Re: Ariane 5 - not an exception?

[Steve O'Neill <smoneill@sanders.lockheed.com>]

++ robin wrote:
I previously said:
>         > So they set about picking
>         >> and choosing which conversions to protect.
> 

to which ++ robin replied:
> ---This doesn't sppear specifically in the report as regards
> this conversion and the 2 others in the vicinity.  There's
> the impliciation that these conversions were overlooked.
> In any case, the test would have introduced a trivial
> number of additional instructions.

Well, here's what the report said:
"It has been state that to the Board that not all of the conversions 
were protected because a maximum workload target of 80% had been set for 
the SRI computer.  To determine the vulnerability of unprotected code, 
an analysis was performed on every operation which could give rise to an 
exception, including an Operand Error.  In particular, the conversion of 
floating point values to integers was analysed and operations involving 
seven variables were at risk of leading to an Operand Error.  This led 
to protection being added to four of the variables, evidence of which 
appears in the Ada code.  However, three of the variables were left 
unprotected.  No reference to justification of this decision was found 
directly in the source code.  Given the large amount of documentation 
associated with any industrial application, the assumption, was 
essentially obscured, though not deliberately, from any external review.

The reason for the three remaining variables, including the one denoting 
horizontal bias, being unprotectedwas that further reasoning indicated 
that they were either physically limited or that there was a large margin 
of safety, a reasoning which in the case of the variable BH turned out to 
be faulty.  It is important to note that the decision to protect certain 
variables but not others was taken jointly by project partners at several 
contractual levels."

So, what this tells us is that they did what they thought was a thorough 
analysis and consciously made the decision to leave 3 variables 
unprotected.  An that this was not a unilateral decision.  I'm not 
saying that this whole approach made sense.  What I am saying is that 
this scenario is independent of the language used.  

Yes, in hindsight, it would have been much easier to add a couple lines 
of code even if it did cost 0.01% of that margin?

and ++robin continues to profess:
> 
> ---As I stated, a PL/I programmer experienced in real-time
> programming, would not have made this stupid mistake.
> 

And with this point I will continue to disagree. I guess that I need to 
learn PL/I since it obviously automatically endows people with god-like 
powers of reasoning that makes it impossible for them to build flawed 
systems.  Wow, I wonder if NASA and the FAA know this?! ;)

++robin> ---You do not appear to have grounds for this opinion.

Well, everyone has grounds for their opinions - it's called belief and 
it's mostly based on their experiences.  My experiences obviously differ 
from yours therefore we have different opinions.  Probably neither mine 
nor yours is entirely right or entirely wrong.

And with that I think I'll stop my participation in this thread.

-- 
Steve O'Neill                      | "No,no,no, don't tug on that!
Sanders, A Lockheed Martin Company |  You never know what it might
smoneill@sanders.lockheed.com      |  be attached to." 
(603) 885-8774  fax: (603) 885-4071|    Buckaroo Banzai