248 Chapter 17 ■ Software robustness Let us turn to examining how an exception is thrown, using the same example. In Java, the method parseInt can be written as follows: public int parseInt(String string) throws NumberFormatException { int number = 0; for (int i = 0; i < string.length(); i++) { char c = string.charAt(i); if (c < '0' || c > '9') throw new NumberFormatException(); number = number * 10 + (c - '0'); } return number; } You can see that in the heading of the method the exception that may be thrown is declared, along with the specification of any parameters and return value. If this method detects that any of the characters within the string are illegal, it executes a throw instruction. This immediately terminates the method and transfers control to a catch block designed to handle the exception. In our example, the catch block is within the method that calls parseInt. Alternatively the try-catch combination can be written within the same method as the throw statement. Or it can be writ- ten within any of the methods in the calling chain that led to calling parseInt. Thus the designer can choose an appropriate place in the software structure at which to carry exception handling. The position in which the exception handler is written helps both to determine the action to be taken and what happens after it has dealt with the situation. > > SELF-TEST QUESTION 17.7 The method parseInt does not throw an exception if the string is of zero length. Amend it so that it throws the same exception in this situation. What happens after an exception has been handled? In the above example, the catch block ends with a return statement, which exits from the current method, actionPerformed and returns control to its caller. This is the appropriate action in this case – the program is able to recover and continue in a useful way. In general the options are either to recover from the exception and continue or to allow the program to gracefully degrade. The Java language mechanism supports various actions: ■ handle the exception. Control flow then either continues on down the program or the method can be exited using a return statement. ■ ignore the exception. This is highly dangerous and always leads to tears, probably after the software has been put into use. BELL_C17.QXD 1/30/05 4:24 PM Page 248 17.6 Recovery blocks 249 In the above example, the application program itself detected the exception. Sometimes, however, it is the operating system or the hardware that detects an excep- tion. An example is an attempt to divide by zero, which would typically be detected by the hardware. The hardware would alert the run-time system or operating system, which in turn would enter any exception handler associated with this exception. The mechanism described above is the exception handling facility provided in Java. Similar mechanisms are provided in Ada and C++. In old software systems the simplest solution to handling exceptions was to resort to the use of a goto statement to transfer control out of the immediate locality and into a piece of coding designed to handle the situation. The use of a goto was particularly appealing when the unusual situation occurred deep within a set of method calls. The throw statement has been criticized as being a goto statement in disguise. The response is that throw is indeed a “structured goto”, but that its use is restricted to dealing with errors and therefore it cannot be used in an undisciplined way. In summary, exception handlers allow software to cope with unusual, but anticipated, events. The software can take appropriate remedial action and continue with its tasks. Exception handlers therefore provide a mechanism for forward error recovery. In Java, the mechanism consists of three ingredients: 1. a try block, in which the program attempts to behave normally 2. the program throws an exception 3. a catch block handles the exceptional situation. Recovery blocks are a way of structuring backward error recovery to cope with unantic- ipated faults. In backward error recovery, periodic dumps of the state of the system are made at recovery points. When a fault is detected, the system is restored to its state at the most recent recovery point. (The assumption is that this is a correct state of the system.) The system now continues on from the recovery point, using some alternative course of action so as to avoid the original problem. An analogy: if you trip on a banana skin and spill your coffee, you can make a fresh cup (restore the state of the system) and carry on (carefully avoiding the banana skin). 17.6 ● Recovery blocks SELF-TEST QUESTION 17.8 What happens if the return statement is omitted in the above example of the exception handler? ■ throw another exception. This passes the buck to another exception handler further up the call chain, which the designer considers to be a more appropriate place to handle the exception. BELL_C17.QXD 1/30/05 4:24 PM Page 249 250 Chapter 17 ■ Software robustness As shown in Figure 17.3, backward error recovery needs: 1. the primary software component that is normally expected to work 2. a check that it has worked correctly 3. an alternative piece of software that can be used in the event of the failure of the primary module. We also need, of course, a mechanism for taking dumps of the system state and for restoring the system state. The recovery block notation embodies all of these features. Taking as an example a program that uses a method to sort some information, a fault tolerant fragment of program looks like this: ensure dataStillValid by superSort else by quickSort else by slowButSureSort else error Here supersort is the primary component. When it has tried to sort the infor- mation, the method dataStillValid tests to see whether a failure occurred. If there was a fault, the state of the program is restored to what it was before the sort method was executed. The alternative method quickSort is then executed. Should this now fail, a third alternative is provided. If this fails, there is no other alternative available, and the whole component has failed. This does