From: rav@goanna.cs.rmit.edu.au (++ robin)
Subject: Re: Ariane Crash (Was: Adriane crash)
Date: 1996/07/26
Message-ID: <4ta1vu$m1u@goanna.cs.rmit.edu.au>
References: <838316030.18052.0@assen.demon.co.uk>
Organization: Comp Sci, RMIT, Melbourne, Australia
Newsgroups: comp.lang.ada,comp.lang.pl1,rmit.cs.100

john@assen.demon.co.uk (John McCabe) writes:

>JOINT ESA/CNES PRESS RELEASE N 33-96 - Paris, 23 July 1996
>Ariane 501 - Presentation of Inquiry Board report
>-------------------------------------------------------------------
>Hope this is useful. So basically it _was_ a software fault

---Is this a euphemism for a programming error? Because that's what it was -- a programming error.

The error was in assuming that a value would not overflow. The specific error was that a conversion of a double-precision floating-point value (~58 significant bits) to 15 significant bits caused fixed-point overflow. The conversion was not checked for overflow. It should have been. This is, after all, a real-time system. It's a fundamental check that a programmer experienced in real-time systems should have carried out.

Control was then passed to the interrupt handler, which shut down the system.

The question is, basically, why was Ada used for this work?
PL/I has specific facilities for real-time programming, and especially for simulating exactly this (and other) exceptions -- as if the exceptions had actually occurred. The SIGNAL statement is designed for this purpose. The programmer would have discovered this problem the FIRST time he used it! And he could have included an exception handler for this and other similar kinds of trivial errors. These exception handlers would have returned control to the code.

A PL/I programmer and/or a real-time systems programmer would have OBJECTED to the stupid requirement of shutting down the system when a trivial error occurred.

>What I want to know is, who wrote that software, and if there was an
>ESA representative responsible for it, who was he!
>Not that I want to apportion blame of course, just interested!

>Best Regards
>John McCabe
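As an added illustration (not part of the post, and written in C rather than Ada or PL/I so it can be run), a range-checked conversion of a 64-bit floating-point value to a 16-bit signed integer of the kind the post says was missing, plus a handler that saturates and reports the overflow instead of halting the system; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <math.h>
#include <stdio.h>

/* Outcome of a checked narrowing conversion (names chosen for this example). */
typedef enum { CONV_OK = 0, CONV_OVERFLOW = 1, CONV_NOT_A_NUMBER = 2 } conv_status;

/* Checked conversion of a double to int16_t. The range test is done on the
 * double BEFORE any cast, because converting an out-of-range double to an
 * integer type is undefined behaviour in C (the check must come first).
 * In-range values are truncated toward zero, so any value strictly between
 * INT16_MIN - 1 and INT16_MAX + 1 is representable. On failure *out is untouched. */
conv_status to_int16_checked(double value, int16_t *out)
{
    if (isnan(value))
        return CONV_NOT_A_NUMBER;            /* NaN fails every comparison; reject explicitly */
    if (!(value > (double)INT16_MIN - 1.0 && value < (double)INT16_MAX + 1.0))
        return CONV_OVERFLOW;                /* would not fit in 16 bits */
    *out = (int16_t)value;                   /* now provably in range */
    return CONV_OK;
}

/* Handler that keeps the computation alive: on overflow, clip to the nearest
 * representable limit and flag it to the caller rather than aborting. */
int16_t to_int16_saturating(double value, bool *clipped)
{
    int16_t result = 0;
    conv_status st = to_int16_checked(value, &result);
    *clipped = (st != CONV_OK);
    if (st == CONV_OK)
        return result;
    if (st == CONV_NOT_A_NUMBER)
        return 0;                            /* policy choice for this example */
    return value > 0.0 ? INT16_MAX : INT16_MIN;
}

int main(void)
{
    /* Constructed sample inputs: one in range, one far outside it. */
    const double samples[] = { 12345.7, 1.0e6 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool clipped;
        int16_t v = to_int16_saturating(samples[i], &clipped);
        printf("%g -> %d%s\n", samples[i], v, clipped ? " (overflow, clipped)" : "");
    }
    return 0;
}
```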