From: Derek Clarke
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/04/04
Message-ID: <5i3fmr$cgn@gcsin3.geccs.gecm.com>
References: <01bc3603$f9373d40$b280400a@gavinspc> <01bc4021$607eea80$b280400a@gavinspc>
Organization: GEC-Marconi Inflight Systems
Newsgroups: comp.lang.eiffel,comp.lang.ada,comp.object,comp.programming.threads,comp.software-eng

"Gavin Collings" wrote:
>--
>Joachim Durchholz wrote
>> The class EXCEPTION with several subclasses does exist as part of the
>> standard libraries. Exception handlers can decide what to do based on the
>> run-time class of the exception. This facility does not seem to be in
>> wide-spread use, but it's all there.
>
>Good. The main point about the Java model, though, is that the compiler
>checks that the programmer has at least thought about handling all
>exceptions that may be generated in nested calls. This means that the
>programmer HAS to think about dealing with error conditions. So, in the
>Ariane case, if the precondition existed (as some say it did) the compiler
>would have given warnings to the effect that IF the error occurred, it
>would NOT have been handled. Wouldn't this have made the disaster less
>likely?

No, no and thrice no!
The Ariane 4 software people _knew_ about this possibility. They made the judgement call that this particular floating-point to integer conversion would never exceed the integer range and cause an exception because the velocity reading that produced the floating-point value would never exceed the danger value in the real (Ariane 4) environment. Whether or not you agree with leaving exceptions unhandled on efficiency grounds, that was a genuine engineering decision in the light of all available evidence.

Some long time following this judgement call, which was carefully documented, passed by several committees, and generally inspected to death, someone in the _management_ structure of the _Ariane 5_ project decided not to test the assumptions built into the unit concerned by denying the technical team for Ariane 5 access to data of the projected flight profile for the new launcher. No number of language features would get around this dumbass move.