Checking procedures

A variety of causes may lead to wrong results. The chief of them are

• Machine breakdown, i.e. systematic error
• Intermittent machine error
• Wrong programmes on paper
• Wrong programmes in magnetic store, i.e. disagreeing with paper
• Finger trouble, i.e. erroneous use of controls

Measures concerning machine breakdown

Machine breakdown usually shows itself very clearly. In any case the measures against intermittent faults are also adequate for detecting most breakdowns.

Measures against intermittent error

This is one of the most serious problems about the machine, and certainly the most exasperating. Several kinds of action are taken about these errors.

(a) Before using the machine a daily sequence of test routines is run through. These are designed to try out every facility of the machine, though not in every combination: they test the storing power of individual lines of the electronic store and the magnetic transfers. All errors are counted. If each test routine will run for five minutes (say), without error the machine is pronounced serviceable.

(b) In any calculation, identities should be looked for and verified in the computation, e.g. if both the sine and the cosine of an angle have been obtained their squares should be added, and the machine stopped if the result is too far from unity.

(c) It is as well to try to divide a calculation up into parts which take sufficiently little time that the probability of an error having been made is relatively small, e.g. less than 0.2. If the calculation is then repeated and the same answer obtained it is rather strong evidence that the machine made no mistake on either occasion.

(d) It may be impracticable to take the course outlined in (c). It is then probably necessary to divide the working space of the machine into three equal parts $A$, $B$ and $C$, say, either of which would be sufficient for the job if the machine did not make errors. The computation is all done in $A$, and is divided into `bursts'. Each burst represents an attempt to get through a part of the calculation without error, and may be regarded as the computation of a function $f(A)$. One proceeds as follows

• Copy $A$ into $B$ and $C$
• Compute $f(A)$, possibly wrongly, leaving result in $A$
• Interchange $A$ and $B$
• Again compute $f(A)$, leaving result in $A$
• Compare $A$ and $B$. If there is agreement proceed to the next burst. If not copy $C$ back to $A$ and again compute $f$. If it still disagrees with $B$, copy $C$ back to $A$ [and $B$] and go back to the beginning of the work on this burst.

When the bursts are done in this way the working space is reduced three to one, and for many jobs this will be a fatal objection. Usually however it will be possible to apply the burst method more or less locally, i.e. to divide the problem up into parts which alter only a small part of the store and apply the bursts method to these parts.

(e) Certain particular programmed checks may be mentioned here. There is a check on punching in the input programme. If characters not representing numerals are punched for numerals the machine will stop. In the routine changing sequence there is an arrangement for verifying that the right new routine has been entered.

The effect of this last precaution, and of many other programmed checks is not so much to let one know that something has gone wrong, as to let one know it sufficiently early to avoid disastrous consequences (e.g. writing transfers), and to attempt some sort of diagnosis of the trouble. So serious an error as entering a wrong routine is almost certain eventually to have very noticeable effects.

Measures against wrong programmes

We have already described the process of making check sheets. If the initial conditions are carefully chosen nearly all the errors of the programme will be shown up when making the check sheets, if this is done conscientiously. One should aim at forgetting, whilst making the check sheets, both the purpose and the method of the routine: this tends to prevent one from writing down what one thinks an instruction should do, rather than what it really does. No doubt a colleague would be able to adopt the open mind better than the programmer himself, but he would be in danger of having such an open mind that he accepts everything that happens without question and goes on very far beyond the appearance of programme errors. A possible arrangement is for the programmer to make up check sheets and copy every tenth line (say) to blank sheets which can be passed to a colleague, for him to fill in the intermediate lines. The chief reasons for errors not being noticed at the check stage are

(a)

Preconceived ideas

(b)

Insufficiently many cases examined

(c)

Making alterations in the routine in the middle of the check sheet work without verifying that the earlier parts of the check sheets are unaffected. Likewise altering instructions on check sheets without also altering the routine.

