From: "Alexander E. Kopilovich"
Newsgroups: comp.lang.ada
Subject: Re: Would You Fly an Airplane with a Linux-Based Control System?
Date: Fri, 26 Nov 2004 06:11:11 +0300 (MSK)

Mike Silva wrote:

> A small but, I think, important correction. The hardware at the
> center of the failure was apparently built around the Motorola
> 68020/68881 chips, not the MIL-STD-1750.
> The "Operand Error" that
> triggered the failure is a hardware exception generated by the FPU
> when, among other conditions, a float-to-integer conversion exceeds
> the capacity of the integer, exactly as occurred. The reason this is
> important is because it shows that the exception was not generated by
> the Ada compiler code but by the hardware, and would therefore have
> occurred regardless of the programming language used. If that's the
> case then the "it wouldn't have exploded if it were written in C"
> argument evaporates, unless they want to argue that the exception
> handler behavior would have been specified differently if the
> implementation language was C -- not likely!

I think that the fact that the chain of events was initiated by an FPU
exception really deserves to be mentioned. Therefore I'm going to update
my own Ariane 5 FAQ appropriately. Currently, the 8th Q-A pair of it reads
as follows:

----------------------------------------------------------------------------
Q. Can you explain in several words what was the actual cause of the launch
   failure, technically?

A. There are several points which are different for Ariane 5 vs. Ariane 4,
   one of which was instrumental to the events: Ariane 4 is a vertical
   launch vehicle whereas Ariane 5 is slightly tilted. Ariane 4 software
   was developed to tolerate a certain amount of inclination but not as
   much as required by Ariane 5. The chain of events was as follows:

   - The on-board software detects that one of the accelerometers is out of
     range, this was interpreted as hardware error and caused the backup
     processor to take over;

   - The backup processor also detects that one of the accelerometers is
     out of range (the same way), which caused the system to advise an
     auto destruction.
----------------------------------------------------------------------------

It seems that the following modification of the description of the chain of
events takes your suggestion into account:

----------------------------------------------------------------------------
   - The on-board software detects that one of the accelerometers is out of
     range (actually, there was an FPU exception generated when a
     float-to-integer conversion exceeded the capacity of the integer),
     this was interpreted as hardware error and caused the backup
     processor to take over;

   - The backup processor also detects that one of the accelerometers is
     out of range (the same way), which caused the system to advise an
     auto destruction.
----------------------------------------------------------------------------

Do you agree that this addition is enough there? Or is the particular
processor model also of some importance?

Alexander Kopilovich                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia
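
The failure mode discussed in this message, a float-to-integer conversion whose value exceeds the capacity of the integer, written as a guarded conversion in C. This is an added example, not code from the thread, the FAQ or the Ariane software; the 16-bit target width, the function and status names, and the sample values are assumptions of the example.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are hypothetical, chosen for this example. */
typedef enum { CONV_OK, CONV_OUT_OF_RANGE, CONV_NOT_A_NUMBER } conv_status;

/* Convert only when the truncated value fits in int16_t. In C an out-of-range
 * float-to-integer conversion is undefined behaviour, so the range test has
 * to come before the cast, never after it. */
conv_status to_int16_checked(double x, int16_t *out)
{
    if (x != x)                       /* NaN compares unequal to itself */
        return CONV_NOT_A_NUMBER;
    /* The cast truncates toward zero, so (-32769, 32768) exclusive fits. */
    if (x <= -32769.0 || x >= 32768.0)
        return CONV_OUT_OF_RANGE;
    *out = (int16_t)x;
    return CONV_OK;
}

/* Alternative policy: clamp to the nearest representable value. */
int16_t to_int16_saturating(double x)
{
    int16_t v = 0;
    switch (to_int16_checked(x, &v)) {
    case CONV_OK:           return v;
    case CONV_OUT_OF_RANGE: return x < 0 ? INT16_MIN : INT16_MAX;
    default:                return 0;  /* NaN: caller must decide if 0 is safe */
    }
}

int main(void)
{
    /* Constructed sample inputs, not flight data. */
    const double samples[] = { 120.5, -32768.9, 32767.9, 32768.0, 1.0e6, NAN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t v = 0;
        conv_status s = to_int16_checked(samples[i], &v);
        printf("%12g -> status=%d value=%d saturated=%d\n", samples[i],
               (int)s, (int)v, (int)to_int16_saturating(samples[i]));
    }
    return 0;
}
```

Whether an out-of-range input is reported to the caller or clamped is a design decision per variable; the checked form leaves `*out` untouched on failure so a stale value is never mistaken for a fresh one.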