From: paul.johnson@gecm.com (Paul Johnson)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/17
Date: 1997-03-17T00:00:00+00:00 [thread overview]
Message-ID: <5gj0id$2g7@miranda.gmrc.gecm.com> (raw)
In-Reply-To: tz8ohcjv7cc.fsf@aimnet.com
In article <tz8ohcjv7cc.fsf@aimnet.com>, nouser@nohost.nodomain says...
>What was required here was a simple check that a function argument was
>within a certain range. That check could have been expressed as an
>Ada type declaration and checked by the compiler at compile time, or
>as a runtime assertion/check.
The whole point of Eiffel is that the assertions are more than just a
run-time check. In fact the run-time checking is the least important
aspect of Eiffel assertions. Far more important are the self-documenting
aspects. This is where Ada misses out: the fatal exception occured
because the limitations were not properly documented.
>The design team apparently decided that
>either approach was too costly in terms of design or speed and instead
>opted for leaving the code unsafe and documenting the conditions under
>which the function could be used safely.
They did this by commenting the code, rather than writing it into the
documentation. Furthermore the exception occured (as I understand it)
because the compiler included explicit range checks in the compiled code,
and the programmers had opted not to include manual range checking and
limiting because of CPU limits. In other words they had a choice between
checking it once or twice (redundantly), and the single check option had
catastrophic consequences. The important thing is that neither of these
checks were actually very useful at run-time. The real cause of the
Arianne 5 failure was the policy that any exception be treated as fatal
while identical software was used on both inertial guidence units. Hence
any bug that caused an exception would inevitably lead to self-destruction.
In practice, due to the time at which the exception occured it would have
been better to continue processing because the results in question were not
actually being used. However if they had been in use then its difficult
to see how any kind of run-time checking could have helped: range limiting
only ensures that the wrong results are produced, and this would have been
as fatal as the exception.
[On annotation and documentation]
>And if the programmer culture on a project is such that
>they don't use Ada assertions, why would they use Eiffel
>preconditions?
Because Ada assertions don't form part of the documentation. Eiffel
assertions do. So by writing one piece of code you get both benefits.
Furthermore the "Eiffel culture" is very different to the "Ada culture".
In Eiffel the external assertions are seen as a key component of the
software, while in Ada they are just an optional extra.
> The exception was due to a floating-point error: a conversion from a
> 64-bit integer to a 16-bit unsigned integer, which should only have
> been applied to a number less than 2^16, was erroneously applied to a
> greater number, representing the "horizontal bias" of the flight.
> There was no explicit exception handler to catch the exception, so it
> followed the usual fate of uncaught exceptions and crashed the entire
> software, hence the on-board computers, hence the mission.
>I don't understand these statements at all.
Bertrand is accurately paraphrasing the published report, except for one
point: there was a high-level policy in the Arianne programme that any
exception should cause the shutdown of whatever unit of hardware it
occured in. The assumption seems to have been that the software was
perfect, and so any exception must indicate a hardware flaw. Therefore
the correct thing to do with an exception is to shut down and let the
backup unit take over. Unfortunately the backup in this case was running
exactly the same software and was receiving basically the same data.
Hence they crashed within a fraction of a second of each other.
There was no exception handler: the exception error message was actually
dumped onto the system bus and interpreted by the guidance mechanism as
real data. This would have probably destroyed the rocket anyway, but
the fact that both inertial sensors went permanently down made it
inevitable.
Paul.
--
Paul Johnson | GEC-Marconi Ltd is not responsible for my opinions. |
+44 1245 242244 +-----------+-----------------------------------------+
Work: <paul.johnson@gecm.com> | You are lost in a twisty maze of little
Home: <Paul@treetop.demon.co.uk> | standards, all different.
next prev parent reply other threads:[~1997-03-17 0:00 UTC|newest]
Thread overview: 254+ messages / expand[flat|nested] mbox.gz Atom feed top
1997-03-15 0:00 Papers on the Ariane-5 crash and Design by Contract Bertrand Meyer
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Jon S Anthony
1997-03-19 0:00 ` Papers on the Ariane-5 crash and Design by Contract Chris Brand
[not found] ` <tz8ohcjv7cc.fsf@aimnet.com>
1997-03-16 0:00 ` Robert Dewar
1997-03-17 0:00 ` Please do not start a language war (was " Jean-Marc Jezequel
[not found] ` <tz8913l930b.fsf_-_@aimnet.com>
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war Roedy Green
1997-03-18 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Gavin Collings
1997-03-18 0:00 ` Please do not start a language war (was Re: Papers on the Ariane-5 crash and Design by Contract Ken Garlington
[not found] ` <199703190839.JAA02652@stormbringer.irisa.fr>
1997-03-19 0:00 ` Ken Garlington
1997-03-20 0:00 ` Roger T.
