From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
References: <332B5495.167EB0E7@eiffel.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <5gqtve$1ol@gcsin3.geccs.gecm.com> Paul Johnson writes:

> function Convert ( High_Bias : Bias_Constraint ) return Integer;
>
> Yes, but this doesn't help. Sure, the range limit is in the interface
> to the conversion routine, but there is no way (other than comments)
> to propagate that limit into the interfaces of its callers, and no
> methodological rule that says you should.

The way to do this, if appropriate, is to use a derived type, not a subtype:

   type Bias_Constraint is new Integer range Min_Bias..Max_Bias;

...but that would not be appropriate here. The horizontal velocity should be permitted to range up to at least 25000 kilometers/second or more. It was just in this one routine where the value was limited. So it makes sense to have the routine do an internal check and have the external interface include an exception, called maybe Too_Fast_for_Calibration, that would be raised in the case of overflow.

As it was, the exception raised was effectively Hardware_Broken, and the rest is history.

> The point about Eiffel is not merely that it has the syntax to
> express these limits, but that it also has the rules and
> "programmer culture" that causes these mechanisms to be used
> routinely. This might well have caused the limit in question to be
> documented at a high enough level to have been noticed by whoever
> it was that decided to re-use the Ariane 4 inertial guidance
> system. It's not certain, but it's a lot more likely.

Again, this is part of where the process was totally haywire. The decision to reuse the software HAD ALREADY BEEN MADE when the developers were debating this issue and adding the quick turnaround support. But the Ariane 4 developers were not allowed to see the planned Ariane 5 flight profile, and the Ariane 5 designers never looked at the Ariane 4 software specs.

--
Robert I. Eachus

with Standard_Disclaimer; use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
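The three mechanisms the posting contrasts (a subtype, a derived type, and a routine-local check that raises a named exception), shown together as an added Ada example. This is not code from the posting or from the Ariane software; the constants Min_Bias and Max_Bias, the types Velocity and Bias_Subtype, the exception Too_Fast_for_Calibration and the procedure names are all assumed for illustration, and the 16-bit bias range is a constructed value, not taken from the flight software.

```ada
-- Added example, not from the original posting or from any flight software.
-- Min_Bias/Max_Bias, Velocity, Bias_Subtype, Too_Fast_for_Calibration and the
-- procedure names are assumed for illustration; the 16-bit range is constructed.
with Ada.Text_IO; use Ada.Text_IO;

procedure Bias_Demo is

   Min_Bias : constant Integer := -32_768;
   Max_Bias : constant Integer :=  32_767;

   -- Subtype: still an Integer at every interface, so a caller can hand in
   -- any Integer and the constraint is only discovered at run time.
   subtype Bias_Subtype is Integer range Min_Bias .. Max_Bias;

   -- Derived type: a distinct type. A caller must name Bias_Constraint (or
   -- write an explicit conversion), so the limit is visible in every
   -- interface that carries the value.
   type Bias_Constraint is new Integer range Min_Bias .. Max_Bias;

   -- Wide type for the input value; deliberately not limited to the
   -- calibration range, as the posting argues the velocity should not be.
   type Velocity is new Long_Integer;

   -- Named exception in the routine's external interface, instead of an
   -- anonymous Constraint_Error that reads like "Hardware_Broken" upstream.
   Too_Fast_for_Calibration : exception;

   -- Subtype version: the check happens implicitly at the parameter binding.
   function Convert_Subtype (High_Bias : Bias_Subtype) return Integer is
   begin
      return Integer (High_Bias);
   end Convert_Subtype;

   -- Derived-type version with an explicit internal check that raises the
   -- named exception before any overflowing conversion takes place.
   function Convert (High_Bias : Velocity) return Bias_Constraint is
   begin
      if High_Bias < Velocity (Min_Bias) or else High_Bias > Velocity (Max_Bias)
      then
         raise Too_Fast_for_Calibration;
      end if;
      return Bias_Constraint (High_Bias);
   end Convert;

   procedure Try_Subtype (X : Integer) is
   begin
      -- Compiles without complaint for any Integer; the range is hidden.
      Put_Line ("Convert_Subtype (" & Integer'Image (X) & ") ="
                & Integer'Image (Convert_Subtype (X)));
   exception
      when Constraint_Error =>
         Put_Line ("Convert_Subtype (" & Integer'Image (X)
                   & ") raised Constraint_Error (anonymous failure)");
   end Try_Subtype;

   procedure Try_Derived (V : Velocity) is
   begin
      Put_Line ("Convert (" & Velocity'Image (V) & ") ="
                & Bias_Constraint'Image (Convert (V)));
   exception
      when Too_Fast_for_Calibration =>
         Put_Line ("Convert (" & Velocity'Image (V)
                   & ") raised Too_Fast_for_Calibration (named failure)");
   end Try_Derived;

begin
   Try_Subtype (1_000);
   Try_Subtype (40_000);   -- out of range: only visible as Constraint_Error
   Try_Derived (1_000);
   Try_Derived (40_000);   -- out of range: caller sees a named exception
   -- The following would be rejected at compile time, which is the point of
   -- the derived type: the limit cannot be bypassed by passing a bare Integer.
   --   declare B : Bias_Constraint := Max_Bias + 1; begin null; end;
end Bias_Demo;
```

Compile with `gnatmake bias_demo.adb` and run `./bias_demo`. The two out-of-range calls fail in both variants; the difference is that the subtype caller learns nothing from the interface and gets a generic Constraint_Error, while the derived-type caller must name the constrained type and receives an exception whose name states what actually went wrong.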