曝光台 注意防骗
网曝天猫店富美金盛家居专营店坑蒙拐骗欺诈消费者
the effects were different and caused different numbers of failures in the affected versions [18]. One
version failed 231 times because of this fault and a second only 37 times. However, whenever the second
of the two failed, the first did also. The reason for the difference is the interaction between this fault and
the overall algorithms used by the different versions.
7. DISCUSSION
An important problem in performing experiments at universities is obtaining programmers with a
realistic experience level. An experiment of this size would be extremely expensive to undertake if
professional programmers were used as the experimental subjects. Our use of students could be criticized
as being unrealistic but we point out that all of the versions were written by graduate students or by seniors
with high grade point averages, many of whom had returned to the university after having worked as
professional programmers, and all of whom would be entering the professional programming workforce at
high levels after graduation. Of the twenty seven programmers, twenty one had less than one year of
programming experience outside their degree programs, three had between two and five years, and two had
more than five years programming experience. We note that the program written for this experiment by the
most experienced real-time programmer (who has worked at the Jet Propulsion Laboratory and Oak Ridge)
contained multiple faults in common with other programs.
It could also be argued that our results are biased by the fact that the experimental subjects came
from similar backgrounds. This in fact is not the case. There is a considerable diversity of education and
experience in the students backgrounds. However, the use of two geographically separate universities also
contributes to the diversity amongst the subjects.
The twenty seven versions ranged in length from 327 to 1004 lines of code. This is much smaller
than most real-time systems which may include millions of lines of code. Since many faults occur in the
- 18 -
interconnection between components in a large modular system, results of this experiment relate only to
duplication of small pieces of a large system. It would be interesting to do a further experiment with a
larger problem. However, from a practical standpoint, economic factors would make it unlikely that many
projects could afford complete duplication or triplication of the software. A more likely alternative is that
the most critical functions will be identified and separated from the less critical functions and fault
tolerance features applied only to those components which have the greatest potential for damage in case of
failure. In this respect, the problem used in this experiment is then very realistic.
It might be argued that this experiment does not reflect realistic program development in industry and
that one million test cases does not reflect very much operational time for programs of this type. In fact,
the acceptance test is the equivalent of a very elaborate testing process for production programs of this type.
Each of our test cases represents an ‘‘unusual’’ event seen by the radar. Most of the time the radar echoes
will be identical from one scan to the next with only an occasional change due to the entry of an object into
the field of view. Producing realistic unusual events to test a production tracking program is clearly an
expensive undertaking and we feel that two hundred such events would indeed be a realistic number.
One million test cases (several hundred hours of computer time per version) corresponds to dealing
with one million unusual cases during production use. In practice once again, these one million events will
be separated by a much larger number of executions for usual events. If the program is executed once per
second and unusual events occur every ten minutes, then one million tests correspond to about twenty years
of operational use.
8. CONCLUSIONS
For the particular problem that was programmed for this experiment, we conclude that the
assumption of independence of errors that is fundamental to the analysis of N-version programming does
not hold. Using a probabilistic model based on independence, our results indicate that the model has to be
- 19 -
rejected at the 99% confidence level.
It is important to understand the meaning of this statement. First, it is conditional on the application
that we used. The result may or may not extend to other programs, we do not know. Other experiments
must be carried out to gather data similar to ours in order to be able to draw general conclusions. However,
the result does suggest that the use of N-version programming in crucial systems, where failure could
endanger human lives for example, should be deferred until further evidence is available.
中国航空网 www.aero.cn
航空翻译 www.aviation.cn
本文链接地址:
航空资料35(192)
