

The irony is that the offending piece of code was only required to monitor the sideways motion of the rocket prior to launch, but was kept running for 40 seconds after the countdown in case of a quick restart. The rocket malfunctioned 36.7 seconds into its flight. If the code had been programmed to shut down 4 seconds sooner, the programmer's oversight would have stayed buried.

This is where bug classification could have made the difference between failure and success. Simulations should have generated the problem. It would immediately have been classified as a Class A bug and the rocket would not have been allowed to launch until it had been fixed (and it would have cost a lot less).
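The narrowing conversion at the centre of this story, as an added C example (not the flight code, which this page does not show): an unchecked 64-bit float to 16-bit integer cast beside a checked version that reports out-of-range input through a separate status, which a simulation run can count. All type, function and sample names are hypothetical, and the sample values are constructed.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes, kept separate from the data value so a
 * fault can never be read downstream as a legitimate measurement. */
typedef enum { CONV_OK, CONV_SATURATED, CONV_INVALID } conv_status;

/* Unchecked narrowing, the pattern in the story: out-of-range input is
 * undefined behaviour in C (the flight software raised a runtime error). */
int16_t to_i16_unchecked(double v) { return (int16_t)v; }

/* Checked narrowing: always yields a defined value plus a status. */
conv_status to_i16_checked(double v, int16_t *out)
{
    if (isnan(v))      { *out = 0;         return CONV_INVALID; }
    if (v >= 32768.0)  { *out = INT16_MAX; return CONV_SATURATED; }
    if (v <= -32769.0) { *out = INT16_MIN; return CONV_SATURATED; }
    *out = (int16_t)v; /* in range; the fraction truncates toward zero */
    return CONV_OK;
}

/* Count samples that did not convert cleanly; in a simulation each one
 * is a finding to classify before release. */
size_t count_faults(const double *samples, size_t n)
{
    size_t faults = 0;
    int16_t tmp;
    for (size_t i = 0; i < n; i++)
        if (to_i16_checked(samples[i], &tmp) != CONV_OK)
            faults++;
    return faults;
}

/* Constructed inputs, not flight data: three in range, three not. */
size_t demo_fault_count(void)
{
    const double samples[] = { 120.5, -32768.9, 32767.9, 40000.0, -1e9, NAN };
    return count_faults(samples, sizeof samples / sizeof samples[0]);
}

int main(void)
{
    printf("%zu constructed samples failed conversion\n", demo_fault_count());
    return 0;
}
```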

Using KLOCs, the ideal release criteria are a KLOC-AB of 0 and a KLOC-CD close to single figures. In this respect, it is much like the proof requirements for a book.