1997-03-21 0:00 ` Jean-Marc Jezequel
1997-03-24 0:00 ` Ken Garlington
1997-03-21 0:00 ` Ken Garlington
1997-03-20 0:00 ` Robert S. White
1997-03-20 0:00 ` John L. Ahrens
1997-03-20 0:00 ` Martin Tom Brown
1997-03-21 0:00 ` Wolfgang Gellerich
1997-03-21 0:00 ` Robert S. White
1997-03-19 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Richard Kaiser
1997-03-21 0:00 ` Ken Garlington
1997-03-21 0:00 ` Jean-Marc Jezequel
1997-03-25 0:00 ` Ken Garlington
1997-03-26 0:00 ` Trust but verify " Robert S. White
1997-03-25 0:00 ` Bertrand Meyer
1997-03-26 0:00 ` Robb Nebbe
1997-03-27 0:00 ` Ken Garlington
1997-03-28 0:00 ` Karel Th�nissen
1997-03-28 0:00 ` Ken Garlington
1997-04-07 0:00 ` Jean-Marc Jezequel
1997-03-28 0:00 ` Jeffrey W. Stulin
1997-03-31 0:00 ` Ken Garlington
1997-03-29 0:00 ` the one and only real true kibo
1997-03-18 0:00 ` Please do not start a language war " Richard Irvine
1997-03-17 0:00 ` John McCabe
[not found] ` <tz8n2s1hrdc.fsf@aimnet.com>
1997-03-20 0:00 ` John McCabe
1997-03-20 0:00 ` John McCabe
1997-03-20 0:00 ` Jean-Marc Jezequel
1997-03-20 0:00 ` John McCabe
1997-03-21 0:00 ` Niall Cooling
1997-03-21 0:00 ` Gavin Collings
1997-03-27 0:00 ` Joachim Durchholz
1997-04-03 0:00 ` Gavin Collings
1997-04-03 0:00 ` Ken Garlington
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Derek Clarke
1997-04-06 0:00 ` Robert Dewar
1997-04-07 0:00 ` Ken Garlington
1997-04-09 0:00 ` Gavin Collings
1997-04-03 0:00 ` Robert I. Eachus
1997-04-04 0:00 ` Chris Beer
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Ken Garlington
1997-04-04 0:00 ` Robert Dewar
1997-04-03 0:00 ` Robin Rosenberg
1997-03-24 0:00 ` Ken Garlington
1997-03-26 0:00 ` Thomas Beale
1997-03-26 0:00 ` Ken Garlington
1997-03-21 0:00 ` "Paul E. Bennett"
1997-03-22 0:00 ` Nigel Tzeng
1997-03-23 0:00 ` John McCabe
1997-03-17 0:00 ` Paul Johnson [this message]
1997-03-17 0:00 ` Enrico Facchin - Sartori E.T.
1997-03-19 0:00 ` Anders Pytte
1997-03-18 0:00 ` Ken Garlington
1997-03-17 0:00 ` Alexander Anderson
1997-03-17 0:00 ` Nick Leaton
1997-03-17 0:00 ` Richard Kaiser
[not found] ` <tz8g1xtzx9y.fsf@aimnet.com>
1997-03-18 0:00 ` Anders Pytte
1997-03-18 0:00 ` Jean-Marc Jezequel
1997-03-18 0:00 ` Anders Pytte
1997-03-19 0:00 ` Programming language fanaticism! Louis Bastarache
1997-03-20 0:00 ` Anders Pytte
1997-03-20 0:00 ` Papers on the Ariane-5 crash and Design by Contract Matt Kennel (Remove 'nospam' to reply)
1997-03-24 0:00 ` Joachim Durchholz
1997-03-24 0:00 ` Anders Pytte
1997-03-26 0:00 ` Robert Dewar
1997-03-27 0:00 ` the one and only real true kibo
1997-03-29 0:00 ` the one and only real true kibo
1997-03-29 0:00 ` Nick S Bensema
1997-03-30 0:00 ` the one and only real true kibo
1997-03-26 0:00 ` Matt Kennel (Remove 'nospam' to reply)
1997-03-29 0:00 ` Anders Pytte
1997-03-29 0:00 ` Steve Furlong
1997-03-18 0:00 ` Anders Pytte
1997-03-21 0:00 ` Ken Garlington
1997-03-21 0:00 ` Bertrand Meyer
1997-03-21 0:00 ` William Clodius
1997-03-21 0:00 ` Bertrand Meyer
1997-03-23 0:00 ` William Clodius
1997-03-23 0:00 ` the one and only real true kibo
1997-03-22 0:00 ` Fergus Henderson
1997-03-22 0:00 ` Bertrand Meyer
1997-03-23 0:00 ` the one and only real true kibo
1997-03-23 0:00 ` Anders Pytte
1997-03-24 0:00 ` FUD (Re: Papers on the Ariane-5 crash and Design by Contract) Alexander Anderson
1997-03-24 0:00 ` Alexander Anderson
1997-03-23 0:00 ` Papers on the Ariane-5 crash and Design by Contract Anders Pytte
