* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Jean-Pierre Rosen @ 2004-11-26 12:21 UTC (permalink / raw)
Marius Amado Alves wrote:
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like you're trying to blame the hardware. The cause was
> a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
> because it's connected to exceptions, the hypothesis that if the thing
> had been done in an exceptionless language like C the effect might have
> been different. And yes, maybe less bad. And none of the explanations
> I've seen so far (here, in books, and in the Internet) disprove this
> hypothesis.
>
Oh no, please...
There was a system design error. The software recognized the error and
behaved as required. Now, you are arguing that if the software had not
recognized the error, since it was in a module that shouldn't have been
running anyway, then it would have been OK.
This would have been a double error having less consequences than a
single one. Although it might have been the case, you cannot rely on
double errors for safety! Software should be correct "by construction" (tm)
--
---------------------------------------------------------
J-P. Rosen (rosen@adalog.fr)
Visit Adalog's web site at http://www.adalog.fr
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Vinzent 'Gadget' Hoefler @ 2004-11-26 13:00 UTC (permalink / raw)
Marius Amado Alves wrote:
[Ariane5]
> Namely, it sounds like you're trying to blame the hardware. The cause
> was a SOFTWARE engineering error. Yes, a BUG.
No. The software behaved _exactly_ as specified. Just that the
specification was for Ariane4, not Ariane5.
Vinzent.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Jeffrey Carter @ 2004-11-26 19:25 UTC (permalink / raw)
Marius Amado Alves wrote:
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like you're trying to blame the hardware. The cause was
> a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
> because it's connected to exceptions, the hypothesis that if the thing
> had been done in an exceptionless language like C the effect might have
> been different. And yes, maybe less bad. And none of the explanations
> I've seen so far (here, in books, and in the Internet) disprove this
> hypothesis.
I think you're mistaken. "Hardware-generated exception", "signal",
"interrupt", whatever you call it, this comes from the hardware and must
be handled regardless of the language used for the SW. Since the
behavior of the Ada SW was exactly that specified for this situation,
and the specification would have been the same regardless of the
language used, the choice of language would not have changed the
behavior of the SW.
--
Jeff Carter
"There's no messiah here. There's a mess all right, but no messiah."
Monty Python's Life of Brian
84
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Marius Amado Alves @ 2004-11-26 19:50 UTC (permalink / raw)
To: comp.lang.ada
Jeffrey Carter wrote:
> Marius Amado Alves wrote:
>
>> No. This whole talk of hardware-generated exception sounds like "FUD".
>> Namely, it sounds like you're trying to blame the hardware. The cause
>> was a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
>> because it's connected to exceptions, the hypothesis that if the thing
>> had been done in an exceptionless language like C the effect might
>> have been different. And yes, maybe less bad. And none of the
>> explanations I've seen so far (here, in books, and in the Internet)
>> disprove this hypothesis.
>
> I think you're mistaken. "Hardware-generated exception", "signal",
> "interrupt", whatever you call it, this comes from the hardware and must
> be handled regardless of the language used for the SW. Since the
> behavior of the Ada SW was exactly that specified for this situation,
> and the specification would have been the same regardless of the
> language used, the choice of language would not have changed the
> behavior of the SW.
I'm not mistaken. What you say does not disprove my hypothesis. Look, I
probably know the story as well as you guys. And the story is that an
Ada software component from Ariane 4 was reused for Ariane 5 without
change. This and the fact that there was a hardware mismatch resulted
in a BUGGY software system. Just answer this: how was the system fixed?
Did they change the hardware? No. Ergo, the software was at fault, not
the hardware.
Sentences like "the behavior of the Ada SW was exactly that specified
for this situation" (above) or "The software behaved _exactly_ as
specified" (Vinzent) are worse than irrelevant, they are confusing, and
actually strictly false. Surely the specification for Ariane 5 did not
say "plug in software from Ariane 4 at will and crash on hardware
mismatches."
My hypothesis remains undisproven.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Simon Wright @ 2004-11-26 22:58 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> writes:
> Sentences like "the behavior of the Ada SW was exactly that
> specified for this situation" (above) or "The software behaved
> _exactly_ as specified" (Vinzent) are worse than irrelevant, they
> are confusing, and actually strictly false. Surely the specification
> for Ariane 5 did not say "plug in software from Ariane 4 at will and
> crash on hardware mismatches."
This argument is just piffle in any reasonably-managed engineering
environment.
Of course the SYSTEM specification said no such thing, how could
it. But the SOFTWARE specification, produced by the SYSTEM engineers
(or maybe management) told the software engineers to do that and not
to check the results -- as software engineers they couldn't have
anyway, you need rigs for that sort of test.
It is perfectly possible for a SYSTEM to have bugs as a result of
containing bug-free but inappropriately specified software.
You would hardly describe software that required an FPU as "buggy" if
it failed to work on a processor without one.
--
Simon Wright 100% Ada, no bugs.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Jeffrey Carter @ 2004-11-27 20:24 UTC (permalink / raw)
Marius Amado Alves wrote:
> I'm not mistaken. What you say does not disprove my hypothesis. Look, I
> probably know the story as well as you guys. And the story is that an
> Ada software component from Ariane 4 was reused for Ariane 5 without
> change. This and the fact that there was a hardware mismatch resulted
> in a BUGGY software system. Just answer this: how was the system fixed?
> Did they change the hardware? No. Ergo, the software was at fault, not
> the hardware.
I think you'll find they changed the requirements, then made any changes
that necessitated to the design (possibly none), and then changed the
software to reflect the changes in the requirements and design.
I agree that the SW system had an error, but it was an error in
requirements, not in implementation.
Anyway, I was addressing the claim that an implementation in C would not
have exhibited the error, not where the error lay.
--
Jeff Carter
"Many times we're given rhymes that are quite unsingable."
Monty Python and the Holy Grail
57
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Georg Bauhaus @ 2004-11-29 1:09 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> wrote:
: I'm not mistaken. What you say does not disprove my hypothesis. Look, I
: probably know the story as well as you guys. And the story is that an
: Ada software component from Ariane 4 was reused for Ariane 5 without
: change. This and the fact that there was a hardware mismatch resulted
: in a BUGGY software system. Just answer this: how was the system fixed?
: Did they change the hardware? No. Ergo, the software was at fault, not
: the hardware.
An analogy, taken further to the point of absurdity:
If Intel decides to change the meaning of the DEC instruction to mean that a
value is increased by one, not decreased, then a software system that is
built following earlier Intel specs is to be blamed for having bugs, and
that's it?
Or might there not be some other "items" in the software development process
to be blamed for the mistake?
-- Georg Bauhaus
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Preben Randhol @ 2004-11-29 20:06 UTC (permalink / raw)
In article Marius Amado Alves wrote:
>I'm not mistaken. What you say does not disprove my hypothesis. Look, I
>probably know the story as well as you guys. And the story is that an
>Ada software component from Ariane 4 was reused for Ariane 5 without
>change. This and the fact that there was a hardware mismatch resulted
>in a BUGGY software system. Just answer this: how was the system fixed?
>Did they change the hardware? No. Ergo, the software was at fault, not
>the hardware.
Changing from Ariane 4 to Ariane 5 wasn't a hardware change?
Preben
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Mike Silva @ 2004-11-26 20:58 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.123.1101469316.10401.comp.lang.ada@ada-france.org>...
> Alexander E. Kopilovich wrote:
> >...
> > - The on-board software detects that one of the accelerometers is out of
> > range (actually, there was FPU exception generated when float-to-integer
> > conversion exceeded the capacity of the integer), this was interpreted as
> > hardware error and caused the backup processor to take over;...
> >
> > Do you agree that this addition is enough there?
>
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like you're trying to blame the hardware. The cause was
> a SOFTWARE engineering error. Yes, a BUG.
What was the bug? Since there wasn't one, your answer should prove interesting!
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Marius Amado Alves @ 2004-11-27 0:06 UTC (permalink / raw)
To: comp.lang.ada
Mike Silva wrote:
> What was the bug? Since there wasn't one, your answer should prove interesting!
Did they fix the hardware or the software? The inevitable conclusion
from your answer should prove interesting!
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Rod Haper @ 2004-11-27 0:55 UTC (permalink / raw)
Marius Amado Alves wrote:
> Mike Silva wrote:
>
>> What was the bug? Since there wasn't one, your answer should prove
>> interesting!
>
>
> Did they fix the hardware or the software? The inevitable conclusion
> from your answer should prove interesting!
>
Butting into this eternal argument:
The "bug" that got "fixed" was the specification. That in turn
necessitated a change to the software to comply with the updated
specification. The "error" was in the old Ariane IV's specification's
lack of applicability to the new Ariane V's requirements. The "failure"
was one of design, not software implementation, and was independent of
what language was or might have been used for the implementation.
What is your point vis-a-vis hardware or software? The "conclusion" I
draw is that you seem to be hung up on some agenda which ignores the
simple facts of the case.
--
Rod
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Marius Amado Alves @ 2004-11-27 1:31 UTC (permalink / raw)
To: comp.lang.ada
Rod Haper wrote:
> The "bug" that got "fixed" was the specification. That in turn
> necessitated a change to the software to comply with the updated
> specification. The "error" was in the old Ariane IV's specification's
> lack of applicability to the new Ariane V's requirements. The "failure"
> was one of design, not software implementation, and was independent of
> what language was or might have been used for the implementation.
>
> What is your point vis-a-vis hardware or software? The "conclusion" I
> draw is that you seem to be hung up on some agenda which ignores the
> simple facts of the case.
My agenda is to make sure things are called by their names with no
guilt. A bug is a bug is a bug. A specification is a software item. A
defect in a specification is a bug. I got the impression the text that
was being cooked up for the FAQs (wikibooks?) was avoiding admitting
that the error was on the software part and trying to blame the
hardware. An Ada bias forging a falsity. That had to be stopped. Sorry
if I misunderstood.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Martin Krischik @ 2004-11-27 8:07 UTC (permalink / raw)
Marius Amado Alves wrote:
> Rod Haper wrote:
>> The "bug" that got "fixed" was the specification. That in turn
>> necessitated a change to the software to comply with the updated
>> specification. The "error" was in the old Ariane IV's specification's
>> lack of applicability to the new Ariane V's requirements. The "failure"
>> was one of design, not software implementation, and was independent of
>> what language was or might have been used for the implementation.
>>
>> What is your point vis-a-vis hardware or software? The "conclusion" I
>> draw is that you seem to be hung up on some agenda which ignores the
>> simple facts of the case.
> My agenda is to make sure things are called by their names with no
> guilt. A bug is a bug is a bug. A specification is a software item. A
> defect in a specification is a bug. I got the impression the text that
> was being cooked up for the FAQs (wikibooks?) was avoiding admitting
> that the error was on the software part and trying to blame the
> hardware. An Ada bias forging a falsity. That had to be stopped. Sorry
> if I misunderstood.
But the specification was for a rocket with "vertical lift off" and the
Ariane 5 - like the Space Shuttle - is a "tilted lift off".
Who is to blame when one uses Fiat Punto tires for a max vel. of 180km/h on
a Ferrari with max vel. of 280km/h and all 4 tires explode at 240 km/h? The
tires? The car? Or the person who chose to combine them?
With Regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Dmitry A. Kazakov @ 2004-11-27 9:16 UTC (permalink / raw)
On Sat, 27 Nov 2004 01:31:12 +0000, Marius Amado Alves wrote:
> Rod Haper wrote:
>> The "bug" that got "fixed" was the specification. That in turn
>> necessitated a change to the software to comply with the updated
>> specification. The "error" was in the old Ariane IV's specification's
>> lack of applicability to the new Ariane V's requirements. The "failure"
>> was one of design, not software implementation, and was independent of
>> what language was or might have been used for the implementation.
>>
>> What is your point vis-a-vis hardware or software? The "conclusion" I
>> draw is that you seem to be hung up on some agenda which ignores the
>> simple facts of the case.
>
> My agenda is to make sure things are called by their names with no
> guilt. A bug is a bug is a bug.
There is no such thing as bug without semantics. Absolutely any program is
both buggy and correct depending on what it is supposed to do.
> A specification is a software item.
A specification of a program is not a part of the program. It is a part of
the software development process.
> A defect in a specification is a bug.
Maybe, but it is not a bug *in* the program that implements that
specification.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Marius Amado Alves @ 2004-11-27 9:51 UTC (permalink / raw)
To: comp.lang.ada
>>A defect in a specification is a bug.
>
> Maybe, but it is not a bug *in* the program that implements that
> specification.
Ok. I understand your concept of "bug" is stronger than mine. And the
general public's. I guess this story cannot be made short. Just make
sure you don't blame the hardware. Sorry if I wasted your time.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Dmitry A. Kazakov @ 2004-11-27 13:44 UTC (permalink / raw)
On Sat, 27 Nov 2004 09:51:21 +0000, Marius Amado Alves wrote:
>>>A defect in a specification is a bug.
>>
>> Maybe, but it is not a bug *in* the program that implements that
>> specification.
>
> Ok. I understand your concept of "bug" is stronger than mine. And the
> general public's.
Nope. Public perfectly understands that if a rocket explodes there should
be something explosive in it, a bug for instance, or maybe fuel? (:-))
> I guess this story cannot be made short. Just make
> sure you don't blame the hardware.
I don't blame the hardware. However, using your theory why not to blame it?
Look, let's take some software specifications and blame the hardware which
does not fit to them!
"Bug" is a conditional. Something is buggy under some specified conditions.
A software is buggy under the condition that it does not respond to the
requirements. It would be nice to define all requirements as "the rocket
should fly". Alas, it is not how things work. Yes, under so formulated
conditions Ariane's software is indeed buggy. But no more than the
hardware, fuel, gravity and laws of the nature...
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Preben Randhol @ 2004-11-29 20:13 UTC (permalink / raw)
In article Dmitry A. Kazakov wrote:
>Nope. Public perfectly understands that if a rocket explodes there should
>be something explosive in it, a bug for instance, or maybe fuel? (:-))
>
"It was the sort of thing you expected in the Street of Alchemists. The
neighbours preferred explosions, which were at least identifiable and
soon over. They were better than the smells, which crept up on you."
(Moving Pictures, Terry Pratchett)
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Jeffrey Carter @ 2004-11-27 20:31 UTC (permalink / raw)
Marius Amado Alves wrote:
> Ok. I understand your concept of "bug" is stronger than mine. And the
> general public's. I guess this story cannot be made short. Just make
> sure you don't blame the hardware. Sorry if I wasted your time.
I don't think anyone's trying to blame the HW. They're trying to make it
clear that this problem would have arisen regardless of the language
used to implement the SW. Just because C doesn't have exceptions doesn't
mean it can ignore an interrupt from the HW.
--
Jeff Carter
"Many times we're given rhymes that are quite unsingable."
Monty Python and the Holy Grail
57
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Martin Krischik @ 2004-11-27 7:59 UTC (permalink / raw)
Marius Amado Alves wrote:
> Mike Silva wrote:
>> What was the bug? Since there wasn't one, your answer should prove
>> interesting!
>
> Did they fix the hardware or the software? The inevitable conclusion
> from your answer should prove interesting!
To continue my argument from another post:
"If you use the tires of a Fiat Punto on a Ferrari you should not be surprised
when you end up on the hard shoulder".
You are right: You need another set of tires to drive your Ferrari safely.
But that does not make the Fiat Punto tires faulty and you could not sue the
manufacturer of Punto tires for damages.
There is only one to blame: The idiot who made the decision to use the wrong
combination of tires (software) and car (hardware).
With Regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Pascal Obry @ 2004-11-27 8:24 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> writes:
> Did they fix the hardware or the software? The inevitable conclusion from
> your answer should prove interesting!
As many already said, the software behaved as expected.
If you decide to shoot yourself in the foot will you blame the gun? The gun
will work as expected if it does some damage to your foot, right? Now
I'm not saying that this is ok, but it was designed this way and did the right
thing. Don't use a gun this way, do not reuse software components without
properly rethinking/testing/validating the applicability in another context.
Just my 2 cents,
Pascal.
--
--|------------------------------------------------------
--| Pascal Obry Team-Ada Member
--| 45, rue Gabriel Peri - 78114 Magny Les Hameaux FRANCE
--|------------------------------------------------------
--| http://www.obry.org
--| "The best way to travel is by means of imagination"
--|
--| gpg --keyserver wwwkeys.pgp.net --recv-key C1082595
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Mike Silva @ 2004-11-27 19:36 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.128.1101514001.10401.comp.lang.ada@ada-france.org>...
> Mike Silva wrote:
> > What was the bug? Since there wasn't one, your answer should prove interesting!
>
> Did they fix the hardware or the software? The inevitable conclusion
> from your answer should prove interesting!
They fixed the match between the hardware, the software and the flight
profile. To do so they removed correct software (correctly
implemented to a correct specification for Ariane 4) and replaced it
with software correctly implemented to a correct specification for
Ariane 5. They did not fix the software because the software was not
broken. They modified correct software for one specification to
correct software for a new specification. There was no _software_
bug, as you assert. There was a reuse error, or if you like, a reuse
bug, but not a software bug. The software no more failed by correctly
reacting to the new H-bias value according to its design spec than the
H-bias sensor failed by correctly reacting to the new flight path of
the rocket according to its design spec.
The situation is similar to correctly using a 5 Amp fuse in a
particular circuit, and then changing the circuit (the hardware) so
that it draws 10 Amps. The 5 Amp fuse then blows, but was the 5 Amp
fuse defective? Or was it simply the wrong part for the new circuit?
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Mike Silva @ 2004-11-26 21:09 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.123.1101469316.10401.comp.lang.ada@ada-france.org>...
> Alexander E. Kopilovich wrote:
> >...
> > - The on-board software detects that one of the accelerometers is out of
> > range (actually, there was FPU exception generated when float-to-integer
> > conversion exceeded the capacity of the integer), this was interpreted as
> > hardware error and caused the backup processor to take over;...
> >
> > Do you agree that this addition is enough there?
>
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like you're trying to blame the hardware. The cause was
> a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
> because it's connected to exceptions, the hypothesis that if the thing
> had been done in an exceptionless language like C the effect might have
> been different. And yes, maybe less bad. And none of the explanations
> I've seen so far (here, in books, and in the Internet) disprove this
> hypothesis.
Even accepting your assertion that your hypothesis has not been
disproven, what conclusion do you draw? That deliberately ignoring
out-of-range data (not throwing it away, just ignoring it) will
generally lead to safer systems than dealing with out-of-range data in
some pre-determined way that may not always be the right choice
(especially if the system is mis-used in a manner so that out-of-range
data is suddenly legal)?
What, again, is your conclusion?
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Marius Amado Alves @ 2004-11-27 0:15 UTC (permalink / raw)
To: comp.lang.ada
Mike Silva wrote:
> Even accepting your assertion that your hypothesis has not been
> disproven, what conclusion do you draw? That deliberately ignoring
> out-of-range data (not throwing it away, just ignoring it) will
> generally lead to safer systems than dealing with out-of-range data in
> some pre-determined way that may not always be the right choice
> (especially if the system is mis-used in a manner so that out-of-range
> data is suddenly legal)?
>
> What, again, is your conclusion?
I do not draw a general conclusion. I merely point out that it is
essential in this particular case to elicit the results of catching vs.
not catching the exception, and in that context of using an
"exceptional" language vs. an exceptionless one. Be very aware of
general conclusions. Again, general expressions like "deliberately
ignoring out-of-range data (not throwing it away, just ignoring it)"
just make things worse. Out of what range? What is the difference
between ignoring and throwing away? If it's data it's processed in some
way, cannot really be ignored or thrown away can it?
* Re: Would You Fly an Airplane with a Linux-Based Control System?
From: Mike Silva @ 2004-11-27 19:41 UTC (permalink / raw)
Marius Amado Alves <amado.alves@netcabo.pt> wrote in message news:<mailman.129.1101514556.10401.comp.lang.ada@ada-france.org>...
> Mike Silva wrote:
> > Even accepting your assertion that your hypothesis has not been
> > disproven, what conclusion do you draw? That deliberately ignoring
> > out-of-range data (not throwing it away, just ignoring it) will
> > generally lead to safer systems than dealing with out-of-range data in
> > some pre-determined way that may not always be the right choice
> > (especially if the system is mis-used in a manner so that out-of-range
> > data is suddenly legal)?
> >
> > What, again, is your conclusion?
>
> I do not draw a general conclusion. I merely point out that it is
> essential in this particular case to elicit the results of catching vs.
> not catching the exception, and in that context of using an
> "exceptional" language vs. an exceptionless one.
But the exception was generated by the hardware. A non-maskable
exception handler was vectored to. What would that exception handler
have done differently if an exceptionless language had been used?
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-26 11:40 ` Marius Amado Alves
` (4 preceding siblings ...)
2004-11-26 21:09 ` Mike Silva
@ 2004-11-27 7:47 ` Martin Krischik
2004-11-29 20:04 ` Preben Randhol
6 siblings, 0 replies; 68+ messages in thread
From: Martin Krischik @ 2004-11-27 7:47 UTC (permalink / raw)
Marius Amado Alves wrote:
> Alexander E. Kopilovich wrote:
>>...
>> - The on-board software detects that one of the accelerometers is out of
>> range (actually, there was FPU exception generated when float-to-integer
>> conversion exceeded the capacity of the integer), this was interpreted as
>> hardware error and caused the backup processor to take over;...
>>
>> Do you agree that this addition is enough there?
>
> No. This whole talk of hardware-generated exception sounds like "FUD".
> Namely, it sounds like you're trying to blame the hardware. The cause was
> a SOFTWARE engineering error. Yes, a BUG. In the Ada software.
The specification for that particular piece of software was for the Ariane 4 -
and there it was proven that all possible values were smaller than the
range of Integer.
The software was right for what it was designed for. If you use the tires of
a Fiat Punto on a Ferrari you should not be surprised when you end up on the
hard shoulder. And nobody would blame the tires - one would blame the stupid
driver.
It was a management decision error to reuse the software.
With regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-26 11:40 ` Marius Amado Alves
` (5 preceding siblings ...)
2004-11-27 7:47 ` Martin Krischik
@ 2004-11-29 20:04 ` Preben Randhol
2004-11-30 3:11 ` Alexander E. Kopilovich
2004-11-30 13:24 ` Martin Krischik
6 siblings, 2 replies; 68+ messages in thread
From: Preben Randhol @ 2004-11-29 20:04 UTC (permalink / raw)
In article Marius Amado Alves wrote:
>No. This whole talk of hardware-generated exception sounds like "FUD".
>Namely, it sounds like you're trying to blame the hardware. The cause was
>a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
>because it's connected to exceptions, the hypothesis that if the thing
>had been done in an exceptionless language like C the effect might have
>been different. And yes, maybe less bad. And none of the explanations
>I've seen so far (here, in books, and in the Internet) disprove this
>hypothesis.
I'm confused. Didn't they turn off all exceptions checks?
Preben
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-29 20:04 ` Preben Randhol
@ 2004-11-30 3:11 ` Alexander E. Kopilovich
2004-11-30 15:20 ` Mike Silva
2004-11-30 13:24 ` Martin Krischik
1 sibling, 1 reply; 68+ messages in thread
From: Alexander E. Kopilovich @ 2004-11-30 3:11 UTC (permalink / raw)
To: comp.lang.ada
Preben Randhol wrote:
> > ... hardware-generated exception ...
>
> I'm confused. Didn't they turn off all exceptions checks?
They turned off software exception checks - because that brought much needed
gain in speed. But masking FPU exceptions would be unreasonable (if possible
at all for the particular processor architecture) - it will not speed up FPU
operations.
Alexander Kopilovich aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-30 3:11 ` Alexander E. Kopilovich
@ 2004-11-30 15:20 ` Mike Silva
2004-12-01 2:51 ` Alexander E. Kopilovich
0 siblings, 1 reply; 68+ messages in thread
From: Mike Silva @ 2004-11-30 15:20 UTC (permalink / raw)
"Alexander E. Kopilovich" <aek@VB1162.spb.edu> wrote in message news:<mailman.155.1101784287.10401.comp.lang.ada@ada-france.org>...
> Preben Randhol wrote:
>
> > > ... hardware-generated exception ...
> >
> > I'm confused. Didn't they turn off all exceptions checks?
>
> They turned off software exception checks - because that brought much needed
> gain in speed. But masking FPU exceptions would be unreasonable (if possible
> at all for the particular processor architecture) - it will not speed up FPU
> operations.
At least equally important is that they determined, through analysis,
that data for the variable in question that exceeded the range of a
16-bit integer could only be due to a hardware problem, and that the
code should act accordingly (switch to backup hardware). They had
"protected" other similar conversions but determined that this
conversion should be left unprotected (capable of generating an
out-of-range exception). To quote from the report:
"The reason for the three remaining variables, including the one
denoting horizontal bias, being unprotected was that further reasoning
indicated that they were either physically limited or that there was a
large margin of safety, a reasoning which in the case of the variable
BH turned out to be faulty. It is important to note that the decision
to protect certain variables but not others was taken jointly by
project partners at several contractual levels."
Thus if one of these variable conversions produced an out-of-range
result it was considered to indicate a hardware failure, and that the
designated action for hardware failure was appropriate.
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-30 15:20 ` Mike Silva
@ 2004-12-01 2:51 ` Alexander E. Kopilovich
0 siblings, 0 replies; 68+ messages in thread
From: Alexander E. Kopilovich @ 2004-12-01 2:51 UTC (permalink / raw)
To: comp.lang.ada
Mike Silva wrote:
> At least equally important is that they determined, through analysis,
> that data for the variable in question that exceeded the range of a
> 16-bit integer could only be due to a hardware problem, and that the
> code should act accordingly (switch to backup hardware). They had
> "protected" other similar conversions but determined that this
> conversion should be left unprotected (capable of generating an
> out-of-range exception). To quote from the report:
>
> "The reason for the three remaining variables, including the one
> denoting horizontal bias, being unprotected was that further reasoning
> indicated that they were either physically limited or that there was a
> large margin of safety, a reasoning which in the case of the variable
> BH turned out to be faulty. It is important to note that the decision
> to protect certain variables but not others was taken jointly by
> project partners at several contractual levels."
>
> Thus if one of these variable conversions produced an out-of-range
> result it was considered to indicate a hardware failure, and that the
> designated action for hardware failure was appropriate.
Yes, they dealt with their data checks very selectively. And yes, this is
important indeed to recognize that, if one studies the case to that depth,
from a programmer's viewpoint.
(But it is outside of FAQ's scope, I think... at least outside of the scope
of Observer's version of the FAQ; anyway, I believe that those persons who
are able to recognize that importance and are interested in it, can and should
read Report from the beginning to the end and acquire that info from there.)
Alexander Kopilovich aek@vib.usr.pu.ru
Saint-Petersburg
Russia
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-29 20:04 ` Preben Randhol
2004-11-30 3:11 ` Alexander E. Kopilovich
@ 2004-11-30 13:24 ` Martin Krischik
2004-11-30 17:28 ` Preben Randhol
1 sibling, 1 reply; 68+ messages in thread
From: Martin Krischik @ 2004-11-30 13:24 UTC (permalink / raw)
Preben Randhol wrote:
> In article Marius Amado Alves wrote:
>>No. This whole talk of hardware-generated exception sounds like "FUD".
>>Namely, it sounds like you're trying to blame the hardware. The cause was
>>a SOFTWARE engineering error. Yes, a BUG. In the Ada software. And
>>because it's connected to exceptions, the hypothesis that if the thing
>>had been done in an exceptionless language like C the effect might have
>>been different. And yes, maybe less bad. And none of the explanations
>>I've seen so far (here, in books, and in the Internet) disprove this
>>hypothesis.
>
> I'm confused. Didn't they turn off all exceptions checks?
They turned off a few select runtime checks. They had proof that on an Ariane
4 they would not be needed as the Ariane 4 will never exceed the max.
values.
However, as Alexander pointed out, with the software checks disabled some
hardware checks from the floating point unit kicked in instead and crashed
the whole program.
You must understand that modern CPUs support hardware exceptions and
modern programming languages support software exceptions. And they have
nothing to do with each other.
On a side note: The new M$ C and C++ compilers automatically convert hardware
exceptions into software exceptions - which I have to confess makes things a
lot easier.
With Regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-30 13:24 ` Martin Krischik
@ 2004-11-30 17:28 ` Preben Randhol
2004-12-01 9:27 ` Martin Krischik
0 siblings, 1 reply; 68+ messages in thread
From: Preben Randhol @ 2004-11-30 17:28 UTC (permalink / raw)
In article <3193657.BGZLZqeFdM@linux1.krischik.com>, Martin Krischik wrote:
>
>They turned off a few select runtime checks. They had proof that on an Ariane
>4 they would not be needed as the Ariane 4 will never exceed the max.
>values.
>
>However, as Alexander pointed out, with the software checks disabled some
>hardware checks from the floating point unit kicked in instead and crashed
>the whole program.
>
>You must understand that modern CPUs support hardware exceptions and
>modern programming languages support software exceptions. And they have
>nothing to do with each other.
Yes, but if C doesn't have exceptions, then I don't see why a C program
wouldn't have crashed as the Ada program did when they had turned off the
sw exceptions.
Preben
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-11-30 17:28 ` Preben Randhol
@ 2004-12-01 9:27 ` Martin Krischik
2004-12-01 16:59 ` Preben Randhol
0 siblings, 1 reply; 68+ messages in thread
From: Martin Krischik @ 2004-12-01 9:27 UTC (permalink / raw)
Preben Randhol wrote:
> In article <3193657.BGZLZqeFdM@linux1.krischik.com>, Martin Krischik
> wrote:
>>
>>They turned off a few select runtime checks. They had proof that on an
>>Ariane 4 they would not be needed as the Ariane 4 will never exceed the
>>max. values.
>>
>>However, as Alexander pointed out, with the software checks disabled some
>>hardware checks from the floating point unit kicked in instead and crashed
>>the whole program.
>>
>>You must understand that modern CPUs support hardware exceptions
>>and modern programming languages support software exceptions. And they have
>>nothing to do with each other.
>
> Yes, but if C doesn't have exceptions, then I don't see why a C program
> wouldn't have crashed as the Ada program did when they had turned off the
> sw exceptions.
Maybe you want to brush up your C and read "ISO/IEC 9899:1999 7.14". In C
exceptions are called signals and in the case discussed the "SIGFPE" would
have been raised. Without a signal handler the program would have died.
With Regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
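The thread turns on two technical points: Mike Silva's quote from the report about conversions that were "protected" (range-checked before the cast) versus the one left "unprotected", and Martin's point that in C an out-of-range float-to-integer conversion has no language-level exception to fall back on, only a hardware trap delivered as a signal or, worse, silently undefined behaviour (C99 6.3.1.4). The example below is added here and is not code from any poster or from the Ariane software; it shows what a "protected" conversion to a 16-bit integer looks like in C, and makes the out-of-range policy an explicit design choice instead of something left to the cast. The names `to_int16_checked`, `convert_sample`, the `range_policy` values and all sample inputs are my own construction, not values from the report.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one guarded conversion.  The conversion only reports; what
   an out-of-range sample *means* (sensor fault, hardware fault, clamp) is
   decided by the caller, which is the decision the report says was taken
   per variable by the project partners. */
typedef enum { CONV_OK = 0, CONV_NOT_A_NUMBER, CONV_OUT_OF_RANGE } conv_status;

/* "Protected" double -> int16_t conversion (hypothetical name).
   The range test runs in double, before the cast, so the cast never sees
   a value the target type cannot hold.  A C cast truncates toward zero,
   so every x in the open interval (-32769, 32768) lands in [-32768, 32767]. */
conv_status to_int16_checked(double x, int16_t *out)
{
    if (x != x)                         /* only NaN compares unequal to itself */
        return CONV_NOT_A_NUMBER;
    if (!(x < (double)INT16_MAX + 1.0 && x > (double)INT16_MIN - 1.0))
        return CONV_OUT_OF_RANGE;       /* plain (int16_t)x here would be UB */
    *out = (int16_t)x;
    return CONV_OK;
}

/* Two explicit policies for a failed conversion: treat it as a fault the
   caller must act on, or saturate and keep going.  Neither is "the right"
   choice in general; the point is that it is written down, not implied. */
typedef enum { POLICY_FLAG_FAULT, POLICY_SATURATE } range_policy;

typedef struct {
    int16_t value;   /* converted (or clamped) value; meaningful when fault is false */
    bool    fault;   /* true when the policy classifies this sample as a fault */
} sample_result;

sample_result convert_sample(double x, range_policy policy)
{
    sample_result r = { 0, false };
    conv_status s = to_int16_checked(x, &r.value);
    if (s == CONV_OK)
        return r;
    if (policy == POLICY_SATURATE && s == CONV_OUT_OF_RANGE) {
        r.value = (x > 0.0) ? INT16_MAX : INT16_MIN;   /* clamp to the type's limits */
        return r;
    }
    r.fault = true;     /* NaN under any policy, or out-of-range under FLAG_FAULT */
    return r;
}

int main(void)
{
    /* Constructed sample inputs, not values from the Ariane report. */
    const double samples[] = { 1234.5, 32767.9, 32768.0, -40000.0, NAN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sample_result flag = convert_sample(samples[i], POLICY_FLAG_FAULT);
        sample_result sat  = convert_sample(samples[i], POLICY_SATURATE);
        printf("%10.1f  flag-fault: %s %6d   saturate: %s %6d\n", samples[i],
               flag.fault ? "FAULT" : "ok   ", flag.value,
               sat.fault  ? "FAULT" : "ok   ", sat.value);
    }
    return 0;
}
```

The unprotected alternative, `(int16_t)x` with no test, is what the thread is arguing about: on a machine whose FPU traps on the invalid conversion the program gets SIGFPE and dies unless a handler exists; on one that does not trap, the cast yields an unspecified value and the rest of the program carries on with garbage. Neither outcome is a language feature that C "lacks" or Ada "has"; both are what happens when the range decision is left to the hardware.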
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-12-01 9:27 ` Martin Krischik
@ 2004-12-01 16:59 ` Preben Randhol
2004-12-01 18:53 ` Martin Krischik
2004-12-05 6:52 ` Brian May
0 siblings, 2 replies; 68+ messages in thread
From: Preben Randhol @ 2004-12-01 16:59 UTC (permalink / raw)
In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik wrote:
>Maybe you want to brush up your C and read "ISO/IEC 9899:1999 7.14". In C
>exceptions are called signals and in the case discussed the "SIGFPE" would
>have been raised. Without a signal handler the program would have died.
Ok now I'm even more confused. Could somebody please explain why a C
program would have worked even with the HW exception? Wasn't that the
argument? That C would work and Ada would fail?
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-12-01 16:59 ` Preben Randhol
@ 2004-12-01 18:53 ` Martin Krischik
2004-12-02 21:07 ` Preben Randhol
2004-12-05 6:52 ` Brian May
1 sibling, 1 reply; 68+ messages in thread
From: Martin Krischik @ 2004-12-01 18:53 UTC (permalink / raw)
Preben Randhol wrote:
> In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik
> wrote:
>>Maybe you want to brush up your C and read "ISO/IEC 9899:1999 7.14". In C
>>exceptions are called signals and in the case discussed the "SIGFPE"
>>would have been raised. Without a signal handler the program would have
>>died.
> Ok now I'm even more confused. Could somebody please explain why a C
> program would have worked even with the HW exception? Wasn't that the
> argument? That C would work and Ada would fail?
Simson Garfinkel (http://www.klein.com/dvk/publications/FlyingLinux.pdf)
thinks that C would have worked but most of us here at comp.lang.ada think
that C would have failed as well.
With Regards
Martin
--
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-12-01 18:53 ` Martin Krischik
@ 2004-12-02 21:07 ` Preben Randhol
0 siblings, 0 replies; 68+ messages in thread
From: Preben Randhol @ 2004-12-02 21:07 UTC (permalink / raw)
To: comp.lang.ada
Martin Krischik <martin@krischik.com> wrote on 01/12/2004 (19:01) :
> Preben Randhol wrote:
>
> > In article <1780586.KJpDkK3SiU@linux1.krischik.com>, Martin Krischik
> > wrote:
> >>Maybe you want to brush up your C and read "ISO/IEC 9899:1999 7.14". In C
> >>exceptions are called signals and in the case discussed the "SIGFPE"
> >>would have been raised. Without a signal handler the program would have
> >>died.
>
> > Ok now I'm even more confused. Could somebody please explain why a C
> > program would have worked even with the HW exception? Wasn't that the
> > argument? That C would work and Ada would fail?
>
> Simson Garfinkel (http://www.klein.com/dvk/publications/FlyingLinux.pdf)
> thinks that C would have worked but most of us here at comp.lang.ada think
> that C would have failed as well.
OK, then I'm not confused anymore as I think the same :-)
* Re: Would You Fly an Airplane with a Linux-Based Control System?
2004-12-01 16:59 ` Preben Randhol
2004-12-01 18:53 ` Martin Krischik
@ 2004-12-05 6:52 ` Brian May
1 sibling, 0 replies; 68+ messages in thread
From: Brian May @ 2004-12-05 6:52 UTC (permalink / raw)
>>>>> "Preben" == Preben Randhol <randhol@bacchus.pvv.ntnu.no> writes:
Preben> Ok now I'm even more confused. Could somebody please
Preben> explain why a C program would have worked even with the HW
Preben> exception? Wasn't that the argument? That C would work and
Preben> Ada would fail?
If the program was implemented based on the same specifications for
both languages, and hence responded to error conditions in the same
way, then both would have exactly the same problem.
Perhaps, though, a C programmer would be more likely to ignore an error
condition and pretend nothing went wrong? If so, I am not sure this is
a good strategy.
--
Brian May <bam@snoopy.apana.org.au>