From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/04/03
References: <01bc3603$f9373d40$b280400a@gavinspc>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.lang.ada,comp.object,comp.programming.threads,comp.software-eng

In article <01bc4021$607eea80$b280400a@gavinspc> "Gavin Collings" writes:

> Good. The main point about the Java model, though, is that the compiler
> checks that the programmer has at least thought about handling all
> exceptions that may be generated in nested calls. This means that the
> programmer HAS to think about dealing with error conditions.

> So, in the Ariane case, if the precondition existed (as some say it did)

It did.

> the compiler would have given warnings to the effect that IF
> the error occurred, it would NOT have been handled.

Not quite: the warning that the developers were presented with was that if this exception occurred it would be handled by a non-local (default) handler. There were no "unhandled" exceptions as such.

> Wouldn't this have made the disaster less likely?

Hardly. The message that the Ariane 4 developers got was VERY clear. If this happens, rocket crashes.
Well actually it was apparently more of a list of conditions under which the guidance system would shut itself down and spew failure diagnostics to the ground systems. But I don't get the impression that anyone thought this meant anything other than rocket crashes here. Of a list of seven such occurrences, local handlers were added for either four or five. The others, including this one, were determined to be physically impossible. (Unless, of course, you put the guidance system in a different rocket--or launched from a different planet.)

This is the point that Robert Dewar, Ken and I have been emphasizing again and again--there was no error in software development (for the Ariane 4), and ANY reasonable approach to reuse would have found the potential problems. Remember the actual failure sequence involved deflecting the engines beyond the acceptable stresses for the Ariane 5, which were apparently less than for the rocket the system was designed for.

--
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
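The distinction the post turns on (a range precondition that raises, a local handler for some of the violations, and a non-local default handler that shuts the unit down and emits diagnostics for the rest) can be shown in a few lines. The following is an added illustration, not code from the thread or from any Ariane software; it is written in Python rather than Ada so it runs anywhere, and the channel names, the 16-bit target range and the sample values are constructed. The "flight envelope" is represented only by which samples are fed in: the same code that is fine for the narrow envelope shuts itself down under the wider one, which is the reuse point the post makes.

```python
"""Constructed illustration: guarded narrowing conversion with local and
default (unit-level) exception handling.  Not from the original post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INT16_MIN, INT16_MAX = -32768, 32767  # assumed 16-bit target range


class EnvelopeViolation(Exception):
    """Raised when an input leaves the range the conversion was specified for."""


def to_int16(x: float, name: str) -> int:
    """Narrowing conversion with an explicit precondition on the input range."""
    v = int(x)
    if not INT16_MIN <= v <= INT16_MAX:
        raise EnvelopeViolation(f"{name}={x} outside 16-bit range")
    return v


@dataclass
class Unit:
    """A computing unit: some channels have a local handler, the rest fall
    through to the unit's default handler, which shuts the unit down."""
    locally_handled: Set[str] = field(default_factory=set)
    running: bool = True
    diagnostics: List[str] = field(default_factory=list)

    def convert(self, name: str, x: float) -> int:
        try:
            return to_int16(x, name)
        except EnvelopeViolation as e:
            if name in self.locally_handled:
                # Local handler: record the event and clamp to the target range.
                self.diagnostics.append(f"local handler: {e}; clamped")
                return max(INT16_MIN, min(INT16_MAX, int(x)))
            raise  # no local handler: propagate to the default handler

    def cycle(self, sample: Dict[str, float]) -> Optional[Dict[str, int]]:
        """One processing cycle; None means the default handler fired."""
        try:
            return {n: self.convert(n, v) for n, v in sample.items()}
        except EnvelopeViolation as e:
            # Non-local default handler: shut down and report to the ground.
            self.running = False
            self.diagnostics.append(f"default handler: {e}; unit shut down")
            return None


def run(samples: List[Dict[str, float]],
        locally_handled: Set[str]) -> Tuple[Unit, List[Optional[Dict[str, int]]]]:
    """Feed samples to a fresh unit until it stops; return the unit and outputs."""
    unit = Unit(locally_handled=set(locally_handled))
    outputs: List[Optional[Dict[str, int]]] = []
    for s in samples:
        if not unit.running:
            break
        outputs.append(unit.cycle(s))
    return unit, outputs


if __name__ == "__main__":
    # Constructed sample data: "x" has a local handler, "z" does not.
    narrow = [{"x": 100.0, "z": 2000.0}, {"x": 32000.0, "z": -32000.0}]
    wide = [{"x": 40000.0, "z": 1.0}, {"x": 1.0, "z": 40000.0}, {"x": 5.0, "z": 5.0}]
    for label, samples in (("narrow envelope", narrow), ("wide envelope", wide)):
        unit, outputs = run(samples, {"x"})
        print(label, "running" if unit.running else "SHUT DOWN", outputs)
        for d in unit.diagnostics:
            print("  ", d)
```

Under the narrow envelope every conversion succeeds and the unit keeps running. Under the wide envelope the first out-of-range value on "x" is clamped by its local handler, while the first out-of-range value on "z" reaches the default handler, which stops the unit and leaves a diagnostic; the third sample is never processed. Whether leaving "z" without a local handler was the right decision depends entirely on whether the envelope the precondition encodes still holds for the system the code is reused in.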