From: Robert A Duff
Newsgroups: comp.lang.ada
Subject: Re: How would Ariane 5 have behaved if overflow checking were not turned off?
Date: Tue, 15 Mar 2011 15:44:15 -0400
Organization: The World Public Access UNIX, Brookline, MA
References: <82d3lsvqw7.fsf@stephe-leake.org>

(Sorry for emailing this, Keith. I meant to post. Oops.)

Keith Thompson writes:
> Stephen Leake writes:
>> Just to remind people; the real problem was that Ariane 4 code was
>> reused on Ariane 5, without carefully considering the design, also
>> without adequate testing.
>>
>> Ariane 5 is a bigger rocket; it has bigger accelerations. The range for
>> accelerations in the code, which was correct for Ariane 4, was incorrect
>> for Ariane 5.
>>
>> No amount of "defensive programming" can handle such a fundamental
>> design error.
>
> As I recall, the problem was that an exception message was sent
> and interpreted as binary data, because it was incorrectly assumed
> that the exception could never happen. The exception occurred in
> a subsystem that wasn't even needed at the time.

I wouldn't call that "the problem" -- I'd call it a symptom of the problem. The problem was using (correct!) Ariane 4 software to control an Ariane 5 rocket, as Stephen Leake says above. The assumption you mention above was correct! For Ariane 4, of course -- that's what they analyzed the assumption for.

> ... (It's entirely
> possible I've got this wrong.)

I don't think so -- your memory (of the symptom!) matches mine.

> What if the subsystem had handled the exception and quietly
> terminated?

I've no idea. Maybe it would have worked, but that would have been purely accidental. All the details of how the exception or whatever led to the crash seem irrelevant, to me. You can't expect software designed for one rocket to work for another rocket without changing it to meet the new specs. Apparently, they didn't even bother to look at it to see if it needed changing.

- Bob