not necessarily mean that the whole program will fail, as there may be other recovery blocks programmed by the user of this sort module. What kinds of fault is this scheme designed to cope with? The recovery block mech- anism is designed primarily to deal with unanticipated faults that arise from bugs (design faults) in the software. When a piece of software is complete, it is to be expected that there will be residual faults in it, but what cannot be anticipated is the whereabouts of the bugs. User Normal module Checking module Alternative module Figure 17.3 Components in a recovery block scheme > > BELL_C17.QXD 1/30/05 4:24 PM Page 250 17.6 Recovery blocks 251 Recovery blocks will, however, also cope with hardware faults. For example, suppose that a fault develops in the region of main memory containing the primary sort method. The recovery block mechanism can then recover by switching over to an alternative method. There are stories that the developers of the recovery block mechanism at Newcastle University, England, used to invite visitors to remove memory boards from a live computer and observe that the computer continued apparently unaffected. We now examine some of the other aspects of recovery blocks. The acceptance test You might think that acceptance tests would be cumbersome methods, incurring high overheads, but this need not be so. Consider for example a method to calculate a square root. A method to check the outcome, simply by multiplying the answer by itself, is short and fast. Often, however, an acceptance test cannot be completely foolproof – because of the performance overhead. Take the example of the sort method. The acceptance test could check that the information had been sorted, that is, is in sequence. However, this does not guarantee that items have not been lost or created. An acceptance test, there- fore, does not normally attempt to ensure the correctness of the software, but instead carries out a check to see whether the results are acceptably good. Note that if a fault like division by zero, a protection violation, an array subscript out of range occurs while one of the sort methods is being executed, then these also con- stitute the result of checks on the behavior of the software. (These are checks carried out by the hardware or the run-time system.) Thus either software acceptance tests or hardware checks can trigger fault tolerance. The alternatives The software components provided as backups must accomplish the same end as the primary module. But they should achieve this by means of a different algorithm so that the same problem doesn’t arise. Ideally the alternatives should be developed by differ- ent programmers, so that they are not unwittingly sharing assumptions. The alterna- tives should also be less complex than the primary, so that they will be less likely to fail. For this reason they will probably be poorer in their performance (speed). Another approach is to create alternatives that provide an increasingly degraded service. This allows the system to exhibit what is termed graceful degradation. As an example of graceful degradation, consider a steel rolling mill in which a computer controls a machine that chops off the required lengths of steel. Normally the computer employs a sophisticat- ed algorithm to make optimum use of the steel, while satisfying customers’ orders. Should this algorithm fail, a simpler algorithm can be used that processes the orders strictly sequentially. This means that the system will keep going, albeit less efficiently. Implementation The language constructs of the recovery block mechanism hide the preservation of vari- ables. The programmer does not need to explicitly declare which variables should be stored and when. The system must save values before any of the alternatives is executed, BELL_C17.QXD 1/30/05 4:24 PM Page 251 252 Chapter 17 ■ Software robustness and restore them should any of the alternatives fail. Although this may seem a formidable task, only the values of variables that are changed need to be preserved, and the nota- tion highlights which ones these are. Variables local to the alternatives need not be stored, nor need parameters passed by value. Only global variables that are changed need to be preserved. Nonetheless, storing data in this manner probably incurs too high an overhead if it is carried out solely by software. Studies indicate that, suitably implement- ed with hardware assistance, the speed overhead might be no more than about 15%. No programming language has yet incorporated the recovery block notation. Even so, the idea provides a framework which can be used, in conjunction with any pro- gramming language, to structure fault tolerant software. This form of programming means developing n versions of the same software compo- nent. For example, suppose a fly-by-wire airplane has a software component that decides how much the rudder should be moved in response to information about speed, pitch, throttle setting, etc. Three or more version of the component are imple- mented and run concurrently. The outputs are compared by a voting module, the majority vote wins and is used to control the rudder (see Figure 17.4). It is important that the different versions of the component are developed by differ- ent teams, using different methods and (preferably) at different locations, so that a mini- mum of assumptions are shared by the developers. By this means, the modules will use different algorithms, have different mistakes and produce different outputs (if they do) under different circumstances. Thus the chances are that when one of the components fails and produces an incorrect result, the others will perform correctly and the faulty component will be outvoted by the majority. Clearly the success of an n-programming scheme depends on the degree of inde- pendence of the different components. If the majority embody a similar design fault, they will fail together and the wrong decision will be the outcome. This is a bold assumption, and some studies have shown a tendency for different developers to com- mit the same mistakes, probably