From: Christian Bau
Organization: Insignia Solutions plc
Date: Fri, 03 Aug 2001 08:53:48 +0100
Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++,comp.lang.functional
Subject: Re: How Ada could have prevented the Red Code distributed denial of service attack.
Message-ID: <3B6A588C.B67A9CF8@isltd.insignia.com>
References: <3B687EDF.9359F3FC@mediaone.net>

Daniel Fischer wrote:

(Discussing the Ariane failure)

> According to ESA, the failure was caused by a conversion of a value from a
> 64-bit floating point representation to a 16-bit integer representation.
> There was no protection against an operand error in this place, while there
> was in others.
>
> The value was much higher than expected because the early part of the
> trajectory of Ariane 5 differs from that of Ariane 4 and results in
> considerably higher horizontal velocity values.

Since this thread is about comparing C or C++ and Ada: If the software had been written in C, C++ or Java, the result would have been a completely wrong integer result. For example, casting a value of 40000.0 to a 16-bit signed int will give a strange result of -25536. (In Java, this is defined behaviour. In C or C++ this might be undefined or implementation-defined; in practice the result will most likely be -25536.)

If it is true that this value was indeed never used, then the decision to blow up the rocket was quite unfortunate. But if the value was used, then it is obvious that this wrong value could cause very bad things to happen, so blowing up the rocket was indeed correct.

Why was there no "protection against operand errors"? In other words, why was there no code that would detect the error, take appropriate action against the error, and continue flying the rocket?

There was of course a global "protection against unanticipated operand errors": any overflow was indeed detected, and anything that comes unanticipated means that the software doesn't work as planned. Whether this is a hardware fault or a fault in some programmer's logic doesn't really matter. All you know is that something is wrong; you cannot be sure that the rocket is doing what it is supposed to do, and this is a very dangerous situation, so you blow it up. I assume that someone determined that blowing it up is the least risky thing to do, at least once it is up in the air.

I think any explicit check for this overflow and trying to handle it would have been inappropriate. It was (incorrectly) determined that an overflow could not happen, so there was no appropriate action possible. (This is assuming that the results were indeed used. If there is functionality in a rocket that is not related to its performance, like sending data to the ground, and a malfunction in this is detected, then ignoring that malfunction might be the better action.)
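The two behaviours the post contrasts, side by side, as an added C example that is not part of the original post: the unchecked float-to-int16 narrowing that silently wraps 40000.0 to -25536, next to a range-checked conversion that detects the operand error and refuses the value, which is the role Ada's Constraint_Error plays. Function and type names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of a range-checked narrowing. ok == false stands in for the
   Constraint_Error an Ada conversion would raise. (Constructed example.) */
typedef struct {
    bool    ok;
    int16_t value;
} checked_i16;

/* Unchecked path, as the post describes for C/C++/Java: narrow through a
   wide integer. The int16_t narrowing is implementation-defined in C and
   wraps modulo 2^16 on common compilers, so 40000.0 comes out as -25536. */
int16_t to_int16_unchecked(double x)
{
    long long wide = (long long)x;   /* 40000.0 -> 40000 */
    return (int16_t)wide;            /* 40000 -> -25536 (wraparound) */
}

/* Checked path: refuse the operand instead of wrapping. The integral part
   of x fits int16_t exactly when -32769 < x < 32768; NaN fails both
   comparisons and is refused as well. Only in-range values reach the cast,
   so the undefined out-of-range float-to-int conversion never happens. */
checked_i16 to_int16_checked(double x)
{
    checked_i16 r = { false, 0 };
    if (!(x > (double)INT16_MIN - 1.0 && x < (double)INT16_MAX + 1.0))
        return r;                    /* operand error detected */
    r.ok = true;
    r.value = (int16_t)x;            /* truncates toward zero, as C does */
    return r;
}

int main(void)
{
    double v = 40000.0;              /* "much higher than expected" */
    checked_i16 c = to_int16_checked(v);
    printf("unchecked: %d\n", to_int16_unchecked(v));
    printf("checked:   %s\n", c.ok ? "ok" : "operand error, value refused");
    return 0;
}
```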