From: "robin"
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Wed, 16 Mar 2011 21:33:20 +1100
Message-ID: <4d80b13f$0$43832$c30e37c6@exi-reader.telstra.net>

Elias Salomão Helou Neto wrote in message ...
>I have followed the (quite lengthy) on a topic, IIRC, about bitwise
>operators, which eventually led to people mentioning the Ariane 5
>case.
>
>Since then I have been wondering. If compiler checking were actually
>turned on, what would have happened? How could it avoid the disaster?

You mean, what if a user-supplied error handler had been provided?

To understand what that might have done, it is necessary to look at
what happened.

An integer overflow occurred. It was not caught by a user-written error
handler. For such an event, the OS was required to place the error
number on the data bus, and shut down the computer. The assumption was
that any such error was a hardware error, and that the backup computer
would then continue correctly.

Because the backup computer was programmed to do exactly the same thing,
a very short time later, it also shut down [because the error was not a
hardware error]. The error number on the data bus was then taken as
guidance data, and the result was a catastrophic change of direction.

Thus, had an error handler been provided, the data bus would not have
had an error number placed on it, and that error number would not have
been taken as guidance data.

>Right now I think of three possibilities, the two former seem very
>unlikely to me.
>
>a) It would, even if the problem went undetected during testing, have
>made the developers actually develop code handling this exceptional
>possibility.
>
>b) The compiler default action for unhandled overflows would have saved
>the day;

It didn't and couldn't. What was required was an error handler.

>c) Developers would probably ignore the exceptional flow path and the
>disaster would happen anyway.

Anyone competent in real-time programming would never have let the
software go with unhandled overflow, because such an event would result
in failure of the mission.

>Which one, if any, is close to reality?
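The two paths the post contrasts, as an added Ada example that is not part of the thread and not the Ariane 5 flight code: the same narrowing conversion once without a local handler, so Constraint_Error escapes to the top level (the "OS shuts the unit down" path), and once with a handler that saturates and keeps running. The type Bias_16, the procedure and function names and the sample inputs are all constructed for illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Overflow_Demo is
   --  Constructed stand-in for the narrowing that overflowed: a wide
   --  floating-point value converted to a 16-bit signed integer.
   type Bias_16 is range -32768 .. 32767;

   --  Constructed sample inputs; the second is deliberately out of range.
   Inputs : constant array (1 .. 2) of Long_Float := (1234.5, 70000.0);

   --  Narrowing with no local handler: with checks on, an out-of-range
   --  value raises Constraint_Error, which propagates to the caller.
   function Narrow_Unhandled (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   end Narrow_Unhandled;

   --  Same narrowing with a user-written handler: saturate and continue,
   --  so the exception never reaches the level that stops the unit.
   function Narrow_Handled (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   exception
      when Constraint_Error =>
         if X > 0.0 then
            return Bias_16'Last;
         else
            return Bias_16'First;
         end if;
   end Narrow_Handled;
begin
   --  Handled path: both inputs produce a usable value.
   for I in Inputs'Range loop
      Put_Line ("handled   : " & Bias_16'Image (Narrow_Handled (Inputs (I))));
   end loop;

   --  Unhandled path: the second input aborts the loop entirely.
   for I in Inputs'Range loop
      Put_Line ("unhandled : " & Bias_16'Image (Narrow_Unhandled (Inputs (I))));
   end loop;
exception
   when Constraint_Error =>
      --  Stand-in for the "no user handler" outcome described in the post:
      --  control has left the conversion and the program stops here.
      Put_Line ("unhandled Constraint_Error reached top level: unit shut down");
end Overflow_Demo;
```

Compile with range checks enabled (GNAT's default) to see the second loop stop at 70000.0 while the first loop completes.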