because of shared misunderstandings of the (same) specification. The expense of n-programming is in the effort to develop n versions, plus the pro- cessing overhead of running the multiple versions. If hardware reliability is also an issue, 17.7 ● n-version programming Version 1 Version 2 Version 3 Voting module Input data Output data Figure 17.4 Triple modular redundancy BELL_C17.QXD 1/30/05 4:24 PM Page 252 17.8 Assertions 253 as in fly-by-wire airplanes, each version runs on a separate (but identical) processor. The voting module is small and simple, consuming minimal developer and processor time. For obvious reasons, an even number of versions is not appropriate. The main difference between the recovery block and the n-version schemes is that in the former the different versions are executed sequentially (if need be). Is n-programming forward error recovery or is it backward error recovery? The answer is that, once an error is revealed, the correct behavior is immediately available and the system can continue forwards. So it is forward error recovery. Assertions are statements written into software that say what should be true of the data. Assertions have been used since the early days of programming as an aid to verifying the correctness of software. An assertion states what should always be true at a particular point in a program. Assertions are usually placed: ■ at the entry to a method – called a precondition, it states what the relationship between the parameters should be ■ at the end of a method – called a postcondition, it states what the relationship between the parameters should be ■ within a loop – called a loop invariant, it states what is always true, before and after each loop iteration, however many iterations the loop has performed. ■ at the head of a class – called a class invariant, it states what is always true before and after a call on any of the class’s public methods. The assertion states a relation- ship between the variables of an instance of the class. An example should help see how assertions can be used. Take the example of a class that implements a data structure called a stack. Items can be placed in the data struc- ture by calling the public method push and removed by calling pop. Let us assume that the stack has a fixed length, described by a variable called capacity. Suppose the class uses a variable called count to record how many items are currently in the stack. Then we can make the following assertions at the level of the class. These class invariant is: assert count >= 0; assert capacity >= count; These are statements which must always be true for the entire class, before or after any use is made of the class. We can also make assertions for the individual methods. Thus for method push, we can say as a postcondition: assert newCount = oldCount + 1; For the method push, we can also state the following precondition: assert oldCount < capacity; 17.8 ● Assertions BELL_C17.QXD 1/30/05 4:24 PM Page 253 254 Chapter 17 ■ Software robustness Note that truth of assertions does not guarantee that the software is working cor- rectly. However, if the value of an assertion is false, then there certainly is a fault in the software. Note also that violation of a precondition means that there is a fault in the user of the method; a violation of a postcondition means a fault in the method itself. There are two main ways to make use of assertions. One way is to write assertions as comments in a program, to assist in manual verification. On the other hand, as indicated by the notation used above, some programming languages (including Java) allow asser- tions to be written as part of the language – and their correctness is checked at run- time. If an assertion is found to be false, an exception is thrown. There is something of an argument about whether assertions should be used only during development, or whether they should also be enabled when the software is put into productive use. Fault tolerance in hardware has long been recognized – and accommodated. Electronic engineers have frequently incorporated redundancy, such as triple modular redundancy, within the design of circuits to provide for hardware failure. Fault tolerance in software has become more widely addressed in the design of computer systems as it has become recognized that it is almost impossible to produce correct software. Exception handling is now supported by all the mainstream software engineering languages – Ada, C++, Visual Basic, C# and Java. This means that designers can provide for failure in an organ- ized manner, rather than in an ad hoc fashion. Particularly in safety-critical systems, either recovery blocks or n-programming is used to cope with design faults and enhance reliability. Fault tolerance does, of course, cost money. It requires extra design and program- ming effort, extra memory and extra processing time to check for and handle excep- tions. Some applications need greater attention to fault tolerance than others, and safety-critical systems are more likely to merit the extra attention of fault tolerance. However, even software packages that have no safety requirements often need fault tolerance of some kind. For example, we now expect a word processor to perform periodic and automatic saving of the current document, so that recovery can be per- formed in the event of power failure or software crash. End users are increasingly demanding that the software cleans up properly after failures, rather than leave them with a mess that they cannot salvage. Thus it is likely that ever-increasing attention will be paid to improving the fault tolerance of software. 