Information Technology Reference
In-Depth Information
FIGURE 8.5 Illustration of a Therac-25 bug revealed by fast-typing operators. (1) The
operator finishes filling in the form. The software knows the form is filled in because the
cursor is in the lower right-hand corner of the screen. (2) The software instructs the magnets
to move into the correct positions. While the magnets are moving, the software does not
check for screen edits. (3) The operator changes the prescription from X-ray to electron
beam. (4) The operator finishes the edit, returning the cursor to the lower right-hand corner
of the screen. (5) The magnets finish moving. The software now checks the screen cursor.
Since it is in the lower right-hand corner, the program assumes there have been no edits.
conditions. In a race condition, two or more concurrent tasks share a variable, and
the order in which they read or write the value of the variable can affect the behavior
of the program. Race conditions are extremely difficult to identify and fix, because
usually the two tasks do not interfere with each other and nothing goes wrong. Only
in rare conditions will the tasks actually interfere with each other as they manipulate the
variable, causing the error to occur. We describe both of these errors to give you some
insight into how difficult they are to detect.
The accidents at the ETCC occurred because of a race condition associated with
the command screen (Figure 8.5). One task was responsible for handling keyboard
input and making changes to the command screen. A second task was responsible for
monitoring the command screen for changes and moving the magnets into position.
After the operator uses the first task to complete the prescription (1), the second task
sees the cursor in the lower right-hand corner of the screen and begins the eight-second
process of moving the magnets (2). Meanwhile, the operator sees her mistake. The first
task responds to her keystrokes and lets her change the “X” to an “E” (3). She gets the
cursor back to the lower right-hand corner before eight seconds are up (4). Now the
second task finishes moving the magnets (5). It sees the cursor in the lower right-hand
corner of the screen and incorrectly assumes the screen has not changed. The crucial
substitution of electron beam for X-ray goes unnoticed.
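The timeline above can be replayed deterministically. The following is an added example, not the Therac-25 code: it models the two tasks as timed events and compares the cursor-position check described in the text with a hardened check that compares against a snapshot. The `Screen` class, the `edits` counter, `version_check`, and the sample timings are assumptions made for illustration.

```python
from dataclasses import dataclass

MAGNET_SECONDS = 8      # magnet positioning time given in the text
HOME = "lower-right"    # cursor position the software treats as "form complete"

@dataclass
class Screen:
    mode: str
    cursor: str = HOME
    edits: int = 0      # assumption: change counter used only by the hardened check

def cursor_check(screen, snapshot):
    """Flawed check from the text: cursor at HOME is taken to mean 'no edits'."""
    return screen.cursor == HOME

def version_check(screen, snapshot):
    """Hardened check (assumed design): compare with the state the magnets were set for."""
    return (screen.mode, screen.edits) == snapshot

def setup_treatment(edit_start, edit_end, unchanged):
    """Replay the timeline; return (mode on screen, mode the hardware is set for)."""
    screen = Screen(mode="X")                    # (1) operator completes the form
    snapshot = (screen.mode, screen.edits)
    hardware = screen.mode                       # (2) magnets start moving for X-ray
    events = sorted([(edit_start, "begin_edit"), (edit_end, "end_edit"),
                     (MAGNET_SECONDS, "magnets_done")])
    for _, event in events:
        if event == "begin_edit":                # (3) cursor leaves HOME, X becomes E
            screen.cursor, screen.mode = "mode-field", "E"
            screen.edits += 1
        elif event == "end_edit":                # (4) cursor returns to HOME
            screen.cursor = HOME
        elif event == "magnets_done":            # (5) second task looks at the screen
            if not unchanged(screen, snapshot):
                hardware = screen.mode           # edit noticed: set up for the new mode
            break
    return screen.mode, hardware

if __name__ == "__main__":
    # Constructed timings: a fast edit (2s to 6s) and a slow edit (2s to 12s).
    for start, end in [(2, 6), (2, 12)]:
        for check in (cursor_check, version_check):
            shown, actual = setup_treatment(start, end, check)
            print(f"edit {start}-{end}s {check.__name__}: screen={shown} hardware={actual}")
```

Only the fast edit combined with `cursor_check` leaves the screen showing one mode while the hardware is set for the other.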
What makes this bug particularly treacherous is that it only occurs with faster, more
experienced operators. Slower operators would not be able to complete the edit and
get the cursor back to the lower right-hand corner of the screen in only eight seconds.
If the cursor happened to be anywhere else on the screen when the magnets stopped
moving, the software would check for a screen edit and there would be no overdose. It is