Would You Fly an Airplane with a Linux-Based Control System?

Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

See: http://www.technologyreview.com/blog/blog.asp?blogID=1654&trk=blog

Preben

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Simon Clubley]

In article <slrncq3k8c.29u8.randhol@bacchus.pvv.ntnu.no>, randhol@bacchus.pvv.ntnu.no (Preben Randhol) writes:
> See: http://www.technologyreview.com/blog/blog.asp?blogID=1654&trk=blog
> 
> Preben

The PDF linked to on that page seems to just be a series of slides in PDF
format (with a file size of about 15MB).

Is there any coherent article to go with the slides ?

I note that apart from one page commenting on RTOS's in general, the focus
on the suitability of Linux is about auditing of code and not about realtime
guarantees, or lack thereof, offered by standard Linux.

I recommend that Ada advocates with high blood pressure not read page 21 of
the PDF, especially the last line. :-)

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP       
Microsoft: The Standard Oil Company of the 21st century

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Brian May]

>>>>> "Simon" == Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> writes:

    Simon> randhol@bacchus.pvv.ntnu.no (Preben Randhol) writes:
    >> See:
    >> http://www.technologyreview.com/blog/blog.asp?blogID=1654&trk=blog

Interesting article.

Linux was never designed for mission critical, life dependant
applications. Nor was it designed to be easy to audit for such
purposes. Linux has other design criteria. I don't think this is any
secret.

However, the article seems to be getting various issues confused. For
example:

* yes, the kernel has a huge number of lines in total. Now delete all
  the lines for other architectures, delete all lines for drivers not
  required, and count again; I think you will end up with a
  significantly smaller number.

* number of switches to "ls" seems irrelevant, I don't think any of
  these systems would need ls. Even if ls was required, it would be
  easy to write a cut down version that just has the required
  operations.

* IMHO if open source software was designed from the ground up to be
  used in mission critical applications, by people who know what they
  are doing, then just because these people may be volunteers doesn't
  mean it cannot be trusted.

* security issues can be related to bugs that are life threatening,
  but not always. Security issues are when somebody deliberately and
  intensionally attempts to break something. On the other hands,
  people involved with aircraft, generally speaking, want the aircraft
  to stay in the air. I would be kind of alarmed if any Fly-By-Wire
  computer system had an Internet connection... There are lots of ways
  of sabotaging an aircraft, you don't have to use software for that.

    Simon> I recommend that Ada advocates with high blood pressure not
    Simon> read page 21 of the PDF, especially the last line. :-)

"Pilot (driver, walker) asserts intent"?

Did I get the wrong page?
-- 
Brian May <bam@snoopy.apana.org.au>

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Ed Falis]

On Tue, 23 Nov 2004 09:36:19 +1100, Brian May <bam@snoopy.apana.org.au>  
wrote:

>     Simon> I recommend that Ada advocates with high blood pressure not
>     Simon> read page 21 of the PDF, especially the last line.
> "Pilot (driver, walker) asserts intent"?


I think Simon was referring to the slide with the mythological  
interpretation of the Ariane 5 event.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[David Botton]

For a real understanding of the Ariane 5 event, see the Ada FAQ:

http://www.adapower.com/index.php?Command=Class&ClassID=FAQ&CID=328

David Botton
http://www.adapower.com

On 2004-11-22 18:07:09 -0500, "Ed Falis" <falis@verizon.net> said:

> On Tue, 23 Nov 2004 09:36:19 +1100, Brian May <bam@snoopy.apana.org.au>  wrote:
> 
>>     Simon> I recommend that Ada advocates with high blood pressure not
>>     Simon> read page 21 of the PDF, especially the last line.
>> "Pilot (driver, walker) asserts intent"?
> 
> 
> I think Simon was referring to the slide with the mythological  
> interpretation of the Ariane 5 event.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alexander E. Kopilovich]

David Botton wrote:

>For a real understanding of the Ariane 5 event, see the Ada FAQ:
>
>http://www.adapower.com/index.php?Command=Class&ClassID=FAQ&CID=328

I followed this link and read the article. Well, it's OK for that FAQ - it
explains what has happened and it is well-written.

But unlike other items of the FAQ, there is no obvious further reading for
this item for those who want more deep/detailed explanations.

At the same time, some readers of the FAQ may be interested in those details;
moreover, some readers probably will not believe the article without those
details.

For example, the article states that there was no testing - this is true,
but this may be unbelievable for some readers without detailed explanations
of how that happened. (Such a simple formula for the reason for avoiding
testing - "to save money" - may not satisfy them.)

So I propose to add (after the end of the article) a link "more details"
to the discussion on that topic in comp.lang.ada that occured in summer
(July-August) 2003. If it seems more appropriate to link to a single 
"summary" text instead of the whole discussion then the text from the message
in comp.lang.ada with subject:

  Ariane5 FAQ, Observer's version, 7th draft (hopefully final) 

may be used for that (it may be placed somewhere on website for convenience
of linking and somehow edited if needed).




Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Alexander E. Kopilovich wrote:

>   Ariane5 FAQ, Observer's version, 7th draft (hopefully final)
> 
> may be used for that (it may be placed somewhere on website for
> convenience of linking and somehow edited if needed).

Well there are two Wiki articles allready:

http://en.wikipedia.org/wiki/Ada_programming_language#The_Ariane_5_failure
http://en.wikipedia.org/wiki/Ariane_5_Flight_501

It does not get much easier for editing then Wiki.

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Robert Kaiser]

In article <sa48y8tv7do.fsf@snoopy.apana.org.au>,
	Brian May <bam@snoopy.apana.org.au> writes:
>>>>>> "Simon" == Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> writes:
> ....
> 
> However, the article seems to be getting various issues confused. For
> example:
> 
> * yes, the kernel has a huge number of lines in total. Now delete all
>   the lines for other architectures, delete all lines for drivers not
>   required, and count again; I think you will end up with a
>   significantly smaller number.

I did that some time ago and arrived at some 1 Million LOC. This
is significantly less than the 5.5 Million mentioned in the slides
but still a bit too much for my taste.

> 
> * number of switches to "ls" seems irrelevant, I don't think any of
>   these systems would need ls. Even if ls was required, it would be
>   easy to write a cut down version that just has the required
>   operations.

True. However, the same argument (complexity) could just as well be
applied to sections of kernel code, but the kernel can not be
adapted/simplified so easily (because it is a monolith).

> 
> * IMHO if open source software was designed from the ground up to be
>   used in mission critical applications, by people who know what they
>   are doing, then just because these people may be volunteers doesn't
>   mean it cannot be trusted.

Very True. In fact, I think open source even has (or could have) an
advantage in mission critical applications because of the potentially
huge number and skill of reviewers. On the other hand, I have yet to see
an open source project that does work the way you describe. I believe this
is because volunteers tend to work on things that they consider "fun",
and very few people consider documenting a fun thing to do..


> * security issues can be related to bugs that are life threatening,
>   but not always. Security issues are when somebody deliberately and
>   intensionally attempts to break something. On the other hands,
>   people involved with aircraft, generally speaking, want the aircraft
>   to stay in the air.

That is one of the differences between safety and security. You are right
that people involved with aircraft are concerned mainly with safety.
However, a huge and complex trusted code base (such as 1 Million lines
of kernel code) is a concern for both safety and security.

