From: KK6GM
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Mon, 14 Mar 2011 09:17:10 -0700 (PDT)
Organization: http://groups.google.com
Message-ID: <2442baf5-d53e-4e9a-bbe6-6803feead512@r19g2000prm.googlegroups.com>

On Mar 14, 8:49 am, Elias Salomão Helou Neto wrote:
> I have followed the (quite lengthy) on a topic, IIRC, about bitwise
> operators, which eventually led to people mentioning the Ariane 5
> case.
>
> Since then I have been wondering. If compiler checking were actually
> turned on, what would have happened? How could it avoid the disaster?
>
> Right now I think of three possibilities, the two former seem very
> unlikely to me.
>
> a) It would, even if the problem went undetected during testing, have
> made the developers actually develop code handling this exceptional
> possibility.
>
> b) The compiler default action for unhandled overflows would have saved the
> day;
>
> c) Developers would probably ignore the exceptional flow path and the
> disaster would happen anyway.
>
> Which one, if any, is close to reality?

To be clear, "overflow checking" was not turned off. It was, rather, left to the default handling for the conversion in question. The default handling was designed based on the assumption that anything that triggered it was due to a hardware problem.

So the two other options would have been (a) have the default handling ignore ALL range errors (really?!!), or (b) add custom exception handling to the conversion in question. In that case, what would the exception handling have done differently, and by what justification?

It really all comes back to the essential question: if variable X is known, PROVEN, to never exceed the range A..B, and suddenly it does exceed that range, what is the correct action? You can't just throw it away and read it again, since in the Ariane 5 case it would have continued to exceed its proven valid range. So what do you do?
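The two choices the reply contrasts, leaving a range-checked conversion to Ada's default handling versus adding an explicit handler, are easier to see side by side in code. The following is an added example, not code from the post or from any Ariane 5 software; the type `Bias_16`, the procedure `Range_Check_Demo`, the function names and the sample inputs are all constructed for illustration. The 16-bit range stands in for the "proven" A..B of the post; what the handler does with an out-of-range value (here it saturates and reports) is precisely the design decision the post says has to be justified somewhere.

```ada
-- Added example (not from the newsgroup post). Shows Ada's default handling
-- when a floating-point value is converted to a constrained integer type it
-- cannot represent, beside one possible explicit handler. All names are
-- hypothetical.
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Check_Demo is
   -- Hypothetical 16-bit signed range: the "proven" A..B of the discussion.
   type Bias_16 is range -32768 .. 32767;

   -- Default handling: the conversion raises Constraint_Error when the
   -- rounded value lies outside Bias_16. With no handler the exception
   -- propagates out of the subprogram to whatever the caller does with it.
   function Convert_Default (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   end Convert_Default;

   -- Explicit handler: one answer to "what do you do?". It saturates at the
   -- range limits and reports the event. Whether that is correct for a given
   -- system is the justification question the post raises; the code only
   -- shows that the choice has to be made by someone.
   function Convert_Saturating (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   exception
      when Constraint_Error =>
         Put_Line ("range error:" & Long_Float'Image (X) & " saturated");
         if X < 0.0 then
            return Bias_16'First;
         else
            return Bias_16'Last;
         end if;
   end Convert_Saturating;

   -- Constructed inputs: two in range, the last one well outside it.
   Samples : constant array (Positive range <>) of Long_Float :=
     (1234.5, -32768.0, 70000.0);
begin
   for S of Samples loop
      Put_Line (Long_Float'Image (S) & " ->" &
                Bias_16'Image (Convert_Saturating (S)));
   end loop;

   -- The default path: Convert_Default raises, and only this enclosing
   -- handler keeps the program from terminating with an unhandled exception.
   begin
      Put_Line (Bias_16'Image (Convert_Default (70000.0)));
   exception
      when Constraint_Error =>
         Put_Line ("Convert_Default raised Constraint_Error (default handling)");
   end;
end Range_Check_Demo;
```

Compile with any Ada 2012 compiler (for example `gnatmake range_check_demo.adb`). The point of the second block in the main body is that removing the surrounding handler reproduces the default behaviour: the exception leaves `Range_Check_Demo` entirely, which is the outcome the post describes as having been designed on the assumption of a hardware fault.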