[not found] ` <3335BC24.13728473@eiffel.com>
1997-03-23 0:00 ` Bertrand Meyer
1997-03-24 0:00 ` Robert Dewar
1997-03-31 0:00 ` Ken Garlington
1997-04-01 0:00 ` Bertrand Meyer
1997-03-25 0:00 ` Ken Garlington
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` the one and only real true kibo
1997-03-24 0:00 ` Ken Garlington
1997-03-26 0:00 ` Robert Dewar
1997-03-26 0:00 ` Ken Garlington
[not found] ` <E7ox17.MKx@syd.csa.com.au>
1997-03-28 0:00 ` Ken Garlington
1997-03-24 0:00 ` John Hogg
1997-03-18 0:00 ` Laurent Moussault
1997-03-18 0:00 ` Richard Kaiser
1997-03-18 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Ken Garlington
1997-03-18 0:00 ` Nick Leaton
1997-03-19 0:00 ` Richard Kaiser
1997-03-19 0:00 ` Jean-Marc Jezequel
1997-03-19 0:00 ` Richard Kaiser
1997-03-19 0:00 ` Fergus Henderson
1997-03-18 0:00 ` Richard Kaiser
1997-03-18 0:00 ` Nick Leaton
1997-03-18 0:00 ` "Paul E. Bennett"
1997-03-19 0:00 ` Nick Leaton
1997-03-24 0:00 ` Joachim Durchholz
1997-03-25 0:00 ` Robert Dewar
1997-03-31 0:00 ` Joachim Durchholz
1997-04-02 0:00 ` Robert Dewar
1997-04-03 0:00 ` Martin Tom Brown
1997-04-04 0:00 ` Derek Clarke
1997-04-04 0:00 ` Jonathan Egre'
1997-04-06 0:00 ` Robert Dewar
1997-04-06 0:00 ` Nick Roberts
1997-03-31 0:00 ` Jan Galkowski
1997-03-31 0:00 ` Alexander Anderson
1997-04-01 0:00 ` Alexander Anderson
1997-04-02 0:00 ` Ken Garlington
1997-03-20 0:00 ` John the Hamster
1997-03-17 0:00 ` Bertrand Meyer
1997-03-18 0:00 ` John McCabe
1997-03-18 0:00 ` Ray McVay
1997-03-27 0:00 ` Robert Dewar
1997-03-29 0:00 ` the one and only real true kibo
1997-03-30 0:00 ` Nick Roberts
1997-04-06 0:00 ` Doctorb
1997-04-08 0:00 ` Ron Crocker
1997-04-11 0:00 ` Richard Riehle
1997-03-17 0:00 ` Please do not start a language war (was " Jon S Anthony
1997-03-18 0:00 ` Kent Tong
1997-03-20 0:00 ` Ranan Fraer
1997-03-17 0:00 ` Robert I. Eachus
1997-03-17 0:00 ` Martin Tom Brown
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Jon S Anthony
1997-03-19 0:00 ` Ron Forrester
1997-03-21 0:00 ` Ken Garlington
1997-03-22 0:00 ` Ron Forrester
1997-03-18 0:00 ` Ulrich Windl
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Robert I. Eachus
1997-03-18 0:00 ` Tarjei Jensen
1997-03-18 0:00 ` Jon S Anthony
1997-03-18 0:00 ` Ken Garlington
1997-03-19 0:00 ` Eric M. Boyd
1997-03-19 0:00 ` Jeffrey W. Stulin
[not found] ` <3345cd60.2092398@news.sydney.apana.org.au>
1997-04-03 0:00 ` Ariane-5 crash , Eiffel and Ada Jeffrey W. Stulin
1997-04-03 0:00 ` Nick Leaton
1997-04-08 0:00 ` AdaWorks
1997-03-19 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Karel Th�nissen
1997-03-19 0:00 ` Papers on the Ariane-5 crash and Design by Contract Karel Th�nissen
1997-03-19 0:00 ` Jon S Anthony
1997-03-20 0:00 ` Paul Johnson
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` Design by Contract in C++ (was Re: Papers on the Ariane-5 crash and Design by Contract) Anders Pytte
1997-03-20 0:00 ` Papers on the Ariane-5 crash and Design by Contract Jean-Marc Jezequel
1997-03-24 0:00 ` Ken Garlington
1997-03-19 0:00 ` Nick Leaton
1997-03-19 0:00 ` Jon S Anthony
1997-03-19 0:00 ` Karel Th�nissen
1997-03-19 0:00 ` Ken Garlington
1997-03-19 0:00 ` Ken Garlington
1997-03-20 0:00 ` Richard Kaiser
1997-03-24 0:00 ` Ken Garlington
1997-03-20 0:00 ` Martin Tom Brown
1997-03-21 0:00 ` Frank Manning
1997-03-21 0:00 ` Martin Tom Brown
1997-03-23 0:00 ` Frank Manning
1997-03-25 0:00 ` Ken Garlington
1997-03-20 0:00 ` Robert I. Eachus
