[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Ada and Ariane 5 failure



Vladimir Ivanovic writes:
> "KS" == Kragen Sitaker <kragen@pobox.com> writes:
> 
>   KS> One of Ada's hidden gotchas, triggered by a bug which would have had
>   KS> no effect whatsoever in any other language I'm familiar with, in
>   KS> combination with a constellation of other mistakes, destroyed the
>   KS> first Ariane 5 rocket launched, at a cost of half a billion dollars.
> 
> My reading of the "Ariane 5 Failure Report" does not implicate Ada. I'm
> inclined to conclude exactly the opposite of what you did, namely that
> the bug would have had a similar effect in any of a number of other
> languages.
> 
> Please explain why you think Ada is a culprit here.

A 64-bit floating-point number was converted to a 16-bit integer; the
conversion overflowed.  In most languages on most platforms (I have to
back off my initial statement here; the Alpha's default handling of
floating-point exceptions is different, although I don't know if this would have .) the default behavior for
errors like these is to silently truncate.  The Ada-specified behavior
is to raise an exception.  The exception was not handled, crashing the
program.

The bug was in code whose results were not being used, so the results
that code produced were not important.  (Running this code was part of
the constellation of other mistakes.)

Generally, I prefer environments that raise exceptions instead of
giving me incorrect answers, but in this particular case, incorrect
answers would have been far preferable.

This is a perfect example of how Ada's safety measures don't buy you
as much safety as it might appear at first.

(I'm inclined to think that the best solution to this particular
family of problem is to use a dynamically-typed language, but
dynamically-typed languages have reliability costs of their own.)

What other languages and environments would this bug have had the same
effect in?  (Perhaps you should answer offlist, because I think it's
pretty definite that Ada isn't a lightweight language.)

-Kragen