From: "Pat Rogers"
Subject: Re: JOB:Sr. SW Engineers Wanted-Fortune 500 Co
Date: 2000/02/01
Message-ID: #1/1
References: <3894A823.92EC75D1@bondtechnologies.com> <874b7r$mj9$1@nnrp1.deja.com> <38967537_1@news.jps.net>
Organization: Software Arts & Sciences
Newsgroups: comp.lang.ada

"Hyman Rosen" wrote in message news:t7bt606bro.fsf@calumny.jyacc.com...
> "Pat Rogers" writes:
> > Error checking at run-time is still vital, and Ada's checking (if left
> > in) can help.
> >
> > Although it is a common practice in (well-done!) safety-critical
> > development to prove that exceptions cannot occur, they still can. The
> > obvious cause is radiation-induced hardware errors. The more difficult
> > issue, because it is based upon human imperfection, is that of errors in
> > the specification. No amount of program proof will circumvent that
> > problem. In that case run-time checks can serve to invoke the fault
> > tolerance mechanisms, however extensive those may or may not be.
> > Clearly some applications can have no fall-back position (the classic
> > example is a launched missile) and in those cases there's no point in
> > checking. But in those cases in which faults can be tolerated the
> > checks are directly helpful.
>
> But it's exactly that mechanism that led to the Ariane 5 crash.

No. They treated all exceptions as an indication of hardware failures because they didn't believe they could happen due to software. They didn't meaningfully handle the exception -- they aborted the program! Since they abused the software they were reusing (by using it in a different context, in which exceptions were unavoidable) their assumptions were invalid.

> I have argued before that *not* catching such errors at runtime might be a
> better approach, because it's possible that such an error would cause
> only slight local effects which would quickly damp out, whereas invoking
> error handling leads to massive global effects.

A man falls off a very, very tall building. Halfway down he is heard to say "This isn't so bad after all!".

Placing one's head in the sand seems a very unhelpful approach. The Ariane 5 management made a very bad mistake by doing just that.

--
Pat Rogers                          Training and Consulting in:
http://www.classwide.com            Deadline Schedulability Analysis
progers@classwide.com               Software Fault Tolerance
(281)648-3165                       Real-Time/OO Languages
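The distinction the post draws, between a run-time check whose failure aborts the program and one whose failure invokes a fault-tolerance mechanism, as an added Ada example that is not from the thread and not the Ariane 5 software. The range type `Sensor_Word` and the saturating fallback are constructed assumptions for illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checked_Conversion is
   --  Constructed example: a 16-bit signed range such as an interface
   --  to another unit might impose.  Ada's run-time range check raises
   --  Constraint_Error when a converted value falls outside it.
   type Sensor_Word is range -32_768 .. 32_767;

   --  Strategy 1, "abort": the check failure is treated as unrecoverable
   --  and Constraint_Error propagates to whoever called us.
   function Convert_Or_Abort (X : Float) return Sensor_Word is
   begin
      return Sensor_Word (X);   --  range check performed here
   end Convert_Or_Abort;

   --  Strategy 2, invoke fault tolerance: saturate the value, record the
   --  fault for later diagnosis, and let the system keep running.
   Fault_Count : Natural := 0;

   function Convert_Tolerant (X : Float) return Sensor_Word is
   begin
      return Sensor_Word (X);
   exception
      when Constraint_Error =>
         Fault_Count := Fault_Count + 1;
         if X > 0.0 then
            return Sensor_Word'Last;
         else
            return Sensor_Word'First;
         end if;
   end Convert_Tolerant;

   --  Constructed input: one in-range sample and two that overflow.
   Samples : constant array (1 .. 3) of Float := (100.0, 40_000.0, -70_000.0);
begin
   for S of Samples loop
      Put_Line ("tolerant:" & Sensor_Word'Image (Convert_Tolerant (S)));
   end loop;
   Put_Line ("faults recorded:" & Natural'Image (Fault_Count));

   --  The aborting strategy stops processing at the first bad sample.
   for S of Samples loop
      Put_Line ("abort:" & Sensor_Word'Image (Convert_Or_Abort (S)));
   end loop;
exception
   when E : Constraint_Error =>
      Put_Line ("aborted: " & Exception_Message (E));
end Checked_Conversion;
```

Compiling with checks enabled (the default for `gnatmake`) is what makes the `Constraint_Error` in both strategies observable; suppressing checks removes the choice entirely.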