From: "robin"
Newsgroups: comp.lang.ada
References: <4d80b13f$0$43832$c30e37c6@exi-reader.telstra.net>
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Thu, 17 Mar 2011 23:39:34 +1100
Message-ID: <4d8200ce$0$43837$c30e37c6@exi-reader.telstra.net>

Simon Wright wrote in message ...

> "robin" writes:
>
>> Anyone competent in real-time programming would never have let the
>> software go with unhandled overflow, because such an event would
>> result in failure of the mission.
>
> The engineers, being competent in tightly-constrained real-time
> programming, found that installing exception handlers cost CPU cycles
> they could not afford, so looked at all the potential overflow sites and
> found that _this_ one could only occur if there was a hardware
> failure.

Nonsense. The Full Report says nothing of the kind.

> Even if they had installed an exception handler, the only
> proper response would have been to shut down this node and hand over to
> the alternate;

No, the exception handler could have done something sensible, such as using the maximum integer value, thus allowing the trajectory to continue. Better still would have been to include a magnitude test in the code that avoided the need for an error handler.

> and this was the action that would result from not having
> an exception handler in the first place. So, after considerable thought,
> they decided against having an exception handler.

There were 7 places in the code in the vicinity where overflow could occur. Four were chosen for protection, but three were not. That was the fatal flaw.
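An added illustration, not code from this thread or from the Ariane 5 software, of the two remedies robin describes: an exception handler that substitutes the maximum integer value, beside a magnitude test that removes the need for a handler. The integer and float types, and the sample inputs, are assumptions standing in for the flight code's own.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Saturating_Convert is
   -- Hypothetical types; the thread does not show the real ones.
   type Int16 is range -2**15 .. 2**15 - 1;
   type Float64 is digits 15;

   -- Variant 1: the conversion may raise Constraint_Error on overflow.
   -- The handler clamps to the nearest limit instead of letting the
   -- exception propagate and take the node down.
   function Convert_Handled (X : Float64) return Int16 is
   begin
      return Int16 (X);
   exception
      when Constraint_Error =>
         if X < 0.0 then
            return Int16'First;
         else
            return Int16'Last;
         end if;
   end Convert_Handled;

   -- Variant 2: test the magnitude first so the conversion can never
   -- raise; no handler, hence no handler cost on the hot path.
   function Convert_Checked (X : Float64) return Int16 is
   begin
      if X >= Float64 (Int16'Last) then
         return Int16'Last;
      elsif X <= Float64 (Int16'First) then
         return Int16'First;
      else
         return Int16 (X);   -- |X| < 2**15, so rounding stays in range
      end if;
   end Convert_Checked;

   -- Constructed sample inputs: in range, near the limit, over, far under.
   Samples : constant array (1 .. 4) of Float64 :=
     (123.4, 32767.4, 40000.0, -1.0e9);
begin
   for I in Samples'Range loop
      Put_Line (Float64'Image (Samples (I)) & " ->"
                & Int16'Image (Convert_Handled (Samples (I))) & " /"
                & Int16'Image (Convert_Checked (Samples (I))));
   end loop;
end Saturating_Convert;
```

Both variants yield the same clamped values for these inputs; the difference is that the second never raises, so it costs nothing beyond two comparisons and needs no handler frame.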