1997-03-20 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Nick Leaton
1997-03-20 0:00 ` Karel Th�nissen
1997-03-20 0:00 ` Nick Leaton
1997-03-20 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert I. Eachus
[not found] ` <tz8sp1qiywm.fsf@aimnet.com>
1997-03-21 0:00 ` ae59
1997-03-21 0:00 ` Ulrich Windl
1997-03-21 0:00 ` Alexander Anderson
1997-03-23 0:00 ` "Paul E. Bennett"
1997-03-21 0:00 ` Please do not start a language war (was " Jon S Anthony
1997-03-22 0:00 ` Bertrand Meyer
1997-03-22 0:00 ` Anders Pytte
1997-03-23 0:00 ` Steve Furlong
1997-03-24 0:00 ` Anders Pytte
1997-03-24 0:00 ` Simulating Eiffel-style assertions (was: Papers on the Ariane-5 crash and Design by Contract) Wolfgang Reddig
1997-03-24 0:00 ` Anders Pytte
1997-03-25 0:00 ` Wolfgang Reddig
1997-03-25 0:00 ` Anders Pytte
1997-03-31 0:00 ` Joachim Durchholz
1997-03-26 0:00 ` Alan Brain
1997-03-26 0:00 ` Wolfgang Reddig
1997-03-29 0:00 ` How old time languages survive EJon
1997-03-22 0:00 ` Papers on the Ariane-5 crash and Design by Contract Bertrand Meyer
1997-03-23 0:00 ` Dale Stanbrough
[not found] ` <3335E18E.33590565@eiffel.com>
1997-03-23 0:00 ` FUD (Re: Papers on the Ariane-5 crash and Design by Contract) Bertrand Meyer
1997-03-24 0:00 ` William Grosso
1997-03-24 0:00 ` William Clodius
1997-03-24 0:00 ` Bertrand Meyer
1997-03-24 0:00 ` Brad Appleton
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert Dewar
1997-03-24 0:00 ` Manners (was Re: Papers on the Ariane-5 crash and Design by Contract) Bertrand Meyer
1997-03-25 0:00 ` the one and only real true kibo
1997-03-22 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Stuart Yeates
1997-03-22 0:00 ` Papers on the Ariane-5 crash and Design by Contract Jon S Anthony
1997-03-28 0:00 ` Matt Kennel (Remove 'nospam' to reply)
1997-03-24 0:00 ` Ken Garlington
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Jon S Anthony
1997-03-24 0:00 ` Alexander Anderson
1997-03-24 0:00 ` Ken Garlington
1997-03-27 0:00 ` Joachim Durchholz
1997-03-31 0:00 ` Ken Garlington
1997-04-06 0:00 ` Joachim Durchholz
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Nick Leaton
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Ken Garlington
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-24 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robb Nebbe
1997-03-24 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) William Clodius
1997-03-25 0:00 ` Papers on the Ariane-5 crash and Design by Contract Robert I. Eachus
1997-03-25 0:00 ` Ariane-5: can you clarify? (Re: Please do not start a language war) Ken Garlington
1997-03-25 0:00 ` David Starr
1997-03-25 0:00 ` Ken Garlington
1997-03-26 0:00 ` Papers on the Ariane-5 crash and Design by Contract Ken Garlington
1997-03-26 0:00 ` Alexander Anderson
1997-03-26 0:00 ` Jon S Anthony
1997-03-27 0:00 ` Trust but verify (was " Robert I. Eachus
1997-03-28 0:00 ` Robert I. Eachus
1997-03-28 0:00 ` Jon S Anthony
1997-03-31 0:00 ` Ken Garlington
1997-03-23 0:00 ` the one and only real true kibo
-- strict thread matches above, loose matches on Subject: below --
1997-03-17 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-20 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-25 0:00 ` Nick Roberts
1997-03-24 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-03-27 0:00 Marin David Condic, 561.796.8997, M/S 731-93
1997-04-03 0:00 Adrian B.Y. Hoe
1997-04-05 0:00 ` Nick Roberts
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox