Comments on: A lesson on infinite loops http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/ Windows Enthusiast Community Sat, 07 Nov 2009 21:22:08 +0000 http://wordpress.org/?v=2.6.2 By: Notatnik zapisywany wieczorami http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1361 Notatnik zapisywany wieczorami Sat, 07 Mar 2009 02:02:19 +0000 http://www.aeroxp.org/?p=756#comment-1361 <strong>Układanki - wybieranki...</strong> Gdyby obiektywnie popatrzeć na oprogramowanie, które tworzyłem - nawet te większe, latami rozwijane przez wiele osób systemy - to napisany kod, jakkolwiek by mierzyć jego rozmiar, jest jakimś nieszczęsnym ułamkiem całej infrastruktury. Malutkim zbiorem... Układanki - wybieranki…

Gdyby obiektywnie popatrzeć na oprogramowanie, które tworzyłem - nawet
te większe, latami rozwijane przez wiele osób systemy - to napisany
kod, jakkolwiek by mierzyć jego rozmiar, jest jakimś nieszczęsnym
ułamkiem całej infrastruktury. Malutkim zbiorem…

]]> By: ertp http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1058 ertp Tue, 20 Jan 2009 09:47:03 +0000 http://www.aeroxp.org/?p=756#comment-1058 I design mission-critical software for embedded powerpc and ARM processors. I also design the ASIC for custom processors. I have been in this business for 13 years. It's tedious, boring, and I seriously regret ever getting my graduate degrees in computer science and electrical engineering. I will say this: It's not the programmer's fault! The lead engineer should have mitigated this problem at a higher level. If I relied on my code monkeys to output perfect code, there would be the blood of a lot of innocent people on my hands. . . literally. Testing with "100% code coverage" doesn't work: Unit Test Tools like VectorCAST can give you code coverage statistics, cyclomatic complexity, and paths exercised in Unit Testing, but that's NO GUARANTEE your test actually exercised the code under all possible in-the-wild conditions. I can easily get 100% code coverage, yet the code does not work? Why? Because 100% code coverage only says that every line of code must be covered which is different from every code path. Even though the lines of code were "covered", the result of the test may not have been dependent upon that path. Let's say you got 100% code coverage via two tests: One test covers paths A and B. Test two covers C. That's considered "100% code coverage" as it's defined by unit test tools, yet the path A->B->C was never tested nor were any significant permutations of that. Furthermore, the test result of your Unit Test may have resulted in the same answer regardless of the existence of an error in that "covered" path. These are all situations I have run into. My point is this: it's impossible to catch every bug in an embedded program and perfection has never happened and does not exist. It's really the lead engineer's job to mitigate the risk of misbehaving code at a higher level. Coders are usually working mindlessly to higher level design. Here's how I mitigate bad coding: Rule #1: No loops. All code must be in the form of an FSM (finite state machine) with a WATCHDOG TIMER for each state. Rule #2: No dynamic memory allocation. Screw what you learned in Computer Science. All structures must be static or global. Rule #1 eliminates the possibility of the program hanging from infinite loops. (Zune problem) Rule #2 eliminates the possibility of crashing due to overflow or null pointer. Embedded C is far different from C programming. This industry isn't about making code fast and efficient. It's about making it manageable so that if bugs are discovered they can be found. All of the suggestions to make this code more concise would just make bugs more difficult to find. Verbose and explicit coding may seem juvenile to people still in school, but that's the way people expect you to code in the real world. No one cares that you can write code in one line what might take an idiot 10 lines of code to accomplish. The byte code will look identical because of compiler optimizations. I design mission-critical software for embedded powerpc and ARM processors. I also design the ASIC for custom processors. I have been in this business for 13 years. It’s tedious, boring, and I seriously regret ever getting my graduate degrees in computer science and electrical engineering. I will say this: It’s not the programmer’s fault! The lead engineer should have mitigated this problem at a higher level. If I relied on my code monkeys to output perfect code, there would be the blood of a lot of innocent people on my hands. . . literally.

Testing with “100% code coverage” doesn’t work: Unit Test Tools like VectorCAST can give you code coverage statistics, cyclomatic complexity, and paths exercised in Unit Testing, but that’s NO GUARANTEE your test actually exercised the code under all possible in-the-wild conditions. I can easily get 100% code coverage, yet the code does not work? Why? Because 100% code coverage only says that every line of code must be covered which is different from every code path. Even though the lines of code were “covered”, the result of the test may not have been dependent upon that path. Let’s say you got 100% code coverage via two tests: One test covers paths A and B. Test two covers C. That’s considered “100% code coverage” as it’s defined by unit test tools, yet the path A->B->C was never tested nor were any significant permutations of that. Furthermore, the test result of your Unit Test may have resulted in the same answer regardless of the existence of an error in that “covered” path. These are all situations I have run into.

My point is this: it’s impossible to catch every bug in an embedded program and perfection has never happened and does not exist. It’s really the lead engineer’s job to mitigate the risk of misbehaving code at a higher level. Coders are usually working mindlessly to higher level design. Here’s how I mitigate bad coding:

Rule #1: No loops. All code must be in the form of an FSM (finite state machine) with a WATCHDOG TIMER for each state.
Rule #2: No dynamic memory allocation. Screw what you learned in Computer Science. All structures must be static or global.

Rule #1 eliminates the possibility of the program hanging from infinite loops. (Zune problem)
Rule #2 eliminates the possibility of crashing due to overflow or null pointer.

Embedded C is far different from C programming. This industry isn’t about making code fast and efficient. It’s about making it manageable so that if bugs are discovered they can be found. All of the suggestions to make this code more concise would just make bugs more difficult to find. Verbose and explicit coding may seem juvenile to people still in school, but that’s the way people expect you to code in the real world. No one cares that you can write code in one line what might take an idiot 10 lines of code to accomplish. The byte code will look identical because of compiler optimizations.

]]> By: Zunes bug - Page 2 | keyongtech http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1042 Zunes bug - Page 2 | keyongtech Sun, 18 Jan 2009 17:35:24 +0000 http://www.aeroxp.org/?p=756#comment-1042 [...] > days -= 365; > year += 1; > } > } > More information and analysis can be found at http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/ -- jacob navia jacob at jacob point remcomp point fr logiciels/informatique [...] [...] > days -= 365; > year += 1; > } > } > More information and analysis can be found at http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/ — jacob navia jacob at jacob point remcomp point fr logiciels/informatique [...]

]]> By: Microsoft supera se stessa | hilpers http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1038 Microsoft supera se stessa | hilpers Sat, 17 Jan 2009 20:52:00 +0000 http://www.aeroxp.org/?p=756#comment-1038 [...] tutti gliZuneda 30 GB sono > apparentemente svampati. Tra l'altro poi si [...] tutti gliZuneda 30 GB sono > apparentemente svampati. Tra l’altro poi si

]]> By: Gândaci şi brute « Keep IT simple http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1031 Gândaci şi brute « Keep IT simple Thu, 15 Jan 2009 11:26:18 +0000 http://www.aeroxp.org/?p=756#comment-1031 [...] La sfârşitul lui 2008 (chiar în 31 decembrie), o grămada de device-uri Zune s-au sinucis în masă din cauza unui bug destul de banal (via). Cum a fost posibil ca o bucată de cod să nu fie acoperită de nici o serie de teste şi să bage o parte a Microsoftului în şedinţă ? Iaca, fu posibil :). Detalii despre bug, aici. [...] [...] La sfârşitul lui 2008 (chiar în 31 decembrie), o grămada de device-uri Zune s-au sinucis în masă din cauza unui bug destul de banal (via). Cum a fost posibil ca o bucată de cod să nu fie acoperită de nici o serie de teste şi să bage o parte a Microsoftului în şedinţă ? Iaca, fu posibil :). Detalii despre bug, aici. [...]

]]> By: Los programas de nuestra vida : Blogografia http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-1030 Los programas de nuestra vida : Blogografia Wed, 14 Jan 2009 23:05:55 +0000 http://www.aeroxp.org/?p=756#comment-1030 [...] culpable del problema fue un fallo en la programación del firmware de los Zune que hacía que una rutina que calcula la fecha se quedara en un bucle [...] [...] culpable del problema fue un fallo en la programación del firmware de los Zune que hacía que una rutina que calcula la fecha se quedara en un bucle [...]