>     Simon> I recommend that Ada advocates with high blood pressure not
>     Simon> read page 21 of the PDF, especially the last line. :-)
> 
> "Pilot (driver, walker) asserts intent"?
> 
> Did I get the wrong page?

Probably. The last two lines of that page read (Ada
advocates with high blood pressure please look away):

<snip>
 * Ada is smart - it knows better!
 * C would have just corrupted memory and flown
<snap>

Rob

-- 
Robert Kaiser                     email: rkaiser AT sysgo DOT com
SYSGO AG                          http://www.elinos.com
Klein-Winternheim / Germany       http://www.sysgo.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Georg Bauhaus]

Ed Falis <falis@verizon.net> wrote:
: On Tue, 23 Nov 2004 09:36:19 +1100, Brian May <bam@snoopy.apana.org.au>  
: wrote:
: 
:>     Simon> I recommend that Ada advocates with high blood pressure not
:>     Simon> read page 21 of the PDF, especially the last line.
:> "Pilot (driver, walker) asserts intent"?
: 
: I think Simon was referring to the slide with the mythological  
: interpretation of the Ariane 5 event.

How many people in the world are there who draw the right
conclusions from the case, and how many are there who can
actually claim detailed knowledge of the case?


-- Georg Bauhaus

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Robert Kaiser wrote:

> Probably. The last two lines of that page read (Ada
> advocates with high blood pressure please look away):
> 
> <snip>
>  * Ada is smart - it knows better!
>  * C would have just corrupted memory and flown
> <snap>

Which shows how stuid the author realy is. Anybody worth his salt in
software development know that a programm with corrupted memory may or may
not continue to run - depending on how lucky you are today.

With C it would have been a lottery.

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Simon Wright]

bitbucket@invalid-domain-see-sig.nil (Robert Kaiser) writes:

> Very True. In fact, I think open source even has (or could have) an
> advantage in mission critical applications because of the
> potentially huge number and skill of reviewers.

They have to be competent and -- possibly more difficult -- motivated!

-- 
Simon Wright                               100% Ada, no bugs.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Brian May]

>>>>> "Simon" == Simon Wright <simon@pushface.org> writes:

    Simon> bitbucket@invalid-domain-see-sig.nil (Robert Kaiser)
    Simon> writes:

    >> Very True. In fact, I think open source even has (or could
    >> have) an advantage in mission critical applications because of
    >> the potentially huge number and skill of reviewers.

    Simon> They have to be competent and -- possibly more difficult --
    Simon> motivated!

open source doesn't mean unpaid for...

If a company really wants an open source solution, they can pay
programmers to write and maintain it. They can sell the hardware with
the source code to the customer giving the customer the security they
can check every line of the code independently for safety if they so
desire (and not just take the companies word for it when it says it is
"safe").

I doubt this is going to happen though, for a variety of reasons. One
such reason is if the customer has access to the source code,
presumably they can change it; I doubt the aviation authorities are
going to like this... In this country, for instance to get a GPS
receiver that is rated for GPS non-precision-approaches, the software
*must* be written so that GPS way points cannot be updated accept via
approved update.
-- 
Brian May <bam@snoopy.apana.org.au>

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Simon Wright]

Brian May <bam@snoopy.apana.org.au> writes:

> >>>>> "Simon" == Simon Wright <simon@pushface.org> writes:
> 
>     Simon> bitbucket@invalid-domain-see-sig.nil (Robert Kaiser)
>     Simon> writes:
> 
>     >> Very True. In fact, I think open source even has (or could
>     >> have) an advantage in mission critical applications because of
>     >> the potentially huge number and skill of reviewers.
> 
>     Simon> They have to be competent and -- possibly more difficult --
>     Simon> motivated!
> 
> open source doesn't mean unpaid for...

But (my point was) that if you expect a huge number of reviewers you
must pay them in some currency; and giving them something really
interesting to review is one approach.

> If a company really wants an open source solution, they can pay
> programmers to write and maintain it. They can sell the hardware
> with the source code to the customer giving the customer the
> security they can check every line of the code independently for
> safety if they so desire (and not just take the companies word for
> it when it says it is "safe").
> 
> I doubt this is going to happen though, for a variety of
> reasons. One such reason is if the customer has access to the source
> code, presumably they can change it; I doubt the aviation
> authorities are going to like this... In this country, for instance
> to get a GPS receiver that is rated for GPS
> non-precision-approaches, the software *must* be written so that GPS
> way points cannot be updated accept via approved update.

Our prime customer (the UK MoD) usually requires full source
disclosure anyway, to that would be nothing new.

I don't see that being able to view the source necessarily equates to
being able to change a delivered system in the field. You would have
thought that some digital signing technique/dongle would be possible
-- after all, if a customer wanted to change the firmware he could,
with enough physical access.

-- 
Simon Wright                               100% Ada, no bugs.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

> I recommend that Ada advocates with high blood pressure not read page 21 of
> the PDF, especially the last line. :-)

Yeah.  First he points out correctly that "Program halt is
_specified_", then he assumes that in C such a halt (based on a
language-independent FP hardware trap, BTW) would not have been
specified.  I guess they would just have put a RET in that trap vector
if the program had been written in C.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

David Botton <david@botton.com> wrote in message news:<2004112218292016807%david@bottoncom>...
> For a real understanding of the Ariane 5 event, see the Ada FAQ:
> 
> http://www.adapower.com/index.php?Command=Class&ClassID=FAQ&CID=328

A small but, I think, important correction.  The hardware at the
center of the failure was apparently built around the Motorola
68020/68881 chips, not the MIL-STD-1750.  The "Operand Error" that
triggered the failure is a hardware exception generated by the FPU
when, among other conditions, a float-to-integer conversion exceeds
the capacity of the integer, exactly as occurred.  The reason this is
important is because it shows that the exception was not generated by
the Ada compiler code but by the hardware, and would therefore have
occurred regardless of the programming language used.  If that's the
case then the "it wouldn't have exploded if it were written in C"
argument evaporates, unless they want to argue that the exception
handler behavior would have been specified differently if the
implementation language was C -- not likely!

Re: Would You Fly an Airplane with a Linux-Based Control System?

[David Botton]

Can you modify the text of the FAQ and send me the new version.

Thanks,
David Botton

On 2004-11-25 13:28:24 -0500, snarflemike@yahoo.com (Mike Silva) said:

> David Botton <david@botton.com> wrote in message 
> news:<2004112218292016807%david@bottoncom>...
>> For a real understanding of the Ariane 5 event, see the Ada FAQ:
>> 
>> http://www.adapower.com/index.php?Command=Class&ClassID=FAQ&CID=328
> 
> A small but, I think, important correction.  The hardware at the
> center of the failure was apparently built around the Motorola
> 68020/68881 chips, not the MIL-STD-1750.  The "Operand Error" that
> triggered the failure is a hardware exception generated by the FPU
> when, among other conditions, a float-to-integer conversion exceeds
> the capacity of the integer, exactly as occurred.  The reason this is
> important is because it shows that the exception was not generated by
> the Ada compiler code but by the hardware, and would therefore have
> occurred regardless of the programming language used.  If that's the
> case then the "it wouldn't have exploded if it were written in C"
> argument evaporates, unless they want to argue that the exception
> handler behavior would have been specified differently if the
> implementation language was C -- not likely!

