From: wiu09524@rrzc4 (Ulrich Windl)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/21
References: <332B5495.167EB0E7@eiffel.com>
Organization: University of Regensburg, Germany
Reply-To: Ulrich Windl
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <33308C91.40CC@lmtas.lmco.com> Ken Garlington writes:

> Ulrich Windl wrote:
> >
> > The modules computing course correction data both failed due to the
> > problems mentioned (violating the specs for that code); they shut
> > themselves down. But to me the main issue is that the module that
> > received the course correction data did not detect that both computing
> > modules failed and that the data was just a "test pattern" to indicate
> > that event. Probably a better reaction would have been to stop making
> > further corrections instead of driving the engine to its borders.
>
> This is the same as saying: "If the driver of an automobile has a heart
> attack and dies, the steering system should ignore further inputs and
> lock the wheels in the last 'good' position." It doesn't work with
> automobiles,

Well, the main problem I see is "detecting the heart attack" here.

> and it doesn't work with missiles, either. The flight control system
> must receive valid sensor data to maintain control of the aircraft. There
> is generally no reasonable "fail-safe" value for a feedback system like
> this!

I was never claiming fail-safeness, but back in University the professor
teaching logic used constructs like "loop-forever" or "halt" in situations
where a precondition was violated. I just wanted to say that there is a
better way in most cases. Still you can flash the red light, or start the
post-mortem dump if you like. (It's completely off-topic, but if you think
about your body, it works a lot like that. Otherwise you would die too
easily.)

> > If the modules to compute course correction data would have failed in
> > a more paranoid way (the module had an exception due to overflow and
> > shut itself down. If it would have continued with the appropriately
> > signed maximum possible value, well I don't know).
> >
> > Maybe one could postulate "Every part in a software system that must
> > not fail that receives an unexpected exception should handle the
> > situation as well as possible, even if it can't guarantee its
> > specification". This sounds contrary to programming by contract, but
> > sometimes this can help. Theoreticians might say "quit on the first
> > error encountered" while real hackers might say "continue as long as
> > you can".
>
> Sounds good. Unfortunately, sometimes there is not an obvious way to
> continue. This is the fallacy of the "add exception handlers to make
> code safer" crowd - there has to be a reasonable response to the failure
> available to the designer. Sometimes, there isn't one. Adding exception
> handlers where there isn't a reasonable response only makes the design
> more complex - which generally means a greater risk of failure!

Again, I was not stating that the code after the first detected error is
still valid, I was just saying "you might turn on fuzzy mode if you must
go on". Fuzzy mode might be wrong (lead to wrong results). If you have an
algorithm that is performing in a limited window of time, it would be an
advantage if the equipment were still together after the algorithm's time
is over. Agreed, with rockets you just don't have enough fuel to do a
course correction later.

[...]

Ulrich
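The point Ulrich calls the main problem, a consumer that cannot tell a diagnostic pattern from real data, is easy to show in code. The following is an added example, not code from either poster and not the Ariane-5 bus format: the frame layout, the command range, the fault pattern value and all function names are hypothetical. A producer converts a wide intermediate result to a 16-bit frame and emits a fault marker on overflow (the "shut itself down" policy) instead of a saturated value. A naive consumer treats whatever arrives as a correction, so the marker becomes a full-deflection command; a checking consumer verifies the precondition "this frame carries in-range data" on the primary and then the backup source, and when both have failed it stops applying corrections and raises the alarm. Whether holding the last command is an acceptable response for a feedback system is exactly the question Ken raises; the example settles only the detection, and the response is a single place for the designer to decide.

```c
/* Added example (not from the thread). Frame layout, ranges and
   names are hypothetical, not the Ariane-5 inter-module format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A computing module sends either a course-correction value or a
   fault marker whose payload is a diagnostic "test pattern". */
typedef enum { FRAME_DATA = 0, FRAME_FAULT = 1 } frame_kind;

typedef struct {
    frame_kind kind;
    int16_t    payload;  /* correction if FRAME_DATA, pattern if FRAME_FAULT */
} frame_t;

#define CMD_MIN (-1000)                   /* hypothetical actuator range */
#define CMD_MAX ( 1000)
#define FAULT_PATTERN ((int16_t)0x7FFF)   /* hypothetical diagnostic pattern */

/* Producer: narrow a 32-bit intermediate result to the 16-bit frame.
   On overflow the module emits a fault frame rather than a saturated
   value that would be indistinguishable from real data downstream. */
static frame_t make_frame(int32_t raw) {
    frame_t f;
    if (raw < INT16_MIN || raw > INT16_MAX) {
        f.kind = FRAME_FAULT;
        f.payload = FAULT_PATTERN;
    } else {
        f.kind = FRAME_DATA;
        f.payload = (int16_t)raw;
    }
    return f;
}

typedef struct {
    int  last_good_cmd;  /* last command accepted from valid data */
    bool alarm;          /* the "red light" */
} controller_t;

static int clamp(int v) {
    return v < CMD_MIN ? CMD_MIN : (v > CMD_MAX ? CMD_MAX : v);
}

/* Naive consumer: the payload is used as a command regardless of kind,
   so a fault pattern drives the actuator to its limit. */
static int naive_update(controller_t *c, const frame_t *primary,
                        const frame_t *backup) {
    (void)backup;  /* never consulted: the primary is trusted blindly */
    c->last_good_cmd = clamp(primary->payload);
    return c->last_good_cmd;
}

/* Precondition for using a frame as a command. */
static bool frame_valid(const frame_t *f) {
    return f->kind == FRAME_DATA &&
           f->payload >= CMD_MIN && f->payload <= CMD_MAX;
}

/* Checking consumer: use the primary if it satisfies the contract,
   else the backup; if both modules have failed, detect it, raise the
   alarm and stop issuing new corrections. The hold is one possible
   response, chosen here only to make the detection visible. */
static int checked_update(controller_t *c, const frame_t *primary,
                          const frame_t *backup) {
    const frame_t *use = frame_valid(primary) ? primary
                       : frame_valid(backup)  ? backup
                       : NULL;
    if (use == NULL) {
        c->alarm = true;
        return c->last_good_cmd;  /* do not interpret the pattern */
    }
    c->last_good_cmd = use->payload;
    return c->last_good_cmd;
}

int main(void) {
    controller_t naive = {0, false}, checked = {0, false};
    frame_t good = make_frame(120);      /* constructed nominal input */
    naive_update(&naive, &good, &good);
    checked_update(&checked, &good, &good);

    /* Constructed failure: both computing modules overflow and shut down. */
    frame_t fault = make_frame(70000);
    int n = naive_update(&naive, &fault, &fault);
    int k = checked_update(&checked, &fault, &fault);
    printf("naive command: %d  checked command: %d  alarm: %d\n",
           n, k, (int)checked.alarm);
    return 0;
}
```

Running it shows the naive controller commanding the full-deflection value while the checking controller holds its previous command and sets the alarm; swapping in a different response inside the `use == NULL` branch (shut the loop down, switch to a degraded mode) changes only that one place.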