]]> By: eirik http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-998 eirik Fri, 09 Jan 2009 19:59:51 +0000 http://www.aeroxp.org/?p=756#comment-998 Something like this seems much cleaner: for (year = ORIGINYEAR; days >= daysInYear(year); year++) days -= daysInYear(year); where daysInYear(int year) = (IsLeapYear(year) ? 366 : 365) I haven't tried it and for all I care to check it might not even work, but at least it is very easy to verify that the routine will eventually complete in all cases. Something like this seems much cleaner:

for (year = ORIGINYEAR; days >= daysInYear(year); year++)
days -= daysInYear(year);

where daysInYear(int year) = (IsLeapYear(year) ? 366 : 365)

I haven’t tried it and for all I care to check it might not even work, but at least it is very easy to verify that the routine will eventually complete in all cases.

]]> By: 生 魚片的Blog » 從血淋淋的乖乖事件看乖乖 http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-991 生 魚片的Blog » 從血淋淋的乖乖事件看乖乖 Thu, 08 Jan 2009 03:17:32 +0000 http://www.aeroxp.org/?p=756#comment-991 [...] 當偶發狀況發生時,不是每一個人都有能力去找到真正的原因,畢竟除錯是一門專業的學問,可能需要經過環境比對找出硬體瑕疵或故障、需要了解軟體運作與設定來找出設計上的漏洞、也許是時間造成、也許是相容性的關係,當然在台灣這種濕氣重+地震、颱風不斷的地方,更大大提升了硬體被影響的機會,縱然機房往往都是溫控、濕控的地方~ [...] [...] 當偶發狀況發生時,不是每一個人都有能力去找到真正的原因,畢竟除錯是一門專業的學問,可能需要經過環境比對找出硬體瑕疵或故障、需要了解軟體運作與設定來找出設計上的漏洞、也許是時間造成、也許是相容性的關係,當然在台灣這種濕氣重+地震、颱風不斷的地方,更大大提升了硬體被影響的機會,縱然機房往往都是溫控、濕控的地方~ [...]

]]> By: publius http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-990 publius Thu, 08 Jan 2009 00:07:13 +0000 http://www.aeroxp.org/?p=756#comment-990 100% coverage testing would have easily caught this bug. First, it would have identified that the leap-year branch of the code had never been exercised by a unit test. Then, the person writing the unit test would have added a check for that, and the next run would have gone into an infinite loop. The reason silly bugs like this slip through is that the industry has deluded itself into thinking that 80% (or some other number less than 100%) is acceptable. 100% coverage testing would have easily caught this bug. First, it would have identified that the leap-year branch of the code had never been exercised by a unit test. Then, the person writing the unit test would have added a check for that, and the next run would have gone into an infinite loop. The reason silly bugs like this slip through is that the industry has deluded itself into thinking that 80% (or some other number less than 100%) is acceptable.

]]> By: King Kong http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/#comment-989 King Kong Wed, 07 Jan 2009 14:10:35 +0000 http://www.aeroxp.org/?p=756#comment-989 Regarding testing every loop/permutation, I have always been curious: how do you do it? Someone has to sit down and document the expected correct result for every loop/permutation. Surely he would have died of old age before he finishes a small percentage of it. I always thought that void SomeMethod(int x, int y) is already a big disaster. The person who wants SomeMethod has to specify 2E+128 outcomes that he wants. So I have given up a long time ago about wanting to work in General Dynamics. The people who do not forgive the Zune bug are simply armchair critics. I can bet they will be most unwilling to pay $20,000,000 for an MP3 player. Regarding testing every loop/permutation, I have always been curious: how do you do it? Someone has to sit down and document the expected correct result for every loop/permutation. Surely he would have died of old age before he finishes a small percentage of it.

I always thought that void SomeMethod(int x, int y) is already a big disaster. The person who wants SomeMethod has to specify 2E+128 outcomes that he wants. So I have given up a long time ago about wanting to work in General Dynamics.

The people who do not forgive the Zune bug are simply armchair critics. I can bet they will be most unwilling to pay $20,000,000 for an MP3 player.

]]>