Computing Reviews
Software needs seatbelts and airbags
Berger E. Communications of the ACM 55(9): 48-53, 2012. Type: Article
Date Reviewed: Oct 25 2012

Safety engineering tells us that, if the likelihood of a failure is high, one should limit the severity of its impact. In this engaging article, Berger argues that software bugs are inevitable and discusses novel strategies for limiting the damage they cause, concentrating on faults in memory management that often compromise the confidentiality and integrity of computing systems.

The article’s premise is that testing is inherently incomplete, static analysis remains limited, and logging and fixing bugs in widely deployed software is expensive and difficult. Using an analogy of safety measures deployed in automobiles, Berger describes methods for incorporating slack into memory resources to allow occasional errors such as overflows. Related strategies have been used in new releases of Microsoft Windows, markedly reducing failure rates. In addition to improved defense against memory errors, the article hints that similar strategies may be helpful in concurrency control.

One intriguing approach is the use of randomized memory allocation to reduce the likelihood that an instance of overflow will be harmful. Such a move from predictable Bohrbugs to less damaging but harder-to-track Heisenbugs sets the needs of the user against those of the debugger. Although the article discusses the possibility of dynamic defect detection and self-repairing software, the developer is not relieved of the responsibility for delivering low defect densities.
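To make the "slack plus randomization" idea from the two preceding paragraphs concrete, here is a toy experiment written for this review, not code from Berger's article or from his allocator: a fixed-size slot heap in which each slot may carry extra padding (slack) and is handed out either in order or at a random position, one object overflows its bounds, and we count how often another live object is damaged. The slot count, object size, seed and trial count are constructed values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy heap of SLOTS equal slots (an added illustration, not a real allocator).
   OBJ is what the program asks for; SLACK is padding that absorbs small overflows. */
#define SLOTS 16
#define OBJ 8
#define SLACK 8

static uint8_t heap[SLOTS * (OBJ + SLACK)];
static int used[SLOTS];

static void heap_reset(void) { memset(heap, 0, sizeof heap); memset(used, 0, sizeof used); }

/* Hand out one object. Packed: first free slot in order (neighbours are always live).
   Randomized: start the search at a random slot, so neighbours are often empty. */
static uint8_t *alloc_obj(int randomized, int slack) {
    int start = randomized ? rand() % SLOTS : 0;
    for (int i = 0; i < SLOTS; i++) {
        int s = (start + i) % SLOTS;
        if (!used[s]) { used[s] = 1; return heap + s * (OBJ + slack); }
    }
    return NULL;
}

/* One trial: fill half the heap with canary-filled objects, let objs[0] write
   'overflow' bytes past its end, and report 1 if any other object was damaged. */
static int trial(int randomized, int slack, int overflow) {
    heap_reset();
    uint8_t *objs[SLOTS / 2];
    for (int i = 0; i < SLOTS / 2; i++) {
        objs[i] = alloc_obj(randomized, slack);
        memset(objs[i], 0xAA, OBJ);          /* canary pattern */
    }
    uint8_t *buggy = objs[0];
    if (buggy + OBJ + overflow <= heap + sizeof heap) /* keep the toy heap itself in bounds */
        memset(buggy + OBJ, 0x00, overflow);          /* the bug: out-of-bounds write */
    for (int i = 1; i < SLOTS / 2; i++)
        for (int b = 0; b < OBJ; b++)
            if (objs[i][b] != 0xAA) return 1;
    return 0;
}

/* Percentage of trials in which the overflow damaged another live object.
   A fixed seed makes the randomized layouts reproducible from run to run. */
int corruption_percent(int randomized, int slack, int overflow, int trials) {
    int bad = 0;
    srand(12345);
    for (int t = 0; t < trials; t++) bad += trial(randomized, slack, overflow);
    return bad * 100 / trials;
}
```

With packed slots and no slack a one-byte overflow damages a neighbour every time; slack alone absorbs overflows up to its size, and randomization alone turns the certain failure into a probabilistic one, which is exactly the Bohrbug-to-Heisenbug trade the review describes.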

This article conveys its message with clarity and without unnecessary technical detail. Any software engineer will find it a thought-provoking contribution to the continuing debate around the cost/benefit tradeoffs that pervade systems development.

Reviewer: John S. Fitzgerald. Review #: CR140622 (1302-0110)
Testing And Debugging (D.2.5 )
Software/ Program Verification (D.2.4 )