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alexander E. Kopilovich]

Mike Silva wrote:

> A small but, I think, important correction.  The hardware at the
> center of the failure was apparently built around the Motorola
> 68020/68881 chips, not the MIL-STD-1750.  The "Operand Error" that
> triggered the failure is a hardware exception generated by the FPU
> when, among other conditions, a float-to-integer conversion exceeds
> the capacity of the integer, exactly as occurred.  The reason this is
> important is because it shows that the exception was not generated by
> the Ada compiler code but by the hardware, and would therefore have
> occurred regardless of the programming language used.  If that's the
> case then the "it wouldn't have exploded if it were written in C"
> argument evaporates, unless they want to argue that the exception
> handler behavior would have been specified differently if the
> implementation language was C -- not likely!

I think that the fact that the chain of events was initiated by FPU exception
really deserves to be mentioned. Therefore I'm going to update my own
Ariane 5 FAQ appropriately. Currently, 8th Q-A pair of it reads as follows:

----------------------------------------------------------------------------

Q. Can you explain in several words what was the actual cause of the launch
failure, technically?

A. There are several points which are different for Ariane 5 vs. Ariane 4,
one of which was instrumental to the events: Ariane 4 is a vertical launch
vehicle where as Ariane 5 is slightly tilted.
  Ariane 4 software was developed to tolerate certain amount of inclination
but not as much as required by Ariane 5. The chain of events were as follows:

- The on-board software detects that one of the accelerometers is out of range,
this was interpreted as hardware error and caused the backup processor to take
over;
- The backup processor also detects that one of the accelerometers is out of
range (the same way), which caused the system to advice an auto destruction.

----------------------------------------------------------------------------

It seems that the following modification of the description of the chain of
events takes your suggestion into account:

----------------------------------------------------------------------------

- The on-board software detects that one of the accelerometers is out of
range (actually, there was FPU exception generated when float-to-integer 
conversion exceeded the capacity of the integer), this was interpreted as
hardware error and caused the backup processor to take over;
- The backup processor also detects that one of the accelerometers is out of
range (the same way), which caused the system to advice an auto destruction.

----------------------------------------------------------------------------

Do you agree that this addition is enough there? Or particular processor
model is of some importance also?





Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alex R. Mosteo]

Mike Silva wrote:
> (...)  If that's the
> case then the "it wouldn't have exploded if it were written in C"
> argument evaporates, unless they want to argue that the exception
> handler behavior would have been specified differently if the
> implementation language was C -- not likely!

Anyway, isn't the C argument ridiculous? I mean, is preferible to have a 
huge explosive thing flying on corrupted data? So it can by chance go 
where it should... or not?

I know[*] in this particular case these component had no further purpose 
in the flight so it would have get away safely... but that's not 
relevant IMO.

[*] (IIRC it was only used during some limited time after lift-off).

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Alexander E. Kopilovich wrote:
>... 
> - The on-board software detects that one of the accelerometers is out of
> range (actually, there was FPU exception generated when float-to-integer 
> conversion exceeded the capacity of the integer), this was interpreted as
> hardware error and caused the backup processor to take over;...
> 
> Do you agree that this addition is enough there?

No. This whole talk of hardware-generated exception sounds like "FUD". 
Namely, it sounds like your trying to blame the hardware. The cause was 
a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
because it's connected to exceptions, the hypothesis that if the thing 
had been done in an exceptionless language like C the effect might have 
been different. And yes, maybe less bad. And none of the explanations 
I've seen so far (here, in books, and in the Internet) disprove this 
hypothesis.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Alex R. Mosteo wrote:
> Anyway, isn't the C argument ridiculous?

No, as your own words show.

> I mean, is preferible to have a 
> huge explosive thing flying on corrupted data? So it can by chance go 
> where it should... or not?
> 
> I know[*] in this particular case these component had no further purpose 
> in the flight so it would have get away safely... but that's not 
> relevant IMO.
> 
> [*] (IIRC it was only used during some limited time after lift-off).

Of course it is relevant. Maybe it failed just before being shut up and 
the ship would have a chance to stabilize.

See also my previous post.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Jean-Pierre Rosen]

Marius Amado Alves a écrit :

> No. This whole talk of hardware-generated exception sounds like "FUD". 
> Namely, it sounds like your trying to blame the hardware. The cause was 
> a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
> because it's connected to exceptions, the hypothesis that if the thing 
> had been done in an exceptionless language like C the effect might have 
> been different. And yes, maybe less bad. And none of the explanations 
> I've seen so far (here, in books, and in the Internet) disprove this 
> hypothesis.
> 
Oh no, please...
There was a system design error. The software recognized the error and 
behaved as required. Now, you are arguing that if the software had not 
recognized the error, since it was in a module that shouldn't have been 
running anyway, then it would have been OK.

This would have been a double error having less consequences than a 
single one. Although it might have been the case, you cannot rely on 
double errors for safety! Software should be correct "by construction" (tm)

-- 
---------------------------------------------------------
            J-P. Rosen (rosen@adalog.fr)
Visit Adalog's web site at http://www.adalog.fr

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alex R. Mosteo]

Marius Amado Alves wrote:
> 
> Alex R. Mosteo wrote:
> 
>> Anyway, isn't the C argument ridiculous?
> 
> 
> No, as your own words show.

I disagree (obviously).

My words show that I put safety above "maybe" & "have a chance" when you 
*know* that something is going wrong in your rocket. But that's just my 
POV, of course.

>> I mean, is preferible to have a huge explosive thing flying on 
>> corrupted data? So it can by chance go where it should... or not?
>>
>> I know[*] in this particular case these component had no further 
>> purpose in the flight so it would have get away safely... but that's 
>> not relevant IMO.
>>
>> [*] (IIRC it was only used during some limited time after lift-off).
> 
> Of course it is relevant. Maybe it failed just before being shut up and 
> the ship would have a chance to stabilize.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Vinzent 'Gadget' Hoefler]

Marius Amado Alves wrote:

[Ariane5]
> Namely, it sounds like your trying to blame the hardware. The cause
> was a SOFTWARE enginering error. Yes, a BUG.

No. The software behaved _exactly_ as specified. Just that the
specification was for Ariane4, not Ariane5.


Vinzent.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Adrien Plisson]

Alex R. Mosteo wrote:
> Anyway, isn't the C argument ridiculous? 

well, it depends on the interpretation you make of it.

it may be an argument against Ada and for C:
'look, the bad Ada language made the whole thing crash, whereas the good 
C language would have made it fly' (where ? the argument does not tell, 
but surely not on the original path)

but it can also be interpreted as an argument against C and for Ada:
'look, the cool Ada language prevented the whole thing to get out of 
control, whereas the bad C language would have continue to fly it 
without notice'

so, the ridiculouness of the argument depends on the interpretation, and 
i really think you are misinterpreting there.

-- 
rien

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

> 'look, the cool Ada language prevented the whole thing to get out of 
> control, whereas the bad C language would have continue to fly it 
> without notice'

This is better. Now, can you prove this? That the ship could get out of 
control and crash on a city for example? If C had been used instead? Or 
if the exception had not been catched? (Probably not invoking the backup 
system.)

(The other replies by Rosen at al. are irrelevant.)

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Jeffrey Carter]

Marius Amado Alves wrote:

> No. This whole talk of hardware-generated exception sounds like "FUD". 
> Namely, it sounds like your trying to blame the hardware. The cause was 
> a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
> because it's connected to exceptions, the hypothesis that if the thing 
> had been done in an exceptionless language like C the effect might have 
> been different. And yes, maybe less bad. And none of the explanations 
> I've seen so far (here, in books, and in the Internet) disprove this 
> hypothesis.

I think you're mistaken. "Hardware-generated exception", "signal", 
"interrupt", whatever you call it, this comes from the hardware and must 
be handled regardless of the language used for the SW. Since the 
behavior of the Ada SW was exactly that specified for this situation, 
and the specification would have been the same regardless of the 
language used, the choice of language would not have changed the 
behavior of the SW.

-- 
Jeff Carter
"There's no messiah here. There's a mess all right, but no messiah."
Monty Python's Life of Brian
84

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Jeffrey Carter wrote:
> Marius Amado Alves wrote:
> 
>> No. This whole talk of hardware-generated exception sounds like "FUD". 
>> Namely, it sounds like your trying to blame the hardware. The cause 
>> was a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
>> because it's connected to exceptions, the hypothesis that if the thing 
>> had been done in an exceptionless language like C the effect might 
>> have been different. And yes, maybe less bad. And none of the 
>> explanations I've seen so far (here, in books, and in the Internet) 
>> disprove this hypothesis.
> 
> I think you're mistaken. "Hardware-generated exception", "signal", 
> "interrupt", whatever you call it, this comes from the hardware and must 
> be handled regardless of the language used for the SW. Since the 
> behavior of the Ada SW was exactly that specified for this situation, 
> and the specification would have been the same regardless of the 
> language used, the choice of language would not have changed the 
> behavior of the SW.

I'm not mistaken. What you say does not disprove my hypothesis. Look, I 
probably know the story as well as you guys. And the story is that an 
Ada software component from Ariane 4 was reused for Ariane 5 without 
change. This and the fact that there was an hardware mismatch resulted 
in a BUGGY software system. Just answer this: how was the system fixed? 
Did they change the hardware? No. Ergo, the software was at fault, not 
the hardware.

Sentences like "the behavior of the Ada SW was exactly that specified 
for this situation" (above) or "The software behaved _exactly_ as 
specified" (Vinzent) are worse than irrelevant, they are confusing, and 
actually strictly false. Surely the specification for Ariane 5 did not 
say "plug in software from Ariane 4 at will and crash on hardware 
mismatches."

My hypothesis remains undisproven.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.123.1101469316.10401.comp.lang.ada@ada-france.org>...
> Alexander E. Kopilovich wrote:
> >... 
> > - The on-board software detects that one of the accelerometers is out of
> > range (actually, there was FPU exception generated when float-to-integer 
> > conversion exceeded the capacity of the integer), this was interpreted as
> > hardware error and caused the backup processor to take over;...
> > 
> > Do you agree that this addition is enough there?
> 
> No. This whole talk of hardware-generated exception sounds like "FUD". 
> Namely, it sounds like your trying to blame the hardware. The cause was 
> a SOFTWARE enginering error. Yes, a BUG. 

What was the bug?  Since there wasn't one, your answer should prove interesting!

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.123.1101469316.10401.comp.lang.ada@ada-france.org>...
> Alexander E. Kopilovich wrote:
> >... 
> > - The on-board software detects that one of the accelerometers is out of
> > range (actually, there was FPU exception generated when float-to-integer 
> > conversion exceeded the capacity of the integer), this was interpreted as
> > hardware error and caused the backup processor to take over;...
> > 
> > Do you agree that this addition is enough there?
> 
> No. This whole talk of hardware-generated exception sounds like "FUD". 
> Namely, it sounds like your trying to blame the hardware. The cause was 
> a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
> because it's connected to exceptions, the hypothesis that if the thing 
> had been done in an exceptionless language like C the effect might have 
> been different. And yes, maybe less bad. And none of the explanations 
> I've seen so far (here, in books, and in the Internet) disprove this 
> hypothesis.

Even accepting your assertion that your hypothesis has not been
disproven, what conclusion do you draw?  That deliberately ignoring
out-of-range data (not throwing it away, just ignoring it) will
generally lead to safer systems than dealing with out-of-range data in
some pre-determined way that may not always be the right choice
(especially if the system is mis-used in a manner so that out-of-range
data is suddenly legal)?

What, again, is your conclusion?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Adrien Plisson]

Marius Amado Alves wrote:
> This is better. Now, can you prove this? That the ship could get out of 
> control and crash on a city for example? If C had been used instead? Or 
> if the exception had not been catched? (Probably not invoking the backup 
> system.)

ok, let's take an example.

the system seems to control data associated with the trajectory of the 
ship. if a value arrives and overflows and if the exception is not 
catched, there is a lot of chances the value will be truncated and used 
as a normal value.

the result depends on the action you take with this value:

we will first consider the system is using this value to control 
directly the trajectory, by acting on directionnal engines. the value is 
less than the real value. you try to correct the trajectory but don't 
correct enough, the ship is going out of its programmed path.
- at best, it will then miss the orbit it was programmed for: the 
satellites will become useless or eventually crash on other satellites 
on the same orbit, pieces of those satellites may fall down on earth.
- at worst, the correction is so bad the ship continue to be out of the 
path. the more the ship derives, the more the exception arises and is 
not caught, the more the values are wrong. the ship gets out of control, 
  and start to fall down. since it is out of control, we cannot predict 
where it will fall... (maybe on cuba which will think of a strike from 
the u.s. then reply with the atomic bomb. WW3 is starting).

the second case is that those values are stored and used as a reference 
to calculate the absolute position of the ship throughout its journey.
obvioulsy, the ship will never take the right path and we are back in 
the best case of the first consideration.

the predictability of the path the ship will take with these truncated 
values is like predicating the weather: you are able to calculate for 
some times ahead, but rapidly do not hve enough informations to predict 
further.

now i see your next question: what had happened if C had been used 
instead ? well, if C had caught the exception, the software would have 
behaved the same way as the Ada software, and the ship would have 
exploded too... but exception handling is not really easy in C, 
considered that there is NO way in the langauge to do it (maybe the 
exception handling facility that would have been implemented in C would 
have been buggy...)

i can continue for a long time with ifs, maybes and suppositions. "avec 
des si, on mettrais Paris en bouteille". so we will stop the 
suppositions, and believe me, it is better that the ship exploded.

-- 
rien

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Simon Wright]

Marius Amado Alves <amado.alves@netcabo.pt> writes:

> Sentences like "the behavior of the Ada SW was exactly that
> specified for this situation" (above) or "The software behaved
> _exactly_ as specified" (Vinzent) are worse than irrelevant, they
> are confusing, and actually strictly false. Surely the specification
> for Ariane 5 did not say "plug in software from Ariane 4 at will and
> crash on hardware mismatches."

This argument is just piffle in any reasonably-managed engineering
environment.

Of course the SYSTEM specification said no such thing, how could
it. But the SOFTWARE specification, produced by the SYSTEM engineers
(or maybe management) told the software engineers to do that and not
to check the results -- as software engineers they couldn't have
anyway, you need rigs for that sort of test.

It is perfectly possible for a SYSTEM to have bugs as a result of
containing bug-free but inappropriately specified software.

You would hardly describe software that required an FPU as "buggy" if
it failed to work on a processor without one.

-- 
Simon Wright                               100% Ada, no bugs.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Mike Silva wrote:
> What was the bug?  Since there wasn't one, your answer should prove interesting!

Did they fix the hardware or the software? The inevitable conclusion 
from your answer should prove interesting!

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Mike Silva wrote:
> Even accepting your assertion that your hypothesis has not been
> disproven, what conclusion do you draw?  That deliberately ignoring
> out-of-range data (not throwing it away, just ignoring it) will
> generally lead to safer systems than dealing with out-of-range data in
> some pre-determined way that may not always be the right choice
> (especially if the system is mis-used in a manner so that out-of-range
> data is suddenly legal)?
> 
> What, again, is your conclusion?

I do not draw a general conclusion. I merely point out that it is 
essential in this particular case to elicit the results of catching vs. 
not catching the exception, and in that context of using an 
"exceptional" language vs. an exceptionless one. Be very aware of 
general conclusions. Again, general expressions like "deliberately 
ignoring out-of-range data (not throwing it away, just ignoring it)" 
just make things worse. Out of what range? What is the difference 
between ignoring and throwing away? If it's data it's processed in some 
way, cannot really be ignored or thrown away can it?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Adrien Plisson wrote:
> Marius Amado Alves wrote:
> 
>> This is better. Now, can you prove this? That the ship could get out 
>> of control and crash on a city for example? If C had been used 
>> instead? Or if the exception had not been catched? (Probably not 
>> invoking the backup system.)
>
 > ...
> i can continue for a long time with ifs, maybes and suppositions. "avec 
> des si, on mettrais Paris en bouteille". so we will stop the 
> suppositions, and believe me, it is better that the ship exploded.

Nice read. Indeed, "se a minha avo' tivesse rodas era uma bicicleta." 
The hypothesis is still not proved or disproved. Note I too suspect 
selfdestruction was better. But I'd like to be sure, that's all.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Rod Haper]

Marius Amado Alves wrote:
> Mike Silva wrote:
> 
>> What was the bug?  Since there wasn't one, your answer should prove 
>> interesting!
> 
> 
> Did they fix the hardware or the software? The inevitable conclusion 
> from your answer should prove interesting!
> 

Butting into this eternal argument:

The "bug" that got "fixed" was the specification.  That in turn 
necessitated a change to the software to comply with the updated 
specification.  The "error" was in the old Ariane IV's specification's 
lack of applicability to the new Ariane V's requirements.  The "failure" 
was one of design, not software implementation, and was independent of 
what language was or might have been used for the implementation.

What is your point vis-a-vis hardware or software?  The "conclusion" I 
draw is that you seem to be hung up on some agenda which ignores the 
simple facts of the case.

-- 
Rod

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

Rod Haper wrote:
> The "bug" that got "fixed" was the specification.  That in turn 
> necessitated a change to the software to comply with the updated 
> specification.  The "error" was in the old Ariane IV's specification's 
> lack of applicability to the new Ariane V's requirements.  The "failure" 
> was one of design, not software implementation, and was independent of 
> what language was or might have been used for the implementation.
> 
> What is your point vis-a-vis hardware or software?  The "conclusion" I 
> draw is that you seem to be hung up on some agenda which ignores the 
> simple facts of the case.

My agenda is to make sure things are called by their names with no 
guilt. A bug is a bug is a bug. A specification is a software item. A 
defect in a specification is a bug. I got the impression the text that 
was being cooked up for the FAQs (wikibooks?) was avoiding admitting 
that the error was on the software part and trying to blame the 
hardware. An Ada bias forging a falsity. That had to be stopped. Sorry 
if I misunderstood.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Marius Amado Alves wrote:

> Alexander E. Kopilovich wrote:
>>...
>> - The on-board software detects that one of the accelerometers is out of
>> range (actually, there was FPU exception generated when float-to-integer
>> conversion exceeded the capacity of the integer), this was interpreted as
>> hardware error and caused the backup processor to take over;...
>> 
>> Do you agree that this addition is enough there?
> 
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like your trying to blame the hardware. The cause was
> a SOFTWARE enginering error. Yes, a BUG. In the Ada software.

The specification for that paricular pice of software was for the Ariane 4 -
and there it was proofen then all possible values where smaller then then
the range of Integer

The Software was right for what it was designed for. If you use the tires of
fiat punto on a ferrari you should not be supprised when you end up on the
hard sholder. And nobody would blame the tires - one would blame the stupid
driver.

It was a management descicion error to reuse the software.

With regards

Martin
-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Marius Amado Alves wrote:

> Mike Silva wrote:
>> What was the bug?  Since there wasn't one, your answer should prove
>> interesting!
> 
> Did they fix the hardware or the software? The inevitable conclusion
> from your answer should prove interesting!

To continue my argument from another post:

"If you use the tires of fiat punto on a ferrari you should not be supprised
when you end up on the hard sholder".

You are right: You need another set of tires to drive your ferrari safely.

But that does not make the fiat punto tires fautly and you could not sue the
manufacture of punto tires for damamges.

There is only one to blame: The idiot who made the decision to use the wrong
combination of tires (software) and car (hardware). 

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Marius Amado Alves wrote:

> Rod Haper wrote:
>> The "bug" that got "fixed" was the specification.  That in turn
>> necessitated a change to the software to comply with the updated
>> specification.  The "error" was in the old Ariane IV's specification's
>> lack of applicability to the new Ariane V's requirements.  The "failure"
>> was one of design, not software implementation, and was independent of
>> what language was or might have been used for the implementation.
>> 
>> What is your point vis-a-vis hardware or software?  The "conclusion" I
>> draw is that you seem to be hung up on some agenda which ignores the
>> simple facts of the case.
 
> My agenda is to make sure things are called by their names with no
> guilt. A bug is a bug is a bug. A specification is a software item. A
> defect in a specification is a bug. I got the impression the text that
> was being cooked up for the FAQs (wikibooks?) was avoiding admitting
> that the error was on the software part and trying to blame the
> hardware. An Ada bias forging a falsity. That had to be stopped. Sorry
> if I misunderstood.

But the specification was for a rocked with "vertical lift off" and the
Ariane 5 - like the Space Shuttle - is a "tilted lift off".

Who is to blame when one uses fiat punto tires for a max vel. of 180km/h on
a ferrari with max vel. of 280km/h and all 4 tires explode at 240 km/h? The
tires? The car? Or the person who choose to combine them?

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Pascal Obry]

Marius Amado Alves <amado.alves@netcabo.pt> writes:

> Did they fix the hardware or the software? The inevitable conclusion from
> your answer should prove interesting!

As many already said, the software behaved as expected.

If you decide to shoot yourself in the foot will you blame the gun ? The gun
will work as expected if it creates some damages to your foot, right ? Now
I'm not saying that this is ok, but it was designed this way and did the right
thing. Don't use a gun this way, do not reuse software components without
properly rethink/test/vailidate the applicability in another context.

Just my 2 cents,
Pascal.

-- 

--|------------------------------------------------------
--| Pascal Obry                           Team-Ada Member
--| 45, rue Gabriel Peri - 78114 Magny Les Hameaux FRANCE
--|------------------------------------------------------
--|              http://www.obry.org
--| "The best way to travel is by means of imagination"
--|
--| gpg --keyserver wwwkeys.pgp.net --recv-key C1082595

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Dmitry A. Kazakov]

On Sat, 27 Nov 2004 01:31:12 +0000, Marius Amado Alves wrote:

> Rod Haper wrote:
>> The "bug" that got "fixed" was the specification.  That in turn 
>> necessitated a change to the software to comply with the updated 
>> specification.  The "error" was in the old Ariane IV's specification's 
>> lack of applicability to the new Ariane V's requirements.  The "failure" 
>> was one of design, not software implementation, and was independent of 
>> what language was or might have been used for the implementation.
>> 
>> What is your point vis-a-vis hardware or software?  The "conclusion" I 
>> draw is that you seem to be hung up on some agenda which ignores the 
>> simple facts of the case.
> 
> My agenda is to make sure things are called by their names with no 
> guilt. A bug is a bug is a bug.

There is no such thing as bug without semantics. Absolutely any program is
both buggy and correct depending on what it is supposed to do.

> A specification is a software item.

A specification of a program is not a part of the program. It is a part of
the software development process.

> A defect in a specification is a bug.

Maybe, but it is not a bug *in* the program that implements that
specification.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Marius Amado Alves]

>>A defect in a specification is a bug.
> 
> Maybe, but it is not a bug *in* the program that implements that
> specification.

Ok. I understand your concept of "bug" is stronger than mine. And the 
general public's. I guess this story cannot be made short. Just make 
sure you don't blame the hardware. Sorry if I wasted your time.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Dmitry A. Kazakov]

On Sat, 27 Nov 2004 09:51:21 +0000, Marius Amado Alves wrote:

>>>A defect in a specification is a bug.
>> 
>> Maybe, but it is not a bug *in* the program that implements that
>> specification.
> 
> Ok. I understand your concept of "bug" is stronger than mine. And the 
> general public's.

Nope. Public perfectly understands that if a rocket explodes there should
be something explosive in it, a bug for instance, or maybe fuel? (:-))

> I guess this story cannot be made short. Just make 
> sure you don't blame the hardware.

I don't blame the hardware. However, using your theory why not to blame it?
Look, let's take some software specifications and blame the hardware which
does not fit to them!

"Bug" is a conditional. Something is buggy under some specified conditions.
A software is buggy under the condition that it does not respond to the
requirements. It would be nice to define all requirements as "the rocket
should fly". Alas, it is not how things work. Yes, under so formulated
conditions Ariane's software is indeed buggy. But no more than the
hardware, fuel, gravity and laws of the nature...

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.128.1101514001.10401.comp.lang.ada@ada-france.org>...
> Mike Silva wrote:
> > What was the bug?  Since there wasn't one, your answer should prove interesting!
> 
> Did they fix the hardware or the software? The inevitable conclusion 
> from your answer should prove interesting!

They fixed the match between the hardware, the software and the flight
profile.  To do so they removed correct software (correctly
implemented to a correct specification for Ariane 4) and replaced it
with software correctly implemented to a correct specification for
Ariane 5.  They did not fix the software because the software was not
broken.  They modified correct software for one specification to
correct software for a new specification.  There was no _software_
bug, as you assert.  There was a reuse error, or if you like, a reuse
bug, but not a software bug.  The software no more failed by correctly
reacting to the new H-bias value according to its design spec than the
H-bias sensor failed by correctly reacting to the new flight path of
the rocket according to its design spec.

The situation is similar to correctly using a 5 Amp fuse in a
particular circuit, and then changing the circuit (the hardware) so
that it draws 10 Amps.  The 5 Amp fuse then blows, but was the 5 Amp
fuse defective?  Or was it simply the wrong part for the new circuit?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.129.1101514556.10401.comp.lang.ada@ada-france.org>...
> Mike Silva wrote:
> > Even accepting your assertion that your hypothesis has not been
> > disproven, what conclusion do you draw?  That deliberately ignoring
> > out-of-range data (not throwing it away, just ignoring it) will
> > generally lead to safer systems than dealing with out-of-range data in
> > some pre-determined way that may not always be the right choice
> > (especially if the system is mis-used in a manner so that out-of-range
> > data is suddenly legal)?
> > 
> > What, again, is your conclusion?
> 
> I do not draw a general conclusion. I merely point out that it is 
> essential in this particular case to elicit the results of catching vs. 
> not catching the exception, and in that context of using an 
> "exceptional" language vs. an exceptionless one. 

But the exception was generated by the hardware.  A non-maskable
exception handler was vectored to.  What would that exception handler
have done differently if an exceptionless language had been used?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Jeffrey Carter]

Marius Amado Alves wrote:

> I'm not mistaken. What you say does not disprove my hypothesis. Look, I 
> probably know the story as well as you guys. And the story is that an 
> Ada software component from Ariane 4 was reused for Ariane 5 without 
> change. This and the fact that there was an hardware mismatch resulted 
> in a BUGGY software system. Just answer this: how was the system fixed? 
> Did they change the hardware? No. Ergo, the software was at fault, not 
> the hardware.

I think you'll find they changed the requirements, then made any changes 
that necessitated to the design (possibly none), and then changed the 
software to reflect the changes in the requirements and design.

I agree that the SW system had an error, but it was an error in 
requirements, not in implementation.

Anyway, I was addressing the claim that an implementation in C would not 
have exhibited the error, not where the error lay.

-- 
Jeff Carter
"Many times we're given rhymes that are quite unsingable."
Monty Python and the Holy Grail
57

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Jeffrey Carter]

Marius Amado Alves wrote:

> Ok. I understand your concept of "bug" is stronger than mine. And the 
> general public's. I guess this story cannot be made short. Just make 
> sure you don't blame the hardware. Sorry if I wasted your time.

I don't think anyone's trying to blame the HW. They're trying to make it 
clear that this problem would have arisen regardless of the language 
used to implement the SW. Just because C doesn't have exceptions doesn't 
mean it can ignore an interrupt from the HW.

-- 
Jeff Carter
"Many times we're given rhymes that are quite unsingable."
Monty Python and the Holy Grail
57

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Georg Bauhaus]

Marius Amado Alves <amado.alves@netcabo.pt> wrote:
 
: I'm not mistaken. What you say does not disprove my hypothesis. Look, I 
: probably know the story as well as you guys. And the story is that an 
: Ada software component from Ariane 4 was reused for Ariane 5 without 
: change. This and the fact that there was an hardware mismatch resulted 
: in a BUGGY software system. Just answer this: how was the system fixed? 
: Did they change the hardware? No. Ergo, the software was at fault, not 
: the hardware.

An analogy, taken further to the point of absurdity:
If Intel decides to change the meaning of the DEC instruction to mean that a
value is increased by one, not decreased, then a software system that is
built following earlier Intel specs is to be blamed for having bugs, and
that's it?
Or might there not be some other "items" in the software development process
to be blamed for the mistake?


