writing safety-critical flight avionics software
I think software for avionics has a lot to teach us. In particular, modified condition/decision coverage is important.
In this case a coverage analysis of these implementations run against their tests (maybe just the main blockchain) would show the nOut >= txTmp.vout.size() branch never taken.
What avionics software doesn't teach us as much about is handling adaptively hostile input (though if your code is correct for all inputs that hostile is just a subset— but hard to be confident that you're correct for all with cryptographic constructs in the loop), nor does it so much about implementation agreement in consensus systems. I suppose avionics would tell us we need to be testing the whole network as a single system because of the inescapable tight coupling, but sadly thats not realistic.
They could have had a test for it failing in that case... and seen that it rejected the block. The coverage would be good, it would be a sensible self-consistent behavior... but not consistent with the reference implementation.
Right now because the rules logic in the reference software doesn't have any test available which achieves anything close to modified condition/decision coverage (which, in also fairly hard to measure because the code is written in C++ and does a lot of dynamic allocation and boost) it means that even if you test an alternative well you can't compare it to Bitcoind unless you test.
But there are still tests which do test _a lot_ of it, and it seems they weren't used here:
It's worth noting here that Bluematt found this behavior about a year ago. The blocktester should be testing it. I guess this indicates these alternative implementations have not been tested with the blocktester. I suppose that in and of itself is a bit more concerning then even the specific failure. On the other hand, the fact that they haven't been means we actually get an indication of their level of review which we wouldn't have gotten if the blocktester had already been run an exposed all the known-troublesome spots.
retep and gmaxwell wrote a very good summary of the most common misunderstanding about Bitcoin and its development process.
Bitcoin software isn't safety-critical, it is correctness-critical.
In this regard it is less like avionics and more like medical.
So let me use the medical analogies:
1) what bitcoin is not: it isn't a pacemaker software where a gedanken function would return {send-a-jolt,no-jolt}
2) what bitcoin is like: it is a medical test software where a gedanken function
would return {true,false,change-the-batteries}
3) you may think that you know how to "safely" map "change-the-batteries" to either "true" or "false", then consider those two functions:
3a) bool isHIVpositive(...) throw(change_batteries);
3b) bool isPregnant(...) throw(change_batteries);
Now lets switch out of the medical field and get back to Bitcoin. Imagine what would happen in May of this year if Bitcoin software had
bool ProcessBlock(...) throw(...,database_resource_exhaustion,...);
instead of the current design
bool ProcessBlock(...);
with almost every "catch()" clause plugged to "return false;".
Anyway, Bitcoin is neither avionics nor medical. Bitcoin is finacial application. In accounting when the books don't close the procedure isn't:
A) kill all accountants that said "false" and promote the one that said "true"
The SOP is:
B) keep re-auditing the books until the majority of the accountants agrees.
In the Bitcoin millieu somehow (A) became the SOP. There will be a lot of killed accountants until the (B) is adopted.