From: Derek Clarke
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/04/04
Message-ID: <5i3gln$cgn@gcsin3.geccs.gecm.com>
References: <01bc3603$f9373d40$b280400a@gavinspc> <01bc4021$607eea80$b280400a@gavinspc>
Organization: GEC-Marconi Inflight Systems
Newsgroups: comp.lang.eiffel,comp.lang.ada,comp.object,comp.programming.threads,comp.software-eng

eachus@spectre.mitre.org (Robert I. Eachus) wrote:

>In article <01bc4021$607eea80$b280400a@gavinspc> "Gavin Collings" writes:
>
> > Good. The main point about the Java model, though, is that the compiler
> > checks that the programmer has at least thought about handling all
> > exceptions that may be generated in nested calls. This means that the
> > programmer HAS to think about dealing with error conditions.
>
> > So, in the Ariane case, if the precondition existed (as some say it did)
>
> It did.

Yep.

> > the compiler would have given warnings to the effect that IF
> > the error occurred, it would NOT have been handled.
>
> Not quite; the warning that the developers were presented with
>was that if this exception occurred it would be handled by a non-local
>(default) handler. There were no "unhandled" exceptions as such.

In the sense that the microprocessor executing the instructions hit a floating point exception that wasn't covered by the language system. I'd tend to call that an unhandled exception.

> > Wouldn't this have made the disaster less likely?
>
> Hardly. The message that the Ariane 4 developers got was VERY
>clear. If this happens, rocket crashes.

Not true. The message was actually "We don't care about what happens because this situation can never arise". That was true for Ariane 4.

> Well actually it was
>apparently more of a list of conditions under which the guidance
>system would shut itself down and spew failure diagnostics to the
>ground systems. But I don't get the impression that anyone thought
>this meant anything other than rocket crashes here.

If they seriously believed the situation could arise, they would have properly covered (_not_ handled necessarily) the exception. They certainly didn't plan on their bit making the launcher blow up.

> Of a list of seven such occurrences, local handlers were added for
>either four or five. The others, including this one, were determined
>to be physically impossible. (Unless, of course, you put the guidance
>system in a different rocket--or launched from a different planet.)

Not _physically possible_. The exceptions weren't covered for efficiency reasons. Instead of looking at some way of handling the problem more sophisticated than "shall I include this automatic feature or not"...

> This is the point that Robert Dewar, Ken and I have been
>emphasizing again and again--there was no error in software
>development (for the Ariane 4),

Although I'm rather dubious about the treatment of floating-point exceptions as "hardware errors".

>and ANY reasonable approach to reuse
>would have found the potential problems.

Only if the re-use specification of the hardware unit had included the maximum horizontal velocity that the unit should be subjected to. Can you see the likelihood of that popping out of an Eiffel compiler? I can't...

>Remember the actual failure
>sequence involved deflecting the engines beyond the acceptable
>stresses for the Ariane 5, which were apparently less than for the
>rocket the system was designed for.

If Ariane 4 had followed the same flight profile on a launch, it too would have broken up. All liquid-fuel launchers are pressurised tubes of very low wall thickness, and none of them could take that abuse!

The biggest bug was surely the flight controller interpreting the diagnostic data put on the bus by the crashed SRI(s) as real flight data, and swivelling the rockets to suit. Given the fact that the SRI(s) weren't needed in flight anyway, if the flight controller had been able to ignore the rubbish, all would have been sweetness and light. And possibly SRI(s) would harmlessly crash on every other Ariane 5 flight thereafter...
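The two engineering points argued over in the thread above (covering a conversion precondition explicitly instead of leaving it to a default handler, and a consumer that does not mistake a unit's diagnostic output for flight data) are shown below as an added illustration in C. This is example code written for this page; it is not the Ariane flight software, not Ada, and not code from any poster. The double-to-16-bit-integer overflow is the same kind of conversion that failed on Ariane 501, but every identifier here (`to_int16_checked`, `bus_frame`, the one-byte `kind` tag, `run_cycle`) and the frame layout are constructed assumptions for the example, not a real bus protocol.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <math.h>

/* Outcome of a contract-checked conversion. The status is returned as a
 * value the caller must inspect, rather than raised as an exception that
 * may end up in a default handler somewhere else. */
typedef enum {
    CONV_OK = 0,
    CONV_OUT_OF_RANGE = 1,
    CONV_NOT_FINITE = 2
} conv_status;

/* Precondition-checked double -> int16_t conversion.
 * A plain (int16_t)v cast is undefined behaviour in C when v does not fit;
 * in Ada the equivalent conversion raises an exception. Here the
 * precondition is checked explicitly and a violation is reported. */
conv_status to_int16_checked(double v, int16_t *out)
{
    if (!isfinite(v))
        return CONV_NOT_FINITE;
    /* Conservative contract: reject anything outside [INT16_MIN, INT16_MAX]
     * before truncation, so the cast below is always defined. */
    if (v > (double)INT16_MAX || v < (double)INT16_MIN)
        return CONV_OUT_OF_RANGE;
    *out = (int16_t)v;          /* truncates toward zero, now known to fit */
    return CONV_OK;
}

/* Convenience wrapper returning only the status. */
conv_status classify(double v)
{
    int16_t scratch;
    return to_int16_checked(v, &scratch);
}

/* A bus frame as a consumer sees it. Layout is constructed for this
 * example: one tag byte says whether the payload is a measurement or a
 * diagnostic status, so the two cannot be confused. */
typedef enum { FRAME_FLIGHT_DATA = 1, FRAME_DIAGNOSTIC = 2 } frame_kind;

typedef struct {
    uint8_t kind;    /* a frame_kind */
    int16_t value;   /* measurement if FLIGHT_DATA, status code if DIAGNOSTIC */
} bus_frame;

/* Producer side: on a contract violation emit a tagged diagnostic frame.
 * On an untagged bus the status code (1 or 2) would sit exactly where a
 * consumer expects a measurement. */
bus_frame produce_frame(double measured)
{
    bus_frame f;
    int16_t v;
    conv_status s = to_int16_checked(measured, &v);
    if (s == CONV_OK) {
        f.kind = FRAME_FLIGHT_DATA;
        f.value = v;
    } else {
        f.kind = FRAME_DIAGNOSTIC;
        f.value = (int16_t)s;
    }
    return f;
}

/* Consumer side: only tagged flight data may update the command; anything
 * else is ignored and the previous command is held. */
bool consume_frame(const bus_frame *f, int16_t *cmd)
{
    if (f->kind != FRAME_FLIGHT_DATA)
        return false;
    *cmd = f->value;
    return true;
}

/* One producer/consumer cycle: returns the command in force afterwards. */
int16_t run_cycle(double measured, int16_t last_cmd)
{
    bus_frame f = produce_frame(measured);
    int16_t cmd = last_cmd;
    (void)consume_frame(&f, &cmd);
    return cmd;
}

int main(void)
{
    /* Constructed inputs: one in range, one that overflows int16. */
    int16_t cmd = 0;
    cmd = run_cycle(1234.7, cmd);     /* accepted: cmd becomes 1234 */
    cmd = run_cycle(70000.0, cmd);    /* rejected: cmd stays 1234 */
    return cmd == 1234 ? 0 : 1;
}
```

The point of the tag byte is the one Derek makes at the end of his post: a consumer can only "ignore the rubbish" if the bus format lets it tell a diagnostic dump from a measurement. Whether the producer "covers" the exception locally (as here, by returning a status) or lets a default handler shut the unit down, the consumer still needs that distinction to hold its last good command instead of steering on a status code.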