From: KK6GM
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Tue, 15 Mar 2011 10:40:42 -0700 (PDT)
Organization: http://groups.google.com
Message-ID: <8f20dc95-f0f5-4817-9dca-11b5242d3fcc@o21g2000prh.googlegroups.com>
References: <82d3lsvqw7.fsf@stephe-leake.org>

On Mar 15, 10:32 am, Keith Thompson wrote:
> Stephen Leake writes:
> > Elias Salomão Helou Neto writes:
> >> I have followed the (quite lengthy) on a topic, IIRC, about bitwise
> >> operators, which eventually led to people mentioning the Ariane 5
> >> case.
> >>
> >> Since then I have been wondering. If compiler checking were actually
> >> turned on, what would have happened? How could it avoid the disaster?
> >
> > Just to remind people; the real problem was that Ariane 4 code was
> > reused on Ariane 5, without carefully considering the design, also
> > without adequate testing.
> >
> > Ariane 5 is a bigger rocket; it has bigger accelerations. The range for
> > accelerations in the code, which was correct for Ariane 4, was incorrect
> > for Ariane 5.
> >
> > No amount of "defensive programming" can handle such a fundamental
> > design error.
>
> As I recall, the problem was that an exception message was sent
> and interpreted as binary data, because it was incorrectly assumed
> that the exception could never happen. The exception occurred in
> a subsystem that wasn't even needed at the time. (It's entirely
> possible I've got this wrong.)
>
> What if the subsystem had handled the exception and quietly
> terminated?

That was only after both primary and secondary guidance computers had shut down, according to spec, upon having received "impossible" data. Once both computers stopped running, the rocket was doomed. The diagnostic data being interpreted as nozzle deflection data (IIRC) just made that doom more spectacular than it might otherwise have been.
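Keith's "what if the subsystem had handled the exception" question, illustrated as an added example that is not part of the thread and not the Ariane flight code: a Long_Float value is converted to a 16-bit signed integer type with Ada's range check left on, and the subsystem that performs the conversion catches its own Constraint_Error and marks itself stopped instead of letting the exception propagate to the computer as a whole. The type and subprogram names (Bias_16, To_Bias, Alignment_Step), the input values and the "Healthy" flag are assumptions chosen for the illustration.

```ada
--  Added example (not from the thread): Long_Float -> 16-bit conversion
--  with the range check enabled, failure contained to one subsystem.
--  Names and input values are constructed for the illustration.
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Check_Demo is

   --  16-bit signed target type, the width the thread is discussing.
   type Bias_16 is range -32_768 .. 32_767;

   --  With checks on, a value outside Bias_16 raises Constraint_Error
   --  at this conversion.  Under "pragma Suppress (Range_Check);" the
   --  conversion would not raise and the result would be undefined.
   function To_Bias (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   end To_Bias;

   --  The subsystem that is no longer needed: it catches its own
   --  exception, records that it has stopped, and returns normally.
   procedure Alignment_Step (X : Long_Float; Healthy : in out Boolean) is
      B : Bias_16;
   begin
      B := To_Bias (X);
      Put_Line ("bias =" & Bias_16'Image (B));
   exception
      when Constraint_Error =>
         Healthy := False;
         Put_Line ("alignment step: value out of range, subsystem stopped");
   end Alignment_Step;

   Subsystem_Healthy : Boolean := True;

   --  Constructed inputs: one inside the 16-bit range, one beyond it.
   Inputs : constant array (1 .. 2) of Long_Float := (1_234.5, 65_000.0);

begin
   for I in Inputs'Range loop
      if Subsystem_Healthy then
         Alignment_Step (Inputs (I), Subsystem_Healthy);
      else
         Put_Line ("alignment step skipped, subsystem already stopped");
      end if;
      --  The surrounding loop keeps running whatever the subsystem did.
      Put_Line ("guidance loop continues after input" & Integer'Image (I));
   end loop;
end Range_Check_Demo;
```

Run it with any Ada compiler that keeps range checks enabled by default (GNAT does unless -gnatp or a Suppress pragma is used): the first input converts, the second raises Constraint_Error inside Alignment_Step, the handler stops that subsystem, and the outer loop finishes both iterations. Removing the exception handler makes the exception leave Alignment_Step and abandon the whole procedure, which is the propagate-to-the-top behaviour the thread is contrasting with a contained failure.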