From: "Vinzent Hoefler" <0439279208b62c95f1880bf0f8776eeb@t-domaingrabbing.de>
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Thu, 17 Mar 2011 19:43:07 +0100
Message-ID:
References: <4d80b13f$0$43832$c30e37c6@exi-reader.telstra.net> <4d8200ce$0$43837$c30e37c6@exi-reader.telstra.net>
User-Agent: Opera Mail/11.01 (Win32)

robin wrote:

> Simon Wright wrote in message ...
>> "robin" writes:
>>
>>> Anyone competent in real-time programming would never have let the
>>> software go with unhandled overflow, because such an event would
>>> result in failure of the mission.
>>
>> The engineers, being competent in tightly-constrained real-time
>> programming, found that installing exception handlers cost cpu cycles
>> they could not afford, so looked at all the potential overflow sites and
>> found that _this_ one could only occur if there was a hardware
>> failure.
>
> Nonsense. The Full Report says nothing of the kind.

But the documentation does. :P

> No, the exception handler could have done something sensible,
> such as using the maximum integer value, thus allowing the trajectory to continue.
> Better still would have been to include a magnitude test in the code that avoided
> the need for an error handler.

And then what? Using a bogus value to continue the flight?

Admitted, it might even have worked for Ariane 5, but the system was designed for Ariane 4 and I DO NOT think that using such a large value to continue the calculation would have done anything good there, because using flight parameters well outside of any operational limits simply can't be a good idea. If it was, you could just get rid of all sensors and replace them by random generators.

> There were 7 places in the code in the vicinity where overflow could occur.
> Four were chosen for protection, but three were not.
> That was the fatal flaw.

If they had protected all theoretically possible overflows, the software wouldn't have been able to fulfill the mission due to missing its deadline. I don't see how _this_ could possibly be considered flawless.

Vinzent.

-- 
A C program is like a fast dance on a newly waxed dance floor by people carrying razors.
-- Waldi Ravens
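The conversion strategies argued over in this thread (a magnitude test in front of the narrowing conversion, substituting the maximum integer value, and a plausibility check on whatever comes out) as an added example in C; this is not code from the thread or from the Ariane software, and the function names, the envelope limit and the sample values are constructed for illustration:

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: narrowing a wide floating-point flight parameter to a
 * 16-bit signed integer three different ways. All names and values here are
 * constructed; nothing is taken from the actual flight software. */

typedef enum { CONV_OK = 0, CONV_OVERFLOW = 1, CONV_NAN = 2 } conv_status;

/* Option 1: magnitude test before the cast. A double-to-int conversion whose
 * value does not fit is undefined behaviour in C, so the range check has to
 * run first. Out-of-range input is reported to the caller, never converted. */
conv_status checked_to_i16(double value, int16_t *out)
{
    if (isnan(value))
        return CONV_NAN;
    if (value > (double)INT16_MAX || value < (double)INT16_MIN)
        return CONV_OVERFLOW;
    *out = (int16_t)value;   /* truncates toward zero; now known to fit */
    return CONV_OK;
}

/* Option 2: saturate to the nearest representable value ("use the maximum
 * integer value and carry on"). The clamped flag is the only thing that
 * tells the caller the result is no longer a measurement. */
int16_t saturating_to_i16(double value, bool *clamped)
{
    *clamped = false;
    if (isnan(value)) { *clamped = true; return 0; }
    if (value > (double)INT16_MAX) { *clamped = true; return INT16_MAX; }
    if (value < (double)INT16_MIN) { *clamped = true; return INT16_MIN; }
    return (int16_t)value;
}

/* Option 3: plausibility gate on the converted value. Even an integer that
 * fits the type is rejected when it lies outside the operating envelope the
 * downstream computation was designed for (envelope_limit is constructed). */
bool within_envelope(int16_t v, int16_t envelope_limit)
{
    return v >= -envelope_limit && v <= envelope_limit;
}

int main(void)
{
    /* Constructed samples: one value that fits int16_t and one that does not. */
    const double samples[] = { 12345.6, 40000.0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t checked = 0;
        bool clamped = false;
        conv_status st = checked_to_i16(samples[i], &checked);
        int16_t sat = saturating_to_i16(samples[i], &clamped);
        printf("input %.1f: checked=%s", samples[i],
               st == CONV_OK ? "ok" : "rejected");
        if (st == CONV_OK)
            printf(" (%d, in envelope: %s)", checked,
                   within_envelope(checked, 20000) ? "yes" : "no");
        printf("; saturating=%d%s\n", sat, clamped ? " (clamped)" : "");
    }
    return 0;
}
```

The point the example makes concrete is the one raised above: the saturating variant returns a value that looks exactly like a real reading unless the caller inspects the flag, whereas the checked variant forces the caller to decide what to do with an input the system was never designed for.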