-- Georg Bauhaus

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Georg Bauhaus]

Marius Amado Alves <amado.alves@netcabo.pt> wrote:
 
: The hypothesis is still not proved or disproved.

It's not easy to prove or disprove a sentences that you claim
to be both a hypothesis and based on imprecise notions.


-- Georg Bauhaus

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Christoph Karl Walter Grein]

> > A specification is a software item.
> 
> A specification of a program is not a part of the program. It is a part of
> the software development process.
> 
> > A defect in a specification is a bug.
> 
> Maybe, but it is not a bug *in* the program that implements that
> specification.

Indeed. A program undergoes formal specification testing, and if during this process, the software deviates from the specification, normally the software will be changed to conform to the specification.
________________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt neu bei WEB.DE FreeMail: http://freemail.web.de/?mc=021193

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Christoph Karl Walter Grein]

> "Bug" is a conditional. Something is buggy under some specified conditions.
> A software is buggy under the condition that it does not respond to the
> requirements.

Indeed. Normally you would say, a statement like X := 1.0/0.0; is a bug. But if the specification says: Write a program that raises an exception, it is correct.
__________________________________________________________
Mit WEB.DE FreePhone mit hoechster Qualitaet ab 0 Ct./Min.
weltweit telefonieren! http://freephone.web.de/?mc=021201

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

In article  Marius Amado Alves wrote:
>No. This whole talk of hardware-generated exception sounds like "FUD". 
>Namely, it sounds like your trying to blame the hardware. The cause was 
>a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And 
>because it's connected to exceptions, the hypothesis that if the thing 
>had been done in an exceptionless language like C the effect might have 
>been different. And yes, maybe less bad. And none of the explanations 
>I've seen so far (here, in books, and in the Internet) disprove this 
>hypothesis.

I'm confused. Didn't they turn off all exceptions checks?

Preben

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

In article Marius Amado Alves wrote:
>I'm not mistaken. What you say does not disprove my hypothesis. Look, I 
>probably know the story as well as you guys. And the story is that an 
>Ada software component from Ariane 4 was reused for Ariane 5 without 
>change. This and the fact that there was an hardware mismatch resulted 
>in a BUGGY software system. Just answer this: how was the system fixed? 
>Did they change the hardware? No. Ergo, the software was at fault, not 
>the hardware.

Changing from Ariane 4 to Ariane 5 wasn't a hardware change?

Preben

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

In article Dmitry A. Kazakov wrote:

>Nope. Public perfectly understands that if a rocket explodes there should
>be something explosive in it, a bug for instance, or maybe fuel? (:-))
>

"It was the sort of thing you expected in the Street of Alchemists. The
neighbours preferred explosions, which were at least identifiable and
soon over. They were better than the smells, which crept up on you."

                                (Moving Pictures, Terry Pratchett)

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alexander E. Kopilovich]

Preben Randhol wrote:

> > ... hardware-generated exception ...
>
> I'm confused. Didn't they turn off all exceptions checks?

They turned off software exception checks - because that brought much needed
gain in speed. But masking FPU exceptions would be unreasonable (if possible
at all for the particular processor architecture) - it will not speed up FPU
operations.





Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Preben Randhol wrote:

> In article  Marius Amado Alves wrote:
>>No. This whole talk of hardware-generated exception sounds like "FUD".
>>Namely, it sounds like your trying to blame the hardware. The cause was
>>a SOFTWARE enginering error. Yes, a BUG. In the Ada software. And
>>because it's connected to exceptions, the hypothesis that if the thing
>>had been done in an exceptionless language like C the effect might have
>>been different. And yes, maybe less bad. And none of the explanations
>>I've seen so far (here, in books, and in the Internet) disprove this
>>hypothesis.
> 
> I'm confused. Didn't they turn off all exceptions checks?

They turned of a few select runtime checks. They had proof that on an Ariane
4 they would not be needed as the Arinane 4 will never exceed the max.
values.

However, as Alexander pointed out, with the software checks disabled some
hardware checks from the floating point unit kicked in instead and crashed
the hole programm.

You must understande that modern CPUs there support hardware exceptions and
modern programming laguages support software exceptions. And they have
nothing to do with each other.

On as side note: The new M$ C and C++ compiler automaticly convert hardware
exceptions into software exceptions - which I have to confess make things a
lot easier.

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Mike Silva]

"Alexander E. Kopilovich" <aek@VB1162.spb.edu> wrote in message news:<mailman.155.1101784287.10401.comp.lang.ada@ada-france.org>...
> Preben Randhol wrote:
> 
> > > ... hardware-generated exception ...
> >
> > I'm confused. Didn't they turn off all exceptions checks?
> 
> They turned off software exception checks - because that brought much needed
> gain in speed. But masking FPU exceptions would be unreasonable (if possible
> at all for the particular processor architecture) - it will not speed up FPU
> operations.

At least equally important is that they determined, through analysis,
that data for the variable in question that exceeded the range of a
16-bit integer could only be due to a hardware problem, and that the
code should act accordingly (switch to backup hardware).  They had
"protected" other similar conversions but determined that this
conversion should be left unprotected (capable of generating an
out-of-range exception).  To quote from the report:

 "The reason for the three remaining variables, including the one
denoting horizontal bias, being unprotected was that further reasoning
indicated that they were either physically limited or that there was a
large margin of safety, a reasoning which in the case of the variable
BH turned out to be faulty. It is important to note that the decision
to protect certain variables but not others was taken jointly by
project partners at several contractual levels."

Thus if one of these variable conversions produced an out-of-range
result it was considered to indicate a hardware failure, and that the
designated action for hardware failure was appropriate.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

In article <3193657.BGZLZqeFdM@linux1.krischik.com>, Martin Krischik wrote:
>
>They turned of a few select runtime checks. They had proof that on an Ariane
>4 they would not be needed as the Arinane 4 will never exceed the max.
>values.
>
>However, as Alexander pointed out, with the software checks disabled some
>hardware checks from the floating point unit kicked in instead and crashed
>the hole programm.
>
>You must understande that modern CPUs there support hardware exceptions and
>modern programming laguages support software exceptions. And they have
>nothing to do with each other.

Yes, but if C doesn't have exceptions, then I don't see why a C program
wouldn't crashed as the Ada program did when they had turned off the
sw exceptions. 

Preben

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alexander E. Kopilovich]

Mike Silva wrote:

> At least equally important is that they determined, through analysis,
> that data for the variable in question that exceeded the range of a
> 16-bit integer could only be due to a hardware problem, and that the
> code should act accordingly (switch to backup hardware).  They had
> "protected" other similar conversions but determined that this
> conversion should be left unprotected (capable of generating an
> out-of-range exception).  To quote from the report:
>
> "The reason for the three remaining variables, including the one
> denoting horizontal bias, being unprotected was that further reasoning
> indicated that they were either physically limited or that there was a
> large margin of safety, a reasoning which in the case of the variable
> BH turned out to be faulty. It is important to note that the decision
> to protect certain variables but not others was taken jointly by
> project partners at several contractual levels."
>
> Thus if one of these variable conversions produced an out-of-range
> result it was considered to indicate a hardware failure, and that the
> designated action for hardware failure was appropriate.

Yes, they dealt with their data checks very selectively. And yes, this is
important indeed to recognize that, if one studies the case to that depth,
from a programmer's viewpoint.

