9 Comments(s). 1 Pages(s). Showing page 1. [ 1 ]

   #9. Posted at 12:42 PM on Dec 14th 2000

#9 -- that will definitely give you more reliable software (and hardware, if you adopt a similar methodology for it) than what we have now.

It will also lengthen development times and costs. What I keep saying is that the market won't accept that.

And even if you develop a system like that, I think the present level of complexity is great enough that you'd still have the occasional unforeseen problem. W2K is what, 40M lines of bloat? I'm not sure you can debug that in polynomial time...

   #8. Posted at 05:14 PM on Dec 13th 2000

There is a practical way: very thorough program design coupled with modularization, testing of modules, then finally a step-by-step integration of modules.

   #7. Posted at 04:49 AM on Dec 13th 2000

Yep. With a budget of $35 million a year and only 420 thousand lines of code to support -- spread over 260 people -- and being used on a manned spacecraft, it better be perfect. Note that it also runs on extremely antiquated hardware. Did you know the astronauts have HP programmable calculators stuck strategically around the cabin, because they're more capable than the Shuttle computer system? :)

OTOH, Galileo's computer has crashed several times. So has NEAR Shoemaker's, presently in orbit around the asteroid Eros. Clementine's computer crashed badly enough that it never turned off the thruster it turned on, and the spacecraft ran out of fuel. The first Ariane 5 was lost because of a software error; the Mars Polar Lander probably crashed because of an unchecked register. And on, and on...

Anyway, I can't argue: the Shuttle's software is good. It does support what I said earlier, though -- it was written at an incredible price, one which isn't scaleable to today's business hardware and software. W2K has something like 100 times that volume of code -- but no one could afford to pay $3.5 billion a year to support it, and even that figure's not high enough: it's much more than 100 times more complex than Shuttle's, because each new line of code can interact with all the pre-existing code as well as with each of the other new lines of code. There's no practical way to completely debug it -- and it will be replaced by something much more complex in a few years.

Good link, though.

   #6. Posted at 12:54 AM on Dec 13th 2000

Yet the spacecraft computers still crash.

Check out this article on the space shuttle software:
http://www.fastcompany.com/online/06/writestuff.html

An excerpt:
But how much work the software does is not what makes it remarkable. What makes it remarkable is how well the software works. This software never crashes. It never needs to be re-booted. This software is bug-free. It is perfect, as perfect as human beings have achieved. Consider these stats: the last three versions of the program -- each 420,000 lines long -- had just one error each. The last 11 versions of this software had a total of 17 errors. Commercial programs of equivalent complexity would have 5,000 errors.

   #5. Posted at 11:53 PM on Dec 12th 2000

Veritas, I recognize the process you're describing: I work as a consultant in the aerospace industry, and see some of what they do by way of computer hardware/software development (although I don't work directly with that myself).

NASA in particular is rigorous this way; that's why spacecraft use i386's instead of PIII's -- it takes forever to actually demonstrate the reliability of a part (well, and then there's radiation-hardening... but that's only part of the issue).

But even with this rigor, they don't develop stuff with a reliability of 1.0 (perfection, in other words); they get something like R = 0.9985 or 0.99932, or whatever meets the spec. Even for manned spacecraft, overall (system) reliability is no better than "three nines" in most cases; the computers and software are of course better than that, because they're only part of the whole. But every "nine" in the reliability costs at least a factor of ten more than the previous one.

My point is that this is taking place with i386 and just recently with i486 CPUs; I can't imagine that mission-critical servers, 'net servers, or heavily-used data servers are going to go back to those low-end parts. Nor are they going to run software as simple as what NASA flies on spacecraft.

Yet the spacecraft computers still crash.

We can get better than Win9x (hell, I'm there already with W2K), but getting a lot better is going to be expensive. Getting perfect is impossible.
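The arithmetic behind the reliability remark in the post above (a system of parts in series is no more reliable than the product of its parts, so to reach "three nines" overall each part must be better than that) as an added Python example; it is not code from the thread, and the component figures are constructed for illustration, not numbers from any spacecraft.

```python
from math import log10, prod

# Constructed component reliabilities for one mission window (illustrative only).
# Each is individually better than 0.999, yet the whole is not.
COMPONENTS = {
    "hardware": 0.9995,
    "software": 0.99992,
    "power": 0.9990,
    "comms": 0.9985,
}


def series_reliability(rs):
    """Reliability of a system that needs every component to work: the product
    of the component reliabilities (independence assumed)."""
    return prod(rs)


def nines(r):
    """How many leading nines a reliability figure has: 0.999 -> 3.0, 0.9985 -> ~2.82."""
    return -log10(1.0 - r)


def required_component_reliability(target, n):
    """Reliability each of n equal series components must reach so the system
    meets `target`; this is why the parts must beat the system-level spec."""
    return target ** (1.0 / n)


if __name__ == "__main__":
    system = series_reliability(COMPONENTS.values())
    print(f"system reliability: {system:.5f} ({nines(system):.2f} nines)")
    need = required_component_reliability(0.999, len(COMPONENTS))
    print(f"each of {len(COMPONENTS)} parts needs R >= {need:.5f} for three nines overall")
```

With the constructed figures the four parts multiply out to about 0.9969, under three nines, even though every part on its own is above 0.999; to land the system at 0.999 each of four equal parts has to be at roughly 0.99975.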

   #4. Posted at 11:10 PM on Dec 12th 2000

I have to agree with TwoFer. We will never see something that is completely crashproof. However, I do not doubt that it is possible to develop a system that is relatively stable compared to what we have today.

In order to achieve something like this I think 3 things really need to occur. First, formal specification would have to be a way of life for the software industry. Formal specification is a software development process that uses rigorous mathematics to essentially prove that a piece of software will behave as it is designed to. Second, the hardware industry will have to become more adamant about not allowing engineering estimations to creep into final products. What I mean by this is that when a hardware product is in the initial design phase, shortcut techniques are used to show that, for example, an amplifier will work in a certain way. While this estimation is close enough, a build-up of estimated values in a design can lead to serious problems. I have a feeling that many of the circuits designed using these estimation techniques are never refined using more accurate equations and thus lead to instability in the system. I say this from experience when I am in a hurry to get homework done in my microelectronics class. I use the quick estimation technique to get close to the right answer so that the grader will count it right, but I don't go back and refine it to the exact theoretical value. The final requirement for a crashproof system would need to include a closed set of software and hardware, for obvious reasons.

   #3. Posted at 08:24 PM on Dec 12th 2000

There are two huge "ifs" in your statement, though:

There are hardware standards. Microsoft has been trying to force their hardware standard on us for years: remember PC98, PC99, and so on? And there's the standard for IDE, for SCSI, etc. -- just because there's a standard doesn't mean everyone (even well-intentioned manufacturers) are going to exactly follow it.

There's just too much stuff we want to stick into these boxen, too short a development cycle, and too many people who make it -- and remember, it's fiercely competitive, and testing all this stuff for compatibility is hugely expensive, so guess what gets shorted...

There are also software standards. Everything I said goes for this, in spades: even Microsoft can't seem to follow their own rules, and they wrote 'em!

I understand what you're saying, dissonance -- but what I'm saying is that this will never happen. The ever-increasing complexity of the software and hardware, and the resulting interactions which aren't foreseeable (and therefore testable), is going to prevent it. There's not enough money in the world to do that, and people aren't going to be restricted in their choice of hardware and software -- that's how we got here to begin with, isn't it? Remember IBM clones?

The almighty dollar rules. We get what we pay for, and we refuse to pay for "crashproof."

NASA already has the closest thing to crashproof computers, because they use antique technology and keep their software simple and then test the holy hell out of it. And it's still not crashproof, because of the complexity... and this will only get worse with complexity, not better.

   #2. Posted at 08:03 PM on Dec 12th 2000

Originally Posted by dissonance
I dunno, look at consoles... while I don't have a lot of experience with them I assume that on a closed platform they don't crash often, if at all. If they could develop a hardware standard for all machines and only run approved software one would think that they could come up with something crashproof.

   #1. Posted at 07:59 PM on Dec 12th 2000

The more I work and play with computers (and thereby learn more about them and how they work), the more it amazes me that they work at all. These things are astoundingly complex, and getting more complex (but cheaper!) all the time.

I simply can't believe they can be made not to crash. More reliable, yes -- crashproof, no.