(d)

Incorrect magnetic transfers.

(e)

Incorrect control transfers, particularly `failure to subtract 1' and confusion of the control transfer number with its own address.

(f)

Failure to observe all the details of subroutines. None of the instructions of a subroutine should be shown on the check sheets. The subroutine should be treated something like a single instruction, whose properties are given in the official account of the routine. A special danger is that one may not notice the lines used in the subroutine. Every such line should be noted on the check sheets in column 4.

In order to reduce the danger (b) one should at least arrange that every instruction of the programme appears somewhere on the check sheets for some case. One should also make sure that all the points of difficulty that were considered in the construction of the programmer are represented.

There are sometimes points which are liable to get through the check sheets, and correspond to exceptional cases which were not considered by the programmer. An interesting example of this occurred with the obsolete machine in connection with linear interpolation. On that machine multiplication was very much slower than other operations, and the time involved was essentially proportional to the number of digits 1 in the multiplier. For this reason it was decided to approximate $\alpha_{f+}x+(1-\alpha_{f+})y$ by $(\alpha\land\tp{//////!!})_{f+}x +(\{-(\alpha\land\tp{//////!!})_\pm\}_0^{79})_{f+}y$. This is a reasonable approximation for all values of $\alpha_{f+}$ except those less than $2^{-10}$, for which it is 0. The chance of this being detected by check sheets with random numbers is of course $2^{-10}$. It was actually detected because $\alpha_{f+}=0$ occurred in one of the cases investigated. A somewhat similar danger is that of `overrunning the capacity of a line' e.g. of applying instruction /J where ${\tt\bf A}_+ + 2^{40}{\tt\bf S}_+ > 2^{80}$ so that ${\tt\bf A}_+'\ne {\tt\bf A}_+ + 2^{40}{\tt\bf S}_+$. This danger can only be eliminated by a detailed investigation of inequalities connected with the content of store lines at various stages in the computation: this can be made to be an investigation of accuracy also, and can in fact be made to constitute a formal proof of the validity of the routine for its officially stated properties. The accurate notations introduced on pp. - are a considerable aid in doing this, but these need to be supplemented in various ways. It is necessary for instance to have a notation for the content of the accumulator. The writer uses the notation $(\alpha \beta)$ for `the content of A immediately following the instruction stored in $\alpha\beta$. Likewise $(\alpha\beta\vert)$ and $(\vert\alpha\beta)$ represent the contents of L and M at this time. But the use of such a notation implies that the investigation is restricted to a `straight sequence' of instructions without repetitions, and the notation for store line contents implies that no line is altered more than once. No entirely satisfactory system has yet been worked out, and the subject must therefore be left. It may be added however than the understanding of the theory of a routine may be greatly aided by providing at the time of construction one or two statements concerning the state of the machine at well chosen points. This was done with SUMPGA (p. ).

[Turing's last statement here is remarkably prescient -- the theory of formal program verification which has subsequently developed is largely concerned with tracing through the consequences of such things as preconditions, postconditions, and loop invariants, which are in fact statements concerning the state of the machine at well chosen points in the program.]

Measures against routines wrong in magnetic tracks

Routines may get wrong in the magnetic tracks either because the tapes have been wrongly punched, or because of a machine error or finger trouble in connection with writing transfers. There is little that can be done about the tapes but to take care in the punching and the checking of the printed form of the punched tape. These errors are not a great anxiety, for they are likely to be eliminated at the same time as genuine programme errors and are usually smaller in number and more easily found. Once a correct tape has been made it can be relied on. The contents of the tracks can be satisfactorily checked by means of the ROLCAL routine which adds up and records the contents of each of the tracks. The sums may then be compared with the anticipated values, previously obtained on some occasion when all was well.

Measures against finger trouble

We have already described `the formal mode', which should be a complete insurance against finger trouble. It is recommended that the formal mode be applied when the results are anything more than experimental.