Abstract

An acceptability envelope is a region of imperfect but acceptable software systems surrounding a given perfect system. Explicitly targeting the acceptability envelope during development (rather than attempting to minimize the number of errors, as is the current practice) has several potential benefits. Specifically, leaving acceptable errors in the system eliminates the risks and costs associated with attempting to repair the errors; investing fewer resources in less critical regions of the program and more resources in more critical regions may increase acceptability and reduce the overall investment of development resources.

To realize these benefits, the acceptability envelope must be both sizable and accessible. We present several case studies that explore the acceptability envelopes of the Pine email client and the SurePlayer MPEG decoder. These studies show that both Pine and SurePlayer can tolerate the addition of many off-by-one errors without producing unacceptable behavior. This result suggests that current systems may be overengineered in the sense that they can tolerate many more errors than they currently contain.

Our SurePlayer case study also shows that SurePlayer has unforgiving regions of code that must be close to perfect for the system to function at all. To effectively exploit the acceptability envelope, developers must be able to distinguish forgiving and unforgiving regions so that they can appropriately prioritize their development effort. In SurePlayer, the unforgiving regions occur in code that uses metadata to parse the input stream; the forgiving regions tend to access the data within each image. This result suggests that developers may be able to use relatively simple indicators to effectively prioritize their development effort.