From: Keith Thompson
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Tue, 15 Mar 2011 10:32:09 -0700
Organization: None to speak of
References: <82d3lsvqw7.fsf@stephe-leake.org>

Stephen Leake writes:
> Elias Salomão Helou Neto writes:
>> I have followed the (quite lengthy) thread on a topic, IIRC, about bitwise
>> operators, which eventually led to people mentioning the Ariane 5
>> case.
>>
>> Since then I have been wondering. If compiler checking were actually
>> turned on, what would have happened? How could it avoid the disaster?
>
> Just to remind people: the real problem was that Ariane 4 code was
> reused on Ariane 5, without carefully considering the design, also
> without adequate testing.
>
> Ariane 5 is a bigger rocket; it has bigger accelerations. The range for
> accelerations in the code, which was correct for Ariane 4, was incorrect
> for Ariane 5.
>
> No amount of "defensive programming" can handle such a fundamental
> design error.

As I recall, the problem was that an exception message was sent and
interpreted as binary data, because it was incorrectly assumed that the
exception could never happen. The exception occurred in a subsystem that
wasn't even needed at the time. (It's entirely possible I've got this
wrong.)

What if the subsystem had handled the exception and quietly terminated?

-- 
Keith Thompson (The_Other_Keith) kst-u@mib.org
Nokia
"We must do something. This is something. Therefore, we must do this."
    -- Antony Jay and Jonathan Lynn, "Yes Minister"
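An added Ada sketch of the failure mode the thread is discussing, not code from the original post or from the Ariane software: a wide floating-point value converted into a constructed 16-bit range, once letting Constraint_Error propagate and once handled inside the "subsystem" so the caller gets a failure status instead. The type Bias_16, the procedure names and the sample values are all constructed for illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checked_Bias is
   --  Constructed type: a 16-bit signed quantity fed from a wider
   --  floating-point computation (stand-in for the Ariane-style value).
   type Bias_16 is range -2**15 .. 2**15 - 1;

   --  With checks enabled, the conversion is range-checked and raises
   --  Constraint_Error when the value does not fit the target type.
   function To_Bias (X : Long_Float) return Bias_16 is
   begin
      return Bias_16 (X);
   end To_Bias;

   --  The alternative asked about above: handle the exception inside the
   --  subsystem and report failure to the caller instead of propagating.
   procedure Try_To_Bias
     (X : Long_Float; Result : out Bias_16; OK : out Boolean) is
   begin
      Result := Bias_16 (X);
      OK := True;
   exception
      when Constraint_Error =>
         Result := 0;      --  constructed safe default
         OK := False;
   end Try_To_Bias;

   Small : constant Long_Float := 12_000.0;  --  constructed: fits
   Large : constant Long_Float := 70_000.0;  --  constructed: out of range
   B     : Bias_16;
   OK    : Boolean;
begin
   Put_Line ("Small, checked: " & Bias_16'Image (To_Bias (Small)));

   Try_To_Bias (Large, B, OK);
   if OK then
      Put_Line ("Large, handled: " & Bias_16'Image (B));
   else
      Put_Line ("Large, handled: out of range, subsystem reports failure");
   end if;

   --  Unhandled inside To_Bias: the exception propagates to this block,
   --  which is the last place it can still be caught.
   begin
      Put_Line ("Large, unhandled: " & Bias_16'Image (To_Bias (Large)));
   exception
      when E : Constraint_Error =>
         Put_Line ("Large, unhandled: " & Exception_Name (E) & " propagated");
   end;
end Checked_Bias;
```

Compiled with checks on (the GNAT default), the second and third cases both hit the range check; only the handled path lets the rest of the program continue with a known-bad status rather than an exception escaping the subsystem.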