(But it is outside of FAQ's scope, I think... at least outside of the scope
of Observer's version of the FAQ; anyway, I believe that those persons who
are able to recognize that importance and are interested in it, can and should
read Report from the beginning to the end and acquire that info from there.)





Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Preben Randhol wrote:

> In article <3193657.BGZLZqeFdM@linux1.krischik.com>, Martin Krischik
> wrote:
>>
>>They turned of a few select runtime checks. They had proof that on an
>>Ariane 4 they would not be needed as the Arinane 4 will never exceed the
>>max. values.
>>
>>However, as Alexander pointed out, with the software checks disabled some
>>hardware checks from the floating point unit kicked in instead and crashed
>>the hole programm.
>>
>>You must understande that modern CPUs there support hardware exceptions
>>and modern programming laguages support software exceptions. And they have
>>nothing to do with each other.
> 
> Yes, but if C doesn't have exceptions, then I don't see why a C program
> wouldn't crashed as the Ada program did when they had turned off the
> sw exceptions.

Maybe you want to brush up your C  and read "ISO/IEC 9899:1999 7.14". In C
exceptions are called signal and in the case discussed a the "SIGFPE" would
have been raised. Without a signal handler the programm would have died.

With Regards

Martin

-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik wrote:
>Maybe you want to brush up your C  and read "ISO/IEC 9899:1999 7.14". In C
>exceptions are called signal and in the case discussed a the "SIGFPE" would
>have been raised. Without a signal handler the programm would have died.

Ok now I'm even more confused. Could somebody please explain why a C
program would have worked even with the HW exception? Wasn't that the
argument? That C would work and Ada would fail?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Martin Krischik]

Preben Randhol wrote:

> In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik
> wrote:
>>Maybe you want to brush up your C  and read "ISO/IEC 9899:1999 7.14". In C
>>exceptions are called signal and in the case discussed a the "SIGFPE"
>>would have been raised. Without a signal handler the programm would have
>>died.
 
> Ok now I'm even more confused. Could somebody please explain why a C
> program would have worked even with the HW exception? Wasn't that the
> argument? That C would work and Ada would fail?

Simson Garfinkel (http://www.klein.com/dvk/publications/FlyingLinux.pdf)
thinks that C would have worked but most of us here at comp.lang.ada thing
that C would have failed as well.

With Regards

Martin
-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Preben Randhol]

Martin Krischik <martin@krischik.com> wrote on 01/12/2004 (19:01) :
> Preben Randhol wrote:
> 
> > In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik
> > wrote:
> >>Maybe you want to brush up your C  and read "ISO/IEC 9899:1999 7.14". In C
> >>exceptions are called signal and in the case discussed a the "SIGFPE"
> >>would have been raised. Without a signal handler the programm would have
> >>died.
>  
> > Ok now I'm even more confused. Could somebody please explain why a C
> > program would have worked even with the HW exception? Wasn't that the
> > argument? That C would work and Ada would fail?
> 
> Simson Garfinkel (http://www.klein.com/dvk/publications/FlyingLinux.pdf)
> thinks that C would have worked but most of us here at comp.lang.ada thing
> that C would have failed as well.

OK Then I'm not confused anymore as I think the same :-)

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Enrique Laso Leon]

I am wondering why people try to make this accident an issue with the
programming language and not what it was : a total failure in a software
project management.

 The problem here was that the people who designed the IRS for Ariane 4 used
an asumption on its trajectory in order to avoid a check that would have
made the software tolerant to Ariane 5 trajectory (but why ?). This is at
best ignoring a basic rule of engineering : expect your design to be used in
a way you did not think about, because this is just what is going to happen.
It applies to machinery as it applies to software. How many of us use "bugs"
or "safety flaws"  in our favorite applications in order to get things done
?

 The other problem was with the baffling lack of testing. Once more it comes
from a management belief that experimentation is the root of all evil (takes
time thus money). Engineers there have a strong responsibility for the
existence of this belief. We tend to sell as a strong point that our design
and analysis methods are so perfect that we can produce zero fault out of
the box. This is simply forgeting that engineers, even supported by the most
efficient methods and computing tools, are human beings, that systems are
getting more complex than anything a human organisation can cope with, and
that error is not only probable, it is frequent...

 Tackle those two issues and you avoid blowing up a brand new rocket and 4
satelittes.
Regardless of the programming language.

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Alexander E. Kopilovich]

Enrique Laso Leon wrote:

> The problem here was that the people who designed the IRS for Ariane 4 used
>an asumption on its trajectory in order to avoid a check that would have
>made the software tolerant to Ariane 5 trajectory (but why ?).
Yes, why?... Why what? Why they avoid that check or why they didn't think
about possible unhappy consequences for Ariane 5, Ariane 6, etc., assuming
all kinds of misuse attempts? Or perhaps they should design that IRS as truly
universal, suitable not for rockets only, but for all future devices that
need a functionality of this sort?

> This is at
>best ignoring a basic rule of engineering : expect your design to be used in
>a way you did not think about, because this is just what is going to happen.
To which limits? Are there any limits or not? Are those limits the same for
all kinds of products - commodities, standard parts, unique systems (rockets,
for example)? Who is in charge for setting those limits? Is there any basic
rule for judging from outside whether those limits were set incorrectly when
they were exceeded and disaster happened?





Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Brian May]

>>>>> "Preben" == Preben Randhol <randhol@bacchus.pvv.ntnu.no> writes:

    Preben> Ok now I'm even more confused. Could somebody please
    Preben> explain why a C program would have worked even with the HW
    Preben> exception? Wasn't that the argument? That C would work and
    Preben> Ada would fail?

If the program was implemented based on the same specifications for
both languages, and hence responded in the same way to error
conditions in the same way, then both would have exactly the same
problem.

Perhaps, though a C programmer would be more likely to ignore an error
condition and pretend nothing went wrong? If so, I am not sure this is
a good strategy.
-- 
Brian May <bam@snoopy.apana.org.au>

Re: Would You Fly an Airplane with a Linux-Based Control

[Larry Kilgallen]

In article <mailman.172.1102210142.10401.comp.lang.ada@ada-france.org>, "Alexander E. Kopilovich" <aek@VB1162.spb.edu> writes:

> Yes, why?... Why what? Why they avoid that check or why they didn't think
> about possible unhappy consequences for Ariane 5, Ariane 6, etc., assuming
> all kinds of misuse attempts? Or perhaps they should design that IRS as truly
> universal, suitable not for rockets only, but for all future devices that
> need a functionality of this sort?

On whose budget ?

Re: Would You Fly an Airplane with a Linux-Based Control System?

[Simon Clubley]

In article <ZMnsd.1657$Of5.1155@nntpserver.swip.net>, "Enrique Laso Leon" <enrique.laso-leon@tele2.fr> writes:
> I am wondering why people try to make this accident an issue with the
> programming language and not what it was : a total failure in a software
> project management.
> 

Politics.

People seem not to be able to handle the fact that a US DoD designed
language is better for writing mission critical software than their
favourite language of the month.

As a result, Ada is blamed (even wrongly) whenever possible. "Look! You
get spectacular fireworks displays with Ada as well as with our language!"

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP       
Microsoft: The Standard Oil Company of the 21st century