From: Keith Thompson
Newsgroups: comp.lang.java.programmer,comp.lang.c
Subject: Re: Arithmetic overflow checking
Date: Wed, 13 Jul 2011 13:41:51 -0700
Organization: None to speak of
References: <36bp17tf79bhbd6hovf9srhmcs1jh1c040@4ax.com> <693db00d-83be-4830-a1fc-262d9d34d672@z15g2000pre.googlegroups.com> <9d33ce51-1f6a-4782-8098-a051456532ca@m6g2000prh.googlegroups.com> <8vlr17d90u9cb63hf64hhstaoamdgsb5je@4ax.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)

markspace <-@.> writes:
> On 7/13/2011 12:16 PM, lewbloch wrote:
>> The lesson I derive is that nothing is too simple, trivial or obvious
>> to overlook.
>
> What I got from reading that is that the root problem was that the range
> of values that the sensor was capable of producing was not understood.
> Either or both physically producing, or would produce under normal (or
> abnormal) system operation.

As I recall, the range of values the sensor was capable of producing
was understood correctly *when the code was written*. The problem is
that the code was written for the Ariane 4. Management decided to
re-use the same code, with no modifications, on the Ariane 5 -- on
which the valid range of values from the sensor was quite different.

> It was a failure to understand the design, and its parameters. That
> failure of understanding was then propagated down to the code level.
> "We don't need to protect this because an out of range can't happen."

Decisions had to be made when the code was written about which
exceptions to handle, and which to assume couldn't happen. Handling
them all wasn't an option because it would have slowed down the system
enough so it wouldn't work at all. The particular decisions were
correct for Ariane 4.

> Somewhere, somehow, somebody has to ultimately understand what the
> system does, and when. If you don't have that, then no amount of
> general wolf-fencing (i.e., catching exceptions) will help, because you
> won't know what the exception even means, let alone what to do about it.

Given the decision to re-use the same code with no changes for a new
rocket (when the code wasn't designed for cross-rocket portability in
the first place), an improperly handled exception was just one of many
ways that it could have gone wrong.

(All this is based on my rather vague recollection of my partial
reading of the report.)

--
Keith Thompson (The_Other_Keith) kst-u@mib.org Nokia
"We must do something. This is something. Therefore, we must do this."
    -- Antony Jay and Jonathan Lynn, "Yes Minister"
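A worked illustration of the "we don't need to protect this because an out of range can't happen" point, added here and not taken from any post in the thread: a narrowing conversion and an addition written so that the range assumption is an explicit check returning a status, instead of an unchecked cast or a bare `+`. The function names, the int16_t/int32_t widths and the sample readings are my own choices, not anything from the thread or the Ariane report; the constructed readings include one value that fits a 16-bit field and one that a wider-range sensor might deliver.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict of a checked narrowing conversion: the caller gets an explicit
 * answer instead of an assumption that "out of range can't happen". */
typedef enum { NARROW_OK, NARROW_NAN, NARROW_OVERFLOW } narrow_status;

/* Convert a double to int16_t only if its integral part fits.  An
 * out-of-range float-to-int cast is undefined behaviour in C (C11
 * 6.3.1.4), so the check is done in floating point before the cast.
 * The integral part fits iff v lies strictly inside (INT16_MIN-1, INT16_MAX+1). */
narrow_status narrow_to_int16(double v, int16_t *out)
{
    if (isnan(v))
        return NARROW_NAN;
    if (!(v > (double)INT16_MIN - 1.0 && v < (double)INT16_MAX + 1.0))
        return NARROW_OVERFLOW;   /* also catches +/- infinity */
    *out = (int16_t)v;
    return NARROW_OK;
}

/* Checked signed addition: signed overflow is undefined behaviour too, so
 * the test is arranged never to evaluate an overflowing expression. */
bool add_int32_checked(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Constructed sample readings: the first two are fine for a 16-bit
 * field, the third is the kind of value a wider-range sensor produces. */
int main(void)
{
    const double readings[] = { 1234.5, -32768.0, 40000.25 };
    for (size_t i = 0; i < sizeof readings / sizeof readings[0]; i++) {
        int16_t n;
        narrow_status s = narrow_to_int16(readings[i], &n);
        if (s == NARROW_OK)
            printf("%g -> %d\n", readings[i], n);
        else
            printf("%g -> rejected (%s)\n", readings[i],
                   s == NARROW_NAN ? "NaN" : "out of range");
    }
    return 0;
}
```

The point of the status value is that the "can't happen" decision moves out of the conversion and into the caller, where it can be revisited when the code is moved to a platform with a different input range.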