From: Niklas Holsti
Newsgroups: comp.lang.java.programmer,comp.lang.c
Subject: Re: Arithmetic overflow checking
Date: Sat, 13 Aug 2011 21:54:10 +0300
Organization: Tidorum Ltd
Message-ID: <9anviiF606U1@mid.individual.net>
References: <3797038f-22d1-40b2-8c12-60db5a0976b8@t5g2000yqj.googlegroups.com> <4e1bf1bc$0$15671$4fafbaef@reader2.news.tin.it> <36bp17tf79bhbd6hovf9srhmcs1jh1c040@4ax.com> <693db00d-83be-4830-a1fc-262d9d34d672@z15g2000pre.googlegroups.com> <9d33ce51-1f6a-4782-8098-a051456532ca@m6g2000prh.googlegroups.com>
In-Reply-To: <9d33ce51-1f6a-4782-8098-a051456532ca@m6g2000prh.googlegroups.com>

lewbloch wrote:
> Gene Wirchenko wrote:
>> lewbloch wrote:
>>> Martin Gregorie wrote:
>> [snip]
>>
>>>> [1] The instrument causing the problem was an unmodified Ariane 4 SRI
>>>> which raised an out-of-limits exception when the normal Ariane 5
>>>> trajectory exceeded a permitted Ariane 4 horizontal velocity limit.
>> ...the Ariane 5 having more powerful engines.
>>
>>> In other words, this was a case where there *was* an out-of-range
>>> exception, thus it makes the exact opposite point to the one Gene
>>> presumably wanted to support.
>> The data I read was that the exception was not handled. IIRC,
>> debugging got interpreted as navigational data.
>>
>
> Precisely. There was an exception, and it was not handled. Having
> the exception was not enough.
There was an exception (overflow in a conversion instruction), and it was handled. However, the handler was designed for the Ariane 4, where the designers (after careful analysis of the data ranges for the Ariane 4) decided to assume that an overflow exception indicated a CPU HW failure, and consequently the handler shut down the CPU. The same overflow then occurred in the redundant CPU, which also shut down, so the rocket was left with no guidance.

If the SW had been tested properly, the overflow exception would have occurred during testing, which would have revealed the flawed assumptions made in the reuse of the Ariane 4 SW on the Ariane 5. Surely that would have been better than ignoring the overflow.

The Ariane 501 disaster is a poor guide for this discussion, because of the difficulty of proper exception handling in that system: you cannot abort the launch and return to the launch pad. In most applications, it is much easier to design reasonable and safe exception handlers.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi . @ .
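The post's point, that detecting the overflow was fine but the handler's "it must be a HW fault, shut down" policy was not, can be made concrete in C. The following is an added example, not code from the thread or from any flight software: a checked double-to-int16 conversion (the kind of narrowing conversion the post mentions), two alternative handler policies for the same overflow, and a test pass that counts overflows over a constructed trajectory so that a changed input range shows up before deployment. The `sample_t` struct, the policy functions and both sample arrays are assumptions made here for illustration; the sample values are constructed and are not real flight data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a checked 64-bit float -> 16-bit integer conversion. */
typedef enum { CONV_OK, CONV_OVERFLOW, CONV_NAN } conv_status;

/* Checked narrowing conversion. A plain (int16_t)value is undefined in C
 * when the truncated value is out of range, so the range test is done in
 * double first. Truncation toward zero maps the open interval
 * (-32769, 32768) exactly onto the int16_t range, hence the bounds below.
 * NaN compares unequal to itself, which avoids a libm dependency. */
conv_status to_int16_checked(double value, int16_t *out) {
    if (value != value) return CONV_NAN;
    if (value >= 32768.0 || value <= -32769.0) return CONV_OVERFLOW;
    *out = (int16_t)value;
    return CONV_OK;
}

/* Status only, for callers that do not need the converted value. */
conv_status status_of(double value) {
    int16_t unused;
    return to_int16_checked(value, &unused);
}

/* One converted sample plus the flags a downstream consumer can act on
 * (hypothetical type, defined for this example). */
typedef struct { int16_t value; bool valid; bool saturated; } sample_t;

/* Policy A: treat any overflow as a fault and stop supplying data. This is
 * the assumption the post describes: defensible under the range analysis it
 * was made for, fatal once the input range changes. */
sample_t convert_shutdown_policy(double value) {
    sample_t s = {0, false, false};
    s.valid = (to_int16_checked(value, &s.value) == CONV_OK);
    return s;
}

/* Policy B: clamp to the representable range and flag the sample, so the
 * consumer keeps receiving a usable value and knows it was clipped. */
sample_t convert_saturate_policy(double value) {
    sample_t s = {0, true, false};
    switch (to_int16_checked(value, &s.value)) {
    case CONV_OK:
        break;
    case CONV_OVERFLOW:
        s.value = value > 0 ? INT16_MAX : INT16_MIN;
        s.saturated = true;
        break;
    case CONV_NAN:
        s.valid = false;
        break;
    }
    return s;
}

/* Counts the samples in a trajectory that would overflow the conversion.
 * Running this over the real input range is the "tested properly" step:
 * a non-zero count on the new vehicle's data exposes the stale assumption. */
int count_overflows(const double *samples, size_t n) {
    int overflows = 0;
    for (size_t i = 0; i < n; i++)
        if (status_of(samples[i]) == CONV_OVERFLOW) overflows++;
    return overflows;
}

/* Constructed sample trajectories (not real flight data): one stays inside
 * the analysed range, the other exceeds it in its last two samples. */
const double WITHIN_RANGE[4] = { 1200.0, 8500.0, 21000.0, 32000.0 };
const double OUT_OF_RANGE[4] = { 1200.0, 8500.0, 40000.0, 65000.0 };

int main(void) {
    printf("overflows in analysed-range data: %d\n", count_overflows(WITHIN_RANGE, 4));
    printf("overflows in wider-range data:    %d\n", count_overflows(OUT_OF_RANGE, 4));
    sample_t a = convert_shutdown_policy(65000.0);
    sample_t b = convert_saturate_policy(65000.0);
    printf("shutdown policy: valid=%d; saturate policy: value=%d saturated=%d\n",
           a.valid, b.value, b.saturated);
    return 0;
}
```

Neither policy is right in the abstract: the example's value is that the overflow is reported as data (a status and flags) rather than consumed as a fault, which leaves the choice of response to whoever knows the application, and that `count_overflows` run over the new input range makes the stale range assumption visible in a test instead of in the field.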