From: Ken Garlington
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/24
Message-ID: <3336C971.5A7F@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com> <332D113B.4A64@calfp.co.uk> <5gl1f5$a26$2@quasar.dimensional.com> <332E8D5D.400F@calfp.co.uk> <5gnttg$jkc$1@quasar.dimensional.com> <5gp3hd$i0l@mulga.cs.mu.OZ.AU> <5gqtve$1ol@gcsin3.geccs.gecm.com>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

Paul Johnson wrote:
>
> Yes, but this doesn't help. Sure, the range limit is in the interface
> to the conversion routine, but there is no way (other than comments)
> to propagate that limit into the interfaces of its callers, and no
> methodological rule that says you should.

> The point about Eiffel is not merely that it has the syntax to express
> these limits, but that it also has the rules and "programmer culture"
> that causes these mechanisms to be used routinely.

Then why is Design by Contract needed, if Eiffel is its own methodology?

> This might well
> have caused the limit in question to be documented at a high enough level
> to have been noticed by whoever it was that decided to re-use the Ariane
> 4 inertial guidance system. It's not certain, but it's a lot more likely.
>
> The report said that the limits *were* documented (commented I think)
> in the code, but this was essentially invisible to any kind of management
> oversight.

Actually, it says the exact OPPOSITE:

"No reference to justification of this decision was found directly in the
source code... It is important to note that the decision to protect certain
variables but not others was taken jointly by project partners at several
contractual levels."

> Had the limitation been propagated to a high level interface
> then its more likely that someone would have noticed.
>
> Having said that, I must admit that this exception was caused by a high
> horizontal speed sensed by the unit, rather than external data which
> violated preconditions. Hence the restriction would not have appeared
> at the API level for the sensor.
>
> Paul.
>
> --
> Paul Johnson | GEC-Marconi Ltd is not responsible for my
>             | opinions.
> +44 1245 242244
> +-----------+-----------------------------------------+
> Work:       | You are lost in a twisty maze of little
> Home:       | standards, all different.

--
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com
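The exchange above turns on one mechanical point: a range limit stated as a precondition on a conversion routine is visible only at that routine's interface unless each caller restates it in its own interface. The following is an added illustration, not code from either poster, the Ariane report, or any Eiffel library. It emulates an Eiffel-style `require` clause in Python with a small decorator (the decorator, the `__contracts__` attribute, the function names and the sample numbers are all constructed for this example and are not the real Ariane values). `float_to_int16` carries the 16-bit range limit; one caller leaves that limit buried inside the callee, the other propagates it to its own interface, so a reviewer listing the contracts of the top-level routine sees the constraint without reading its body.

```python
"""Emulating Eiffel 'require' preconditions to show why a callee's range
limit has to be restated at each caller's interface (constructed example)."""
from functools import wraps


class PreconditionViolated(Exception):
    """Raised when a caller breaks a routine's stated precondition."""


def require(label, predicate):
    """Attach a precondition to a function, Eiffel 'require' style.

    The predicate receives the same arguments as the function. The label is
    recorded on the function (constructed __contracts__ attribute) so the
    contract can be listed at the interface without opening the body.
    """
    def decorate(fn):
        @wraps(fn)
        def checked(*args, **kwargs):
            if not predicate(*args, **kwargs):
                raise PreconditionViolated(
                    f"{fn.__name__}: require {label!r} violated")
            return fn(*args, **kwargs)
        # Stacked decorators accumulate their labels, outermost first.
        checked.__contracts__ = [label] + list(getattr(fn, "__contracts__", []))
        return checked
    return decorate


INT16_MIN, INT16_MAX = -32768, 32767


@require("value in 16-bit signed range",
         lambda value: INT16_MIN <= value <= INT16_MAX)
def float_to_int16(value):
    """Convert a float to a 16-bit signed integer (truncating)."""
    return int(value)


def horizontal_bias_unpropagated(velocity, gain):
    """The limit lives only inside float_to_int16; nothing at this
    interface tells a caller or reviewer that velocity * gain is bounded."""
    return float_to_int16(velocity * gain)


@require("velocity * gain in 16-bit signed range",
         lambda velocity, gain: INT16_MIN <= velocity * gain <= INT16_MAX)
def horizontal_bias_propagated(velocity, gain):
    """Same computation, but the callee's limit is restated here, so it is
    part of this routine's published contract."""
    return float_to_int16(velocity * gain)


def list_contracts(fn):
    """Preconditions visible at fn's interface, without reading its body."""
    return list(getattr(fn, "__contracts__", []))


def safe_call(fn, *args):
    """Return (ok, result) or (False, message naming where the check fired)."""
    try:
        return True, fn(*args)
    except PreconditionViolated as exc:
        return False, str(exc)


if __name__ == "__main__":
    for fn in (horizontal_bias_unpropagated, horizontal_bias_propagated):
        print(fn.__name__, "contracts:", list_contracts(fn))
        # Constructed inputs: 30 * 20 fits, 300 * 200 = 60000 does not.
        print("  in range :", safe_call(fn, 30.0, 20.0))
        print("  overflow :", safe_call(fn, 300.0, 200.0))
```

Running it shows the difference in where the failure surfaces: with the unpropagated caller the violation is reported from inside `float_to_int16`, two levels below the interface anyone reviewing the caller would read, while the propagated caller reports it at its own boundary and lists the bound in `list_contracts`. Neither version silently produces a wrong 16-bit value, but only the second makes the limit reviewable from the outside.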