From: "Samuel T. Harris"
Subject: Re: Ada and Java. different behaviour. casting long to int problem.
Date: 1999/06/21
Message-ID: <376E87D3.FA9FD42C@hso.link.com>
Newsgroups: comp.lang.ada
Organization: Raytheon Training Inc.

Sera Hirasuna wrote:
>
> This is Richard Riehle appropriating time on his wife's email account.
>
> In article , Hyman Rosen wrote:
>
> The Ariane engineers, if I recall correctly, chose to use one of the
> unchecked operations. Such operations have a default of "unsafe." In
> effect, unchecked operations allow a programmer the same freedom permitted
> by C, C++, or Java, but require the same responsibility -- more, because
> the rest of the program is under the rules of the Ada language.
>

The report did not mention an unchecked_conversion. It said a conversion from integer to float. As someone mentioned waaayyy back when this thread was discussed at the outset of the report, it is common for a scaled conversion to occur. In other words, a set of integers, say 0..255, represent a collection of preassigned floating point values.
Perhaps linear or even logarithmic in scale. Converting between the integer and a float or fixed-point number is not an unchecked_conversion. Since the Ariane 5 had 4 times the thrust (if I remember this factor correctly) one can easily see an overflow or some such error being detected.

As has been said in this thread a couple of times, no feature of the language was at fault either by its usage or by its avoidance. The analysis, design, and implementation were all based on the Ariane 4 flight trajectory and performance characteristics. The practices employed are common and accepted within the industry, performed with due diligence as applied to the Ariane 4. The problem was simply one of not reverifying reused code in a new situation. Ariane 5 flight numbers were not provided. The bounds checks were not reanalyzed to confirm which were needed and which were not. No simulation tests were performed using Ariane 5 numbers. Had a single simulation test been run using Ariane 5 numbers, then the exception would have immediately clued the folks in on their problem. Simply running verification tests on the software in the new situation would have avoided the millions of dollars in cost as well as the loss of the payload.

All in all, it was a major management problem involving the reuse of code. The lesson to be learned is that reused code must be reverified against the requirements of the new situation. They cut out each and every verification step based on cost or a perception of not needing each step. Each decision may seem reasonable to most (read the report for details). The problem was that they cut out _all_ of the steps they could have taken to verify the software for the Ariane 5.

After reading the report, the only software bug I could discern was the improper interpretation of diagnostic information provided by the failed units to the central processor as _real_ attitude data. That strikes me as a design/implementation flaw.
As each of the two units got their exceptions, each unit assumed a hardware failure and provided diagnostic data to the central processor. The central processor, instead of treating the data as diagnostics, treated it as real altitude and attitude data. Since this data was garbage according to this interpretation, a huge course correction was ordered. The engine nozzles were commanded to maximum flex, causing the rocket to fly "sideways" (kind of like a car skidding on a wet road). Flying sideways is extremely stressful to the superstructure, which began to buckle. This buckling was detected by the appropriate sensors and the rocket was commanded internally to self-destruct because of the catastrophic nature of the situation. Everything after the misinterpretation of the diagnostic data went according to contingency plans built within the rocket itself.

-- 
Samuel T. Harris, Principal Engineer
Raytheon, Scientific and Technical Systems
"If you can make it, We can fake it!"
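The two points made above, a range-checked scaled conversion that fails loudly when reused outside the envelope it was built for, and a central processor that cannot mistake a unit's diagnostic output for attitude data, as an added example. This is not code from the post, the thread, or any launcher software; the scale factor, the "old" and "new" peak readings, the 4x factor and the frame layout are all constructed for illustration, and Rust's Result is used here to stand in for Ada's checked conversion raising Constraint_Error.

```rust
// Added example, not from the post or from any flight software. It models two
// points from the discussion with constructed numbers:
//   1. a range-checked scaled conversion (Ada checks these by default), re-run
//      by a simulation against an envelope four times larger than the original;
//   2. telemetry tagged as either attitude data or diagnostics, so a unit that
//      reports a fault cannot be read as a unit reporting attitude.

/// Scale factor (hypothetical): fixed-point units per unit of the reading.
pub const SCALE: f64 = 100.0;

/// Why a conversion was refused; the analogue of Ada's Constraint_Error.
#[derive(Debug, Clone, PartialEq)]
pub enum ConversionError {
    OutOfRange { input: f64, scaled: f64 },
}

/// Convert a floating-point reading into a 16-bit scaled integer with a
/// range check. An unchecked conversion would silently wrap instead.
pub fn to_scaled_i16(input: f64) -> Result<i16, ConversionError> {
    let scaled = (input * SCALE).round();
    if !scaled.is_finite() || scaled < f64::from(i16::MIN) || scaled > f64::from(i16::MAX) {
        return Err(ConversionError::OutOfRange { input, scaled });
    }
    Ok(scaled as i16) // in range, so the narrowing cast is exact
}

/// What an inertial unit sends to the central processor. The tag is the point:
/// diagnostics and attitude may share a link, but they never share a type.
#[derive(Debug, Clone, PartialEq)]
pub enum Frame {
    Attitude(i16),
    /// The unit hit an exception and reports the cause instead of data.
    Diagnostic(ConversionError),
}

/// A unit converts its reading and, on failure, switches to diagnostic output.
pub fn unit_output(reading: f64) -> Frame {
    match to_scaled_i16(reading) {
        Ok(v) => Frame::Attitude(v),
        Err(e) => Frame::Diagnostic(e),
    }
}

/// Central processor: only Attitude frames produce a steering command.
/// Returns None when the frame carries no usable attitude (log it, do not steer).
pub fn command_from(frame: &Frame) -> Option<i16> {
    match frame {
        Frame::Attitude(v) => Some(*v),
        Frame::Diagnostic(_) => None,
    }
}

/// Re-verification: sweep the conversion over a constructed flight envelope
/// from 0 to `peak` in `steps` increments and report the first failing reading.
pub fn simulate_envelope(peak: f64, steps: usize) -> Result<(), (f64, ConversionError)> {
    for i in 0..=steps {
        let reading = peak * (i as f64) / (steps as f64);
        if let Err(e) = to_scaled_i16(reading) {
            return Err((reading, e));
        }
    }
    Ok(())
}

fn main() {
    // Constructed envelopes: the old vehicle's peak fits in the field; a
    // vehicle reaching 4x that value does not, and the simulation says so
    // before anything flies.
    let old_peak = 300.0;
    let new_peak = old_peak * 4.0;
    println!("old envelope: {:?}", simulate_envelope(old_peak, 100));
    println!("new envelope: {:?}", simulate_envelope(new_peak, 100));

    // When a unit does overflow, the central processor receives a tagged
    // diagnostic rather than bits it might interpret as attitude.
    let frame = unit_output(new_peak);
    println!("frame: {:?}, command: {:?}", frame, command_from(&frame));
}
```

The sweep in `simulate_envelope` is the "single simulation test using the new numbers" the post argues would have surfaced the problem; the `Frame` enum is one way to make the diagnostic-versus-attitude distinction a type rather than a convention.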