17.9 ● Discussion SELF-TEST QUESTION 17.9 Write pre- and post-conditions for method pop. BELL_C17.QXD 1/30/05 4:24 PM Page 254 Exercises 255 17.1 For each of the computer systems detailed in Appendix A, list the faults that can arise, categorizing them into user errors, hardware faults and software faults. Decide whether each of the faults is anticipated or unanticipated. Suggest how the faults could be dealt with. 17.2 Explain the following terms, giving an example of each to illustrate your answer: fault tol- erance, software fault tolerance, reliability, robustness, graceful degradation. Summary Faults in computer systems are caused by hardware failure, software bugs and user error. Software fault tolerance is concerned with: ■ detecting faults ■ assessing damage ■ repairing the damage ■ continuing. Of these, faults can be detected by both hardware and software. One hardware mechanism for fault detection is protection mechanisms, which have two roles: 1. they limit the spread of damage, thus easing the job of fault tolerance 2. they help find the cause of faults. Faults can be classified in two categories – anticipated and unanticipated. Recovery mechanisms are of two types: ■ backward – the system returns to an earlier, safe state ■ forward – the system continues onwards from the error. Anticipated faults can be dealt with by means of forward error recovery. Exception handlers are a convenient programming language facility for coping with these faults. Unanticipated faults – such as software design faults – can be handled using either of: ■ recovery blocks, a backward error recovery mechanism ■ n-programming, a forward error recovery mechanism. Assertions are a way of stating assumptions that should be valid when software exe- cutes. Automatic checking of assertions can assist debugging. Exercises • BELL_C17.QXD 1/30/05 4:24 PM Page 255 256 Chapter 17 ■ Software robustness 17.3 Consider a programming language with which you are familiar. In what ways can you deliberately (or inadvertently) write a program that will: 1. crash 2. access main memory in an undisciplined way 3. access a file protected from you. What damage is caused by these actions? How much damage is possible? Assuming you didn’t already know it, is it easy to diagnose the cause of the prob- lem? Contemplate that if it is possible deliberately to penetrate a system, then it is certainly possible to do it by accident, thus jeopardizing the reliability and security of the system. 17.4 “Compile-time checking is better than run-time checking.” Discuss. 17.5 Compare and contrast exception handling with assertions. 17.6 The Java system throws an IndexOutOfBoundsException exception if a pro- gram attempts to access elements of an array that lie outside the valid range of subscripts. Write a method that calculates the total weekly rainfall, given an array of floating point numbers (values of the rainfall for each of seven days of the week) as its single parameter. The method should throw an exception of the same type if an array is too short. Write code to catch the exception. 17.7 Outline the structure of recovery block software to cope with the following situation. A fly-by-wire aircraft is controlled by software. A normal algorithm calculates the opti- mal speed and the appropriate control surface and engine settings. A safety module checks that the calculated values are within safe limits. If they are not, it invokes an alternative module that calculates some safe values for the settings. If, again, this module fails to suggest safe values, the pilots are alerted and the aircraft reverts to manual control. 17.8 Compare and contrast the recovery block scheme with the n-programming scheme for fault tolerance. Include in your review an assessment of the development times and performance overheads associated with each scheme. 17.9 Searching a table for a desired object is a simple example of a situation in which it can be tempting to use a goto to escape from an unusual situation. Write a piece of program to search a table three ways: 1. using goto 2. using exceptions 3. avoiding both of these. Compare and contrast the three solutions. BELL_C17.QXD 1/30/05 4:24 PM Page 256 Answers to self-test questions 257 17.10 Consider a program to make a copy of a disk file. Devise a structure for the program that uses exception handlers so that it copes with the following error situations: 1. the file doesn’t exist (there is no file with the stated name) 2. there is a hardware fault when reading information from the old file 3. there is a hardware fault when writing to the new file. Include in your considerations actions that the filing system (or operating system) needs to take. 17.11 Explain the difference between using a goto statement and using a throw state- ment. Discuss their relative advantages for dealing with exceptions. 17.12 “There is no such thing as an exceptional situation. The software should explicitly deal with all possible situations.” Discuss. 17.13 Some word processors provide an undo command. Suppose we interpret a user wanting to undo what they have done as a fault, what form of error recovery does the software provide and how is it implemented? 17.14 Examine the architecture and operating system of a computer for which you have documentation. Investigate what facilities are provided for detecting software and hardware faults. 17.15 Compare and contrast approaches to fault tolerance in software with approaches for hardware. Answers to self-test questions 17.1 1. unanticipated 2. unanticipated 3. unanticipated 4. anticipated 5. anticipated 17.2 stack overflow use of a null pointer 17.3 The module could check that all the items in the new array are in order. (This is not foolproof because the new array could contain different data to the old.) 17.4 Pro: prevent the spread of damage, assist in diagnosing the cause. Cons: expensive hardware and software, reduction in performance (speed). ➞ BELL_C17.QXD 1/30/05 4:24 PM Page 257 . many iterations the loop has performed. ■ at the head of a class – called a class invariant, it states what is always true before and after a call on any of the class’s public methods. The assertion. of the data. Assertions have been used since the early days of programming as an aid to verifying the correctness of software. An assertion states what should always be true at a particular point. contrast approaches to fault tolerance in software with approaches for hardware. Answers to self-test questions 17.1 1. unanticipated 2. unanticipated 3. unanticipated 4. anticipated 5. anticipated 17.2