From: rav@goanna.cs.rmit.edu.au (++ robin)
Subject: Re: Ariane Crash (Was: Adriane crash)
Date: 1996/07/30
Message-ID: <4tkfe5$did@goanna.cs.rmit.edu.au>
References: <4ta1vu$m1u@goanna.cs.rmit.edu.au> <4tiods$ehp@zeus.orl.mmc.com>
Organization: Comp Sci, RMIT, Melbourne, Australia
Newsgroups: comp.lang.ada,comp.lang.pl1,rmit.cs.100

rgilbert@unconfigured.xvnews.domain (Bob Gilbert) writes:

>In article <4ta1vu$m1u@goanna.cs.rmit.edu.au>, rav@goanna.cs.rmit.edu.au (++ robin) writes:
>>
>> ---Is this a euphemism for a programming error? Because that's
>> what it was -- a programming error.
>>
>> The error was in assuming that a value would not overflow.

>The error was assuming that the Ariane 4 design would be adequate
>for the Ariane 5 system.

>> The specific error was that a conversion of a double-precision
>> floating-point value (~58 significant bits) to 15 significant
>> bits caused fixed-point overflow. The conversion was not
>> checked for overflow. It should have been.

>It was checked, hence the exception and an exception handler to
>take corrective action.

---The SRI computer (& its backup) had an exception handler, to be sure, but it did not have an exception handler to take corrective action. The exception handler shut the computer down.

> Unfortunately the corrective action was
>to assume that the SRI had failed and to shut it down. The
>software performed exactly as designed.

---The software did not perform as designed. It was intended to shut down the computer only in the event of a hardware error. The software shut down the computer because of a programming error. The software performed only as written!

>> This is, after all,
>> a real-time system. It's a fundamental check that a programmer
>> experienced in real-time systems should have carried out.
>>
>> Control was then passed to the interrupt handler, which
>> shut down the system.

>Exactly as designed.

---Again, not as designed. It was designed to shut down only in the event that the SRI computer failed. Then the backup would be used.
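The conversion the thread argues over, as an added example that is not code from the original post nor from the Ariane flight software: a double-precision value narrowed to a signed 16-bit quantity (15 magnitude bits plus sign) with the range check done before the narrowing, so that an out-of-range input is reported or clamped rather than raising an unhandled exception. It is written in C rather than the Ada the thread's newsgroup concerns; the function names, the result type and the sample inputs are constructed for this illustration, and the Ariane code's own names and values are not shown on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <math.h>

/* Outcome of a checked narrowing: either a 16-bit value or an overflow flag.
 * (Constructed type for this example.) */
typedef struct {
    bool overflow;
    int16_t value;
} conv16_result;

/* Narrow a double to a signed 16-bit value, flagging overflow instead of
 * letting the out-of-range cast happen. The bounds are tested in floating
 * point, before the cast: truncation toward zero means anything strictly
 * between -32769.0 and 32768.0 fits. In C the unchecked cast of an
 * out-of-range value is undefined behaviour, which is why it is never
 * reached here. */
conv16_result to_int16_checked(double x)
{
    conv16_result r = { false, 0 };
    /* NaN compares false with everything, so it needs its own test. */
    if (isnan(x) || x >= (double)INT16_MAX + 1.0 || x <= (double)INT16_MIN - 1.0) {
        r.overflow = true;
        return r;
    }
    r.value = (int16_t)x;   /* safe: x is within the representable range */
    return r;
}

/* Saturating variant: clamp to the representable range. Whether to clamp,
 * substitute a safe value, or flag the input is a design decision for the
 * system; the point is that overflow neither propagates silently nor
 * takes the computer down. */
int16_t to_int16_saturating(double x)
{
    if (isnan(x)) return 0;
    if (x >= (double)INT16_MAX + 1.0) return INT16_MAX;
    if (x <= (double)INT16_MIN - 1.0) return INT16_MIN;
    return (int16_t)x;
}

int main(void)
{
    /* Constructed sample inputs: one in range, one well outside it. */
    const double samples[] = { 1234.5, 70000.0, -32768.9, 32768.0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        conv16_result r = to_int16_checked(samples[i]);
        if (r.overflow)
            printf("%10.1f -> overflow (saturated: %d)\n",
                   samples[i], to_int16_saturating(samples[i]));
        else
            printf("%10.1f -> %d\n", samples[i], r.value);
    }
    return 0;
}
```

The check is deliberately placed on the floating-point side of the conversion: once the cast has been attempted on an out-of-range value there is nothing left to correct, which is the situation the thread describes when it says the handler could only shut the computer down.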