From: David Starr
Subject: Re: Ariane-5: can you clarify? (Re: Please do not start a language war)
Date: 1997/03/25
Message-ID: <3337F130.7E8A@analog.com>#1/1
References: <332B5495.167EB0E7@eiffel.com>
Organization: Analog Devices
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.lang.ada

I say the crash was caused by the requirement for the inertial nav software to shut down and enter hardware test mode upon exception. In other words, the program did what it was asked to do, and it was asked to destroy the rocket upon any kind of unforeseen problem. Be careful what you ask for, you might get it.

If the inertial nav software had been required to press on regardless there is an excellent chance the mission would have flown. I don't think a clever programming language could be so good as to guarantee no exceptions ever. The software was required to shut down upon exception. It got an exception and it shut down.

David Starr

Nick Leaton wrote:
> > > I would however be interested in a discussion on how exceptions should
> > > be handled.
> > >
> > > 1) Report and fail
> > > 2) Have logic. In the Ariane case, just shut down the SRI after launch
> > > 3) Fix and retry - could just be wait and retry
> > > 4) Try method B
> > >
> > > Are there any others?
> >
> > I wouldn't recommend #2 in the Ariane 5 case, since that is exactly what
> > the SRI did in response to the exception!!!!!
> >
> > In reality, there is no "one size fits all" response to exceptions. Each
> > case must be analyzed separately - which is part of what makes writing
> > good assertions so difficult.
>
> You misunderstand me, probably because 2) is not as explicit as I
> originally intended.
>
> SRI raises exception.
> Exception handler receives exception.
> Exception handler checks launch status and finds out that
> the rocket is launched. Since SRI is used for alignment, it is
> now redundant so can be shutdown/ignored.
>
> --
>
> Nick
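
The two policies argued over in this thread, side by side, as an added example that is not part of either poster's message: "shut down on any exception" versus a handler that checks launch status and drops only the alignment task once in flight. The `Sri` class, the `fly` helper, the policy names and the int16 overflow used as the fault are all hypothetical stand-ins constructed for illustration.

```python
import struct
from enum import Enum

class Phase(Enum):
    PRE_LAUNCH = 1
    IN_FLIGHT = 2

class Sri:
    """Toy unit with an alignment task and a navigation output (constructed)."""
    def __init__(self, policy):
        self.policy = policy              # "shutdown" or "mode_aware"
        self.alignment_enabled = True
        self.operational = True
        self.log = []

    def _align(self, bias):
        # Constructed fault source: struct.error if bias does not fit int16.
        struct.pack(">h", int(bias))

    def _handle(self, phase):
        if self.policy == "mode_aware" and phase is Phase.IN_FLIGHT:
            # Alignment is redundant after launch: drop the task, keep output.
            self.alignment_enabled = False
            self.log.append("alignment disabled in flight")
        else:
            # Report and fail: the unit stops producing attitude data.
            self.operational = False
            self.log.append("unit shut down")

    def step(self, phase, bias, attitude):
        """Run one cycle; return the attitude, or None once the unit is down."""
        if self.operational and self.alignment_enabled:
            try:
                self._align(bias)
            except struct.error:
                self._handle(phase)
        return attitude if self.operational else None

# Constructed samples: (phase, alignment bias, attitude); the third overflows.
SAMPLES = [
    (Phase.PRE_LAUNCH, 120.0, 0.0),
    (Phase.IN_FLIGHT, 900.0, 1.5),
    (Phase.IN_FLIGHT, 40000.0, 3.0),
    (Phase.IN_FLIGHT, 52000.0, 4.5),
]

def fly(policy, samples=SAMPLES):
    sri = Sri(policy)
    return [sri.step(*s) for s in samples], sri.log
```

Under the mode-aware policy the same fault before launch still shuts the unit down, since alignment is needed at that point.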